From: "Fabian Stelzer via GitGitGadget" <gitgitgadget@gmail.com>
To: git@vger.kernel.org
Cc: "Han-Wen Nienhuys" <hanwen@google.com>,
"Fabian Stelzer" <fs@gigacodes.de>,
"brian m. carlson" <sandals@crustytoothpaste.net>,
"Randall S. Becker" <rsbecker@nexbridge.com>,
"Bagas Sanjaya" <bagasdotme@gmail.com>,
"Hans Jerry Illikainen" <hji@dyntopia.com>,
"Ævar Arnfjörð Bjarmason" <avarab@gmail.com>,
"Felipe Contreras" <felipe.contreras@gmail.com>,
"Eric Sunshine" <sunshine@sunshineco.com>,
"Gwyneth Morgan" <gwymor@tilde.club>,
"Jonathan Tan" <jonathantanmy@google.com>,
"Josh Steadmon" <steadmon@google.com>,
"Fabian Stelzer" <fabian@stelzer.cloud>,
"Fabian Stelzer" <fs@gigacodes.de>
Subject: [PATCH v8 5/9] ssh signing: provide a textual signing_key_id
Date: Fri, 10 Sep 2021 20:07:38 +0000 [thread overview]
Message-ID: <0864ed04670c271c3e686cc5301bebd45eae2242.1631304462.git.gitgitgadget@gmail.com> (raw)
In-Reply-To: <pull.1041.v8.git.git.1631304462.gitgitgadget@gmail.com>
From: Fabian Stelzer <fs@gigacodes.de>
For ssh the user.signingkey can be a filename/path or even a literal ssh pubkey.
In push certs and textual output we prefer the ssh fingerprint instead.
Signed-off-by: Fabian Stelzer <fs@gigacodes.de>
---
gpg-interface.c | 56 +++++++++++++++++++++++++++++++++++++++++++++++++
gpg-interface.h | 6 ++++++
send-pack.c | 8 +++----
3 files changed, 66 insertions(+), 4 deletions(-)
diff --git a/gpg-interface.c b/gpg-interface.c
index 3a0cca1b1d2..0f1c6a02e53 100644
--- a/gpg-interface.c
+++ b/gpg-interface.c
@@ -24,6 +24,7 @@ struct gpg_format {
int (*sign_buffer)(struct strbuf *buffer, struct strbuf *signature,
const char *signing_key);
const char *(*get_default_key)(void);
+ const char *(*get_key_id)(void);
};
static const char *openpgp_verify_args[] = {
@@ -61,6 +62,8 @@ static int sign_buffer_ssh(struct strbuf *buffer, struct strbuf *signature,
static const char *get_default_ssh_signing_key(void);
+static const char *get_ssh_key_id(void);
+
static struct gpg_format gpg_format[] = {
{
.name = "openpgp",
@@ -70,6 +73,7 @@ static struct gpg_format gpg_format[] = {
.verify_signed_buffer = verify_gpg_signed_buffer,
.sign_buffer = sign_buffer_gpg,
.get_default_key = NULL,
+ .get_key_id = NULL,
},
{
.name = "x509",
@@ -79,6 +83,7 @@ static struct gpg_format gpg_format[] = {
.verify_signed_buffer = verify_gpg_signed_buffer,
.sign_buffer = sign_buffer_gpg,
.get_default_key = NULL,
+ .get_key_id = NULL,
},
{
.name = "ssh",
@@ -88,6 +93,7 @@ static struct gpg_format gpg_format[] = {
.verify_signed_buffer = NULL, /* TODO */
.sign_buffer = sign_buffer_ssh,
.get_default_key = get_default_ssh_signing_key,
+ .get_key_id = get_ssh_key_id,
},
};
@@ -484,6 +490,41 @@ int git_gpg_config(const char *var, const char *value, void *cb)
return 0;
}
+static char *get_ssh_key_fingerprint(const char *signing_key)
+{
+ struct child_process ssh_keygen = CHILD_PROCESS_INIT;
+ int ret = -1;
+ struct strbuf fingerprint_stdout = STRBUF_INIT;
