Open nicolas-graves opened 1 year ago
Hi @artyom-poptsov, just a reminder if you couldn't look for now ;)
Hello,
sorry for the late answer.
Although the procedures such as ssh_pki_signature_verify are indeed mentioned in the official documentation, I found no evidence that those procedures are exported in the libssh API for public use. If you take a look at libssh.h header from the libssh version 0.10.5 (the latest version available at the moment) you'll find that:
- All the procedures that are exported to libssh API are marked with LIBSSH_API macro.
- There are no procedures related to creating cryptographic signatures and verifying them that are marked with LIBSSH_API.
You can find ssh_pki_signature_verify and all the related procedures in pki.h, but unfortunately neither this file is installed to the system during the libssh installation process, nor the procedures are marked with LIBSSH_API.
Thanks, avp
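The check described in the comment above can be scripted before writing an FFI binding. This is an added example, not part of the thread and not libssh or guile-ssh code. The header excerpts are constructed and simplified, and `declarations` and `classify` are hypothetical helper names.

```python
import re

# Constructed, simplified excerpts in the style of libssh headers (not copied
# from the real files). Per the thread, libssh.h is installed and pki.h is not.
SAMPLE_HEADERS = {
    "libssh.h": """
LIBSSH_API int ssh_pki_import_pubkey_file(const char *filename,
                                          ssh_key *pkey);
LIBSSH_API void ssh_key_free(ssh_key key);
/* LIBSSH_API int ssh_commented_out(void); */
""",
    "pki.h": """
int ssh_pki_signature_verify(ssh_session session, ssh_signature sig,
                             const ssh_key key, const unsigned char *input,
                             size_t input_len);
""",
}

_COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)
# Identifier directly followed by '(' but not by '(*', which would be a
# function-pointer declarator rather than a function name.
_FUNC_NAME = re.compile(r"([A-Za-z_]\w*)\s*\((?!\s*\*)")


def declarations(text):
    """Yield (name, exported) for each function prototype in header text."""
    text = _COMMENTS.sub(" ", text)
    text = re.sub(r"^\s*#.*$", "", text, flags=re.M)  # drop preprocessor lines
    for stmt in text.split(";"):
        m = _FUNC_NAME.search(stmt)
        if m:
            # The export marker must appear before the function name.
            yield m.group(1), "LIBSSH_API" in stmt[:m.start()].split()


def classify(symbol, headers, installed=("libssh.h",)):
    """Return 'public', 'internal' or 'missing' for a symbol."""
    found = False
    for fname, text in headers.items():
        for name, exported in declarations(text):
            if name == symbol:
                found = True
                if exported and fname in installed:
                    return "public"
    return "internal" if found else "missing"
```

A symbol counts as public only when both conditions from the comment hold: the prototype carries LIBSSH_API and the header declaring it is one that gets installed.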
On 2023-08-17 07:38, Artyom V. Poptsov wrote:
Hello,
sorry for the late answer.
Although the procedures such as ssh_pki_signature_verify are indeed mentioned in the official documentation, I found no evidence that those procedures are exported in the libssh API for public use. If you take a look at libssh.h header from the libssh version 0.10.5 (the latest version available at the moment) you'll find that:
- All the procedures that are exported to libssh API are marked with LIBSSH_API macro.
- There are no procedures related to creating cryptographic signatures and verifying them that are marked with LIBSSH_API.
You can find ssh_pki_signature_verify and all the related procedures in pki.h, but unfortunately neither this file is installed to the system during the libssh installation process, nor the procedures are marked with LIBSSH_API.
Thanks for this research. IIUC, I have to open an issue on their side so that I can follow the progress on this issue on the side of the API first.
-- Best regards, Nicolas Graves
IIUC, I have to open an issue on their side so that I can follow the progress on this issue on the side of the API first.
Yes, that would be a good idea. Let me know if there will be any findings.
I won't close this issue for now, just in case.
Thanks, avp
Hi @artyom-poptsov! The work to get such a function in the public API is going on here: https://gitlab.com/libssh/libssh-mirror/-/merge_requests/536
I'm no expert on either SSH internals or guile ffi, don't hesitate to have a look and comment if you have an opinionated take on how this should be done.
Thanks,
Hi @artyom-poptsov
The work is probably close to being done on the libssh side, there are still some fixes but it's getting close to a definitive version. How do you want to proceed to try and integrate that in guile-ssh? At first glance, I don't have the knowledge to tackle that without some guidance.
Thanks,
Hi!
I'm using an ssh key to sign git commits, as has been possible for a few months / years. I'm probably going to help administer a guix channel, but I would like to stick to an ssh key instead of setting up gnupg.
I've seen that there are bindings for public key infrastructure in libssh, that are not implemented in guile-ssh. I'm thinking in particular about the function ssh_pki_signature_verify from the page https://api.libssh.org/stable/group__libssh__pki.html
Would it be possible to implement a few guile bindings to be able to verify the signature of an object signed by an ssh-key from guile?
Thanks in advance!