Recent commits to derivepassphrase.git (8a0b21fee827207b46da6fceb3c98d37b88a08ba)

Fix a longstanding typo in the Markdown manpage examples

2026-02-08T21:01:20+01:00

Apparently, this is a copy-and-paste error from the PDF rendering of the
manpage when it was originally converted to Markdown: while the PDF
*looked* correct, the text layer was not, and so the pasted text was
also out-of-order.
</pre>

Update the manpages with respect to SSH agents

2026-02-08T19:38:24+01:00

Add a section on SSH agent socket providers, and documentation for the
new `--ssh-agent-socket-provider` option and the new "The SSH agent
socket provider %s is not in derivepassphrase's provider registry."
error message.  Also update the section on SSH key suitability, and
remove the entry on Windows incompatibility from the Bugs section.
</pre>

Fix minor formatting errors, linting errors, and typos

2026-02-08T16:10:06+01:00

</pre>

Add tests for explicit SSH agent socket provider selection

2026-02-08T16:02:18+01:00

Extend the vault CLI tests for basic SSH key usage to also cover the SSH
agent socket provider choice case.  We split up the monolithic `_test`
helper function into separate `_setup_environment` and `_check_result`
functions, so that we can share common setup code (including fixtures
and parametrizations), but use different result testing code.  We also
extend the `_setup_environment` code to handle main user configuration
mocking and SSH agent socket provider registry mocking as well, even if
the basic key tests don't use this functionality.
</pre>

Error out correctly when an invalid SSH agent socket provider is specified

2026-02-08T13:40:06+01:00

Issue the correct error message when an SSH agent socket provider is
specified via command-line options or via user configuration, but the
socket provider does not appear in the registry.

Previously, due to a technicality, this would be treated the same as the
`SSH_AUTH_SOCK` environment variable missing, and would issue the same
error message.  This is, of course, blatantly false, and has now been
corrected.
</pre>

Support specifying the SSH agent socket provider via CLI or configuration

2026-02-08T13:00:41+01:00

Add a designated entry `vault.ssh-agent-socket-provider` to the
`derivepassphrase` main configuration and the new option
`--ssh-agent-socket-provider` to the `derivepassphrase vault`
command-line interface.  These both specify a specific SSH agent socket
provider to use, instead of the built-in default provider list.  The
command-line option has precedence over the user configuration.

In complementary work, streamline the construction of SSH agent client
contexts and the querying of configuration files in `derivepassphrase
vault`'s main program: provide a `get_configured_connection_hint` for
the former, and harmonize function signatures and call responsibilities
for the latter.
</pre>

Document platform-specific coverage exclusion markers

2026-02-01T20:51:53+01:00

</pre>

Work around non-reentrant SSH agent sockets/clients

2026-02-01T20:38:39+01:00

Mark some tests as needing the ability to construct a second SSH agent
client (on the same socket address) while another one is still
connected.  This works with most agents, except `gpg-agent` on The
Annoying OS when masquerading as OpenSSH's `ssh-agent`.  Presumably,
`gpg-agent` handles the requests with a single thread, non-multiplexed,
and so blocks all other agent clients from progressing.  The symptoms
are blocking during the connect call, then failing with "socket address
not found" immediately once the other client closes its connection.

We address the affected tests by monkeypatching the
`ssh_agent.SSHAgentClient.ensure_agent_subcontext` context manager – the
main way `derivepassphrase` internally interacts with the SSH agent – to
return a singleton agent: the agent provided to the test function (via
a fixture).  We implement this as a machinery function to set up the
environment explicitly, because this functionality hard to set up
usefully as a test fixture: it interferes with testing SSH agent client
constructor failures, and *those* are sometimes implemented as single
`pytest.param`s of a common test function, but the test function cannot
dynamically adapt the set of applicable fixtures to the specific
parametrization.

While specifically designed for use with `gpg-agent` on The Annoying OS,
the interface is general in nature, and can be used with any declared
SSH agent (except the fake agents).  Since this internally works
similarly to the "permitted SSH agents" feature of the test suite, we
generalize the latter slightly to allow implementing the former.
</pre>

Add more coverage exclusion, with commentary

2026-01-28T20:48:27+01:00

</pre>

Report SSH agent socket providers in `--version` output

2026-01-24T23:50:57+01:00

In the output of `derivepassphrase vault --version`, output the list of
supported and the list of unavailable SSH agent socket providers.
Report all aliases as well.  We intend to reuse the names later on in
the user configuration file, so it is important to expose them
somewhere.

To determine whether an entry key is a base name or an alias, we build
a topological sorting over the entry keys, using tools from the standard
library introduced in Python 3.9.  (Older Python versions could be
retrofitted with a backport, if need be.)

Open problem: The topological sorter checks for cycles, but there is
otherwise no deeper error checking yet.  In particular, these entry keys
may be supplied by a malicious third party, but there are no
sanitization checks yet for terminal sequences or similar when
outputting the key during the `--version` call.  How to handle this?
</pre>