guile-ssh icon indicating copy to clipboard operation
guile-ssh copied to clipboard
Published 1 year ago verified publisher icon artyom-poptsov

[Feature request] Guile functions to verify signatures.

Open nicolas-graves opened this issue 3 years ago • 5 comments

Hi !

I'm using a ssh key to sign git commits, as is possible since a few months / years. I'm probably going to help administer a guix channel, but I would like to stick to an ssh key instead of setting up gnupg.

I've seen that there are bindings for public key infrastructure in libssh, that are not implemented in guile-ssh. I'm thinking in particular about the function ssh_pki_signature_verify from the page https://api.libssh.org/stable/group__libssh__pki.html

Would that be possible to implement a few guile bindings to be able to verify the signature of an object signed by an ssh-key from guile ?

Thanks in advance !

nicolas-graves avatar Jan 24 '23 10:01 nicolas-graves

Hi @artyom-poptsov, just a reminder if you couldn't look for now ;)

nicolas-graves avatar Mar 09 '23 15:03 nicolas-graves

Hello,

sorry for the late answer.

Although the procedures such as ssh_pki_signature_verify are indeed mentioned in the official documentation, I found no evidence that those procedures are exported in the libssh API for public use. If you take a look at libssh.h header from the libssh version 0.10.5 (the latest version available at the moment) you'll find that:

  1. All the procedures that are exported to libssh API are marked with LIBSSH_API macro.
  2. There are no procedures related to creating cryptographic signatures and verifying them that are marked with LIBSSH_API.

You can find ssh_pki_signature_verify and all the related procedures in pki.h, but unfortunately neither this file is installed to the system during the libssh installation process, nor the procedures are market with LIBSSH_API.

Thanks, avp

artyom-poptsov avatar Aug 17 '23 07:08 artyom-poptsov

On 2023-08-17 07:38, Artyom V. Poptsov wrote:

Hello,

sorry for the late answer.

Although the procedures such as ssh_pki_signature_verify are indeed mentioned in the official documentation, I found no evidence that those procedures are exported in the libssh API for public use. If you take a look at libssh.h header from the libssh version 0.10.5 (the latest version available at the moment) you'll find that:

  1. All the procedures that are exported to libssh API are marked with LIBSSH_API macro.
  2. There are no procedures related to creating cryptographic signatures and verifying them that are marked with LIBSSH_API.

You can find ssh_pki_signature_verify and all the related procedures in pki.h, but unfortunately neither this file is installed to the system during the libssh installation process, nor the procedures are market with LIBSSH_API.

Thanks for this research. IIUC, I have to open an issue on their side so that I can follow the progress on this issue on the side of the API first.

-- Best regards, Nicolas Graves

nicolas-graves avatar Aug 17 '23 08:08 nicolas-graves

IIUC, I have to open an issue on their side so that I can follow the progress on this issue on the side of the API first.

Yes, that would be a good idea. Let me know if there will be any findings.

I won't close this issue for now, just in case.

Thanks, avp

artyom-poptsov avatar Aug 17 '23 09:08 artyom-poptsov