upstream/forgejo
1
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2025-12-18 22:36:08 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions 7

feat: use AppDomain for key verification (#10429)
Some checks are pending
/ release (push) Waiting to run
Details
testing-integration / test-unit (push) Waiting to run
Details
testing-integration / test-sqlite (push) Waiting to run
Details
testing-integration / test-mariadb (v10.6) (push) Waiting to run
Details
testing-integration / test-mariadb (v11.8) (push) Waiting to run
Details
testing / backend-checks (push) Waiting to run
Details
testing / frontend-checks (push) Waiting to run
Details
testing / test-unit (push) Blocked by required conditions
Details
testing / test-e2e (push) Blocked by required conditions
Details
testing / test-remote-cacher (redis) (push) Blocked by required conditions
Details
testing / test-remote-cacher (valkey) (push) Blocked by required conditions
Details
testing / test-remote-cacher (garnet) (push) Blocked by required conditions
Details
testing / test-remote-cacher (redict) (push) Blocked by required conditions
Details
testing / test-mysql (push) Blocked by required conditions
Details
testing / test-pgsql (push) Blocked by required conditions
Details
testing / test-sqlite (push) Blocked by required conditions
Details
testing / security-check (push) Blocked by required conditions
Details

Browse source 
Fixes #10416
Followup to a hardcoded string in [gitea#17743](https://github.com/go-gitea/gitea/pull/17743)

* instead of using a hardcoded namespace, use the configured application domain
    * `ssh-keygen` refuses to work with empty namespace, but `Domain` falls back to `localhost`:
    95dca7ff57/modules/setting/server.go (L192)
    * since `VerifySSHKey` verifies the namespace, I think that using a mostly-unique string instead of a hardcoded one doesn't hurt. Here's what `man ssh-keygen` says on the topic:
      > An additional signature namespace, used to prevent signature confusion across different domains of use (e.g. file signing vs email signing) must be provided  via  the  -n  flag.   Namespaces  are  arbitrary strings,  and  may  include:  “file”  for file signing, “email” for email signing.  For custom uses, it is recommended to use
names following a NAMESPACE@YOUR.DOMAIN pattern to generate unambiguous namespaces.

## Testing

There's a test `TestFromOpenSSH` but it uses a hardcoded default namespace `file`:
95dca7ff57/models/asymkey/ssh_key_test.go (L334)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10429
Reviewed-by: Beowulf <beowulf@beocode.eu>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: 0ko <0ko@noreply.codeberg.org>
Co-committed-by: 0ko <0ko@noreply.codeberg.org>
This commit is contained in:
0ko 2025-12-17 17:01:14 +01:00 committed by Gusted
parent e7f5c492f3
commit 1ef5496055
2 changed files with 7 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
models/asymkey/ssh_key_verify.go
View file

@ -9,6 +9,7 @@ import (
"forgejo.org/models/db"
"forgejo.org/modules/log"
"forgejo.org/modules/setting"
"github.com/42wim/sshsig"
)
@ -30,11 +31,11 @@ func VerifySSHKey(ctx context.Context, ownerID int64, fingerprint, token, signat
return "", ErrKeyNotExist{}
}
err = sshsig.Verify(bytes.NewBuffer([]byte(token)), []byte(signature), []byte(key.Content), "gitea")
err = sshsig.Verify(bytes.NewBuffer([]byte(token)), []byte(signature), []byte(key.Content), setting.Domain)
if err != nil {
// edge case for Windows based shells that will add CR LF if piped to ssh-keygen command
// see https://github.com/PowerShell/PowerShell/issues/5974
if sshsig.Verify(bytes.NewBuffer([]byte(token+"\r\n")), []byte(signature), []byte(key.Content), "gitea") != nil {
if sshsig.Verify(bytes.NewBuffer([]byte(token+"\r\n")), []byte(signature), []byte(key.Content), setting.Domain) != nil {
log.Error("Unable to validate token signature. Error: %v", err)
return "", ErrSSHInvalidTokenSignature{
Fingerprint: key.Fingerprint,

8
templates/user/settings/keys_ssh.tmpl
View file

@ -78,19 +78,19 @@
<div class="help">
<br>
<p>{{ctx.Locale.Tr "settings.ssh_token_help"}}</p>
<div class="markup"><pre class="code-block"><code>echo -n '{{$.TokenToSign}}' | ssh-keygen -Y sign -n gitea -f ~/.ssh/id_ed25519 # or the path to the private key if it is different.</code></pre></div>
<div class="markup"><pre class="code-block"><code>echo -n '{{$.TokenToSign}}' | ssh-keygen -Y sign -n {{AppDomain}} -f ~/.ssh/id_ed25519 # or the path to the private key if it is different.</code></pre></div>
<br>
<p>{{ctx.Locale.Tr "settings.ssh_token_help_ssh_agent"}}</p>
<div class="markup"><pre class="code-block"><code>bash -c "echo -n '{{$.TokenToSign}}' | ssh-keygen -Y sign -n gitea -f <(echo '{{.OmitEmail}}')"</code></pre></div>
<div class="markup"><pre class="code-block"><code>bash -c "echo -n '{{$.TokenToSign}}' | ssh-keygen -Y sign -n {{AppDomain}} -f <(echo '{{.OmitEmail}}')"</code></pre></div>
<br>
<details>
<summary>Windows PowerShell</summary>
<div class="markup"><pre class="code-block"><code>cmd /c "&lt;NUL set /p=`"{{$.TokenToSign}}`"| ssh-keygen -Y sign -n gitea -f /path_to_PrivateKey_or_RelatedPublicKey"</code></pre></div>
<div class="markup"><pre class="code-block"><code>cmd /c "&lt;NUL set /p=`"{{$.TokenToSign}}`"| ssh-keygen -Y sign -n {{AppDomain}} -f /path_to_PrivateKey_or_RelatedPublicKey"</code></pre></div>
</details>
<br>
<details>
<summary>Windows CMD</summary>
<div class="markup"><pre class="code-block"><code>&lt;NUL set /p="{{$.TokenToSign}}"| ssh-keygen -Y sign -n gitea -f /path_to_PrivateKey_or_RelatedPublicKey</code></pre></div>
<div class="markup"><pre class="code-block"><code>&lt;NUL set /p="{{$.TokenToSign}}"| ssh-keygen -Y sign -n {{AppDomain}} -f /path_to_PrivateKey_or_RelatedPublicKey</code></pre></div>
</details>
</div>
<br>