Todd Zullinger <tmz@xxxxxxxxx> writes:

> OpenSSH-9.0 requires a namespace option with `-Y check-novalidate`.
> This was added in openssh-portable commit a0b5816f8 (upstream:
> ssh-keygen -Y check-novalidate requires namespace or SEGV, 2022-03-18).
>
> The -n option was documented as a required option since check-novalidate
> was added in openssh-portable 8aa2aa3cd (upstream: Allow testing
> signature syntax and validity without verifying, 2019-09-16).
>
> Signed-off-by: Todd Zullinger <tmz@xxxxxxxxx>
> ---
> Hi,
>
> I only recently noticed the GPGSSH_VERIFYTIME prereq had
> been failing in the Fedora builds. This began when openssh
> was updated to 9.0 in the distribution, which means I've
> been slack on checking missing prereqs since last August. :/

Better late than never. Thanks.

While I was trying to see if the symptom reproduces in my
environment roughly based on Debian testing, I had this trivial test
script

    #!/bin/sh
    test_description='heh???'
    . ./test-lib.sh
    . "$TEST_DIRECTORY/lib-gpg.sh"

    test_expect_success setup '
        : test_have_prereq GPG &&
        test_have_prereq GPGSSH_VERIFYTIME
    '
    test_done

and noticed that GPGSSH_VERIFYTIME prerequisite does not pass
regardless of the version of ssh-keygen installed, without first
triggering GPG prereq to cause "$GNUPGHOME" to get created.
Otherwise, this part

    # Set up keys with key lifetimes
    ssh-keygen -t ed25519 -N "" -C "timeboxed valid key" -f "${GPGSSH_KEY_TIMEBOXEDVALID}" >/dev/null &&

because GPGSSH_KEY_TIMEBOXEDVALID is defined to be created under
GNUPGHOME, would not work.

I notice that GPGSM lazy prereq forces GPG prereq to be triggered by
starting it like so:

    test_lazy_prereq GPGSM '
        test_have_prereq GPG &&

and I think we should do the same for GPGSSH_VERIFYTIME for
completeness in the longer term. The current users of the
prerequisite all seem to trigger GPG prerequisite check so this is
not all that urgent, though.