adds SSH signature validation for git commits #1141
bb-Ricardo wants to merge 7 commits into fluxcd:main
- adds new package git/signatures
- adds validation of SSH signed commits to ssh_signature.go
- moves GPG signature validation to gpg_signature.go
- adds text fixtures for all SSH and GPG key types including commits and signatures
- adds tests for all key/signature combinations
- adds wrapper for "Verify(keyRings ...string)" function

Signed-off-by: Ricardo Bartels <ricardo.bartels@telekom.de>
@bb-Ricardo please run |
git/signatures/ssh_signature.go
Outdated
| // in the format used by SSH (e.g., "SHA256:abc123..."). | ||
| func GetPublicKeyFingerprint(pubKey gossh.PublicKey) string { | ||
| hash := sha256.Sum256(pubKey.Marshal()) | ||
| return "SHA256:" + strings.TrimSuffix(base64.StdEncoding.EncodeToString(hash[:]), "=") |
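Review bot: `strings.TrimSuffix(..., "=")` on the return line strips at most one padding character, which is only correct because a 32-byte SHA-256 digest always encodes with exactly one `=`. An unpadded base64 encoding would state the intent directly and would not depend on the digest length.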
Maybe use base64.RawStdEncoding which omits padding entirely.
thank you, will change it accordingly.
git/signatures/signature.go
Outdated
|
|
||
| // Isx509Signature tests if the given signature is of type x509. | ||
| // It returns true if the signature starts with the x509 signature prefix. | ||
| func Isx509Signature(signature string) bool { |
| func Isx509Signature(signature string) bool { | |
| func IsX509Signature(signature string) bool { |
We do not support X509, why have this code here?
This is a placeholder / compatibility implementation:
- to embed the signature type into the error message to inform the user about the wrong type of signature
- it is planned to implement x509 signature validation as well: Feature Request: support validation of additional git commit signature types source-controller#1996
Ok, can you please add a comment and explain all of this? Also normalize the naming: instead of Isx it should be IsX.
Sure, will do that. So due to the CamelCasing the x in x509 would be capitalized?
In general, these functions should be implemented in go-git but this is currently not the case. But the discussion about the git signature validation improvements is already ongoing.
| return GetPublicKeyFingerprint(pubKey), nil | ||
| } | ||
| } | ||
| } |
The hash algo is specified in the SSH signature. So instead of trying both algos, we can do:
    err := sshsig.Verify(bytes.NewReader(payload), sig, pubKey, sig.HashAlgorithm, "git")
    if err == nil {
        return GetPublicKeyFingerprint(pubKey), nil
    }
thank you, will have a look into changing it.
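Added example, not code from this PR or from the sshsig library: a standard-library Go parser for the armored SSH signature layout (PROTOCOL.sshsig) that reads the namespace and hash algorithm from the signature itself, as the review comment above describes, and formats the embedded key's fingerprint with base64.RawStdEncoding as suggested earlier in the review. SigHeader, ParseSigHeader and constructedSample are hypothetical names, and the sample blob is constructed from placeholder key and signature bytes.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/pem"
	"errors"
	"fmt"
)

// SigHeader holds the SSHSIG fields that precede the raw signature bytes.
type SigHeader struct{ KeyFingerprint, Namespace, HashAlgorithm string }

// ParseSigHeader accepts only a v1 blob in namespace "git" hashed with sha256 or sha512.
func ParseSigHeader(armored []byte) (*SigHeader, error) {
	blk, _ := pem.Decode(armored)
	if blk == nil || blk.Type != "SSH SIGNATURE" || !bytes.HasPrefix(blk.Bytes, []byte("SSHSIG\x00\x00\x00\x01")) {
		return nil, errors.New("not a version 1 armored SSH signature")
	}
	b := blk.Bytes[10:]
	var f [4][]byte // publickey, namespace, reserved, hash_algorithm
	for i := range f { // each field: uint32 big-endian length, then bytes
		if len(b) < 4 || uint64(binary.BigEndian.Uint32(b)) > uint64(len(b)-4) {
			return nil, errors.New("truncated field")
		}
		n := 4 + int(binary.BigEndian.Uint32(b))
		f[i], b = b[4:n], b[n:]
	}
	h := &SigHeader{Namespace: string(f[1]), HashAlgorithm: string(f[3])}
	if h.Namespace != "git" || (h.HashAlgorithm != "sha256" && h.HashAlgorithm != "sha512") {
		return nil, fmt.Errorf("rejected namespace %q, hash %q", h.Namespace, h.HashAlgorithm)
	}
	sum := sha256.Sum256(f[0]) // fingerprint: SHA-256 over the public key blob
	h.KeyFingerprint = "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
	return h, nil
}

// constructedSample builds a well-formed blob from placeholder bytes (constructed, not a real signature).
func constructedSample(ns, hashAlg string) []byte {
	body := []byte("SSHSIG\x00\x00\x00\x01")
	for _, s := range []string{"constructed-key", ns, "", hashAlg, "constructed-sig"} {
		body = append(binary.BigEndian.AppendUint32(body, uint32(len(s))), s...)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "SSH SIGNATURE", Bytes: body})
}

func main() { fmt.Println(ParseSigHeader(constructedSample("git", "sha512"))) }
```

The fingerprint here is of the key embedded in the blob, which the signer chooses; it is useful for picking a candidate key or for error messages, and the cryptographic check still has to run against a key the verifier already trusts.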
git/signatures/ssh_signature_test.go
Outdated
|
|
||
| for _, tt := range tests { | ||
| t.Run(tt.name, func(t *testing.T) { | ||
| sig, err := sshsig.Unarmor([]byte(tt.sig)) |
Why are we testing sshsig here? Call VerifySSHSignature or ParseAuthorizedKeys instead?
Test cases have been combined and redundant tests have been removed.
git/signatures/ssh_signature_test.go
Outdated
| }) | ||
| } | ||
|
|
||
| func TestVerifySSHSignatureAllKeyTypes(t *testing.T) { |
This looks like a duplicate of TestVerifySSHSignature. If you delete it, does the test coverage drop?
git/signatures/ssh_signature.go
Outdated
|
|
||
| // getPublicKeyFingerprint returns the SHA256 fingerprint of the public key | ||
| // in the format used by SSH (e.g., "SHA256:abc123..."). | ||
| func GetPublicKeyFingerprint(pubKey gossh.PublicKey) string { |
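Review bot: the doc comment opens with `getPublicKeyFingerprint` while the function is declared as `GetPublicKeyFingerprint`; Go doc comments should begin with the exact identifier. Either change the comment's first word to match or unexport the function so the two agree.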
Do we need to export this?
I wanted to use BuildCommitWithRef from clone. But to avoid circular dependencies, I needed to make this function public. I could put the test for the fingerprints into a separate test package to avoid that. Otherwise I would need to reimplement the behaviour of BuildCommitWithRef mockup, but wanted to avoid that to get some meaningful test results.
I have split the test packages and now the function is not exported anymore.
This PR adds support of SSH signature validation.
resolves: fluxcd/flux2#4145