Fabian Stelzer <fs@xxxxxxxxxxxx> writes:

> Do a full ssh signing, find-principals and verify operation in the test
> prereq's to make sure ssh-keygen works as expected. Only generating the
> keys and verifying its presence is not sufficient in some situations.
> One example was ssh-keygen creating unusable ssh keys in cygwin because
> of unsafe default permissions for the key files. The other a broken
> openssh 8.7 that segfaulted on any find-principals operation. This
> extended prereq check avoids future test breakages in case ssh-keygen or
> any environment behaviour changes.
>
> Signed-off-by: Fabian Stelzer <fs@xxxxxxxxxxxx>
> ---

The way keys are set-up has become much easier to follow.

This unfortunately interacts with the old way of adding a test key
done in <20211119150707.3924636-2-fs@xxxxxxxxxxxx>

    350a2518 (ssh signing: support non ssh-* keytypes, 2021-11-19)

Here is my attempt (which is in 'seen') to resolve the inevitable
merge conflicts between the topics.

Thanks.

commit fa6c2973744b419c95b5eaf6a697c795ab7823fa
Merge: 2a8505f6a0 3b4b5a793a
Author: Junio C Hamano <gitster@xxxxxxxxx>
Date:   Wed Dec 1 16:01:54 2021 -0800

    Merge branch 'fs/ssh-signing-other-keytypes' into jch

    * fs/ssh-signing-other-keytypes:
      ssh signing: make sign/amend test more resilient
      ssh signing: support non ssh-* keytypes

diff --git a/t/lib-gpg.sh b/t/lib-gpg.sh index ff944f0548..3e7ee1386a 100644 --- a/t/lib-gpg.sh +++ b/t/lib-gpg.sh 
@@ -117,13 +117,14 @@ test_lazy_prereq GPGSSH ' ssh-keygen -t ed25519 -N "" -C "git ed25519 key" -f "${GPGSSH_KEY_PRIMARY}" >/dev/null && ssh-keygen -t rsa -b 2048 -N "" -C "git rsa2048 key" -f "${GPGSSH_KEY_SECONDARY}" >/dev/null && ssh-keygen -t ed25519 -N "${GPGSSH_KEY_PASSPHRASE}" -C "git ed25519 encrypted key" -f "${GPGSSH_KEY_WITH_PASSPHRASE}" >/dev/null && -<<<<<<< 2a8505f6a0 (Merge branch 'fs/ssh-signing-key-lifetime' into jch) + ssh-keygen -t ecdsa -N "" -f "${GPGSSH_KEY_ECDSA}" >/dev/null && ssh-keygen -t ed25519 -N "" -C "git ed25519 key" -f "${GPGSSH_KEY_UNTRUSTED}" >/dev/null && cat >"${GPGSSH_ALLOWED_SIGNERS}" <<-EOF && "principal with number 1" $(cat "${GPGSSH_KEY_PRIMARY}.pub")" "principal with number 2" $(cat "${GPGSSH_KEY_SECONDARY}.pub")" "principal with number 3" $(cat "${GPGSSH_KEY_WITH_PASSPHRASE}.pub")" + "principal with number 4" $(cat "${GPGSSH_KEY_ECDSA}.pub")" EOF # Verify if at least one key and ssh-keygen works as expected @@ -166,15 +167,6 @@ test_lazy_prereq GPGSSH_VERIFYTIME ' echo "testpayload" | ssh-keygen -Y sign -n "git" -f "${GPGSSH_KEY_EXPIRED}" >gpgssh_verifytime_prereq.sig && ! (ssh-keygen -Y verify -n "git" -f "${GPGSSH_ALLOWED_SIGNERS}" -I "principal with expired key" -s gpgssh_verifytime_prereq.sig) -||||||| cd3e606211 - echo "\"principal with number 3\" $(cat "${GPGSSH_KEY_WITH_PASSPHRASE}.pub")" >> "${GPGSSH_ALLOWED_SIGNERS}" && - ssh-keygen -t ed25519 -N "" -f "${GPGSSH_KEY_UNTRUSTED}" >/dev/null -======= - echo "\"principal with number 3\" $(cat "${GPGSSH_KEY_WITH_PASSPHRASE}.pub")" >> "${GPGSSH_ALLOWED_SIGNERS}" && - ssh-keygen -t ecdsa -N "" -f "${GPGSSH_KEY_ECDSA}" >/dev/null - echo "\"principal with number 4\" $(cat "${GPGSSH_KEY_ECDSA}.pub")" >> "${GPGSSH_ALLOWED_SIGNERS}" && - ssh-keygen -t ed25519 -N "" -f "${GPGSSH_KEY_UNTRUSTED}" >/dev/null ->>>>>>> 3b4b5a793a (ssh signing: make sign/amend test more resilient) ' sanitize_pgp() {
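
Review bot: In the first hunk, the added allowed-signers entry for "principal with number 4" ends with a double quote right after $(cat "${GPGSSH_KEY_ECDSA}.pub"), copied from the three context entries above it. Inside an unquoted here-document that character is literal, so each entry is written to ${GPGSSH_ALLOWED_SIGNERS} with a stray trailing quote after the public key line. It looks like a leftover from the echo "\"...\" $(cat ...)" form visible in the lines the second hunk removes, and could be dropped from all four entries. Separately, the new ssh-keygen -t ecdsa call is the only key generation in these lines without a -C comment; giving it one would keep the generated test keys consistent.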
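
Review bot: In the context lines at the top of the second hunk, the negated ssh-keygen -Y verify call has nothing visibly fed to its stdin, while the signature on the preceding line was made over "testpayload", so the ! (...) succeeds on any verification failure and not only on rejection of the expired key. Piping the same echo "testpayload" into the verify call would keep the payload matching and leave the key's validity period as the remaining reason for the failure. The rest of the hunk only drops the two leftover conflict sides, including the ssh-keygen -t ecdsa line that had no trailing && and would have broken the chain; the first hunk's version of that line has it.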