The user.signingKey config for ssh signing supports either a path to a file containing the key or for the sake of convenience a literal string with the ssh public key. To differentiate between those two cases we check if the first few characters contain "ssh-" which is unlikely to be the start of a path. ssh supports other key types which are not prefixed with "ssh-" and will currently be treated as a file path and therefore fail to load. To remedy this we move the prefix check into its own function and add the other key types. "ssh -Q key" can be used to show a list of all supported types.
Signed-off-by: Fabian Stelzer <fs@xxxxxxxxxxxx>
---
 gpg-interface.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/gpg-interface.c b/gpg-interface.c
index 3e7255a2a9..dd1df9f4ee 100644
--- a/gpg-interface.c
+++ b/gpg-interface.c
@@ -707,6 +707,16 @@ int git_gpg_config(const char *var, const char *value, void *cb)
 return 0;
 }
+/* Determines wether key contains a literal ssh key or a path to a file */
+static int is_literal_ssh_key(const char *key) {
+ return (
+ starts_with(key, "ssh-") ||
+ starts_with(key, "ecdsa-") ||
+ starts_with(key, "sk-ssh-") ||
+ starts_with(key, "sk-ecdsa-")
+ );
+}
+
 static char *get_ssh_key_fingerprint(const char *signing_key)
 {
 struct child_process ssh_keygen = CHILD_PROCESS_INIT;
@@ -719,7 +729,7 @@ static char *get_ssh_key_fingerprint(const char *signing_key)
 * With SSH Signing this can contain a filename or a public key
 * For textual representation we usually want a fingerprint
 */
- if (starts_with(signing_key, "ssh-")) {
+ if (is_literal_ssh_key(signing_key)) {
 strvec_pushl(&ssh_keygen.args, "ssh-keygen", "-lf", "-", NULL);
 ret = pipe_command(&ssh_keygen, signing_key,
 strlen(signing_key), &fingerprint_stdout, 0,
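Review bot: The prefix test in `is_literal_ssh_key()` also matches relative paths, so a `user.signingKey` value like `ecdsa-keys/id.pub` (a constructed example) that was read as a file before this patch is now handled as key material; the same holds at the call sites in `get_ssh_key_fingerprint()` and `sign_buffer_ssh()`. The comment should say that this is a heuristic and how to name such a file, for example `/* Heuristic: a value starting with a known ssh key type prefix is a literal public key; write ./name for a file whose name starts that way */`, and "wether" should read "whether". The opening brace is on the signature line, while `get_ssh_key_fingerprint()` directly below places it on its own line.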
@@ -774,7 +784,7 @@ static const char *get_default_ssh_signing_key(void)
 if (!ret) {
 keys = strbuf_split_max(&key_stdout, '\n', 2);
- if (keys[0] && starts_with(keys[0]->buf, "ssh-")) {
+ if (keys[0] && is_literal_ssh_key(keys[0]->buf)) {
 default_key = strbuf_detach(keys[0], NULL);
 } else {
 warning(_("gpg.ssh.defaultKeyCommand succeeded but returned no keys: %s %s"),
@@ -894,7 +904,7 @@ static int sign_buffer_ssh(struct strbuf *buffer, struct strbuf *signature,
 return error(
 _("user.signingkey needs to be set for ssh signing"));
- if (starts_with(signing_key, "ssh-")) {
+ if (is_literal_ssh_key(signing_key)) {
 /* A literal ssh key */
 key_file = mks_tempfile_t(".git_signing_key_tmpXXXXXX");
 if (!key_file)
base-commit: cd3e606211bb1cf8bc57f7d76bab98cc17a150bc
--
2.31.1
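Review bot: In `get_default_ssh_signing_key()` the changed condition tests only `keys[0]`, so the first line printed by gpg.ssh.defaultKeyCommand selects the signing key, and a first line that does not start with one of the helper's four prefixes ends in the "returned no keys" warning even when the output is not empty. A comment above the test would record that, e.g. `/* only the first output line is used; it must be a literal public key */`. The function starts and ends outside the hunk, so any handling of the remaining output is not visible here.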