From: Matthias Maier <tamiko-GITVGER@43-1.org>
To: git@vger.kernel.org
Cc: Fabian Stelzer <fs@gigacodes.de>
Subject: Re: Using principal wildcards in gpg.ssh.allowedSignersFile
Date: Fri, 17 Dec 2021 10:41:31 -0600
Message-ID: <87czlv5glg.fsf@43-1.org>
In-Reply-To: <20211217094235.i2fwildp7rcjcgtz@fs> (Fabian Stelzer's message of "Fri, 17 Dec 2021 10:42:35 +0100")

Hi Fabian,

Thanks for doing the bug report to openssh!


On Fri, Dec 17, 2021, at 03:42 CST, Fabian Stelzer <fs@gigacodes.de> wrote:

> [...]

>>  $ ssh-keygen -Y find-principals -f allowed_signers -n file -s test.txt.sig
>>  tamiko@43-1.org
>
> Are you sure the allowed_signers file was exactly what you generated
> before for this command? If I follow your steps this will not produce
> a principal for me with either openssh-8.8.1 or master. Can you run
> this with `-vvv`, which will show a bit more ssh internal output?
> In the openssh code for find-principals wildcard principals are
> filtered for CA certs. I'm not sure why and have asked them about it.
>
> By the way, find-principals will not consider the namespace parameter.
> This has another bug in the current master producing a segfault for
> which I've already sent a patch. But this should be unrelated to your
> issue.

You're absolutely right - I did confuse myself. The find-principals call
does not work:

    % ssh-keygen -vvv -Y find-principals -f allowed_signers -n file -s test.txt.sig
    debug3: allowed_signers:1: options cert-authority,namespaces="file,git"
    debug1: allowed_signers:1: principal "*@43-1.org" not authorized: contains wildcards
    allowed_signers:1: no valid principals found
    debug1: allowed_signers:1: cert_filter_principals: invalid certificate
    No principal matched.

I agree. It is interesting that they explicitly filter wildcards for the
find-principals call. Let's see what openssh upstream has to say.


> [...]
>
> Just FYI: if you add GIT_TRACE=1 to the git commands you can see the
> executed ssh-keygen commands, which can help to see what's going on.

Ah, that's neat!


Best,
Matthias
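The trace in the message above shows that `ssh-keygen -Y find-principals` skips a `cert-authority` line whose principal contains a wildcard ("not authorized: contains wildcards"), even though that same line works for `ssh-keygen -Y verify` with an explicit `-I` principal. The following script is an added example, not code from the thread, git or OpenSSH: it parses the allowed_signers format (principals, optional `cert-authority`/`namespaces=` options, key type, key), answers "which lines would accept this principal in this namespace" with shell-style wildcard matching, and lists the cert-authority lines with wildcard principals that find-principals will not report. The sample file, the key blobs and the e-mail addresses other than `*@43-1.org` are constructed for the example.

```python
"""Audit an OpenSSH allowed_signers file (added example, not project code).

Format per ssh-keygen(1): principals [options] keytype key [comment]
Principals are comma-separated and may contain * and ? wildcards.
"""
import fnmatch
from dataclasses import dataclass

# Constructed sample; the first key line mirrors the thread's
# "cert-authority,namespaces=\"file,git\"" line, the others are invented.
SAMPLE = """\
# constructed sample, not a real allowed_signers file
*@43-1.org cert-authority,namespaces="file,git" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLECAKEY ca
alice@example.com namespaces="git" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEALICE alice
bob@example.com,bob@example.org ssh-rsa AAAAB3NzaC1yc2EEXAMPLEBOB bob
"""

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


@dataclass
class SignerEntry:
    lineno: int
    principals: list
    options: dict
    key_type: str
    key_blob: str
    comment: str = ""

    def has_wildcard(self):
        return any("*" in p or "?" in p for p in self.principals)

    def is_ca(self):
        return "cert-authority" in self.options

    def namespaces(self):
        """None means the line accepts any namespace."""
        ns = self.options.get("namespaces")
        return ns.split(",") if ns else None


def _split_options(text):
    """Split 'a,b="x,y"' on commas outside double quotes into a dict.
    Flag options (cert-authority) map to True, key=value options to value."""
    opts, cur, quoted = {}, [], False
    for ch in text + ",":
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            piece = "".join(cur)
            cur = []
            if piece:
                key, _, value = piece.partition("=")
                opts[key] = value if value else True
        else:
            cur.append(ch)
    return opts


def parse_allowed_signers(text):
    """Parse allowed_signers text; comment and blank lines are skipped.
    Assumes option values contain no whitespace (quoted commas are fine)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        principals = tokens[0].split(",")
        rest = tokens[1:]
        options = {}
        # The second field is options unless it already looks like a key type.
        if rest and not rest[0].startswith(KEY_TYPE_PREFIXES):
            options = _split_options(rest[0])
            rest = rest[1:]
        if len(rest) < 2:
            raise ValueError(f"line {lineno}: expected key type and key")
        entries.append(SignerEntry(lineno, principals, options,
                                   rest[0], rest[1], " ".join(rest[2:])))
    return entries


def match_principal(entries, principal, namespace):
    """Entries whose principal patterns and namespaces accept the pair.
    fnmatchcase approximates OpenSSH's * and ? matching (it also honours
    [...] classes, which OpenSSH does not)."""
    hits = []
    for e in entries:
        ns = e.namespaces()
        if ns is not None and namespace not in ns:
            continue
        if any(fnmatch.fnmatchcase(principal, pat) for pat in e.principals):
            hits.append(e)
    return hits


def find_principals_gaps(entries):
    """cert-authority lines with wildcard principals: in the thread's trace,
    find-principals logs these as 'not authorized: contains wildcards' and
    reports no principal for them, so verify them with an explicit -I."""
    return [e for e in entries if e.is_ca() and e.has_wildcard()]


if __name__ == "__main__":
    parsed = parse_allowed_signers(SAMPLE)
    for e in match_principal(parsed, "tamiko@43-1.org", "file"):
        print(f"line {e.lineno} accepts tamiko@43-1.org in namespace file")
    for e in find_principals_gaps(parsed):
        print(f"line {e.lineno}: find-principals will skip {e.principals}")
```

Run it against a real file with `parse_allowed_signers(open(path).read())`; any line it reports from `find_principals_gaps` is one where `git log --show-signature` (which calls find-principals) cannot name the signer, although `ssh-keygen -Y verify -I <principal>` still succeeds.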

