Skip to content

adds SSH signature validation for git commits#1141

Open
bb-Ricardo wants to merge 11 commits intofluxcd:mainfrom
bb-Ricardo:rb-feature/adds-ssh-signature-validation
Open

adds SSH signature validation for git commits#1141
bb-Ricardo wants to merge 11 commits intofluxcd:mainfrom
bb-Ricardo:rb-feature/adds-ssh-signature-validation

Conversation

@bb-Ricardo
Copy link
Copy Markdown

@bb-Ricardo bb-Ricardo commented Feb 27, 2026

This PR adds support of SSH signature validation.

resolves: fluxcd/flux2#4145

  • adds new package git/signatures
  • adds validation of SSH signed commits to ssh_signature.go
  • moves GPG signature validation to gpg_signature.go
  • adds text fixtures for all SSH and GPG key types including commits and signatures
  • adds tests for all key/signature combinations
  • adds wrapper for "Verify(keyRings ...string)" function

@bb-Ricardo bb-Ricardo force-pushed the rb-feature/adds-ssh-signature-validation branch 2 times, most recently from 96523af to 1561774 Compare February 28, 2026 00:35
@stefanprodan
Copy link
Copy Markdown
Member

stefanprodan commented Feb 28, 2026

@bb-Ricardo please run make tidy and force push to unblock the test.

@bb-Ricardo bb-Ricardo requested a review from a team as a code owner February 28, 2026 08:48
@bb-Ricardo bb-Ricardo force-pushed the rb-feature/adds-ssh-signature-validation branch from eedb46c to 048e862 Compare February 28, 2026 09:07
@bb-Ricardo bb-Ricardo mentioned this pull request Feb 28, 2026
Open
2 tasks
stefanprodan
stefanprodan reviewed Feb 28, 2026
View reviewed changes
@bb-Ricardo bb-Ricardo mentioned this pull request Feb 28, 2026
Open
stefanprodan
stefanprodan reviewed Feb 28, 2026
View reviewed changes
@bb-Ricardo bb-Ricardo force-pushed the rb-feature/adds-ssh-signature-validation branch from e247a34 to 5e6ab4d Compare March 2, 2026 23:16
@bb-Ricardo
Copy link
Copy Markdown
Author

bb-Ricardo commented Mar 10, 2026

Hi, was just wondering if this PR is sufficient or if anything else is needed?

@stefanprodan stefanprodan added enhancement New feature or request area/git Git and SSH related issues and pull requests labels Mar 10, 2026
@stefanprodan
Copy link
Copy Markdown
Member

stefanprodan commented Mar 10, 2026

Hey @hiddeco and @pjbgf could you please review?

stefanprodan
stefanprodan reviewed Mar 10, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@stefanprodan stefanprodan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tests are failing with open signatures/... no such file or directory please run make test-git before pushing commits.

@bb-Ricardo
Copy link
Copy Markdown
Author

bb-Ricardo commented Mar 10, 2026

sorry for that, now the tests passed locally.

hiddeco
hiddeco reviewed Mar 10, 2026
View reviewed changes
@bb-Ricardo bb-Ricardo force-pushed the rb-feature/adds-ssh-signature-validation branch from 83338dc to 51ceefd Compare March 10, 2026 14:30
@bb-Ricardo
Copy link
Copy Markdown
Author

bb-Ricardo commented Mar 17, 2026

@hiddeco - would you mind to have a look at this PR again? Thank you.

pjbgf
pjbgf requested changes Mar 19, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@pjbgf pjbgf left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@bb-Ricardo thanks for working on this. Overall LGTM, however I'd remove any references to DSA as per thread below.

git/git.go
// It returns the fingerprint of the key the signature was verified with, or an error.
// It does not verify the signature of the referencing tag (if present). Users are
// expected to explicitly verify the referencing tag's signature using `c.ReferencingTag.VerifySSH()`
func (c *Commit) VerifySSH(authorizedKeys ...string) (string, error) {
Copy link
Copy Markdown
Member

@pjbgf pjbgf Mar 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think having a new func per type is sub-optimal as that violates OCP. From an user perspective that feels a bit awkward, as you need to iterate through commits, check each type and then make the verification. I'd rather that is abstracted away.

