Recent commits to derivepassphrase.git (9518a764d9429c661603f00bc4dfb5bd63afffbf)

Copyedit tutorials, how-tos and reference pages structure

2024-11-28T13:34:17+01:00

Includes

  * index pages for the tutorials and how-tos sections
  * adding a "man page" section in the global navigation block
  * dropping the rendundant "tutorial" in the tutorial titles
</pre>

Copyedit and reclassify changelog entry for deterministic DSA signatures

2024-11-28T13:08:34+01:00

Since the behavior is backward-compatible, the changes are API
"additions" and "fixes", not "changes".

Also fix minor spacing errors and typos.
</pre>

Merge topic branch 'ssh-key-howto' into master

2024-11-28T11:32:33+01:00

This includes the 'pageant-deterministic-signatures' topic branch as
well.

* t/ssh-key-howto:
  Add missing tests for `SSHAgentClient.query_extensions` runtime errors
  Retire the use of symlinks for the README and the changelog
  Use canonical test keys in all SSH agent key listings
  Unmark icon- and badge-type external links as external
  Document that `is_suitable_ssh_key` now takes an optional agent client in the changelog
  Add an ecdsa-sha2-nistp521 SSH test key
  Publish polished `is_suitable_ssh_key` and `has_deterministic_dsa_signatures` interfaces
  Let the `running_ssh_agent` test fixture report the agent type
  Decouple deterministic signatures from general SSH agent detection
  Fix test suite to actually test deterministic signature support
  Fix spurious overloaded signature mismatch
  Indicate external links in non-API documentation as well
  Split the SSH key how-to into how-to and reference documents
  Make suitable SSH key listing easier to distinguish
  Add changelog entry for deterministic DSA/ECDSA signature support
  Add how-to for setting up an SSH key for `derivepassphrase vault`
  Purge the info badges for current Python or derivepassphrase versions
  Support the "all signatures are deterministic" feature of some SSH agents
  Support one-off SSH agent client child contexts
</pre>

Add missing tests for `SSHAgentClient.query_extensions` runtime errors

2024-11-27T20:23:06+01:00

Currently, this is still a white-box, maliciously compliant design that
relies heavily on implementation details of the function under test.
That said, the failure cases being triggered here are all SSH agent
protocol violations, which would otherwise be difficult to trigger in
"real" SSH agents.
</pre>

Retire the use of symlinks for the README and the changelog

2024-11-27T18:21:17+01:00

Symlinks interact very poorly with online git repository viewers, and
while they are offline viewable on Unixish systems, readers only see the
source view, not the rendered view.

For the documentation frontpage `docs/index.md`, use the Snippets
extension (Material for MkDocs/Python-Markdownx) to include the contents
of `README.md`.  This will allow future customization of the frontpage
by either appending further content or only embedding parts of the
README.

For the changelog, because we use `scriv` to maintain it
semi-automatically and thus want the changelog snippets to stay out of
the top-level directory, we do not want `docs/changelog.md` to symlink
to or to snippet-include the top-level `CHANGELOG.md`.  Instead, we let
`CHANGELOG.md` point to the `docs` directory (in prose), and purge the
symlinks to the SVG badges.  The original intent was to make the
changelog renderable at the top-level, without the MkDocs machinery, but
this is only really feasible if the changelog is handwritten, which
hasn't been the case anymore for quite some time already.
</pre>

Use canonical test keys in all SSH agent key listings

2024-11-27T15:10:52+01:00

For all documentation, whenever a formatted key listing of suitable keys
is presented, use the test keys from the test suite if possible.

Also, correct a typo.
</pre>

Unmark icon- and badge-type external links as external

2024-11-27T14:16:59+01:00

Icon-/badge-only external links lose their visual succintness if they
include the external link marker afterwards.

Also use this opportunity to rewrite the external links CSS selectors
using the `:is` and `:has` pseudo-classes, which leads to much less code
repetition.  Supposedly, every major browser has had a release with
`:has` support since December 2023, so browser compatibility shouldn't
be a major issue.
</pre>

Document that `is_suitable_ssh_key` now takes an optional agent client in the changelog

2024-11-27T13:29:15+01:00

</pre>

Add an ecdsa-sha2-nistp521 SSH test key

2024-11-27T00:09:55+01:00

This case was apparently forgotten when adding the 256- and 384-bit
keys.
</pre>

Publish polished `is_suitable_ssh_key` and `has_deterministic_dsa_signatures` interfaces

2024-11-26T23:28:43+01:00

The `has_deterministic_signatures` function internally only ever checked
whether DSA signatures were known deterministic, because currently,
signature schemes are either deterministic by design or they are
DSA-like and can be derandomized via RFC 6979 or a similar procedure.
There's no guarantee this dichotomy will stay this way in the future.
Thus it is better to rename the function to match what it actually
tests: Does this agent use deterministic DSA and ECDSA signatures?  We
do just that.

In a similar vein, the `Vault._is_suitable_ssh_key` only really checks
if the key type is known deterministic, not whether the key is suitable;
the latter depends on the SSH agent, and requires a call to the old
`has_deterministic_signatures` function.  We could of course analogously
rename `_is_suitable_ssh_key` into `is_known_deterministic_key_type` or
similar, but this feels too much like exposing implementation details to
the API user.  It seems better to expose a `Vault.is_suitable_ssh_key`
method that actually does what it advertises: check whether a key type
is known deterministic under a given SSH agent, or under all SSH agents
in general.  So we do just that.

Finally, we clean up some inconsistencies in the `query_extensions`
docstring, and some missing SSH agent clients not passed on to the calls
to the `Vault.phrase_from_key` function in the tests.
</pre>