git.vger.kernel.org archive mirror
* Ambiguous verification response when ssh-based signatures
@ 2021-11-19  2:46 Thor Andreas Rognan
  2021-11-19  9:00 ` Fabian Stelzer
  0 siblings, 1 reply; 5+ messages in thread
From: Thor Andreas Rognan @ 2021-11-19  2:46 UTC (permalink / raw)
  To: git

Thank you for filling out a Git bug report!
Please answer the following questions to help us understand your issue.

What did you do before the bug happened? (Steps to reproduce your issue)

$ ssh-keygen -t ed25519 -C "me@example.com"
$ mkdir -pv ~/tmp/example && cd ~/tmp/example && git init
$ git config commit.gpgsign true
$ git config gpg.format ssh
$ git config user.signingkey "$(cat ~/.ssh/id_ed25519.pub)"
$ mkdir -p ~/.config/git/ && touch ~/.config/git/allowed_signers\
 && chmod 0600 ~/.config/git/allowed_signers
$ cat ~/.ssh/id_ed25519.pub | awk '{print email " " $0}' email=$(git config user.email)\
 >> ~/.config/git/allowed_signers
$ git config gpg.ssh.allowedSignersFile "$HOME/.config/git/allowed_signers"
$ git commit --allow-empty -m "Initial commit"
$ git verify-commit HEAD

What did you expect to happen? (Expected behavior)

A verified signature without any error message.

What happened instead? (Actual behavior)

$ git verify-commit HEAD
Good "git" signature with ED25519 key SHA256:...
Too few arguments for sign/verify: missing namespace
$ git log --show-signature
commit 4697b474dd5ec0de14870d5b0eba5f579b852bbd (HEAD -> main)
Good "git" signature with ED25519 key SHA256:...
Too few arguments for sign/verify: missing namespace^M

What's different between what you expected and what actually happened?

Ambiguous signature verification message.

Anything else you want to add:

Please review the rest of the bug report below.
You can delete any lines you don't wish to share.


[System Info]
git version:
git version 2.34.0
cpu: x86_64
no commit associated with this build
sizeof-long: 8
sizeof-size_t: 8
shell-path: /bin/sh
uname: Darwin 20.6.0 Darwin Kernel Version 20.6.0: Mon Aug 30 06:12:21 PDT 2021; root:xnu-7195.141.6~3/RELEASE_X86_64 x86_64
compiler info: clang: 13.0.0 (clang-1300.0.29.3)
libc info: no libc information available
$SHELL (typically, interactive shell): /usr/local/bin/bash


[Enabled Hooks]


* Re: Ambiguous verification response when ssh-based signatures
  2021-11-19  2:46 Ambiguous verification response when ssh-based signatures Thor Andreas Rognan
@ 2021-11-19  9:00 ` Fabian Stelzer
  2021-11-19 10:26   ` Thor Andreas Rognan
  0 siblings, 1 reply; 5+ messages in thread
From: Fabian Stelzer @ 2021-11-19  9:00 UTC (permalink / raw)
  To: Thor Andreas Rognan; +Cc: git

On 19.11.2021 03:46, Thor Andreas Rognan wrote:
>Thank you for filling out a Git bug report!
>Please answer the following questions to help us understand your issue.
>
>What did you do before the bug happened? (Steps to reproduce your issue)
>
>$ ssh-keygen -t ed25519 -C "me@example.com"
>$ mkdir -pv ~/tmp/example && cd ~/tmp/example && git init
>$ git config commit.gpgsign true
>$ git config gpg.format ssh
>$ git config user.signingkey "$(cat ~/.ssh/id_ed25519.pub)"
>$ mkdir -p ~/.config/git/ && touch ~/.config/git/allowed_signers\
> && chmod 0600 ~/.config/git/allowed_signers
>$ cat ~/.ssh/id_ed25519.pub | awk '{print email " " $0}' email=$(git
>config user.email)\
> >> ~/.config/git/allowed_signers
>$ git config gpg.ssh.allowedSignersFile "$HOME/.config/git/allowed_signers"
>$ git commit --allow-empty -m "Initial commit"
>$ git verify-commit HEAD
>
>What did you expect to happen? (Expected behavior)
>
>A verified signature without any error message.
>
>What happened instead? (Actual behavior)
>
>$ git verify-commit HEAD
>Good "git" signature with ED25519 key SHA256:...
>Too few arguments for sign/verify: missing namespace
>$ git log --show-signature
>commit 4697b474dd5ec0de14870d5b0eba5f579b852bbd (HEAD -> main)
>Good "git" signature with ED25519 key SHA256:...
>Too few arguments for sign/verify: missing namespace^M
>
>What's different between what you expected and what actually happened?
>
>Ambiguous signature verification message.
>
>Anything else you want to add:
>
>Please review the rest of the bug report below.
>You can delete any lines you don't wish to share.
>
>
>[System Info]
>git version:
>git version 2.34.0
>cpu: x86_64
>no commit associated with this build
>sizeof-long: 8
>sizeof-size_t: 8
>shell-path: /bin/sh
>uname: Darwin 20.6.0 Darwin Kernel Version 20.6.0: Mon Aug 30 06:12:21
>PDT 2021; root:xnu-7195.141.6~3/RELEASE_X86_64 x86_64
>compiler info: clang: 13.0.0 (clang-1300.0.29.3)
>libc info: no libc information available
>$SHELL (typically, interactive shell): /usr/local/bin/bash
>
>
>[Enabled Hooks]

Hi Thor,
thanks for your report. I'm curious why verify complains about a missing
namespace. This parameter is basically hard coded to every command :/
What version of openssh are you using (ssh -V)?
Also, could you run the sign & the verify with a `GIT_TRACE=1`?
This way we can see what the actual keygen commands are that are
executed.

Thanks,
Fabian


* Re: Ambiguous verification response when ssh-based signatures
  2021-11-19  9:00 ` Fabian Stelzer
@ 2021-11-19 10:26   ` Thor Andreas Rognan
  2021-11-19 11:07     ` Fabian Stelzer
  0 siblings, 1 reply; 5+ messages in thread
From: Thor Andreas Rognan @ 2021-11-19 10:26 UTC (permalink / raw)
  To: Fabian Stelzer; +Cc: git

Hi Fabian,

Thank you for your quick response! Commands and output below:

$ ssh -V
OpenSSH_8.1p1, LibreSSL 2.7.3

$ GIT_TRACE=1 git commit -m "Trace keygen commands with GIT_TRACE"
11:13:49.771601 git.c:455               trace: built-in: git commit -m 'Trace keygen commands with GIT_TRACE'
11:13:49.776095 run-command.c:668       trace: run_command: ssh-keygen -Y sign -n git -f /var/folders/jj/sfgpggbj5b13gvljxf977zq80000gn/T//.git_signing_key_tmp1FkZ52 /var/folders/jj/sfgpggbj5b13gvljxf977zq80000gn/T//.git_signing_buffer_tmpBweN52
11:13:49.814072 run-command.c:668       trace: run_command: git maintenance run --auto --no-quiet
11:13:49.819952 git.c:455               trace: built-in: git maintenance run --auto --no-quiet
[main 633e567] Trace keygen commands with GIT_TRACE
 1 file changed, 59 insertions(+)
 create mode 100644 git-bugreport-2021-11-19-0311.txt

$ GIT_TRACE=1 git verify-commit HEAD
11:14:40.274423 git.c:455               trace: built-in: git verify-commit HEAD
11:14:40.277417 run-command.c:668       trace: run_command: ssh-keygen -Y find-principals -f ~/.config/git/allowed_signers -s /var/folders/jj/sfgpggbj5b13gvljxf977zq80000gn/T//.git_vtag_tmpEI3SAu
11:14:40.284075 run-command.c:668       trace: run_command: ssh-keygen -Y check-novalidate -n git -s /var/folders/jj/sfgpggbj5b13gvljxf977zq80000gn/T//.git_vtag_tmpEI3SAu
Good "git" signature with ED25519 key SHA256:x3FRAl3XR188M9KR3UE+TuG3jkZzPQMjfBo+ddbM0dk
Too few arguments for sign/verify: missing namespace

Best regards,
Thor



* Re: Ambiguous verification response when ssh-based signatures
  2021-11-19 10:26   ` Thor Andreas Rognan
@ 2021-11-19 11:07     ` Fabian Stelzer
  2021-11-19 18:26       ` Thor Andreas Rognan
  0 siblings, 1 reply; 5+ messages in thread
From: Fabian Stelzer @ 2021-11-19 11:07 UTC (permalink / raw)
  To: Thor Andreas Rognan; +Cc: git

On 19.11.2021 11:26, Thor Andreas Rognan wrote:
>Hi Fabian,
>
>Thank you for your quick response! Commands and output below:
>
>$ ssh -V
>OpenSSH_8.1p1, LibreSSL 2.7.3
>
>$ GIT_TRACE=1 git commit -m "Trace keygen commands with GIT_TRACE"
>11:13:49.771601 git.c:455               trace: built-in: git commit -m
>'Trace keygen commands with GIT_TRACE'
>11:13:49.776095 run-command.c:668       trace: run_command: ssh-keygen
>-Y sign -n git -f
>/var/folders/jj/sfgpggbj5b13gvljxf977zq80000gn/T//.git_signing_key_tmp1FkZ52
>/var/folders/jj/sfgpggbj5b13gvljxf977zq80000gn/T//.git_signing_buffer_tmpBweN52
>11:13:49.814072 run-command.c:668       trace: run_command: git
>maintenance run --auto --no-quiet
>11:13:49.819952 git.c:455               trace: built-in: git
>maintenance run --auto --no-quiet
>[main 633e567] Trace keygen commands with GIT_TRACE
> 1 file changed, 59 insertions(+)
> create mode 100644 git-bugreport-2021-11-19-0311.txt
>
>$ GIT_TRACE=1 git verify-commit HEAD
>11:14:40.274423 git.c:455               trace: built-in: git verify-commit HEAD
>11:14:40.277417 run-command.c:668       trace: run_command: ssh-keygen
>-Y find-principals -f ~/.config/git/allowed_signers -s
>/var/folders/jj/sfgpggbj5b13gvljxf977zq80000gn/T//.git_vtag_tmpEI3SAu
>11:14:40.284075 run-command.c:668       trace: run_command: ssh-keygen
>-Y check-novalidate -n git -s
>/var/folders/jj/sfgpggbj5b13gvljxf977zq80000gn/T//.git_vtag_tmpEI3SAu
>Good "git" signature with ED25519 key
>SHA256:x3FRAl3XR188M9KR3UE+TuG3jkZzPQMjfBo+ddbM0dk
>Too few arguments for sign/verify: missing namespace
>

Ok. OpenSSH 8.1p1 does not have the required functionality for the ssh
signing feature. Normally a git warning would trigger to notify you
about this. Unfortunately it seems as if openssh introduced the features
between 8.0 and 8.2, and exactly the 8.1 version has some of them but not
all and does not produce the expected error for the find-principals call
:/. I'll check if I can do something about this and print the correct
error.

I'd recommend upgrading to the latest openssh 8.8. If you don't want to
upgrade your OS version you can install to another prefix (e.g.: /opt)
and point git to the newer ssh-keygen command like this:
`git config --global gpg.ssh.program /opt/openssh/ssh-keygen`.

Fabian
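
Added example, not part of the thread or of Git's own code: a POSIX shell check for the condition diagnosed above. It treats a verification as trusted only when ssh-keygen's "Good" line names a principal and nothing else was printed, and it flags an ssh-keygen older than 8.2 (threshold taken from the reply above). Function names, verdict names and sample strings are constructed for illustration; the `for <principal>` form is what OpenSSH prints when an allowed signer matched.

```shell
#!/bin/sh
# Added example. Inputs are plain text, so it runs without git or ssh-keygen.

# Succeeds if the `ssh -V` banner in $1 reports OpenSSH >= 8.2 (threshold
# taken from the reply above); returns 2 if the banner cannot be parsed.
ssh_supports_git_signing() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    set -- $ver
    [ "$1" -gt 8 ] || { [ "$1" -eq 8 ] && [ "$2" -ge 2 ]; }
}

# Prints one verdict for the combined output of `git verify-commit` in $1:
#   trusted            one Good line naming a principal, nothing else
#   unmatched-key      Good line without "for <principal>"
#   tool-error         Good line plus any other non-empty line
#   no-good-signature  no Good line at all
classify_verify_output() {
    good='^Good "git" signature '
    if ! printf '%s\n' "$1" | grep -q "$good"; then
        echo no-good-signature
    elif printf '%s\n' "$1" | grep -v "$good" | grep -q .; then
        echo tool-error
    elif printf '%s\n' "$1" | grep -q "${good}for [^ ][^ ]* with "; then
        echo trusted
    else
        echo unmatched-key
    fi
}

# Constructed samples modelled on the output quoted in this thread.
reported='Good "git" signature with ED25519 key SHA256:CONSTRUCTED
Too few arguments for sign/verify: missing namespace'
clean='Good "git" signature for me@example.com with ED25519 key SHA256:CONSTRUCTED'

echo "reported output: $(classify_verify_output "$reported")"
echo "clean output:    $(classify_verify_output "$clean")"
if ssh_supports_git_signing "OpenSSH_8.1p1, LibreSSL 2.7.3"; then
    echo "ssh-keygen: ok"
else
    echo "ssh-keygen: too old for gpg.format=ssh"
fi
```

In a CI gate, feed the function the captured stdout and stderr of `git verify-commit` and fail the job on anything other than `trusted`.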


* Re: Ambiguous verification response when ssh-based signatures
  2021-11-19 11:07     ` Fabian Stelzer
@ 2021-11-19 18:26       ` Thor Andreas Rognan
  0 siblings, 0 replies; 5+ messages in thread
From: Thor Andreas Rognan @ 2021-11-19 18:26 UTC (permalink / raw)
  To: Fabian Stelzer; +Cc: git

Hi Fabian,

I upgraded and it works, thank you for your help! :)

Best regards,
Thor

