severity 1102517 wishlist
tags 1102517 upstream confirmed
thanks

Hi. Thanks for testing. This is expected and intentional, although admittedly not optimal.
We don't know how to reproduce upstream's app.bin bit-by-bit identical using the toolchain that exists in Debian. Debian policy is to rebuild everything from source so we cannot use their binary blob.

To get the same private key you must use the same app.bin on all machines. Because tkey-ssh-agent currently embeds the app.bin into the tkey-ssh-agent binary you must even use the same ssh agent. There is an open issue about adding a feature to tkey-ssh-agent upstream to support user-provided app binaries but alas this is not implemented:

https://github.com/tillitis/tkey-ssh-agent/issues/125

We've discussed this with upstream, and IIRC they were able to reproduce our app.bin on their laptop, and someone reproduced it using ArchLinux toolchain. Hopefully upstream can use debian-based clang for future app releases. I think that someone tested using Ubuntu's toolchain and at least at some point it didn't produce the same output, but I think it was a 24.10 pre-release snapshot clang.

/Simon

Diego Joss <deta...@joss-kasser.ch> writes:

> Package: tkey-ssh-agent
> Version: 1.0.0+ds-4
> Severity: important
>
> Dear Maintainer,
>
> I recently bought and started using a Tillitis TKey. I tried to connect
> via ssh using the ssh agent today from a different computer, expecting
> it to work (using the same USS: user supplied secret). However it didn't
> work.
> Details:
> - computer A uses debian package tkey-ssh-agent 1.0.0+ds-4
> - computer B uses tillitis upstream v1.0.0 deb package
>
> https://github.com/tillitis/tkey-ssh-agent/releases/download/v1.0.0/tkey-ssh-agent_1.0.0_linux_amd64.deb
>
> Then I executed the following commands:
> - tkey-ssh-agent -a /path/to/socket --uss &
> - SSH_AUTH_SOCK=/path/to/socket ssh-add -L
>
> The resulting public keys are different, however I expected them to be
> the same.
>
> After investigation I found that the `app.bin` file that is embedded in
> the `tkey-ssh-agent` executable is different between the debian upstream
> package, and the tillitis distribution.
> However it should be the same; in particular in the upstream repository
> the checksum is saved, and the make target `check-signer-hash` should
> verify it.
>
> Debian package checksum:
> b0b08e5b50fd60003f91f60e0cc676a065a6a93d0fea091d605c311d012083fe27d7b2fd6921a28843873d115ff7322135086d5567061b2bb2964c78f52efc76
> /usr/share/tillitis/tkey-device-signer/app.bin
>
> Tillitis upstream checksum:
> fe4458e4125966885d9b745a25422948d76e60371165b97729fce1b423f22b87929c684b4381f2220aa0c94266ba035730d5f08a6e6e0aab7d7bf15165d2fff6
> signer/app.bin
>
> Kind regards,
> Diego
>
> P.S. I do run Devuan, however I was able to confirm the same
> checksum for app.bin by downloading the debian package directly from
> https://packages.debian.org/
>
>
> -- System Information:
> Distributor ID: Devuan
> Description: Devuan GNU/Linux 6 (excalibur/ceres)
> Release: 6
> Codename: excalibur ceres
> Architecture: x86_64
>
> Kernel: Linux 6.12.19-amd64 (SMP w/4 CPU threads; PREEMPT)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
> LANGUAGE=en_US:en
> Shell: /bin/sh linked to /usr/bin/dash
> Init: runit (via /run/runit.stopit)
> LSM: AppArmor: enabled
>
> Versions of packages tkey-ssh-agent depends on:
> ii libc6 2.41-6
> ii tillitis-tkey-udev 1.0.0+ds-4
>
> tkey-ssh-agent recommends no packages.
>
> tkey-ssh-agent suggests no packages.
>
> -- no debconf information
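A simplified model of why the same TKey and the same USS give different keys under different app.bin builds, added here as an illustration and not taken from the messages above or from Tillitis or Debian code. It assumes the device mixes its device secret with a BLAKE2s digest of the loaded app and the hashed USS; the function names, the device secret and the app images are constructed placeholders.

```python
import hashlib
from typing import Dict, List, Optional

def uss_digest(passphrase: bytes) -> bytes:
    # Assumption: the client reduces the typed USS to 32 bytes before sending it.
    return hashlib.blake2s(passphrase, digest_size=32).digest()

def derive_cdi(uds: bytes, app_bin: bytes, uss: Optional[bytes] = None) -> bytes:
    """Model of measured derivation: BLAKE2s(UDS || BLAKE2s(app) || USS).

    Assumption: the signer app then uses this value as the seed of its
    key pair, so a different value means a different SSH public key.
    """
    h = hashlib.blake2s(digest_size=32)
    h.update(uds)
    h.update(hashlib.blake2s(app_bin, digest_size=32).digest())  # app measurement
    if uss is not None:
        h.update(uss)
    return h.digest()

def group_hosts_by_identity(uds: bytes, host_apps: Dict[str, bytes],
                            passphrase: bytes) -> Dict[str, List[str]]:
    """Group hosts by the identity the same TKey would present on each of them."""
    uss = uss_digest(passphrase)
    groups: Dict[str, List[str]] = {}
    for host, app_bin in sorted(host_apps.items()):
        groups.setdefault(derive_cdi(uds, app_bin, uss).hex(), []).append(host)
    return groups

# Constructed sample data: one device secret, two app images that differ only
# in a few trailing bytes, the way two toolchains can differ in their output.
UDS = bytes(range(32))
APP_BUILD_A = b"\x13\x01\x01\x00" * 64 + b"toolchain-A"
APP_BUILD_B = b"\x13\x01\x01\x00" * 64 + b"toolchain-B"
HOSTS = {
    "computer-A": APP_BUILD_A,   # agent embedding one build of the app
    "computer-B": APP_BUILD_B,   # agent embedding another build
    "computer-C": APP_BUILD_A,   # same agent package as computer-A
}

if __name__ == "__main__":
    for cdi, hosts in group_hosts_by_identity(UDS, HOSTS, b"example USS").items():
        print(cdi[:16], hosts)
```

Hosts that land in the same group present the same key; getting every host into one group requires the byte-identical app.bin on all of them.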