This patch series adds a few tests to the find-principals & verify operations of ssh-keygen and fixes a bug in find-principals. find-principals was checking key validity times for CA signed certs but not for normal keys or a validity specified on the CA key. The verify operation correctly does both. As find-principals just returns the first match, this could return principals with an expired/notyetvalid key. This patch changes this behaviour and could therefore be considered a breaking change. At the moment the docs are not quite clear about this. find-principals is specified to return a list of principals. It wasn't clear to me that this meant only those found on a single line. I assumed i would get all that match the signatures public key. If my understanding is correct that find-principals should always just return one match (sometimes having multiple principals) then i can update the manpage as well. It also adds a new -Y match-principals that can be used to determine if a principal is present in the allowed signers file (considering wildcard matches). I am implementing "Trust on first use" for git commit signing via ssh keys and needed a safe way to check that i will not add a principal already present (and thereby possibly overriding their key if it expires for example). Generally i only would like to add principals not already matching any existing entry. Fabian Stelzer (4): sshsig: add tests for signing key validity and find-principals sshsig: fix find-principals key lifespan validation ssh-keygen: make verify-time argument parsing optional ssh-keygen: add match-principals call regress/sshsig.sh | 151 ++++++++++++++++++++++++++++++++++++++++++++++ ssh-keygen.1 | 14 +++++ ssh-keygen.c | 43 ++++++++++++- sshsig.c | 95 +++++++++++++++++++++++------ sshsig.h | 4 ++ 5 files changed, 284 insertions(+), 23 deletions(-) -- 2.31.1 _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
