[PATCH] ssh signing: return an error when signature cannot be read

[PATCH] ssh signing: return an error when signature cannot be read

[Phillip Wood via GitGitGadget]

From: Phillip Wood <phillip.wood@dunelm.org.uk>

If the signature file cannot be read we print an error message but do
not return an error to the caller. In practice it seems unlikely that
the file would be unreadable if the call to ssh-keygen succeeds. If we
cannot read the file it may be missing so ignore any errors from
unlink() when we try to remove it.

Signed-off-by: Phillip Wood <phillip.wood@dunelm.org.uk>
---
    ssh signing: return an error when signature cannot be read
    
    This patch is based on maint. In the longer term the code could be
    simplified by using pipes rather than tempfiles as we do for gpg.
    ssh-keygen has supported reading the data to be signed from stdin and
    writing the signature to stdout since it introduced signing.

Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-1371%2Fphillipwood%2Fssh-signing-return-error-on-missing-signature-v1
Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-1371/phillipwood/ssh-signing-return-error-on-missing-signature-v1
Pull-Request: https://github.com/gitgitgadget/git/pull/1371

 gpg-interface.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/gpg-interface.c b/gpg-interface.c
index 947b58ad4da..d352bc286b6 100644
--- a/gpg-interface.c
+++ b/gpg-interface.c
@@ -1043,9 +1043,11 @@ static int sign_buffer_ssh(struct strbuf *buffer, struct strbuf *signature,
 	strbuf_addbuf(&ssh_signature_filename, &buffer_file->filename);
 	strbuf_addstr(&ssh_signature_filename, ".sig");
 	if (strbuf_read_file(signature, ssh_signature_filename.buf, 0) < 0) {
-		error_errno(
+		ret = error_errno(
 			_("failed reading ssh signing data buffer from '%s'"),
 			ssh_signature_filename.buf);
+		unlink(ssh_signature_filename.buf);
+		goto out;
 	}
 	unlink_or_warn(ssh_signature_filename.buf);
 

base-commit: a0feb8611d4c0b2b5d954efe4e98207f62223436
-- 
gitgitgadget

Re: [PATCH] ssh signing: return an error when signature cannot be read

[Junio C Hamano]

"Phillip Wood via GitGitGadget" <gitgitgadget@gmail.com> writes:

> From: Phillip Wood <phillip.wood@dunelm.org.uk>
>
> If the signature file cannot be read we print an error message but do
> not return an error to the caller. In practice it seems unlikely that
> the file would be unreadable if the call to ssh-keygen succeeds. If we
> cannot read the file it may be missing so ignore any errors from
> unlink() when we try to remove it.

OK.  Not removing may help diagnose what the problem is, but going
that route needs to add code to report what file is deliberately
left for inspection.  I do not know how valuable that would be to
help human debuggers --- the user presumably have the original
material (e.g. a signed tag object) anyway, and the human debugger
probably needs to have access to both the original material and what
is fed to the gpg-interface API.  If they are chasing a reproducible
bug, the latter should be recreatable by the human debugger from the
former, so removing would not hurt the debuggability that much.

On the other hand, we can still report if the reason we cannot
remove is not ENOENT, though.

Thanks.

>
> Signed-off-by: Phillip Wood <phillip.wood@dunelm.org.uk>
> ---
>     ssh signing: return an error when signature cannot be read
>     
>     This patch is based on maint. In the longer term the code could be
>     simplified by using pipes rather than tempfiles as we do for gpg.
>     ssh-keygen has supported reading the data to be signed from stdin and
>     writing the signature to stdout since it introduced signing.
>
> Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-1371%2Fphillipwood%2Fssh-signing-return-error-on-missing-signature-v1
> Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-1371/phillipwood/ssh-signing-return-error-on-missing-signature-v1
> Pull-Request: https://github.com/gitgitgadget/git/pull/1371
>
>  gpg-interface.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/gpg-interface.c b/gpg-interface.c
> index 947b58ad4da..d352bc286b6 100644
> --- a/gpg-interface.c
> +++ b/gpg-interface.c
> @@ -1043,9 +1043,11 @@ static int sign_buffer_ssh(struct strbuf *buffer, struct strbuf *signature,
>  	strbuf_addbuf(&ssh_signature_filename, &buffer_file->filename);
>  	strbuf_addstr(&ssh_signature_filename, ".sig");
>  	if (strbuf_read_file(signature, ssh_signature_filename.buf, 0) < 0) {
> -		error_errno(
> +		ret = error_errno(
>  			_("failed reading ssh signing data buffer from '%s'"),
>  			ssh_signature_filename.buf);
> +		unlink(ssh_signature_filename.buf);
> +		goto out;
>  	}
>  	unlink_or_warn(ssh_signature_filename.buf);
>  
>
> base-commit: a0feb8611d4c0b2b5d954efe4e98207f62223436

[PATCH v2] ssh signing: return an error when signature cannot be read

[Phillip Wood via GitGitGadget]

From: Phillip Wood <phillip.wood@dunelm.org.uk>

If the signature file cannot be read we print an error message but do
not return an error to the caller. In practice it seems unlikely that
the file would be unreadable if the call to ssh-keygen succeeds.

