# Generated from ssh_sig-0.1.1.gem by gem2rpm -*- rpm-spec -*- %global gem_name ssh_sig Name: rubygem-%{gem_name} Version: 0.1.1 Release: 1%{?dist} Summary: SSH Signatures in Ruby License: MIT URL: https://gitlab.com/bwill/ssh_sig Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem BuildRequires: ruby(release) BuildRequires: rubygems-devel BuildRequires: ruby >= 2.7.0 # BuildRequires: rubygem(gitlab-styles) >= 6.2.0 # BuildRequires: rubygem(gitlab-styles) < 6.3 # BuildRequires: rubygem(rspec-parameterized) >= 0.5.0 # BuildRequires: rubygem(rspec-parameterized) < 0.6 BuildArch: noarch %description # SshSig - SSH signature verification in pure ruby SshSig is a Ruby gem which can be used to verify signatures signed created by `ssh-keygen`. This capability was [first added](https://github.com/openssh/openssh-portable/commit/2a9c9f7272c1e8665155118fe6536bebdafb6166) in OpenSSH 8.0 allows SSH keys to be used for GPG-like signing capabilities, [including signing git commits](https://github.com/git/git/pull/1041). ## Installation Add this line to your application's Gemfile: ```ruby gem 'ssh_sig' ``` And then execute: $ bundle install Or install it yourself as: $ gem install ssh_sig ## Usage Version 1 of [the SSH signature format](https://github.com/openssh/openssh-portable/blob/b7ffbb17e37f59249c31f1ff59d6c5d80888f689/PROTOCOL.sshsig) supports `ed25519` and `rsa` keys. It is recommended that you use `ed25519` over `rsa` where possible (`ssh-keygen -t ed25519`). In order to verify a signature you need: 1. The public key of the sender 1. The signature file 1. The message to be verified. ```ruby require 'ssh_sig' armored_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILXPkJPI4TMFWZP4xRBQjNeizUG99KuZCt9G23rX48kz" blob = ::SshSig::Blob.from_armor( <<~EOF -----BEGIN SSH SIGNATURE----- U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgtc+Qk8jhMwVZk/jFEFCM16LNQb 30q5kK30bbetfjyTMAAAAEZmlsZQAAAAAAAAAGc2hhNTEyAAAAUwAAAAtzc2gtZWQyNTUx OQAAAECJITeYJIlEeydsCTh1DkfdhlDJFBa73ojfWe0MbrIzoJKd9THd9WeQrhygSRGsNG cU/stk3/919nykg67yG2gN -----END SSH SIGNATURE----- EOF ) message = "This message was definitely sent by Brian Williams" valid = ::SshSig::Verifier .from_armored_pubkey(armored_pubkey) .verify(blob, message) if valid puts 'Signature is valid' else puts 'Signature is not valid' end ``` Signatures can be created using `ssh-keygen -Y sign -n file -f ~/.ssh/ed_25519 message.txt` and will be outputted in `message.txt.sig`. Public keys can be found in a variety of places, including: - Your `~/.ssh/id_.pub` file - `authorized_keys` files on servers - `https://gitlab.com/.keys` - `https://github.com/.keys` The `SshSig::Verifier#from_gitlab` and `SshSig::Verifier#from_github` methods are provided to automatically load public keys from the respective `.keys` urls. ```ruby require 'ssh_sig' blob = ::SshSig::Blob.from_armor( <<~EOF -----BEGIN SSH SIGNATURE----- U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgtc+Qk8jhMwVZk/jFEFCM16LNQb 30q5kK30bbetfjyTMAAAAEZmlsZQAAAAAAAAAGc2hhNTEyAAAAUwAAAAtzc2gtZWQyNTUx OQAAAECJITeYJIlEeydsCTh1DkfdhlDJFBa73ojfWe0MbrIzoJKd9THd9WeQrhygSRGsNG cU/stk3/919nykg67yG2gN -----END SSH SIGNATURE----- EOF ) message = 'This message was definitely sent by Brian Williams' valid = ::SshSig::Verifier .from_gitlab('bwill') .verify(blob, message) if valid puts 'Signature is valid' else puts 'Signature is not valid' end ``` ## Is it safe to re-purpose SSH keys for signing? Yes. The [SSH signature protocol](https://github.com/openssh/openssh-portable/blob/d575cf44895104e0fcb0629920fb645207218129/PROTOCOL.sshsig) is designed to be resistant to cross-protocol attacks, where signatures created for one purpose (i.e. signing a git commit), may be re-used for another purpose (i.e. authenticating to a server). It does this using the magic pre-amble (to differentiate between messages signed by `ssh-keygen` and messages used for SSH authentication) and namespaces (to differentiate between messages signed by `ssh-keygen` but used for different purposes). This causes identical messages to produce different signatures for each different protocol. ## Development After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment. To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and the created tag, and push the `.gem` file to [rubygems.org](https://rubygems.org). ## Contributing Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/ssh_sig. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [code of conduct](https://github.com/[USERNAME]/ssh_sig/blob/main/CODE_OF_CONDUCT.md). ## License The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT). %package doc Summary: Documentation for %{name} Requires: %{name} = %{version}-%{release} BuildArch: noarch %description doc Documentation for %{name}. %prep %setup -q -n %{gem_name}-%{version} %build # Create the gem as gem install only works on a gem file gem build ../%{gem_name}-%{version}.gemspec # %%gem_install compiles any C extensions and installs the gem into ./%%gem_dir # by default, so that we can move it into the buildroot in %%install %gem_install %install mkdir -p %{buildroot}%{gem_dir} cp -a .%{gem_dir}/* \ %{buildroot}%{gem_dir}/ %check pushd .%{gem_instdir} # Run the test suite. popd %files %dir %{gem_instdir} %exclude %{gem_instdir}/.rubocop.yml %license %{gem_instdir}/LICENSE.txt %{gem_instdir}/bin %{gem_libdir} %exclude %{gem_cache} %{gem_spec} %files doc %doc %{gem_docdir} %exclude %{gem_instdir}/.rspec %doc %{gem_instdir}/CHANGELOG.md %{gem_instdir}/Gemfile %{gem_instdir}/Gemfile.lock %doc %{gem_instdir}/README.md %{gem_instdir}/Rakefile %changelog * Wed Apr 20 2022 mockbuilder - 0.1.1-1 - Initial package