x/crypto/ssh: Unmarshal for SSH_AGENTC_EXTENSION #51689

lpcalisi · 2022-03-15T20:16:20Z

OpenSSH 8.9 will include the ability to control how and where keys in ssh-agent may be used, both locally and when forwarded (subject to some limitations).

This new feature implements a new agent extension an it doesn't compatible with Golang SSH Agent library. This kind of messages could not be parsed by Unmarshall method.

The message format is:

byte            SSH_AGENTC_EXTENSION (0x1b)
string          [email protected]
string          hostkey
string          session identifier
string          signature
bool            is_forwarding

The error is ssh: parse error in message type 27, when 27 is the SSH_AGENTC_EXTENSION message type (referenced in SSH Agent Protocol)

The text was updated successfully, but these errors were encountered:

seankhliao · 2022-03-15T21:24:04Z

cc @FiloSottile

lpcalisi · 2022-05-05T12:47:03Z

hi team! any news about it? thanks you! @seankhliao @FiloSottile

gopherbot · 2022-06-14T17:40:00Z

Change https://go.dev/cl/412154 mentions this issue: ssh/agent: fix extensionAgentMsg

jrcasso · 2022-07-27T17:35:04Z

just a call-out: I'm encountering this error when binding the ssh-agent in Docker builds as described here.

bdols · 2022-08-05T18:16:07Z

not sure if I'm in the right project, but I'm also seeing this exact error of ssh: parse error in message type 27 when using the ssh-agent binding with docker-ce and rootless containerd w/nerdctl. But, I'm only seeing this with a ubuntu 22 base image whereas with a ubuntu 20 base image I do not see this error.

This resolves errors stemming from golang/go#51689

gcsfred2 · 2022-11-02T16:08:07Z

I'm encountering this error when binding the ssh-agent in Docker builds. No solution. golang:1.19-alpine3.16 image.

AkihiroSuda · 2022-11-11T00:31:06Z

@jrcasso @bdols @gcsfred2
https://github.com/moby/buildkit/issues is the right repo to report your issues.

Reported as:

ssh: agent support is incompatible with OpenSSH >= 8.9 (ssh: parse error in message type 27) moby/buildkit#3273

The OpenSSH wire format just suffixes the raw extension body, without a nested string. Fixes golang/go#51689 Change-Id: Ic224cedb934ba0563abca9a45a6be1c67769ed6d Reviewed-on: https://go-review.googlesource.com/c/crypto/+/412154 Reviewed-by: Roland Shoemaker <[email protected]> Run-TryBot: Filippo Valsorda <[email protected]> Run-TryBot: hopehook <[email protected]> Reviewed-by: Daniel Lublin <[email protected]> Auto-Submit: Filippo Valsorda <[email protected]> Reviewed-by: Filippo Valsorda <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: David Chase <[email protected]>

- fixes compatibility with OpenSSH >= 8.9 (moby/buildkit#3273) - relates to golang/go#51689 (comment) full diff: golang/crypto@3147a52...v0.1.0 Signed-off-by: Sebastiaan van Stijn <[email protected]>

The OpenSSH wire format just suffixes the raw extension body, without a nested string. Fixes golang/go#51689 Change-Id: Ic224cedb934ba0563abca9a45a6be1c67769ed6d Reviewed-on: https://go-review.googlesource.com/c/crypto/+/412154 Reviewed-by: Roland Shoemaker <[email protected]> Run-TryBot: Filippo Valsorda <[email protected]> Run-TryBot: hopehook <[email protected]> Reviewed-by: Daniel Lublin <[email protected]> Auto-Submit: Filippo Valsorda <[email protected]> Reviewed-by: Filippo Valsorda <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: David Chase <[email protected]>