The unlink_or_warn() call is moved to the end of the function so that
we always try and remove the signature file. This isn't strictly
necessary at the moment but it protects us against any extra code
being added between trying to read the signature file and the cleanup
at the end of the function in the future. unlink_or_warn() only prints
a warning if it exists and cannot be removed.

Signed-off-by: Phillip Wood <phillip.wood@dunelm.org.uk>
---
    ssh signing: return an error when signature cannot be read
    
    Thanks to Junio for his comments. I've updated the patch to always use
    unlink_or_warn() to remove the signature file as it does not warn on
    missing files.
    
    V1 cover letter
    
    This patch is based on maint. In the longer term the code could be
    simplified by using pipes rather than tempfiles as we do for gpg.
    ssh-keygen has supported reading the data to be signed from stdin and
    writing the signature to stdout since it introduced signing.

Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-1371%2Fphillipwood%2Fssh-signing-return-error-on-missing-signature-v2
Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-1371/phillipwood/ssh-signing-return-error-on-missing-signature-v2
Pull-Request: https://github.com/gitgitgadget/git/pull/1371

Range-diff vs v1:

 1:  6f569ac0f48 ! 1:  1db8af68fce ssh signing: return an error when signature cannot be read
     @@ Commit message
      
          If the signature file cannot be read we print an error message but do
          not return an error to the caller. In practice it seems unlikely that
     -    the file would be unreadable if the call to ssh-keygen succeeds. If we
     -    cannot read the file it may be missing so ignore any errors from
     -    unlink() when we try to remove it.
     +    the file would be unreadable if the call to ssh-keygen succeeds.
     +
     +    The unlink_or_warn() call is moved to the end of the function so that
     +    we always try and remove the signature file. This isn't strictly
     +    necessary at the moment but it protects us against any extra code
     +    being added between trying to read the signature file and the cleanup
     +    at the end of the function in the future. unlink_or_warn() only prints
     +    a warning if it exists and cannot be removed.
      
          Signed-off-by: Phillip Wood <phillip.wood@dunelm.org.uk>
      
     @@ gpg-interface.c: static int sign_buffer_ssh(struct strbuf *buffer, struct strbuf
      +		ret = error_errno(
       			_("failed reading ssh signing data buffer from '%s'"),
       			ssh_signature_filename.buf);
     -+		unlink(ssh_signature_filename.buf);
      +		goto out;
       	}
     - 	unlink_or_warn(ssh_signature_filename.buf);
     +-	unlink_or_warn(ssh_signature_filename.buf);
     +-
     + 	/* Strip CR from the line endings, in case we are on Windows. */
     + 	remove_cr_after(signature, bottom);
       
     +@@ gpg-interface.c: out:
     + 		delete_tempfile(&key_file);
     + 	if (buffer_file)
     + 		delete_tempfile(&buffer_file);
     ++	if (ssh_signature_filename.len)
     ++		unlink_or_warn(ssh_signature_filename.buf);
     + 	strbuf_release(&signer_stderr);
     + 	strbuf_release(&ssh_signature_filename);
     + 	FREE_AND_NULL(ssh_signing_key_file);


 gpg-interface.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/gpg-interface.c b/gpg-interface.c
index 947b58ad4da..b5c2bbb3b91 100644
--- a/gpg-interface.c
+++ b/gpg-interface.c
@@ -1043,12 +1043,11 @@ static int sign_buffer_ssh(struct strbuf *buffer, struct strbuf *signature,
 	strbuf_addbuf(&ssh_signature_filename, &buffer_file->filename);
 	strbuf_addstr(&ssh_signature_filename, ".sig");
 	if (strbuf_read_file(signature, ssh_signature_filename.buf, 0) < 0) {
-		error_errno(
+		ret = error_errno(
 			_("failed reading ssh signing data buffer from '%s'"),
 			ssh_signature_filename.buf);
+		goto out;
 	}
-	unlink_or_warn(ssh_signature_filename.buf);
-
 	/* Strip CR from the line endings, in case we are on Windows. */
 	remove_cr_after(signature, bottom);
 
@@ -1057,6 +1056,8 @@ out:
 		delete_tempfile(&key_file);
 	if (buffer_file)
 		delete_tempfile(&buffer_file);
+	if (ssh_signature_filename.len)
+		unlink_or_warn(ssh_signature_filename.buf);
 	strbuf_release(&signer_stderr);
 	strbuf_release(&ssh_signature_filename);
 	FREE_AND_NULL(ssh_signing_key_file);

base-commit: a0feb8611d4c0b2b5d954efe4e98207f62223436
-- 
gitgitgadget

Re: [PATCH v2] ssh signing: return an error when signature cannot be read

[Fabian Stelzer]

On 04.10.2022 10:01, Phillip Wood via GitGitGadget wrote:
>From: Phillip Wood <phillip.wood@dunelm.org.uk>
>
>If the signature file cannot be read we print an error message but do
>not return an error to the caller. In practice it seems unlikely that
>the file would be unreadable if the call to ssh-keygen succeeds.
>
>The unlink_or_warn() call is moved to the end of the function so that
>we always try and remove the signature file. This isn't strictly
>necessary at the moment but it protects us against any extra code
>being added between trying to read the signature file and the cleanup
>at the end of the function in the future. unlink_or_warn() only prints
>a warning if it exists and cannot be removed.

