Add SSH signature verification for git commits#1141
Open
bb-Ricardo wants to merge 17 commits into
Open
Conversation
bb-Ricardo
force-pushed
the
rb-feature/adds-ssh-signature-validation
branch
2 times, most recently
from
96523af to
1561774
Compare
Member
|
@bb-Ricardo please run |
bb-Ricardo
force-pushed
the
rb-feature/adds-ssh-signature-validation
branch
from
eedb46c to
048e862
Compare
2 tasks
bb-Ricardo
force-pushed
the
rb-feature/adds-ssh-signature-validation
branch
from
e247a34 to
5e6ab4d
Compare
Author
|
Hi, was just wondering if this PR is sufficient or if anything else is needed? |
stefanprodan
added
enhancement
Member
Member
stefanprodan
left a comment
stefanprodan
left a comment
There was a problem hiding this comment.
Tests are failing with open signatures/... no such file or directory please run make test-git before pushing commits.
Author
|
sorry for that, now the tests passed locally. |
hiddeco
reviewed
Mar 10, 2026
bb-Ricardo
force-pushed
the
rb-feature/adds-ssh-signature-validation
branch
from
83338dc to
51ceefd
Compare
Author
|
@hiddeco - would you mind to have a look at this PR again? Thank you. |
pjbgf
requested changes
Mar 19, 2026
Member
pjbgf
left a comment
pjbgf
left a comment
There was a problem hiding this comment.
@bb-Ricardo thanks for working on this. Overall LGTM, however I'd remove any references to DSA as per thread below.
Member
|
@bb-Ricardo please use rebase not merge. Undo the last merge, and properly rebase your fork, GH has a button for this if you go to your forked repo. |
bb-Ricardo
force-pushed
the
rb-feature/adds-ssh-signature-validation
branch
from
b6f0ece to
bd9abd8
Compare
Author
Yes, sorry. I used the seemingly convenient button GitHub offered in this PR. I removed all occurrences of GPG DSA keys in the tests and test fixtures. |
bb-Ricardo
force-pushed
the
rb-feature/adds-ssh-signature-validation
branch
from
bd9abd8 to
fa037d1
Compare
bb-Ricardo
force-pushed
the
rb-feature/adds-ssh-signature-validation
branch
from
fa037d1 to
0811c24
Compare
Author
|
Hi, was wondering if anything else is needed. Thank you |
bb-Ricardo
force-pushed
the
rb-feature/adds-ssh-signature-validation
branch
from
0811c24 to
af44b2c
Compare
- adds new package git/signatures - adds validation of SSH signed commits to ssh_signature.go - moves GPG signature validation to gpg_signature.go - adds text fixtures for all SSH and GPG key types including commits and signatures - adds tests for all key/signature combinations - adds wrapper for "Verify(keyRings ...string)" function Signed-off-by: Ricardo Bartels <ricardo.bartels@telekom.de>
Signed-off-by: Ricardo Bartels <ricardo.bartels@telekom.de>
Signed-off-by: Ricardo Bartels <ricardo.bartels@telekom.de>
Signed-off-by: Ricardo Bartels <ricardo.bartels@telekom.de>
Signed-off-by: Ricardo Bartels <ricardo.bartels@telekom.de>
Signed-off-by: Ricardo Bartels <ricardo.bartels@telekom.de>
Signed-off-by: Ricardo Bartels <ricardo.bartels@telekom.de>
Signed-off-by: Ricardo Bartels <ricardo.bartels@telekom.de>
…tureType' Signed-off-by: Ricardo Bartels <ricardo.bartels@telekom.de>
Co-authored-by: Paulo Gomes <paulo.gomes.uk@gmail.com> Signed-off-by: Ricardo <ricardo@bitchbrothers.com> Signed-off-by: Ricardo Bartels <ricardo.bartels@telekom.de>
Signed-off-by: Ricardo Bartels <ricardo.bartels@telekom.de>
Signed-off-by: Ricardo Bartels <ricardo.bartels@telekom.de>
Signed-off-by: Ricardo Bartels <ricardo.bartels@telekom.de>
bb-Ricardo
force-pushed
the
rb-feature/adds-ssh-signature-validation
branch
from
af44b2c to
074c9de
Compare
hiddeco
reviewed
May 18, 2026
Comment on lines
+93
to
+94
| err := sshsig.Verify(bytes.NewReader(payload), sig, pubKey, sig.HashAlgorithm, SSHSignatureNamespace) | ||
| if err == nil { |
Member
There was a problem hiding this comment.