[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Update | Change | |---|---|---| | [earthly/earthly](https://togithub.com/earthly/earthly) | minor | `v0.1.0` -> `v0.7.19` | | [earthly/earthly](https://togithub.com/earthly/earthly) | patch | `v0.7.17` -> `v0.7.19` | | [earthly/earthly](https://togithub.com/earthly/earthly) | minor | `v0.5.24` -> `v0.7.19` | | [earthly/earthly](https://togithub.com/earthly/earthly) | patch | `v0.7.10` -> `v0.7.19` | --- ### Release Notes <details> <summary>earthly/earthly (earthly/earthly)</summary> ### [`v0.7.19`](https://togithub.com/earthly/earthly/blob/HEAD/CHANGELOG.md#v0719---2023-09-20) [Compare Source](https://togithub.com/earthly/earthly/compare/v0.7.17...v0.7.19) ##### Added - Added "dev.earthly.\*" LABELS to saved images, for example `dev.earthly.version` will be set to `v0.7.19` (or whatever version of earthly is used) [#3247](https://togithub.com/earthly/earthly/issues/3247). - Added option to verbose print known_hosts to make it easier to debug git related commands [#3234](https://togithub.com/earthly/earthly/issues/3234). ##### Fixed - When a project based secret is not found, the name of the secret will now be displayed along with the "not found" error. ##### Changed - Log sharing will now stream logs as your build is running (rather than uploading logs when build execution completes). - Satellite reserve calls will now retry on error [#3255](https://togithub.com/earthly/earthly/issues/3255). - Display warning when TLS is disabled. ### [`v0.7.17`](https://togithub.com/earthly/earthly/blob/HEAD/CHANGELOG.md#v0717---2023-08-30) [Compare Source](https://togithub.com/earthly/earthly/compare/v0.7.16...v0.7.17) ##### Added - Added a `--pass-arg` flag that can be used with `BUILD`, `FROM`, `COPY`, `WITH DOCKER --load`, or `DO`, which will pass all build arguments to external Earthfiles. [#1891](https://togithub.com/earthly/earthly/issues/1891) ### [`v0.7.16`](https://togithub.com/earthly/earthly/blob/HEAD/CHANGELOG.md#v0716---2023-08-28) [Compare Source](https://togithub.com/earthly/earthly/compare/v0.7.15...v0.7.16) ##### Fixed - Fixed a cgroup v2 related bug that affected systemd-based images (such as kind) from being run via `WITH DOCKER`. [#3159](https://togithub.com/earthly/earthly/issues/3159) ##### Changed - Removed redundant output when parts of builds are re-used; the `--verbose` flag will still display the output. - Calling `earthly secret set <path>` (when run interactively) will now prompt for a single-line secret if no other flags are given. - fixed bug in `earthly registry setup` which was waiting for an end of file (eof) rather than newline, when prompting for a password. ##### Added - Added additional error message output when buildkit scheduller errors occur (in order to help debug the ongoing [2957](https://togithub.com/earthly/earthly/issues/2957) issue). ### [`v0.7.15`](https://togithub.com/earthly/earthly/blob/HEAD/CHANGELOG.md#v0715---2023-08-04) [Compare Source](https://togithub.com/earthly/earthly/compare/v0.7.14...v0.7.15) ##### Fixed - Fixed a bug in `WITH DOCKER` which prevented the use of newer versions of docker. [#3164](https://togithub.com/earthly/earthly/issues/3164) ### [`v0.7.14`](https://togithub.com/earthly/earthly/blob/HEAD/CHANGELOG.md#v0714---2023-07-31) [Compare Source](https://togithub.com/earthly/earthly/compare/v0.7.13...v0.7.14) ##### Changed - Update buildkit (contains upstream changes up to [`687091b`](https://togithub.com/earthly/earthly/commit/687091bb6c8aaa0185cdc570c4db3db533f329d0)). - Use `HTTPS_PROXY` env when connecting to earhly cloud API. ### [`v0.7.13`](https://togithub.com/earthly/earthly/blob/HEAD/CHANGELOG.md#v0713---2023-07-26) [Compare Source](https://togithub.com/earthly/earthly/compare/v0.7.12...v0.7.13) ##### Added - `earthly account list-tokens` now shows the last time a token was used - Experimental command `earthly init` to initialize an Earthfile in a project (currently supporting only golang projects) ##### Fixed - Fixed a bug, where the command to create tokens with a set expiration failed. - Long pauses at the end of builds, which were characterized by apparent freezes or delays with the message `Waiting on Buildkit...`. - `earthly account create-token` no longer panics when parsing expiration date - `earthly account login` could change the active user when the JWT expired and an SSH key existed for a different user; now earthly will either refresh the JWT or error ##### Changed - Setting env vars like `FORCE_COLOR`, or `EARTHLY_FULL_TARGET` to `0`, `false`, `FALSE`, or \`\` (an empty-string) will no longer force the color, use any other value like `1`, `true`, or `yesplease`. - `earthly org list` now shows the currently selected org ### [`v0.7.12`](https://togithub.com/earthly/earthly/blob/HEAD/CHANGELOG.md#v0712---2023-07-17) [Compare Source](https://togithub.com/earthly/earthly/compare/v0.7.11...v0.7.12) ##### Added - warning if acquiring file-lock takes longer than 3 seconds. ##### Changed - improved error message when a 429 too many requests rate limit error occurs. - `earthly sat ls -a` shows last accessed time - improved output for listing auth tokens ##### Fixed - make use of org from earthly config when using satellite commands. ### [`v0.7.11`](https://togithub.com/earthly/earthly/blob/HEAD/CHANGELOG.md#v0711---2023-07-06) [Compare Source](https://togithub.com/earthly/earthly/compare/v0.7.10...v0.7.11) ##### Added - `global.org` configuration value to set a default org for all `earthly` commands that require it. - `earthly org select` and `earthly org unselect` commands, as shortcuts to set a default organization in the `earthly` config file. ##### Changed - Removed the default size in satellite launch (the default size is now determined by the backend when not provided) [#3057](https://togithub.com/earthly/earthly/issues/3057) - Deprecated the satellite org configuration value. It uses the new global configuration value. ### [`v0.7.10`](https://togithub.com/earthly/earthly/blob/HEAD/CHANGELOG.md#v0710---2023-07-05) [Compare Source](https://togithub.com/earthly/earthly/compare/v0.7.9...v0.7.10) ##### Changed - Removed the default size in satellite launch (the default size is now determined by the backend when not provided) [#3057](https://togithub.com/earthly/earthly/issues/3057) - Earthly cloud organization auto-detection has been deprecated and should now be explicitly set with the `--org` flag or with the `EARTHLY_ORG` environment variable. - Buildkit has been updated to include upstream changes up to [`cdf28d6`](https://togithub.com/earthly/earthly/commit/cdf28d6fff9583a0b173c62ac9a28d1626599d3b). ##### Fixed - Updated the podman auth provider to better understand podman `auth.json` locations. [#3038](https://togithub.com/earthly/earthly/issues/3038) - Fixed our aggregated authprovider ignoring the cloud authprovider when a project is set after the first creds lookup [#3058](https://togithub.com/earthly/earthly/issues/3058) ### [`v0.7.9`](https://togithub.com/earthly/earthly/blob/HEAD/CHANGELOG.md#v079---2023-06-22) [Compare Source](https://togithub.com/earthly/earthly/compare/v0.7.8...v0.7.9) ##### Changed - The command `docker-build` now also supports passing multiple platforms using a comma (e.g `--platform linux/amd64,linux/arm64`) - Increased temporary lease duration of buildkit's history queue to prevent unknown history in blob errors under high cpu load. [#3000](https://togithub.com/earthly/earthly/issues/3000) - Performing an `earthly account logout` will keep you logged out -- earthly will no longer attempt an auto-login via ssh-agent (use `earthly account login` to log back in). ##### Fixed - Fixed a bug in satellite update command which was incorrectly changing satellites to medium size. - Fixed support for being authenticated with multiple registries when using the cloud-based `earthly registry` feature. [#3010](https://togithub.com/earthly/earthly/issues/3010) - Fixed `WITH DOCKER` auto install script when using latest (bookworm) version. ##### Added - Buildkit logs now include version and revision. - Satellite name autocompletion ### [`v0.7.8`](https://togithub.com/earthly/earthly/blob/HEAD/CHANGELOG.md#v078---2023-06-07) [Compare Source](https://togithub.com/earthly/earthly/compare/v0.7.7...v0.7.8) ##### Added - Add a new command `docker-build` to build a docker image using a Dockerfile without using an Earthfile, locally or on a satellite. ##### Changed - `FROM DOCKERFILE` will use a `.dockerignore` file when using a build context from the host system and both `.earthlyignore` and `.earthignore` do not exist. Enable with `VERSION --use-docker-ignore 0.7`. ##### Fixed - Fixed upstream race condition bug in buildkit, which resulted in `failed to solve: unknown blob sha256:<...> in history` errors. [#3000](https://togithub.com/earthly/earthly/issues/3000) ### [`v0.7.7`](https://togithub.com/earthly/earthly/blob/HEAD/CHANGELOG.md#v077---2023-06-01) [Compare Source](https://togithub.com/earthly/earthly/compare/v0.7.6...v0.7.7) ##### Added - The new ARG `EARTHLY_CI_RUNNER` indicates whether the current build is executed in Earthly CI. Enable with `VERSION --earthly-ci-runner-arg 0.7`. ##### Changed - Updated buildkit up to [`60d134b`](https://togithub.com/earthly/earthly/commit/60d134bf7) and fsutil up to [`9e7a6df`](https://togithub.com/earthly/earthly/commit/9e7a6df48576); this includes a buildkit fix for 401 Unauthorized errors. [#2973](https://togithub.com/earthly/earthly/issues/2973) - Enabled `GIT_LFS_SKIP_SMUDGE=1` when pulling git repos (to avoid pulling in large files initially). ##### Fixed - The earthly docker image incorrectly showed `dev-main` under the embedded buildkit version. ### [`v0.7.6`](https://togithub.com/earthly/earthly/blob/HEAD/CHANGELOG.md#v076---2023-05-23) [Compare Source](https://togithub.com/earthly/earthly/compare/v0.7.5...v0.7.6) ##### Added - Better error messages when git opperations fail. - Added a `runc-ps` script under the earthly-buildkitd container to make it easier to see what processes are running. ##### Fixed - The builtin 'docker compose' (rather than `docker-compose` script) is now used when using the `WITH DOCKER` command under alpine 3.18 or greater. - Fixed context timeout value overflow when connecting to a remote buildkit instance. ### [`v0.7.5`](https://togithub.com/earthly/earthly/blob/HEAD/CHANGELOG.md#v075---2023-05-10) [Compare Source](https://togithub.com/earthly/earthly/compare/v0.7.4...v0.7.5) ##### Changed - Remote BuildKit will use TLS by default. - Deprecation warning: Secret IDs naming scheme should follow the ARG naming scheme; i.e. a letter followed by alphanumeric characters or underscores. [#2883](https://togithub.com/earthly/earthly/issues/2883) - Secrets take precedence over ARGs of the same name. [#2931](https://togithub.com/earthly/earthly/issues/2931) ##### Added - Experimental support for performing a `git lfs pull --include=<path>` when referencing a remote target on the cli, when used with the new `--git-lfs-pull-include` flag. [#2992](https://togithub.com/earthly/earthly/pull/2922) ##### Fixed - `SAVE IMAGE <img>` was incorrectly pushed when earthly was run with the `--push` cli flag (this restores the requirement that images that are pushed must be defined with `SAVE IMAGE --push <img>`). [#2923](https://togithub.com/earthly/earthly/issues/2923) - Incorrect global ARG values when chaining multiple DO commands together. [#2920](https://togithub.com/earthly/earthly/issues/2920) - Build args autocompletion under artifact mode. ### [`v0.7.4`](https://togithub.com/earthly/earthly/blob/HEAD/CHANGELOG.md#v074---2023-04-12) [Compare Source](https://togithub.com/earthly/earthly/compare/v0.7.3...v0.7.4) ##### Changed - Updated the github ssh-rsa public key in the pre-populated buildkitd known_hosts entries. ### [`v0.7.3`](https://togithub.com/earthly/earthly/blob/HEAD/CHANGELOG.md#v073---2023-04-12) [Compare Source](https://togithub.com/earthly/earthly/compare/v0.7.2...v0.7.3) ##### Added - A host of changes to variables under the `--arg-scope-and-set` feature flag: - Redeclaring an `ARG` in the same scope as a previous declaration is now an error. - `ARG`s inside of targets will no longer have their default value overridden by global `ARG`s. - A new command, `LET`, is available for declaring non-argument variables. - `LET` takes precedence over `ARG`, just like `ARG` takes precedence over `ARG --global`. - A new command, `SET`, is available for changing the value of variables declared with `LET`. - Introduced `--size` and `--age` flags to the prune command, to allow better control. ##### Changed - Updated buildkit with changes up to [`3187d2d`](https://togithub.com/earthly/earthly/commit/3187d2d056de7e3f976ef62cd548499dc3472a7e). - The `VERSION --git-branch` feature flag has been removed (`EARTHLY_GIT_BRANCH` was always available in the previous version). - Improved earthly API connection timeout logic. - `earthly doc` now includes `ARG`s in both summary and detail output, and `ARTIFACT`s and `IMAGE`s in its detail output. ##### Fixed - Fixed `Could not detect digest for image` warnings for when using `WITH DOCKER --load` which referenced an earthly target that included a `FROM` referencing an image following the `docker.io/<user>/<img>` naming scheme (rather than the `docker.io/library/<user>/<img>` scheme). - Fixed `COPY --if-exists` to work with earthly targets. [#2541](https://togithub.com/earthly/earthly/issues/2541) - Intentional-indentation of comments is no longer removed by the doc command. [#2747](https://togithub.com/earthly/earthly/issues/2747) - `SAVE ARTIFACT ... AS LOCAL ...` could not write to non-current directories upon failure of a TRY/FINALLY block. [#2800](https://togithub.com/earthly/earthly/issues/2800) ### [`v0.7.2`](https://togithub.com/earthly/earthly/blob/HEAD/CHANGELOG.md#v072---2023-03-14) [Compare Source](https://togithub.com/earthly/earthly/compare/v0.7.1...v0.7.2) ##### Added - Support for [Rosetta](https://developer.apple.com/documentation/apple-silicon/about-the-rosetta-translation-environment) translation environment (emulator) in buildkit as an alternative to QEMU. To enable, go to Docker Desktop -> Settings -> Features in development -> Check `Use Rosetta for x86/amd64 emulation on Apple Silicon`. - New ARG `EARTHLY_GIT_BRANCH` will contain the branch of the current git commit, this ARG must be enabled with the `VERSION --git-branch` feature flag. [#2735](https://togithub.com/earthly/earthly/pull/2735) - Verbose logging when git configurations perform a regex substitution. ##### Fixed - SAVE IMAGE --push did not always work under `VERSION 0.7`, when image was refrenced by a `FROM` or `COPY`, followed by a `BUILD`. [#2762](https://togithub.com/earthly/earthly/issues/2762) ##### Changed - Simplified error message when a RUN command fails with an exit code. [#2742](https://togithub.com/earthly/earthly/issues/2742) - Improved warning messages when earthly cloud-based registry auth fails. [#2783](https://togithub.com/earthly/earthly/issues/2783) - Deleting a project will prompt for confirmation, unless --force is specified. - Updated buildkit with changes up to [`4451e1b`](https://togithub.com/earthly/earthly/commit/4451e1be0e6889ffc56225e54f7e26bd6fdada54). ### [`v0.7.1`](https://togithub.com/earthly/earthly/blob/HEAD/CHANGELOG.md#v0719---2023-09-20) [Compare Source](https://togithub.com/earthly/earthly/compare/v0.7.0...v0.7.1) ##### Added - Added "dev.earthly.\*" LABELS to saved images, for example `dev.earthly.version` will be set to `v0.7.19` (or whatever version of earthly is used) [#3247](https://togithub.com/earthly/earthly/issues/3247). - Added option to verbose print known_hosts to make it easier to debug git related commands [#3234](https://togithub.com/earthly/earthly/issues/3234). ##### Fixed - When a project based secret is not found, the name of the secret will now be displayed along with the "not found" error. ##### Changed - Log sharing will now stream logs as your build is running (rather than uploading logs when build execution completes). - Satellite reserve calls will now retry on error [#3255](https://togithub.com/earthly/earthly/issues/3255). - Display warning when TLS is disabled. ### [`v0.7.0`](https://togithub.com/earthly/earthly/blob/HEAD/CHANGELOG.md#v070---2023-02-21) [Compare Source](https://togithub.com/earthly/earthly/compare/v0.6.30...v0.7.0) The documentation for this version is available at the [Earthly 0.7 documentation page](https://docs.earthly.dev/v/earthly-0.7/). **Earthly CI** Earthly 0.7 is the first version compatible with Earthly CI. Earthly 0.7 introduces the new keywords `PIPELINE` and `TRIGGER` to help define Earthly CI pipelines. my-pipeline: PIPELINE --push TRIGGER push main TRIGGER pr main BUILD +my-target For more information on how to use `PIPELINE` and `TRIGGER`, please see the [reference documentation](https://docs.earthly.dev/v/earthly-0.7/docs/earthfile#pipeline-beta). **Podman support** Podman support has now been promoted out of *beta* status and is generally available in 0.7. Earthly will automatically detect the container frontend, whether that's `docker` or `podman` and use it automatically for running Buildkit locally, or for outputting images locally resulting from the build. Please note that rootful podman is required. Rootless podman is not supported. **VERSION is now mandatory** The `VERSION` command is now required for all Earthfiles, and an error will occur if it is missing. If you are not ready to update your Earthfiles to use 0.7 (or 0.6), you can declare `VERSION 0.5` to continue to use your Earthfiles. **.env file is no longer used for `ARG` or secrets** The `.env` file will only be used to automatically export environment variables, which can be used to configure earthly command line flags. As a result, values will no longer be propagated to Earthfile `ARG`s or `RUN --secret=...