search

artyom-poptsov / guile-ssh

Guile-SSH is a library that provides access to the SSH protocol for GNU Guile programs.
https://memory-heap.org/~avp/projects/guile-ssh
GNU General Public License v3.0
60 stars 12 forks source link

[Feature request] Guile functions to verify signatures. #35

Open nicolas-graves opened 1 year ago

nicolas-graves commented 1 year ago

Hi !

I'm using a ssh key to sign git commits, as is possible since a few months / years. I'm probably going to help administer a guix channel, but I would like to stick to an ssh key instead of setting up gnupg.

I've seen that there are bindings for public key infrastructure in libssh, that are not implemented in guile-ssh. I'm thinking in particular about the function ssh_pki_signature_verify from the page https://api.libssh.org/stable/group__libssh__pki.html

Would that be possible to implement a few guile bindings to be able to verify the signature of an object signed by an ssh-key from guile ?

Thanks in advance !

nicolas-graves commented 1 year ago

Hi @artyom-poptsov, just a reminder if you couldn't look for now ;)

artyom-poptsov commented 1 year ago

Hello,

sorry for the late answer.

Although the procedures such as ssh_pki_signature_verify are indeed mentioned in the official documentation, I found no evidence that those procedures are exported in the libssh API for public use. If you take a look at libssh.h header from the libssh version 0.10.5 (the latest version available at the moment) you'll find that:

  1. All the procedures that are exported to libssh API are marked with LIBSSH_API macro.
  2. There are no procedures related to creating cryptographic signatures and verifying them that are marked with LIBSSH_API.

You can find ssh_pki_signature_verify and all the related procedures in pki.h, but unfortunately neither this file is installed to the system during the libssh installation process, nor the procedures are market with LIBSSH_API.

Thanks, avp

nicolas-graves commented 1 year ago

On 2023-08-17 07:38, Artyom V. Poptsov wrote:

Hello,

sorry for the late answer.

Although the procedures such as ssh_pki_signature_verify are indeed mentioned in the official documentation, I found no evidence that those procedures are exported in the libssh API for public use. If you take a look at libssh.h header from the libssh version 0.10.5 (the latest version available at the moment) you'll find that:

  1. All the procedures that are exported to libssh API are marked with LIBSSH_API macro.
  2. There are no procedures related to creating cryptographic signatures and verifying them that are marked with LIBSSH_API.

You can find ssh_pki_signature_verify and all the related procedures in pki.h, but unfortunately neither this file is installed to the system during the libssh installation process, nor the procedures are market with LIBSSH_API.

Thanks for this research. IIUC, I have to open an issue on their side so that I can follow the progress on this issue on the side of the API first.

-- Best regards, Nicolas Graves

artyom-poptsov commented 1 year ago

IIUC, I have to open an issue on their side so that I can follow the progress on this issue on the side of the API first.

Yes, that would be a good idea. Let me know if there will be any findings.

I won't close this issue for now, just in case.

Thanks, avp