From patchwork Wed Dec 8 23:43:06 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Junio C Hamano X-Patchwork-Id: 12665515 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id F31D9C433F5 for ; Wed, 8 Dec 2021 23:43:20 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S241192AbhLHXqw (ORCPT ); Wed, 8 Dec 2021 18:46:52 -0500 Received: from pb-smtp2.pobox.com ([64.147.108.71]:61152 "EHLO pb-smtp2.pobox.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S241171AbhLHXqt (ORCPT ); Wed, 8 Dec 2021 18:46:49 -0500 Received: from pb-smtp2.pobox.com (unknown [127.0.0.1]) by pb-smtp2.pobox.com (Postfix) with ESMTP id A7D31ECD70; Wed, 8 Dec 2021 18:43:16 -0500 (EST) (envelope-from gitster@pobox.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=pobox.com; h=from:to:cc :subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; s=sasl; bh=qnTwghWVxQCrTAvd9KW4gEXFJ MDcvzDiLrtdrmlsit0=; b=QZWJY4DzgiWXcfuQu271YEiQK8zuocTX9DnxxiWvU Dk7LE2u0Ijrn748i6nu6HmhoHpFjSuMS2PcNpGXTgfjOwlHjVvLsW6V2mgiib6n1 kW4Q1wsI7RFm+LI0qy+eNiGiXvP0Ib+vaHX2ttohBCCUlCEoOCpdyS2DjmUGBbx7 3Y= Received: from pb-smtp2.nyi.icgroup.com (unknown [127.0.0.1]) by pb-smtp2.pobox.com (Postfix) with ESMTP id A0693ECD6F; Wed, 8 Dec 2021 18:43:16 -0500 (EST) (envelope-from gitster@pobox.com) Received: from pobox.com (unknown [104.133.2.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pb-smtp2.pobox.com (Postfix) with ESMTPSA id 05CE7ECD6E; Wed, 8 Dec 2021 18:43:15 -0500 (EST) (envelope-from gitster@pobox.com) From: Junio C Hamano To: git@vger.kernel.org Cc: Fabian Stelzer Subject: [PATCH v5.1 1/8] t/fmt-merge-msg: make gpg/ssh tests more specific Date: Wed, 8 Dec 2021 15:43:06 -0800 Message-Id: <20211208234313.3052303-2-gitster@pobox.com> X-Mailer: git-send-email 2.34.1-365-gae484d3562 In-Reply-To: <20211208234313.3052303-1-gitster@pobox.com> References: <20211208234313.3052303-1-gitster@pobox.com> MIME-Version: 1.0 X-Pobox-Relay-ID: 9D56E03C-5880-11EC-A97C-C48D900A682E-77302942!pb-smtp2.pobox.com Precedence: bulk List-ID: X-Mailing-List: git@vger.kernel.org From: Fabian Stelzer All the GPG and GPGSSH tests are redirecing stdout as well as stderr to `actual` and grep for success/failure over the resulting file. However, no output is printed on stderr and we do not need to include it in the grep. Signed-off-by: Fabian Stelzer Signed-off-by: Junio C Hamano --- t/t6200-fmt-merge-msg.sh | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/t/t6200-fmt-merge-msg.sh b/t/t6200-fmt-merge-msg.sh index 06c5fb5615..b18ba58745 100755 --- a/t/t6200-fmt-merge-msg.sh +++ b/t/t6200-fmt-merge-msg.sh @@ -104,7 +104,7 @@ test_expect_success 'message for merging local branch' ' test_expect_success GPG 'message for merging local tag signed by good key' ' git checkout main && git fetch . signed-good-tag && - git fmt-merge-msg <.git/FETCH_HEAD >actual 2>&1 && + git fmt-merge-msg <.git/FETCH_HEAD >actual && grep "^Merge tag ${apos}signed-good-tag${apos}" actual && grep "^# gpg: Signature made" actual && grep "^# gpg: Good signature from" actual @@ -113,7 +113,7 @@ test_expect_success GPG 'message for merging local tag signed by good key' ' test_expect_success GPG 'message for merging local tag signed by unknown key' ' git checkout main && git fetch . signed-good-tag && - GNUPGHOME=. git fmt-merge-msg <.git/FETCH_HEAD >actual 2>&1 && + GNUPGHOME=. git fmt-merge-msg <.git/FETCH_HEAD >actual && grep "^Merge tag ${apos}signed-good-tag${apos}" actual && grep "^# gpg: Signature made" actual && grep -E "^# gpg: Can${apos}t check signature: (public key not found|No public key)" actual @@ -123,7 +123,7 @@ test_expect_success GPGSSH 'message for merging local tag signed by good ssh key test_config gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" && git checkout main && git fetch . signed-good-ssh-tag && - git fmt-merge-msg <.git/FETCH_HEAD >actual 2>&1 && + git fmt-merge-msg <.git/FETCH_HEAD >actual && grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual && ! grep "${GPGSSH_BAD_SIGNATURE}" actual ' @@ -132,7 +132,8 @@ test_expect_success GPGSSH 'message for merging local tag signed by unknown ssh test_config gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" && git checkout main && git fetch . signed-untrusted-ssh-tag && - git fmt-merge-msg <.git/FETCH_HEAD >actual 2>&1 && + git fmt-merge-msg <.git/FETCH_HEAD >actual && + grep "^Merge tag ${apos}signed-untrusted-ssh-tag${apos}" actual && grep "${GPGSSH_GOOD_SIGNATURE_UNTRUSTED}" actual && ! grep "${GPGSSH_BAD_SIGNATURE}" actual && grep "${GPGSSH_KEY_NOT_TRUSTED}" actual From patchwork Wed Dec 8 23:43:07 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Junio C Hamano X-Patchwork-Id: 12665517 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 67277C433F5 for ; Wed, 8 Dec 2021 23:43:25 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S241202AbhLHXqx (ORCPT ); Wed, 8 Dec 2021 18:46:53 -0500 Received: from pb-smtp1.pobox.com ([64.147.108.70]:51696 "EHLO pb-smtp1.pobox.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S241204AbhLHXqv (ORCPT ); Wed, 8 Dec 2021 18:46:51 -0500 Received: from pb-smtp1.pobox.com (unknown [127.0.0.1]) by pb-smtp1.pobox.com (Postfix) with ESMTP id 8A2A3F4292; Wed, 8 Dec 2021 18:43:18 -0500 (EST) (envelope-from gitster@pobox.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=pobox.com; h=from:to:cc :subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; s=sasl; bh=g+EukEHUyF9Aip0Gf3G+bLfAD a0DUGdxl2hY4+sgKog=; b=uH2nwzIVBxP1v8/ydwxEYt0UPxsIqlyvvZI7Vs2nq 9gcYXxQsUc9gNI+PvcdTVdhQS9x0d9Hmf0oFZL5TLiRiY1FAm1tbLlerjtnVJ25p OmKMHwEsH/AyyeFey8RKiJW9JT4sA1Vvf34ZTZrJ8KIbkfsbiP9L783/Coln3l0q s4= Received: from pb-smtp1.nyi.icgroup.com (unknown [127.0.0.1]) by pb-smtp1.pobox.com (Postfix) with ESMTP id 80C09F4291; Wed, 8 Dec 2021 18:43:18 -0500 (EST) (envelope-from gitster@pobox.com) Received: from pobox.com (unknown [104.133.2.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pb-smtp1.pobox.com (Postfix) with ESMTPSA id 9AB58F428F; Wed, 8 Dec 2021 18:43:17 -0500 (EST) (envelope-from gitster@pobox.com) From: Junio C Hamano To: git@vger.kernel.org Cc: Fabian Stelzer Subject: [PATCH v5.1 2/8] ssh signing: use sigc struct to pass payload Date: Wed, 8 Dec 2021 15:43:07 -0800 Message-Id: <20211208234313.3052303-3-gitster@pobox.com> X-Mailer: git-send-email 2.34.1-365-gae484d3562 In-Reply-To: <20211208234313.3052303-1-gitster@pobox.com> References: <20211208234313.3052303-1-gitster@pobox.com> MIME-Version: 1.0 X-Pobox-Relay-ID: 9E4C5F08-5880-11EC-8B74-E10CCAD8090B-77302942!pb-smtp1.pobox.com Precedence: bulk List-ID: X-Mailing-List: git@vger.kernel.org From: Fabian Stelzer To be able to extend the payload metadata with things like its creation timestamp or the creators ident we remove the payload parameters to check_signature() and use the already existing sigc->payload field instead, only adding the length field to the struct. This also allows us to get rid of the xmemdupz() calls in the verify functions. Since sigc is now used to input data as well as output the result move it to the front of the function list. - Add payload_length to struct signature_check - Populate sigc.payload/payload_len on all call sites - Remove payload parameters to check_signature() - Remove payload parameters to internal verify_* functions and use sigc instead - Remove xmemdupz() used for verbose output since payload is now already populated. Signed-off-by: Fabian Stelzer Signed-off-by: Junio C Hamano --- builtin/receive-pack.c | 6 ++++-- commit.c | 5 +++-- fmt-merge-msg.c | 4 ++-- gpg-interface.c | 37 +++++++++++++++++-------------------- gpg-interface.h | 6 +++--- log-tree.c | 8 ++++---- tag.c | 4 ++-- 7 files changed, 35 insertions(+), 35 deletions(-) diff --git a/builtin/receive-pack.c b/builtin/receive-pack.c index 49b846d960..61ab63c2ea 100644 --- a/builtin/receive-pack.c +++ b/builtin/receive-pack.c @@ -769,8 +769,10 @@ static void prepare_push_cert_sha1(struct child_process *proc) memset(&sigcheck, '\0', sizeof(sigcheck)); bogs = parse_signed_buffer(push_cert.buf, push_cert.len); - check_signature(push_cert.buf, bogs, push_cert.buf + bogs, - push_cert.len - bogs, &sigcheck); + sigcheck.payload = xmemdupz(push_cert.buf, bogs); + sigcheck.payload_len = bogs; + check_signature(&sigcheck, push_cert.buf + bogs, + push_cert.len - bogs); nonce_status = check_nonce(push_cert.buf, bogs); } diff --git a/commit.c b/commit.c index 551de4903c..64e040a99b 100644 --- a/commit.c +++ b/commit.c @@ -1212,8 +1212,9 @@ int check_commit_signature(const struct commit *commit, struct signature_check * if (parse_signed_commit(commit, &payload, &signature, the_hash_algo) <= 0) goto out; - ret = check_signature(payload.buf, payload.len, signature.buf, - signature.len, sigc); + + sigc->payload = strbuf_detach(&payload, &sigc->payload_len); + ret = check_signature(sigc, signature.buf, signature.len); out: strbuf_release(&payload); diff --git a/fmt-merge-msg.c b/fmt-merge-msg.c index 5216191488..deca1ea3a3 100644 --- a/fmt-merge-msg.c +++ b/fmt-merge-msg.c @@ -533,8 +533,8 @@ static void fmt_merge_msg_sigs(struct strbuf *out) else { buf = payload.buf; len = payload.len; - if (check_signature(payload.buf, payload.len, sig.buf, - sig.len, &sigc) && + sigc.payload = strbuf_detach(&payload, &sigc.payload_len); + if (check_signature(&sigc, sig.buf, sig.len) && !sigc.output) strbuf_addstr(&sig, "gpg verification failed.\n"); else diff --git a/gpg-interface.c b/gpg-interface.c index 3e7255a2a9..75ab6faacb 100644 --- a/gpg-interface.c +++ b/gpg-interface.c @@ -19,8 +19,8 @@ struct gpg_format { const char **verify_args; const char **sigs; int (*verify_signed_buffer)(struct signature_check *sigc, - struct gpg_format *fmt, const char *payload, - size_t payload_size, const char *signature, + struct gpg_format *fmt, + const char *signature, size_t signature_size); int (*sign_buffer)(struct strbuf *buffer, struct strbuf *signature, const char *signing_key); @@ -53,12 +53,12 @@ static const char *ssh_sigs[] = { }; static int verify_gpg_signed_buffer(struct signature_check *sigc, - struct gpg_format *fmt, const char *payload, - size_t payload_size, const char *signature, + struct gpg_format *fmt, + const char *signature, size_t signature_size); static int verify_ssh_signed_buffer(struct signature_check *sigc, - struct gpg_format *fmt, const char *payload, - size_t payload_size, const char *signature, + struct gpg_format *fmt, + const char *signature, size_t signature_size); static int sign_buffer_gpg(struct strbuf *buffer, struct strbuf *signature, const char *signing_key); @@ -314,8 +314,8 @@ static void parse_gpg_output(struct signature_check *sigc) } static int verify_gpg_signed_buffer(struct signature_check *sigc, - struct gpg_format *fmt, const char *payload, - size_t payload_size, const char *signature, + struct gpg_format *fmt, + const char *signature, size_t signature_size) { struct child_process gpg = CHILD_PROCESS_INIT; @@ -343,14 +343,13 @@ static int verify_gpg_signed_buffer(struct signature_check *sigc, NULL); sigchain_push(SIGPIPE, SIG_IGN); - ret = pipe_command(&gpg, payload, payload_size, &gpg_stdout, 0, + ret = pipe_command(&gpg, sigc->payload, sigc->payload_len, &gpg_stdout, 0, &gpg_stderr, 0); sigchain_pop(SIGPIPE); delete_tempfile(&temp); ret |= !strstr(gpg_stdout.buf, "\n[GNUPG:] GOODSIG "); - sigc->payload = xmemdupz(payload, payload_size); sigc->output = strbuf_detach(&gpg_stderr, NULL); sigc->gpg_status = strbuf_detach(&gpg_stdout, NULL); @@ -426,8 +425,8 @@ static void parse_ssh_output(struct signature_check *sigc) } static int verify_ssh_signed_buffer(struct signature_check *sigc, - struct gpg_format *fmt, const char *payload, - size_t payload_size, const char *signature, + struct gpg_format *fmt, + const char *signature, size_t signature_size) { struct child_process ssh_keygen = CHILD_PROCESS_INIT; @@ -480,7 +479,7 @@ static int verify_ssh_signed_buffer(struct signature_check *sigc, "-n", "git", "-s", buffer_file->filename.buf, NULL); - pipe_command(&ssh_keygen, payload, payload_size, + pipe_command(&ssh_keygen, sigc->payload, sigc->payload_len, &ssh_keygen_out, 0, &ssh_keygen_err, 0); /* @@ -526,7 +525,7 @@ static int verify_ssh_signed_buffer(struct signature_check *sigc, } sigchain_push(SIGPIPE, SIG_IGN); - ret = pipe_command(&ssh_keygen, payload, payload_size, + ret = pipe_command(&ssh_keygen, sigc->payload, sigc->payload_len, &ssh_keygen_out, 0, &ssh_keygen_err, 0); sigchain_pop(SIGPIPE); @@ -540,7 +539,6 @@ static int verify_ssh_signed_buffer(struct signature_check *sigc, } } - sigc->payload = xmemdupz(payload, payload_size); strbuf_stripspace(&ssh_keygen_out, 0); strbuf_stripspace(&ssh_keygen_err, 0); /* Add stderr outputs to show the user actual ssh-keygen errors */ @@ -562,8 +560,8 @@ static int verify_ssh_signed_buffer(struct signature_check *sigc, return ret; } -int check_signature(const char *payload, size_t plen, const char *signature, - size_t slen, struct signature_check *sigc) +int check_signature(struct signature_check *sigc, + const char *signature, size_t slen) { struct gpg_format *fmt; int status; @@ -575,8 +573,7 @@ int check_signature(const char *payload, size_t plen, const char *signature, if (!fmt) die(_("bad/incompatible signature '%s'"), signature); - status = fmt->verify_signed_buffer(sigc, fmt, payload, plen, signature, - slen); + status = fmt->verify_signed_buffer(sigc, fmt, signature, slen); if (status && !sigc->output) return !!status; @@ -593,7 +590,7 @@ void print_signature_buffer(const struct signature_check *sigc, unsigned flags) sigc->output; if (flags & GPG_VERIFY_VERBOSE && sigc->payload) - fputs(sigc->payload, stdout); + fwrite(sigc->payload, 1, sigc->payload_len, stdout); if (output) fputs(output, stderr); diff --git a/gpg-interface.h b/gpg-interface.h index beefacbb1e..5ee7d8b6b9 100644 --- a/gpg-interface.h +++ b/gpg-interface.h @@ -17,6 +17,7 @@ enum signature_trust_level { struct signature_check { char *payload; + size_t payload_len; char *output; char *gpg_status; @@ -70,9 +71,8 @@ const char *get_signing_key(void); * Either a GPG KeyID or a SSH Key Fingerprint */ const char *get_signing_key_id(void); -int check_signature(const char *payload, size_t plen, - const char *signature, size_t slen, - struct signature_check *sigc); +int check_signature(struct signature_check *sigc, + const char *signature, size_t slen); void print_signature_buffer(const struct signature_check *sigc, unsigned flags); diff --git a/log-tree.c b/log-tree.c index 644893fd8c..a46cf60e1e 100644 --- a/log-tree.c +++ b/log-tree.c @@ -513,8 +513,8 @@ static void show_signature(struct rev_info *opt, struct commit *commit) if (parse_signed_commit(commit, &payload, &signature, the_hash_algo) <= 0) goto out; - status = check_signature(payload.buf, payload.len, signature.buf, - signature.len, &sigc); + sigc.payload = strbuf_detach(&payload, &sigc.payload_len); + status = check_signature(&sigc, signature.buf, signature.len); if (status && !sigc.output) show_sig_lines(opt, status, "No signature\n"); else @@ -583,8 +583,8 @@ static int show_one_mergetag(struct commit *commit, status = -1; if (parse_signature(extra->value, extra->len, &payload, &signature)) { /* could have a good signature */ - status = check_signature(payload.buf, payload.len, - signature.buf, signature.len, &sigc); + sigc.payload = strbuf_detach(&payload, &sigc.payload_len); + status = check_signature(&sigc, signature.buf, signature.len); if (sigc.output) strbuf_addstr(&verify_message, sigc.output); else diff --git a/tag.c b/tag.c index 3e18a41841..62fb09f5a5 100644 --- a/tag.c +++ b/tag.c @@ -25,8 +25,8 @@ static int run_gpg_verify(const char *buf, unsigned long size, unsigned flags) return error("no signature found"); } - ret = check_signature(payload.buf, payload.len, signature.buf, - signature.len, &sigc); + sigc.payload = strbuf_detach(&payload, &sigc.payload_len); + ret = check_signature(&sigc, signature.buf, signature.len); if (!(flags & GPG_VERIFY_OMIT_STATUS)) print_signature_buffer(&sigc, flags); From patchwork Wed Dec 8 23:43:08 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Junio C Hamano X-Patchwork-Id: 12665519 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id A5F22C433FE for ; Wed, 8 Dec 2021 23:43:25 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S241171AbhLHXq4 (ORCPT ); Wed, 8 Dec 2021 18:46:56 -0500 Received: from pb-smtp20.pobox.com ([173.228.157.52]:54215 "EHLO pb-smtp20.pobox.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S241198AbhLHXq4 (ORCPT ); Wed, 8 Dec 2021 18:46:56 -0500 Received: from pb-smtp20.pobox.com (unknown [127.0.0.1]) by pb-smtp20.pobox.com (Postfix) with ESMTP id 9249C174107; Wed, 8 Dec 2021 18:43:23 -0500 (EST) (envelope-from gitster@pobox.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=pobox.com; h=from:to:cc :subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; s=sasl; bh=KonDw/WEf2kNYEeFA1bofBimb qjiqZerLr5IilNFymk=; b=tnhJ/TygM19V560BA2n1HQXBVq7i0UDrY4m5RFaYf lcDS0IlE4MntrputEQrzbkHC/C0GQcvUshlWobe+od2D22H0keOHV/8bNaj+5QFe kCArchwcX+PphIyWFfZGC/eGUU6hqsJrSuRHqXYMYBix6w57xLqPLh3kTiJgtop0 y4= Received: from pb-smtp20.sea.icgroup.com (unknown [127.0.0.1]) by pb-smtp20.pobox.com (Postfix) with ESMTP id 8973A174106; Wed, 8 Dec 2021 18:43:23 -0500 (EST) (envelope-from gitster@pobox.com) Received: from pobox.com (unknown [104.133.2.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pb-smtp20.pobox.com (Postfix) with ESMTPSA id 857D8174105; Wed, 8 Dec 2021 18:43:19 -0500 (EST) (envelope-from gitster@pobox.com) From: Junio C Hamano To: git@vger.kernel.org Cc: Fabian Stelzer Subject: [PATCH v5.1 3/8] ssh signing: add key lifetime test prereqs Date: Wed, 8 Dec 2021 15:43:08 -0800 Message-Id: <20211208234313.3052303-4-gitster@pobox.com> X-Mailer: git-send-email 2.34.1-365-gae484d3562 In-Reply-To: <20211208234313.3052303-1-gitster@pobox.com> References: <20211208234313.3052303-1-gitster@pobox.com> MIME-Version: 1.0 X-Pobox-Relay-ID: 9F6FD19E-5880-11EC-94B0-F327CE9DA9D6-77302942!pb-smtp20.pobox.com Precedence: bulk List-ID: X-Mailing-List: git@vger.kernel.org From: Fabian Stelzer if ssh-keygen supports -Overify-time, add test keys marked as expired, not yet valid and valid both within the test_tick timeframe and outside of it. Signed-off-by: Fabian Stelzer Signed-off-by: Junio C Hamano --- t/lib-gpg.sh | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/t/lib-gpg.sh b/t/lib-gpg.sh index a3f285f515..fc03c8f89b 100644 --- a/t/lib-gpg.sh +++ b/t/lib-gpg.sh @@ -90,6 +90,10 @@ test_lazy_prereq RFC1991 ' GPGSSH_KEY_PRIMARY="${GNUPGHOME}/ed25519_ssh_signing_key" GPGSSH_KEY_SECONDARY="${GNUPGHOME}/rsa_2048_ssh_signing_key" GPGSSH_KEY_UNTRUSTED="${GNUPGHOME}/untrusted_ssh_signing_key" +GPGSSH_KEY_EXPIRED="${GNUPGHOME}/expired_ssh_signing_key" +GPGSSH_KEY_NOTYETVALID="${GNUPGHOME}/notyetvalid_ssh_signing_key" +GPGSSH_KEY_TIMEBOXEDVALID="${GNUPGHOME}/timeboxed_valid_ssh_signing_key" +GPGSSH_KEY_TIMEBOXEDINVALID="${GNUPGHOME}/timeboxed_invalid_ssh_signing_key" GPGSSH_KEY_WITH_PASSPHRASE="${GNUPGHOME}/protected_ssh_signing_key" GPGSSH_KEY_PASSPHRASE="super_secret" GPGSSH_ALLOWED_SIGNERS="${GNUPGHOME}/ssh.all_valid.allowedSignersFile" @@ -119,7 +123,20 @@ test_lazy_prereq GPGSSH ' echo "\"principal with number 2\" $(cat "${GPGSSH_KEY_SECONDARY}.pub")" >> "${GPGSSH_ALLOWED_SIGNERS}" && ssh-keygen -t ed25519 -N "${GPGSSH_KEY_PASSPHRASE}" -C "git ed25519 encrypted key" -f "${GPGSSH_KEY_WITH_PASSPHRASE}" >/dev/null && echo "\"principal with number 3\" $(cat "${GPGSSH_KEY_WITH_PASSPHRASE}.pub")" >> "${GPGSSH_ALLOWED_SIGNERS}" && - ssh-keygen -t ed25519 -N "" -f "${GPGSSH_KEY_UNTRUSTED}" >/dev/null + ssh-keygen -t ed25519 -N "" -C "git ed25519 key" -f "${GPGSSH_KEY_UNTRUSTED}" >/dev/null +' + +test_lazy_prereq GPGSSH_VERIFYTIME ' + # Check if ssh-keygen has a verify-time option by passing an invalid date to it + ssh-keygen -Overify-time=INVALID -Y check-novalidate -s doesnotmatter 2>&1 | grep -q -F "Invalid \"verify-time\"" && + ssh-keygen -t ed25519 -N "" -C "timeboxed valid key" -f "${GPGSSH_KEY_TIMEBOXEDVALID}" >/dev/null && + echo "\"timeboxed valid key\" valid-after=\"20050407000000\",valid-before=\"200504100000\" $(cat "${GPGSSH_KEY_TIMEBOXEDVALID}.pub")" >> "${GPGSSH_ALLOWED_SIGNERS}" && + ssh-keygen -t ed25519 -N "" -C "timeboxed invalid key" -f "${GPGSSH_KEY_TIMEBOXEDINVALID}" >/dev/null && + echo "\"timeboxed invalid key\" valid-after=\"20050401000000\",valid-before=\"20050402000000\" $(cat "${GPGSSH_KEY_TIMEBOXEDINVALID}.pub")" >> "${GPGSSH_ALLOWED_SIGNERS}" && + ssh-keygen -t ed25519 -N "" -C "expired key" -f "${GPGSSH_KEY_EXPIRED}" >/dev/null && + echo "\"principal with expired key\" valid-before=\"20000101000000\" $(cat "${GPGSSH_KEY_EXPIRED}.pub")" >> "${GPGSSH_ALLOWED_SIGNERS}" && + ssh-keygen -t ed25519 -N "" -C "not yet valid key" -f "${GPGSSH_KEY_NOTYETVALID}" >/dev/null && + echo "\"principal with not yet valid key\" valid-after=\"29990101000000\" $(cat "${GPGSSH_KEY_NOTYETVALID}.pub")" >> "${GPGSSH_ALLOWED_SIGNERS}" ' sanitize_pgp() { From patchwork Wed Dec 8 23:43:09 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Junio C Hamano X-Patchwork-Id: 12665521 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id D59CCC433F5 for ; Wed, 8 Dec 2021 23:43:29 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S241217AbhLHXrB (ORCPT ); Wed, 8 Dec 2021 18:47:01 -0500 Received: from pb-smtp21.pobox.com ([173.228.157.53]:52128 "EHLO pb-smtp21.pobox.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S241198AbhLHXrA (ORCPT ); Wed, 8 Dec 2021 18:47:00 -0500 Received: from pb-smtp21.pobox.com (unknown [127.0.0.1]) by pb-smtp21.pobox.com (Postfix) with ESMTP id 95AF51605AF; Wed, 8 Dec 2021 18:43:27 -0500 (EST) (envelope-from gitster@pobox.