Foxboron
Owner

Fixes #80

@andsens
Contributor

andsens commented Dec 20, 2024

Regarding #81 (comment)

I've realized that the internal implementation of certificates in ssh-tpm-agent is a bit problematic and doesn't work the same way as ssh-agent so I suspect I need to do some larger changes.

Do you think the refactor would change the external behavior of this patch? If not, maybe you could merge the current changes with an alpha notice. Otherwise I'm perfectly fine just running a fork for now.

Also curious to hear what those differences from ssh-agent are? :-)

@Foxboron
Owner Author

> Do you think the refactor would change the external behavior of this patch? If not, maybe you could merge the current changes with an alpha notice. Otherwise I'm perfectly fine just running a fork for now.

I can merge my slight rewrite into master.

> Also curious to hear what those differences from ssh-agent are? :-)

The implementation is done so that the SSHTPMKey struct contains both the public key and the certificate. It implies a 1-to-1 relationship between one public key, and one certificate. So multiple certificates for one key would not work very well. It also implies that the agent will do the wrong thing if you try to remove the key or the certificate from the keyring.

Effectively need to decouple this and ensure that the signer/key list contains both.
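
An added Go example, not part of the thread and not ssh-tpm-agent's code, of the decoupling described in the comment above: the key list holds the plain public key and each certificate as separate entries that share one signer, so lookups and removals act on one blob at a time. The `identity` and `keyring` types, the string signer handle and the sample blobs are assumptions made for illustration.

```go
package main

import "bytes"

// identity is one key-list entry: a public blob (plain key or certificate)
// and the signer backing it. Hypothetical type, not the project's own.
type identity struct {
	Blob   []byte
	Signer string // stand-in for a TPM key handle
}

type keyring struct{ ids []identity }

// SignerFor resolves the exact blob a client names in a sign request.
func (r *keyring) SignerFor(blob []byte) (string, bool) {
	for _, id := range r.ids {
		if bytes.Equal(id.Blob, blob) {
			return id.Signer, true
		}
	}
	return "", false
}

// Add lists a blob once; several certificates may share one signer.
func (r *keyring) Add(blob []byte, signer string) {
	if _, ok := r.SignerFor(blob); !ok {
		r.ids = append(r.ids, identity{blob, signer})
	}
}

// Remove drops only the matching entry; entries sharing its signer stay.
func (r *keyring) Remove(blob []byte) bool {
	for i, id := range r.ids {
		if bytes.Equal(id.Blob, blob) {
			r.ids = append(r.ids[:i], r.ids[i+1:]...)
			return true
		}
	}
	return false
}

func main() {
	r := &keyring{}
	for _, b := range []string{"pub", "cert-a", "cert-b"} { // constructed blobs
		r.Add([]byte(b), "tpm-0")
	}
	r.Remove([]byte("cert-a"))
	println(len(r.ids)) // entries left: plain key and cert-b
}
```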

Signed-off-by: Morten Linderud <morten@linderud.pw>
@Foxboron Foxboron force-pushed the morten/cert-signing branch from ffd354f to f98b8cf Compare December 21, 2024 14:35
@Foxboron Foxboron merged commit 3aba1f9 into master Dec 21, 2024
10 checks passed
@Foxboron Foxboron deleted the morten/cert-signing branch March 2, 2025 21:59
Successfully merging this pull request may close these issues.

ssh-tpm-agent: Unable to find private key when using SSH certificate for git commit signing