libgit2 / pygit2

Python bindings for libgit2
https://www.pygit2.org/

clone_repository from github.com fails with ed25519 key from v1.7.2 #1143

Closed howbazaar closed 1 year ago

howbazaar commented 2 years ago

Platform: linux x86_64 (ubuntu 20.04)

Python: 3.9.12

Reproduction script: https://gist.github.com/howbazaar/b4e46806d0c5350623bf8d9ff49c6b4c

Works with pygit2 v1.7.1; fails with v1.7.2, 1.9.1.

The script is a bit weird because it builds and runs the code the same way our production code does, and I was attempting to find a minimal reproduction of the problem.

Personally I had an older 4096 bit RSA SSH key, but newer users were using ed25519 type SSH keys as recommended by github's own docs.

I created some new keys:

ssh-keygen -t ecdsa
ssh-keygen -t ed25519

And added them to my github profile.

Was using poetry to manage versions inside a local virtual env to easily switch between versions of pygit2.

Failure looks like:

❯ poetry run python clone.py git@github.com:libgit2/pygit2 /home/tim/.ssh/id_ed25519
['clone.py', 'git@github.com:libgit2/pygit2', '/home/tim/.ssh/id_ed25519']
cloning into /tmp/tmp0nhx6l9_
Traceback (most recent call last):
  File "/home/tim/stacklet/test/clone.py", line 58, in <module>
    main(sys.argv)
  File "/home/tim/stacklet/test/clone.py", line 47, in main
    gitrepo = pygit2.clone_repository(
  File "/home/tim/stacklet/test/.venv/lib/python3.9/site-packages/pygit2/__init__.py", line 222, in clone_repository
    payload.check_error(err)
  File "/home/tim/stacklet/test/.venv/lib/python3.9/site-packages/pygit2/callbacks.py", line 93, in check_error
    check_error(error_code)
  File "/home/tim/stacklet/test/.venv/lib/python3.9/site-packages/pygit2/errors.py", line 65, in check_error
    raise GitError(message)
_pygit2.GitError: Failed to retrieve list of SSH authentication methods: Failed getting response

ecdsa keys are fine

ldd for v1.7.1 of the pygit2 shared object file has

❯ ldd /home/tim/stacklet/test/.venv/lib/python3.9/site-packages/pygit2/_pygit2.cpython-39-x86_64-linux-gnu.so
    linux-vdso.so.1 (0x00007fff79bf3000)
    libgit2-c59d94c5.so.1.3.0 => /home/tim/stacklet/test/.venv/lib/python3.9/site-packages/pygit2/../pygit2.libs/libgit2-c59d94c5.so.1.3.0 (0x00007f27b3f9c000)
    libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f27b3f61000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f27b3d6f000)
    librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007f27b3d65000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f27b3d5f000)
    libpcre-9513aab5.so.1.2.0 => /home/tim/stacklet/test/.venv/lib/python3.9/site-packages/pygit2/../pygit2.libs/libpcre-9513aab5.so.1.2.0 (0x00007f27b3afa000)
    libpcreposix-7b9c3045.so.0.0.1 => /home/tim/stacklet/test/.venv/lib/python3.9/site-packages/pygit2/../pygit2.libs/libpcreposix-7b9c3045.so.0.0.1 (0x00007f27b38f5000)
    libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f27b38d9000)
    libssh2-cd9fe4aa.so.1.0.1 => /home/tim/stacklet/test/.venv/lib/python3.9/site-packages/pygit2/../pygit2.libs/libssh2-cd9fe4aa.so.1.0.1 (0x00007f27b3571000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f27b4547000)

whereas for v1.7.2 we get

❯ ldd /home/tim/stacklet/test/.venv/lib/python3.9/site-packages/pygit2/_pygit2.cpython-39-x86_64-linux-gnu.so
    linux-vdso.so.1 (0x00007ffefb7b6000)
    libgit2-ef0a77d6.so.1.3.0 => /home/tim/stacklet/test/.venv/lib/python3.9/site-packages/pygit2/../pygit2.libs/libgit2-ef0a77d6.so.1.3.0 (0x00007fbbd70f2000)
    libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fbbd70b7000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fbbd6ec5000)
    librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007fbbd6ebb000)
    libssl-e9dd7f6d.so.1.0.2k => /home/tim/stacklet/test/.venv/lib/python3.9/site-packages/pygit2/../pygit2.libs/libssl-e9dd7f6d.so.1.0.2k (0x00007fbbd6c29000)
    libcrypto-ddbcb6f7.so.1.0.2k => /home/tim/stacklet/test/.venv/lib/python3.9/site-packages/pygit2/../pygit2.libs/libcrypto-ddbcb6f7.so.1.0.2k (0x00007fbbd67a6000)
    libpcre-9513aab5.so.1.2.0 => /home/tim/stacklet/test/.venv/lib/python3.9/site-packages/pygit2/../pygit2.libs/libpcre-9513aab5.so.1.2.0 (0x00007fbbd6543000)
    libpcreposix-7b9c3045.so.0.0.1 => /home/tim/stacklet/test/.venv/lib/python3.9/site-packages/pygit2/../pygit2.libs/libpcreposix-7b9c3045.so.0.0.1 (0x00007fbbd633e000)
    libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fbbd6322000)
    libssh2-4abf2d1c.so.1.0.1 => /home/tim/stacklet/test/.venv/lib/python3.9/site-packages/pygit2/../pygit2.libs/libssh2-4abf2d1c.so.1.0.1 (0x00007fbbd62d1000)
    /lib64/ld-linux-x86-64.so.2 (0x00007fbbd72d5000)
    libgssapi_krb5-497db0c6.so.2.2 => /home/tim/stacklet/test/.venv/lib/python3.9/site-packages/pygit2/../pygit2.libs/libgssapi_krb5-497db0c6.so.2.2 (0x00007fbbd6070000)
    libkrb5-fc820a1d.so.3.3 => /home/tim/stacklet/test/.venv/lib/python3.9/site-packages/pygit2/../pygit2.libs/libkrb5-fc820a1d.so.3.3 (0x00007fbbd5d6c000)
    libcom_err-2abe824b.so.2.1 => /home/tim/stacklet/test/.venv/lib/python3.9/site-packages/pygit2/../pygit2.libs/libcom_err-2abe824b.so.2.1 (0x00007fbbd5b67000)
    libk5crypto-b1f99d5c.so.3.1 => /home/tim/stacklet/test/.venv/lib/python3.9/site-packages/pygit2/../pygit2.libs/libk5crypto-b1f99d5c.so.3.1 (0x00007fbbd5931000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fbbd592b000)
    libkrb5support-a4e68a84.so.0.1 => /home/tim/stacklet/test/.venv/lib/python3.9/site-packages/pygit2/../pygit2.libs/libkrb5support-a4e68a84.so.0.1 (0x00007fbbd5716000)
    libkeyutils-dfe70bd6.so.1.5 => /home/tim/stacklet/test/.venv/lib/python3.9/site-packages/pygit2/../pygit2.libs/libkeyutils-dfe70bd6.so.1.5 (0x00007fbbd5511000)
    libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007fbbd54f5000)
    libselinux-0922c95c.so.1 => /home/tim/stacklet/test/.venv/lib/python3.9/site-packages/pygit2/../pygit2.libs/libselinux-0922c95c.so.1 (0x00007fbbd52c9000)

Given that the primary difference between 1.7.1 and 1.7.2 is just how the wheels were built, it seems a little extreme.

The hash on libssh2 doesn't appear to be a commit hash from their mainline, and the version number isn't set to match, so I'm guessing that some other process is setting these.

howbazaar commented 2 years ago

Possibly has same underlying problem as #1115

4a6f656c commented 1 year ago

This is almost certainly due to the bundling of OpenSSL 1.0.2k (https://github.com/libgit2/pygit2/issues/1136#issuecomment-1087645337, https://github.com/libgit2/pygit2/issues/1136#issuecomment-1223786378).

jdavid commented 1 year ago

Try with the latest release v1.11.1, which includes openssl 1.1. Reopen if it does not work with v1.11.1.
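
The check done by eye in this thread (diffing two `ldd` listings and spotting a vendored OpenSSL 1.0.2k) can be scripted when auditing wheels. The following is an added example, not code from the issue or from pygit2: the function names are hypothetical, the sample listings are constructed by shortening the `ldd` output quoted above, and the 1.1.1 cut-off rests on the fact that OpenSSL gained Ed25519 in 1.1.1 and on the assumption that the bundled libssh2 uses the OpenSSL backend.

```python
import re

# Vendored libraries in the listings above are named <name>-<8 hex chars>.so.<version>
VENDORED = re.compile(r"^(?P<name>lib[\w+.]+?)-[0-9a-f]{8}\.so\.(?P<ver>\S+)$")

def bundled_libs(ldd_output):
    """Return {library name: version suffix} for libraries vendored into the wheel."""
    libs = {}
    for line in ldd_output.splitlines():
        fields = line.split()
        match = VENDORED.match(fields[0]) if fields else None
        if match:
            libs[match["name"]] = match["ver"]
    return libs

def ed25519_capable(ver):
    """True/False when the suffix settles it, None when it is only a soname like '1.1'."""
    nums = [int(n) for n in re.findall(r"\d+", ver)]
    if not nums:
        return None
    if nums[0] >= 3:
        return True
    if len(nums) < 3:
        # '1.1' could be 1.1.0 (no Ed25519) or 1.1.1 (Ed25519): undecidable from the name
        return None if nums[:2] == [1, 1] else False
    return tuple(nums[:3]) >= (1, 1, 1)

def audit(old_ldd, new_ldd):
    """Return (libraries newly bundled, Ed25519 verdict for each bundled OpenSSL library)."""
    old, new = bundled_libs(old_ldd), bundled_libs(new_ldd)
    added = sorted(set(new) - set(old))
    verdict = {n: ed25519_capable(v) for n, v in new.items() if n in ("libssl", "libcrypto")}
    return added, verdict

# Constructed samples: a subset of the issue's ldd lines with paths and addresses shortened.
OLD_LDD = """
    libgit2-c59d94c5.so.1.3.0 => /venv/pygit2.libs/libgit2-c59d94c5.so.1.3.0 (0x0)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0)
    libssh2-cd9fe4aa.so.1.0.1 => /venv/pygit2.libs/libssh2-cd9fe4aa.so.1.0.1 (0x0)
"""
NEW_LDD = """
    libgit2-ef0a77d6.so.1.3.0 => /venv/pygit2.libs/libgit2-ef0a77d6.so.1.3.0 (0x0)
    libssl-e9dd7f6d.so.1.0.2k => /venv/pygit2.libs/libssl-e9dd7f6d.so.1.0.2k (0x0)
    libcrypto-ddbcb6f7.so.1.0.2k => /venv/pygit2.libs/libcrypto-ddbcb6f7.so.1.0.2k (0x0)
    libssh2-4abf2d1c.so.1.0.1 => /venv/pygit2.libs/libssh2-4abf2d1c.so.1.0.1 (0x0)
"""

if __name__ == "__main__":
    print(audit(OLD_LDD, NEW_LDD))
```

A `None` verdict means the file name alone cannot settle the question and the library's own version string has to be checked.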