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=pobox.com; h=from:to:cc :subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; s=sasl; bh=2WplS0V21UM0vV78+vgDmhOtB dODQoDpN9G7SlFA4K4=; b=L2YxiMlD0xQ6FcVfaURzKN0QytBYWEloW2SLlnrUE tb0jCYazdwBZkRR09+e1aD9P39N5dtsmR9PgMI925qUXUQd0izVz8SinACpf57Ru Vu6cXlty6dxlmvXyN7dH5p2ejvWBaB+quypUezL2WmdYCvk+5PZqvwCim/RIXyE6 6Y= Received: from pb-smtp21.sea.icgroup.com (unknown [127.0.0.1]) by pb-smtp21.pobox.com (Postfix) with ESMTP id 8EF3A1605AD; Wed, 8 Dec 2021 18:43:27 -0500 (EST) (envelope-from gitster@pobox.com) Received: from pobox.com (unknown [104.133.2.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pb-smtp21.pobox.com (Postfix) with ESMTPSA id 933171605AC; Wed, 8 Dec 2021 18:43:23 -0500 (EST) (envelope-from gitster@pobox.com) From: Junio C Hamano To: git@vger.kernel.org Cc: Fabian Stelzer Subject: [PATCH v5.1 4/8] ssh signing: make verify-commit consider key lifetime Date: Wed, 8 Dec 2021 15:43:09 -0800 Message-Id: <20211208234313.3052303-5-gitster@pobox.com> X-Mailer: git-send-email 2.34.1-365-gae484d3562 In-Reply-To: <20211208234313.3052303-1-gitster@pobox.com> References: <20211208234313.3052303-1-gitster@pobox.com> MIME-Version: 1.0 X-Pobox-Relay-ID: A1DABC8C-5880-11EC-BB52-98D80D944F46-77302942!pb-smtp21.pobox.com Precedence: bulk List-ID: X-Mailing-List: git@vger.kernel.org From: Fabian Stelzer If valid-before/after dates are configured for this signatures key in the allowedSigners file then the verification should check if the key was valid at the time the commit was made. This allows for graceful key rollover and revoking keys without invalidating all previous commits. This feature needs openssh > 8.8. Older ssh-keygen versions will simply ignore this flag and use the current time. Strictly speaking this feature is available in 8.7, but since 8.7 has a bug that makes it unusable in another needed call we require 8.8. Timestamp information is present on most invocations of check_signature. However signer ident is not. We will need the signer email / name to be able to implement "Trust on first use" functionality later. Since the payload contains all necessary information we can parse it from there. The caller only needs to provide us some info about the payload by setting payload_type in the signature_check struct. - Add payload_type field & enum and payload_timestamp to struct signature_check - Populate the timestamp when not already set if we know about the payload type - Pass -Overify-time={payload_timestamp} in the users timezone to all ssh-keygen verification calls - Set the payload type when verifying commits - Add tests for expired, not yet valid and keys having a commit date outside of key validity as well as within Signed-off-by: Fabian Stelzer Signed-off-by: Junio C Hamano --- Documentation/config/gpg.txt | 5 ++++ commit.c | 1 + gpg-interface.c | 53 ++++++++++++++++++++++++++++++++++++ gpg-interface.h | 9 ++++++ t/t7528-signed-commit-ssh.sh | 42 ++++++++++++++++++++++++++++ 5 files changed, 110 insertions(+) diff --git a/Documentation/config/gpg.txt b/Documentation/config/gpg.txt index 4f30c7dbdd..c9be554c73 100644 --- a/Documentation/config/gpg.txt +++ b/Documentation/config/gpg.txt @@ -64,6 +64,11 @@ A repository that only allows signed commits can store the file in the repository itself using a path relative to the top-level of the working tree. This way only committers with an already valid key can add or change keys in the keyring. + +Since OpensSSH 8.8 this file allows specifying a key lifetime using valid-after & +valid-before options. Git will mark signatures as valid if the signing key was +valid at the time of the signatures creation. This allows users to change a +signing key without invalidating all previously made signatures. ++ Using a SSH CA key with the cert-authority option (see ssh-keygen(1) "CERTIFICATES") is also valid. diff --git a/commit.c b/commit.c index 64e040a99b..a348f085b2 100644 --- a/commit.c +++ b/commit.c @@ -1213,6 +1213,7 @@ int check_commit_signature(const struct commit *commit, struct signature_check * if (parse_signed_commit(commit, &payload, &signature, the_hash_algo) <= 0) goto out; + sigc->payload_type = SIGNATURE_PAYLOAD_COMMIT; sigc->payload = strbuf_detach(&payload, &sigc->payload_len); ret = check_signature(sigc, signature.buf, signature.len); diff --git a/gpg-interface.c b/gpg-interface.c index 75ab6faacb..330cfc5845 100644 --- a/gpg-interface.c +++ b/gpg-interface.c @@ -439,6 +439,13 @@ static int verify_ssh_signed_buffer(struct signature_check *sigc, struct strbuf ssh_principals_err = STRBUF_INIT; struct strbuf ssh_keygen_out = STRBUF_INIT; struct strbuf ssh_keygen_err = STRBUF_INIT; + struct strbuf verify_time = STRBUF_INIT; + const struct date_mode verify_date_mode = { + .type = DATE_STRFTIME, + .strftime_fmt = "%Y%m%d%H%M%S", + /* SSH signing key validity has no timezone information - Use the local timezone */ + .local = 1, + }; if (!ssh_allowed_signers) { error(_("gpg.ssh.allowedSignersFile needs to be configured and exist for ssh signature verification")); @@ -456,11 +463,16 @@ static int verify_ssh_signed_buffer(struct signature_check *sigc, return -1; } + if (sigc->payload_timestamp) + strbuf_addf(&verify_time, "-Overify-time=%s", + show_date(sigc->payload_timestamp, 0, &verify_date_mode)); + /* Find the principal from the signers */ strvec_pushl(&ssh_keygen.args, fmt->program, "-Y", "find-principals", "-f", ssh_allowed_signers, "-s", buffer_file->filename.buf, + verify_time.buf, NULL); ret = pipe_command(&ssh_keygen, NULL, 0, &ssh_principals_out, 0, &ssh_principals_err, 0); @@ -478,6 +490,7 @@ static int verify_ssh_signed_buffer(struct signature_check *sigc, "-Y", "check-novalidate", "-n", "git", "-s", buffer_file->filename.buf, + verify_time.buf, NULL); pipe_command(&ssh_keygen, sigc->payload, sigc->payload_len, &ssh_keygen_out, 0, &ssh_keygen_err, 0); @@ -512,6 +525,7 @@ static int verify_ssh_signed_buffer(struct signature_check *sigc, "-f", ssh_allowed_signers, "-I", principal, "-s", buffer_file->filename.buf, + verify_time.buf, NULL); if (ssh_revocation_file) { @@ -556,10 +570,46 @@ static int verify_ssh_signed_buffer(struct signature_check *sigc, strbuf_release(&ssh_principals_err); strbuf_release(&ssh_keygen_out); strbuf_release(&ssh_keygen_err); + strbuf_release(&verify_time); return ret; } +static int parse_payload_metadata(struct signature_check *sigc) +{ + const char *ident_line = NULL; + size_t ident_len; + struct ident_split ident; + const char *signer_header; + + switch (sigc->payload_type) { + case SIGNATURE_PAYLOAD_COMMIT: + signer_header = "committer"; + break; + case SIGNATURE_PAYLOAD_TAG: + signer_header = "tagger"; + break; + case SIGNATURE_PAYLOAD_UNDEFINED: + case SIGNATURE_PAYLOAD_PUSH_CERT: + /* Ignore payloads we don't want to parse */ + return 0; + default: + BUG("invalid value for sigc->payload_type"); + } + + ident_line = find_commit_header(sigc->payload, signer_header, &ident_len); + if (!ident_line || !ident_len) + return 1; + + if (split_ident_line(&ident, ident_line, ident_len)) + return 1; + + if (!sigc->payload_timestamp && ident.date_begin && ident.date_end) + sigc->payload_timestamp = parse_timestamp(ident.date_begin, NULL, 10); + + return 0; +} + int check_signature(struct signature_check *sigc, const char *signature, size_t slen) { @@ -573,6 +623,9 @@ int check_signature(struct signature_check *sigc, if (!fmt) die(_("bad/incompatible signature '%s'"), signature); + if (parse_payload_metadata(sigc)) + return 