verification of commit signatures with SSH key

[castedo]

I am planning to migrate from using GitPython to Dulwich, but I will need to be able to verify commit signatures with SSH keys.

Am I correct that Dulwich does not have this functionality? It looks like tag signatures with GPG keys is only supported.

Are there any libraries or existing Python code that can do this? I've searched long and far and it seems the only Python code that replicates the core functionality of the type of SSH key signatures with git is https://github.com/grawity/ssh-datasign (thank you @grawity!) This is the SSHSIG type signature implemented by ssh-keygen -Y verify which is what git uses for SSH key signatures (nice blog post).

[jelmer]

Hi,

Yes, Dulwich doesn't currently support verifying SSH type signatures. PRs to add such support would be most welcome; using either an external library like https://github.com/grawity/ssh-datasign (although it would have to be on pip and ideally be a little more maintained), or using code in Dulwich itself.

[castedo]

OK, I'm starting to "vendor" in a subset of ssh-datasign into my project in a subdirectory/submodule: https://gitlab.com/perm.pub/hidos/-/tree/sshsig/hidos/sshsiglib (and sshlib branch for now). My grand plan is to switch to Dulwich from GitPython and use this "vendored" submodule to pull it off.

And then I'm thinking I'll create PRs based on this submodule to migrate this SSH signing functionality into Dulwich itself. If this sounds good, I have lots of questions about how you want the code adapted to Dulwich. I'll start with a few question on [matrix].

[jelmer]

That sounds great, I'll keep an eye on matrix (jelmer at matrix.org there).

[grawity]

ssh-datasign isn't my best code (some parts came from an earlier ~2010 project), and wasn't planned to become a pip library, so I would suggest importing the code wholesale and adapting it to fit the project, rather than treating it as a vendored library.

(It in fact predates ssh-keygen -Y sign, and became unmaintained primarily because OpenSSH added its own signing functionality and made the project moot.)

The lib/* files don't explicitly mention their license but it is the same as for the main ssh-sign.py script:

# (c) 2018 Mantas Mikulėnas <grawity@gmail.com>
# Released under the MIT License (https://spdx.org/licenses/MIT)

[castedo]

Your not-best code is still great! Very useful. It was much easier to understand your not-best Python code than the C code in ssh-keygen!

With the advent of WebAssembly, Pyodide, and the browser File System API, your Python code is no longer moot. I bet there are some useful possibilities of doing git related applications in the browser via Python libraries. I wonder what are the possibilities with the (pyodide.mountNativeFS().

I've added those copyright lines to the files I've copied. I'm not sure what the fate will be after adapting the code to dulwich and hidos. If your name should be recorded somewhere, feel free to add your name to record your contribution.

[castedo]

My use of the term "vendored" is a bit wonky. I was thinking more in terms of having code temporarily is hidos as IF it was a external library getting vendored, but actually work on the sshsig code to adapt it to hidos and eventually dulwich.

I've put a "pseudo-package" of sshsiglib at https://gitlab.com/perm.pub/dulwich-sshsig-union for testing. I'm not actually planning on making sshsiglib a real pip package. Just something that hidos and dulwich can use soon and then eventually hidos just uses dulwich.

[grawity]

Right, my point was that, although I don't mind the code being used for a pip library at some point in the future, but I myself have no experience in creating one, nor time to maintain it, thus the suggestion to do a full import for now.

Glad you found the code useful.

[jelmer]

Filed #1394 to track this