From ae785c1aa2be97c5778c4d9cba5cbdcada465c30 Mon Sep 17 00:00:00 2001 
From: Remo Senekowitsch
Date: Mon, 11 Aug 2025 07:44:27 +0200
Subject: [PATCH] fix: make ssh key verification command more robust (#8821)

This is a follow-up to a13414341b7e462ef5dabc17fad8ff6efda7c370.

There are two situations where the previous verification command could fail:

* The user has an SSH key in a normal file, but no running SSH agent.
* The user uses a special SSH agent, but it's not specified via the SSH_AUTH_SOCK variable.

To fix that, we provide two separate commands to copy-paste. One for file-based keys and one for agent-based keys.

People using file-based keys with a path other than the standard `~/.ssh/id_ed25519` should notice themselves what to change. People using an SSH agent get a little hint to make sure the SSH_AUTH_SOCK variable is set.

See also: https://codeberg.org/Codeberg/Community/issues/2066

(no test or documentation changes)

### Release notes

- [ ] I do not want this change to show in the release notes.
- [x] I want the title to show in the release notes with a link to this pull request.
- [ ] I want the content of the `release-notes/.md` to be used for the release notes instead of the title.

## Testing

* `pr=8821 ; git fetch forgejo +refs/pull/$pr/head:refs/heads/wip-pr-$pr`
* `git checkout wip-pr-$pr`
* `make TAGS='sqlite sqlite_unlock_notify' watch`
* login
* visit /user/settings/keys and add an ssh key
* click verify
* see a CLI sample is displayed
  ![image](/attachments/7350cbe5-4a78-47a7-821f-575dd0a43e0e)
* run the command matching your setup (file-based SSH key or agent-provided one), copy paste the output and submit it
* check that the verification is successful
  ![image](attachments/20074f32-e06f-42fd-9732-32171016c47e)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8821
Reviewed-by: Earl Warren
Co-authored-by: Remo Senekowitsch
Co-committed-by: Remo Senekowitsch
---
 options/locale/locale_en-US.ini       | 1 +
 templates/user/settings/keys_ssh.tmpl | 4 ++++
 2 files changed, 5 insertions(+)

diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini index bfc657540b..2664a59ac9 100644 --- a/options/locale/locale_en-US.ini +++ b/options/locale/locale_en-US.ini @@ -895,6 +895,7 @@ ssh_invalid_token_signature = The provided SSH key, signature or token do not ma ssh_token_required = You must provide a signature for the below token ssh_token = Token ssh_token_help = You can generate a signature using: +ssh_token_help_ssh_agent = or, if you're using an SSH agent (with the SSH_AUTH_SOCK variable set): ssh_token_signature = Armored SSH signature key_signature_ssh_placeholder = Begins with "-----BEGIN SSH SIGNATURE-----" verify_ssh_key_success = SSH key "%s" has been verified. diff --git a/templates/user/settings/keys_ssh.tmpl b/templates/user/settings/keys_ssh.tmpl index 420a25cb1d..d7cc074db8 100644 --- a/templates/user/settings/keys_ssh.tmpl +++ b/templates/user/settings/keys_ssh.tmpl @@ -77,7 +77,11 @@
+

{{ctx.Locale.Tr "settings.ssh_token_help"}}

+
echo -n '{{$.TokenToSign}}' | ssh-keygen -Y sign -n gitea -f ~/.ssh/id_ed25519 # or the path to the private key if it is different.
+
+

{{ctx.Locale.Tr "settings.ssh_token_help_ssh_agent"}}

bash -c "echo -n '{{$.TokenToSign}}' | ssh-keygen -Y sign -n gitea -f <(echo '{{.OmitEmail}}')"
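
Review bot: In options/locale/locale_en-US.ini, the new ssh_token_help_ssh_agent string mentions SSH_AUTH_SOCK only as a parenthetical ("with the SSH_AUTH_SOCK variable set"), which gives no direction for the second failure case named in the commit message, an agent that is not specified via SSH_AUTH_SOCK. Consider wording that tells the user what to do, for example that SSH_AUTH_SOCK must point to their agent's socket in the shell where the command is run. The string also starts with a lowercase "or," so it only reads correctly when rendered directly after the file-based command; a short comment for translators stating that dependency would help.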
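
Review bot: In templates/user/settings/keys_ssh.tmpl, the file-based command pipes the token with `echo -n` in whatever shell the user pastes it into, while only the agent command is wrapped in `bash -c`. `echo -n` is not portable, and a shell whose echo does not honour it feeds ssh-keygen different bytes than {{$.TokenToSign}}, which can make verification fail for a reason the user cannot see. Since the goal of the change is robustness, consider `printf '%s' '{{$.TokenToSign}}'` in both commands. Separately, the trailing `# or the path to the private key if it is different.` is hard-coded English in the template, while both help lines go through ctx.Locale.Tr; it would be more consistent to move it into a locale string.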