fix: make ssh key verification command more robust (#8821)

This is a follow-up to a13414341b.

There are two situations where the previous verification command could
fail:

* The user has an SSH key in a normal file, but no running SSH agent.

* The user uses a special SSH agent, but it's not specified via the
  SSH_AUTH_SOCK variable.

To fix that, we provide two separate commands to copy-paste. One
for file-based keys and one for agent-based keys. People using
file-based keys with a path other than the standard `~/.ssh/id_ed25519`
should notice themselves what to change. People using an SSH agent
get a little hint to make sure the SSH_AUTH_SOCK variable is set.

See also:
https://codeberg.org/Codeberg/Community/issues/2066

(no test or documentation changes)

### Release notes

- [ ] I do not want this change to show in the release notes.
- [x] I want the title to show in the release notes with a link to this pull request.
- [ ] I want the content of the `release-notes/<pull request number>.md` to be used for the release notes instead of the title.

## Testing

* `pr=8821 ; git fetch forgejo +refs/pull/$pr/head:refs/heads/wip-pr-$pr`

* `git checkout wip-pr-$pr`

* `make TAGS='sqlite sqlite_unlock_notify' watch`

* login

* visit /user/settings/keys and add an ssh key

* click verify

* see a CLI sample is displayed
      ![image](/attachments/7350cbe5-4a78-47a7-821f-575dd0a43e0e)

* run the command matching your setup (file-based SSH key or agent-provided one), copy paste the output and submit it

* check that the verification is successful
      ![image](attachments/20074f32-e06f-42fd-9732-32171016c47e)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8821
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Remo Senekowitsch <remo@buenzli.dev>
Co-committed-by: Remo Senekowitsch <remo@buenzli.dev>
Remo Senekowitsch 2025-08-11 07:44:27 +02:00 committed by Earl Warren
commit ae785c1aa2
2 changed files with 5 additions and 0 deletions

@ -895,6 +895,7 @@ ssh_invalid_token_signature = The provided SSH key, signature or token do not ma
ssh_token_required = You must provide a signature for the below token
ssh_token = Token
ssh_token_help = You can generate a signature using:
ssh_token_help_ssh_agent = or, if you're using an SSH agent (with the SSH_AUTH_SOCK variable set):
ssh_token_signature = Armored SSH signature
key_signature_ssh_placeholder = Begins with "-----BEGIN SSH SIGNATURE-----"
verify_ssh_key_success = SSH key "%s" has been verified.
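
Review bot: the new `ssh_token_help_ssh_agent` string starts with a lowercase "or," so it only reads correctly when rendered directly after `ssh_token_help`, and `ssh_token_help` itself ("You can generate a signature using:") still does not say that its command is the file-based case. Consider making each string self-contained, one naming the private-key file case and one naming the agent case, so that translators and any later reordering of the template do not depend on a sentence continuing across two keys. The parenthetical only says the SSH_AUTH_SOCK variable should be set; a word on what to do when it is not would cover the second failure case the commit message lists.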

@ -77,7 +77,11 @@
<label for="token">{{ctx.Locale.Tr "settings.ssh_token"}}</label>
<input readonly="" value="{{$.TokenToSign}}">
<div class="help">
<br>
<p>{{ctx.Locale.Tr "settings.ssh_token_help"}}</p>
<div class="markup"><pre class="code-block"><code>echo -n '{{$.TokenToSign}}' | ssh-keygen -Y sign -n gitea -f ~/.ssh/id_ed25519 # or the path to the private key if it is different.</code></pre></div>
<br>
<p>{{ctx.Locale.Tr "settings.ssh_token_help_ssh_agent"}}</p>
<div class="markup"><pre class="code-block"><code>bash -c "echo -n '{{$.TokenToSign}}' | ssh-keygen -Y sign -n gitea -f <(echo '{{.OmitEmail}}')"</code></pre></div>
<br>
<details>
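
Review bot: in the agent command, `{{$.TokenToSign}}` and `{{.OmitEmail}}` sit in single quotes inside a double-quoted `bash -c "..."` string, so the shell the user pastes into still interprets `$`, backticks, `\` and `"` in those values before bash runs, and a `'` in either value would end the inner quoting. Since this line is meant to be copy-pasted into a terminal, please confirm that both values can only contain characters that are inert in that position, and say so in a template comment. The help text also does not explain that the `bash -c` wrapper exists for the `<(...)` process substitution, or that `-f` is fed `{{.OmitEmail}}` instead of a private key path so that ssh-keygen takes the private half from the agent; a short template comment would keep a later editor from simplifying the line. Unlike the file-based command, which ends with `# or the path to the private key if it is different.`, this one gives no hint for the case where the agent does not hold the key.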