* Error / feature-request: Signing git commits with SSH hardware key
From: Nicolas Graves @ 2022-10-11 18:12 UTC (permalink / raw)
To: git; +Cc: Cuckoo Aidan
Hi!
I noticed git commit signing works well with ssh-ed25519 keys, but does
fail with sk-ssh-ed25519@openssh.com SSH hardware keys (which can be
used to clone / push to github for instance).
Would it be possible to support this in a later release? That way a
smart card could be useful for both ssh and git.
I also noticed a similar error in a previous mail from Cuckoo Aidan
<aidancuckoo@gmail.com>, but he doesn't say which type of key he
used. In any case, would it be possible to include information about
which types of keys cannot be used to commit in the GitHub guide
https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key#telling-git-about-your-ssh-key ?
--
Best regards,
Nicolas Graves
* Re: Error / feature-request: Signing git commits with SSH hardware key
From: brian m. carlson @ 2022-10-11 20:41 UTC (permalink / raw)
To: Nicolas Graves; +Cc: git, Cuckoo Aidan
On 2022-10-11 at 18:12:19, Nicolas Graves wrote:
>
> Hi!
Hey,
> I noticed git commit signing works well with ssh-ed25519 keys, but does
> fail with sk-ssh-ed25519@openssh.com SSH hardware keys (which can be
> used to clone / push to github for instance).
I was surprised to hear that, so I just tested on my Debian amd64/sid
system, and I was able to sign and verify using an
sk-ssh-ed25519@openssh.com SSH key using my YubiKey 5C. I do believe it
does work, although when the signature occurs, there's no notice that
it's waiting for user interaction, so you just have to look at the
lights to determine that the touch is needed.
Could you maybe mention what version of OpenSSH you're using and on what
platform? I used 9.0p1, and as I mentioned, it's Linux. The output
looks like so:
$ git verify-commit --raw HEAD
Good "git" signature for sandals@crustytoothpaste.net with ED25519-SK key SHA256:PNxAWB7cxxxrCTbgsdoDq71o3rCm9O7Er4q+0YrEAdM
Specifically, what error message or other indications of failure do you
see when you try to sign?
> I also noticed a similar error in a previous mail from Cuckoo Aidan
> <aidancuckoo@gmail.com>, but he doesn't say which type of key he
> used. In any case, would it be possible to include information about
> which types of keys cannot be used to commit in the GitHub guide
> https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key#telling-git-about-your-ssh-key ?
We don't control the GitHub documentation, since we're independent of
GitHub. If there's incorrect information, you'd need to contact GitHub.
However, as I mentioned above, I do believe this works at least in some
cases.
--
brian m. carlson (he/him or they/them)
Toronto, Ontario, CA
* Re: Error / feature-request: Signing git commits with SSH hardware key
From: Nicolas Graves @ 2022-10-11 21:54 UTC (permalink / raw)
To: brian m. carlson; +Cc: git, Cuckoo Aidan
On 2022-10-11 20:41, brian m. carlson wrote:
> Could you maybe mention what version of OpenSSH you're using and on what
> platform? I used 9.0p1, and as I mentioned, it's Linux. The output
> looks like so:
I currently use this version on Guix (so Linux):
OpenSSH_8.9p1, OpenSSL 1.1.1q 5 Jul 2022
The error occurs when I try to "really" commit using magit or git
through the command line.
hint: Waiting for your editor to close the file...
Waiting for Emacs...
error: Couldn't load public key sk-ssh-ed25519@openssh.com AAAAG[..]zaDo=: No such file or directory?
fatal: failed to write commit object
Now if I try this command:
> $ git verify-commit --raw HEAD
I get the following:
error: gpg.ssh.allowedSignersFile needs to be configured and exist for ssh signature verification
It's possible that my config is not complete; I remember not having
necessarily done the part with allowedSigners (which is apparently not
necessary for a "simple" ed25519 key). I'll take a look and come back
to you.
--
Best regards,
Nicolas Graves
* Re: Error / feature-request: Signing git commits with SSH hardware key
From: Nicolas Graves @ 2022-10-11 22:17 UTC (permalink / raw)
To: brian m. carlson; +Cc: git, Cuckoo Aidan
On 2022-10-11 23:54, Nicolas Graves wrote:
> error: gpg.ssh.allowedSignersFile needs to be configured and exist for ssh signature verification
And I can confirm that it was this error and bad configuration, sorry!
> error: Couldn't load public key sk-ssh-ed25519@openssh.com AAAAG[..]zaDo=: No such file or directory?
This error is not very precise though.
Thanks for your help!
--
Best regards,
Nicolas Graves
* Re: Error / feature-request: Signing git commits with SSH hardware key
From: Nicolas Graves @ 2022-10-12 6:54 UTC (permalink / raw)
To: brian m. carlson; +Cc: git
>> error: Couldn't load public key sk-ssh-ed25519@openssh.com AAAAG[..]zaDo=: No such file or directory?
>
Sorry, I still do have this error, even though the previous one
disappeared (it verified a commit signed by another key) and my
configuration is OK.
"No such file or directory" would indicate I don't own the key. I've
verified I have the key on my YubiKey 5C, in the directory ~/.ssh with
the right condition, and additionally I've imported it into ssh-agent with
ssh-add.
Using the GIT_TRACE=2 env variable, I get this:
08:32:41.916712 git.c:460 trace: built-in: git commit -m test
08:32:41.917380 run-command.c:655 trace: run_command: ssh-keygen -Y sign -n git -f 'sk-ssh-ed25519@openssh.com AAAAG[...]zaDo=' /tmp/.git_signing_buffer_tmp6Dc0Mx
The ssh-keygen manual indicates the following:
-Y sign
Cryptographically sign a file or some data using a SSH key. When
signing, ssh-keygen accepts zero or more files to sign on the
command-line - if no files are specified then ssh-keygen will
sign data presented on standard input. Signatures are written to
the path of the input file with ".sig" appended, or to standard
output if the message to be signed was read from standard input.
The key used for signing is specified using the -f option and may
refer to either a private key, or a public key with the private
half available via ssh-agent(1). An additional signature namespace,
used to prevent signature confusion across different domains of use
(e.g. file signing vs email signing) must be provided via the -n
flag. Namespaces are arbitrary strings, and may include: "file" for
file signing, "email" for email signing. For custom uses, it is
recommended to use names following a NAMESPACE@YOUR.DOMAIN pattern
to generate unambiguous namespaces.
Running ssh-add -L, I can confirm that the private half is available via
ssh-agent.
I've also checked that the error doesn't come from the missing input file
(used to sign), here /tmp/.git_signing_buffer_tmp6Dc0Mx . Re-running the
ssh-keygen command with a mock file fails with the same error.
I don't really know where to investigate next. What I get is that the
error probably comes from ssh (should I report it there? The problem
feels isolated now that I know which command fails). I may try to
update openssh to v9, but since I'm using guix that might be quick as
well as tedious.
--
Best regards,
Nicolas Graves
* Re: Error / feature-request: Signing git commits with SSH hardware key
From: Fabian Stelzer @ 2022-10-12 6:55 UTC (permalink / raw)
To: Nicolas Graves; +Cc: brian m. carlson, git, Cuckoo Aidan
On 12.10.2022 00:17, Nicolas Graves wrote:
>On 2022-10-11 23:54, Nicolas Graves wrote:
>
>> error: gpg.ssh.allowedSignersFile needs to be configured and exist for ssh signature verification
>
>And I can confirm that it was this error and bad configuration, sorry!
>
>> error: Couldn't load public key sk-ssh-ed25519@openssh.com AAAAG[..]zaDo=: No such file or directory?
>
>This error is not very precise though.
I assume you have specified your key in the git config in user.signingkey as
the literal keystring?
If so, then you'll need a `key::` prefix. Otherwise git will treat it as a
file path.
See
https://git-scm.com/docs/git-config#Documentation/git-config.txt-usersigningKey
In the initial merge of this feature, git would allow ssh-* keys to be
specified without the prefix. This was later deprecated and not all
tutorials/docs you'll find online take this into account.
Cheers,
Fabian
>
>Thanks for your help!
>
>
>--
>Best regards,
>Nicolas Graves
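Added example (my code, not the thread's and not git's own) covering Fabian's point about the key:: prefix and the GIT_TRACE output Nicolas posted earlier: a POSIX sh script that mirrors how git decides whether user.signingKey is a literal public key or a file path (git's gpg-interface accepts "key::" and, as a legacy form, values starting with "ssh-"; anything else, including an "sk-ssh-ed25519@openssh.com ..." string, is handed to ssh-keygen -f as a path), builds the key:: value and the allowed_signers line from a .pub file, and, when git and ssh-keygen are installed, signs and verifies a commit end to end with a throwaway software ed25519 key since no hardware token is available here. The sk- key blob, the email address and the paths are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from git itself.
# Mirrors how git decides whether user.signingKey is a literal SSH public key
# or a file path, and shows the configuration that avoids the error in the thread.

# classify_signingkey VALUE
#   key::...  -> literal public key (documented form; private half must be in ssh-agent)
#   ssh-...   -> literal public key (legacy form git still accepts for ssh-* types)
#   otherwise -> a file path
# An "sk-ssh-ed25519@openssh.com AAAA..." value does not start with "ssh-", so
# without the key:: prefix git passes it to ssh-keygen as a path, which fails with
# "Couldn't load public key ...: No such file or directory".
classify_signingkey() {
  case "$1" in
    key::*) echo literal ;;
    ssh-*)  echo literal-legacy ;;
    *)      echo path ;;
  esac
}

# signingkey_from_pub PUBKEY_LINE
# Turns a "type base64 [comment]" line (e.g. the contents of id_ed25519_sk.pub)
# into a user.signingKey value. Only the type and key material are kept.
signingkey_from_pub() {
  printf 'key::%s\n' "$(printf '%s\n' "$1" | awk '{print $1 " " $2}')"
}

# allowed_signers_line PRINCIPAL PUBKEY_LINE
# One line for the file named by gpg.ssh.allowedSignersFile, which
# git verify-commit needs to map a key to an identity.
allowed_signers_line() {
  printf '%s %s\n' "$1" "$(printf '%s\n' "$2" | awk '{print $1 " " $2}')"
}

# Constructed hardware-key public line (not a real key) to show both forms.
SK_PUB='sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tEXAMPLE yubikey-demo'
echo "bare sk- value is treated as: $(classify_signingkey "$SK_PUB")"
echo "use instead: git config --global user.signingKey '$(signingkey_from_pub "$SK_PUB")'"

# End-to-end signing and verification with a throwaway software ed25519 key,
# because no hardware token is available here. With a hardware key you would
# use the key:: value above and load the sk- private handle into ssh-agent
# with ssh-add instead of pointing at a private key file.
demo_sign_and_verify() {
  tmp=$(mktemp -d) || return 1
  ssh-keygen -q -t ed25519 -N '' -C demo@example.invalid -f "$tmp/id_ed25519" || return 1
  git init -q "$tmp/repo" && cd "$tmp/repo" || return 1
  git config user.name demo
  git config user.email demo@example.invalid
  git config gpg.format ssh
  # Path form: git hands the private key file to "ssh-keygen -Y sign -n git -f ..."
  git config user.signingKey "$tmp/id_ed25519"
  allowed_signers_line demo@example.invalid "$(cat "$tmp/id_ed25519.pub")" >"$tmp/allowed_signers"
  git config gpg.ssh.allowedSignersFile "$tmp/allowed_signers"
  git commit -q --allow-empty -S -m 'signed test commit' || return 1
  git verify-commit HEAD
}

if command -v git >/dev/null 2>&1 && command -v ssh-keygen >/dev/null 2>&1; then
  (demo_sign_and_verify) || echo "demo skipped: git/ssh-keygen could not sign here"
fi
```

The classification is the part worth internalising: the legacy "ssh-" shortcut is why a plain ssh-ed25519 key appears to work without the prefix while an sk- key does not, and the fix is the same for every key type, a user.signingKey of the form key::<type> <base64> with the private half reachable through ssh-agent.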
* Re: Error / feature-request: Signing git commits with SSH hardware key
From: Nicolas Graves @ 2022-10-12 7:22 UTC (permalink / raw)
To: Fabian Stelzer; +Cc: brian m. carlson, git, Cuckoo Aidan
On 2022-10-12 08:55, Fabian Stelzer wrote:
> I assume you have specified your key in the git config in user.signingkey as
> the literal keystring?
> If so, then you'll need a `key::` prefix. Otherwise git will treat it as a
> file path.
> See
> https://git-scm.com/docs/git-config#Documentation/git-config.txt-usersigningKey
>
> In the initial merge of this feature, git would allow ssh-* keys to be
> specified without the prefix. This was later deprecated and not all
> tutorials/docs you'll find online take this into account.
Our mails crossed :)
This was the actual error, thanks a lot!
--
Best regards,
Nicolas Graves