git/gpg-interface.c, branch v2.34.2

Merge branch 'jx/message-fixes'

2021-11-03T20:32:28Z

Fixes to recently added messages. * jx/message-fixes: i18n: fix typos found during l10n for git 2.34.0

gpg-interface: avoid buffer overrun in parse_ssh_output()

2021-11-02T00:00:41Z

If the string "key" we found in the output of ssh-keygen happens to be located at the very end of the line, then going four characters further leaves us beyond the end of the string. Explicitly search for the space after "key" to handle a missing one gracefully. Signed-off-by: René Scharfe Acked-by: Fabian Stelzer Signed-off-by: Junio C Hamano

gpg-interface: handle missing " with " gracefully in parse_ssh_output()

2021-11-02T00:00:41Z

If the output of ssh-keygen starts with "Good \"git\" signature for ", but is not followed by " with " for some reason, then parse_ssh_output() uses -1 as the len parameter of xmemdupz(), which in turn will end the program. Reject the signature and carry on instead in that case. Signed-off-by: René Scharfe Acked-by: Fabian Stelzer Signed-off-by: Junio C Hamano

i18n: fix typos found during l10n for git 2.34.0

2021-11-01T05:49:49Z

Emir and Jean-Noël reported typos in some i18n messages when preparing l10n for git 2.34.0. * Fix unstable spelling of config variable "gpg.ssh.defaultKeyCommand" which was introduced in commit fd9e226776 (ssh signing: retrieve a default key from ssh-agent, 2021-09-10). * Add missing space between "with" and "--python" which was introduced in commit bd0708c7eb (ref-filter: add %(raw) atom, 2021-07-26). * Fix unmatched single quote in 'builtin/index-pack.c' which was introduced in commit 8737dab346 (index-pack: refactor renaming in final(), 2021-09-09) [1] https://github.com/git-l10n/git-po/pull/567 Reported-by: Emir Sarı Reported-by: Jean-Noël Avila Signed-off-by: Jiang Xin Signed-off-by: Junio C Hamano

gpg-interface: fix leak of strbufs in get_ssh_key_fingerprint()

2021-10-18T20:16:53Z

We read stdout from gpg into a strbuf, then split it into a list of strbufs, pull out one element, and return it. But we don't free either the original stdout buffer, nor the list returned from strbuf_split(). This patch fixes both. Note that we have to detach the returned string from its strbuf before calling strbuf_list_free(), as that would otherwise throw it away. Signed-off-by: Jeff King Signed-off-by: Junio C Hamano

gpg-interface: fix leak of "line" in parse_ssh_output()

2021-10-18T20:16:51Z

We xmemdupz() this buffer, but never free it. Let's do so. We'll use a cleanup label, since there are multiple exits from the function. Note that it was also declared a "const char *". We could switch that to "char *" to indicate that it's allocated, but that make it awkward to use with skip_prefix(). So instead, we'll introduce an extra non-const pointer. Signed-off-by: Jeff King Signed-off-by: Junio C Hamano

ssh signing: verify signatures using ssh-keygen

2021-09-10T21:15:52Z

To verify a ssh signature we first call ssh-keygen -Y find-principal to look up the signing principal by their public key from the allowedSignersFile. If the key is found then we do a verify. Otherwise we only validate the signature but can not verify the signers identity. Verification uses the gpg.ssh.allowedSignersFile (see ssh-keygen(1) "ALLOWED SIGNERS") which contains valid public keys and a principal (usually user@domain). Depending on the environment this file can be managed by the individual developer or for example generated by the central repository server from known ssh keys with push access. This file is usually stored outside the repository, but if the repository only allows signed commits/pushes, the user might choose to store it in the repository. To revoke a key put the public key without the principal prefix into gpg.ssh.revocationKeyring or generate a KRL (see ssh-keygen(1) "KEY REVOCATION LISTS"). The same considerations about who to trust for verification as with the allowedSignersFile apply. Using SSH CA Keys with these files is also possible. Add "cert-authority" as key option between the principal and the key to mark it as a CA and all keys signed by it as valid for this CA. See "CERTIFICATES" in ssh-keygen(1). Signed-off-by: Fabian Stelzer Signed-off-by: Junio C Hamano

ssh signing: provide a textual signing_key_id

2021-09-10T21:15:52Z

For ssh the user.signingkey can be a filename/path or even a literal ssh pubkey. In push certs and textual output we prefer the ssh fingerprint instead. Signed-off-by: Fabian Stelzer Signed-off-by: Junio C Hamano

ssh signing: retrieve a default key from ssh-agent

2021-09-10T21:15:52Z

If user.signingkey is not set and a ssh signature is requested we call gpg.ssh.defaultKeyCommand (typically "ssh-add -L") and use the first key we get Signed-off-by: Fabian Stelzer Signed-off-by: Junio C Hamano

ssh signing: add ssh key format and signing code

2021-09-10T21:15:51Z

Implements the actual sign_buffer_ssh operation and move some shared cleanup code into a strbuf function Set gpg.format = ssh and user.signingkey to either a ssh public key string (like from an authorized_keys file), or a ssh key file. If the key file or the config value itself contains only a public key then the private key needs to be available via ssh-agent. gpg.ssh.program can be set to an alternative location of ssh-keygen. A somewhat recent openssh version (8.2p1+) of ssh-keygen is needed for this feature. Since only ssh-keygen is needed it can this way be installed seperately without upgrading your system openssh packages. Signed-off-by: Fabian Stelzer Signed-off-by: Junio C Hamano