Re: [PATCH v2 0/6] ssh signing: verify key lifetime

On Thursday 04 November 2021 at 05:54 pm +0100, Fabian Stelzer wrote:
> On 04.11.2021 16:31, Adam Dinwoodie wrote:
> > On Wednesday 03 November 2021 at 08:45 pm +0100, Fabian Stelzer wrote:
> > > On 03.11.2021 19:27, Adam Dinwoodie wrote:
> > > > On Wed, 27 Oct 2021 at 09:06, Fabian Stelzer <fs@xxxxxxxxxxxx> wrote:
> > > > > This series adds key lifetime validity checks by parsing commit/tag
> > > > > dates from the payload and passing them to the ssh-keygen operations.
> > > > >
> > > > > changes since v1:
> > > > >  - struct signature_check is now used to input payload data into
> > > > >    check_function
> > > > >  - payload metadata parsing is completely internal to check_signature.
> > > > >    The caller only needs to set the payload type in the sigc struct
> > > > >  - small nits and readability fixes
> > > > >  - removed payload_signer parameter. Since we now use the struct we can extend
> > > > >    this later.
> > > > >
> > > > As part of testing v2.34-rc0 on Cygwin, I've found this patch series
> > > > is breaking t4202, t5534, and t6200.
> > > >
> > > > Specifically, bisecting points to f265f2d630 (ssh signing: tests for
> > > > logs, tags & push certs, 2021-09-10) as breaking t4202 and t5534,
> > > > while responsibility for t6200 seems to be 9d12546de9 (ssh signing:
> > > > fmt-merge-msg tests & config parse, 2021-10-12).
> 
> Ok, I should have read this closer / checked the commit. The commit you are
> referring to is not part of 'this' patch series, but an earlier one which was
> indeed merged and part of the rc.

Ah!  That's at least in part on me then; I'd found the most recent
thread that looked like it was related to this patch series, and assumed
it'd be the one that was included, without checking the actual commit
contents.  Apologies!

> > For t4202-log.sh, the failing tests are "72 - setup sshkey signed
> > branch" and "75 - log ssh key fingerprint".
> > 
> > For t5534-push-signed.sh, the failing tests are "8 - ssh signed push
> > sends push certificate" and "12 - fail without key and heed
> > user.signingkey ssh".
> > 
> > For t6200-fmt-merge-msg.sh, the failing tests are "3 - created ssh
> > signed commit and tag", "7 - message for merging local tag signed by
> > good ssh key" and "8 - message for merging local tag signed by unknown
> > ssh key".
> 
> Could you send the full output of these tests directly to me?
> Best would be sth like the full output of
> "GIT_TRACE=1 sh t4202-log.sh -vx"
> and maybe for one test with the trash directory in a zip file (just run
> the test with -vix, it will stop at the first failure and leave the test
> files in place)
> 
> I don't have much experience on windows (especially not cygwin) but
> maybe I can spot the problem.

I'll send these to you shortly.

I don't have much experience with any of Git's signing functions, so
perhaps between us we might be able to get somewhere :)

> > > What openssh version are you using? (ssh -V)
> > 
> >    OpenSSH_8.8p1, OpenSSL 1.1.1l  24 Aug 2021
> 
> That should be recent enough for this to work.
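The series described at the top of the thread (parse the commit/tag date out of the signed payload and hand it to ssh-keygen so the key's validity window is checked against the time of signing) can be illustrated with a small standalone script. This is an added example, not Git's own implementation from gpg-interface.c: the payloads are constructed, and the `-Overify-time=` timestamp format (`YYYYMMDDHHMMSSZ`, UTC) and the shape of the `ssh-keygen -Y verify` argument list are assumptions about how Git invokes the tool, not something taken from this thread.

```python
"""Derive an ssh-keygen verify-time from a Git commit or tag payload.

Added example (not Git's code). Assumptions are marked in comments.
"""
import re
from datetime import datetime, timezone
from typing import List, Optional

# Identity header lines in Git objects look like
#   committer C O Mitter <c@example.com> 1636041600 +0100
# The last two fields are the Unix timestamp and the writer's UTC offset.
IDENT_RE = re.compile(
    r"^(?P<key>author|committer|tagger) [^<]*<[^>]*> (?P<ts>\d+) [+-]\d{4}$"
)


def payload_timestamp(payload: bytes, payload_type: str) -> Optional[int]:
    """Return the Unix time the signature should be checked against.

    A commit is dated by its 'committer' line, a tag by its 'tagger' line.
    Only the header block (everything before the first blank line) is
    consulted, so an identity-looking line inside the message body is
    ignored rather than being mistaken for the object's date.
    """
    header_key = {"commit": "committer", "tag": "tagger"}[payload_type]
    headers, _sep, _body = payload.partition(b"\n\n")
    for line in headers.decode("utf-8", "replace").split("\n"):
        m = IDENT_RE.match(line)
        if m and m.group("key") == header_key:
            return int(m.group("ts"))
    return None


def verify_time_option(ts: int) -> str:
    """Render a Unix time as the -Overify-time=... option for ssh-keygen.

    Assumption: the accepted form is YYYYMMDDHHMMSS with a trailing Z for UTC.
    """
    stamp = datetime.fromtimestamp(ts, timezone.utc).strftime("%Y%m%d%H%M%SZ")
    return "-Overify-time=" + stamp


def verify_argv(payload: bytes, payload_type: str, allowed_signers: str,
                principal: str, sigfile: str) -> List[str]:
    """Build the argument list for a lifetime-aware 'ssh-keygen -Y verify'.

    Assumption: this mirrors the general shape of the call (namespace 'git',
    allowed-signers file, principal, detached signature file, payload on
    stdin). When the payload carries no usable date, the verify-time option
    is simply omitted and ssh-keygen falls back to the current time.
    """
    argv = ["ssh-keygen", "-Y", "verify", "-n", "git", "-f", allowed_signers,
            "-I", principal, "-s", sigfile]
    ts = payload_timestamp(payload, payload_type)
    if ts is not None:
        argv.append(verify_time_option(ts))
    return argv


# Constructed sample payloads. The tree id is the well-known empty tree;
# the object id in the tag is a placeholder. The committer date is
# 2021-11-04 16:00:00 UTC and the tagger date is 17:00:00 UTC.
COMMIT_PAYLOAD = (
    b"tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
    b"author A U Thor <author@example.com> 1636038000 +0100\n"
    b"committer C O Mitter <committer@example.com> 1636041600 +0100\n"
    b"\n"
    b"Sample commit message (constructed).\n"
    b"\n"
    b"committer Mallory <mallory@example.com> 0 +0000\n"  # body text, must be ignored
)

TAG_PAYLOAD = (
    b"object 0000000000000000000000000000000000000000\n"
    b"type commit\n"
    b"tag v1.0-sample\n"
    b"tagger T Agger <tagger@example.com> 1636045200 +0100\n"
    b"\n"
    b"Sample tag message (constructed).\n"
)

if __name__ == "__main__":
    print(verify_argv(COMMIT_PAYLOAD, "commit", "allowed_signers",
                      "committer@example.com", "commit.sig"))
    print(verify_argv(TAG_PAYLOAD, "tag", "allowed_signers",
                      "tagger@example.com", "tag.sig"))
```

The point of checking against the payload's own date rather than "now" is that a key whose validity window (valid-after/valid-before in the allowed-signers file) has since expired still yields a good verification for objects it signed while it was valid, and a key that was not yet valid when an object was written is rejected even if it is valid today.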