• Bug#1102517: tkey-ssh-agent: does not generate same ssh keys as deb pac

    From Diego Joss@21:1/5 to All on Wed Apr 9 22:40:01 2025
    Package: tkey-ssh-agent
    Version: 1.0.0+ds-4
    Severity: important

    Dear Maintainer,

    I recently bought and started using a Tillitis TKey. I tried to connect
    via ssh using the ssh agent today from a different computer, expecting
    it to work (using the same USS: user supplied secret). However it didn't
    work.
    Details:
    - computer A uses debian package tkey-ssh-agent 1.0.0+ds-4
    - computer B uses tillitis upstream v1.0.0 deb package
    https://github.com/tillitis/tkey-ssh-agent/releases/download/v1.0.0/tkey-ssh-agent_1.0.0_linux_amd64.deb

    Then I executed the following commands:
    - tkey-ssh-agent -a /path/to/socket --uss &
    - SSH_AUTH_SOCK=/path/to/socket ssh-add -L

    The resulting public keys are different, however I expected them to be
    the same.

    After investigation I found that the `app.bin` file that is embedded in
    the `tkey-ssh-agent` executable is different between the Debian upstream
    package and the Tillitis distribution. However it should be the same; in
    particular in the upstream repository the checksum is saved, and the
    make target `check-signer-hash` should verify it.

    Debian package checksum: b0b08e5b50fd60003f91f60e0cc676a065a6a93d0fea091d605c311d012083fe27d7b2fd6921a28843873d115ff7322135086d5567061b2bb2964c78f52efc76 /usr/share/tillitis/tkey-device-signer/app.bin

    Tillitis upstream checksum: fe4458e4125966885d9b745a25422948d76e60371165b97729fce1b423f22b87929c684b4381f2220aa0c94266ba035730d5f08a6e6e0aab7d7bf15165d2fff6 signer/app.bin

    Kind regards,
    Diego

    P.S. I do run Devuan, however I was able to confirm the same
    checksum for app.bin by downloading the debian package directly from https://packages.debian.org/


    -- System Information:
    Distributor ID: Devuan
    Description: Devuan GNU/Linux 6 (excalibur/ceres)
    Release: 6
    Codename: excalibur ceres
    Architecture: x86_64

    Kernel: Linux 6.12.19-amd64 (SMP w/4 CPU threads; PREEMPT)
    Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
    Shell: /bin/sh linked to /usr/bin/dash
    Init: runit (via /run/runit.stopit)
    LSM: AppArmor: enabled

    Versions of packages tkey-ssh-agent depends on:
    ii libc6 2.41-6
    ii tillitis-tkey-udev 1.0.0+ds-4

    tkey-ssh-agent recommends no packages.

    tkey-ssh-agent suggests no packages.

    -- no debconf information

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Simon Josefsson@21:1/5 to Diego Joss on Thu Apr 10 13:00:03 2025
    severity 1102517 wishlist
    tags 1102517 upstream confirmed
    thanks

    Hi. Thanks for testing. This is expected and intentional, although
    admittedly not optimal.

    We don't know how to reproduce upstream's app.bin bit-by-bit identical
    using the toolchain that exists in Debian. Debian policy is to rebuild
    everything from source, so we cannot use their binary blob.

    To get the same private key you must use the same app.bin on all
    machines. Because tkey-ssh-agent currently embeds the app.bin into the
    tkey-ssh-agent binary, you must even use the same ssh agent. There is an
    open issue about adding a feature to tkey-ssh-agent upstream to support
    user-provided app binaries, but alas this is not implemented:

    https://github.com/tillitis/tkey-ssh-agent/issues/125

    We've discussed this with upstream, and IIRC they were able to reproduce
    our app.bin on their laptop, and someone reproduced it using an ArchLinux
    toolchain. Hopefully upstream can use Debian-based clang for future app
    releases. I think that someone tested using Ubuntu's toolchain and at
    least at some point it didn't produce the same output, but I think it
    was a 24.10 pre-release snapshot clang.

    /Simon

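
    The reason the two agents show different public keys is the TKey's
    measured-boot identity: the key is bound to the exact bytes of the
    signer app, not just to the USS. The following is an added example, not
    code from the bug report or from tkey-ssh-agent, modelling that
    derivation with the standard library. It assumes the firmware computes
    CDI = BLAKE2s(UDS || BLAKE2s(app) || USS) and that the signer seeds its
    Ed25519 key from the CDI; the UDS, the two app images and the USS are
    constructed placeholders, while the two sha512sum lines are the ones
    quoted in the report.

```python
"""Why the same USS yields different SSH keys on two tkey-ssh-agent builds.

Added example, not code from the bug report or from tkey-ssh-agent.  It
models the TKey identity derivation: the firmware measures the loaded app
and computes CDI = BLAKE2s(UDS || BLAKE2s(app) || USS); the signer app then
seeds its Ed25519 key from the CDI, so any byte change in app.bin changes
the SSH key even when the USS is identical.  UDS, app images and USS below
are constructed placeholders, not real device secrets.
"""
import hashlib

# Constructed stand-ins: two app images that differ (as two toolchains
# produced them), the same USS typed on both machines, and a placeholder
# UDS (the real Unique Device Secret never leaves the TKey).
APP_DEBIAN = b"signer app image built with the Debian toolchain"
APP_TILLITIS = b"signer app image built with the Tillitis toolchain"
USS = b"correct horse battery staple"
UDS_PLACEHOLDER = bytes(range(32))

# The two sha512sum lines quoted in the report (digests are from the page).
DEBIAN_SHA512 = (
    "b0b08e5b50fd60003f91f60e0cc676a065a6a93d0fea091d605c311d012083fe"
    "27d7b2fd6921a28843873d115ff7322135086d5567061b2bb2964c78f52efc76"
)
TILLITIS_SHA512 = (
    "fe4458e4125966885d9b745a25422948d76e60371165b97729fce1b423f22b87"
    "929c684b4381f2220aa0c94266ba035730d5f08a6e6e0aab7d7bf15165d2fff6"
)
DEBIAN_LINE = f"{DEBIAN_SHA512} /usr/share/tillitis/tkey-device-signer/app.bin"
TILLITIS_LINE = f"{TILLITIS_SHA512} signer/app.bin"


def app_digest(app_bin: bytes) -> bytes:
    """BLAKE2s-256 of the application image, as the firmware measures it."""
    return hashlib.blake2s(app_bin).digest()


def derive_cdi(uds: bytes, app_bin: bytes, uss: bytes) -> bytes:
    """Compound Device Identifier: BLAKE2s(UDS || H(app) || USS), 32 bytes.

    The signer app uses this value as its Ed25519 seed, so two machines
    present the same SSH key only when all three inputs are equal.
    """
    h = hashlib.blake2s()
    h.update(uds)
    h.update(app_digest(app_bin))
    h.update(uss)
    return h.digest()


def same_identity(uds: bytes, app_a: bytes, app_b: bytes, uss: bytes) -> bool:
    """True only when both app images lead to the same key for this USS."""
    return derive_cdi(uds, app_a, uss) == derive_cdi(uds, app_b, uss)


def parse_sha512sum_line(line: str) -> tuple[str, str]:
    """Split one line of `sha512sum` output into (hex digest, path)."""
    digest, path = line.strip().split(None, 1)
    if len(digest) != 128:
        raise ValueError("expected a 128-hex-digit SHA-512 digest")
    int(digest, 16)  # raises ValueError on non-hex characters
    return digest.lower(), path


def main() -> None:
    deb_digest, _ = parse_sha512sum_line(DEBIAN_LINE)
    til_digest, _ = parse_sha512sum_line(TILLITIS_LINE)
    print("embedded app.bin digests match:", deb_digest == til_digest)
    print("same USS, same app.bin -> same key:",
          same_identity(UDS_PLACEHOLDER, APP_DEBIAN, APP_DEBIAN, USS))
    print("same USS, different app.bin -> same key:",
          same_identity(UDS_PLACEHOLDER, APP_DEBIAN, APP_TILLITIS, USS))


if __name__ == "__main__":
    main()
```

    The practical consequence for an operator is the one Simon states:
    the app.bin is part of the key, so every machine that must present the
    same identity needs the same agent build, and a rebuilt (even
    functionally identical) signer is a new identity that has to be
    re-enrolled in authorized_keys.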
  • From Diego Joss@21:1/5 to All on Thu Apr 10 13:30:02 2025
    Hi,

    10 Apr 2025 12:51:01 Simon Josefsson <simon@josefsson.org>:
    > Hi.  Thanks for testing.  This is expected and intentional, although
    > admittedly not optimal.
    >
    > We don't know how to reproduce upstream's app.bin bit-by-bit identical
    > using the toolchain that exists in Debian.  Debian policy is to rebuild
    > everything from source so we cannot use their binary blob.

    I understand.

    > To get the same private key you must use the same app.bin on all
    > machines.  Because tkey-ssh-agent currently embeds the app.bin into the
    > tkey-ssh-agent binary you must even use the same ssh agent.  There is an
    > open issue about adding a feature to tkey-ssh-agent upstream to support
    > user-provided app binaries but alas this is not implemented:
    >
    > https://github.com/tillitis/tkey-ssh-agent/issues/125

    Sorry, I didn't search sufficiently to find it :-).

    > We've discussed this with upstream, and IIRC they were able to
    > reproduce our app.bin on their laptop, and someone reproduced it using
    > an ArchLinux toolchain.  Hopefully upstream can use debian-based clang
    > for future app releases.  I think that someone tested using Ubuntu's
    > toolchain and at least at some point it didn't produce the same output,
    > but I think it was a 24.10 pre-release snapshot clang.

    Thank you very much for the clarification. I'll follow the upstream
    issue.

    I hope it will be possible to find a solution. If there is something I
    can do to help, please let me know.

    Diego

  • From Simon Josefsson@21:1/5 to Diego Joss on Thu Apr 10 13:40:02 2025
    Diego Joss <diego@joss-kasser.ch> writes:

    > Thank you very much for the clarification. I'll follow the upstream
    > issue.
    >
    > I hope it will be possible to find a solution. If there is something I
    > can do to help, please let me know.

    Thank you for understanding! If you speak Go, I don't think it would be
    hard to implement the tkey-ssh-agent feature to at least be able to
    provide your own app.bin, so that would be a good contribution. Then
    you would be able to use your tkey with some copying of the app.bin file
    and configuration. But getting this ready for trixie is a challenge; you
    basically only have a day or two...

    /Simon

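
    A user-provided app.bin, as suggested above, moves the identity-defining
    blob from the build into the deployment, so the loader should verify it
    against a pinned digest the way the upstream `check-signer-hash` make
    target does. The sketch below is an added example, not tkey-ssh-agent
    code (the real agent is written in Go and, as of this thread, only uses
    its embedded app.bin); `EMBEDDED_APP`, the `select_app_bin` function and
    its parameters are constructed placeholders for what such a feature
    could look like.

```python
"""Sketch of a user-supplied app.bin loader with a pinned SHA-512.

Added example, not tkey-ssh-agent code.  Two rules from a defender's view:
the agent falls back to its embedded image only when no path is given, and
whichever image is selected is refused when it does not match the expected
digest, because the device identity is bound to that exact blob.
EMBEDDED_APP and the function names are constructed placeholders.
"""
import hashlib
import hmac
from pathlib import Path
from typing import Optional

# Constructed stand-in for the app.bin compiled into the agent binary.
EMBEDDED_APP = b"embedded signer app image (placeholder)"


class AppBinMismatch(ValueError):
    """Raised when the app image does not match the pinned digest."""


def sha512_hex(data: bytes) -> str:
    """Hex SHA-512 of an image, the same digest `sha512sum` prints."""
    return hashlib.sha512(data).hexdigest()


def verify_app_bin(data: bytes, expected_hex: str) -> bytes:
    """Return `data` unchanged if its SHA-512 equals `expected_hex`.

    Uses a constant-time comparison; the digest is not secret, but it costs
    nothing and avoids a habit of plain string compares on hashes.
    """
    actual = sha512_hex(data)
    if not hmac.compare_digest(actual, expected_hex.strip().lower()):
        raise AppBinMismatch(
            f"app.bin digest {actual[:16]}... does not match pinned "
            f"{expected_hex.strip().lower()[:16]}...; refusing to load it"
        )
    return data


def select_app_bin(user_path: Optional[str], expected_hex: Optional[str]) -> bytes:
    """Pick the image the agent will load into the TKey.

    `user_path` selects a file on disk, otherwise the embedded image is used.
    When `expected_hex` is given it is enforced on the selected image, so a
    swapped or truncated file is rejected before it can become the identity.
    """
    data = Path(user_path).read_bytes() if user_path else EMBEDDED_APP
    if expected_hex is not None:
        verify_app_bin(data, expected_hex)
    return data


def rejects(data: bytes, expected_hex: str) -> bool:
    """True when verify_app_bin refuses the image (used by the checks)."""
    try:
        verify_app_bin(data, expected_hex)
    except AppBinMismatch:
        return True
    return False


def main() -> None:
    pinned = sha512_hex(EMBEDDED_APP)
    print("embedded app.bin sha512:", pinned)
    print("embedded image accepted under its own pin:",
          select_app_bin(None, pinned) == EMBEDDED_APP)
    print("tampered image rejected under that pin:",
          rejects(b"tampered image", pinned))


if __name__ == "__main__":
    main()
```

    Loading a user file without a pin is the configuration to avoid: it
    works, but the identity then silently follows whatever bytes sit at that
    path, and a different build copied there later looks like a lost key
    rather than a changed file.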