That being said, we can keep this as is and revisit it during the implementation upstream in go-git.

Copy link
Copy Markdown
Author

@bb-Ricardo bb-Ricardo Mar 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @pjbgf,

I could rework this but didn't want to break any current implementation in the source-controller. Not actually sure which other component uses this part of the pkg.

I would also like to see most of the functionality implemented in go-git and only abstract here where needed.

Maybe we can continue with the discussions over there.

@stefanprodan
Copy link
Copy Markdown
Member

stefanprodan commented Mar 19, 2026
edited
Loading

@bb-Ricardo please use rebase not merge. Undo the last merge, and properly rebase your fork, GH has a button for this if you go to your forked repo.

@bb-Ricardo
adds SSH signature validation for git commits
e3d86be 
- adds new package git/signatures
- adds validation of SSH signed commits to ssh_signature.go
- moves GPG signature validation to gpg_signature.go
- adds text fixtures for all SSH and GPG key types including commits and signatures
- adds tests for all key/signature combinations
- adds wrapper for "Verify(keyRings ...string)" function

Signed-off-by: Ricardo Bartels <ricardo.bartels@telekom.de>
@bb-Ricardo
adds validation of key fingerprint string
346a15f 
Signed-off-by: Ricardo Bartels <ricardo.bartels@telekom.de>
@bb-Ricardo
adds better git signature detection format
fad85ab 
Signed-off-by: Ricardo Bartels <ricardo.bartels@telekom.de>
@bb-Ricardo
adds detection for added signature prefixes
4fca161 
Signed-off-by: Ricardo Bartels <ricardo.bartels@telekom.de>
@bb-Ricardo
adds tests for git.go
a49102a 
Signed-off-by: Ricardo Bartels <ricardo.bartels@telekom.de>
@bb-Ricardo
adds requested changes regarding naming
6fc8cb3 
Signed-off-by: Ricardo Bartels <ricardo.bartels@telekom.de>
@bb-Ricardo
cleans up tests and removed duplicate test files
88b3554 
Signed-off-by: Ricardo Bartels <ricardo.bartels@telekom.de>
bb-Ricardo and others added 4 commits March 19, 2026 12:24
@bb-Ricardo
fixes text fixtures public key names
54044f6 
Signed-off-by: Ricardo Bartels <ricardo.bartels@telekom.de>
@bb-Ricardo
adds 'SignatureTypeEmpty' check and improves description of 'GetSigna…
9db1f82 
…tureType'

Signed-off-by: Ricardo Bartels <ricardo.bartels@telekom.de>
@bb-Ricardo @pjbgf
Update git/signatures/testdata/gpg_signatures/generate_gpg_fixtures.sh
c261da5 
Co-authored-by: Paulo Gomes <paulo.gomes.uk@gmail.com>
Signed-off-by: Ricardo <ricardo@bitchbrothers.com>
@bb-Ricardo
removes insecure DSA keys from signature test
bd9abd8 
Signed-off-by: Ricardo Bartels <ricardo.bartels@telekom.de>
@bb-Ricardo bb-Ricardo force-pushed the rb-feature/adds-ssh-signature-validation branch from b6f0ece to bd9abd8 Compare March 19, 2026 11:30
@bb-Ricardo
Copy link
Copy Markdown
Author

bb-Ricardo commented Mar 19, 2026

@bb-Ricardo please use rebase not merge. Undo the last merge, and properly rebase your fork, GH has a button for this if you go to your forked repo.

Yes, sorry. I used the seemingly convenient button GitHub offered in this PR. I removed all occurrences of GPG DSA keys in the tests and test fixtures.
Also rebased onto the current main.

@bb-Ricardo bb-Ricardo requested a review from pjbgf March 23, 2026 15:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@stefanprodan stefanprodan stefanprodan left review comments

@hiddeco hiddeco hiddeco left review comments

@aryan9600 aryan9600 Awaiting requested review from aryan9600 aryan9600 is a code owner

@pjbgf pjbgf Awaiting requested review from pjbgf

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

area/git Git and SSH related issues and pull requests enhancement New feature or request

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@bb-Ricardo @stefanprodan @pjbgf @hiddeco