1; + status = fmt->verify_signed_buffer(sigc, fmt, signature, slen); if (status && !sigc->output) diff --git a/gpg-interface.h b/gpg-interface.h index 5ee7d8b6b9..b30cbdcd3d 100644 --- a/gpg-interface.h +++ b/gpg-interface.h @@ -15,9 +15,18 @@ enum signature_trust_level { TRUST_ULTIMATE, }; +enum payload_type { + SIGNATURE_PAYLOAD_UNDEFINED, + SIGNATURE_PAYLOAD_COMMIT, + SIGNATURE_PAYLOAD_TAG, + SIGNATURE_PAYLOAD_PUSH_CERT, +}; + struct signature_check { char *payload; size_t payload_len; + enum payload_type payload_type; + timestamp_t payload_timestamp; char *output; char *gpg_status; diff --git a/t/t7528-signed-commit-ssh.sh b/t/t7528-signed-commit-ssh.sh index badf3ed320..dae76ded0c 100755 --- a/t/t7528-signed-commit-ssh.sh +++ b/t/t7528-signed-commit-ssh.sh @@ -76,6 +76,23 @@ test_expect_success GPGSSH 'create signed commits' ' git tag twelfth-signed-alt $(cat oid) ' +test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'create signed commits with keys having defined lifetimes' ' + test_when_finished "test_unconfig commit.gpgsign" && + test_config gpg.format ssh && + + echo expired >file && test_tick && git commit -a -m expired -S"${GPGSSH_KEY_EXPIRED}" && + git tag expired-signed && + + echo notyetvalid >file && test_tick && git commit -a -m notyetvalid -S"${GPGSSH_KEY_NOTYETVALID}" && + git tag notyetvalid-signed && + + echo timeboxedvalid >file && test_tick && git commit -a -m timeboxedvalid -S"${GPGSSH_KEY_TIMEBOXEDVALID}" && + git tag timeboxedvalid-signed && + + echo timeboxedinvalid >file && test_tick && git commit -a -m timeboxedinvalid -S"${GPGSSH_KEY_TIMEBOXEDINVALID}" && + git tag timeboxedinvalid-signed +' + test_expect_success GPGSSH 'verify and show signatures' ' test_config gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" && test_config gpg.mintrustlevel UNDEFINED && @@ -122,6 +139,31 @@ test_expect_success GPGSSH 'verify-commit exits failure on untrusted signature' grep "${GPGSSH_KEY_NOT_TRUSTED}" actual ' +test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'verify-commit exits failure on expired signature key' ' + test_config gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" && + test_must_fail git verify-commit expired-signed 2>actual && + ! grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual +' + +test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'verify-commit exits failure on not yet valid signature key' ' + test_config gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" && + test_must_fail git verify-commit notyetvalid-signed 2>actual && + ! grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual +' + +test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'verify-commit succeeds with commit date and key validity matching' ' + test_config gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" && + git verify-commit timeboxedvalid-signed 2>actual && + grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual && + ! grep "${GPGSSH_BAD_SIGNATURE}" actual +' + +test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'verify-commit exits failure with commit date outside of key validity' ' + test_config gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" && + test_must_fail git verify-commit timeboxedinvalid-signed 2>actual && + ! grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual +' + test_expect_success GPGSSH 'verify-commit exits success with matching minTrustLevel' ' test_config gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" && test_config gpg.minTrustLevel fully && From patchwork Wed Dec 8 23:43:10 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Junio C Hamano X-Patchwork-Id: 12665523 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id C3950C433EF for ; Wed, 8 Dec 2021 23:43:30 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S241219AbhLHXrB (ORCPT ); Wed, 8 Dec 2021 18:47:01 -0500 Received: from pb-smtp2.pobox.com ([64.147.108.71]:61505 "EHLO pb-smtp2.pobox.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S241213AbhLHXrA (ORCPT ); Wed, 8 Dec 2021 18:47:00 -0500 Received: from pb-smtp2.pobox.com (unknown [127.0.0.1]) by pb-smtp2.pobox.com (Postfix) with ESMTP id E98F1ECD78; Wed, 8 Dec 2021 18:43:27 -0500 (EST) (envelope-from gitster@pobox.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=pobox.com; h=from:to:cc :subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; s=sasl; bh=nTZcbM8xt2YG51mcy67rxSylX avmAKezw3aBaghz71I=; b=a88N2hN7P3ubweGE81WltkaRSbpL9SKnl+1YnKJL1 vYJd3OoyAN9KWt8S/GFXpYeQ1hZq7s9+v6mwZcAw0yc3w8NBdzHGHPYAQOyBruIy onKUfPUfbxAIKN/1FEagNMOXxIZxj/lP4l8/Ig0Jrb655xIXgt/SeVTcQJyf3+HN jI= Received: from pb-smtp2.nyi.icgroup.com (unknown [127.0.0.1]) by pb-smtp2.pobox.com (Postfix) with ESMTP id E10A5ECD76; Wed, 8 Dec 2021 18:43:27 -0500 (EST) (envelope-from gitster@pobox.com) Received: from pobox.com (unknown [104.133.2.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pb-smtp2.pobox.com (Postfix) with ESMTPSA id 45404ECD75; Wed, 8 Dec 2021 18:43:27 -0500 (EST) (envelope-from gitster@pobox.com) From: Junio C Hamano To: git@vger.kernel.org Cc: Fabian Stelzer Subject: [PATCH v5.1 5/8] ssh signing: make git log verify key lifetime Date: Wed, 8 Dec 2021 15:43:10 -0800 Message-Id: <20211208234313.3052303-6-gitster@pobox.com> X-Mailer: git-send-email 2.34.1-365-gae484d3562 In-Reply-To: <20211208234313.3052303-1-gitster@pobox.com> References: <20211208234313.3052303-1-gitster@pobox.com> MIME-Version: 1.0 X-Pobox-Relay-ID: A40CF4A2-5880-11EC-B087-C48D900A682E-77302942!pb-smtp2.pobox.com Precedence: bulk List-ID: X-Mailing-List: git@vger.kernel.org From: Fabian Stelzer Set the payload_type for check_signature() when calling git log. Implements the same tests as for verify-commit. Signed-off-by: Fabian Stelzer Signed-off-by: Junio C Hamano --- log-tree.c | 2 ++ t/t4202-log.sh | 43 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 45 insertions(+) diff --git a/log-tree.c b/log-tree.c index a46cf60e1e..d3e7a40b64 100644 --- a/log-tree.c +++ b/log-tree.c @@ -513,6 +513,7 @@ static void show_signature(struct rev_info *opt, struct commit *commit) if (parse_signed_commit(commit, &payload, &signature, the_hash_algo) <= 0) goto out; + sigc.payload_type = SIGNATURE_PAYLOAD_COMMIT; sigc.payload = strbuf_detach(&payload, &sigc.payload_len); status = check_signature(&sigc, signature.buf, signature.len); if (status && !sigc.output) @@ -583,6 +584,7 @@ static int show_one_mergetag(struct commit *commit, status = -1; if (parse_signature(extra->value, extra->len, &payload, &signature)) { /* could have a good signature */ + sigc.payload_type = SIGNATURE_PAYLOAD_TAG; sigc.payload = strbuf_detach(&payload, &sigc.payload_len); status = check_signature(&sigc, signature.buf, signature.len); if (sigc.output) diff --git a/t/t4202-log.sh b/t/t4202-log.sh index 7884e3d46b..ba855ec893 100755 --- a/t/t4202-log.sh +++ b/t/t4202-log.sh @@ -1677,6 +1677,24 @@ test_expect_success GPGSSH 'setup sshkey signed branch' ' git commit -S -m signed_commit ' +test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'create signed commits with keys having defined lifetimes' ' + test_config gpg.format ssh && + touch file && + git add file && + + echo expired >file && test_tick && git commit -a -m expired -S"${GPGSSH_KEY_EXPIRED}" && + git tag expired-signed && + + echo