Jeff King <peff@xxxxxxxx> writes:
> So it would be nice to have a more exact test, but without understanding
> the openssh bug, I think this is the best we can do in the meantime.
Sounds good. We can also ensure that the key we are going to
generate here is actually usable before we leave the lazy-prereq
block, but we can leave it for another day.
Will apply. Thanks.
>
> -- >8 --
> Subject: [PATCH] t/lib-gpg: avoid broken versions of ssh-keygen
>
> The "-Y find-principals" option of ssh-keygen seems to be broken in
> Debian's openssh-client 1:8.7p1-1, whereas it works fine in 1:8.4p1-5.
> This causes several failures for GPGSSH tests. We fulfill the
> prerequisite because generating the keys works fine, but actually
> verifying a signature causes results ranging from bogus results to
> ssh-keygen segfaulting.
>
> We can find the broken version during the prereq check by feeding it
> empty input. This should result in it complaining to stderr, but in the
> broken version it triggers the segfault, causing the GPGSSH tests to be
> skipped.
>
> Signed-off-by: Jeff King <peff@xxxxxxxx>
> ---
> t/lib-gpg.sh | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/t/lib-gpg.sh b/t/lib-gpg.sh
> index 1d8e5b5b7e..a3f285f515 100644
> --- a/t/lib-gpg.sh
> +++ b/t/lib-gpg.sh
> @@ -104,6 +104,12 @@ test_lazy_prereq GPGSSH '
> test $? != 127 || exit 1
> echo $ssh_version | grep -q "find-principals:missing signature file"
> test $? = 0 || exit 1;
> +
> + # some broken versions of ssh-keygen segfault on find-principals;
> + # avoid testing with them.
> + ssh-keygen -Y find-principals -f /dev/null -s /dev/null
> + test $? = 139 && exit 1
> +
> mkdir -p "${GNUPGHOME}" &&
> chmod 0700 "${GNUPGHOME}" &&
> (setfacl -k "${GNUPGHOME}" 2>/dev/null || true) &&
