From: "brian m. carlson" <sandals@crustytoothpaste.net>
To: Nicolas Graves <ngraves@ngraves.fr>
Cc: git@vger.kernel.org, Cuckoo Aidan <aidancuckoo@gmail.com>
Subject: Re: Error / feature-request: Signing git commits with SSH hardware key
Date: Tue, 11 Oct 2022 20:41:44 +0000
Message-ID: <Y0XVCDu9o3xDnt81@tapette.crustytoothpaste.net>
In-Reply-To: <875ygqw7p8.fsf@ngraves.fr>
On 2022-10-11 at 18:12:19, Nicolas Graves wrote:
>
> Hi!

Hey,

> I noticed git commit signing works well with ssh-ed25519 keys, but does
> fail with sk-ssh-ed25519@openssh.com SSH hardware keys (which can be
> used to clone / post to github for instance).

I was surprised to hear that, so I just tested on my Debian amd64/sid
system, and I was able to sign and verify using an
sk-ssh-ed25519@openssh.com SSH key using my YubiKey 5C. I do believe it
does work, although when the signature occurs, there's no notice that
it's waiting for user interaction, so you just have to look at the
lights to determine that the touch is needed.

Could you maybe mention what version of OpenSSH you're using and on what
platform? I used 9.0p1, and as I mentioned, it's Linux. The output
looks like so:

  $ git verify-commit --raw HEAD
  Good "git" signature for sandals@crustytoothpaste.net with ED25519-SK key SHA256:PNxAWB7cxxxrCTbgsdoDq71o3rCm9O7Er4q+0YrEAdM

Specifically, what error message or other indications of failure do you
see when you try to sign?

> I also noticed a similar error in a previous mail from Cuckoo Aidan
> <aidancuckoo@gmail.com>, but he doesn't say which type of key he
> used. In any case, would that be possible to include the info about
> which type of keys cannot be used to commit in the github guide
> https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key#telling-git-about-your-ssh-key) ?

We don't control the GitHub documentation, since we're independent of
GitHub. If there's incorrect information, you'd need to contact GitHub.
However, as I mentioned above, I do believe this works at least in some
cases.
--
brian m. carlson (he/him or they/them)
Toronto, Ontario, CA
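
The script below is an added example, not part of the original message and not code from Git or OpenSSH. It parses the status line that `git verify-commit --raw` printed in the message above and accepts a commit only when the signature is trusted and the key type ends in -SK. The function names, the `require_sk_commit` wrapper and the two extra sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: policy check on the status line that
# `git verify-commit --raw` prints for an SSH-signed commit.

# Print "principal keytype fingerprint" for a trusted good-signature line.
# Prints nothing for any other line, including the form without
# "for <principal>" that ssh-keygen emits when the key matched no entry
# in the allowed signers file.
parse_ssh_sig() {
    printf '%s\n' "$1" | sed -n -E \
        's#^Good "git" signature for ([^ ]+) with ([A-Z0-9-]+) key (SHA256:[A-Za-z0-9+/]+)$#\1 \2 \3#p'
}

# Succeed only for a trusted signature whose key type ends in -SK
# (ED25519-SK on the page; ECDSA-SK is OpenSSH's other security-key type).
is_sk_signature() {
    parsed=$(parse_ssh_sig "$1")
    [ -n "$parsed" ] || return 1
    keytype=${parsed#* }      # drop the principal
    keytype=${keytype%% *}    # drop the fingerprint
    case "$keytype" in
        *-SK) return 0 ;;
        *)    return 1 ;;
    esac
}

# Hypothetical wrapper for a hook or CI step: verify REV, then apply the policy.
require_sk_commit() {
    out=$(git verify-commit --raw "$1" 2>&1) || return 1
    line=$(printf '%s\n' "$out" | grep '^Good "git" signature' | head -n 1)
    is_sk_signature "$line"
}

# The first sample is the output quoted in the message; the other two are
# constructed, with placeholder fingerprints.
SAMPLE_SK='Good "git" signature for sandals@crustytoothpaste.net with ED25519-SK key SHA256:PNxAWB7cxxxrCTbgsdoDq71o3rCm9O7Er4q+0YrEAdM'
SAMPLE_SOFT='Good "git" signature for dev@example.org with ED25519 key SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
SAMPLE_UNTRUSTED='Good "git" signature with ED25519-SK key SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'

for l in "$SAMPLE_SK" "$SAMPLE_SOFT" "$SAMPLE_UNTRUSTED"; do
    if is_sk_signature "$l"; then echo "accept: $l"; else echo "reject: $l"; fi
done
```

Only the first sample is accepted: the second was made with a software key, and the third lacks a principal, so the key is not in the allowed signers file.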