From: Phillip Wood <phillip.wood123@gmail.com>
To: Adam Szkoda via GitGitGadget <gitgitgadget@gmail.com>,
	git@vger.kernel.org
Cc: Adam Szkoda <adaszko@gmail.com>
Subject: Re: [PATCH] ssh signing: better error message when key not in agent
Date: Wed, 18 Jan 2023 11:10:04 +0000
Message-ID: <abec912c-065d-2098-962e-41f9646dd046@dunelm.org.uk>
In-Reply-To: <pull.1270.git.git.1674029874363.gitgitgadget@gmail.com>

Hi Adam

On 18/01/2023 08:17, Adam Szkoda via GitGitGadget wrote:
> From: Adam Szkoda <adaszko@gmail.com>
> 
> When signing a commit with an SSH key, with the private key missing from
> ssh-agent, a confusing error message is produced:
> 
>      error: Load key
>      "/var/folders/t5/cscwwl_n3n1_8_5j_00x_3t40000gn/T//.git_signing_key_tmpkArSj7":
>      invalid format? fatal: failed to write commit object
> 
> The temporary file .git_signing_key_tmpkArSj7 created by git contains a
> valid *public* key.  The error message comes from `ssh-keygen -Y sign' and
> is caused by a fallback mechanism in ssh-keygen whereby it tries to
> interpret .git_signing_key_tmpkArSj7 as a *private* key if it can't find it in
> the agent [1].  A fix is scheduled to be released in OpenSSH 9.1. All that
> needs to be done is to pass an additional backward-compatible option -U to
> the 'ssh-keygen -Y sign' call.  With '-U', ssh-keygen always interprets the file
> as a public key and expects to find the private key in the agent.

The documentation for user.signingKey says

  If gpg.format is set to ssh this can contain the path to either your 
private ssh key or the public key when ssh-agent is used.

If I've understood correctly passing -U will prevent users from setting 
this to a private key.

Best Wishes

Phillip

> As a result, when the private key is missing from the agent, a more accurate
> error message gets produced:
> 
>      error: Couldn't find key in agent
> 
> [1] https://bugzilla.mindrot.org/show_bug.cgi?id=3429
> 
> Signed-off-by: Adam Szkoda <adaszko@gmail.com>
> ---
>      ssh signing: better error message when key not in agent
>      
>      When signing a commit with an SSH key, with the private key missing from
>      ssh-agent, a confusing error message is produced:
>      
>      error: Load key "/var/folders/t5/cscwwl_n3n1_8_5j_00x_3t40000gn/T//.git_signing_key_tmpkArSj7": invalid format?
>      fatal: failed to write commit object
>      
>      
>      The temporary file .git_signing_key_tmpkArSj7 created by git contains a
>      valid public key. The error message comes from `ssh-keygen -Y sign' and
>      is caused by a fallback mechanism in ssh-keygen whereby it tries to
>      interpret .git_signing_key_tmpkArSj7 as a private key if it can't find
>      it in the agent [1]. A fix is scheduled to be released in OpenSSH 9.1. All
>      that needs to be done is to pass an additional backward-compatible
>      option -U to the 'ssh-keygen -Y sign' call. With '-U', ssh-keygen always
>      interprets the file as a public key and expects to find the private key in
>      the agent.
>      
>      As a result, when the private key is missing from the agent, a more
>      accurate error message gets produced:
>      
>      error: Couldn't find key in agent
>      
>      
>      [1] https://bugzilla.mindrot.org/show_bug.cgi?id=3429
> 
> Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-git-1270%2Fradicle-dev%2Fmaint-v1
> Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-git-1270/radicle-dev/maint-v1
> Pull-Request: https://github.com/git/git/pull/1270
> 
>   gpg-interface.c | 1 +
>   1 file changed, 1 insertion(+)
> 
> diff --git a/gpg-interface.c b/gpg-interface.c
> index 280f1fa1a58..4a5913ae942 100644
> --- a/gpg-interface.c
> +++ b/gpg-interface.c
> @@ -1022,6 +1022,7 @@ static int sign_buffer_ssh(struct strbuf *buffer, struct strbuf *signature,
>   	strvec_pushl(&signer.args, use_format->program,
>   		     "-Y", "sign",
>   		     "-n", "git",
> +		     "-U",
>   		     "-f", ssh_signing_key_file,
>   		     buffer_file->filename.buf,
>   		     NULL);
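
Review bot: adding `-U` unconditionally (the `+` line between `"-n", "git"` and `"-f", ssh_signing_key_file`) changes behaviour for the documented configuration in which user.signingKey points at a private key file, not only for the agent case the commit message targets: by the commit message's own description, with `-U` ssh-keygen always treats the `-f` file as a public key and looks for the private key in the agent, so a private key on disk would stop working when no agent holds it. Either gate the flag on the material in ssh_signing_key_file actually being a public key (the agent case), or update the user.signingKey documentation quoted above in the same patch so the two agree. The commit message's "backward-compatible" claim should also state which ssh-keygen versions accept `-U` with `-Y sign`, since nothing in this hunk checks that the option is understood before it is passed.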
> 
> base-commit: e54793a95afeea1e10de1e5ad7eab914e7416250
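
The gating that Phillip's objection calls for, as an added example written for this thread rather than code from git or from the patch: classify the key material git is about to pass to `-f`, and add `-U` only when it is a public key, so a user.signingKey that points at a private key file keeps working without an agent. The function names, the injectable `read_file` hook and the sample key strings are constructed for the example and are not real keys.

```python
"""
Choose the `ssh-keygen -Y sign` argument vector for a user.signingKey value.

Added illustration for the thread above, not git's gpg-interface.c.
Assumptions (not from the patch): the signing key is either a literal key
prefixed with "key::" or a path to a key file; git has already placed the
material it will pass to `-f` in key_file; and the caller still has the raw
material so we can tell a public key from a private one.  Only a public key
gets `-U`, so a private key on disk keeps working without ssh-agent.
"""
from __future__ import annotations

import re

# First token of an OpenSSH public key line (optionally "sk-" prefixed),
# followed by a base64 blob.  Certificates and @openssh.com types match too.
_PUBLIC_KEY_LINE = re.compile(
    r"^(?:sk-)?(?:ssh-|ecdsa-sha2-)[A-Za-z0-9.@-]+\s+[A-Za-z0-9+/]+=*(?:\s|$)"
)

# PEM-style framing used by OpenSSH and legacy private key files.
_PRIVATE_KEY_HEADERS = (
    "-----BEGIN OPENSSH PRIVATE KEY-----",
    "-----BEGIN RSA PRIVATE KEY-----",
    "-----BEGIN EC PRIVATE KEY-----",
    "-----BEGIN DSA PRIVATE KEY-----",
    "-----BEGIN PRIVATE KEY-----",
)


def classify_key_material(material: str) -> str:
    """Return "public" or "private"; raise ValueError for anything else.

    ssh-keygen's guess-the-format fallback (mindrot bug 3429) is exactly what
    this avoids, so unrecognised framing is an error rather than a guess.
    """
    lines = material.strip().splitlines()
    first = lines[0].strip() if lines else ""
    if first in _PRIVATE_KEY_HEADERS:
        return "private"
    if _PUBLIC_KEY_LINE.match(first):
        return "public"
    raise ValueError("unrecognised key material: not a public key line or a PEM private key")


def load_key_material(signing_key: str, read_file=None) -> str:
    """Resolve a user.signingKey value to the key text.

    "key::<literal>" is git's inline-key syntax; anything else is a path.
    read_file is injectable (a hypothetical hook) so the example runs offline.
    """
    if signing_key.startswith("key::"):
        return signing_key[len("key::"):]
    reader = read_file or (lambda p: open(p, encoding="utf-8").read())
    return reader(signing_key)


def ssh_sign_argv(program: str, material: str, key_file: str, buffer_file: str) -> list[str]:
    """Build argv in the same order as the strvec_pushl() in the patch, adding
    -U only when the -f file holds a public key and the private key must come
    from the agent."""
    kind = classify_key_material(material)
    argv = [program, "-Y", "sign", "-n", "git"]
    if kind == "public":
        argv.append("-U")  # never let ssh-keygen reparse the file as a private key
    argv += ["-f", key_file, buffer_file]
    return argv


# Constructed sample inputs (not real keys): an ed25519 public key line and the
# framing of an OpenSSH private key file.
SAMPLE_PUBLIC = (
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleExampleExam user@host\n"
)
SAMPLE_PRIVATE = (
    "-----BEGIN OPENSSH PRIVATE KEY-----\n"
    "b3BlbnNzaC1rZXktdjEAAAAA\n"
    "-----END OPENSSH PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for name, mat in (("public", SAMPLE_PUBLIC), ("private", SAMPLE_PRIVATE)):
        argv = ssh_sign_argv("ssh-keygen", mat, "/tmp/.git_signing_key_tmpXXXX",
                             "/tmp/.git_signing_buffer_tmpXXXX")
        print(f"{name}: {' '.join(argv)}")
```

With this split a key path that names a private key never receives `-U`, while the temp file git writes from a literal or public key does, which is the only case in which the "Couldn't find key in agent" message is the right one.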

Thread overview: 18+ messages
2023-01-18  8:17 [PATCH] ssh signing: better error message when key not in agent Adam Szkoda via GitGitGadget
2023-01-18 11:10 ` Phillip Wood [this message]
2023-01-18 14:34   ` Phillip Wood
2023-01-18 15:28     ` Adam Szkoda
2023-01-18 16:29       ` Phillip Wood
2023-01-20  9:03         ` Fabian Stelzer
2023-01-23  9:33           ` Phillip Wood
2023-01-23 10:02             ` Fabian Stelzer
2023-01-23 16:17               ` Adam Szkoda
2023-01-24 15:26 ` [PATCH v2] " Adam Szkoda via GitGitGadget
2023-01-24 17:52   ` Junio C Hamano
2023-01-25 12:46     ` Adam Szkoda
2023-01-25 17:04       ` Junio C Hamano
2023-01-25 17:17       ` Junio C Hamano
2023-01-25 21:42       ` Eric Sunshine
2023-01-25 22:22         ` Junio C Hamano
2023-02-15  1:22           ` Eric Sunshine
2023-01-25 12:40   ` [PATCH v3] " Adam Szkoda via GitGitGadget