+ struct strbuf **fingerprint;
+
+ /*
+ * With SSH Signing this can contain a filename or a public key
+ * For textual representation we usually want a fingerprint
+ */
+ if (starts_with(signing_key, "ssh-")) {
+ strvec_pushl(&ssh_keygen.args, "ssh-keygen", "-lf", "-", NULL);
+ ret = pipe_command(&ssh_keygen, signing_key,
+ strlen(signing_key), &fingerprint_stdout, 0,
+ NULL, 0);
+ } else {
+ strvec_pushl(&ssh_keygen.args, "ssh-keygen", "-lf",
+ configured_signing_key, NULL);
+ ret = pipe_command(&ssh_keygen, NULL, 0, &fingerprint_stdout, 0,
+ NULL, 0);
+ }
+
+ if (!!ret)
+ die_errno(_("failed to get the ssh fingerprint for key '%s'"),
+ signing_key);
+
+ fingerprint = strbuf_split_max(&fingerprint_stdout, ' ', 3);
+ if (!fingerprint[1])
+ die_errno(_("failed to get the ssh fingerprint for key '%s'"),
+ signing_key);
+
+ return strbuf_detach(fingerprint[1], NULL);
+}
+
/* Returns the first public key from an ssh-agent to use for signing */
static const char *get_default_ssh_signing_key(void)
{
@@ -532,6 +573,21 @@ static const char *get_default_ssh_signing_key(void)
return default_key;
}
+static const char *get_ssh_key_id(void) {
+ return get_ssh_key_fingerprint(get_signing_key());
+}
+
+/* Returns a textual but unique representation of the signing key */
+const char *get_signing_key_id(void)
+{
+ if (use_format->get_key_id) {
+ return use_format->get_key_id();
+ }
+
+ /* GPG/GPGSM only store a key id on this variable */
+ return get_signing_key();
+}
+
const char *get_signing_key(void)
{
if (configured_signing_key)
diff --git a/gpg-interface.h b/gpg-interface.h
index feac4decf8b..beefacbb1e9 100644
--- a/gpg-interface.h
+++ b/gpg-interface.h
@@ -64,6 +64,12 @@ int sign_buffer(struct strbuf *buffer, struct strbuf *signature,
int git_gpg_config(const char *, const char *, void *);
void set_signing_key(const char *);
const char *get_signing_key(void);
+
+/*
+ * Returns a textual unique representation of the signing key in use
+ * Either a GPG KeyID or a SSH Key Fingerprint
+ */
+const char *get_signing_key_id(void);
int check_signature(const char *payload, size_t plen,
const char *signature, size_t slen,
struct signature_check *sigc);
diff --git a/send-pack.c b/send-pack.c
index b3a495b7b19..bc0fcdbb000 100644
--- a/send-pack.c
+++ b/send-pack.c
@@ -341,13 +341,13 @@ static int generate_push_cert(struct strbuf *req_buf,
{
const struct ref *ref;
struct string_list_item *item;
- char *signing_key = xstrdup(get_signing_key());
+ char *signing_key_id = xstrdup(get_signing_key_id());
const char *cp, *np;
struct strbuf cert = STRBUF_INIT;
int update_seen = 0;
strbuf_addstr(&cert, "certificate version 0.1\n");
- strbuf_addf(&cert, "pusher %s ", signing_key);
+ strbuf_addf(&cert, "pusher %s ", signing_key_id);
datestamp(&cert);
strbuf_addch(&cert, '\n');
if (args->url && *args->url) {
@@ -374,7 +374,7 @@ static int generate_push_cert(struct strbuf *req_buf,
if (!update_seen)
