meissa
/
forgejo
7
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
forgejo-federated-star
forgejo
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '6fe756dc93'
${ noResults }
forgejo/vendor/github.com/42wim/sshsig
History
Wim 6fe756dc93
Add support for ssh commit signing (#17743) 
* Add support for ssh commit signing

* Split out ssh verification to separate file

* Show ssh key fingerprint on commit page

* Update sshsig lib

* Make sure we verify against correct namespace

* Add ssh public key verification via ssh signatures

When adding a public ssh key also validate that this user actually
owns the key by signing a token with the private key.

* Remove some gpg references and make verify key optional

* Fix spaces indentation

* Update options/locale/locale_en-US.ini

Co-authored-by: Gusted <williamzijl7@hotmail.com>

* Update templates/user/settings/keys_ssh.tmpl

Co-authored-by: Gusted <williamzijl7@hotmail.com>

* Update options/locale/locale_en-US.ini

Co-authored-by: Gusted <williamzijl7@hotmail.com>

* Update options/locale/locale_en-US.ini

Co-authored-by: Gusted <williamzijl7@hotmail.com>

* Update models/ssh_key_commit_verification.go

Co-authored-by: Gusted <williamzijl7@hotmail.com>

* Reword ssh/gpg_key_success message

* Change Badsignature to NoKeyFound

* Add sign/verify tests

* Fix upstream api changes to user_model User

* Match exact on SSH signature

* Fix code review remarks

Co-authored-by: Gusted <williamzijl7@hotmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
 		3 years ago
..
pem Add support for ssh commit signing (#17743) 3 years ago
LICENSE Add support for ssh commit signing (#17743) 3 years ago
README.md Add support for ssh commit signing (#17743) 3 years ago
doc.go Add support for ssh commit signing (#17743) 3 years ago
encode.go Add support for ssh commit signing (#17743) 3 years ago
go.mod Add support for ssh commit signing (#17743) 3 years ago
go.sum Add support for ssh commit signing (#17743) 3 years ago
sign.go Add support for ssh commit signing (#17743) 3 years ago
sshsig.go Add support for ssh commit signing (#17743) 3 years ago
verify.go Add support for ssh commit signing (#17743) 3 years ago

README.md

Armored ssh signatures in go

Go Reference

Package sshsig implements signing/verifying armored SSH signatures. You can use this package to sign data and verify signatures using your ssh private keys or your ssh agent. It gives the same output as using ssh-keygen, eg when signing ssh-keygen -Y sign -f keyfile -n namespace data

This code is based upon work by https://github.com/sigstore/rekor

References: https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.sshsig

You can find some examples on how to use this library on: https://pkg.go.dev/github.com/42wim/sshsig#pkg-examples

Examples

package main

import (
	"bytes"
	"fmt"
	"net"
	"os"

	"github.com/42wim/sshsig"
	"golang.org/x/crypto/ssh/agent"
)

func ExampleSignWithAgent() {
	// This example will panic when you don't have a ssh-agent running.
	conn, err := net.Dial("unix", os.Getenv("SSH_AUTH_SOCK"))
	if err != nil {
		panic(err)
	}

	ag := agent.NewClient(conn)

	// This public key must match in your agent (use `ssh-add -L` to get the public key)
	pubkey := []byte(`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAo3D7CGN01tTYY/dLKXEv8RxRyxa32c51X0uKMhnMab wim@localhost`)
	//
	data := []byte("hello world")

	res, err := sshsig.SignWithAgent(pubkey, ag, bytes.NewBuffer(data), "file")
	if err != nil {
		panic(err)
	}

	fmt.Println(string(res))
}

func ExampleSign() {
	privkey := []byte(`-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACCOjP6i4Pm/pYAAmpAMNZ6xrbHl9RW8xdul6kzIWuKMMAAAAIhoQm34aEJt
+AAAAAtzc2gtZWQyNTUxOQAAACCOjP6i4Pm/pYAAmpAMNZ6xrbHl9RW8xdul6kzIWuKMMA
AAAEBfIl93TLj6qHeg37GnPuZ00h8OVv1mzlhy0rhuO4Y0do6M/qLg+b+lgACakAw1nrGt
seX1FbzF26XqTMha4owwAAAAAAECAwQF
-----END OPENSSH PRIVATE KEY-----`)

	data := []byte("hello world")

	res, err := sshsig.Sign(privkey, bytes.NewBuffer(data), "file")
	if err != nil {
		panic(err)
	}

	fmt.Println(string(res))

	// Output:
	// -----BEGIN SSH SIGNATURE-----
	// U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgjoz+ouD5v6WAAJqQDDWesa2x5f
	// UVvMXbpepMyFrijDAAAAAEZmlsZQAAAAAAAAAGc2hhNTEyAAAAUwAAAAtzc2gtZWQyNTUx
	// OQAAAEBeu9Z+vLxBORysiqEbTzJP0EZKG0/aE5HpTtvimjQS6mHZCAGFg+kimNatBE0Y1j
	// gS4pfD73TlML1SyB5lb/YO
	// -----END SSH SIGNATURE-----
}

func main() {
	ExampleSign()
}