Adam Dinwoodie <adam@xxxxxxxxxxxxx> writes:
> SSH keys are expected to be created with very restrictive permissions,
> and SSH commands will fail if the permissions are not appropriate. When
> creating a directory for SSH keys in test scripts, attempt to clear any
> ACLs that might otherwise cause the private key to inherit less
> restrictive permissions than it requires.
All of the above makes sense as an explanation as to why the
ssh-keygen command may be unhappy with the $GNUPGHOME directory that
is prepared here, but ...
> This change is required in particular to avoid tests relating to SSH
> signing failing in Cygwin.
... I am not quite sure how this explains "tests relating to ssh
signing failing on Cygwin". After all, this piece of code is
lazy_prereq, which means that ssh-keygen in this block that fails
(due to a less restrictive permissions) would merely mean that tests
that are protected with GPGSSH prerequisite will be skipped without
causing test failures. After all that is the whole point of
computing prereq on the fly.
> Signed-off-by: Adam Dinwoodie <adam@xxxxxxxxxxxxx>
> Helped-by: Fabian Stelzer <fs@xxxxxxxxxxxx>
Please order these chronologically, i.e. Fabian helped and the patch
was finished, and finally you sent with your sign off.
> ---
> t/lib-gpg.sh | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/t/lib-gpg.sh b/t/lib-gpg.sh
> index f99ef3e859..1d8e5b5b7e 100644
> --- a/t/lib-gpg.sh
> +++ b/t/lib-gpg.sh
> @@ -106,6 +106,7 @@ test_lazy_prereq GPGSSH '
> test $? = 0 || exit 1;
> mkdir -p "${GNUPGHOME}" &&
> chmod 0700 "${GNUPGHOME}" &&
> + (setfacl -k "${GNUPGHOME}" 2>/dev/null || true) &&
> ssh-keygen -t ed25519 -N "" -C "git ed25519 key" -f "${GPGSSH_KEY_PRIMARY}" >/dev/null &&
> echo "\"principal with number 1\" $(cat "${GPGSSH_KEY_PRIMARY}.pub")" >> "${GPGSSH_ALLOWED_SIGNERS}" &&
> ssh-keygen -t rsa -b 2048 -N "" -C "git rsa2048 key" -f "${GPGSSH_KEY_SECONDARY}" >/dev/null &&
There are other uses of ssh-keygen in the real tests but presumably
they just use the GNUPGHOME directory prepared with this lazy_prereq
block, and "setfacl -k" here would have wiped any possible loosening
of permission, and that is why this is the only place that needs a
change, right? That fact might deserve recording in the proposed
log message.
Thanks.
