[darcs-users] Re: openssl keys

David Roundy droundy at abridgegame.org
Sun Mar 14 12:54:54 UTC 2004


On Sat, Mar 13, 2004 at 10:22:42PM -0800, Adam Megacz wrote:
> If the user chooses ssh-{dsa|rsa}, the following commands should be
> invoked to sign the patchset (I only give dsa here; for rsa just
> change the 'd' to an 'r'):
> 
>   (while true; do echo; done) | \
>   openssl req -new -key ~/.ssh/id_dsa -outform PEM -days 365 | \
>   openssl x509 -req -extensions v3_ca -signkey ~/.ssh/id_dsa -outform PEM -days 365 2>/dev/null | \
>   openssl x509 -outform PEM

Is there any way to do this without pipes, or with fewer pipes? I prefer
not to call system (since then you could get "interesting" problems if
there are shell metacharacters in file paths), so I'm doing all the piping
in Haskell, which is a bit of a pain.  I guess most of the pain isn't from
the piping, but from the fact that I need to call openssl four times to
verify the signature and four times to create the signature.  :(  That's a
lot of possibilities for making mistakes... (and/or providing flags that
introduce a potential security hole).

> [...]
> It might be useful for 'darcs apply' to have an option to specify an
> alternate 'trusted keys' file (in case you want people to be able to
> send patches but not be able to log into the account used to apply
> them!)

Agreed.  In fact, I'd prefer to always require that the user specify the
trusted keys, so that's what I've done.

> This would be a huge help for all those people out there who were
> forced (by cvs's lameness) into setting up ssh keying for their repo.
> Now those groups can adopt darcs without having to set up new keys.

I've implemented this, but not tested it, so I'd definitely appreciate
testing (probably easiest done by saving the patch bundles to a file).  The
flags are --verify-ssl=~/.ssh/authorized_keys and
--sign-ssl=~/.ssh/id_{r,d}sa.  It's not really documented yet, since it
took a lot longer than I expected to implement, and now I'm tired of
working on it.  The changes should be in the darcs repo in an hour or so,
and then you can grab it.
-- 
David Roundy
http://www.abridgegame.org
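
Added example (not part of the original message and not darcs code; Python is used here instead of Haskell): the shell-free piping described above, where each stage is an argv list so a key path is never parsed by a shell, and every stage's exit status is collected. The helper names are hypothetical, `openssl_stages` only rebuilds the quoted commands as argv lists, and the demo runs constructed stand-in stages on a constructed path.

```python
import os
import subprocess
import sys
import tempfile
import threading


def openssl_stages(key_path):
    """argv lists for the openssl commands quoted above; key_path is one argv element."""
    common = ["-outform", "PEM", "-days", "365"]
    return [
        ["openssl", "req", "-new", "-key", key_path] + common,
        ["openssl", "x509", "-req", "-extensions", "v3_ca", "-signkey", key_path] + common,
        ["openssl", "x509", "-outform", "PEM"],
    ]


def run_pipeline(stages, stdin_data=b""):
    """Chain argv-list stages with OS pipes, no shell; return (stdout, exit codes)."""
    procs = []
    for argv in stages:
        upstream = procs[-1].stdout if procs else subprocess.PIPE
        procs.append(subprocess.Popen(argv, stdin=upstream, stdout=subprocess.PIPE))
        if len(procs) > 1:
            procs[-2].stdout.close()  # parent drops its copy of the pipe

    def feed():
        try:
            procs[0].stdin.write(stdin_data)
            procs[0].stdin.close()
        except BrokenPipeError:
            pass  # first stage exited early; its exit code reports that

    writer = threading.Thread(target=feed)
    writer.start()
    output = procs[-1].stdout.read()
    writer.join()
    return output, [p.wait() for p in procs]  # every stage's status, not only the last


def demo():
    """Stand-in Python child stages and a constructed path with shell metacharacters."""
    key = os.path.join(tempfile.mkdtemp(), "id_dsa; touch INJECTED")
    with open(key, "w") as f:
        f.write("constructed key material\n")
    cat = [sys.executable, "-c", "import sys; print(open(sys.argv[1]).read(), end='')", key]
    upper = [sys.executable, "-c", "import sys; print(sys.stdin.read().upper(), end='')"]
    fail = [sys.executable, "-c", "import sys; sys.stdin.read(); sys.exit(3)"]
    return run_pipeline([cat, upper]), run_pipeline([cat, fail, upper])
```

Calling `demo()` returns the output and per-stage exit codes for a clean run and for a run whose middle stage fails; a plain shell pipeline would report only the last stage's status in the second case.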