goto free_return;
- if (sign_buffer(&cert, &cert, signing_key))
+ if (sign_buffer(&cert, &cert, get_signing_key()))
die(_("failed to sign the push certificate"));
packet_buf_write(req_buf, "push-cert%c%s", 0, cap_string);
@@ -386,7 +386,7 @@ static int generate_push_cert(struct strbuf *req_buf,
packet_buf_write(req_buf, "push-cert-end\n");
free_return:
- free(signing_key);
+ free(signing_key_id);
strbuf_release(&cert);
return update_seen;
}
--
gitgitgadget
next prev parent reply other threads:[~2021-09-10 20:07 UTC|newest]
Thread overview: 153+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-06 8:19 [PATCH] Add commit & tag signing/verification via SSH keys using ssh-keygen Fabian Stelzer via GitGitGadget
2021-07-06 10:07 ` Han-Wen Nienhuys
2021-07-06 11:23 ` Fabian Stelzer
2021-07-06 14:44 ` brian m. carlson
2021-07-06 15:33 ` Fabian Stelzer
2021-07-06 15:04 ` Junio C Hamano
2021-07-06 15:45 ` Fabian Stelzer
2021-07-06 17:55 ` Junio C Hamano
2021-07-06 19:39 ` Randall S. Becker
2021-07-07 6:26 ` Bagas Sanjaya
2021-07-07 8:48 ` Fabian Stelzer
2021-07-12 12:19 ` [PATCH v2] Add commit, tag & push " Fabian Stelzer via GitGitGadget
2021-07-12 16:55 ` Ævar Arnfjörð Bjarmason
2021-07-12 20:35 ` Fabian Stelzer
2021-07-12 21:16 ` Felipe Contreras
2021-07-14 12:10 ` [PATCH v3 0/9] RFC: Add commit & tag " Fabian Stelzer via GitGitGadget
2021-07-14 12:10 ` [PATCH v3 1/9] Add commit, tag & push signing via SSH keys Fabian Stelzer via GitGitGadget
2021-07-14 18:19 ` Junio C Hamano
2021-07-14 23:57 ` Eric Sunshine
2021-07-15 8:20 ` Fabian Stelzer
2021-07-14 12:10 ` [PATCH v3 2/9] ssh signing: add documentation Fabian Stelzer via GitGitGadget
2021-07-14 20:07 ` Junio C Hamano
2021-07-15 8:48 ` Fabian Stelzer
2021-07-15 10:43 ` Bagas Sanjaya
2021-07-15 16:29 ` Junio C Hamano
2021-07-14 12:10 ` [PATCH v3 3/9] ssh signing: retrieve a default key from ssh-agent Fabian Stelzer via GitGitGadget
2021-07-14 20:20 ` Junio C Hamano
2021-07-15 7:49 ` Han-Wen Nienhuys
2021-07-15 8:06 ` Fabian Stelzer
2021-07-15 8:13 ` Fabian Stelzer
2021-07-14 12:10 ` [PATCH v3 4/9] ssh signing: sign using either gpg or ssh keys Fabian Stelzer via GitGitGadget
2021-07-14 20:32 ` Junio C Hamano
2021-07-15 8:28 ` Fabian Stelzer
2021-07-14 12:10 ` [PATCH v3 5/9] ssh signing: provide a textual representation of the signing key Fabian Stelzer via GitGitGadget
2021-07-14 12:10 ` [PATCH v3 6/9] ssh signing: parse ssh-keygen output and verify signatures Fabian Stelzer via GitGitGadget
2021-07-16 0:07 ` Gwyneth Morgan
2021-07-16 7:00 ` Fabian Stelzer
2021-07-14 12:10 ` [PATCH v3 7/9] ssh signing: add test prereqs Fabian Stelzer via GitGitGadget
2021-07-14 12:10 ` [PATCH v3 8/9] ssh signing: duplicate t7510 tests for commits Fabian Stelzer via GitGitGadget
2021-07-14 12:10 ` [PATCH v3 9/9] ssh signing: add more tests for logs, tags & push certs Fabian Stelzer via GitGitGadget
