Documentation
Overview
Package program provides an object signer that shells out to an arbitrary external binary using Git's invocation conventions for the requested signing format. The binary name is supplied by the caller; the package neither assumes nor defaults to any particular tool, so choosing the program and the key is the caller's responsibility.
For OpenPGP and X.509, the message is fed via stdin and the signature is read from stdout, matching git's invocation of gpg-style binaries (gpg and gpgsm).
For SSH, the message is written to a temporary file, the binary is invoked with ssh-keygen(1)'s -Y sign argument layout, and the signature is read from the .sig file that ssh-keygen writes beside the message file. Literal public keys, using Git's key:: prefix or the deprecated raw ssh-* form, are written to a temporary key file and passed with -f together with -U, which tells ssh-keygen that the matching private key lives in ssh-agent.
The program may be a bare binary name resolved on $PATH (e.g. "gpg") or a path to an executable (e.g. "/usr/bin/gpg" or "./gpg").
Index
Constants
This section is empty.
Variables
Sentinel errors:

	var (
		// ErrUnsupportedFormat is returned for an unrecognized signing format.
		ErrUnsupportedFormat = errors.New("unsupported signing format")
		// ErrEmptyProgram is returned when no program name was provided.
		ErrEmptyProgram = errors.New("program is empty")
		// ErrProgramNotFound is returned when program cannot be resolved as
		// either a path to an existing executable or a bare name on $PATH.
		ErrProgramNotFound = errors.New("program not found")
		// ErrEmptySigningKey is returned when no signing key was provided.
		ErrEmptySigningKey = errors.New("signing key is empty")
		// ErrNilMessage is returned when a nil message is passed to Sign.
		ErrNilMessage = errors.New("message is nil")
		// ErrOutputLimitExceeded is returned when the external program writes
		// more bytes to stdout or stderr than the configured limit.
		ErrOutputLimitExceeded = errors.New("output limit exceeded")
		// ErrSignatureTooLarge is returned when the signature produced by the
		// external program exceeds the maximum permitted size.
		ErrSignatureTooLarge = errors.New("signature too large")
	)
Functions
func New
New returns a signer that invokes program to produce a signature in the given format using the provided signing key.
program is either a bare binary name resolved on $PATH or a path to an executable; it must resolve at the time of this call, otherwise ErrProgramNotFound is returned.
For OpenPGP and X.509, signingKey is the key ID or fingerprint passed to the binary's -u flag (as part of -bsau).
For SSH, signingKey is the path to a private key file (or, when an agent is in use, the corresponding public key file) passed to ssh-keygen's -f flag, or a literal public key prefixed with key::. For compatibility with Git, raw ssh-* public keys are also accepted as literals. Path-style SSH keys have ~ and ~user prefixes expanded before they are passed to ssh-keygen.
Types
type Format
type Format string
Format identifies the signing protocol implemented by the external binary. Values mirror git's gpg.format configuration.
	const (
		// FormatOpenPGP selects gpg-style invocation: stdin/stdout with
		// --status-fd=2 -bsau <signingKey>.
		FormatOpenPGP Format = "openpgp"
		// FormatSSH selects ssh-keygen(1) -Y sign invocation.
		FormatSSH Format = "ssh"
		// FormatX509 selects gpgsm-style invocation, identical to FormatOpenPGP.
		FormatX509 Format = "x509"
	)
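The following Go program is an added example, not the package's own code: this page does not show New's signature, so every identifier below (resolveProgram, buildArgs, capWriter, run) is an assumption chosen to mirror the conventions described in the Overview, under New, and in the Format constants. It shows $PATH-versus-path program resolution, the gpg-style --status-fd=2 -bsau <key> argv with the message on stdin, the ssh-keygen -Y sign layout with a temporary key file and -U for literal key:: and raw ssh-* keys, and the stdout/stderr cap behind ErrOutputLimitExceeded. The -n git namespace is what git itself passes to ssh-keygen and is assumed here; ~ expansion and the temporary message file are left out, and a plain sh -c stands in for a real signer so the program runs without gpg or ssh-keygen installed.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
)

// Illustrative mirror of the conventions in this package's docs; all names are assumed.
type Format string

const FormatOpenPGP, FormatSSH, FormatX509 Format = "openpgp", "ssh", "x509"

var (
	ErrUnsupportedFormat   = errors.New("unsupported signing format")
	ErrProgramNotFound     = errors.New("program not found")
	ErrEmptySigningKey     = errors.New("signing key is empty")
	ErrOutputLimitExceeded = errors.New("output limit exceeded")
)

// resolveProgram: exec.LookPath consults $PATH only for a bare name, tries a name
// containing a separator directly, and requires the executable bit in both cases.
func resolveProgram(program string) (string, error) {
	path, err := exec.LookPath(program)
	if err != nil {
		return "", fmt.Errorf("%w: %q", ErrProgramNotFound, program)
	}
	return path, nil
}

// buildArgs returns the argv tail per format. For SSH the message is a file (msgPath);
// a literal key (key:: prefix, or deprecated raw ssh-*) is written under keyDir and
// passed with -U so ssh-keygen signs via ssh-agent. "-n git" is assumed from git.
func buildArgs(format Format, signingKey, msgPath, keyDir string) ([]string, error) {
	if signingKey == "" {
		return nil, ErrEmptySigningKey
	}
	switch format {
	case FormatOpenPGP, FormatX509:
		return []string{"--status-fd=2", "-bsau", signingKey}, nil
	case FormatSSH:
		literal := strings.TrimPrefix(signingKey, "key::")
		if literal == signingKey && !strings.HasPrefix(signingKey, "ssh-") { // path to a key file
			return []string{"-Y", "sign", "-n", "git", "-f", signingKey, msgPath}, nil
		}
		keyFile := filepath.Join(keyDir, "signing.pub")
		if err := os.WriteFile(keyFile, []byte(literal+"\n"), 0o600); err != nil {
			return nil, err
		}
		return []string{"-Y", "sign", "-n", "git", "-f", keyFile, "-U", msgPath}, nil
	}
	return nil, fmt.Errorf("%w: %q", ErrUnsupportedFormat, format)
}

// capWriter keeps at most limit bytes and refuses the rest, so a misbehaving
// signer cannot make the caller buffer unbounded output.
type capWriter struct {
	buf      []byte
	limit    int
	exceeded bool
}

func (w *capWriter) Write(p []byte) (int, error) {
	if len(w.buf)+len(p) > w.limit {
		w.exceeded = true
		return 0, ErrOutputLimitExceeded
	}
	w.buf = append(w.buf, p...)
	return len(p), nil
}

// run feeds message on stdin (the gpg-style convention) and returns stdout,
// with stdout and stderr each capped at limit bytes.
func run(program string, args []string, message string, limit int) ([]byte, error) {
	path, err := resolveProgram(program)
	if err != nil {
		return nil, err
	}
	cmd := exec.Command(path, args...)
	cmd.Stdin = strings.NewReader(message)
	stdout, stderr := &capWriter{limit: limit}, &capWriter{limit: limit}
	cmd.Stdout, cmd.Stderr = stdout, stderr
	runErr := cmd.Run()
	// Check the cap first: refusing bytes closes the pipe, the child usually dies of
	// SIGPIPE, and that exit error would otherwise mask the real cause.
	if stdout.exceeded || stderr.exceeded {
		return nil, ErrOutputLimitExceeded
	}
	if runErr != nil {
		return nil, fmt.Errorf("%s: %w: %s", program, runErr, strings.TrimSpace(string(stderr.buf)))
	}
	return stdout.buf, nil
}

func main() {
	args, _ := buildArgs(FormatOpenPGP, "0xDEADBEEF", "", "")
	fmt.Println("gpg", strings.Join(args, " "))
}
```

The cap is checked before the exit status on purpose: once capWriter refuses a write, Go closes the read end of the pipe and the child typically dies of SIGPIPE, so reporting that exit as the error would hide why it happened. A wall-clock bound (exec.CommandContext with a timeout) is the other limit worth adding when shelling out to a signer that may block on a pinentry or an agent prompt.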