Hi Adam
On 18/01/2023 08:17, Adam Szkoda via GitGitGadget wrote:
From: Adam Szkoda <adaszko@xxxxxxxxx>
When signing a commit with a SSH key, with the private key missing from
ssh-agent, a confusing error message is produced:
error: Load key
"/var/folders/t5/cscwwl_n3n1_8_5j_00x_3t40000gn/T//.git_signing_key_tmpkArSj7":
invalid format? fatal: failed to write commit object
The temporary file .git_signing_key_tmpkArSj7 created by git contains a
valid *public* key. The error message comes from `ssh-keygen -Y sign' and
is caused by a fallback mechanism in ssh-keygen whereby it tries to
interpret .git_signing_key_tmpkArSj7 as a *private* key if it can't find in
the agent [1]. A fix is scheduled to be released in OpenSSH 9.1. All that
needs to be done is to pass an additional backward-compatible option -U to
'ssh-keygen -Y sign' call. With '-U', ssh-keygen always interprets the file
as public key and expects to find the private key in the agent.
The documentation for user.signingKey says
If gpg.format is set to ssh this can contain the path to either your
private ssh key or the public key when ssh-agent is used.
If I've understood correctly passing -U will prevent users from setting
this to a private key.
Best Wishes
Phillip
As a result, when the private key is missing from the agent, a more accurate
error message gets produced:
error: Couldn't find key in agent
[1] https://bugzilla.mindrot.org/show_bug.cgi?id=3429
Signed-off-by: Adam Szkoda <adaszko@xxxxxxxxx>
---
ssh signing: better error message when key not in agent
When signing a commit with a SSH key, with the private key missing from
ssh-agent, a confusing error message is produced:
error: Load key "/var/folders/t5/cscwwl_n3n1_8_5j_00x_3t40000gn/T//.git_signing_key_tmpkArSj7": invalid format?
fatal: failed to write commit object
The temporary file .git_signing_key_tmpkArSj7 created by git contains a
valid public key. The error message comes from `ssh-keygen -Y sign' and
is caused by a fallback mechanism in ssh-keygen whereby it tries to
interpret .git_signing_key_tmpkArSj7 as a private key if it can't find
in the agent [1]. A fix is scheduled to be released in OpenSSH 9.1. All
that needs to be done is to pass an additional backward-compatible
option -U to 'ssh-keygen -Y sign' call. With '-U', ssh-keygen always
interprets the file as public key and expects to find the private key in
the agent.
As a result, when the private key is missing from the agent, a more
accurate error message gets produced:
error: Couldn't find key in agent
[1] https://bugzilla.mindrot.org/show_bug.cgi?id=3429
Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-git-1270%2Fradicle-dev%2Fmaint-v1
Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-git-1270/radicle-dev/maint-v1
Pull-Request: https://github.com/git/git/pull/1270
gpg-interface.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/gpg-interface.c b/gpg-interface.c
index 280f1fa1a58..4a5913ae942 100644
--- a/gpg-interface.c
+++ b/gpg-interface.c
@@ -1022,6 +1022,7 @@ static int sign_buffer_ssh(struct strbuf *buffer, struct strbuf *signature,
strvec_pushl(&signer.args, use_format->program,
"-Y", "sign",
"-n", "git",
+ "-U",
"-f", ssh_signing_key_file,
buffer_file->filename.buf,
NULL);
base-commit: e54793a95afeea1e10de1e5ad7eab914e7416250