[arch-commits] Commit in vault/trunk (PKGBUILD vault-fix-ssh-rsa.patch)
Christian Rebischke
shibumi at archlinux.org
Sat Apr 4 11:53:13 UTC 2020
Date: Saturday, April 4, 2020 @ 11:53:12
Author: shibumi
Revision: 611558
upgpkg: vault 1.3.4-1 Fix #65559 + version bump
Added:
vault/trunk/vault-fix-ssh-rsa.patch
Modified:
vault/trunk/PKGBUILD
-------------------------+
PKGBUILD | 11 +++++++----
vault-fix-ssh-rsa.patch | 41 +++++++++++++++++++++++++++++++++++++++++
2 files changed, 48 insertions(+), 4 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2020-04-04 11:45:51 UTC (rev 611557)
+++ PKGBUILD 2020-04-04 11:53:12 UTC (rev 611558)
@@ -4,7 +4,7 @@
pkgname='vault'
pkgdesc='A tool for managing secrets'
-pkgver='1.3.3'
+pkgver='1.3.4'
pkgrel='1'
url="https://vaultproject.io/"
license=('MPL')
@@ -14,17 +14,19 @@
depends=('glibc')
install='vault.install'
backup=('etc/vault.hcl')
-_vault_commit='8e872c4ad94cb1f193a0fb239ae856e1fdf4bdb0'
+_vault_commit='3af4987cd9a61c2e915bcca410884c6e35f93060'
source=("git+https://github.com/hashicorp/vault#commit=${_vault_commit}"
'vault.service'
'vault.sysusers'
'vault.tmpfiles'
- 'vault.hcl')
+ 'vault.hcl'
+ 'vault-fix-ssh-rsa.patch')
sha512sums=('SKIP'
'6619cf57668e995cddb29fb6c388c18c21b251052a53832415e415bb4fe538361ef77b74536f5b082b9cda6cd71b598fc50d8b7f51092c4d60262052c5725af2'
'92616ccf83fa5ca9f8b0d022cf8ceb1f3549e12b66bf21d9f77f3eb26bd75ec1dc36c155948ec987c642067b85fbfc30a9217d6c503d952a402aa5ef63e50928'
'073f0f400cba78521cd2709ce86d88fbb14125117f9f3beca657f625d04eab8e00f7a01b5d9a1cfc03e9038844f5732bdbb1a85dd65a803d3f0b90f8bf87880e'
- '46106cc76151eef2dd5e4b2caa6a96aae4d6ce1ecbf977dcc8667a3f6c829cbea95133622adafcb15cdfaa066ecc94c73c983e7613ee2f6573694981569729fe')
+ '46106cc76151eef2dd5e4b2caa6a96aae4d6ce1ecbf977dcc8667a3f6c829cbea95133622adafcb15cdfaa066ecc94c73c983e7613ee2f6573694981569729fe'
+ '7aab08cc3e203ae9a0c440c53f1f970e086953b6564b0f3ec35a0ae23a1bcbd9bf3db1107ee1777d5a6cc18915a9e80514b8422a5077c2f059b14efd66bafb26')
changelog=CHANGELOG.md
prepare () {
@@ -35,6 +37,7 @@
export PACKAGE_ROOT="${GOPATH}/src/github.com/hashicorp/${pkgname}"
cd $PACKAGE_ROOT
git revert -n 61ff0fd8699dfe9efb9b014df8e9aff86a0aa924 #https://github.com/hashicorp/vault/issues/7475
+ patch -Np1 < "${srcdir}/vault-fix-ssh-rsa.patch"
}
build () {
Added: vault-fix-ssh-rsa.patch
===================================================================
--- vault-fix-ssh-rsa.patch (rev 0)
+++ vault-fix-ssh-rsa.patch 2020-04-04 11:53:12 UTC (rev 611558)
@@ -0,0 +1,41 @@
+diff --git a/builtin/logical/ssh/path_sign.go b/builtin/logical/ssh/path_sign.go
+index a64edfa2d..f3c83f765 100644
+--- a/builtin/logical/ssh/path_sign.go
++++ b/builtin/logical/ssh/path_sign.go
+@@ -9,6 +9,7 @@ import (
+ "crypto/sha256"
+ "errors"
+ "fmt"
++ "io"
+ "strconv"
+ "strings"
+ "time"
+@@ -484,10 +485,27 @@ func (b *creationBundle) sign() (retCert *ssh.Certificate, retErr error) {
+ },
+ }
+
+- err = certificate.SignCert(rand.Reader, b.Signer)
++ sshAlgorithmSigner, _ := b.Signer.(ssh.AlgorithmSigner)
++
++ // prepare certificate for signing
++ certificate.Nonce = make([]byte, 32)
++ if _, err := io.ReadFull(rand.Reader, certificate.Nonce); err != nil {
++ return nil, fmt.Errorf("failed to generate signed SSH key")
++ }
++ certificate.SignatureKey = sshAlgorithmSigner.PublicKey()
++
++ // get bytes to sign
++ c2 := *certificate
++ c2.Signature = nil
++ out := c2.Marshal()
++ certificateBytes := out[:len(out)-4]
++
++ // sign with rsa-sha2-256
++ sig, err := sshAlgorithmSigner.SignWithAlgorithm(rand.Reader, certificateBytes, ssh.SigAlgoRSASHA2256)
+ if err != nil {
+ return nil, fmt.Errorf("failed to generate signed SSH key")
+ }
++ certificate.Signature = sig
+
+ return certificate, nil
+ }
More information about the arch-commits
mailing list