2021-07-19 13:33 ` [PATCH v4 0/9] ssh signing: Add commit & tag signing/verification via SSH keys using ssh-keygen Fabian Stelzer via GitGitGadget
2021-07-19 13:33 ` [PATCH v4 1/9] ssh signing: preliminary refactoring and clean-up Fabian Stelzer via GitGitGadget
2021-07-19 23:07 ` Junio C Hamano
2021-07-19 13:33 ` [PATCH v4 2/9] ssh signing: add ssh signature format and signing using ssh keys Fabian Stelzer via GitGitGadget
2021-07-19 23:53 ` Junio C Hamano
2021-07-20 12:26 ` Fabian Stelzer
2021-07-19 13:33 ` [PATCH v4 3/9] ssh signing: retrieve a default key from ssh-agent Fabian Stelzer via GitGitGadget
2021-07-19 13:33 ` [PATCH v4 4/9] ssh signing: provide a textual representation of the signing key Fabian Stelzer via GitGitGadget
2021-07-19 13:33 ` [PATCH v4 5/9] ssh signing: parse ssh-keygen output and verify signatures Fabian Stelzer via GitGitGadget
2021-07-19 13:33 ` [PATCH v4 6/9] ssh signing: add test prereqs Fabian Stelzer via GitGitGadget
2021-07-19 13:33 ` [PATCH v4 7/9] ssh signing: duplicate t7510 tests for commits Fabian Stelzer via GitGitGadget
2021-07-19 13:33 ` [PATCH v4 8/9] ssh signing: add more tests for logs, tags & push certs Fabian Stelzer via GitGitGadget
2021-07-19 13:33 ` [PATCH v4 9/9] ssh signing: add documentation Fabian Stelzer via GitGitGadget
2021-07-20 0:38 ` [PATCH v4 0/9] ssh signing: Add commit & tag signing/verification via SSH keys using ssh-keygen Junio C Hamano
2021-07-27 13:15 ` [PATCH v5 " Fabian Stelzer via GitGitGadget
2021-07-27 13:15 ` [PATCH v5 1/9] ssh signing: preliminary refactoring and clean-up Fabian Stelzer via GitGitGadget
2021-07-27 13:15 ` [PATCH v5 2/9] ssh signing: add ssh signature format and signing using ssh keys Fabian Stelzer via GitGitGadget
2021-07-27 13:15 ` [PATCH v5 3/9] ssh signing: retrieve a default key from ssh-agent Fabian Stelzer via GitGitGadget
2021-07-27 13:15 ` [PATCH v5 4/9] ssh signing: provide a textual representation of the signing key Fabian Stelzer via GitGitGadget
2021-07-27 13:15 ` [PATCH v5 5/9] ssh signing: parse ssh-keygen output and verify signatures Fabian Stelzer via GitGitGadget
2021-07-27 13:15 ` [PATCH v5 6/9] ssh signing: add test prereqs Fabian Stelzer via GitGitGadget
2021-07-27 13:15 ` [PATCH v5 7/9] ssh signing: duplicate t7510 tests for commits Fabian Stelzer via GitGitGadget
2021-07-27 13:15 ` [PATCH v5 8/9] ssh signing: add more tests for logs, tags & push certs Fabian Stelzer via GitGitGadget
2021-07-27 13:15 ` [PATCH v5 9/9] ssh signing: add documentation Fabian Stelzer via GitGitGadget
2021-07-28 19:36 ` [PATCH v6 0/9] ssh signing: Add commit & tag signing/verification via SSH keys using ssh-keygen Fabian Stelzer via GitGitGadget
2021-07-28 19:36 ` [PATCH v6 1/9] ssh signing: preliminary refactoring and clean-up Fabian Stelzer via GitGitGadget
2021-07-28 22:32 ` Jonathan Tan
2021-07-29 0:58 ` Junio C Hamano
2021-07-29 7:44 ` Fabian Stelzer
2021-07-29 8:43 ` Fabian Stelzer