The sshsig library has certain error sentinels that can be quite informative (e.g. sshsig.ErrPublicKeyMismatch / ErrNamespaceMismatch / ErrUnsupportedHashAlgorithm. VerifyPGPSignature). This information is now swallowed instead of being made available to the user if all keys fail.
hiddeco
reviewed
May 18, 2026
| @@ -0,0 +1,5 @@ | |||
| sign-user@example.com namespaces="git" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCpreiO+8XsB4xXGNmwuO48a7WPghb5ihCJNPyQZpnaPfq6vhNVWSgq8AIjBmJOJYo4HZyiHqpS4OBc86glk6qMv8YHRt4VRVBP+DjPLDIsOR7+2HBlOPHMm8lTDi+iMPHBDxqFy7mSDB4+v7n700+49vYhWjZJpesnnE6JoitxSVhmqp75jeNRNU6PD00z+gMUcviv8UOs/Apg1Cw5f+4T9yOnjlOHaFH/ButvZ0t2VF0cs28tfCuLAoumjine5Gm6tCRQlZOoapNJzvnYT+86f/PEU/4kDYf3wT7S+NnUDfCsIpDVlOXPvjnQ/DudhqEnnXvfch+eBCI7rtJBHIGPKFdmC4cUROa0UDGR6o/JxLtx4ZTbkGpq6MVwdrb7qJ+Oib1U8xVimWFfarkm7deVXWD3wB5Wa8Ko/a/WuYfE3gYRhb8iXPYd71FsEy4F41JCMZDcIqMiQRe3e2gvY+z2sf02kHOFeWJmrAY9FFjPL85VD0Dg++jrExkGFjcBTw9gUG5OPGpwqQ9WHO8E8DPza+i5J/wu4DODyLrLxuXHPeSYUjcvh5ln8P70qL+Irwn1mgn2PkIZW0XCPBt6Iylg55t5sfyy03P0Kmb4U3TrppMeig7Lr9LDU4Doh7Fj6oLYDGFUV+F52SSuPs5SfrWd6Apiz+VPjsAh5btPPJNlzQ== test-rsa@example.com | |||
Member
There was a problem hiding this comment.
I do not believe any of the verified_signers_* files are actually utilized in tests?
Comment on lines
+365
to
+370
| ### Script structure | ||
| The script uses separate functions for different key types: | ||
| - `generate_rsa_dsa_key()` - For RSA keys with key length validation | ||
| - `generate_ecc_key()` - For ECC/ECDSA/EdDSA keys with curve validation | ||
| - `create_signed_object()` - For creating signed commits and tags | ||
| - `create_unsigned_commit()` - For creating unsigned test commits |
| ./generate_ssh_fixtures.sh | ||
| ``` | ||
|
|
||
| This script will automatically create all SSH keys, authorized_keys files, verified signers files, signed commits, and signed tags. |
Member
There was a problem hiding this comment.
This seems to not be accurate anymore. (There are probably more things in this doc.)
| // which is not supported by github.com/ProtonMail/go-crypto (only version 4 is supported). | ||
| // The error occurs when trying to read the armored key ring: | ||
| // "unable to read armored key ring: openpgp: invalid data: first packet was not a public/private key" | ||
| {"ed448 valid signature", "commit_ed448_signed.txt", "tag_ed448_signed.txt", "key_ed448.pub", true}, |
Member
There was a problem hiding this comment.
Should we also test tag_unsigned.txt?
| sig: "-----BEGIN SSH SIGNATURE-----\n-----END SSH SIGNATURE-----", | ||
| keyRings: []string{armoredKeyRingFixture}, | ||
| wantErr: "unable to verify openPGP signature, detected signature format: ssh", | ||
| }, |
Member
There was a problem hiding this comment.
Testing a malformed signature (e.g. malformed body and/or missing -----END... would probably be good to test as well.
| sig: "-----BEGIN SSH SIGNATURE-----\n-----END SSH SIGNATURE-----", | ||
| keyRings: []string{armoredKeyRingFixture}, | ||
| wantErr: "unable to verify openPGP signature, detected signature format: ssh", | ||
| }, |
Member
There was a problem hiding this comment.
Testing multi-keyring case would have surfaced the issue I commented on gpg_signature.go itself.
| create_signed_object() { | ||
| local object_type=$1 | ||
| local key_name=$2 | ||
| local key_type=$3 |
| echo "Temporary directory: $TEMP_DIR" | ||
| echo "Output directory: $SCRIPT_DIR" | ||
| echo "" | ||
|
|
Member
There was a problem hiding this comment.
Would probably be good to do a quick command -v safety check to fail early.
matheuscscp
changed the title
Signed-off-by: Ricardo Bartels <ricardo.bartels@telekom.de>
Signed-off-by: Ricardo Bartels <ricardo.bartels@telekom.de>
Signed-off-by: Ricardo Bartels <ricardo.bartels@telekom.de>
Author
|
Thank you @hiddeco for taking the time to review the code. Will try to fix the rest of the code during the day. |
…alfored key is included Signed-off-by: Ricardo Bartels <ricardo.bartels@telekom.de>
bb-Ricardo
force-pushed
the
rb-feature/adds-ssh-signature-validation
branch
from
0d42c77 to
f67d6c3
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR adds support of SSH signature validation.
resolves: fluxcd/flux2#4145