On Thursday 04 November 2021 at 12:49 pm -0700, Junio C Hamano wrote:
> Adam Dinwoodie <adam@xxxxxxxxxxxxx> writes:
>
> > SSH keys are expected to be created with very restrictive permissions,
> > and SSH commands will fail if the permissions are not appropriate. When
> > creating a directory for SSH keys in test scripts, attempt to clear any
> > ACLs that might otherwise cause the private key to inherit less
> > restrictive permissions than it requires.
>
> All of the above makes sense as an explanation as to why the
> ssh-keygen command may be unhappy with the $GNUPGHOME directory that
> is prepared here, but ...
>
> > This change is required in particular to avoid tests relating to SSH
> > signing failing in Cygwin.
>
> ... I am not quite sure how this explains "tests relating to ssh
> signing failing on Cygwin". After all, this piece of code is
> lazy_prereq, which means that ssh-keygen in this block that fails
> (due to a less restrictive permissions) would merely mean that tests
> that are protected with GPGSSH prerequisite will be skipped without
> causing test failures. After all that is the whole point of
> computing prereq on the fly.
The issue is that the prerequisite check isn't _just_ checking a
prerequisite: it's also creating an SSH key that's used without further
modification by the tests.
There are three cases to consider:
- On systems where this prerequisite check fails, a key may or may not
be created, but the tests that rely on the key won't be run, so it
doesn't matter either way.
- On (clearly the mainline) systems where this check passes and there
are no ACL problems, the key that's generated is stored with
sufficiently restrictive permissions that the tests that rely on the
key can pass.
- On my system, where ACLs are a problem, the prerequisite check passes,
and a key is created, but it has permissions that are too permissive.
As a result, when a test calls OpenSSH to use that key, OpenSSH
refuses due to the permissions, and the test fails.
> > Signed-off-by: Adam Dinwoodie <adam@xxxxxxxxxxxxx>
> > Helped-by: Fabian Stelzer <fs@xxxxxxxxxxxx>
>
> Please order these chronologically, i.e. Fabian helped and the patch
> was finished, and finally you sent with your sign off.
Shall do! I'll resubmit a corrected version as soon as all the other
discussions about this patch seem tidied up.
> > ---
> > t/lib-gpg.sh | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/t/lib-gpg.sh b/t/lib-gpg.sh
> > index f99ef3e859..1d8e5b5b7e 100644
> > --- a/t/lib-gpg.sh
> > +++ b/t/lib-gpg.sh
> > @@ -106,6 +106,7 @@ test_lazy_prereq GPGSSH '
> > test $? = 0 || exit 1;
> > mkdir -p "${GNUPGHOME}" &&
> > chmod 0700 "${GNUPGHOME}" &&
> > + (setfacl -k "${GNUPGHOME}" 2>/dev/null || true) &&
> > ssh-keygen -t ed25519 -N "" -C "git ed25519 key" -f "${GPGSSH_KEY_PRIMARY}" >/dev/null &&
> > echo "\"principal with number 1\" $(cat "${GPGSSH_KEY_PRIMARY}.pub")" >> "${GPGSSH_ALLOWED_SIGNERS}" &&
> > ssh-keygen -t rsa -b 2048 -N "" -C "git rsa2048 key" -f "${GPGSSH_KEY_SECONDARY}" >/dev/null &&
>
> There are other uses of ssh-keygen in the real tests but presumably
> they just use the GNUPGHOME directory prepared with this lazy_prereq
> block, and "setfacl -k" here would have wiped any possible loosening
> of permission, and that is why this is the only place that needs a
> change, right? That fact might deserve recording in the proposed
> log message.
More than that: the uses of ssh-keygen elsewhere are calling `ssh-keygen
-l`. That command doesn't generate a key at all, it merely calculates
the fingerprint from the keys that are generated with the ssh-keygen
commands in this prerequisite check.
I think it's unusual that this test_lazy_prereq check isn't just
checking the state of the system but is creating the keys that will be
used in later tests, but I didn't think to document that in my log
because that was clearly a decision that had been made earlier. But I'm
very happy to make that logic clearer in my commit message!
