Fossil SCM

Update documentation.

danield 2025-01-14 17:11 ssh-signing
Commit fa82b864cb9d5efcba7930b5e6e550d1f28aed67e69fc87d7c2691d2867f63b4
1 file changed +17 -8
--- www/signing.md
+++ www/signing.md
@@ -18,13 +18,13 @@
1818
The `clearsign` setting must be on; this will cause every check-in to be signed
1919
(unless you provide the `--nosign` flag to `fossil commit`). To this end,
2020
Fossil calls the command given by the `pgp-command` setting.
2121
2222
Fossil needs a non-detached signature that includes the rest of the usual
23
-manifest. For GnuPG, this is no problem, but OpenSSH can currently (2024,
24
-version 9.8p1) create **and verify** only detached signatures; Fossil itself
25
-embeds this signature into the manifest prior to committing. This makes the
23
+manifest. For GnuPG, this is no problem, but as of 2025 (version 9.9p1) OpenSSH
24
+can create **and verify** only detached signatures; Fossil itself must
25
+attach this signature to the manifest prior to committing. This makes the
2626
verification more complex, as additional steps are needed to extract the
2727
signature and feed it into OpenSSH.
2828
2929
### GnuPG
3030
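Review bot: In the rewritten sentence the parenthetical "(version 9.9p1)" now sits before "OpenSSH", so "as of 2025 (version 9.9p1) OpenSSH can create" separates the version number from the product it describes. Consider "as of 2025, OpenSSH (version 9.9p1) can create **and verify** only detached signatures", which keeps the new wording and reads unambiguously.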
@@ -85,27 +85,36 @@
8585
8686
#### For Linux:
8787
8888
```bash
8989
fsig=$(mktemp /tmp/__fsig.XXXXXX) && \
90
-fusr=$(fossil artifact <CHECK-IN> | awk -v m="${fsig}" -v s="${fsig}.sig" '/^-----BEGIN SSH SIGNED/{of=m;next} /^-----BEGIN SSH SIGNATURE/{of=s} /^U /{usr=$2} /./{if(!of){exit 42};print >> of} END{print usr}') && \
91
-ssh-keygen -Y verify -f ~/.ssh/allowed_signers -I ${fusr} -n fossilscm -s "${fsig}.sig" < "${fsig}" || echo "No SSH signed check-in" && \
90
+fusr=$(fossil artifact tip \
91
+ | awk -v m="${fsig}" -v s="${fsig}.sig" \
92
+ '/^-----BEGIN SSH SIGNED/{of=m;next} \
93
+ /^-----BEGIN SSH SIGNATURE/{of=s} \
94
+ /^U /{usr=$2} \
95
+ /./{if(!of){exit 42};print >> of} END{print usr}') && \
96
+ssh-keygen -Y verify -f ~/.ssh/allowed_signers -I ${fusr} -n fossilscm \
97
+ -s "${fsig}.sig" < "${fsig}" || echo "No SSH signed check-in" && \
9298
rm -f "${fsig}.sig" "${fsig}" && \
9399
unset -v fsig fusr
94100
```
95101
96102
#### For Windows (cmd):
97103
98104
The following incantation makes use of `awk` and `dos2unix`, standard Unix
99
-tools but requiring separate installation on Windows (for example, using [BusyBox](https://frippery.org/busybox/#downloads)). The usage of `awk` can be
105
+tools but requiring separate installation on Windows (for example,using
106
+[BusyBox](https://frippery.org/busybox/#downloads)). The usage of `awk` can be
100107
replaced with the Windows basic tool `findstr`, leading to a longer recipe.
101108
102109
```bat
103
-fossil artifact <CHECK-IN> | awk -v m="__fsig" -v s="__fsig.sig" "/^-----BEGIN SSH SIGNED/{of=m;next} /^-----BEGIN SSH SIGNATURE/{of=s} /./{if(!of){exit 42};print >> of}"
110
+fossil artifact <CHECK-IN> | awk -v m="__fsig" -v s="__fsig.sig" ^
111
+ "/^-----BEGIN SSH SIGNED/{of=m;next} /^-----BEGIN SSH SIGNATURE/{of=s} /./{if(!of){exit 42};print >> of}"
104112
if %errorlevel% equ 42 (echo No SSH signed check-in)
105113
REM ---Skip remaining lines if no SSH signed message---
106114
for /f "tokens=2" %i in ('findstr /b "U " __fsig') do set fusr=%i
107115
dos2unix __fsig __fsig.sig
108
-ssh-keygen -Y verify -f %USERPROFILE%\.ssh\allowed_signers -I "%fusr%" -n fossilscm -s __fsig.sig < __fsig
116
+ssh-keygen -Y verify -f %USERPROFILE%\.ssh\allowed_signers -I "%fusr%" ^
117
+ -n fossilscm -s __fsig.sig < __fsig
109118
del __fsig __fsig.sig 2>nul & set "fusr="
110119
```
111120
112121
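Review bot: In the Linux recipe, the rewrapped `ssh-keygen` line still passes `-I ${fusr}` unquoted, although `fusr` is read from the `U` card of the artifact being checked; quote it as `-I "${fusr}"`, as the Windows recipe already does with `"%fusr%"`. The same recipe now hard-codes `fossil artifact tip` while the Windows recipe keeps `<CHECK-IN>`; keep the placeholder in both, or say in the text that `tip` is only an example. The backslashes added at the ends of the lines inside the single-quoted awk program are not consumed by the shell and reach awk as part of the program; the newlines alone already separate the rules, so the backslashes can be dropped. The `|| echo "No SSH signed check-in"` branch also runs when `ssh-keygen -Y verify` rejects a signature, so a failed verification is reported the same way as an unsigned check-in; a separate message for each case would make the result easier to trust. In the Windows paragraph, `(for example,using` is missing a space after the comma.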
