From 2a82e2d216f11a30636b226fdaf74a035d62fcff Mon Sep 17 00:00:00 2001
From: Giteabot
Date: Thu, 14 Dec 2023 12:50:26 +0800
Subject: [PATCH] Retry SSH key verification with additional CRLF if it failed (#28392) (#28464)
Backport #28392 by @nekrondev
Windows-based shells will add a CRLF when piping the token into ssh-keygen command resulting in verification error. This resolves #21527.
Co-authored-by: nekrondev
Co-authored-by: Heiko Besemann
Co-authored-by: wxiaoguang
(cherry picked from commit b47482d58e86c636006f7b17b4d91786e6ed4d37)
---
 models/asymkey/ssh_key_verify.go | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/models/asymkey/ssh_key_verify.go b/models/asymkey/ssh_key_verify.go
index d6c16eb467..708196c668 100644
--- a/models/asymkey/ssh_key_verify.go
+++ b/models/asymkey/ssh_key_verify.go
@@ -29,10 +29,15 @@ func VerifySSHKey(ownerID int64, fingerprint, token, signature string) (string,
 return "", ErrKeyNotExist{}
 }
- if err := sshsig.Verify(bytes.NewBuffer([]byte(token)), []byte(signature), []byte(key.Content), "gitea"); err != nil {
- log.Error("Unable to validate token signature. Error: %v", err)
- return "", ErrSSHInvalidTokenSignature{
- Fingerprint: key.Fingerprint,
+ err = sshsig.Verify(bytes.NewBuffer([]byte(token)), []byte(signature), []byte(key.Content), "gitea")
+ if err != nil {
+ // edge case for Windows based shells that will add CR LF if piped to ssh-keygen command
+ // see https://github.com/PowerShell/PowerShell/issues/5974
+ if sshsig.Verify(bytes.NewBuffer([]byte(token+"\r\n")), []byte(signature), []byte(key.Content), "gitea") != nil {
+ log.Error("Unable to validate token signature. Error: %v", err)
+ return "", ErrSSHInvalidTokenSignature{
+ Fingerprint: key.Fingerprint,
+ }
 }
 }
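Review bot: The CRLF fallback in `VerifySSHKey` widens the set of messages a valid signature may cover from exactly `token` to `token` or `token+"\r\n"`, and the diffstat shows only this one file changed, so no test in the patch pins that set. I would add a test asserting that a signature over `token+"\r\n"` verifies while one over `token+"\n"` or any other padded form is still rejected, and extend the comment to say so, e.g. `// only the exact token and token+"\r\n" are accepted; do not relax this to general whitespace trimming`. When both attempts fail, the `err` passed to `log.Error` is the one from the first call and the second call's error is discarded; either log both or say in the comment that this is deliberate. The function starts before the hunk and appears to continue past it, so how `err` is declared and what happens on success are not visible here.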