![]() - configure Maven to run build reproducibly [1] - use UTC timestamp of checked out commit as build timestamp - add git-describe, git-commit-id, git-commit-id, git-tags, git-remote-origin-url to MANIFEST.MF files - configure cyclonedx-maven-plugin to also use UTC timestamp of checked out commit - for packaging build use tycho-buildtimestamp-jgit [2] to ensure version uses the timestamp of the last commit - SBOMs are not reproducible by design [3] they should have a build timestamp matching the time when the build was executed and a serial number which is a unique UUID per build run. Hence exclude them from comparison [4]. - Use gmavenplus-plugin to format build timestamps. Maven expects build timestamp in ISO-8601 format, to replace the qualifier in versions the timestamp format must be compatible with rules for OSGi version numbers. Didn't find a way to read the properties set by the git-commit-id-maven-plugin from another plugin. Hence use JGit in a groovy script to get the commit time of the current HEAD and provide it in these two formats. TODO: packaging build (features and p2 repository) is not yet binary reproducible since that's not yet supported by Tycho [5], artefacts have reproducible version numbers but file lastModified timestamps are not yet reproducible. Test plan for Maven build: - build using mvn clean install" - verify second build is reproducible: mvn -T1 clean verify artifact:compare verification seems not to be thread-safe, hence run it with a single thread using option -T1 For packaging build (still fails due to non-reproducible file timestamps): - build using mvn -f org.eclipse.jgit.packaging/pom.xml clean install - verify second build is reproducible: mvn -T1 -f org.eclipse.jgit.packaging/pom.xml clean verify artifact:compare [1] https://maven.apache.org/guides/mini/guide-reproducible-builds.html [2] https://wiki.eclipse.org/Tycho/Reproducible_Version_Qualifiers [3] https://github.com/CycloneDX/cyclonedx-maven-plugin/issues/84 [4] https://maven.apache.org/plugins/maven-artifact-plugin/compare-mojo.html [5] https://github.com/eclipse-tycho/tycho/issues/233 Change-Id: I0202f55a1b6ae0edd922cfef638beb39d2ce9417 |
||
---|---|---|
.. | ||
.settings | ||
META-INF | ||
OSGI-INF/l10n | ||
bin | ||
resources | ||
src/org/eclipse/jgit/internal/transport/sshd/agent/connector | ||
.classpath | ||
.fbprefs | ||
.gitignore | ||
.project | ||
BUILD | ||
README.md | ||
about.html | ||
build.properties | ||
pom.xml |
README.md
JGit SSH agent transport support for Apache MINA sshd
This bundle provides optional support for communicating with an SSH agent for SSH or SFTP authentication. It is an OSGi fragment for bundle org.eclipse.jgit.ssh.apache, and it provides transports for local communication with SSH agents.
Supported SSH agent transports
Linux, OS X, BSD
On Linux, OS X, and BSD, the only transport mechanism supported is the usual
communication via a Unix domain socket. This is the only protocol the OpenSSH
SSH agent supports. A Unix domain socket appears as a special file in the file
system; this file name is typically available in the environment variable
SSH_AUTH_SOCK
.
The SSH config IdentityAgent
can be set to this socket filename to specify
exactly which Unix domain socket to use, or it can be set to SSH_AUTH_SOCK
to use the value from that environment variable. If IdentityAgent
is not set
at all, JGit uses SSH_AUTH_SOCK
by default. If the variable is not set, no
SSH agent will be used. IdentityAgent
can also be set to none
to not use
any SSH agent.
Windows
On Windows, two different transports are supported:
- A transport over a Windows named pipe. This is used by Win32-OpenSSH, and is available for Pageant since version 0.75.
- A Pageant-specific legacy transport via shared memory; useful for Pageant and GPG's gpg-agent.
Possible settings of IdentityAgent
to select a particular transport are
//./pipe/openssh-ssh-agent
: the Windows named pipe of Win32-OpenSSH.//./pageant
: the shared-memory mechanism of Pageant.none
: do not use any SSH agent.//./pipe/<any_valid_pipe_name>
: use a specific Windows named pipe.
The default transport on Windows if IdentityAgent
is not set at all is the
Pageant shared-memory transport. Environment variable SSH_AUTH_SOCK
needs
not be set for Pageant, and must not be set for Win32-OpenSSH.
It is also possible to use a named pipe as transport for Pageant (as of
version 0.75). Unfortunately, Pageant unnecessarily cryptographically
obfuscates the pipe name, so it is not possible for JGit to determine it
automatically. The pipe name is pageant.<user name>.<sha256>
, for instance
pageant.myself.c5687736ba755a70b000955cb191698aed7db221c2b0710199eb1f5298922ab5
.
A user can look up the name by starting Pageant and then running the
command dir \\.\pipe\\
in a command shell. Once the name is known, setting
IdentityAgent
to the pipe name as
//./pipe/pageant.myself.c5687736ba755a70b000955cb191698aed7db221c2b0710199eb1f5298922ab5
makes JGit use this Windows named pipe for communication with Pageant.
(You can use forward slashes in the ~/.ssh/config
file. SSH config file
parsing has its own rules about backslashes in config files; which are
treated as escape characters in some contexts. With backslashes one would
have to write, e.g., \\\\.\pipe\openssh-ssh-agent
.)
With these two transport mechanisms, Pageant and Win32-OpenSSH are supported.
As for GPG: the gpg-agent can be configured to emulate ssh-agent (presumably
via a WinSockets2 "Unix domain socket" on Windows) or to emulate Pageant
(using the shared memory mechanism). Running gpg-agent with the
enable-ssh-support
option is
reported not to work on Windows, though. But
the PuTTY emulation in gpg-agent (option enable-putty-support
) should work,
so it should be possible to use gpg-agent instead of Pageant.
Neither Pageant (as of version 0.76) nor Win32-OpenSSH (as of version 8.6)
support the confirm
or lifetime constraints for AddKeysToAgent
. gpg-agent
apparently does, even when communicating over the Pageant shared memory
mechanism.
The ssh-agent from git bash on Windows is currently not supported. It would need a connector handling Cygwin socket files and the Cygwin handshake over a TCP stream socket bound to the loopback interface. The Cygwin socket file is exposed in the Windows file system at %TEMP%\ssh-XXXXXXXXXX\agent.<number>, but it does not have a fixed name (the X's and the number are variable and change each time ssh-agent is started).
Implementation
The implementation of all transports uses JNA.