Sounds sensible and the change looks good to me.

>
>Signed-off-by: Phillip Wood <phillip.wood@dunelm.org.uk>
>---
>    ssh signing: return an error when signature cannot be read
>
>    Thanks to Junio for his comments. I've updated the patch to always use
>    unlink_or_warn() to remove the signature file as it does not warn on
>    missing files.
>
>    V1 cover letter
>
>    This patch is based on maint. In the longer term the code could be
>    simplified by using pipes rather than tempfiles as we do for gpg.
>    ssh-keygen has supported reading the data to be signed from stdin and
>    writing the signature to stdout since it introduced signing.

The ssh-keygen call is already using stdin for the content to sign or 
verify. The signature and the signing key need to be files passed as 
parameters to ssh-keygen. I'm not aware of any other option of providing 
them to it.

Cheers,
Fabian

Re: [PATCH v2] ssh signing: return an error when signature cannot be read

[Phillip Wood]

Hi Fabian

On 06/10/2022 09:28, Fabian Stelzer wrote:
> On 04.10.2022 10:01, Phillip Wood via GitGitGadget wrote:
>> From: Phillip Wood <phillip.wood@dunelm.org.uk>
>>    This patch is based on maint. In the longer term the code could be
>>    simplified by using pipes rather than tempfiles as we do for gpg.
>>    ssh-keygen has supported reading the data to be signed from stdin and
>>    writing the signature to stdout since it introduced signing.
> 
> The ssh-keygen call is already using stdin for the content to sign or 
> verify. The signature and the signing key need to be files passed as 
> parameters to ssh-keygen. I'm not aware of any other option of providing 
> them to it.

We use stdin for the content when verifying but not when signing

	strvec_pushl(&signer.args, use_format->program,
		     "-Y", "sign",
		     "-n", "git",
		     "-f", ssh_signing_key_file,
		     buffer_file->filename.buf,
		     NULL);

	sigchain_push(SIGPIPE, SIG_IGN);
	ret = pipe_command(&signer, NULL, 0, NULL, 0, &signer_stderr, 0);
	sigchain_pop(SIGPIPE);

Note that when verifying with -Y check-novalidate there is a missing 
call to sigchain_push(SIGPIPE, SIG_IGN) as we are passing data over 
stdin so need to ignore SIGPIPE.

Best Wishes

Phillip


> Cheers,
> Fabian
> 

Re: [PATCH v2] ssh signing: return an error when signature cannot be read

[Fabian Stelzer]

On 06.10.2022 14:05, Phillip Wood wrote:
>Hi Fabian
>
>On 06/10/2022 09:28, Fabian Stelzer wrote:
>>On 04.10.2022 10:01, Phillip Wood via GitGitGadget wrote:
>>>From: Phillip Wood <phillip.wood@dunelm.org.uk>
>>>   This patch is based on maint. In the longer term the code could be
>>>   simplified by using pipes rather than tempfiles as we do for gpg.
>>>   ssh-keygen has supported reading the data to be signed from stdin and
>>>   writing the signature to stdout since it introduced signing.
>>
>>The ssh-keygen call is already using stdin for the content to sign 
>>or verify. The signature and the signing key need to be files passed 
>>as parameters to ssh-keygen. I'm not aware of any other option of 
>>providing them to it.
>
>We use stdin for the content when verifying but not when signing
>
>	strvec_pushl(&signer.args, use_format->program,
>		     "-Y", "sign",
>		     "-n", "git",
>		     "-f", ssh_signing_key_file,
>		     buffer_file->filename.buf,
>		     NULL);
>
>	sigchain_push(SIGPIPE, SIG_IGN);
>	ret = pipe_command(&signer, NULL, 0, NULL, 0, &signer_stderr, 0);
>	sigchain_pop(SIGPIPE);
>
>Note that when verifying with -Y check-novalidate there is a missing 
>call to sigchain_push(SIGPIPE, SIG_IGN) as we are passing data over 
>stdin so need to ignore SIGPIPE.
>

Hm, true. I was kinda sure it both used stdin/out. I'm short on time at the 
moment and can't really work on git stuff. But I hope i can at the end of 
the year. There's a few more todos on my list.

Cheers,
Fabian