### Start Python Interpreter Source: https://github.com/castedo/sshsig/blob/main/docs/tutorial/check_signature.md Start the Python 3 interpreter from the command line. This is where the tutorial's Python code examples will be executed. ```bash python3 ``` -------------------------------- ### Install sshsig Python Library Source: https://github.com/castedo/sshsig/blob/main/docs/index.md Install the sshsig library using pip. This is the primary method for obtaining the package. ```bash pip install sshsig ``` -------------------------------- ### Create an allowed signers file content Source: https://github.com/castedo/sshsig/blob/main/docs/tutorial/verify_signature.md Create the content for an allowed signers file, specifying allowed namespaces and public keys. This example includes the public key from the signature and another key. ```python import io file = io.StringIO(f"""\n* namespaces="git" {pub_key} * namespaces="git" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMlKQFTcI28lrqcq8goeL2p1cxdHhm4/reBgjKDp1Ise """) ``` -------------------------------- ### Define the signed message Source: https://github.com/castedo/sshsig/blob/main/docs/tutorial/verify_signature.md Define the message content that was signed. This example uses a Git commit message. ```python message = """\n tree 8d602ce92adf2a598552736e97f07e5b8ab2b0a8 parent 06b3e55161aae343d23453f7443904512599a513 author Castedo Ellerman 1736017937 -0500 committer Castedo Ellerman 1736017937 -0500 add py.typed marker """ ``` -------------------------------- ### Check SSH Signature and Get Public Key Source: https://github.com/castedo/sshsig/blob/main/docs/howto/check_commit.md Extract the raw message and signature from the commit object, then use sshsig.check_signature to verify the signature and obtain the public key. No exception raised indicates a valid signature. ```python import sshsig message = commit.raw_without_sig() signature = commit.gpgsig pub_key = sshsig.check_signature(message, signature) ``` -------------------------------- ### Get Git Commit Object Source: https://github.com/castedo/sshsig/blob/main/docs/howto/check_commit.md Load the Git repository and retrieve the HEAD commit object using the dulwich library within a Python interpreter or script. ```python import dulwich.repo repo = dulwich.repo.Repo('.') commit = repo[b'HEAD'] ``` -------------------------------- ### Check signature and get public key Source: https://github.com/castedo/sshsig/blob/main/docs/tutorial/verify_signature.md Use sshsig.check_signature to verify the message against the signature and retrieve the public key used for signing. This confirms the signature's integrity but not the signer's identity. ```python import sshsig pub_key = sshsig.check_signature(message, signature) print(pub_key) ``` -------------------------------- ### Load allowed signers and filter for Git Source: https://github.com/castedo/sshsig/blob/main/docs/tutorial/verify_signature.md Load the allowed signers file and filter the keys specifically for Git-related namespaces. This prepares the allow list for verification. ```python from sshsig.allowed_signers import load_allowed_signers_file, for_git_allowed_keys allow_list = for_git_allowed_keys(load_allowed_signers_file(file)) print(*allow_list, sep="\n") ``` -------------------------------- ### Print the signing public key Source: https://github.com/castedo/sshsig/blob/main/docs/tutorial/check_signature.md Convert the retrieved public key object to its string representation in OpenSSH format and print it. ```python str(pub_key) ``` -------------------------------- ### Verify signature against allow list Source: https://github.com/castedo/sshsig/blob/main/docs/tutorial/verify_signature.md Use sshsig.verify to simultaneously check the signature and verify that the signing public key is present in the provided allow list. This is a combined verification step. ```python pub_key = sshsig.verify(message, signature, allow_list) ``` -------------------------------- ### Print Signing Public Key Source: https://github.com/castedo/sshsig/blob/main/docs/howto/check_commit.md Display the SSH public key that was used to sign the HEAD Git commit. Note that this step only confirms the signature, not the identity of the signer. ```python print(f"HEAD commit signed with public key {pub_key}") ``` -------------------------------- ### sshsig.allowed_signers Source: https://github.com/castedo/sshsig/blob/main/docs/reference.md Utilities for managing allowed signers files. ```APIDOC ## sshsig.allowed_signers ### Description Utilities for managing allowed signers files. ### Members - **load_allowed_signers_file**: (Function) Loads an allowed signers file. - **for_git_allowed_keys**: (Function) Generates allowed keys configuration for Git. - **save_for_git_allowed_signers_file**: (Function) Saves the allowed signers configuration for Git. ``` -------------------------------- ### Check if public key is in allow list Source: https://github.com/castedo/sshsig/blob/main/docs/tutorial/verify_signature.md Check if the public key obtained from the signature is present in the loaded allow list. This is a direct boolean check. ```python pub_key in allow_list ``` -------------------------------- ### Define the signed message Source: https://github.com/castedo/sshsig/blob/main/docs/tutorial/check_signature.md Define the message string that was signed. This message will be used later to verify the signature. ```python message = "Hello World.