notyetvalid >file && test_tick && git commit -a -m notyetvalid -S"${GPGSSH_KEY_NOTYETVALID}" && + git tag notyetvalid-signed && + + echo timeboxedvalid >file && test_tick && git commit -a -m timeboxedvalid -S"${GPGSSH_KEY_TIMEBOXEDVALID}" && + git tag timeboxedvalid-signed && + + echo timeboxedinvalid >file && test_tick && git commit -a -m timeboxedinvalid -S"${GPGSSH_KEY_TIMEBOXEDINVALID}" && + git tag timeboxedinvalid-signed +' + test_expect_success GPGSM 'log x509 fingerprint' ' echo "F8BF62E0693D0694816377099909C779FA23FD65 | " >expect && git log -n1 --format="%GF | %GP" signed-x509 >actual && @@ -1714,6 +1732,31 @@ test_expect_success GPGSSH 'log --graph --show-signature ssh' ' grep "${GOOD_SIGNATURE_TRUSTED}" actual ' +test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'log shows failure on expired signature key' ' + test_config gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" && + git log --graph --show-signature -n1 expired-signed >actual && + ! grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual +' + +test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'log shows failure on not yet valid signature key' ' + test_config gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" && + git log --graph --show-signature -n1 notyetvalid-signed >actual && + ! grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual +' + +test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'log show success with commit date and key validity matching' ' + test_config gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" && + git log --graph --show-signature -n1 timeboxedvalid-signed >actual && + grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual && + ! grep "${GPGSSH_BAD_SIGNATURE}" actual +' + +test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'log shows failure with commit date outside of key validity' ' + test_config gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" && + git log --graph --show-signature -n1 timeboxedinvalid-signed >actual && + ! grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual +' + test_expect_success GPG 'log --graph --show-signature for merged tag' ' test_when_finished "git reset --hard && git checkout main" && git checkout -b plain main && From patchwork Wed Dec 8 23:43:11 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Junio C Hamano X-Patchwork-Id: 12665525 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9D749C433EF for ; Wed, 8 Dec 2021 23:43:33 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S241213AbhLHXrE (ORCPT ); Wed, 8 Dec 2021 18:47:04 -0500 Received: from pb-smtp1.pobox.com ([64.147.108.70]:55527 "EHLO pb-smtp1.pobox.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S241226AbhLHXrC (ORCPT ); Wed, 8 Dec 2021 18:47:02 -0500 Received: from pb-smtp1.pobox.com (unknown [127.0.0.1]) by pb-smtp1.pobox.com (Postfix) with ESMTP id 6B78EF429E; Wed, 8 Dec 2021 18:43:29 -0500 (EST) (envelope-from gitster@pobox.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=pobox.com; h=from:to:cc :subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; s=sasl; bh=v96o96R0iwv+wovmNaKxjBzqE 3WnJinxqLD2gFzvPPc=; b=P2cPF4+jsXfFqGYw/PhewGJMbba293NFSoD9w13cN QU6zjCukZAPKzUQBP+JixvCOI48NAL8ay6I5vpAKahaCTLcwSVbCDYBkUWKENOVu 88RpXRdB7SWQiulfolWV6vqF8KJtJ0CMcEkN9kncGOq+MyU5Qgd2cDQfH3lqaeBN FE= Received: from pb-smtp1.nyi.icgroup.com (unknown [127.0.0.1]) by pb-smtp1.pobox.com (Postfix) with ESMTP id 624E7F429D; Wed, 8 Dec 2021 18:43:29 -0500 (EST) (envelope-from gitster@pobox.com) Received: from pobox.com (unknown [104.133.2.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pb-smtp1.pobox.com (Postfix) with ESMTPSA id C1BDAF429C; Wed, 8 Dec 2021 18:43:28 -0500 (EST) (envelope-from gitster@pobox.com) From: Junio C Hamano To: git@vger.kernel.org Cc: Fabian Stelzer Subject: [PATCH v5.1 6/8] ssh signing: make verify-tag consider key lifetime Date: Wed, 8 Dec 2021 15:43:11 -0800 Message-Id: <20211208234313.3052303-7-gitster@pobox.com> X-Mailer: git-send-email 2.34.1-365-gae484d3562 In-Reply-To: <20211208234313.3052303-1-gitster@pobox.com> References: <20211208234313.3052303-1-gitster@pobox.com> MIME-Version: 1.0 X-Pobox-Relay-ID: A4F2D742-5880-11EC-9079-E10CCAD8090B-77302942!pb-smtp1.pobox.com Precedence: bulk List-ID: X-Mailing-List: git@vger.kernel.org From: Fabian Stelzer Set the payload_type for check_signature() when calling verify-tag. Implements the same tests as for verify-commit. Signed-off-by: Fabian Stelzer Signed-off-by: Junio C Hamano --- t/t7031-verify-tag-signed-ssh.sh | 42 ++++++++++++++++++++++++++++++++ tag.c | 1 + 2 files changed, 43 insertions(+) diff --git a/t/t7031-verify-tag-signed-ssh.sh b/t/t7031-verify-tag-signed-ssh.sh index 06c9dd6c93..1cb36b9ab8 100755 --- a/t/t7031-verify-tag-signed-ssh.sh +++ b/t/t7031-verify-tag-signed-ssh.sh @@ -48,6 +48,23 @@ test_expect_success GPGSSH 'create signed tags ssh' ' git tag -u"${GPGSSH_KEY_UNTRUSTED}" -m eighth eighth-signed-alt ' +test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'create signed tags with keys having defined lifetimes' ' + test_when_finished "test_unconfig commit.gpgsign" && + test_config gpg.format ssh && + + echo expired >file && test_tick && git commit -a -m expired -S"${GPGSSH_KEY_EXPIRED}" && + git tag -s -u "${GPGSSH_KEY_EXPIRED}" -m expired-signed expired-signed && + + echo notyetvalid >file && test_tick && git commit -a -m notyetvalid -S"${GPGSSH_KEY_NOTYETVALID}" && + git tag -s -u "${GPGSSH_KEY_NOTYETVALID}" -m notyetvalid-signed notyetvalid-signed && + + echo timeboxedvalid >file && test_tick && git commit -a -m timeboxedvalid -S"${GPGSSH_KEY_TIMEBOXEDVALID}" && + git tag -s -u "${GPGSSH_KEY_TIMEBOXEDVALID}" -m timeboxedvalid-signed timeboxedvalid-signed && + + echo timeboxedinvalid >file && test_tick && git commit -a -m timeboxedinvalid -S"${GPGSSH_KEY_TIMEBOXEDINVALID}" && + git tag -s -u "${GPGSSH_KEY_TIMEBOXEDINVALID}" -m timeboxedinvalid-signed timeboxedinvalid-signed +' + test_expect_success GPGSSH 'verify and show ssh signatures' ' test_config gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" && ( @@ -80,6 +97,31 @@ test_expect_success GPGSSH 'verify and show ssh signatures' ' ) ' +test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'verify-tag exits failure on expired signature key' ' + test_config gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" && + test_must_fail git verify-tag expired-signed 2>actual && + ! grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual +' + +test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'verify-tag exits failure on not yet valid signature key' ' + test_config gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" && + test_must_fail git verify-tag notyetvalid-signed 2>actual && + ! grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual +' + +test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'verify-tag succeeds with tag date and key validity matching' ' + test_config gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" && + git verify-tag timeboxedvalid-signed 2>actual && + grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual && + ! grep "${GPGSSH_BAD_SIGNATURE}" actual +' + +test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'verify-tag failes with tag date outside of key validity' ' + test_config gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" && + test_must_fail git verify-tag timeboxedinvalid-signed 2>actual && + ! grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual +' + test_expect_success GPGSSH 'detect fudged ssh signature' ' test_config gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" && git cat-file tag seventh-signed >raw && diff --git a/tag.c b/tag.c index 62fb09f5a5..dfbcd7fcc2 100644 --- a/tag.c +++ b/tag.c @@ -25,6 +25,7 @@ static int run_gpg_verify(const char *buf, unsigned long size, unsigned flags) return error("no signature found"); } + sigc.payload_type = SIGNATURE_PAYLOAD_TAG; sigc.payload = strbuf_detach(&payload, &sigc.payload_len); ret = check_signature(&sigc, signature.buf, signature.len); From patchwork Wed Dec 8 23:43:12 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Junio C Hamano X-Patchwork-Id: 12665527 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 83BEFC433EF for ; Wed, 8 Dec 2021 23:43:36 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S241220AbhLHXrI (ORCPT ); Wed, 8 Dec 2021 18:47:08 -0500 Received: from pb-smtp20.pobox.com ([173.228.157.52]:55133 "EHLO pb-smtp20.pobox.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S241240AbhLHXrH (ORCPT ); Wed, 8 Dec 2021 18:47:07 -0500 Received: from pb-smtp20.pobox.com (unknown [127.0.0.1]) by pb-smtp20.pobox.com (Postfix) with ESMTP id 99ED017410E; Wed, 8 Dec 2021 18:43:34 -0500 (EST) (envelope-from gitster@pobox.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=pobox.com; h=from:to:cc :subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; s=sasl; bh=Hm5bRfa/txaq+Pyg9shDYyiM4 diFWemjQD9oOHlDBlo=; b=LeAUH5c1owHyX7zZW+1L0jctTUQmTKfy3R5tpzaSR HzJHIG085pRVLE8EZQJQe/e7XBOlOH0FM6Wf75ZlbqH6eTtjxs77podJX5YWr8x1 zDjm0qWV36OGAHqA7ofQ0AHK2xx24zcxmz+UGkx2TQRXu8L4hD1usEjqvQejPDJd 6g= Received: from pb-smtp20.sea.icgroup.com (unknown [127.0.0.1]) by pb-smtp20.pobox.com (Postfix) with ESMTP id 92A5217410D; Wed, 8 Dec 2021 18:43:34 -0500 (EST) (envelope-from gitster@pobox.com) Received: from pobox.com (unknown [104.133.2.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pb-smtp20.pobox.com (Postfix) with ESMTPSA id 9720D17410B; Wed, 8 Dec 2021 18:43:30 -0500 (EST) (envelope-from gitster@pobox.com) From: Junio C Hamano To: git@vger.kernel.org Cc: Fabian Stelzer Subject: [PATCH v5.1 7/8] ssh signing: make fmt-merge-msg consider key lifetime Date: Wed, 8 Dec 2021 15:43:12 -0800 Message-Id: <20211208234313.3052303-8-gitster@pobox.com> X-Mailer: git-send-email 2.34.1-365-gae484d3562 In-Reply-To: <20211208234313.3052303-1-gitster@pobox.com> References: <20211208234313.3052303-1-gitster@pobox.com> MIME-Version: 1.0 X-Pobox-Relay-ID: A6097280-5880-11EC-950F-F327CE9DA9D6-77302942!pb-smtp20.pobox.com Precedence: bulk List-ID: X-Mailing-List: git@vger.kernel.org From: Fabian Stelzer Set the payload_type for check_signature() when generating merge messages to verify merged tags signatures key lifetimes. Implements the same tests as for verify-commit. Signed-off-by: Fabian Stelzer Signed-off-by: Junio C Hamano --- fmt-merge-msg.c | 1 + t/t6200-fmt-merge-msg.sh | 58 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 59 insertions(+) diff --git a/fmt-merge-msg.c b/fmt-merge-msg.c index deca1ea3a3..e4f7810be2 100644 --- a/fmt-merge-msg.c +++ b/fmt-merge-msg.c @@ -533,6 +533,7 @@ static void fmt_merge_msg_sigs(struct strbuf *out) else { buf = payload.buf; len = payload.len; + sigc.payload_type = SIGNATURE_PAYLOAD_TAG; sigc.payload = strbuf_detach(&payload, &sigc.payload_len); if (check_signature(&sigc, sig.buf, sig.len) && !sigc.output) diff --git a/t/t6200-fmt-merge-msg.sh b/t/t6200-fmt-merge-msg.sh index b18ba58745..12a1e62bf0 100755 --- a/t/t6200-fmt-merge-msg.sh +++ b/t/t6200-fmt-merge-msg.sh @@ -91,6 +91,26 @@ test_expect_success GPGSSH 'created ssh signed commit and tag' ' git tag -s -u"${GPGSSH_KEY_UNTRUSTED}" -m signed-ssh-tag-msg-untrusted signed-untrusted-ssh-tag left ' +test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'create signed tags with keys having defined lifetimes' ' + test_when_finished "test_unconfig commit.gpgsign" && + test_config gpg.format ssh && + git checkout -b signed-expiry-ssh && + touch file && + git add file && + + echo expired >file && test_tick && git commit -a -m expired -S"${GPGSSH_KEY_EXPIRED}" && + git tag -s -u "${GPGSSH_KEY_EXPIRED}" -m expired-signed expired-signed && + + echo notyetvalid >file && test_tick && git commit -a -m notyetvalid -S"${GPGSSH_KEY_NOTYETVALID}" && + git tag -s -u "${GPGSSH_KEY_NOTYETVALID}" -m notyetvalid-signed notyetvalid-signed && + + echo timeboxedvalid >file && test_tick && git commit -a -m timeboxedvalid -S"${GPGSSH_KEY_TIMEBOXEDVALID}" && + git tag -s -u "${GPGSSH_KEY_TIMEBOXEDVALID}" -m timeboxedvalid-signed timeboxedvalid-signed && + + echo timeboxedinvalid >file && test_tick && git commit -a -m timeboxedinvalid -S"${GPGSSH_KEY_TIMEBOXEDINVALID}" && + git tag -s -u "${GPGSSH_KEY_TIMEBOXEDINVALID}" -m timeboxedinvalid-signed timeboxedinvalid-signed +' + test_expect_success 'message for merging local branch' ' echo "Merge branch ${apos}left${apos}" >expected && @@ -138,6 +158,44 @@ test_expect_success GPGSSH 'message for merging local tag signed by unknown ssh ! grep "${GPGSSH_BAD_SIGNATURE}" actual && grep "${GPGSSH_KEY_NOT_TRUSTED}" actual ' + +test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'message for merging local tag signed by expired ssh key' ' + test_config gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" && + git checkout main && + git fetch . expired-signed && + git fmt-merge-msg <.git/FETCH_HEAD >actual && + grep "^Merge tag ${apos}expired-signed${apos}" actual && + ! grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual +' + +test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'message for merging local tag signed by not yet valid ssh key' ' + test_config gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" && + git checkout main && + git fetch . notyetvalid-signed && + git fmt-merge-msg <.git/FETCH_HEAD >actual && + grep "^Merge tag ${apos}notyetvalid-signed${apos}" actual && + ! grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual +' + +test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'message for merging local tag signed by valid timeboxed ssh key' ' + test_config gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" && + git checkout main && + git fetch . timeboxedvalid-signed && + git fmt-merge-msg <.git/FETCH_HEAD >actual && + grep "^Merge tag ${apos}timeboxedvalid-signed${apos}" actual && + grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual && + ! grep "${GPGSSH_BAD_SIGNATURE}" actual +' + +test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'message for merging local tag signed by invalid timeboxed ssh key' ' + test_config gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" && + git checkout main && + git fetch . timeboxedinvalid-signed && + git fmt-merge-msg <.git/FETCH_HEAD >actual && + grep "^Merge tag ${apos}timeboxedinvalid-signed${apos}" actual && + ! grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual +' + test_expect_success 'message for merging external branch' ' echo "Merge branch ${apos}left${apos} of $(pwd)" >expected && From patchwork Wed Dec 8 23:43:13 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Junio C Hamano X-Patchwork-Id: 12665529 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5CF86C433EF for ; Wed, 8 Dec 2021 23:43:41 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S241250AbhLHXrN (ORCPT ); Wed, 8 Dec 2021 18:47:13 -0500 Received: from pb-smtp21.pobox.com ([173.228.157.53]:56107 "EHLO pb-smtp21.pobox.