
Merge pull request #13885 from netadr/fix-ssh-key-ids

libfetchers: Fix SSH key type names for sk-type (security-key) keys
This commit is contained in:
Jörg Thalheim 2025-09-03 23:13:48 +02:00 committed by GitHub
commit 1732b4a61b
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -568,23 +568,34 @@ struct GitRepoImpl : GitRepo, std::enable_shared_from_this<GitRepoImpl>
void verifyCommit(const Hash & rev, const std::vector<fetchers::PublicKey> & publicKeys) override void verifyCommit(const Hash & rev, const std::vector<fetchers::PublicKey> & publicKeys) override
{ {
// Map of SSH key types to their internal OpenSSH representations
static const std::unordered_map<std::string_view, std::string_view> keyTypeMap = {
{"ssh-dsa", "ssh-dsa"},
{"ssh-ecdsa", "ssh-ecdsa"},
{"ssh-ecdsa-sk", "sk-ecdsa-sha2-nistp256@openssh.com"},
{"ssh-ed25519", "ssh-ed25519"},
{"ssh-ed25519-sk", "sk-ssh-ed25519@openssh.com"},
{"ssh-rsa", "ssh-rsa"}};
// Create ad-hoc allowedSignersFile and populate it with publicKeys // Create ad-hoc allowedSignersFile and populate it with publicKeys
auto allowedSignersFile = createTempFile().second; auto allowedSignersFile = createTempFile().second;
std::string allowedSigners; std::string allowedSigners;
for (const fetchers::PublicKey & k : publicKeys) { for (const fetchers::PublicKey & k : publicKeys) {
if (k.type != "ssh-dsa" && k.type != "ssh-ecdsa" && k.type != "ssh-ecdsa-sk" && k.type != "ssh-ed25519" auto it = keyTypeMap.find(k.type);
&& k.type != "ssh-ed25519-sk" && k.type != "ssh-rsa") if (it == keyTypeMap.end()) {
std::string supportedTypes;
for (const auto & [type, _] : keyTypeMap) {
supportedTypes += fmt(" %s\n", type);
}
throw Error( throw Error(
"Unknown key type '%s'.\n" "Invalid SSH key type '%s' in publicKeys.\n"
"Please use one of\n" "Please use one of:\n%s",
"- ssh-dsa\n" k.type,
" ssh-ecdsa\n" supportedTypes);
" ssh-ecdsa-sk\n" }
" ssh-ed25519\n"
" ssh-ed25519-sk\n" allowedSigners += fmt("* %s %s\n", it->second, k.key);
" ssh-rsa",
k.type);
allowedSigners += "* " + k.type + " " + k.key + "\n";
} }
writeFile(allowedSignersFile, allowedSigners); writeFile(allowedSignersFile, allowedSigners);