On 2025-04-03 at 20:41:47, Marrold wrote:
> Hi all,
>
> I'm attempting to manually verify git commits signed with SSH keys
> using python, however verifying commits consistently fails, no matter
> what I try.
>
> The python verification logic has been tested against signatures
> produced with ssh-keygen and confirmed to be working.
>
> I suspect I'm constructing the message incorrectly to check against
> the signature. As far as I know, the message should look like this,
> with the gpgsig section removed.
>
> tree ff5ee8caaf2893a79711151b2937130469d83d39
> parent 3e84a21590a5ad714d168878abc95218d0e42cac
> author Matthew H <git@xxxxxxxxxxxxx> 1743454803 +0100
> committer Matthew H <git@xxxxxxxxxxxxx> 1743454803 +0100
>
> Commit message
>
> Could someone point me in the right direction? I'm wondering if it's
> hashed or encoded prior to signing.

The message is not hashed or encoded. It is exactly the same object as
the regular commit except without the `gpgsig` or `gpgsig-sha256`
header. Note that that header has continuation lines starting with a
space that are also excluded.

So if we take this commit at the tip of my dotfiles:

----
tree 81c2ccabf6c21c811da7c7f1ecc0dd2019ebf2a2
parent 760a2559269f6acccd1d696cbfc2447d33447e1c
author brian m. carlson <sandals@xxxxxxxxxxxxxxxxxxxx> 1743470407 +0000
committer brian m. carlson <sandals@xxxxxxxxxxxxxxxxxxxx> 1743470407 +0000
gpgsig -----BEGIN PGP SIGNATURE-----
 
 wr0EABYKAG8FgmfrP2QJEHwMSWKIh6KBRxQAAAAAAB4AIHNhbHRAbm90YXRpb25z
 LnNlcXVvaWEtcGdwLm9yZ+07Eq2NxeydVlLrWYwgP09Iw8vhBE/bPFShPSulPcqa
 FiEECCzmip28ZfuD0cORfAxJYoiHooEAAJAwAQDtYPttuP1LW9ZqyWuGNM4epDNm
 3IyV2nezfAXxvVkB3wEAsk5U8d3Pq4GHNtE/QMc5FQ0uyI7FThHryBF6HYoLyAY=
 =ZROA
 -----END PGP SIGNATURE-----

vimrc: enable virtual text in Neovim

In Neovim 0.11, virtual text is disabled by default.  Since we'd like to
use it if it's available, enable it explicitly.  If it's not available,
then the option will be ignored.

Signed-off-by: brian m. carlson <sandals@xxxxxxxxxxxxxxxxxxxx>
----

then the commit body that's subject to verification is this:

----
tree 81c2ccabf6c21c811da7c7f1ecc0dd2019ebf2a2
parent 760a2559269f6acccd1d696cbfc2447d33447e1c
author brian m. carlson <sandals@xxxxxxxxxxxxxxxxxxxx> 1743470407 +0000
committer brian m. carlson <sandals@xxxxxxxxxxxxxxxxxxxx> 1743470407 +0000

vimrc: enable virtual text in Neovim

In Neovim 0.11, virtual text is disabled by default.  Since we'd like to
use it if it's available, enable it explicitly.  If it's not available,
then the option will be ignored.

Signed-off-by: brian m. carlson <sandals@xxxxxxxxxxxxxxxxxxxx>
----

There can definitely be extra headers in the commit, so you can't assume
it will always be just those, nor can you assume that the headers
(including the signature header) will be in any particular order.

Do you have an example commit, key, and command line invocation that you
can show us to help pinpoint the problem?  I ask because ssh-keygen
doesn't exactly present the most intuitive interface and it's easy to
make a mistake in invocation.
--
brian m. carlson (they/them)
Toronto, Ontario, CA
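A worked version of the splitting rule described in the reply above, added here as an example and not code from either poster: it strips the `gpgsig`/`gpgsig-sha256` header together with its space-prefixed continuation lines from a raw commit object, tolerates extra headers in any order, and hands the untouched payload to `ssh-keygen -Y verify` with the `git` namespace. The sample commit object and its signature lines are constructed placeholders; the `allowed_signers` path and signer identity passed to the verifier are assumptions.

```python
from __future__ import annotations
import subprocess
import tempfile

# Constructed sample commit object. The signature lines are placeholders, not a
# real signature, and the gpgsig header is deliberately placed before the
# committer header to show that header order cannot be assumed.
SAMPLE_COMMIT = (
    b"tree 81c2ccabf6c21c811da7c7f1ecc0dd2019ebf2a2\n"
    b"parent 760a2559269f6acccd1d696cbfc2447d33447e1c\n"
    b"author brian m. carlson <sandals@example.invalid> 1743470407 +0000\n"
    b"gpgsig -----BEGIN SSH SIGNATURE-----\n"
    b" (placeholder signature line)\n"
    b" -----END SSH SIGNATURE-----\n"
    b"committer brian m. carlson <sandals@example.invalid> 1743470407 +0000\n"
    b"\n"
    b"vimrc: enable virtual text in Neovim\n"
)

def split_signed_commit(raw: bytes) -> tuple[bytes, bytes | None]:
    """Return (payload, signature) for a raw commit object.
    payload is exactly what git signed: the object minus the gpgsig /
    gpgsig-sha256 header and its continuation lines; nothing is hashed or
    encoded. signature is the armored block with the header name and the
    leading continuation spaces removed, or None for an unsigned commit."""
    headers, sep, body = raw.partition(b"\n\n")
    if not sep:
        raise ValueError("no header/body separator in commit object")
    kept, sig, in_sig = [], [], False
    for line in headers.split(b"\n"):
        if line.startswith(b" "):  # continuation line of the previous header
            if in_sig:
                sig.append(line[1:])  # a lone " " becomes the armor's blank line
            else:
                kept.append(line)
            continue
        name, _, value = line.partition(b" ")
        in_sig = name in (b"gpgsig", b"gpgsig-sha256")
        (sig if in_sig else kept).append(value if in_sig else line)
    payload = b"\n".join(kept) + b"\n\n" + body
    return payload, (b"\n".join(sig) + b"\n" if sig else None)

def verify_with_ssh_keygen(payload: bytes, signature: bytes,
                           allowed_signers: str, identity: str) -> bool:
    """Verify payload the way git does: ssh-keygen -Y verify with namespace
    "git", the signer identity looked up in an allowed_signers file."""
    with tempfile.NamedTemporaryFile(suffix=".sig") as sigfile:
        sigfile.write(signature)
        sigfile.flush()
        proc = subprocess.run(
            ["ssh-keygen", "-Y", "verify", "-f", allowed_signers, "-I", identity,
             "-n", "git", "-s", sigfile.name], input=payload, capture_output=True)
    return proc.returncode == 0
```

For a real commit, feed `git cat-file commit <sha>` output to `split_signed_commit` and pass the payload bytes unchanged; any trailing-newline or encoding change to the payload makes verification fail.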