Hello,

I've noticed that `ssh-keygen -Y find-principals` warns about empty lines in the allowed signers file, even though the documentation says they should be treated as comments:

$ ssh-keygen -Y find-principals -f allowed_signers.md -I wiktor at metacode.biz -n file -s rsa-key.txt.sig < rsa-key.txt
allowed_signers.md:3: missing key   <---- here
wiktor at metacode.biz

`-Y verify` doesn't have this issue:

$ ssh-keygen -Y verify -f allowed_signers.md -I wiktor at metacode.biz -n file -s rsa-key.txt.sig < rsa-key.txt
Good "file" signature for wiktor at metacode.biz with RSA key SHA256:xb+QgBmoSdveobEdwKqUb3BCk9SLJVxq3Ltu2o/FK7U

The man page documentation for ALLOWED_SIGNERS (https://man.archlinux.org/man/ssh-keygen.1#ALLOWED_SIGNERS):

> Empty lines and lines starting with a '#' are ignored as comments.

I'm using openssh version 9.6p1-3 as packaged in Arch Linux.

I've made a repo with all keys and files I'm using: https://github.com/wiktor-k/ssh-repro

Context: I'm using SSH signatures in git and wanted to add a bit of spacing in the file but then `git log --show-signature` shows all these warnings which I traced to be coming from `find-principals`:

commit 78bf960bccfd7677a72362ace717027dc4a7151a
Good "git" signature for wiktor at metacode.biz with ECDSA key SHA256:gp2CMX5++SXkPHiyva6kyhp2ftFo6r1HvYeDPVAxvXc
allowed_signers.md:3: missing key^M
allowed_signers.md:5: missing key^M
allowed_signers.md:7: missing key^M

Is this a minor issue or am I holding it wrong?

Thanks for your time!

Kind regards,
Wiktor

On Thu, 7 Mar 2024, Wiktor Kwapisiewicz wrote:

> Hello,
>
> I've noticed that `ssh-keygen -Y find-principals` warns about empty
> lines in the allowed signers file, even though the documentation says
> they should be treated as comments:
>
> $ ssh-keygen -Y find-principals -f allowed_signers.md -I
> wiktor at metacode.biz -n file -s rsa-key.txt.sig < rsa-key.txt
> allowed_signers.md:3: missing key <---- here
> wiktor at metacode.biz

I think this is what is happening:

> allowed_signers.md:3: missing key^M

You have line feed characters in your allowed_signers file, possibly from editing it on a Windows system. We don't currently ignore this character at the ends of lines. You could try removing them or try this patch:

diff --git a/sshsig.c b/sshsig.c index d50d65fe2..145bca862 100644 --- a/sshsig.c +++ b/sshsig.c @@ -747,7 +747,7 @@ parse_principals_key_and_options(const char *path, u_long linenum, char *line, cp = line; cp = cp + strspn(cp, " \t"); /* skip leading whitespace */ - if (*cp == '#' || *cp == '\0') + if (*cp == '#' || *cp == '\0' || strcmp(cp, "\r") == 0) return SSH_ERR_KEY_NOT_FOUND; /* blank or all-comment line */ /* format: identity[,identity...] [option[,option...]] key */
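
Review bot: the added test `strcmp(cp, "\r") == 0` in the blank-line condition of parse_principals_key_and_options() matches only when the remainder of the line is exactly one carriage return, so a line such as "\r" followed by a space or tab would still fall through to the "missing key" path. Consider trimming trailing "\r" (and whitespace) from `line` before this check, or testing `cp[strspn(cp, " \t\r")] == '\0'`, and extend the `/* blank or all-comment line */` comment to mention CR-terminated lines. Entries that carry a key and end in a carriage return are not touched by this hunk; nothing visible here shows how the rest of the function treats them.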
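
The "try removing them" option from the reply, as an added shell example that is not part of the original thread or of OpenSSH: it counts lines ending in a carriage return, lists the lines that are blank apart from the carriage return (the ones the reply's diagnosis ties to the `missing key^M` warnings), and writes a cleaned copy. The function names, the sample file and its placeholder keys are constructed for illustration.

```shell
#!/bin/sh
# Added example: find and strip carriage returns in an allowed_signers file.

# Constructed sample: an allowed_signers file saved with CRLF line endings.
# The key material is a placeholder, not a real key.
make_sample() {
    printf '# signers\r\nalice@example.com ssh-ed25519 AAAAPLACEHOLDER\r\n\r\nbob@example.com ssh-ed25519 AAAAPLACEHOLDER\r\n \t\r\n' > "$1"
}

# Number of lines that end in a carriage return.
count_cr_lines() {
    awk '/\r$/ { n++ } END { print n + 0 }' "$1"
}

# Line numbers of lines that hold nothing but whitespace and carriage returns.
cr_blank_lines() {
    awk '/^[ \t]*\r+$/ { print NR }' "$1"
}

# Print the file with trailing carriage returns removed from every line.
strip_cr() {
    awk '{ sub(/\r+$/, ""); print }' "$1"
}

# Demo on the constructed sample.
f=$(mktemp)
make_sample "$f"
echo "lines ending in CR: $(count_cr_lines "$f")"
echo "CR-only lines: $(cr_blank_lines "$f" | tr '\n' ' ')"
strip_cr "$f" > "$f.clean"
echo "lines ending in CR after cleanup: $(count_cr_lines "$f.clean")"
rm -f "$f" "$f.clean"
```

Run `strip_cr` into a new file and review the result before replacing the original, since git consults this file when it checks signatures.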