\n" ``` -------------------------------- ### sshsig.sshsig.verify Source: https://github.com/castedo/sshsig/blob/main/docs/reference.md Verifies an SSH signature. ```APIDOC ## sshsig.sshsig.verify ### Description Verifies an SSH signature. ### Method (Not specified, likely a function call) ### Parameters (Parameters not explicitly detailed in the source for this function signature) ### Request Example (No example provided in the source) ### Response (Response details not explicitly detailed in the source) ``` -------------------------------- ### Define the signature Source: https://github.com/castedo/sshsig/blob/main/docs/tutorial/verify_signature.md Define the SSH signature in PEM format. This is the signature corresponding to the message. ```python signature = """----BEGIN SSH SIGNATURE----- U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAghB1C63jrmh3eWRXJVbrTfw9wP/ BIZf/aKPdFxBlMCq0AAAADZ2l0AAAAAAAAAAZzaGE1MTIAAABTAAAAC3NzaC1lZDI1NTE5 AAAAQMroG89bt34Civt2ftnKSDj/qpskASeCBHUfc8KQCUl1LAq4gAy4xQ1orAtiEaj5EM yMvtlcxbEImHo4KtbOewA= -----END SSH SIGNATURE----- """ ``` -------------------------------- ### Provide the SSH signature Source: https://github.com/castedo/sshsig/blob/main/docs/tutorial/check_signature.md Store the plain-text encoded SSH signature in a multi-line string. This signature is expected to correspond to the defined message. ```python signature = """ -----BEGIN SSH SIGNATURE----- U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAghB1C63jrmh3eWRXJVbrTfw9wP/ BIZf/aKPdFxBlMCq0AAAADZ2l0AAAAAAAAAAZzaGE1MTIAAABTAAAAC3NzaC1lZDI1NTE5 AAAAQCK1pq8IPKuxTat0RJbZ0LjElEgXNowFdFKElzuq9gunl2b4DHrla0FTkUJKp1eOk1 +GOGN+EejKcsFnrfmZ1gE= -----END SSH SIGNATURE----- """ ``` -------------------------------- ### Clone sshsig repository Source: https://github.com/castedo/sshsig/blob/main/docs/howto/check_commit.md Clone the specified release of the sshsig repository to obtain a Git commit with an SSH signature for testing. ```bash git clone https://github.com/castedo/sshsig.git -b 0.2.2 cd sshsig ``` -------------------------------- ### Check signature with the message Source: https://github.com/castedo/sshsig/blob/main/docs/tutorial/check_signature.md Use the `sshsig.check_signature` function to verify that the provided signature matches the message. If the signature is valid, the function returns the public key used for signing. ```python import sshsig pub_key = sshsig.check_signature(message, signature) ``` -------------------------------- ### Attempt to check signature with a different message Source: https://github.com/castedo/sshsig/blob/main/docs/tutorial/check_signature.md Demonstrates that `sshsig.check_signature` raises an `InvalidSignature` exception when the provided message does not match the signature. ```python sshsig.check_signature("A different message", signature) ``` -------------------------------- ### sshsig.ssh_public_key.PublicKey Source: https://github.com/castedo/sshsig/blob/main/docs/reference.md Represents an SSH public key and provides methods for key manipulation. ```APIDOC ## sshsig.ssh_public_key.PublicKey ### Description Represents an SSH public key and provides methods for key manipulation. ### Members - **from_openssh_str**: (Method) Creates a PublicKey object from an OpenSSH string. - **openssh_str**: (Property/Method) Returns the OpenSSH string representation of the public key. - **sha256_str**: (Property/Method) Returns the SHA256 fingerprint string of the public key. ``` -------------------------------- ### sshsig.sshsig.check_signature Source: https://github.com/castedo/sshsig/blob/main/docs/reference.md Checks the signature of a given message against a public key. ```APIDOC ## sshsig.sshsig.check_signature ### Description Checks the signature of a given message against a public key. ### Method (Not specified, likely a function call) ### Parameters (Parameters not explicitly detailed in the source for this function signature) ### Request Example (No example provided in the source) ### Response (Response details not explicitly detailed in the source) ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.