Recent commits to derivepassphrase.git (f9a8d370e5d2cb92d7c9f430543fe42a28bc5ff6)
https://git.schokokeks.org/derivepassphrase.git/tree/f9a8d370e5d2cb92d7c9f430543fe42a28bc5ff6
2026-03-08T22:46:41+01:00

tag:gitlist.org,2012:commit/f9a8d370e5d2cb92d7c9f430543fe42a28bc5ff6
Add a tutorial for using SSH keys with `derivepassphrase vault`
2026-03-08T22:46:41+01:00 Marco Ricci software@the13thletter.info
<pre>The tutorial builds on the previous tutorial for setting up
`derivepassphrase vault` with a master passphrase, modifying the
existing configuration to use a master SSH key instead. It covers SSH
agent installation, key generation, and reconfiguring `derivepassphrase
vault`. Both tutorials link to each other.

The other tutorial (for setting up `derivepassphrase vault` with
a master passphrase) now also contains a short note on shell prompts as
well as operating system-specific instructions for the `pip` install
method.

For reproducibility, the new tutorial uses the standard Ed25519 SSH test
key as the master SSH key. The test key is explicitly linked. The
tutorial also includes a copy of the Pageant icon to help the reader
identify the correct icon in The Annoying OS's task bar.
</pre>

tag:gitlist.org,2012:commit/7eb5e54f22abbd9115bd27603f1a71bfda60425f
Update the copyright year to 2026
2026-02-08T21:25:06+01:00 Marco Ricci software@the13thletter.info
<pre>Also fix one instance where the declared license identifier still was
the MIT license, making it unclear whether this file was licensed under
a different license than the rest. (No, it was merely a typo.)
</pre>

tag:gitlist.org,2012:commit/e76702af47917d27407300964d7db4e7eba08e63
Fix a longstanding typo in the Markdown manpage examples
2026-02-08T21:01:20+01:00 Marco Ricci software@the13thletter.info
<pre>Apparently, this is a copy-and-paste error from the PDF rendering of the
manpage when it was originally converted to Markdown: while the PDF
*looked* correct, the text layer was not, and so the pasted text was
also out-of-order.
</pre>

tag:gitlist.org,2012:commit/50bcd5e2848b599cef92229033efd0e57529a9ce
Update the manpages with respect to SSH agents
2026-02-08T19:38:24+01:00 Marco Ricci software@the13thletter.info
<pre>Add a section on SSH agent socket providers, and documentation for the
new `--ssh-agent-socket-provider` option and the new "The SSH agent
socket provider %s is not in derivepassphrase's provider registry."
error message. Also update the section on SSH key suitability, and
remove the entry on Windows incompatibility from the Bugs section.
</pre>

tag:gitlist.org,2012:commit/bbda81848f19467eac4364337e6993d347a5fe33
Fix minor formatting errors, linting errors, and typos
2026-02-08T16:10:06+01:00 Marco Ricci software@the13thletter.info
<pre></pre>

tag:gitlist.org,2012:commit/dd95f72397ce3b78436fe211e8bf9d33a9cedecc
Add tests for explicit SSH agent socket provider selection
2026-02-08T16:02:18+01:00 Marco Ricci software@the13thletter.info
<pre>Extend the vault CLI tests for basic SSH key usage to also cover the SSH
agent socket provider choice case. We split up the monolithic `_test`
helper function into separate `_setup_environment` and `_check_result`
functions, so that we can share common setup code (including fixtures
and parametrizations), but use different result testing code. We also
extend the `_setup_environment` code to handle main user configuration
mocking and SSH agent socket provider registry mocking as well, even if
the basic key tests don't use this functionality.
</pre>

tag:gitlist.org,2012:commit/546b916851c6fc96f84f3f2db42817bab4cc2db5
Error out correctly when an invalid SSH agent socket provider is specified
2026-02-08T13:40:06+01:00 Marco Ricci software@the13thletter.info
<pre>Issue the correct error message when an SSH agent socket provider is
specified via command-line options or via user configuration, but the
socket provider does not appear in the registry.

Previously, due to a technicality, this would be treated the same as the
`SSH_AUTH_SOCK` environment variable missing, and would issue the same
error message. This is, of course, blatantly false, and has now been
corrected.
</pre>

tag:gitlist.org,2012:commit/9d41d409bfb8623f419905cf123c80114dcc49e2
Support specifying the SSH agent socket provider via CLI or configuration
2026-02-08T13:00:41+01:00 Marco Ricci software@the13thletter.info
<pre>Add a designated entry `vault.ssh-agent-socket-provider` to the
`derivepassphrase` main configuration and the new option
`--ssh-agent-socket-provider` to the `derivepassphrase vault`
command-line interface. These both specify a specific SSH agent socket
provider to use, instead of the built-in default provider list. The
command-line option has precedence over the user configuration.

In complementary work, streamline the construction of SSH agent client
contexts and the querying of configuration files in `derivepassphrase
vault`'s main program: provide a `get_configured_connection_hint` for
the former, and harmonize function signatures and call responsibilities
for the latter.
</pre>

tag:gitlist.org,2012:commit/610cd05c290e255d59dde6915826221df2d3bf96
Document platform-specific coverage exclusion markers
2026-02-01T20:51:53+01:00 Marco Ricci software@the13thletter.info
<pre></pre>

tag:gitlist.org,2012:commit/2ab74a949c7943354c68c198210997ace4d9674e
Work around non-reentrant SSH agent sockets/clients
2026-02-01T20:38:39+01:00 Marco Ricci software@the13thletter.info
<pre>Mark some tests as needing the ability to construct a second SSH agent
client (on the same socket address) while another one is still
connected. This works with most agents, except `gpg-agent` on The
Annoying OS when masquerading as OpenSSH's `ssh-agent`. Presumably,
`gpg-agent` handles the requests with a single thread, non-multiplexed,
and so blocks all other agent clients from progressing. The symptoms
are blocking during the connect call, then failing with "socket address
not found" immediately once the other client closes its connection.

We address the affected tests by monkeypatching the
`ssh_agent.SSHAgentClient.ensure_agent_subcontext` context manager – the
main way `derivepassphrase` internally interacts with the SSH agent – to
return a singleton agent: the agent provided to the test function (via
a fixture). We implement this as a machinery function to set up the
environment explicitly, because this functionality is hard to set up
usefully as a test fixture: it interferes with testing SSH agent client
constructor failures, and *those* are sometimes implemented as single
`pytest.param`s of a common test function, but the test function cannot
dynamically adapt the set of applicable fixtures to the specific
parametrization.

While specifically designed for use with `gpg-agent` on The Annoying OS,
the interface is general in nature, and can be used with any declared
SSH agent (except the fake agents). Since this internally works
similarly to the "permitted SSH agents" feature of the test suite, we
generalize the latter slightly to allow implementing the former.
</pre>