https://git.schokokeks.org/derivepassphrase.git/tree/9176ab7d9a7cf9d32fcc9b98a31a5805703ca349 Recent commits to derivepassphrase.git (9176ab7d9a7cf9d32fcc9b98a31a5805703ca349) 2024-11-28T13:08:34+01:00 tag:gitlist.org,2012:commit/9176ab7d9a7cf9d32fcc9b98a31a5805703ca349 Copyedit and reclassify changelog entry for deterministic DSA signatures 2024-11-28T13:08:34+01:00 Marco Ricci software@the13thletter.info <pre>Since the behavior is backward-compatible, the changes are API "additions" and "fixes", not "changes". Also fix minor spacing errors and typos. &lt;/pre&gt; tag:gitlist.org,2012:commit/c7d52b780ebed8175ef8238a2c811082b29403e6 Merge topic branch 'ssh-key-howto' into master 2024-11-28T11:32:33+01:00 Marco Ricci software@the13thletter.info <pre>This includes the 'pageant-deterministic-signatures' topic branch as well. * t/ssh-key-howto: Add missing tests for `SSHAgentClient.query_extensions` runtime errors Retire the use of symlinks for the README and the changelog Use canonical test keys in all SSH agent key listings Unmark icon- and badge-type external links as external Document that `is_suitable_ssh_key` now takes an optional agent client in the changelog Add an ecdsa-sha2-nistp521 SSH test key Publish polished `is_suitable_ssh_key` and `has_deterministic_dsa_signatures` interfaces Let the `running_ssh_agent` test fixture report the agent type Decouple deterministic signatures from general SSH agent detection Fix test suite to actually test deterministic signature support Fix spurious overloaded signature mismatch Indicate external links in non-API documentation as well Split the SSH key how-to into how-to and reference documents Make suitable SSH key listing easier to distinguish Add changelog entry for deterministic DSA/ECDSA signature support Add how-to for setting up an SSH key for `derivepassphrase vault` Purge the info badges for current Python or derivepassphrase versions Support the "all signatures are deterministic" feature of some SSH agents Support one-off SSH agent client child contexts &lt;/pre&gt; tag:gitlist.org,2012:commit/b725e5f10e6031cf0781c8593fe854b2046a3bae Add missing tests for `SSHAgentClient.query_extensions` runtime errors 2024-11-27T20:23:06+01:00 Marco Ricci software@the13thletter.info <pre>Currently, this is still a white-box, maliciously compliant design that relies heavily on implementation details of the function under test. That said, the failure cases being triggered here are all SSH agent protocol violations, which would otherwise be difficult to trigger in "real" SSH agents. &lt;/pre&gt; tag:gitlist.org,2012:commit/70535b833256e31c5913e3decffc1706bb4ecd38 Retire the use of symlinks for the README and the changelog 2024-11-27T18:21:17+01:00 Marco Ricci software@the13thletter.info <pre>Symlinks interact very poorly with online git repository viewers, and while they are offline viewable on Unixish systems, readers only see the source view, not the rendered view. For the documentation frontpage `docs/index.md`, use the Snippets extension (Material for MkDocs/Python-Markdownx) to include the contents of `README.md`. This will allow future customization of the frontpage by either appending further content or only embedding parts of the README. For the changelog, because we use `scriv` to maintain it semi-automatically and thus want the changelog snippets to stay out of the top-level directory, we do not want `docs/changelog.md` to symlink to or to snippet-include the top-level `CHANGELOG.md`. Instead, we let `CHANGELOG.md` point to the `docs` directory (in prose), and purge the symlinks to the SVG badges. The original intent was to make the changelog renderable at the top-level, without the MkDocs machinery, but this is only really feasible if the changelog is handwritten, which hasn't been the case anymore for quite some time already. &lt;/pre&gt; tag:gitlist.org,2012:commit/adfb4e89b0a8b7e92e7b777c36fd68d51057f231 Use canonical test keys in all SSH agent key listings 2024-11-27T15:10:52+01:00 Marco Ricci software@the13thletter.info <pre>For all documentation, whenever a formatted key listing of suitable keys is presented, use the test keys from the test suite if possible. Also, correct a typo. &lt;/pre&gt; tag:gitlist.org,2012:commit/54f1edfb13a587ccccba30254a52b75d7387d4ad Unmark icon- and badge-type external links as external 2024-11-27T14:16:59+01:00 Marco Ricci software@the13thletter.info <pre>Icon-/badge-only external links lose their visual succintness if they include the external link marker afterwards. Also use this opportunity to rewrite the external links CSS selectors using the `:is` and `:has` pseudo-classes, which leads to much less code repetition. Supposedly, every major browser has had a release with `:has` support since December 2023, so browser compatibility shouldn't be a major issue. &lt;/pre&gt; tag:gitlist.org,2012:commit/5959cb77d6074f26c59cfe5342592aef52c94aee Document that `is_suitable_ssh_key` now takes an optional agent client in the changelog 2024-11-27T13:29:15+01:00 Marco Ricci software@the13thletter.info <pre>&lt;/pre&gt; tag:gitlist.org,2012:commit/da7fed85c9fe23df9a0bba7da52389d0fdcb402f Add an ecdsa-sha2-nistp521 SSH test key 2024-11-27T00:09:55+01:00 Marco Ricci software@the13thletter.info <pre>This case was apparently forgotten when adding the 256- and 384-bit keys. &lt;/pre&gt; tag:gitlist.org,2012:commit/df33a1594cc2496e3858f3818cdab0f807d9ed88 Publish polished `is_suitable_ssh_key` and `has_deterministic_dsa_signatures` interfaces 2024-11-26T23:28:43+01:00 Marco Ricci software@the13thletter.info <pre>The `has_deterministic_signatures` function internally only ever checked whether DSA signatures were known deterministic, because currently, signature schemes are either deterministic by design or they are DSA-like and can be derandomized via RFC 6979 or a similar procedure. There's no guarantee this dichotomy will stay this way in the future. Thus it is better to rename the function to match what it actually tests: Does this agent use deterministic DSA and ECDSA signatures? We do just that. In a similar vein, the `Vault._is_suitable_ssh_key` only really checks if the key type is known deterministic, not whether the key is suitable; the latter depends on the SSH agent, and requires a call to the old `has_deterministic_signatures` function. We could of course analogously rename `_is_suitable_ssh_key` into `is_known_deterministic_key_type` or similar, but this feels too much like exposing implementation details to the API user. It seems better to expose a `Vault.is_suitable_ssh_key` method that actually does what it advertises: check whether a key type is known deterministic under a given SSH agent, or under all SSH agents in general. So we do just that. Finally, we clean up some inconsistencies in the `query_extensions` docstring, and some missing SSH agent clients not passed on to the calls to the `Vault.phrase_from_key` function in the tests. &lt;/pre&gt; tag:gitlist.org,2012:commit/fdbea449cda2a00785dd803c43cf9dbec2995ba1 Let the `running_ssh_agent` test fixture report the agent type 2024-11-26T14:26:21+01:00 Marco Ricci software@the13thletter.info <pre>In the current test scenario, where multiple SSH agents are spawned if possible, it is highly unhelpful to know *that* a running SSH agent failed, but not *which* agent did. For debugging purposes, it is better if the `running_ssh_agent` test fixture reports not only the agent's socket, but also its type. It is sufficient to have the type passed as a fixture output/test function input, because `pytest` will then pretty-print it when a test function fails. &lt;/pre&gt;