` commands. Instead if you want build arguments or secrets automatically passed into earthly, they must be placed in `.arg` or `.secret` files respectively. Note that this is a **backwards incompatible** change and will apply to all Earthfiles (regardless of the defined `VERSION` value). **Pushing no longer requires everything else to succeed** The behavior of the `--push` mode has changed in `VERSION 0.7` and is backwards incompatible with `VERSION 0.6`. Previously, `--push` commands would only execute if all other commands had succeeded. This precondition is no longer enforced, to allow for more flexible push ordering via the new `WAIT` clause. To achieve the behavior of the previous `--push` mode, you need to wrap any pre-required commands in a `WAIT` clause. For example, to push an image only if tests have passed, you would do the following: ```Earthfile test-and-push: WAIT BUILD +test END BUILD +my-image my-image: ... SAVE IMAGE --push my-org/my-image:latest ``` This type of behavior is useful in order to have better control over the order of push operations. For example, you may want to push an image to a registry, followed by a deployment that uses the newly pushed image. Here is how this might look like: ```Earthfile push-and-deploy: ... WAIT BUILD +my-image END RUN --push ./deploy.sh my-org/my-image:latest my-image: ... SAVE IMAGE --push my-org/my-image:latest ``` Where `./deploy.sh` is custom deployment script instructing a production environment to start using the image that was just pushed. **Promoting experimental features** This version promotes a number of features that have been previously in Experimental and Beta status. To make use of the features in this version you need to declare `VERSION 0.7` at the top of your Earthfile. Declaring `VERSION 0.7` is equivalent to VERSION \ --check-duplicate-images \ --earthly-git-author-args \ --earthly-locally-arg \ --earthly-version-arg \ --explicit-global \ --new-platform \ --no-tar-build-output \ --save-artifact-keep-own \ --shell-out-anywhere \ --use-cache-command \ --use-chmod \ --use-copy-link \ --use-host-command \ --use-no-manifest-list \ --use-pipelines \ --use-project-secrets \ --wait-block \ 0.6 For more information on the individual Earthfile feature flags see the [Earthfile version-specific features page](https://docs.earthly.dev/docs/earthfile/features). ##### Changed - The behavior of the `--push` mode has changed in a backwards incompatible manner. Previously, `--push` commands would only execute if all other commands had succeeded. This precondition is no longer enforced, allowing push commands to execute in the middle of the build now. Previously under `VERSION --wait-block 0.6`. - `ARG`s declared in the base target do not automatically become global unless explicitly declared as such via `ARG --global`. Previously under `VERSION --explicit-global 0.6`. - The Cloud-based secrets model is now project-based; it is not compatible with the older global secrets model. Earthfiles which are defined as `VERSION 0.5` or `VERSION 0.6` will continue to use the old global secrets namespace; however the earthly command line no longer supports accessing or modifying the global secrets. A new `earthly secrets migrate` command has been added to help transition the global-based secrets to the new project-based secrets. If you need to manage secrets from Earthly 0.6 without migrating to the new 0.7 secrets, please use an older Earthly binary. - All `COPY` and `SAVE ARTIFACT` operations now use union filesystem merging for performing the `COPY`. This is similar to `COPY --link` in Dockerfiles, however in Earthly it is automatically enabled for all such operations. Previously under `VERSION --use-copy-link 0.6`. - The platform logic has been improved to allow overriding the platform in situations where previously it was not possible. Additionally, the default platform is now the native platform of the runner, and not of the host running Earthly. This makes platforms work better in remote runner settings. Previously under `VERSION --new-platform 0.6`. - Earthly will automatically shellout to determine the `$HOME` value when referenced [#2469](https://togithub.com/earthly/earthly/issues/2469) - Improved error message when invalid shell variable name is configured for a secret. [#2478](https://togithub.com/earthly/earthly/issues/2478) - The `--ci` flag no longer implies `--save-inline-cache` and `--use-inline-cache` since they were 100% CPU usage in some edge cases. These flags may still be explicitly enabled with `--ci`, but earthly will print a warning. - `earthly ls` has been promoted from *experimental* to *beta* status. - Setting a `VERSION` feature flag boolean to false (or any other value) will now raise an error; previously it was syntactically valid but had no effect. - `SAVE ARTIFACT <path> AS LOCAL ...` when used under a `TRY` / `FINALLY` can fail to be fully transferred to the host when the `TRY` command fails (resulting in an partially transferred file); an underflow can still occur, and is now detected and will not export the partial file. [2452](https://togithub.com/earthly/earthly/issues/2452) - The `--keep-own` flag for `SAVE ARTIFACT` is now applied by default; note that `COPY --keep-own` must still be used in order to keep ownership - Values from the `.env` file will no longer be propigated to Earthfile `ARG`s or `RUN --secret=...` commands; instead values must be placed in `.arg` or `.secret` files respectively. Note that this is a backwards incompatible change and will apply to all Earthfiles (regardless of the defined `VERSION` value). [#1736](https://togithub.com/earthly/earthly/issues/1736) - Some particularly obtuse syntax errors now have hints added to help clarify what the expected syntax might be. [#2656](https://togithub.com/earthly/earthly/issues/2656) - The default size when launching a new satellite is now medium instead of large. - Satellites can be launched with a weekend-only mode for receiving auto-updates. ##### Added - The commands `PIPELINE` and `TRIGGER` have been introduced for defining Earthly CI pipelines. Previously under `VERSION --use-pipelines 0.6`. - The clause `WAIT` is now generally available. The `WAIT` clause allows controlling of build order for operations that require it. This allows use-cases such as pushing images to a registry, followed by infrastructure changes that use the newly pushed images. Previously under `VERSION --wait-block 0.6`. - The command `CACHE` is now generally available. The `CACHE` command allows declaring a cache mount that can be used by any `RUN` command in the target, and also persists in the final image of the target (contents available when used via `FROM`). Previously under `VERSION --use-cache-command 0.6`. - The command `HOST` is now generally available. The `HOST` command allows declaring an `/etc/hosts` entry. Previously under `VERSION --use-host-command 0.6`. - New ARG `EARTHLY_GIT_COMMIT_AUTHOR_TIMESTAMP` will contain the author timestamp of the current git commit. [#2462](https://togithub.com/earthly/earthly/pull/2462) - New ARGs `EARTHLY_VERSION` and `EARTHLY_BUILD_SHA` contain the version of Earthly and the git sha of Earthly itself, respectively. - It is now possible to execute shell commands as part of any command that allows using variables. For example `VOLUME $(cat /volume-name.txt)`. Previously under `VERSION --shell-out-anywhere 0.6`. - Allow custom image to be used for git operations. [#2027](https://togithub.com/earthly/earthly/issues/2027) - Earthly now checks for duplicate image names when performing image outputs. Previously under `VERSION --check-duplicate-images 0.6`. - `SAVE IMAGE --no-manifest-list` allows outputting images of a different platform than the default one, but without the manifest list. This is useful for outputting images for platforms that do not support manifest lists, such as AWS Lambda. Previously under `VERSION --use-no-manifest-list 0.6`. - `COPY --chmod <mode>` allows setting the permissions of the copied files. Previously under `VERSION --use-chmod 0.6`. - The new ARG `EARTHLY_LOCALLY` indicates whether the current target is executed in a `LOCALLY` context. Previously under `VERSION --earthly-locally-arg 0.6`. - The new ARGs `EARTHLY_GIT_AUTHOR` and `EARTHLY_GIT_CO_AUTHORS` contain the author and co-authors of the current git commit, respectively. Previously under `VERSION --earthly-git-author-args 0.6`. - `earthly doc [projectRef[+targetRef]]` is a new subcommand in *beta* status. It will parse and output documentation comments on targets. - Ability to store docker registry credentials in cloud secrets and corresponding `earthly registry setup|list|remove` commands; credentials can be associated with either your user or project. - New satellite commands for enabling auto-upgrades and forcing a manual upgrade. ##### Fixed - Support for saving files larger than 64kB on failure within a `TRY/FINALLY` block. [#2452](https://togithub.com/earthly/earthly/issues/2452) - Fixed race condition where `SAVE IMAGE` or `SAVE ARTIFACT AS LOCAL` commands were not always performed when contained in a target that was referenced by both a `FROM` (or `COPY`) and a `BUILD` command within the context of a `WAIT`/`END` block. [#2237](https://togithub.com/earthly/earthly/issues/2218) - `WORKDIR` is lost when `--use-copy-link` feature is enabled with `GIT CLONE` or `COPY --keep-own` commands. Note that `--use-copy-link` is enabled by default in `VERSION 0.7`. [#2544](https://togithub.com/earthly/earthly/issues/2544) - The `CACHE` command did not work when used inside a `WITH DOCKER` block. [#2549](https://togithub.com/earthly/earthly/issues/2549) - The `--platform` argument is no longer passed to docker or podman, which caused podman to always pull the buildkit image even when it already existed locally. [#2511](https://togithub.com/earthly/earthly/issues/2511), [#2566](https://togithub.com/earthly/earthly/issues/2566) - Fixed missing inline cache export; note that inline cache exports **do not** work when used within a `WAIT` / `END` block, this is a known current limitation. [#2178](https://togithub.com/earthly/earthly/issues/2178) - Indentation in the base Earthfile target would cause a panic (when no other targets existed); now a syntax error is returned. [#2603](https://togithub.com/earthly/earthly/issues/2603) - Added tighter registry read timeout, to prevent 15min stuck "ongoing" image manifest fetching. ### [`v0.6.30`](https://togithub.com/earthly/earthly/blob/HEAD/CHANGELOG.md#v0630---2022-11-22) [Compare Source](https://togithub.com/earthly/earthly/compare/v0.6.29...v0.6.30) ##### Added - Added support for a custom `.netrc` file path using the standard `NETRC` environmental variable. [#2426](https://togithub.com/earthly/earthly/pull/2426) - Ability to run multiple Earthly installations at a time via `EARTHLY_INSTALLATION_NAME` environment variable, or the `--installation-name` CLI flag. The installation name defaults to `earthly` if not specified. Different installations use different configurations, different buildkit Daemons, different cache volumes, and different ports. - New `EARTHLY_CI` builtin arg, which is set to `true` when earthly is run with the `--ci` flag, this ARG must be enabled with the `VERSION --ci-arg` feature flag. [#2398](https://togithub.com/earthly/earthly/pull/2398) ##### Changed - Updated buildkit to include changes up to [a5263dd0f990a3fe17b67e0002b76bfd1f5b433d](https://togithub.com/moby/buildkit/commit/a5263dd0f990a3fe17b67e0002b76bfd1f5b433d), which includes a change to speed-up buildkit startup time. - The Earthly Docker image works better for cases where a buildkit instance is not needed. The image now works without `--privileged` when using `NO_BUILDKIT=1`, and additionally, the image can also use `/var/run/docker.sock` or `DOCKER_HOST` for the buildkit daemon. ##### Fixed - Fixed Earthly on Mac would randomly hang on `1. Init` if Earthly was installed from Homebrew or the Earthly homebrew tap. [#2247](https://togithub.com/earthly/earthly/issues/2247) - Only referenced ARGs from .env are displayed on failures, this prevents secrets contained in .env from being displayed. [#1736](https://togithub.com/earthly/earthly/issues/1736) - Earthly now correctly detects if Podman is running but is under the disguise of the Docker CLI. - Improved performance when copying files. Fully-cached builds are now dramatically faster as a result. [#2049](https://togithub.com/earthly/earthly/issues/2049) - Fixed `--shell-out-anywhere` bug where inner quotes were incorrectly removed. [#2340](https://togithub.com/earthly/earthly/issues/2340) ### [`v0.6.29`](https://togithub.com/earthly/earthly/blob/HEAD/CHANGELOG.md#v0629---2022-11-07) [Compare Source](https://togithub.com/earthly/earthly/compare/v0.6.28...v0.6.29) ##### Added - Cache mounts sharing mode can now be specified via `RUN --mount type=cache,sharing=shared` via `CACHE --sharing=shared`. Allowed values are `locked` (default - lock concurrent acccess to the cache), `shared` (allow concurrent access) and `private` (create a new empty cache on concurrent access). ##### Changed - Increases the cache limit for local and git sources from 10% to 50% to support copying large files (e.g. binary assets). - The default cache mount sharing mode is now `locked` instead of `shared`. This means that if you have multiple builds running concurrently, they will block on each other to gain access to the cache mount. If you want to share the cache as it was shared in previous version of Earthly, you can use `RUN --mount type=cache,sharing=shared` or `CACHE --sharing=shared`. ##### Fixed - `CACHE` command was not being correctly used in `IF`, `FOR`, `ARG` and other commands. [#2330](https://togithub.com/earthly/earthly/issues/2330) - Fixed buildkit gckeepstorage config value which was was set to 1000 times larger than the cache size, now it is set to the cache size. - Fixed Earthly not detecting the correct image digest for some images loaded in `WITH DOCKER --load` and causing cache not to be bust correctly. [#2337](https://togithub.com/earthly/earthly/issues/2337) and [#2288](https://togithub.com/earthly/earthly/issues/2288) ### [`v0.6.28`](https://togithub.com/earthly/earthly/blob/HEAD/CHANGELOG.md#v0628---2022-10-26) [Compare Source](https://togithub.com/earthly/earthly/compare/v0.6.27...v0.6.28) ##### Added - A summary of context file transfers is now displayed every 15 seconds. - Satellite wake command, which can force a satellite to wake up (useful for calling inspect or other non-build related commands). ##### Changed - `WITH DOCKER` merging of user specific `/etc/docker/daemon.json` settings data now applies to arrays (previously only dictionaries were supported). - A final warning will be displayed if earthly is terminated due to a interrupt signal (ctrl-c). ##### Changed - Updated buildkit to include changes up to [c717d6aa7543d4b83395e0552ef2eb311f563aab](https://togithub.com/moby/buildkit/commit/c717d6aa7543d4b83395e0552ef2eb311f563aab) ### [`v0.6.27`](https://togithub.com/earthly/earthly/blob/HEAD/CHANGELOG.md#v0627---2022-10-17) [Compare Source](https://togithub.com/earthly/earthly/compare/v0.6.26...v0.6.27) ##### Changed - Support for all ssh-based key types (e.g. ssh-ed25519), and not only ssh-rsa. [#1783](https://togithub.com/earthly/earthly/issues/1783) ##### Fixed - Unable to specify public key to add via the command-line, e.g. running `earthly account add-key <key>` ignored the key and fell back to an interactive prompt. - `GIT CLONE` command was ignoring the `WORK DIR` command when `--use-copy-link` feature was set. ### [`v0.6.26`](https://togithub.com/earthly/earthly/blob/HEAD/CHANGELOG.md#v0626---2022-10-13) [Compare Source](https://togithub.com/earthly/earthly/compare/v0.6.25...v0.6.26) ##### Added - Build failures now show the file and line number of the failing command - Introduced `EARTHLY_GIT_AUTHOR` and `EARTHLY_GIT_CO_AUTHORS` ARGS ##### Fixed - Some network operations were being incorrectly executed with a timeout of 0. - Upon `earthly ls` failure it will display the failure reason ##### Changed - Loading Docker images as part of `WITH DOCKER` is now faster through the use of an embedded registry in Buildkit. This functionality was previously hidden (`VERSION --use-registry-for-with-docker`) and was only auto-enabled for Earthly Satellite users. It is now enabled by default for all builds. [#1268](https://togithub.com/earthly/earthly/issues/1268) ##### Changed - `VERSION` command is now required. ### [`v0.6.25`](https://togithub.com/earthly/earthly/blob/HEAD/CHANGELOG.md#v0625---2022-10-04) [Compare Source](https://togithub.com/earthly/earthly/compare/v0.6.24...v0.6.25) ##### Fixed - Fixed outputting images with long names [#2053](https://togithub.com/earthly/earthly/issues/2053) - Fixed buildkit connection timing out occasionally [#2229](https://togithub.com/earthly/earthly/issues/2229) - Cache size was incorrectly displayed (magnitude of 1024 higher) ### [`v0.6.24`](https://togithub.com/earthly/earthly/blob/HEAD/CHANGELOG.md#v0624---2022-09-22) [Compare Source](https://togithub.com/earthly/earthly/compare/v0.6.23...v0.6.24) ##### Added - The `earthly org invite` command now has the ability to invite multiple email addresses at once. - Experimental support for `TRY/FINALLY`, which allows saving artifacts upon failure. [#988](https://togithub.com/earthly/earthly/issues/988), [#587](https://togithub.com/earthly/earthly/issues/587). Not that this is only a partial implementation, and only accepts a *single* RUN command in the `TRY`, and only `SAVE ARTIFACT` commands in the `FINALLY` block. - Ability to enable specific satellite features via cli flags, e.g. the new experimental sleep feature can be enabled with `earthly satellite launch --feature-flags satellite-sleep my-satellite`. ##### Changed - Bootstrapping zsh autocompletion will first attempt to install under `/usr/local/share/zsh/site-functions`, and will now fallback to `/usr/share/zsh/site-functions`. - The `earthly preview org` command has been promoted to GA, and is now available under `earthly org`. - `earthly sat select` with no arguments now prints the current satellite and the usage text. - The interactive debugger now connects over the buildkit session connection rather than an unencrypted tcp connection; this makes it possible to use the interactive debugger with remote buildkit instances. ##### Fixed - Fixed Earthly failing when using a remote docker host from a machine with an incompatible architecture. [#1895](https://togithub.com/earthly/earthly/issues/1895) - Earthly will no longer race with itself when starting up buildkit. [#2194](https://togithub.com/earthly/earthly/issues/2194) - The error reported when failing to initiate a connection to buildkit has been reworded to account for the remote buildkit/satellite case too. - Errors related to parsing `VERSION` feature flags will no longer be displayed during auto-completion. ### [`v0.6.23`](https://togithub.com/earthly/earthly/blob/HEAD/CHANGELOG.md#v0623---2022-09-06) [Compare Source](https://togithub.com/earthly/earthly/compare/v0.6.22...v0.6.23) ##### Fixed - Using `--remote-cache` on a target that contains only `BUILD` instructions caused a hang. [#1945](https://togithub.com/earthly/earthly/issues/1945) - Fixed WAIT/END related bug which prevent `WITH DOCKER --load` from building referenced target. - Images and artifacts which are output (or pushed), are now displayed in the final earthly output. - `ssh: parse error in message type 27` error when using OpenSSH 8.9; fixed by upstream in [golang/go#51689](https://togithub.com/golang/go/issues/51689). ##### Changed - Removed warning stating that `WAIT/END code is experimental and may be incomplete` -- it is still experimental; however, it now has a higher degree of test-coverage. It can be enabled with `VERSION --wait-block 0.6`. - A warning is now displayed during exporting a multi-platform image to the local host if no platform is found that matches the host's platform type. - Reduced verbosity of `To enable pushing use earthly --push` message. ### [`v0.6.22`](https://togithub.com/earthly/earthly/blob/HEAD/CHANGELOG.md#v0622---2022-08-19) [Compare