bugzilla-daemon at mindrot.org
2025-Apr-18 09:33 UTC
[Bug 3815] New: ssh-verify-attestation fails to check attestation
https://bugzilla.mindrot.org/show_bug.cgi?id=3815 Bug ID: 3815 Summary: ssh-verify-attestation fails to check attestation Product: Portable OpenSSH Version: 10.0p1 Hardware: amd64 OS: Linux Status: NEW Severity: trivial Priority: P5 Component: Miscellaneous Assignee: unassigned-bugs at mindrot.org Reporter: at at symbiosis.finance Hello, I?m currently working with the ssh-verify-attestation tool to verify the attestation of a key generated on a YubiKey, using the following commands: dd if=/dev/random bs=1 count=32 of=challenge ssh-keygen -t ed25519-sk -O resident \ -O application=ssh:yubikey \ -O challenge=challenge \ -O write-attestation=id_ed25519_sk_yubi.attest \ -C "YubiKey FIDO SSH Key" \ -f ~/.ssh/id_ed25519_sk_yubi and when I run ./openssh-portable/regress/misc/ssh-verify-attestation/ssh-verify-attestation -A ~/.ssh/id_ed25519_sk_yubi challenge id_ed25519_sk_yubi.attest I get "basic attestation failed" without any details. According to https://github.com/openssh/openssh-portable/blob/76631fdd04824c3e50ea6551d3611b1fe0216a41/regress/misc/ssh-verify-attestation/ssh-verify-attestation.c#L33 it should be fine. What am I doing wrong? Thank you. -- You are receiving this mail because: You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2025-Apr-19 04:34 UTC
[Bug 3815] ssh-verify-attestation fails to check attestation
https://bugzilla.mindrot.org/show_bug.cgi?id=3815 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |djm at mindrot.org --- Comment #1 from Damien Miller <djm at mindrot.org> --- Add -vvv to the commandline for more verbosity -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2025-Apr-19 15:57 UTC
[Bug 3815] ssh-verify-attestation fails to check attestation
https://bugzilla.mindrot.org/show_bug.cgi?id=3815 --- Comment #2 from Aleks <at at symbiosis.finance> --- Hello,> Add -vvv to the commandline for more verbosityHere it is: ./openssh-portable/regress/misc/ssh-verify-attestation/ssh-verify-attestation -vvv -A ~/.ssh/id_ed25519_sk_yubi challenge id_ed25519_sk_yubi.attest debug2: key id_ed25519_sk_yubi.attest: ED25519-SK SHA256:zK7k0i4T6b1Vx/LR5wK700kLz15Z9y/aYXMcAKJvdKM debug1: basic attestation basic attestation failed -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2025-Apr-21 02:06 UTC
[Bug 3815] ssh-verify-attestation fails to check attestation
https://bugzilla.mindrot.org/show_bug.cgi?id=3815 --- Comment #3 from Damien Miller <djm at mindrot.org> --- Maybe try adding -U to the command-line. This is required if you're using a U2F rather than a FIDO2 token - it's not possible to automatically detect this at present. This tool is also pretty experimental, there may be bugs... -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2025-Apr-21 13:59 UTC
[Bug 3815] ssh-verify-attestation fails to check attestation
https://bugzilla.mindrot.org/show_bug.cgi?id=3815 --- Comment #4 from Aleks <at at symbiosis.finance> --- (In reply to Damien Miller from comment #3)> Maybe try adding -U to the command-line. This is required if you're > using a U2F rather than a FIDO2 token - it's not possible to > automatically detect this at present. > > This tool is also pretty experimental, there may be bugs...with -U the output is exactly the same. Btw, this tool successfully validates the attestation https://gist.github.com/joostd/ed790ade9ddd4b711af6c1b80eaed7ca may be it could be useful to understand what is happening. -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2025-Apr-30 23:18 UTC
[Bug 3815] ssh-verify-attestation fails to check attestation
https://bugzilla.mindrot.org/show_bug.cgi?id=3815 Darren Tucker <dtucker at dtucker.net> changed: What |Removed |Added ---------------------------------------------------------------------------- Version|10.0p1 |10.0p2 -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.