[PORT] Remove SHA1 for support for ssh rsa signing (#31857) (#5303)

https://github.com/go-fed/httpsig seems to be unmaintained.

Switch to github.com/42wim/httpsig which has removed deprecated crypto
and default sha256 signing for ssh rsa.

No impact for those that use ed25519 ssh certificates.

This is a breaking change for:
- gitea.com/gitea/tea (go-sdk) - I'll be sending a PR there too
- activitypub using deprecated crypto (is this actually used?)

(cherry picked from commit 01dec7577a051d9bb30e91f6cf6653dc51a37d06)

---
Conflict resolution: trivial

Co-authored-by: Wim <wim@42.be>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5303
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>

Gusted b2a3a041 387f590d

+10 -10
+2 -2
go.mod
··· 17 17 codeberg.org/gusted/mcaptcha v0.0.0-20220723083913-4f3072e1d570 18 18 connectrpc.com/connect v1.17.0 19 19 gitea.com/lunny/levelqueue v0.4.2-0.20230414023320-3c0159fe0fe4 20 + github.com/42wim/httpsig v1.2.2 20 21 github.com/42wim/sshsig v0.0.0-20211121163825-841cf5bbc121 21 22 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 22 23 github.com/ProtonMail/go-crypto v1.1.4 ··· 43 44 github.com/go-chi/cors v1.2.1 44 45 github.com/go-co-op/gocron v1.37.0 45 46 github.com/go-enry/go-enry/v2 v2.9.1 46 - github.com/go-fed/httpsig v1.1.1-0.20201223112313-55836744818e 47 47 github.com/go-git/go-git/v5 v5.13.1 48 48 github.com/go-ldap/ldap/v3 v3.4.6 49 49 github.com/go-openapi/spec v0.20.14 ··· 131 131 dario.cat/mergo v1.0.0 // indirect 132 132 filippo.io/edwards25519 v1.1.0 // indirect 133 133 git.sr.ht/~mariusor/go-xsd-duration v0.0.0-20220703122237-02e73435a078 // indirect 134 - github.com/42wim/httpsig v1.2.2 // indirect 135 134 github.com/DataDog/zstd v1.5.5 // indirect 136 135 github.com/GoogleCloudPlatform/grpc-gcp-go/grpcgcp v1.5.0 // indirect 137 136 github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.24.2 // indirect ··· 184 183 github.com/go-ap/errors v0.0.0-20231003111023-183eef4b31b7 // indirect 185 184 github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect 186 185 github.com/go-enry/go-oniguruma v1.2.1 // indirect 186 + github.com/go-fed/httpsig v1.1.0 // indirect 187 187 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect 188 188 github.com/go-git/go-billy/v5 v5.6.1 // indirect 189 189 github.com/go-ini/ini v1.67.0 // indirect
+2 -2
go.sum
··· 919 919 github.com/go-faster/city v1.0.1/go.mod h1:jKcUJId49qdW3L1qKHH/3wPeUstCVpVSXTM6vO3VcTw= 920 920 github.com/go-faster/errors v0.7.1 h1:MkJTnDoEdi9pDabt1dpWf7AA8/BaSYZqibYyhZ20AYg= 921 921 github.com/go-faster/errors v0.7.1/go.mod h1:5ySTjWFiphBs07IKuiL69nxdfd5+fzh1u7FPGZP2quo= 922 - github.com/go-fed/httpsig v1.1.1-0.20201223112313-55836744818e h1:oRq/fiirun5HqlEWMLIcDmLpIELlG4iGbd0s8iqgPi8= 923 - github.com/go-fed/httpsig v1.1.1-0.20201223112313-55836744818e/go.mod h1:RCMrTZvN1bJYtofsG4rd5NaO5obxQ5xBkdiS7xsT7bM= 922 + github.com/go-fed/httpsig v1.1.0 h1:9M+hb0jkEICD8/cAiNqEB66R87tTINszBRTjwjQzWcI= 923 + github.com/go-fed/httpsig v1.1.0/go.mod h1:RCMrTZvN1bJYtofsG4rd5NaO5obxQ5xBkdiS7xsT7bM= 924 924 github.com/go-fonts/dejavu v0.1.0/go.mod h1:4Wt4I4OU2Nq9asgDCteaAaWZOV24E+0/Pwo0gppep4g= 925 925 github.com/go-fonts/latin-modern v0.2.0/go.mod h1:rQVLdDMK+mK1xscDwsqM5J8U2jrRa3T0ecnM9pNujks= 926 926 github.com/go-fonts/liberation v0.1.1/go.mod h1:K6qoJYypsmfVjWg8KOVDQhLc8UDgIK2HYqyqAO9z7GY=
+1 -1
modules/activitypub/client.go
··· 22 22 "code.gitea.io/gitea/modules/proxy" 23 23 "code.gitea.io/gitea/modules/setting" 24 24 25 - "github.com/go-fed/httpsig" 25 + "github.com/42wim/httpsig" 26 26 ) 27 27 28 28 const (
+1 -1
modules/setting/federation.go
··· 6 6 import ( 7 7 "code.gitea.io/gitea/modules/log" 8 8 9 - "github.com/go-fed/httpsig" 9 + "github.com/42wim/httpsig" 10 10 ) 11 11 12 12 // Federation settings
+1 -1
routers/api/v1/activitypub/reqsignature.go
··· 18 18 "code.gitea.io/gitea/modules/setting" 19 19 gitea_context "code.gitea.io/gitea/services/context" 20 20 21 + "github.com/42wim/httpsig" 21 22 ap "github.com/go-ap/activitypub" 22 - "github.com/go-fed/httpsig" 23 23 ) 24 24 25 25 func getPublicKeyFromResponse(b []byte, keyID *url.URL) (p crypto.PublicKey, err error) {
+2 -2
services/auth/httpsign.go
··· 17 17 "code.gitea.io/gitea/modules/log" 18 18 "code.gitea.io/gitea/modules/setting" 19 19 20 - "github.com/go-fed/httpsig" 20 + "github.com/42wim/httpsig" 21 21 "golang.org/x/crypto/ssh" 22 22 ) 23 23 ··· 205 205 case strings.HasPrefix(publicKey.Type(), "ssh-ed25519"): 206 206 algos = []httpsig.Algorithm{httpsig.ED25519} 207 207 case strings.HasPrefix(publicKey.Type(), "ssh-rsa"): 208 - algos = []httpsig.Algorithm{httpsig.RSA_SHA1, httpsig.RSA_SHA256, httpsig.RSA_SHA512} 208 + algos = []httpsig.Algorithm{httpsig.RSA_SHA256, httpsig.RSA_SHA512} 209 209 } 210 210 for _, algo := range algos { 211 211 if err := verifier.Verify(cryptoPubkey, algo); err == nil {
+1 -1
tests/integration/api_httpsig_test.go
··· 15 15 "code.gitea.io/gitea/modules/test" 16 16 "code.gitea.io/gitea/tests" 17 17 18 - "github.com/go-fed/httpsig" 18 + "github.com/42wim/httpsig" 19 19 "golang.org/x/crypto/ssh" 20 20 ) 21 21
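Review bot: in go.mod, `github.com/go-fed/httpsig` is not dropped from the module graph; the last hunk re-adds it at v1.1.0 as `// indirect`, and go.sum gains the matching v1.1.0 hashes. The commit message describes that library as unmaintained, so the PR should record which dependency still requires it (`go mod why github.com/go-fed/httpsig` will show this) and confirm that none of the signing or verification paths touched here can still reach it.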
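Review bot: in modules/activitypub/client.go, modules/setting/federation.go and routers/api/v1/activitypub/reqsignature.go only the import path changes, yet the commit message leaves open whether ActivityPub relies on the deprecated crypto. The algorithm lists these files hand to httpsig are outside the visible context, so please check them against what github.com/42wim/httpsig still accepts and answer that question in the PR before merging, rather than leaving it to surface as a federation failure at runtime.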
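Review bot: in services/auth/httpsign.go, the loop after the `ssh-rsa` case only tests `verifier.Verify(cryptoPubkey, algo)` against nil, so in the visible lines a client still signing with rsa-sha1 gets the same outcome as one presenting a wrong key. Because the commit message names this as a breaking change for go-sdk clients, consider keeping the last error from the loop and logging it, or mentioning the SHA1 removal in the failure path, so operators can tell an algorithm mismatch from a bad signature.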
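Review bot: tests/integration/api_httpsig_test.go changes nothing but the import, so no test in this patch pins the behaviour changed in services/auth/httpsign.go. A case that presents an `ssh-rsa` request signed with SHA1 and expects rejection, next to one signed with SHA256 that expects success, would cover it; if the new library can no longer produce a SHA1 signature, a fixed pre-computed header would serve as the input.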