Source](https://togithub.com/earthly/earthly/compare/v0.6.21...v0.6.22) ##### Added - `--cache-from` earthly flag, which allows defining multiple ordered caches. [#1693](https://togithub.com/earthly/earthly/issues/1693) - WAIT/END support for saving artifacts to local host. - WAIT/END support for `RUN --push` commands. ##### Fixed - Updated `EXPOSE` parsing to accept (and ignore) host IP prefix, as well as expose udp ports; this should be fully-compatible with dockerfile's format. [#1986](https://togithub.com/earthly/earthly/issues/1986) - The earthly-buildkit container is now only initialized when required. ##### Changed - The earthly-buildkit container is now only initialized when required. ### [`v0.6.21`](https://togithub.com/earthly/earthly/blob/HEAD/CHANGELOG.md#v0621---2022-08-04) [Compare Source](https://togithub.com/earthly/earthly/compare/v0.6.20...v0.6.21) ##### Added - `EARTHLY_LOCALLY` builtin arg which is set to `true` or `false` when executing locally or within a container, respectively. This ARG must be enabled with the `VERSION --earthly-locally-arg` feature flag. ##### Fixed - Fixed an incompatibility with older versions of remote BuildKits and Satellites, which was resulting in Earthly crashing. - Fixed `WITH DOCKER` not loading correctly when the image name contained a port number under `VERSION --use-registry-for-with-docker`. [#2071](https://togithub.com/earthly/earthly/issues/2071) - Race condition in WAIT / END block, which prevented waiting on some BUILD commands. ##### Changed - Added a deprecation warning for secrets using a `+secrets/` prefix. Support for this prefix will be removed in a future release. - per-file stat transfers are now logged when running under `--debug` mode. ### [`v0.6.20`](https://togithub.com/earthly/earthly/blob/HEAD/CHANGELOG.md#v0620---2022-07-18) [Compare Source](https://togithub.com/earthly/earthly/compare/v0.6.19...v0.6.20) ##### Changed - Updated buildkit to include changes up to [`12cfc87`](https://togithub.com/earthly/earthly/commit/12cfc87450c8d4fc31c8c0a09981e4c3fb3e4d9f) ##### Added - Adding support for saving artifact from `--interactive-keep`. [#1980](https://togithub.com/earthly/earthly/issues/1980) - New `EARTHLY_PUSH` builtin arg, which is set to `true` when earthly is run with the `--push` flag, and the argument is referenced under the direct target, or a target which is indirectly referenced via a `BUILD` command; otherwise it will be set to `false`. The value mimics when a `RUN --push` command is executed. This feature must be enabled with `VERSION --wait-block 0.6`. ##### Fixed - Fixed `context.Canceled` being reported as the error in some builds instead of the root cause. [#1991](https://togithub.com/earthly/earthly/issues/1991) - Improved cache use of `WITH DOCKER` command. - The `earthly/earthly` docker image is now also built for arm64 (in addition to amd64). ### [`v0.6.19`](https://togithub.com/earthly/earthly/blob/HEAD/CHANGELOG.md#v0619---2022-06-29) [Compare Source](https://togithub.com/earthly/earthly/compare/v0.6.18...v0.6.19) ##### Fixed - Fixed retagging of images that are made available via the `WITH DOCKER` command when the `--use-registry-for-with-docker` feature is enabled. - Fixed a bug where `earthly --version` would display unknown on some versions of Windows. ### [`v0.6.18`](https://togithub.com/earthly/earthly/blob/HEAD/CHANGELOG.md#v0618---2022-06-27) [Compare Source](https://togithub.com/earthly/earthly/compare/v0.6.17...v0.6.18) ##### Fixed - `sh: write error: Resource busy` error caused by running the earthly/earthly docker image on a cgroups2-enabled host. [#1934](https://togithub.com/earthly/earthly/issues/1934) ### [`v0.6.17`](https://togithub.com/earthly/earthly/blob/HEAD/CHANGELOG.md#v0617---2022-06-20) [Compare Source](https://togithub.com/earthly/earthly/compare/v0.6.16...v0.6.17) ##### Added - Additional debug information for failure during dind cleanup. ### [`v0.6.16`](https://togithub.com/earthly/earthly/blob/HEAD/CHANGELOG.md#v0616---2022-06-17) [Compare Source](https://togithub.com/earthly/earthly/compare/v0.6.15...v0.6.16) ##### Changed - Custom `secret_provider` is now called with user's env variables. - Additional args can be passed to `secret_provider`, e.g. `secret_provider: my-password-manager --db=$HOME/path/to/secrets.db` - Local registry is enabled by default in the earthly-buildkit container. ### [`v0.6.15`](https://togithub.com/earthly/earthly/blob/HEAD/CHANGELOG.md#v0615---2022-06-02) [Compare Source](https://togithub.com/earthly/earthly/compare/v0.6.14...v0.6.15) ##### Changed - Switch to MPL-2.0 license. [Announcement](https://earthly.dev/blog/earthly-open-source) ##### Added - Experimental support for Docker registry based image creation and transfer `WITH DOCKER` loads and pulls. Enable with the `VERSION --use-registry-for-with-docker` flag. - Git config options for non-standard port and path prefix; these options are incompatible with a custom git substitution regex. - Experimental WAIT / END blocks, to allow for finer grain of control between pushing images and running commands. - Improved ARG error messages to include the ARG name associated with the error. ##### Fixed - Panic when running earthly --version under some versions of Windows - Removed duplicate git commit hash from earthly --version output string (when running dev versions of earthly) - Garbled auto-completion when using Earthfiles without a VERSION command (or with other warnings) [#1837](https://togithub.com/earthly/earthly/issues/1837). - Masking of cgroups for podman support. ### [`v0.6.14`](https://togithub.com/earthly/earthly/blob/HEAD/CHANGELOG.md#v0614---2022-04-11) [Compare Source](https://togithub.com/earthly/earthly/compare/v0.6.13...v0.6.14) ##### Added - Experimental support for `SAVE IMAGE --no-manifest-list`. This option disables creating a multi-platform manifest list for the image, even if the image is created with a non-default platform. This allows the user to create non-native images (e.g. amd64 image on an M1 laptop) that are still compatible with AWS lambda. To enable this feature, please use `VERSION --use-no-manifest-list 0.6`. [#1802](https://togithub.com/earthly/earthly/pull/1802) - Introduced Experimental support for `--chmod` flag in `COPY`. To enable this feature, please use `VERSION --use-chmod 0.6`. [#1817](https://togithub.com/earthly/earthly/pull/1817) - Experimental `secret_provider` config option allows users to provide a script which returns secrets. [#1808](https://togithub.com/earthly/earthly/issues/1808) - `/etc/ssh/ssh_known_hosts` are now passed to buildkit. [#1769](https://togithub.com/earthly/earthly/issues/1769) ##### Fixed - Targets with the same `CACHE` commands incorrectly shared cached contents. [#1805](https://togithub.com/earthly/earthly/issues/1805) - Sometimes local outputs and pushes are skipped mistakenly when a target is referenced both via `FROM` and via `BUILD` [#1823](https://togithub.com/earthly/earthly/issues/1823) - `GIT CLONE` failure (`makeCloneURL does not support gitMatcher substitution`) when used with a self-hosted git repo that was configured under `~/.earthly/config.yml` [#1757](https://togithub.com/earthly/earthly/issues/1757) ### [`v0.6.13`](https://togithub.com/earthly/earthly/blob/HEAD/CHANGELOG.md#v0613---2022-03-30) [Compare Source](https://togithub.com/earthly/earthly/compare/v0.6.12...v0.6.13) ##### Added - Earthly now warns when encountering Earthfiles with no `VERSION` specified. In the future, the `VERSION` command will be mandatory. [#1775](https://togithub.com/earthly/earthly/pull/1775) ##### Changed - `WITH DOCKER` now merges changes into `/etc/docker/daemon.json` rather than overwriting the entire file; this change introduces `jq` as a dependency, which will be auto-installed if missing. ##### Fixed - The `COPY` command, when used with `LOCALLY` was incorrectly ignoring the `WORKDIR` value. [#1792](https://togithub.com/earthly/earthly/issues/1792) - The `--shell-out-anywhere` feature introduced a bug which interfered with asynchronous builds. [#1785](https://togithub.com/earthly/earthly/issues/1785) - `EARTHLY_GIT_SHORT_HASH` was not set when building a remotely-referenced target. [#1787](https://togithub.com/earthly/earthly/issues/1787) ### [`v0.6.12`](https://togithub.com/earthly/earthly/blob/HEAD/CHANGELOG.md#v0612---2022-03-23) [Compare Source](https://togithub.com/earthly/earthly/compare/v0.6.11...v0.6.12) ##### Changed - A more obvious error is printed if `WITH DOCKER` starts non-natively. This is not supported and it wasn't obvious before. - `WITH DOCKER` will keep any settings pre-applied in `/etc/docker/daemon.json` rather than overwriting them. ##### Added - The feature flag `--exec-after-build` has been enabled retroactively for `VERSION 0.5`. This speeds up large builds by 15-20%. - The feature flag `--parallel-load` has been enabled for every `VERSION`. This speeds up by parallelizing targets built for loading via `WITH DOCKER --load`. - `VERSION 0.0` is now permitted, however it is only meant for Earthly internal debugging purposes. `VERSION 0.0` disables all feature flags. - A new experimental mode in which `--platform` operates. To enable these features in your builds, set `VERSION --new-platform 0.6`: - There is now a distinction between **user** platform and **native** platform. The user platform is the platform of the user running Earthly, while the native platform is the platform of the build worker (these can be different when using a remote buildkit) - New platform shorthands are provided: `--platform=native`, `--platform=user`. - New builtin args are available: `NATIVEPLATFORM`, `NATIVEOS`, `NATIVEARCH`, `NATIVEVARIANT` (these are the equivalent of the `USER*` and `TARGET*` platform args). - When no platform is provided, earthly will default to the **native** platform - Additionally, earthly now default to native platform for internal operations too (copy operations, git clones etc) - Earthly now allows changing the platform in the middle of a target (`FROM --platform` is not a contradiction anymore). There is a distinction between the "input" platform of a target (the platform the caller passes in) vs the "output" platform (the platform that ends up being the final platform of the image). These can be different if the caller passes `BUILD --platform=something +target`, but the target starts with `FROM --platform=otherthing ...`. - Ability to shell-out in any Earthly command, (e.g. `SAVE IMAGE myimage:$(cat version)`), as well as in the middle of ARG strings. To enable this feature, use `VERSION --shell-out-anywhere 0.6`. ##### Fixed - An experimental fix for duplicate output when building images that are loaded via `WITH DOCKER --load`. This can be enabled via `VERSION --no-tar-build-output 0.6`. ### [`v0.6.11`](https://togithub.com/earthly/earthly/blob/HEAD/CHANGELOG.md#v0611---2022-03-17) [Compare Source](https://togithub.com/earthly/earthly/compare/v0.6.10...v0.6.11) ##### Added - An experimental feature whereby `WITH DOCKER` parallelizes building of the images to be loaded has been added. To enable this feature use `VERSION --parallel-load 0.6`. [#1725](https://togithub.com/earthly/earthly/pull/1725) - Added `cache_size_pct` config option to allow specifying cache size as a percentage of disk space. ##### Fixed - Fixed a duplicate build issue when using `IF` together with `WITH DOCKER` [#1724](https://togithub.com/earthly/earthly/issues/1724) - Fixed a bug where `BUILD --platform=$ARG` did not expand correctly - Fixed issue preventing use of `WITH DOCKER` with docker systemd-based images such as `kind`, when used under hosts with cgroups v2. ### [`v0.6.10`](https://togithub.com/earthly/earthly/blob/HEAD/CHANGELOG.md#v0610---2022-03-03) [Compare Source](https://togithub.com/earthly/earthly/compare/v0.6.9...v0.6.10) ##### Changed - reverted zeroing of mtime change that was introduced in v0.6.9; this restores the behavior of setting modification time to `2020-04-16T12:00`. [#1712](https://togithub.com/earthly/earthly/issues/1712) ### [`v0.6.9`](https://togithub.com/earthly/earthly/blob/HEAD/CHANGELOG.md#v069---2022-03-02) [Compare Source](https://togithub.com/earthly/earthly/compare/v0.6.8...v0.6.9) ##### Changed - Log sharing is enabled by default for logged in users, it can be disabled with `earthly config global.disable_log_sharing true`. - `SAVE ARTIFACT ... AS LOCAL` now sets mtime of output artifacts to the current time. ##### Added - Earthly is now 15-30% faster when executing large builds [#1589](https://togithub.com/earthly/earthly/issues/1589) - Experimental `HOST` command, which can be used like this: `HOST <domain> <ip>` to add additional hosts during the execution of your build. To enable this feature, use `VERSION --use-host-command 0.6`. [#1168](https://togithub.com/earthly/earthly/issues/1168) ##### Fixed - Errors when using inline caching indicating `invalid layer index` [#1635](https://togithub.com/earthly/earthly/issues/1635) - Podman can now use credentials from the default location [#1644](https://togithub.com/earthly/earthly/issues/1644) - Podman can now use the local registry cache without modifying `registries.conf` [#1675](https://togithub.com/earthly/earthly/pull/1675) - Podman can now use `WITH DOCKER --load` inside a target marked as `LOCALLY` [#1675](https://togithub.com/earthly/earthly/pull/1675) - Interactive sessions should now work with rootless configurations that have no apparent external IP address [#1573](https://togithub.com/earthly/earthly/issues/1573), [#1689](https://togithub.com/earthly/earthly/pull/1689) - On native Windows installations, Earthly properly detects the local git path when it's available [#1663](https://togithub.com/earthly/earthly/issues/1663) - On native Windows installations, Earthly will properly identify targets in Earthfiles outside of the current directory using the `\` file separator [#1663](https://togithub.com/earthly/earthly/issues/1663) - On native Windows installations, Earthly will save local artifacts to directories using the `\` file separator [#1663](https://togithub.com/earthly/earthly/issues/1663) - A parsing error, when using `WITH DOCKER --load` in conjunction with new-style build args. [#1696](https://togithub.com/earthly/earthly/issues/1696) - `ENTRYPOINT` and `CMD` were not properly expanding args when used in shell mode. - A race condition sometimes caused a `Canceled` error to be reported, instead of the real error that caused the build to fail ### [`v0.6.8`](https://togithub.com/earthly/earthly/blob/HEAD/CHANGELOG.md#v068---2022-02-16) [Compare Source](https://togithub.com/earthly/earthly/compare/v0.6.7...v0.6.8) ##### Fixed - `RUN --interactive` command exit codes were being ignored. - `RUN --ssh` command were failing to create `SSH_AUTH_SOCK` when run inside a `WITH DOCKER`. [#1672](https://togithub.com/earthly/earthly/issues/1672) ##### Changed - expanded help text for `earthly account register --help`. ### [`v0.6.7`](https://togithub.com/earthly/earthly/blob/HEAD/CHANGELOG.md#v067---2022-02-09) [Compare Source](https://togithub.com/earthly/earthly/compare/v0.6.6...v0.6.7) Log Sharing (experimental) This version of Earthly includes an experimental log-sharing feature which will upload build-logs to the cloud when enabled. To enable this experimental feature, you must first sign up for an earthly account by using the [`earthly account register`](https://docs.earthly.dev/docs/earthly-command#earthly-account-register) command, or by visiting <https://ci.earthly.dev/> Once logged in, you must explicitly enable log-sharing by running: earthly config global.disable_log_sharing false In a future version, log-sharing will be enabled by default for logged-in users; however, you will still be able to disable it, if needed. When log-sharing is enabled, you will see a message such as Share your build log with this link: https://ci.earthly.dev/logs?logId=dc622821-9fe4-4a13-a1db-12680d73c442 as the last line of `earthly` output. ##### Fixed - `GIT CLONE` now works with annotated git tags. [#1571](https://togithub.com/earthly/earthly/issues/1571) - `CACHE` command was not working for versions of earthly installed via homebrew. - Autocompletion bug when directory has both an Earthfile and subdir containing an earthfile. - Autocompletion bug when directory has two subdirectories where one is a prefix of the other. ##### Changed - `earthly account logout` raises an error when `EARTHLY_TOKEN` is set. ### [`v0.6.6`](https://togithub.com/earthly/earthly/blob/HEAD/CHANGELOG.md#v066---2022-01-26) [Compare Source](https://togithub.com/earthly/earthly/compare/v0.6.5...v0.6.6) ##### Added - Ability to change mounted secret file mode. fixes [#1434](https://togithub.com/earthly/earthly/issues/1434) ##### Changed - Permission errors related to reading `~/.earthly/config.yml` and `.env` files are now treated as errors rather than silently ignored (and assuming the file does not exist). - Speedup from pre-emptive execution of build steps prior to them being referenced in the build graph. ##### Fixed - earthly panic when running with `SUDO_USER` pointing to a user the current user did not have read/write permission; notably encountered when running under circleci. ##### Removed - Removed `--git-url-instead-of` flag, which has been replaced by `earthly config git ...` ### [`v0.6.5`](https://togithub.com/earthly/earthly/blob/HEAD/CHANGELOG.md#v065---2022-01-24) [Compare Source](https://togithub.com/earthly/earthly/compare/v0.6.4...v0.6.5) ##### Added - Ability to load a different `.env` file via the `--env-file` flag. - Added experimental feature than changes the ARGs defined in the `+base` target to be local, unless defined with a `--global` flag; To enable this feature use `VERSION --explicit-global 0.6`. ##### Changed - Updated buildkit to include changes up to [`17c237d`](https://togithub.com/earthly/earthly/commit/17c237d69a46d61653746c03bcbe6953014b41a5) ##### Fixed - `failed to solve: image is defined multiple times for the same default platform` errors. [#1594](https://togithub.com/earthly/earthly/issues/1594), [#1582](https://togithub.com/earthly/earthly/issues/1582) - `failed to solve: image rmi after pull and retag: command failed: docker image rm ...: exit status 1: Error: No such image` errors. [#1590](https://togithub.com/earthly/earthly/issues/1590) ### [`v0.6.4`](https://togithub.com/earthly/earthly/blob/HEAD/CHANGELOG.md#v064---2022-01-17) [Compare Source](https://togithub.com/earthly/earthly/compare/v0.6.3...v0.6.4) ##### Fixed - Duplicate execution occurring when using ARGs. [#1572](https://togithub.com/earthly/earthly/issues/1572), [#1582](https://togithub.com/earthly/earthly/issues/1582) - Overriding builtin ARG value now displays an error (rather than silently ignoring it). ### [`v0.6.3`](https://togithub.com/earthly/earthly/blob/HEAD/CHANGELOG.md#v0630---2022-11-22) [Compare Source](https://togithub.com/earthly/earthly/compare/v0.6.2...v0. </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/earthly/earthly).  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

