Re: Ambiguous verification response when ssh-based signatures

On 19.11.2021 11:26, Thor Andreas Rognan wrote:
Hi Fabian,

Thank you for your quick response! Commands and output below:

$ ssh -V
OpenSSH_8.1p1, LibreSSL 2.7.3

$ GIT_TRACE=1 git commit -m "Trace keygen commands with GIT_TRACE"
11:13:49.771601 git.c:455               trace: built-in: git commit -m
'Trace keygen commands with GIT_TRACE'
11:13:49.776095 run-command.c:668       trace: run_command: ssh-keygen
-Y sign -n git -f
/var/folders/jj/sfgpggbj5b13gvljxf977zq80000gn/T//.git_signing_key_tmp1FkZ52
/var/folders/jj/sfgpggbj5b13gvljxf977zq80000gn/T//.git_signing_buffer_tmpBweN52
11:13:49.814072 run-command.c:668       trace: run_command: git
maintenance run --auto --no-quiet
11:13:49.819952 git.c:455               trace: built-in: git
maintenance run --auto --no-quiet
[main 633e567] Trace keygen commands with GIT_TRACE
1 file changed, 59 insertions(+)
create mode 100644 git-bugreport-2021-11-19-0311.txt

$ GIT_TRACE=1 git verify-commit HEAD
11:14:40.274423 git.c:455               trace: built-in: git verify-commit HEAD
11:14:40.277417 run-command.c:668       trace: run_command: ssh-keygen
-Y find-principals -f ~/.config/git/allowed_signers -s
/var/folders/jj/sfgpggbj5b13gvljxf977zq80000gn/T//.git_vtag_tmpEI3SAu
11:14:40.284075 run-command.c:668       trace: run_command: ssh-keygen
-Y check-novalidate -n git -s
/var/folders/jj/sfgpggbj5b13gvljxf977zq80000gn/T//.git_vtag_tmpEI3SAu
Good "git" signature with ED25519 key
SHA256:x3FRAl3XR188M9KR3UE+TuG3jkZzPQMjfBo+ddbM0dk
Too few arguments for sign/verify: missing namespace


Ok. OpenSSH 8.1p1 does not have the required functionality for the ssh
signing feature. Normally a git warning would trigger to notify you
about this. Unfortunately it seems as if OpenSSH introduced the features
between 8.0 and 8.2, and exactly the 8.1 version has some of them but not
all and does not produce the expected error for the find-principals call
:/. I'll check if I can do something about this and print the correct
error.

I'd recommend upgrading to the latest OpenSSH 8.8. If you don't want to
upgrade your OS version, you can install to another prefix (e.g.: /opt)
and point git to the newer ssh-keygen command like this:
`git config --global gpg.ssh.program /opt/openssh/ssh-keygen`.

Fabian
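
An added example, not part of the thread or of Git's own code: a fail-closed pre-flight and output check for the situation discussed above, where a "Good" line is followed by an ssh-keygen error. The function names are hypothetical, the 8.2 threshold follows the reply above, and the `for <principal>` line format is an assumption about what `ssh-keygen -Y verify` prints on success; the sample strings are constructed from the output quoted in the thread.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not Git's code).

# openssh_new_enough "<ssh -V output>"
# Returns 0 for OpenSSH >= 8.2, 1 for older, 2 if the string cannot be parsed.
openssh_new_enough() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p' | head -n 1)
    [ -n "$ver" ] || return 2
    major=${ver% *}
    minor=${ver#* }
    if [ "$major" -gt 8 ]; then return 0; fi
    if [ "$major" -eq 8 ] && [ "$minor" -ge 2 ]; then return 0; fi
    return 1
}

# classify_verify "<captured verify-commit output, GIT_TRACE off>"
# Prints one of:
#   trusted     a "Good ... for <principal>" line and nothing else
#   unverified  a "Good" line without a principal, or with extra error lines
#   failed      no "Good" line at all
classify_verify() {
    good_principal=0 good_any=0 extra=0
    while IFS= read -r line; do
        case $line in
            '') ;;
            'Good "git" signature for '*' with '*) good_principal=1; good_any=1 ;;
            'Good "git" signature with '*) good_any=1 ;;
            *) extra=1 ;;
        esac
    done <<EOF
$1
EOF
    if [ "$good_principal" -eq 1 ] && [ "$extra" -eq 0 ]; then echo trusted
    elif [ "$good_any" -eq 1 ]; then echo unverified
    else echo failed
    fi
}

# Constructed sample: the two result lines from the thread, unwrapped.
SAMPLE_THREAD='Good "git" signature with ED25519 key SHA256:x3FRAl3XR188M9KR3UE+TuG3jkZzPQMjfBo+ddbM0dk
Too few arguments for sign/verify: missing namespace'

if ! openssh_new_enough 'OpenSSH_8.1p1, LibreSSL 2.7.3'; then
    echo "ssh-keygen too old for git ssh signing; set gpg.ssh.program"
fi
echo "thread output classified as: $(classify_verify "$SAMPLE_THREAD")"
```

In CI, only `trusted` should pass; the output from this thread classifies as `unverified`.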