2021-07-28 19:36 ` [PATCH v6 2/9] ssh signing: add ssh signature format and signing using ssh keys Fabian Stelzer via GitGitGadget
2021-07-28 22:45 ` Jonathan Tan
2021-07-29 1:01 ` Junio C Hamano
2021-07-29 11:01 ` Fabian Stelzer
2021-07-29 19:09 ` Josh Steadmon
2021-07-29 21:25 ` Fabian Stelzer
2021-07-28 19:36 ` [PATCH v6 3/9] ssh signing: retrieve a default key from ssh-agent Fabian Stelzer via GitGitGadget
2021-07-28 21:29 ` Junio C Hamano
2021-07-28 22:48 ` Jonathan Tan
2021-07-29 8:59 ` Fabian Stelzer
2021-07-29 19:09 ` Josh Steadmon
2021-07-29 19:56 ` Junio C Hamano
2021-07-29 21:21 ` Fabian Stelzer
2021-07-28 19:36 ` [PATCH v6 4/9] ssh signing: provide a textual representation of the signing key Fabian Stelzer via GitGitGadget
2021-07-28 21:34 ` Junio C Hamano
2021-07-29 8:21 ` Fabian Stelzer
2021-07-28 19:36 ` [PATCH v6 5/9] ssh signing: parse ssh-keygen output and verify signatures Fabian Stelzer via GitGitGadget
2021-07-28 21:55 ` Junio C Hamano
2021-07-29 9:12 ` Fabian Stelzer
2021-07-29 20:43 ` Junio C Hamano
2021-07-28 23:04 ` Jonathan Tan
2021-07-29 9:48 ` Fabian Stelzer
2021-07-29 13:52 ` Fabian Stelzer
2021-08-03 7:43 ` Fabian Stelzer
2021-08-03 9:33 ` Fabian Stelzer
2021-07-29 20:46 ` Junio C Hamano
2021-07-29 21:01 ` Randall S. Becker
2021-07-29 21:12 ` Fabian Stelzer
2021-07-29 21:25 ` Randall S. Becker
2021-07-29 21:28 ` Fabian Stelzer
2021-07-29 22:28 ` Randall S. Becker
2021-07-30 8:17 ` Fabian Stelzer
2021-07-30 14:26 ` Randall S. Becker
2021-07-30 14:32 ` Fabian Stelzer
2021-07-30 15:05 ` Randall S. Becker
2021-07-28 19:36 ` [PATCH v6 6/9] ssh signing: add test prereqs Fabian Stelzer via GitGitGadget
2021-07-29 19:09 ` Josh Steadmon
2021-07-29 19:57 ` Junio C Hamano
2021-07-30 7:32 ` Fabian Stelzer
2021-07-28 19:36 ` [PATCH v6 7/9] ssh signing: duplicate t7510 tests for commits Fabian Stelzer via GitGitGadget
2021-07-28 19:36 ` [PATCH v6 8/9] ssh signing: add more tests for logs, tags & push certs Fabian Stelzer via GitGitGadget
2021-07-28 19:36 ` [PATCH v6 9/9] ssh signing: add documentation Fabian Stelzer via GitGitGadget
2021-07-29 8:19 ` [PATCH v6 0/9] ssh signing: Add commit & tag signing/verification via SSH keys using ssh-keygen Bagas Sanjaya
2021-07-29 11:03 ` Fabian Stelzer
2021-08-03 13:45 ` [PATCH v7 " Fabian Stelzer via GitGitGadget
2021-08-03 13:45 ` [PATCH v7 1/9] ssh signing: preliminary refactoring and clean-up Fabian Stelzer via GitGitGadget
2021-08-03 13:45 ` [PATCH v7 2/9] ssh signing: add test prereqs Fabian Stelzer via GitGitGadget
2021-08-03 13:45 ` [PATCH v7 3/9] ssh signing: add ssh key format and signing code Fabian Stelzer via GitGitGadget
2021-08-03 13:45 ` [PATCH v7 4/9] ssh signing: retrieve a default key from ssh-agent Fabian Stelzer via GitGitGadget
2021-08-03 13:45 ` [PATCH v7 5/9] ssh signing: provide a textual signing_key_id Fabian Stelzer via GitGitGadget
2021-08-03 13:45 ` [PATCH v7 6/9] ssh signing: verify signatures using ssh-keygen Fabian Stelzer via GitGitGadget
