diff --git a/PKGBUILD b/PKGBUILD index e851453..b44993e 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -4,7 +4,7 @@ pkgname='vault' pkgdesc='A tool for managing secrets' -pkgver='1.3.3' +pkgver='1.3.4' pkgrel='1' url="https://vaultproject.io/" license=('MPL') @@ -14,17 +14,19 @@ makedepends=('go-pie' 'git' 'yarn' 'bower' 'nodejs-lts-dubnium' 'npm' 'zip' depends=('glibc') install='vault.install' backup=('etc/vault.hcl') -_vault_commit='8e872c4ad94cb1f193a0fb239ae856e1fdf4bdb0' +_vault_commit='3af4987cd9a61c2e915bcca410884c6e35f93060' source=("git+https://github.com/hashicorp/vault#commit=${_vault_commit}" 'vault.service' 'vault.sysusers' 'vault.tmpfiles' - 'vault.hcl') + 'vault.hcl' + 'vault-fix-ssh-rsa.patch') sha512sums=('SKIP' '6619cf57668e995cddb29fb6c388c18c21b251052a53832415e415bb4fe538361ef77b74536f5b082b9cda6cd71b598fc50d8b7f51092c4d60262052c5725af2' '92616ccf83fa5ca9f8b0d022cf8ceb1f3549e12b66bf21d9f77f3eb26bd75ec1dc36c155948ec987c642067b85fbfc30a9217d6c503d952a402aa5ef63e50928' '073f0f400cba78521cd2709ce86d88fbb14125117f9f3beca657f625d04eab8e00f7a01b5d9a1cfc03e9038844f5732bdbb1a85dd65a803d3f0b90f8bf87880e' - '46106cc76151eef2dd5e4b2caa6a96aae4d6ce1ecbf977dcc8667a3f6c829cbea95133622adafcb15cdfaa066ecc94c73c983e7613ee2f6573694981569729fe') + '46106cc76151eef2dd5e4b2caa6a96aae4d6ce1ecbf977dcc8667a3f6c829cbea95133622adafcb15cdfaa066ecc94c73c983e7613ee2f6573694981569729fe' + '7aab08cc3e203ae9a0c440c53f1f970e086953b6564b0f3ec35a0ae23a1bcbd9bf3db1107ee1777d5a6cc18915a9e80514b8422a5077c2f059b14efd66bafb26') changelog=CHANGELOG.md prepare () { @@ -35,6 +37,7 @@ prepare () { export PACKAGE_ROOT="${GOPATH}/src/github.com/hashicorp/${pkgname}" cd $PACKAGE_ROOT git revert -n 61ff0fd8699dfe9efb9b014df8e9aff86a0aa924 #https://github.com/hashicorp/vault/issues/7475 + patch -Np1 < "${srcdir}/vault-fix-ssh-rsa.patch" } build () { diff --git a/vault-fix-ssh-rsa.patch b/vault-fix-ssh-rsa.patch new file mode 100644 index 0000000..bd51104 --- /dev/null +++ b/vault-fix-ssh-rsa.patch @@ -0,0 +1,41 @@ +diff --git a/builtin/logical/ssh/path_sign.go b/builtin/logical/ssh/path_sign.go +index a64edfa2d..f3c83f765 100644 +--- a/builtin/logical/ssh/path_sign.go ++++ b/builtin/logical/ssh/path_sign.go +@@ -9,6 +9,7 @@ import ( + "crypto/sha256" + "errors" + "fmt" ++ "io" + "strconv" + "strings" + "time" +@@ -484,10 +485,27 @@ func (b *creationBundle) sign() (retCert *ssh.Certificate, retErr error) { + }, + } + +- err = certificate.SignCert(rand.Reader, b.Signer) ++ sshAlgorithmSigner, _ := b.Signer.(ssh.AlgorithmSigner) ++ ++ // prepare certificate for signing ++ certificate.Nonce = make([]byte, 32) ++ if _, err := io.ReadFull(rand.Reader, certificate.Nonce); err != nil { ++ return nil, fmt.Errorf("failed to generate signed SSH key") ++ } ++ certificate.SignatureKey = sshAlgorithmSigner.PublicKey() ++ ++ // get bytes to sign ++ c2 := *certificate ++ c2.Signature = nil ++ out := c2.Marshal() ++ certificateBytes := out[:len(out)-4] ++ ++ // sign with rsa-sha2-256 ++ sig, err := sshAlgorithmSigner.SignWithAlgorithm(rand.Reader, certificateBytes, ssh.SigAlgoRSASHA2256) + if err != nil { + return nil, fmt.Errorf("failed to generate signed SSH key") + } ++ certificate.Signature = sig + + return certificate, nil + }