bugzilla-daemon at mindrot.org
2025-Apr-18  09:33 UTC
[Bug 3815] New: ssh-verify-attestation fails to check attestation
https://bugzilla.mindrot.org/show_bug.cgi?id=3815
            Bug ID: 3815
           Summary: ssh-verify-attestation fails to check attestation
           Product: Portable OpenSSH
           Version: 10.0p1
          Hardware: amd64
                OS: Linux
            Status: NEW
          Severity: trivial
          Priority: P5
         Component: Miscellaneous
          Assignee: unassigned-bugs at mindrot.org
          Reporter: at at symbiosis.finance
Hello, 
I'm currently working with the ssh-verify-attestation tool to verify
the attestation of a key generated on a YubiKey, using the following
commands:
dd if=/dev/random bs=1 count=32 of=challenge 
ssh-keygen -t ed25519-sk -O resident \
-O application=ssh:yubikey \
-O challenge=challenge \
-O write-attestation=id_ed25519_sk_yubi.attest \
-C "YubiKey FIDO SSH Key" \
-f ~/.ssh/id_ed25519_sk_yubi
and when I run 
./openssh-portable/regress/misc/ssh-verify-attestation/ssh-verify-attestation
-A  ~/.ssh/id_ed25519_sk_yubi  challenge  id_ed25519_sk_yubi.attest
I get  "basic attestation failed"  without any details. 
According to 
https://github.com/openssh/openssh-portable/blob/76631fdd04824c3e50ea6551d3611b1fe0216a41/regress/misc/ssh-verify-attestation/ssh-verify-attestation.c#L33
it should be fine. 
What am I doing wrong?
Thank you.
-- 
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2025-Apr-19  04:34 UTC
[Bug 3815] ssh-verify-attestation fails to check attestation
https://bugzilla.mindrot.org/show_bug.cgi?id=3815
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Add -vvv to the commandline for more verbosity
bugzilla-daemon at mindrot.org
2025-Apr-19  15:57 UTC
[Bug 3815] ssh-verify-attestation fails to check attestation
https://bugzilla.mindrot.org/show_bug.cgi?id=3815
--- Comment #2 from Aleks <at at symbiosis.finance> ---
Hello,
> Add -vvv to the commandline for more verbosity
Here it is:
./openssh-portable/regress/misc/ssh-verify-attestation/ssh-verify-attestation -vvv -A ~/.ssh/id_ed25519_sk_yubi challenge id_ed25519_sk_yubi.attest
debug2: key id_ed25519_sk_yubi.attest: ED25519-SK SHA256:zK7k0i4T6b1Vx/LR5wK700kLz15Z9y/aYXMcAKJvdKM
debug1: basic attestation
basic attestation failed
bugzilla-daemon at mindrot.org
2025-Apr-21  02:06 UTC
[Bug 3815] ssh-verify-attestation fails to check attestation
https://bugzilla.mindrot.org/show_bug.cgi?id=3815
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
Maybe try adding -U to the command-line. This is required if you're
using a U2F rather than a FIDO2 token - it's not possible to
automatically detect this at present.

This tool is also pretty experimental, there may be bugs...
bugzilla-daemon at mindrot.org
2025-Apr-21  13:59 UTC
[Bug 3815] ssh-verify-attestation fails to check attestation
https://bugzilla.mindrot.org/show_bug.cgi?id=3815
--- Comment #4 from Aleks <at at symbiosis.finance> ---
(In reply to Damien Miller from comment #3)
> Maybe try adding -U to the command-line. This is required if you're
> using a U2F rather than a FIDO2 token - it's not possible to
> automatically detect this at present.
>
> This tool is also pretty experimental, there may be bugs...
With -U the output is exactly the same.
Btw, this tool successfully validates the attestation
https://gist.github.com/joostd/ed790ade9ddd4b711af6c1b80eaed7ca
Maybe it could be useful to understand what is happening.
bugzilla-daemon at mindrot.org
2025-Apr-30  23:18 UTC
[Bug 3815] ssh-verify-attestation fails to check attestation
https://bugzilla.mindrot.org/show_bug.cgi?id=3815
Darren Tucker <dtucker at dtucker.net> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
            Version|10.0p1                      |10.0p2
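An added example, not part of this thread or of OpenSSH's code: a small parser for the file written by `-O write-attestation`, assuming the `ssh-sk-attest-v01` layout described in OpenSSH's PROTOCOL.u2f (format tag, attestation certificate, enrollment signature, authenticator data, reserved flags, reserved string). It only splits and bounds-checks the fields, so a truncated or malformed file can be ruled out before suspecting the verifier; the function names and the sample blob are constructed for illustration.

```python
import struct
import sys

MAGIC = b"ssh-sk-attest-v01"  # format tag, per PROTOCOL.u2f (assumed layout)

def read_string(buf, off):
    """Read one SSH 'string': uint32 big-endian length, then that many bytes."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field at offset %d" % off)
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("string at offset %d overruns the file" % off)
    return buf[off:off + n], off + n

def parse_attestation(blob):
    """Split an attestation blob into its fields; ValueError if malformed."""
    magic, off = read_string(blob, 0)
    if magic != MAGIC:
        raise ValueError("unexpected format tag %r" % magic)
    cert, off = read_string(blob, off)
    sig, off = read_string(blob, off)
    authdata, off = read_string(blob, off)
    if off + 4 > len(blob):
        raise ValueError("truncated reserved flags")
    (flags,) = struct.unpack_from(">I", blob, off)
    reserved, off = read_string(blob, off + 4)
    if off != len(blob):
        raise ValueError("%d trailing bytes" % (len(blob) - off))
    return {"certificate": cert, "signature": sig, "authdata": authdata,
            "flags": flags, "reserved": reserved}

def pack_string(b):
    """Encode bytes as an SSH 'string' (used only to build the sample)."""
    return struct.pack(">I", len(b)) + b

# Constructed sample: placeholder bytes, not a real certificate or signature.
SAMPLE = (pack_string(MAGIC) + pack_string(b"\x30\x82CERT") +
          pack_string(b"SIG") + pack_string(b"AUTHDATA") +
          struct.pack(">I", 0) + pack_string(b""))

def summarize(blob):
    """Map each field to its length (flags keep their integer value)."""
    fields = parse_attestation(blob)
    return {k: (v if isinstance(v, int) else len(v)) for k, v in fields.items()}

if __name__ == "__main__":
    # Pass the path of an attestation file, or run with no argument for SAMPLE.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(summarize(data))
```

An empty certificate or authenticator-data field, or a `ValueError`, points at the file itself rather than at the verification step.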