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S241256AbhLHXrL (ORCPT ); Wed, 8 Dec 2021 18:47:11 -0500 Received: from pb-smtp21.pobox.com (unknown [127.0.0.1]) by pb-smtp21.pobox.com (Postfix) with ESMTP id 8ADD81605B2; Wed, 8 Dec 2021 18:43:38 -0500 (EST) (envelope-from gitster@pobox.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=pobox.com; h=from:to:cc :subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; s=sasl; bh=3nsBaVLQllLyxuuO47eF4uvAS gh4Ki36xAz3+TxC2Yw=; b=cAg5M69jlx6fupVMOF25JuGOriQucQ5+FPwgfSB3G dfpkdu+ksS+RxB89ll4+9d1IbEOITdgpNJ+QM61HcZnhLDQyURC8MAnYNh0YYDmJ gRUVsf2Xl9A+NjjgsPWKeyjjkNFYS9A2quPIBGTNbujdDwrCeJ5Y4d0eK61hFb4v gU= Received: from pb-smtp21.sea.icgroup.com (unknown [127.0.0.1]) by pb-smtp21.pobox.com (Postfix) with ESMTP id 83F4F1605B1; Wed, 8 Dec 2021 18:43:38 -0500 (EST) (envelope-from gitster@pobox.com) Received: from pobox.com (unknown [104.133.2.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pb-smtp21.pobox.com (Postfix) with ESMTPSA id 85F4B1605B0; Wed, 8 Dec 2021 18:43:34 -0500 (EST) (envelope-from gitster@pobox.com) From: Junio C Hamano To: git@vger.kernel.org Cc: Fabian Stelzer Subject: [PATCH v5.1 8/8] ssh signing: verify ssh-keygen in test prereq Date: Wed, 8 Dec 2021 15:43:13 -0800 Message-Id: <20211208234313.3052303-9-gitster@pobox.com> X-Mailer: git-send-email 2.34.1-365-gae484d3562 In-Reply-To: <20211208234313.3052303-1-gitster@pobox.com> References: <20211208234313.3052303-1-gitster@pobox.com> MIME-Version: 1.0 X-Pobox-Relay-ID: A860E3BA-5880-11EC-819E-98D80D944F46-77302942!pb-smtp21.pobox.com Precedence: bulk List-ID: X-Mailing-List: git@vger.kernel.org From: Fabian Stelzer Do a full ssh signing, find-principals and verify operation in the test prereq's to make sure ssh-keygen works as expected. Only generating the keys and verifying its presence is not sufficient in some situations. One example was ssh-keygen creating unusable ssh keys in cygwin because of unsafe default permissions for the key files. The other a broken openssh 8.7 that segfaulted on any find-principals operation. This extended prereq check avoids future test breakages in case ssh-keygen or any environment behaviour changes. Signed-off-by: Fabian Stelzer Signed-off-by: Junio C Hamano --- t/lib-gpg.sh | 53 +++++++++++++++++++++++++++++++++++++++------------- 1 file changed, 40 insertions(+), 13 deletions(-) diff --git a/t/lib-gpg.sh b/t/lib-gpg.sh index fc03c8f89b..3fadfcb306 100644 --- a/t/lib-gpg.sh +++ b/t/lib-gpg.sh @@ -109,34 +109,61 @@ test_lazy_prereq GPGSSH ' echo $ssh_version | grep -q "find-principals:missing signature file" test $? = 0 || exit 1; - # some broken versions of ssh-keygen segfault on find-principals; - # avoid testing with them. - ssh-keygen -Y find-principals -f /dev/null -s /dev/null - test $? = 139 && exit 1 - + # Setup some keys and an allowed signers file mkdir -p "${GNUPGHOME}" && chmod 0700 "${GNUPGHOME}" && (setfacl -k "${GNUPGHOME}" 2>/dev/null || true) && ssh-keygen -t ed25519 -N "" -C "git ed25519 key" -f "${GPGSSH_KEY_PRIMARY}" >/dev/null && - echo "\"principal with number 1\" $(cat "${GPGSSH_KEY_PRIMARY}.pub")" >> "${GPGSSH_ALLOWED_SIGNERS}" && ssh-keygen -t rsa -b 2048 -N "" -C "git rsa2048 key" -f "${GPGSSH_KEY_SECONDARY}" >/dev/null && - echo "\"principal with number 2\" $(cat "${GPGSSH_KEY_SECONDARY}.pub")" >> "${GPGSSH_ALLOWED_SIGNERS}" && ssh-keygen -t ed25519 -N "${GPGSSH_KEY_PASSPHRASE}" -C "git ed25519 encrypted key" -f "${GPGSSH_KEY_WITH_PASSPHRASE}" >/dev/null && - echo "\"principal with number 3\" $(cat "${GPGSSH_KEY_WITH_PASSPHRASE}.pub")" >> "${GPGSSH_ALLOWED_SIGNERS}" && - ssh-keygen -t ed25519 -N "" -C "git ed25519 key" -f "${GPGSSH_KEY_UNTRUSTED}" >/dev/null + ssh-keygen -t ed25519 -N "" -C "git ed25519 key" -f "${GPGSSH_KEY_UNTRUSTED}" >/dev/null && + + cat >"${GPGSSH_ALLOWED_SIGNERS}" <<-EOF && + "principal with number 1" $(cat "${GPGSSH_KEY_PRIMARY}.pub")" + "principal with number 2" $(cat "${GPGSSH_KEY_SECONDARY}.pub")" + "principal with number 3" $(cat "${GPGSSH_KEY_WITH_PASSPHRASE}.pub")" + EOF + + # Verify if at least one key and ssh-keygen works as expected + echo "testpayload" | + ssh-keygen -Y sign -n "git" -f "${GPGSSH_KEY_PRIMARY}" >gpgssh_prereq.sig && + ssh-keygen -Y find-principals -f "${GPGSSH_ALLOWED_SIGNERS}" -s gpgssh_prereq.sig && + echo "testpayload" | + ssh-keygen -Y verify -n "git" -f "${GPGSSH_ALLOWED_SIGNERS}" -I "principal with number 1" -s gpgssh_prereq.sig ' test_lazy_prereq GPGSSH_VERIFYTIME ' # Check if ssh-keygen has a verify-time option by passing an invalid date to it ssh-keygen -Overify-time=INVALID -Y check-novalidate -s doesnotmatter 2>&1 | grep -q -F "Invalid \"verify-time\"" && + + # Set up keys with key lifetimes ssh-keygen -t ed25519 -N "" -C "timeboxed valid key" -f "${GPGSSH_KEY_TIMEBOXEDVALID}" >/dev/null && - echo "\"timeboxed valid key\" valid-after=\"20050407000000\",valid-before=\"200504100000\" $(cat "${GPGSSH_KEY_TIMEBOXEDVALID}.pub")" >> "${GPGSSH_ALLOWED_SIGNERS}" && + key_valid=$(cat "${GPGSSH_KEY_TIMEBOXEDVALID}.pub") && ssh-keygen -t ed25519 -N "" -C "timeboxed invalid key" -f "${GPGSSH_KEY_TIMEBOXEDINVALID}" >/dev/null && - echo "\"timeboxed invalid key\" valid-after=\"20050401000000\",valid-before=\"20050402000000\" $(cat "${GPGSSH_KEY_TIMEBOXEDINVALID}.pub")" >> "${GPGSSH_ALLOWED_SIGNERS}" && + key_invalid=$(cat "${GPGSSH_KEY_TIMEBOXEDINVALID}.pub") && ssh-keygen -t ed25519 -N "" -C "expired key" -f "${GPGSSH_KEY_EXPIRED}" >/dev/null && - echo "\"principal with expired key\" valid-before=\"20000101000000\" $(cat "${GPGSSH_KEY_EXPIRED}.pub")" >> "${GPGSSH_ALLOWED_SIGNERS}" && + key_expired=$(cat "${GPGSSH_KEY_EXPIRED}.pub") && ssh-keygen -t ed25519 -N "" -C "not yet valid key" -f "${GPGSSH_KEY_NOTYETVALID}" >/dev/null && - echo "\"principal with not yet valid key\" valid-after=\"29990101000000\" $(cat "${GPGSSH_KEY_NOTYETVALID}.pub")" >> "${GPGSSH_ALLOWED_SIGNERS}" + key_notyetvalid=$(cat "${GPGSSH_KEY_NOTYETVALID}.pub") && + + # Timestamps outside of test_tick span + ts2005a=20050401000000 ts2005b=200504020000 && + # Timestamps within test_tick span + ts2005c=20050407000000 ts2005d=200504100000 && + # Definitely not yet valid / expired timestamps + ts2000=20000101000000 ts2999=29990101000000 && + + cat >>"${GPGSSH_ALLOWED_SIGNERS}" <<-EOF && + "timeboxed valid key" valid-after="$ts2005c",valid-before="$ts2005d" $key_valid" + "timeboxed invalid key" valid-after="$ts2005a",valid-before="$ts2005b" $key_invalid" + "principal with expired key" valid-before="$ts2000" $key_expired" + "principal with not yet valid key" valid-after="$ts2999" $key_notyetvalid" + EOF + + # and verify ssh-keygen verifies the key lifetime + echo "testpayload" | + ssh-keygen -Y sign -n "git" -f "${GPGSSH_KEY_EXPIRED}" >gpgssh_verifytime_prereq.sig && + ! (ssh-keygen -Y verify -n "git" -f "${GPGSSH_ALLOWED_SIGNERS}" -I "principal with expired key" -s gpgssh_verifytime_prereq.sig) ' sanitize_pgp() {