* ocsp: add Response.Raw Fixes golang/go#38340 Change-Id: I77afc901584ac3361eafa13c9ee9f8cf9ec2ee28 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/389256 Trust: Roland Shoemaker <[email protected]> Run-TryBot: Roland Shoemaker <[email protected]> Auto-Submit: Roland Shoemaker <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Damien Neil <[email protected]> * acme/autocert: support External Account Binding (EAB) tokens Support External Account Binding (EAB) tokens to the Manager as defined in RFC 8555, Section 7.3.4. If the ExternalAccountBinding field is set on Manager, pass it into the acme Account during registration. Fixes golang/go#48809 Change-Id: I64c38b05ab577acbde9f526638cc8104d15ff055 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/354189 Reviewed-by: Brad Fitzpatrick <[email protected]> Trust: Brad Fitzpatrick <[email protected]> Reviewed-by: Filippo Valsorda <[email protected]> Run-TryBot: Filippo Valsorda <[email protected]> Auto-Submit: Filippo Valsorda <[email protected]> TryBot-Result: Gopher Robot <[email protected]> * all: gofmt Gofmt to update doc comments to the new formatting. For golang/go#51082. Change-Id: I076031b6613691eefbb0f21739366e3fd2011ec9 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/399356 Run-TryBot: Russ Cox <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Auto-Submit: Russ Cox <[email protected]> Reviewed-by: Ian Lance Taylor <[email protected]> * internal/wycheproof: add ECDH tests, including point decompression Fixes golang/go#38936 Change-Id: I231d30fcc683abd9efb36b6fd9cc05f599078ade Reviewed-on: https://go-review.googlesource.com/c/crypto/+/396174 Run-TryBot: Filippo Valsorda <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Filippo Valsorda <[email protected]> Auto-Submit: Filippo Valsorda <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> * internal/wycheproof: skip truncated SHA-512 RSAPSS tests for boring On the boringcrypto builder, skip the RSAPSS tests that use the truncated SHA-512 hashes, since boringcrypto does not support them. Fixes #52670 Change-Id: I8caecd0f34eb6d2740372db2b641563e3965ac7c Reviewed-on: https://go-review.googlesource.com/c/crypto/+/404654 Run-TryBot: Roland Shoemaker <[email protected]> Auto-Submit: Roland Shoemaker <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Bryan Mills <[email protected]> * acme/autocert/internal/acmetest: don't validate in goroutine In the test server, rather than spawning a goroutine to validate challenges, block on the validation before responding to the client. This prevents a test race, where testing.T.Logf is called after the test is completed. While this has a slight behavioral difference to some production ACME server implementations (although is behavior allowed in the spec), the change has little material impact on what we are testing, since previously the validation would happen so quickly that it would be indistinguishable from the new blocking behavior (i.e. we would not be sending multiple requests during polling previously.) Fixes golang/go#52170 Change-Id: I75e3b2da69ddc2302be25a99f1b1151ed0f4af9b Reviewed-on: https://go-review.googlesource.com/c/crypto/+/405548 Run-TryBot: Roland Shoemaker <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Bryan Mills <[email protected]> * ssh/agent: fix non-RSA certificates The type of ssh.PublicKey.Type can be a certificate type, while the algorithm passed to SignWithAlgorithm is going to be an underlying algorithm. Fixes golang/go#52185 Change-Id: I0f7c46defa83d1fd64a3c1e861734650b20cca21 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/404614 TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Heschi Kreinick <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> Auto-Submit: Filippo Valsorda <[email protected]> Run-TryBot: Filippo Valsorda <[email protected]> * acme: add AccountKeyRollover Add support for AccountKeyRollover. API only returns an error since acme.Error will contain appropriate KID lookup information. Due to the requirements of double JWS encoding jwsEncodeJSON is also modified to support a missing Nonce header and raw string embedding in the payload. Fixes golang/go#42516 Change-Id: I959660a1a39b2c469b959accd48fda519daf4eb3 GitHub-Last-Rev: 8e8cc5b094743262939c145f56d3a3b57a057d64 GitHub-Pull-Request: golang/crypto#215 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/400274 TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Heschi Kreinick <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> Run-TryBot: Roland Shoemaker <[email protected]> * curve25519/internal/field: update generator to avo v0.4.0 This version generates //go:build lines. For golang/go#46155 Change-Id: I23e4617aa96bc5c15c10f3cd0882028ca08e09e8 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/388874 Reviewed-by: Dmitri Shuralyov <[email protected]> Run-TryBot: Tobias Klauser <[email protected]> Auto-Submit: Tobias Klauser <[email protected]> Reviewed-by: Ian Lance Taylor <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> * acme: DeactivateReg fix panic Currently discover is not called which results in a panic if just a key is added to an ACME client and then deactivation is attempted. This patch adds a discover call as well as missing unit tests for the API. Change-Id: I0719e5376eb2fccf62182e5f91e5b5eaa7bdd518 GitHub-Last-Rev: 501d7c6c1b75a3069dcad4254b4d4a0d2ccb02c8 GitHub-Pull-Request: golang/crypto#217 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/406734 TryBot-Result: Gopher Robot <[email protected]> Auto-Submit: Roland Shoemaker <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> Run-TryBot: Roland Shoemaker <[email protected]> Reviewed-by: Michael Knyszek <[email protected]> * acme/autocert: properly clean DirCache paths Don't assume the path passed into the DirCache methods is absolute, and clean it before further operating on it. Put and Delete are not attacker controlled, but clean them anyway. Fixes #53082 Fixes CVE-2022-30636 Change-Id: I755f525a737da60ccba07ebce4d41cc8faebfcca Reviewed-on: https://go-review.googlesource.com/c/crypto/+/408694 Run-TryBot: Roland Shoemaker <[email protected]> Reviewed-by: Damien Neil <[email protected]> TryBot-Result: Gopher Robot <[email protected]> * curve25519: remove dependency on fmt For golang/go#48154 Change-Id: If7e99bd1159edc2e3deeb3a4e3d8fb048bc591ab Reviewed-on: https://go-review.googlesource.com/c/crypto/+/348069 Reviewed-by: Ian Lance Taylor <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Run-TryBot: Dmitri Shuralyov <[email protected]> Auto-Submit: Dmitri Shuralyov <[email protected]> * A+C: delete AUTHORS and CONTRIBUTORS In 2009, Google's open-source lawyers asked us to create the AUTHORS file to define "The Go Authors", and the CONTRIBUTORS file was in keeping with open source best practices of the time. Re-reviewing our repos now in 2022, the open-source lawyers are comfortable with source control history taking the place of the AUTHORS file, and most open source projects no longer maintain CONTRIBUTORS files. To ease maintenance, remove AUTHORS and CONTRIBUTORS from all repos. For golang/go#53961. Change-Id: Ieb32933de4f234c77f0131490d4081b6c336820c Reviewed-on: https://go-review.googlesource.com/c/crypto/+/419094 Run-TryBot: Russ Cox <[email protected]> Reviewed-by: David Chase <[email protected]> TryBot-Result: Gopher Robot <[email protected]> * internal/subtle: rename to internal/alias This avoids an import conflict in code that needs to import crypto/subtle as well. CL 424194 does the same for the main repo. Change-Id: Ic54cb62bbfdcf5c2cb6f15ac47075ee1c41981ad Reviewed-on: https://go-review.googlesource.com/c/crypto/+/424175 Reviewed-by: Cherry Mui <[email protected]> Run-TryBot: Russ Cox <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Auto-Submit: Russ Cox <[email protected]> * acme: gofmt code with Go 1.19 gofmt Change-Id: Ib0fd6fcfa358df2bdb820a512b73e7cdb34120f8 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/424174 Run-TryBot: Russ Cox <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Auto-Submit: Russ Cox <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> * cryptobyte: add ReadUint64 and AddUint64 Fixes golang/go#53481. Change-Id: Ic00eef498d1d3b5b0ca5c9c526fac7c26de30cf2 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/421014 TryBot-Result: Gopher Robot <[email protected]> Auto-Submit: Filippo Valsorda <[email protected]> Run-TryBot: hopehook <[email protected]> Reviewed-by: Damien Neil <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> * ssh/agent: match OpenSSH extensionAgentMsg, not IETF draft The OpenSSH wire format just suffixes the raw extension body, without a nested string. Fixes golang/go#51689 Change-Id: Ic224cedb934ba0563abca9a45a6be1c67769ed6d Reviewed-on: https://go-review.googlesource.com/c/crypto/+/412154 Reviewed-by: Roland Shoemaker <[email protected]> Run-TryBot: Filippo Valsorda <[email protected]> Run-TryBot: hopehook <[email protected]> Reviewed-by: Daniel Lublin <[email protected]> Auto-Submit: Filippo Valsorda <[email protected]> Reviewed-by: Filippo Valsorda <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: David Chase <[email protected]> * internal/wycheproof: add crypto/ecdh tests Alongside the existing ECDH tests, add tests that use the new crypto/ecdh package. The test vectors include a number of private that use non-standard sizes, which we reject, but aren't flagged, so we need to skip them. Change-Id: Iaaef225b0149a86833095f51748d230385d43bfe Reviewed-on: https://go-review.googlesource.com/c/crypto/+/424274 Reviewed-by: Russ Cox <[email protected]> Run-TryBot: Roland Shoemaker <[email protected]> Reviewed-by: Filippo Valsorda <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Auto-Submit: Roland Shoemaker <[email protected]> * all: replace io/ioutil with io and os package For golang/go#45557 Change-Id: I447530cc66896aef7a8d528ccb8d095b80e3cf47 GitHub-Last-Rev: 5f385ff46487ac318bd1147cdbbd26bb0ffd0426 GitHub-Pull-Request: golang/crypto#230 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/430797 Auto-Submit: Ian Lance Taylor <[email protected]> Reviewed-by: Ian Lance Taylor <[email protected]> Reviewed-by: Meng Zhuo <[email protected]> Run-TryBot: Ian Lance Taylor <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Cherry Mui <[email protected]> * acme/autocert: fix renewal timer issue Block when creating the renewal timer, rather than doing it in a goroutine. This fixes an issue where startRenew and stopRenew are called very closely together, and due to lock ordering, stopRenew may be called before startRenew, resulting in the appearance that the renewal timer has been stopped before it has actually been created. This is only an issue in tests, as that is the only place stopRenew is actually used. In particular this issue manifests in TestGetCertiifcate sub-tests, where a httptest server reuses a port across two of the sub-tests. In this case, the renewal calls end up creating dirty state for the subsequent test, which can cause confusing behavior (such as attempting to register an account twice.) Another solution to this problem would be introducing a bool, protected by renewalMu, which indicates if renewal has been halted, and to check it in startRenew to check if stopRenew has already been called, which would allow us to continue calling startRenew in a goroutine and relying on renewalMu locking for ordering. That said I don't see a particularly strong reason to call startRenew concurrently, so this seems like the simplest solution for now. Fixes golang/go#52494 Change-Id: I95420d3fd877572a0b9e408d2f8cd353f6a4e80e Reviewed-on: https://go-review.googlesource.com/c/crypto/+/433016 TryBot-Result: Gopher Robot <[email protected]> Run-TryBot: Roland Shoemaker <[email protected]> Reviewed-by: Bryan Mills <[email protected]> * acme/autocert: remove TestRenewFromCache skips Removes the skips from TestRenewFromCache and TestRenewFromCacheAlreadyRenewed, which were added due to flakes which may have been fixed by the renewal timer change. Updates golang/go#51080 Change-Id: Ib953a24e610e89dfbbea450a4c257c105055ce7e Reviewed-on: https://go-review.googlesource.com/c/crypto/+/433815 Run-TryBot: Roland Shoemaker <[email protected]> Auto-Submit: Roland Shoemaker <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Bryan Mills <[email protected]> * all: replace bytes.Compare with bytes.Equal Change-Id: I911366b91ff2a1d02d7de202a166d876fb873142 GitHub-Last-Rev: f50e00376856fb9da36bb98ed0cdfd96c2f3b304 GitHub-Pull-Request: golang/crypto#233 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/438536 TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> Reviewed-by: Ian Lance Taylor <[email protected]> Run-TryBot: Ian Lance Taylor <[email protected]> Auto-Submit: Ian Lance Taylor <[email protected]> * ssh: add ServerConfig.NoClientAuthCallback It was possible to accept auth type "none" before, but not dynamically at runtime as a function of the ConnMetadata like the other auth types' callback hooks. Fixes golang/go#51994 Change-Id: I83ea80901d4977d8f78523e3d1e16e0a7df5b172 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/395314 Reviewed-by: Roland Shoemaker <[email protected]> Run-TryBot: Brad Fitzpatrick <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Julie Qiu <[email protected]> * all: fix a few function names on comments Change-Id: Iac9c8f06b874e62b56f634dede8757b87514f421 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/442135 Run-TryBot: Ian Lance Taylor <[email protected]> Auto-Submit: Ian Lance Taylor <[email protected]> Reviewed-by: Ian Lance Taylor <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Joedian Reid <[email protected]> * all: use automatic RFC linking pkgsite automatically links /RFC \d+/ to the mentioned RFC. Insert a bunch of spaces into doc-comments for that to match. Change-Id: I01834d7573428563f21c37e43316442e148dd8c4 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/442055 Reviewed-by: Joedian Reid <[email protected]> Run-TryBot: Ian Lance Taylor <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Ian Lance Taylor <[email protected]> Auto-Submit: Ian Lance Taylor <[email protected]> * go.mod: update golang.org/x dependencies Update golang.org/x dependencies to their latest tagged versions. Once this CL is submitted, and post-submit testing succeeds on all first-class ports across all supported Go versions, this repository will be tagged with its next minor version. Change-Id: If840eea1cadc749ce55efd88eb7d9fc38472839e Reviewed-on: https://go-review.googlesource.com/c/crypto/+/443996 Auto-Submit: Gopher Robot <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> Reviewed-by: Heschi Kreinick <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Run-TryBot: Gopher Robot <[email protected]> * all: use math/bits.RotateLeft Updates golang/go#31456 Change-Id: Idf043a25632526baa190bf42ed360cb79f85e493 GitHub-Last-Rev: 59461578926a85a87cc68dac96c0b7559766b7cf GitHub-Pull-Request: golang/crypto#195 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/356518 Auto-Submit: Filippo Valsorda <[email protected]> Run-TryBot: Filippo Valsorda <[email protected]> Reviewed-by: Heschi Kreinick <[email protected]> Reviewed-by: David Chase <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Filippo Valsorda <[email protected]> * ssh: fix typo Change-Id: I560d7f5a62161cd88361a9fe9982d36f8e25e5af Reviewed-on: https://go-review.googlesource.com/c/crypto/+/447475 Reviewed-by: Ian Lance Taylor <[email protected]> Auto-Submit: Ian Lance Taylor <[email protected]> Reviewed-by: Than McIntosh <[email protected]> Run-TryBot: Ian Lance Taylor <[email protected]> TryBot-Result: Gopher Robot <[email protected]> * go.mod: update golang.org/x dependencies Update golang.org/x dependencies to their latest tagged versions. Once this CL is submitted, and post-submit testing succeeds on all first-class ports across all supported Go versions, this repository will be tagged with its next minor version. Change-Id: Ic7c0afcece0f3d2065c7a7e08f092c4344d90655 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/448755 Run-TryBot: Gopher Robot <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Heschi Kreinick <[email protected]> Auto-Submit: Gopher Robot <[email protected]> Reviewed-by: Jenny Rakoczy <[email protected]> * all: remove redundant type conversion Change-Id: Ic6b210c1e5b99eef5c6e38d96feaf40e7e6033bb GitHub-Last-Rev: b8ecf761efe6a2eec78a805a99d778bdcdb938f9 GitHub-Pull-Request: golang/crypto#229 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/429016 Run-TryBot: Ian Lance Taylor <[email protected]> Reviewed-by: Ian Lance Taylor <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Michael Knyszek <[email protected]> * ssh: support rsa-sha2-256/512 on the server side This lets clients know we support rsa-sha2-256/512 signatures from ssh-rsa public keys. OpenSSH prefers to break the connection rather than attempting trial and error, apparently. We don't enable support for the "ext-info-s" because we're not interested in any client->server extensions. This also replaces isAcceptableAlgo which was rejecting the rsa-sha2-256/[email protected] public key algorithms. Tested with OpenSSH 9.1 on macOS Ventura. Fixes golang/go#49269 Updates golang/go#49952 Co-authored-by: Nicola Murino <[email protected]> Co-authored-by: Kristin Davidson <[email protected]> Change-Id: I4955c3b12bb45575e9977ac657bb5805b49d00c3 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/447757 Run-TryBot: Filippo Valsorda <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> Reviewed-by: Nicola Murino <[email protected]> Reviewed-by: Michael Knyszek <[email protected]> * internal/wycheproof: update Go 1.20 crypto/ecdh API For golang/go#56052 Change-Id: If34d01132e221ff525319e43d127ef14579f9054 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/451095 Reviewed-by: Bryan Mills <[email protected]> Reviewed-by: Joedian Reid <[email protected]> Auto-Submit: Filippo Valsorda <[email protected]> Run-TryBot: Filippo Valsorda <[email protected]> Run-TryBot: Joedian Reid <[email protected]> TryBot-Result: Gopher Robot <[email protected]> * cryptobyte: add support for ReadASN1Integer into []byte This lets us extract large integers without involving math/big. While at it, drop some use of reflect where a type switch will do. Change-Id: Iebe2fb2267610bf95cf9747ba1d49b5ac9e62cda Reviewed-on: https://go-review.googlesource.com/c/crypto/+/451515 Run-TryBot: Filippo Valsorda <[email protected]> Reviewed-by: Damien Neil <[email protected]> Reviewed-by: Bryan Mills <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Auto-Submit: Filippo Valsorda <[email protected]> * go.mod: update golang.org/x dependencies Update golang.org/x dependencies to their latest tagged versions. Once this CL is submitted, and post-submit testing succeeds on all first-class ports across all supported Go versions, this repository will be tagged with its next minor version. Change-Id: If72a913d54ec282d75e270409971b148df4b417c Reviewed-on: https://go-review.googlesource.com/c/crypto/+/455436 Reviewed-by: Carlos Amedee <[email protected]> Run-TryBot: Gopher Robot <[email protected]> Auto-Submit: Gopher Robot <[email protected]> Reviewed-by: Heschi Kreinick <[email protected]> TryBot-Result: Gopher Robot <[email protected]> * acme: eliminate arbitrary timeouts in tests Fixes golang/go#57107. Change-Id: I20b1f6ca85170c6b4731d7c7ea06f4db742526cc Reviewed-on: https://go-review.googlesource.com/c/crypto/+/456123 TryBot-Result: Gopher Robot <[email protected]> Run-TryBot: Bryan Mills <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> Auto-Submit: Bryan Mills <[email protected]> * ssh: ensure that handshakeTransport goroutines have finished before Close returns This fixes a data race in the tests for x/crypto/ssh, which expects to be able to examine a transport's read and write counters without locking after closing it. (Given the number of goroutines, channels, and mutexes used in this package, I wouldn't be surprised if other concurrency bugs remain. I would suggest simplifying the concurrency in this package, but I don't intend to follow up on that myself at the moment.) Fixes golang/go#56957. Change-Id: Ib1f1390b66707c66a3608e48f3f52483cff3c1f5 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/456758 Reviewed-by: Roland Shoemaker <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Auto-Submit: Bryan Mills <[email protected]> Run-TryBot: Bryan Mills <[email protected]> * internal/wycheproof: also use Verify in TestECDSA Check both Verify and VerifyASN1 in the ECDSA tests. Change-Id: Id767354484a7da18ae4e00cd6f2a01a2909e6732 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/453755 Reviewed-by: Than McIntosh <[email protected]> Run-TryBot: Roland Shoemaker <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Filippo Valsorda <[email protected]> * bcrypt: reject passwords longer than 72 bytes By design, bcrypt only uses the first 72 bytes of a password when generating a hash. Most implementations, including the reference one, simply silently ignore any trailing input when provided passwords longer than 72 bytes. This can cause confusion for users who expect the entire password to be used to generate the hash. In GenerateFromPassword, reject passwords longer than 72 bytes. CompareHashAndPassword will still accept these passwords, since we cannot break hashes that have already been stored. Fixes golang/go#36546 Change-Id: I039addd2a2961a7fa9d1e4a3e892a9e3c8bf4c9a Reviewed-on: https://go-review.googlesource.com/c/crypto/+/450415 Reviewed-by: Damien Neil <[email protected]> Reviewed-by: Jason McNeil <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Filippo Valsorda <[email protected]> Auto-Submit: Roland Shoemaker <[email protected]> Run-TryBot: Roland Shoemaker <[email protected]> * go.mod: update golang.org/x dependencies Update golang.org/x dependencies to their latest tagged versions. Once this CL is submitted, and post-submit testing succeeds on all first-class ports across all supported Go versions, this repository will be tagged with its next minor version. Change-Id: I25128883772569c8f729b091b0efcbc4afcbea67 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/460500 Run-TryBot: Gopher Robot <[email protected]> Auto-Submit: Gopher Robot <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> Reviewed-by: Heschi Kreinick <[email protected]> * all: fix some comments Change-Id: I11030ee466c8cac6855ce4fe2cf72e0b8d7029f8 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/463796 Auto-Submit: Ian Lance Taylor <[email protected]> Reviewed-by: Michael Knyszek <[email protected]> Run-TryBot: Ian Lance Taylor <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Ian Lance Taylor <[email protected]> * cryptobyte: reject negative Unwrite argument Fixes golang/go#57112 Change-Id: I7a533046a6451d7ae3704eb81e6ddeec8442cf06 GitHub-Last-Rev: 3b088d95a2feca197cc4ebd1d9d34cb28008349f GitHub-Pull-Request: golang/crypto#249 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/464338 TryBot-Result: Gopher Robot <[email protected]> Auto-Submit: Roland Shoemaker <[email protected]> Reviewed-by: Emmanuel Odeke <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> Run-TryBot: Roland Shoemaker <[email protected]> Reviewed-by: Bryan Mills <[email protected]> * go.mod: update golang.org/x dependencies Update golang.org/x dependencies to their latest tagged versions. Once this CL is submitted, and post-submit testing succeeds on all first-class ports across all supported Go versions, this repository will be tagged with its next minor version. Change-Id: If0ff32acaae5f6a717ed4d178a88f3346ecf1600 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/466736 Auto-Submit: Gopher Robot <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> Reviewed-by: Heschi Kreinick <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Run-TryBot: Gopher Robot <[email protected]> * ssh: add support for [email protected] Change-Id: I91caf3bda3dfd00c050f5ebf23c2a35a04c5762b GitHub-Last-Rev: 6e71340e7960b5b6f71f7b96eeeaf8dfb268e306 GitHub-Pull-Request: golang/crypto#127 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/223518 Auto-Submit: Filippo Valsorda <[email protected]> Run-TryBot: Filippo Valsorda <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> Reviewed-by: Filippo Valsorda <[email protected]> Reviewed-by: Han-Wen Nienhuys <[email protected]> * go.mod: update golang.org/x dependencies Update golang.org/x dependencies to their latest tagged versions. Once this CL is submitted, and post-submit testing succeeds on all first-class ports across all supported Go versions, this repository will be tagged with its next minor version. Change-Id: Ic0f0e8147eae1918612c3d1a1c1de14af0a43294 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/473439 Reviewed-by: Dmitri Shuralyov <[email protected]> Auto-Submit: Gopher Robot <[email protected]> Reviewed-by: Heschi Kreinick <[email protected]> Run-TryBot: Gopher Robot <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> * ssh: document that ParseRawPrivateKey supports Ed25519 keys From CL 173457 and CL 235358. Change-Id: Ia46ab9c7e2c57472df3126ddc7050f0068fcaab9 GitHub-Last-Rev: c38e379355602fe4ff11ff65f98c296d5c326281 GitHub-Pull-Request: golang/crypto#146 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/241282 Auto-Submit: Han-Wen Nienhuys <[email protected]> Reviewed-by: Bryan Mills <[email protected]> Reviewed-by: Han-Wen Nienhuys <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Run-TryBot: Han-Wen Nienhuys <[email protected]> * curve25519: use crypto/ecdh on Go 1.20 For golang/go#52221 Change-Id: I27e867d4cc89cd52c8d510f0dbab4e89b7cd4763 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/451115 Auto-Submit: Filippo Valsorda <[email protected]> Reviewed-by: Cherry Mui <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Run-TryBot: Filippo Valsorda <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> * all: fix some comments Change-Id: Ia0410f1f3bb0a9ee68c6dbe1e6f62f65f9e00955 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/477755 Reviewed-by: Ian Lance Taylor <[email protected]> Auto-Submit: Ian Lance Taylor <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> Auto-Submit: Roland Shoemaker <[email protected]> Run-TryBot: shuang cui <[email protected]> Run-TryBot: Ian Lance Taylor <[email protected]> TryBot-Result: Gopher Robot <[email protected]> * go.mod: update golang.org/x dependencies Update golang.org/x dependencies to their latest tagged versions. Once this CL is submitted, and post-submit testing succeeds on all first-class ports across all supported Go versions, this repository will be tagged with its next minor version. Change-Id: I568d040817345a10881c31b8efc296f543e59113 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/482855 Reviewed-by: Heschi Kreinick <[email protected]> Auto-Submit: Gopher Robot <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Run-TryBot: Gopher Robot <[email protected]> Reviewed-by: Carlos Amedee <[email protected]> * cryptobyte: reject Object Identifiers with leading 0x80 Change-Id: Ie3a1b53e801077cd86963799e644b9783943933c GitHub-Last-Rev: 6629bd74f1874eb9fde8e72bfb444ebf9073a1ab GitHub-Pull-Request: golang/crypto#255 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/483955 Run-TryBot: Mateusz Poliwczak <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Ian Lance Taylor <[email protected]> Auto-Submit: Ian Lance Taylor <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> Run-TryBot: Ian Lance Taylor <[email protected]> * ssh/test: skip TestValidTerminalMode on non-Bourne shells Fixes golang/go#38037. Change-Id: Ide77dddc9f57b3f0318a419a1474e11215623b64 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/485175 Run-TryBot: Bryan Mills <[email protected]> Commit-Queue: Bryan Mills <[email protected]> Auto-Submit: Bryan Mills <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> * ssh: skip unsupported tests on wasip1 Updates golang/go#32840 Updates golang/go#58141 Change-Id: Ib4425c1743d417920745205586af250dbf80c7e4 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/485695 Auto-Submit: Tobias Klauser <[email protected]> Reviewed-by: Bryan Mills <[email protected]> Run-TryBot: Tobias Klauser <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Ian Lance Taylor <[email protected]> * ssh/test: enable on solaris Change-Id: Icf9c867e64ef68f6f46dd7d4cec07cf7c315c2ad Reviewed-on: https://go-review.googlesource.com/c/crypto/+/490155 Reviewed-by: Bryan Mills <[email protected]> Reviewed-by: Ian Lance Taylor <[email protected]> Run-TryBot: Tobias Klauser <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Auto-Submit: Tobias Klauser <[email protected]> * go.mod: update golang.org/x dependencies Update golang.org/x dependencies to their latest tagged versions. Once this CL is submitted, and post-submit testing succeeds on all first-class ports across all supported Go versions, this repository will be tagged with its next minor version. Change-Id: I1eb2365549b72cbad23fa7c355f427c6ed75e450 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/493575 TryBot-Result: Gopher Robot <[email protected]> Auto-Submit: Gopher Robot <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> Run-TryBot: Gopher Robot <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> Reviewed-by: Heschi Kreinick <[email protected]> * Add support for "[email protected]" Change-Id: I0203881afd7ad72e68f76650817451d7e292c91b GitHub-Last-Rev: 42b4119e1987e7a46aa06a2b142d5fd3ef6f216a GitHub-Pull-Request: golang/crypto#129 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/226982 Run-TryBot: Han-Wen Nienhuys <[email protected]> Reviewed-by: Han-Wen Nienhuys <[email protected]> Auto-Submit: Han-Wen Nienhuys <[email protected]> Reviewed-by: David Chase <[email protected]> TryBot-Result: Gopher Robot <[email protected]> * x509roots: add new module Adds the nss parser, under x509roots/nss, and the fallback module/package, with the initial generated bundle. Fixes golang/go#57792 Change-Id: Iebb1052e49126fa5baba1236f4ebc8dd8a823179 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/462036 Reviewed-by: Dmitri Shuralyov <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Run-TryBot: Roland Shoemaker <[email protected]> Reviewed-by: Filippo Valsorda <[email protected]> Reviewed-by: Damien Neil <[email protected]> Auto-Submit: Roland Shoemaker <[email protected]> * go.mod: tell x repo tagging to ignore dep on net CL 475438 introduced a cycle between net and crypto. This direction is less important, so have the tagging process ignore it. Change-Id: Ie424fef0238702a5a16aba79bb60f86f39dc66eb Reviewed-on: https://go-review.googlesource.com/c/crypto/+/502595 Auto-Submit: Heschi Kreinick <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Damien Neil <[email protected]> Run-TryBot: Heschi Kreinick <[email protected]> * go.mod: update golang.org/x dependencies Update golang.org/x dependencies to their latest tagged versions. Once this CL is submitted, and post-submit testing succeeds on all first-class ports across all supported Go versions, this repository will be tagged with its next minor version. Change-Id: If19e251a79af033583e6968766b7a831741cebb7 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/502518 Reviewed-by: Heschi Kreinick <[email protected]> Run-TryBot: Gopher Robot <[email protected]> Reviewed-by: Carlos Amedee <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Auto-Submit: Gopher Robot <[email protected]> * ssh/test: set a timeout and WaitDelay on sshd subcommands This uses a copy of testenv.Command copied from the main repo, with light edits to allow the testenv helpers to build with Go 1.19. The testenv helper revealed an exec.Command leak in TestCertLogin, so we also fix that leak and simplify server cleanup using testing.T.Cleanup. For golang/go#60099. Fixes golang/go#60343. Change-Id: I7f79fcdb559498b987ee7689972ac53b83870aaf Reviewed-on: https://go-review.googlesource.com/c/crypto/+/496935 Auto-Submit: Bryan Mills <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> Run-TryBot: Bryan Mills <[email protected]> * x509roots: use "generate" build tag Since go generate sets it automatically. Change-Id: I4623e523392140c0472b250ac99c8c3fa31e5b15 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/504595 Auto-Submit: Roland Shoemaker <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> Run-TryBot: Roland Shoemaker <[email protected]> * x509roots: fix generate script argument checking Check for supply of both arguments forgot that the URL is set by default. Instead just let the local path supersede the URL. Change-Id: I0499137c99c735e8e453ff1c2a925435f3cd8039 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/504596 Run-TryBot: Roland Shoemaker <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> Auto-Submit: Roland Shoemaker <[email protected]> * x509roots: remove list hash and generation date, change ordering This makes the automated update workflow simpler. Also switch the ordering from human readable subject (which is not necessarily unique), to the raw SPKI (which should always be unique). This makes it somewhat harder to read to a human (since it'll appear a little jumbled) but results in a stable sort. Note this results in adding two new roots, which were added since we last generated the bundle. Change-Id: Id4d34bf9e98164e7b2fc4f06f9b46b63c0013d23 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/504597 Run-TryBot: Roland Shoemaker <[email protected]> Reviewed-by: Heschi Kreinick <[email protected]> TryBot-Result: Gopher Robot <[email protected]> * ssh: add hmac-sha2-512 This adds support for hmac-sha2-512 to ensure compatibility with SSH clients that request this MAC algorithm. This rebases https://github.com/golang/crypto/pull/18. Change-Id: Ia103c10a8b7e2e8dde556d5c36550eb5fa6bc1f6 GitHub-Last-Rev: 987ccae2bc7ae5e90a482d8797351c39dcb9bf33 GitHub-Pull-Request: golang/crypto#257 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/501455 Reviewed-by: Dmitri Shuralyov <[email protected]> Commit-Queue: Han-Wen Nienhuys <[email protected]> Auto-Submit: Dmitri Shuralyov <[email protected]> Reviewed-by: Han-Wen Nienhuys <[email protected]> Run-TryBot: Han-Wen Nienhuys <[email protected]> TryBot-Result: Gopher Robot <[email protected]> * x509roots/fallback: add //go:build go1.20 to bundle.go Package fallback has no API; its only purpose is to automatically call x509.SetFallbackRoots with a set of fallback roots. That API was added in Go 1.20, hence the go1.20 build constraint in fallback.go. Add that constraint to bundle.go too, so that it fails to build rather than quietly being a no-op in Go 1.19. Also simplify Write(fmt.Sprintf()) into fmt.Fprintf while here. Add a temporary workaround for go.dev/issue/52287. It has no effect on the public API in this module. For golang/go#57792. For golang/go#52287. Change-Id: I1fe13f7d54b07b0b031e8bae685cffd7a8160165 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/505578 Auto-Submit: Dmitri Shuralyov <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> Run-TryBot: Dmitri Shuralyov <[email protected]> * x509roots: generate a stable sort, for real this time Sort based on the stringified subject, then break ties based on the raw DER (which will, actually, be unique this time). Change-Id: I3dd912fb19b103e92fabfb4562e31c6dcec40614 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/505695 Reviewed-by: Dmitri Shuralyov <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Run-TryBot: Roland Shoemaker <[email protected]> * go.mod: update golang.org/x dependencies Update golang.org/x dependencies to their latest tagged versions. Once this CL is submitted, and post-submit testing succeeds on all first-class ports across all supported Go versions, this repository will be tagged with its next minor version. Change-Id: Icede82501a3703fcaad524f6b91ff6e5452b4547 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/507837 Reviewed-by: Heschi Kreinick <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> Run-TryBot: Gopher Robot <[email protected]> Auto-Submit: Gopher Robot <[email protected]> TryBot-Result: Gopher Robot <[email protected]> * ssh: prefer sha256 based MAC algorithms sha256 is more optimized than sha512 in Go and is secure enough so prefer sha256 over sha512. Fixes golang/go#61138 Change-Id: I7658808655367f1ab5f4ac8b52e6b20bd30ebf87 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/507555 Run-TryBot: Filippo Valsorda <[email protected]> Reviewed-by: Filippo Valsorda <[email protected]> Auto-Submit: Filippo Valsorda <[email protected]> Reviewed-by: Joedian Reid <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> * ssh: fix RSA certificate and public key authentication with older clients After adding support for rsa-sha2-256/512 on the server side some edge cases started to arise with old clients: 1) public key authentication with gpg-agent < 2.2.6 fails because we receive ssh-rsa as signature format and rsa-sha2-256 or rsa-sha2-512 as algorithm. This is a bug in gpg-agent fixed in this commit: https://github.com/gpg/gnupg/commit/80b775bdbb852aa4a80292c9357e5b1876110c00 2) certificate authentication fails with OpenSSH 7.2-7.7 because we receive [email protected] as algorithm and rsa-sha2-256 or rsa-sha2-512 as signature format. This patch is based on CL 412854 and has been tested with every version of OpenSSH from 7.1 to 7.9 and OpenSSH 9.3. Fixes golang/go#53391 Change-Id: Id71f596f73d84efb5c76d6d5388432cccad3e3b1 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/506835 Auto-Submit: Filippo Valsorda <[email protected]> Reviewed-by: Filippo Valsorda <[email protected]> Run-TryBot: Filippo Valsorda <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> * fix TestValidTerminalMode: missing output from echo SHELL $SHELL add leading `echo` to have better compatibility before ``` go test -run ^TestValidTerminalMode -v === RUN TestValidTerminalMode session_test.go:261: echo SHELL $SHELL && stty -a && exit: Last login: Thu Jul 6 12:24:38 2023 from 192.168.200.1 SHELL /bin/bashubuntu:~$ speed 38400 baud; rows 80; columns 40; line = 0; intr = ^C; quit = ^\; erase = ^?; kill = ^U; eof = ^D; eol = <undef>; eol2 = <undef>; swtch = <undef>; start = ^Q; stop = ^S; susp = ^Z; rprnt = ^R; werase = ^W; lnext = ^V; discard = ^O; min = 1; time = 0; -parenb -parodd -cmspar cs8 -hupcl -cstopb cread -clocal -crtscts -ignbrk -brkint -ignpar -parmrk -inpck -istrip -inlcr -igncr icrnl ixon -ixoff -iuclc -ixany -imaxbel -iutf8 opost -olcuc -ocrnl onlcr -onocr -onlret -ofill -ofdel nl0 cr0 tab0 bs0 vt0 ff0 isig icanon iexten -echo echoe echok -echonl -noflsh -xcase -tostop -echoprt echoctl echoke -flusho -extproc logout session_test.go:266: missing output from echo SHELL $SHELL ``` after ``` go test -run ^TestValidTerminalMode -v === RUN TestValidTerminalMode session_test.go:261: echo SHELL $SHELL && stty -a && exit: Last login: Thu Jul 6 12:24:38 2023 from 192.168.200.1 bolian@ubuntu:~$ SHELL /bin/bash speed 38400 baud; rows 80; columns 40; line = 0; intr = ^C; quit = ^\; erase = ^?; kill = ^U; eof = ^D; eol = <undef>; eol2 = <undef>; swtch = <undef>; start = ^Q; stop = ^S; susp = ^Z; rprnt = ^R; werase = ^W; lnext = ^V; discard = ^O; min = 1; time = 0; -parenb -parodd -cmspar cs8 -hupcl -cstopb cread -clocal -crtscts -ignbrk -brkint -ignpar -parmrk -inpck -istrip -inlcr -igncr icrnl ixon -ixoff -iuclc -ixany -imaxbel -iutf8 opost -olcuc -ocrnl onlcr -onocr -onlret -ofill -ofdel nl0 cr0 tab0 bs0 vt0 ff0 isig icanon iexten -echo echoe echok -echonl -noflsh -xcase -tostop -echoprt echoctl echoke -flusho -extproc logout --- PASS: TestValidTerminalMode (0.06s) ``` Change-Id: If60c040edb8c78a7d86bf58a6be47636d9e8f173 GitHub-Last-Rev: a2cc1b1af09e47df82fcb8685d829dfed945e8b0 GitHub-Pull-Request: golang/crypto#264 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/508115 Reviewed-by: Heschi Kreinick <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Run-TryBot: Heschi Kreinick <[email protected]> Auto-Submit: Heschi Kreinick <[email protected]> Reviewed-by: Bryan Mills <[email protected]> * ssh: disable client agent tests on Windows ssh-agent is implemented as a Windows service and exposed on a named pipe. We don't currently support it. See golang/go#60981 Change-Id: Iebdc42db30b37a87ac0766231b16aff3f17b3f56 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/509035 Run-TryBot: Heschi Kreinick <[email protected]> Reviewed-by: Cherry Mui <[email protected]> Reviewed-by: Heschi Kreinick <[email protected]> Auto-Submit: Heschi Kreinick <[email protected]> TryBot-Result: Gopher Robot <[email protected]> * ssh: prefer sha256 based RSA key algorithms sha256 is more optimized than sha512 in Go and is secure enough so prefer sha256 over sha512. Change-Id: I3fcf7457791e3ef4539e97049aa905dcd293499d Reviewed-on: https://go-review.googlesource.com/c/crypto/+/507556 Reviewed-by: Filippo Valsorda <[email protected]> Reviewed-by: Cherry Mui <[email protected]> Run-TryBot: Filippo Valsorda <[email protected]> Auto-Submit: Filippo Valsorda <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> * internal/wycheproof: skip all tests in short test mode The testdata for this package is around 8 MB and downloaded dynamically via 'go mod download' from its canonical source rather than being copied to this repository. We're moving towards disallowing all network use in short test mode, including proxy.golang.org, so add a corresponding test skip. Needing to lookup a go test flag is unfortunate, but I don't know of a less bad available option while the test does the download in TestMain. On balance, it becomes viable to no longer disable the checksum database since the test will only run on builders that permit internet use and so sum.golang.org should just work. Change-Id: Iaffe3899351da375928aaba114c4875f5438336b Reviewed-on: https://go-review.googlesource.com/c/crypto/+/510695 Run-TryBot: Dmitri Shuralyov <[email protected]> Auto-Submit: Dmitri Shuralyov <[email protected]> Reviewed-by: Heschi Kreinick <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> TryBot-Result: Gopher Robot <[email protected]> * x509roots/fallback: update bundle This is an automated CL which updates the NSS root bundle. Change-Id: Ic70152e674c60e48e85d96eab244add9b4fa5eb8 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/512595 Reviewed-by: Dmitri Shuralyov <[email protected]> Run-TryBot: Gopher Robot <[email protected]> Auto-Submit: Gopher Robot <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> TryBot-Result: Gopher Robot <[email protected]> * ssh: ignore invalid MACs and KEXs just like we do for ciphers Tighter validation could cause backwards incompatibility issues, eg configurations with valid and invalid MACs, KEXs, ciphers currently work if a supported algorithm is negotiated and that's also the scenario of removing support for an existing algorithm. Fixes golang/go#39397 Change-Id: If90253ba89e1d8f732cc1e1c3d24fe0a1e2dac71 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/512175 Run-TryBot: Han-Wen Nienhuys <[email protected]> Reviewed-by: Filippo Valsorda <[email protected]> Reviewed-by: Han-Wen Nienhuys <[email protected]> Auto-Submit: Filippo Valsorda <[email protected]> Reviewed-by: David Chase <[email protected]> TryBot-Result: Gopher Robot <[email protected]> * ssh: add diffie-hellman-group16-sha512 kex This group is disabled by default because it is a bit slower than the others. The group18-sha512 variant is too slow to include. Benchstat results including diffie-hellman-group18-sha512: name time/op Kexes/diffie-hellman-group-exchange-sha256-12 22.6ms ± 9% Kexes/diffie-hellman-group18-sha512-12 1.15s ±11% Kexes/ecdh-sha2-nistp384-12 3.91ms ± 6% Kexes/ecdh-sha2-nistp256-12 304µs ± 5% Kexes/[email protected] 413µs ± 7% Kexes/ecdh-sha2-nistp521-12 11.6ms ±13% Kexes/curve25519-sha256-12 361µs ± 5% Kexes/diffie-hellman-group-exchange-sha1-12 22.9ms ± 9% Kexes/diffie-hellman-group1-sha1-12 3.59ms ± 6% Kexes/diffie-hellman-group14-sha1-12 22.1ms ±11% Kexes/diffie-hellman-group14-sha256-12 21.6ms ± 8% Kexes/diffie-hellman-group16-sha512-12 138ms ± 9% name alloc/op Kexes/diffie-hellman-group-exchange-sha256-12 67.8kB ± 1% Kexes/diffie-hellman-group18-sha512-12 243kB ± 9% Kexes/ecdh-sha2-nistp384-12 13.9kB ± 0% Kexes/ecdh-sha2-nistp256-12 12.1kB ± 0% Kexes/[email protected] 8.22kB ± 0% Kexes/ecdh-sha2-nistp521-12 16.5kB ± 0% Kexes/curve25519-sha256-12 8.22kB ± 0% Kexes/diffie-hellman-group-exchange-sha1-12 67.5kB ± 0% Kexes/diffie-hellman-group1-sha1-12 34.9kB ± 0% Kexes/diffie-hellman-group14-sha1-12 61.9kB ± 0% Kexes/diffie-hellman-group14-sha256-12 62.0kB ± 0% Kexes/diffie-hellman-group16-sha512-12 117kB ± 0% name allocs/op Kexes/diffie-hellman-group-exchange-sha256-12 314 ± 0% Kexes/diffie-hellman-group18-sha512-12 271 ± 4% Kexes/ecdh-sha2-nistp384-12 243 ± 0% Kexes/ecdh-sha2-nistp256-12 213 ± 0% Kexes/[email protected] 168 ± 0% Kexes/ecdh-sha2-nistp521-12 245 ± 0% Kexes/curve25519-sha256-12 168 ± 0% Kexes/diffie-hellman-group-exchange-sha1-12 314 ± 0% Kexes/diffie-hellman-group1-sha1-12 255 ± 0% Kexes/diffie-hellman-group14-sha1-12 255 ± 0% Kexes/diffie-hellman-group14-sha256-12 255 ± 0% Kexes/diffie-hellman-group16-sha512-12 256 ± 0% Change-Id: Id119401fda7e417675325f37e3d442e70585206c Reviewed-on: https://go-review.googlesource.com/c/crypto/+/506839 Run-TryBot: Filippo Valsorda <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Cherry Mui <[email protected]> Auto-Submit: Filippo Valsorda <[email protected]> Reviewed-by: David Chase <[email protected]> Reviewed-by: Filippo Valsorda <[email protected]> * ssh: fix call to Fatalf from a non-test goroutine Also fix some redundant type declarations. Change-Id: Iad2950b67b1ec2e2590c59393b8ad15421ed3add GitHub-Last-Rev: 41cf552f11387208491dee7b867050475043b25e GitHub-Pull-Request: golang/crypto#263 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/505798 Reviewed-by: Dmitri Shuralyov <[email protected]> Reviewed-by: David Chase <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Auto-Submit: Dmitri Shuralyov <[email protected]> Reviewed-by: Filippo Valsorda <[email protected]> Run-TryBot: Filippo Valsorda <[email protected]> * go.mod: update golang.org/x dependencies Update golang.org/x dependencies to their latest tagged versions. Once this CL is submitted, and post-submit testing succeeds on all first-class ports across all supported Go versions, this repository will be tagged with its next minor version. Change-Id: Id40feba36dfc31c7033c91b952ec824a38e048ee Reviewed-on: https://go-review.googlesource.com/c/crypto/+/515976 Auto-Submit: Gopher Robot <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> Reviewed-by: Heschi Kreinick <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Run-TryBot: Gopher Robot <[email protected]> * go.mod: update golang.org/x dependencies Update golang.org/x dependencies to their latest tagged versions. Change-Id: Ib391e4f2f09056cb025de97d5d8f2640859d9163 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/525335 Run-TryBot: Gopher Robot <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Auto-Submit: Gopher Robot <[email protected]> Reviewed-by: Heschi Kreinick <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> * ssh: check the declared public key algo against decoded one This check will ensure we don't accept e.g. [email protected] algorithm with ssh-rsa public key type. The algorithm and public key type must be consistent: both must be certificate algorithms, or neither. Change-Id: I1d75074fb4d6db3a8796408e98ddffe577a96ab1 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/506836 TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> Reviewed-by: Cherry Mui <[email protected]> Auto-Submit: Filippo Valsorda <[email protected]> Reviewed-by: Filippo Valsorda <[email protected]> Run-TryBot: Filippo Valsorda <[email protected]> * ssh: support for marshaling keys using the OpenSSH format This adds methods to marshal private keys, encrypted and unencrypted to the OpenSSH format. Fixes golang/go#37132 Change-Id: I1a95301f789ce04858e6b147748c6e8b7700384b Reviewed-on: https://go-review.googlesource.com/c/crypto/+/218620 Run-TryBot: Roland Shoemaker <[email protected]> TryBot-Result: Gopher Robot <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]> Reviewed-by: Cherry Mui <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> Auto-Submit: Roland Shoemaker <[email protected]> * cryptobyte: add uint48 methods Adds uint48 methods for cryptobyte.Builder and cryptobyte.String. Supporting 48-bit unsigned integers is useful for working with protocols that use them for sequence numbers, such as DTLS. Fixes golang/go#61275 Change-Id: Ibe49422d37644b9212b28b123dc5e01850f7b05b GitHub-Last-Rev: 11b388c240109c8f4ac23880645c901ce6d2f093 GitHub-Pull-Request: golang/crypto#265 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/508675 Reviewed-by: Roland Shoemaker <[email protected]> Reviewed-by: Cherry Mui <[email protected]> Reviewed-by: qiulaidongfeng <[email protected]> Run-TryBot: Roland Shoemaker <[email protected]> Auto-Submit: Roland Shoemaker <[email protected]> TryBot-Result: Gopher Robot <[email protected]> * sha3: have ShakeHash extend hash.Hash Package sha3 recommends the SHAKE functions for new uses, but this is currently somewhat inconvenient because ShakeHash does not implement hash.Hash. This is understandable, as SHAKE supports arbitrary-length outputs whereas hash.Hash only supports fixed-length outputs. But there's a natural fixed-length output to provide: the minimum output that still provides SHAKE's full-strength generic security. While here, tweak Sum so that its temporary buffer can be stack allocated. Also, tweak the panic message in Write so that the error text is more readily understandable to Go programmers without needing to be familiar with crypto jargon, and add a similar check in Sum. Change-Id: Icf037d3990a71de5630f8825606614443f8c5245 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/526937 LUCI-TryBot-Result: Go LUCI <[email protected]> Reviewed-by: Adam Langley <[email protected]> Auto-Submit: Matthew Dempsky <[email protected]> * ssh: add MultiAlgorithmSigner MultiAlgorithmSigner allows to restrict client-side, server-side and certificate signing algorithms. Fixes golang/go#52132 Fixes golang/go#36261 Change-Id: I295092f1bba647327aaaf294f110e9157d294159 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/508398 Reviewed-by: Filippo Valsorda <[email protected]> Run-TryBot: Filippo Valsorda <[email protected]> Reviewed-by: Ian Lance Taylor <[email protected]> Auto-Submit: Filippo Valsorda <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Matthew Dempsky <[email protected]> * ssh: add test cases for compatibility with old (buggy) clients Improved test cases for CL 506835. Change-Id: If4a98ae4a7b39d2e59b203d10080b71283e1a80e Reviewed-on: https://go-review.googlesource.com/c/crypto/+/525735 TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Matthew Dempsky <[email protected]> Run-TryBot: Filippo Valsorda <[email protected]> Reviewed-by: Ian Lance Taylor <[email protected]> Reviewed-by: Filippo Valsorda <[email protected]> Auto-Submit: Filippo Valsorda <[email protected]> * all: use crypto/ed25519 instead of golang.org/x/crypto/ed25519 This is a follow-up to CL 317169, which dropped go1.12 compatibility, and made the golang.org/x/crypto/ed25519 package an alias / wrapper for crypto/ed25519 in stdlib. This patch updates uses within this repository to use stdlib instead of depending on the wrapper. With this patch applied, the only remaining use of the wrapper is in ed25519_test, which appears to be in place to verify compatibility of the wrapper itself. Change-Id: I0195396102a75ae20bdd82ca8ab59855c0eb5cea GitHub-Last-Rev: 24dbec563cbd84bc47bdc7736b0245fc83dd3353 GitHub-Pull-Request: golang/crypto#238 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/448238 Reviewed-by: Bryan Mills <[email protected]> Run-TryBot: Nicola Murino <[email protected]> Reviewed-by: Nicola Murino <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Joedian Reid <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> Reviewed-by: Than McIntosh <[email protected]> * chacha20: drop Go 1.10 compatibility for arm64 Other packages already dropped compatibility with go < 1.12, so it should be safe to remove it for this package as well. Change-Id: Ib1424763e3aa94d0187a667ebee058100136f53b GitHub-Last-Rev: 51df9690a5f37ba50d5ae5e84cf31b78fb6c5cd8 GitHub-Pull-Request: golang/crypto#241 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/448241 Reviewed-by: Roland Shoemaker <[email protected]> Auto-Submit: Filippo Valsorda <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> Reviewed-by: Than McIntosh <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Run-TryBot: Roland Shoemaker <[email protected]> Reviewed-by: Filippo Valsorda <[email protected]> Reviewed-by: Joedian Reid <[email protected]> * ssh: add server side support for [email protected] protocol extension Fixes golang/go#62390 Change-Id: Ie4dc577fb55b45a0c26a9e2dc5903af2bd382e00 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/524775 TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Matthew Dempsky <[email protected]> Reviewed-by: Than McIntosh <[email protected]> Run-TryBot: Nicola Murino <[email protected]> Reviewed-by: Filippo Valsorda <[email protected]> * go.mod: update golang.org/x dependencies Update golang.org/x dependencies to their latest tagged versions. Change-Id: Ib80d50bdd762d1ba04f9267aeddc17272ef8cd66 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/532976 LUCI-TryBot-Result: Go LUCI <[email protected]> Reviewed-by: Carlos Amedee <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> Auto-Submit: Gopher Robot <[email protected]> * ssh: add support for SSH_AGENT_CONSTRAIN_EXTENSION with id 255 it was changed in the following draft https://datatracker.ietf.org/doc/html/draft-miller-ssh-agent-03 The id 3 is now used for SSH_AGENT_CONSTRAIN_MAXSIGN key constraint, an OpenSSH extension to the protocol that we do not currently support. Instead, we added a compatibility layer for SSH_AGENT_CONSTRAIN_EXTENSION with ID 3. Fixes golang/go#62311 Change-Id: I421aee92aee9e693e43f66e6a5515c055333cb9b Reviewed-on: https://go-review.googlesource.com/c/crypto/+/525355 Reviewed-by: Matthew Dempsky <[email protected]> Run-TryBot: Nicola Murino <[email protected]> Reviewed-by: Filippo Valsorda <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Than McIntosh <[email protected]> * all: update go directive to 1.18 Done with: go get [email protected] go mod tidy go fix ./... Using go1.21.3. Also update avo to v0.5.0 in the curve25519/internal/field/_asm module. It's newer and produces no diff in the generated code. For golang/go#60268. Change-Id: I9bd771ee8561595d7f68aaca76df6e3e33d35013 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/534141 LUCI-TryBot-Result: Go LUCI <[email protected]> Reviewed-by: Damien Neil <[email protected]> Auto-Submit: Dmitri Shuralyov <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> * x509roots: check HTTP response status code and media type The HTTP response status code is expected to be 200 OK, and the certdata.txt file media type is expected to be plain text. Check that it is before proceeding with parsing it. Might help avoid repeats of CL 535735. Change-Id: I1a7896b3e20d33a23fdc53c572ae9700c9eae1ef Reviewed-on: https://go-review.googlesource.com/c/crypto/+/536717 LUCI-TryBot-Result: Go LUCI <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> Commit-Queue: Roland Shoemaker <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> Auto-Submit: Roland Shoemaker <[email protected]> * x509roots: catch the zero-roots case when generating the bundle If the parser returns zero roots, don't attempt to completely remove the bundle. This may happen if, i.e., the HTTP response is 200 but has no content. An example of this may be http://go.dev/cl/535735. Change-Id: I81fc2b49c8ec813cca17fd1c807296bfb053d992 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/536136 Reviewed-by: Damien Neil <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> Auto-Submit: Roland Shoemaker <[email protected]> * ssh: add test case against ssh CLI These tests try to ensure better compatibility of our server implementation with the ssh CLI. With these tests in place: 1) before merging CL 447757 we would have noticed that our server implementation was broken with OpenSSH 8.8+ 2) after merging CL 447757 we would have noticed that our server implementation was broken with OpenSSH 7.2-7.7 The ssh CLI from $PATH is used by default, but can be overridden using the SSH_CLI_PATH environment variable. Change-Id: I93d64be41c7613132b0364afac8397f57c2dcbca Reviewed-on: https://go-review.googlesource.com/c/crypto/+/506837 TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Benny Siegert <[email protected]> Reviewed-by: Han-Wen Nienhuys <[email protected]> Run-TryBot: Nicola Murino <[email protected]> * crypto/hkdf: remove useless call to Reset HKDF is commonly used to read keys that are the the same length (or smaller) than the size of the hash digest, which means the loop inside Read only runs once. In that case, calling Reset is unnecesssary overhead. name old time/op new time/op delta 16ByteMD5Single-8 1.39µs ± 1% 1.22µs ± 0% -11.95% (p=0.000 n=10+9) 20ByteSHA1Single-8 826ns ± 0% 746ns ± 0% -9.70% (p=0.000 n=9+10) 32ByteSHA256Single-8 838ns ± 1% 744ns ± 0% -11.29% (p=0.000 n=10+10) 64ByteSHA512Single-8 5.12µs ± 0% 4.57µs ± 0% -10.78% (p=0.000 n=8+10) 8ByteMD5Stream-8 137ns ± 0% 138ns ± 0% +0.27% (p=0.009 n=9+6) 16ByteMD5Stream-8 264ns ± 0% 265ns ± 0% +0.29% (p=0.000 n=10+10) 8ByteSHA1Stream-8 64.1ns ± 0% 64.4ns ± 0% +0.60% (p=0.000 n=9+9) 20ByteSHA1Stream-8 145ns ± 0% 146ns ± 1% +0.69% (p=0.000 n=9+10) 8ByteSHA256Stream-8 42.9ns ± 1% 43.1ns ± 0% +0.48% (p=0.005 n=10+10) 32ByteSHA256Stream-8 151ns ± 0% 152ns ± 0% +0.35% (p=0.006 n=10+8) 8ByteSHA512Stream-8 139ns ± 0% 139ns ± 0% +0.08% (p=0.035 n=9+10) 64ByteSHA512Stream-8 1.07µs ± 0% 1.07µs ± 0% +0.33% (p=0.000 n=9+10) name old speed new speed delta 16ByteMD5Single-8 11.6MB/s ± 0% 13.1MB/s ± 0% +13.50% (p=0.000 n=9+9) 20ByteSHA1Single-8 24.2MB/s ± 0% 26.8MB/s ± 0% +10.75% (p=0.000 n=9+10) 32ByteSHA256Single-8 38.2MB/s ± 1% 43.0MB/s ± 0% +12.72% (p=0.000 n=10+10) 64ByteSHA512Single-8 12.5MB/s ± 0% 14.0MB/s ± 0% +12.06% (p=0.000 n=8+10) 8ByteMD5Stream-8 58.2MB/s ± 0% 58.1MB/s ± 0% -0.27% (p=0.004 n=9+9) 16ByteMD5Stream-8 60.6MB/s ± 0% 60.5MB/s ± 0% -0.27% (p=0.000 n=9+10) 8ByteSHA1Stream-8 125MB/s ± 0% 124MB/s ± 0% -0.59% (p=0.000 n=9+9) 20ByteSHA1Stream-8 138MB/s ± 0% 137MB/s ± 1% -0.69% (p=0.000 n=9+10) 8ByteSHA256Stream-8 186MB/s ± 1% 185MB/s ± 0% -0.47% (p=0.005 n=10+10) 32ByteSHA256Stream-8 211MB/s …