2021-08-03 23:47 ` Junio C Hamano
2021-08-04 9:01 ` Fabian Stelzer
2021-08-04 17:32 ` Junio C Hamano
2021-08-03 13:45 ` [PATCH v7 7/9] ssh signing: duplicate t7510 tests for commits Fabian Stelzer via GitGitGadget
2021-08-03 13:45 ` [PATCH v7 8/9] ssh signing: tests for logs, tags & push certs Fabian Stelzer via GitGitGadget
2021-08-03 13:45 ` [PATCH v7 9/9] ssh signing: test that gpg fails for unkown keys Fabian Stelzer via GitGitGadget
2021-08-29 22:15 ` [PATCH v7 0/9] ssh signing: Add commit & tag signing/verification via SSH keys using ssh-keygen Junio C Hamano
2021-08-29 23:56 ` Gwyneth Morgan
2021-08-30 10:35 ` Fabian Stelzer
2021-09-07 17:35 ` Junio C Hamano
2021-09-10 8:03 ` Fabian Stelzer
2021-09-10 18:44 ` Junio C Hamano
2021-09-10 19:49 ` Fabian Stelzer
2021-09-10 20:20 ` Carlo Arenas
2021-09-10 20:07 ` [PATCH v8 " Fabian Stelzer via GitGitGadget
2021-09-10 20:07 ` [PATCH v8 1/9] ssh signing: preliminary refactoring and clean-up Fabian Stelzer via GitGitGadget
2021-09-10 20:07 ` [PATCH v8 2/9] ssh signing: add test prereqs Fabian Stelzer via GitGitGadget
2021-09-10 20:07 ` [PATCH v8 3/9] ssh signing: add ssh key format and signing code Fabian Stelzer via GitGitGadget
2021-09-10 20:07 ` [PATCH v8 4/9] ssh signing: retrieve a default key from ssh-agent Fabian Stelzer via GitGitGadget
2021-09-10 20:07 ` Fabian Stelzer via GitGitGadget [this message]
2021-09-10 20:07 ` [PATCH v8 6/9] ssh signing: verify signatures using ssh-keygen Fabian Stelzer via GitGitGadget
2021-09-10 20:07 ` [PATCH v8 7/9] ssh signing: duplicate t7510 tests for commits Fabian Stelzer via GitGitGadget
2021-09-10 20:07 ` [PATCH v8 8/9] ssh signing: tests for logs, tags & push certs Fabian Stelzer via GitGitGadget
2021-09-10 20:07 ` [PATCH v8 9/9] ssh signing: test that gpg fails for unknown keys Fabian Stelzer via GitGitGadget
2021-12-22 3:18 ` t7510-signed-commit.sh hangs on old gpg, regression in 1bfb57f642d (was: [PATCH v8 9/9] ssh signing: test that gpg fails for unknown keys) Ævar Arnfjörð Bjarmason
2021-12-22 10:13 ` Fabian Stelzer
2021-12-22 15:58 ` brian m. carlson
2021-12-26 22:53 ` Ævar Arnfjörð Bjarmason
2021-12-30 11:10 ` Fabian Stelzer
2021-09-10 20:23 ` [PATCH v8 0/9] ssh signing: Add commit & tag signing/verification via SSH keys using ssh-keygen Junio C Hamano
2021-09-10 20:48 ` Fabian Stelzer
2021-09-10 21:01 ` Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0864ed04670c271c3e686cc5301bebd45eae2242.1631304462.git.gitgitgadget@gmail.com \
--to=gitgitgadget@gmail.com \
--cc=avarab@gmail.com \
--cc=bagasdotme@gmail.com \
--cc=fabian@stelzer.cloud \
--cc=felipe.contreras@gmail.com \
--cc=fs@gigacodes.de \
--cc=git@vger.kernel.org \
--cc=gwymor@tilde.club \
--cc=hanwen@google.com \
--cc=hji@dyntopia.com \
--cc=jonathantanmy@google.com \
--cc=rsbecker@nexbridge.com \
--cc=sandals@crustytoothpaste.net \
--cc=steadmon@google.com \
--cc=sunshine@sunshineco.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.