Recent commits to derivepassphrase.git (8a0b21fee827207b46da6fceb3c98d37b88a08ba)
https://git.schokokeks.org/derivepassphrase.git/tree/8a0b21fee827207b46da6fceb3c98d37b88a08ba
Recent commits feed provided by GitList.

Fix a longstanding typo in the Markdown manpage examples
Apparently, this is a copy-and-paste error from the PDF rendering of the manpage when it was originally converted to Markdown: while the PDF *looked* correct, the text layer was not, and so the pasted text was also out-of-order.
https://git.schokokeks.org/derivepassphrase.git/commit/8a0b21fee827207b46da6fceb3c98d37b88a08ba
software@the13thletter.info (Marco Ricci) Sun, 08 Feb 2026 21:01:20 +0100
8a0b21fee827207b46da6fceb3c98d37b88a08ba

Update the manpages with respect to SSH agents
Add a section on SSH agent socket providers, and documentation for the new `--ssh-agent-socket-provider` option and the new "The SSH agent socket provider %s is not in derivepassphrase's provider registry." error message. Also update the section on SSH key suitability, and remove the entry on Windows incompatibility from the Bugs section.
https://git.schokokeks.org/derivepassphrase.git/commit/46c906e53a432ad1eaaef5fe6ba1d9f7e6e12f1e
software@the13thletter.info (Marco Ricci) Sun, 08 Feb 2026 19:38:24 +0100
46c906e53a432ad1eaaef5fe6ba1d9f7e6e12f1e

Fix minor formatting errors, linting errors, and typos
https://git.schokokeks.org/derivepassphrase.git/commit/a19b8bbe85e9fba002b1e1364f6cc9aeb64e5969
software@the13thletter.info (Marco Ricci) Sun, 08 Feb 2026 16:10:06 +0100
a19b8bbe85e9fba002b1e1364f6cc9aeb64e5969

Add tests for explicit SSH agent socket provider selection
Extend the vault CLI tests for basic SSH key usage to also cover the SSH agent socket provider choice case. We split up the monolithic `_test` helper function into separate `_setup_environment` and `_check_result` functions, so that we can share common setup code (including fixtures and parametrizations), but use different result testing code.
We also extend the `_setup_environment` code to handle main user configuration mocking and SSH agent socket provider registry mocking as well, even if the basic key tests don't use this functionality.
https://git.schokokeks.org/derivepassphrase.git/commit/369ca71eaa5b58f91a1b31e6e0bbecd87db4a488
software@the13thletter.info (Marco Ricci) Sun, 08 Feb 2026 16:02:18 +0100
369ca71eaa5b58f91a1b31e6e0bbecd87db4a488

Error out correctly when an invalid SSH agent socket provider is specified
Issue the correct error message when an SSH agent socket provider is specified via command-line options or via user configuration, but the socket provider does not appear in the registry. Previously, due to a technicality, this would be treated the same as the `SSH_AUTH_SOCK` environment variable missing, and would issue the same error message. This is, of course, blatantly false, and has now been corrected.
https://git.schokokeks.org/derivepassphrase.git/commit/b47aeba92dcb366450841a5f480f0d47d0cd4785
software@the13thletter.info (Marco Ricci) Sun, 08 Feb 2026 13:40:06 +0100
b47aeba92dcb366450841a5f480f0d47d0cd4785

Support specifying the SSH agent socket provider via CLI or configuration
Add a designated entry `vault.ssh-agent-socket-provider` to the `derivepassphrase` main configuration and the new option `--ssh-agent-socket-provider` to the `derivepassphrase vault` command-line interface. These both specify a specific SSH agent socket provider to use, instead of the built-in default provider list. The command-line option has precedence over the user configuration.
In complementary work, streamline the construction of SSH agent client contexts and the querying of configuration files in `derivepassphrase vault`'s main program: provide a `get_configured_connection_hint` for the former, and harmonize function signatures and call responsibilities for the latter.
https://git.schokokeks.org/derivepassphrase.git/commit/04d675f8ef255a5e68589a6a132490a424595216
software@the13thletter.info (Marco Ricci) Sun, 08 Feb 2026 13:00:41 +0100
04d675f8ef255a5e68589a6a132490a424595216

Document platform-specific coverage exclusion markers
https://git.schokokeks.org/derivepassphrase.git/commit/1480df53a6ad1f89fb2a570eb7d38f5e10a06e03
software@the13thletter.info (Marco Ricci) Sun, 01 Feb 2026 20:51:53 +0100
1480df53a6ad1f89fb2a570eb7d38f5e10a06e03

Work around non-reentrant SSH agent sockets/clients
Mark some tests as needing the ability to construct a second SSH agent client (on the same socket address) while another one is still connected. This works with most agents, except `gpg-agent` on The Annoying OS when masquerading as OpenSSH's `ssh-agent`. Presumably, `gpg-agent` handles the requests with a single thread, non-multiplexed, and so blocks all other agent clients from progressing. The symptoms are blocking during the connect call, then failing with "socket address not found" immediately once the other client closes its connection.
We address the affected tests by monkeypatching the `ssh_agent.SSHAgentClient.ensure_agent_subcontext` context manager – the main way `derivepassphrase` internally interacts with the SSH agent – to return a singleton agent: the agent provided to the test function (via a fixture). We implement this as a machinery function to set up the environment explicitly, because this functionality is hard to set up usefully as a test fixture: it interferes with testing SSH agent client constructor failures, and *those* are sometimes implemented as single `pytest.param`s of a common test function, but the test function cannot dynamically adapt the set of applicable fixtures to the specific parametrization.
While specifically designed for use with `gpg-agent` on The Annoying OS, the interface is general in nature, and can be used with any declared SSH agent (except the fake agents).
Since this internally works similarly to the "permitted SSH agents" feature of the test suite, we generalize the latter slightly to allow implementing the former.
https://git.schokokeks.org/derivepassphrase.git/commit/9207fef5eb8663a3246f18239c9b648fbdd3a090
software@the13thletter.info (Marco Ricci) Sun, 01 Feb 2026 20:38:39 +0100
9207fef5eb8663a3246f18239c9b648fbdd3a090

Add more coverage exclusion, with commentary
https://git.schokokeks.org/derivepassphrase.git/commit/9d4a186f43ffb9dba80980ed38febd3859ff5b78
software@the13thletter.info (Marco Ricci) Wed, 28 Jan 2026 20:48:27 +0100
9d4a186f43ffb9dba80980ed38febd3859ff5b78

Report SSH agent socket providers in `--version` output
In the output of `derivepassphrase vault --version`, output the list of supported and the list of unavailable SSH agent socket providers. Report all aliases as well. We intend to reuse the names later on in the user configuration file, so it is important to expose them somewhere.
To determine whether an entry key is a base name or an alias, we build a topological sorting over the entry keys, using tools from the standard library introduced in Python 3.9. (Older Python versions could be retrofitted with a backport, if need be.)
Open problem: The topological sorter checks for cycles, but there is otherwise no deeper error checking yet. In particular, these entry keys may be supplied by a malicious third party, but there are no sanitization checks yet for terminal sequences or similar when outputting the key during the `--version` call. How to handle this?
https://git.schokokeks.org/derivepassphrase.git/commit/598c2ba6e3c4a162236535d613a6b6ec1c8b1dcc
software@the13thletter.info (Marco Ricci) Sat, 24 Jan 2026 23:50:57 +0100
598c2ba6e3c4a162236535d613a6b6ec1c8b1dcc