gopherbot added this to the Unreleased milestone Mar 15, 2022

lpcalisi closed this as completed Mar 15, 2022

lpcalisi reopened this Mar 15, 2022

seankhliao changed the title ~~x/crypto: SSH Agent - OpenSSH 8.9 - SSH Agent Restriction~~ x/crypto/ssh: Unmarshal for SSH_AGENTC_EXTENSION Mar 15, 2022

seankhliao added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Mar 15, 2022

bguerout mentioned this issue Mar 22, 2022

Error when starting agent on ArchLinux with OpenSSH 8.9 FiloSottile/yubikey-agent#123

Closed

gopherbot closed this as completed in golang/crypto@bd7e27e Aug 26, 2022

rrjjvv added a commit to rrjjvv/earthly that referenced this issue Aug 26, 2022

Update crypto to address "parse error in message type 27" errors

3ef49c1

This resolves errors stemming from golang/go#51689

This was referenced Aug 26, 2022

Spurious "parse error in message type 27" errors in build output earthly/earthly#2151

Closed

Update crypto to address "parse error in message type 27" errors earthly/earthly#2152

Merged

alexcb pushed a commit to earthly/earthly that referenced this issue Aug 30, 2022

Update crypto to address "parse error in message type 27" errors (#2152)

1b89360

This resolves errors stemming from golang/go#51689

rrjjvv added a commit to rrjjvv/earthly that referenced this issue Oct 15, 2022

Update crypto to address "parse error in message type 27" errors

b953229

This resolves errors stemming from golang/go#51689

proofy mentioned this issue Nov 5, 2022

post/2019-02-24-docker-build-learns-about-secr/ larsks/blog.oddbit.com#7

Open

AkihiroSuda mentioned this issue Nov 11, 2022

ssh: agent support is incompatible with OpenSSH >= 8.9 (ssh: parse error in message type 27) moby/buildkit#3273

Closed

This was referenced Nov 15, 2022

vendor: golang.org/x/crypto v0.1.0, golang.org/x/oauth2 v0.1.0 moby/moby#44419

Merged

[22.06 backport] vendor: golang.org/x/crypto v0.1.0 and other golang.org/x/.. dependencies moby/moby#44468

Merged

thaJeztah mentioned this issue Nov 16, 2022

vendor: docker d15be0c54de92a4d868ebd66dbb1065e264554f2 / v22.06-dev docker/cli#3865

Merged

artyom mentioned this issue Dec 20, 2022

Possible incompatibility with macOS 13.1 FiloSottile/yubikey-agent#135

Closed

LeSuisse mentioned this issue Dec 28, 2022

Update golang.org/x/crypto from v0.0.0-20210421170649-83a5a9bb288b to v0.4.0 FiloSottile/yubikey-agent#136

Merged

golang locked and limited conversation to collaborators Nov 11, 2023

gopherbot added the FrozenDueToAge label Nov 11, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/crypto/ssh: Unmarshal for SSH_AGENTC_EXTENSION #51689

x/crypto/ssh: Unmarshal for SSH_AGENTC_EXTENSION #51689

lpcalisi commented Mar 15, 2022

seankhliao commented Mar 15, 2022

lpcalisi commented May 5, 2022 •

edited

Loading

gopherbot commented Jun 14, 2022

jrcasso commented Jul 27, 2022

bdols commented Aug 5, 2022

gcsfred2 commented Nov 2, 2022 •

edited

Loading

AkihiroSuda commented Nov 11, 2022 •

edited

Loading

x/crypto/ssh: Unmarshal for SSH_AGENTC_EXTENSION #51689

x/crypto/ssh: Unmarshal for SSH_AGENTC_EXTENSION #51689

Comments

lpcalisi commented Mar 15, 2022

seankhliao commented Mar 15, 2022

lpcalisi commented May 5, 2022 • edited Loading

gopherbot commented Jun 14, 2022

jrcasso commented Jul 27, 2022

bdols commented Aug 5, 2022

gcsfred2 commented Nov 2, 2022 • edited Loading

AkihiroSuda commented Nov 11, 2022 • edited Loading

lpcalisi commented May 5, 2022 •

edited

Loading

gcsfred2 commented Nov 2, 2022 •

edited

Loading

AkihiroSuda commented Nov 11, 2022 •

edited

Loading