API Reference

check_signature(msg_in, armored_signature, namespace='git')

Check that an ssh-keygen signature is a digital signature of the input message.

This function implements functionality provided by:

ssh-keygen -Y check-novalidate -n namespace -s armored_signature_file < msg_in

Returns:

| Type | Description |
| --- | --- |
| PublicKey | The cryptographic PublicKey embedded inside the SSHSIG signature. |

Raises:

| Type | Description |
| --- | --- |
| InvalidSignature | If signature is not valid for the input message. |
| NotImplementedError | If a signature encoding feature is not supported. |

Source code in sshsig/sshsig.py
def check_signature(
    msg_in: str | bytes | BinaryIO,
    armored_signature: str | bytes,
    namespace: str = "git",
) -> PublicKey:
    """Check that an ssh-keygen signature is a digital signature of the input message.

    This function implements functionality provided by:
    ```
    ssh-keygen -Y check-novalidate -n namespace -s armored_signature_file < msg_in
    ```

    Returns:
      The cryptographic PublicKey embedded inside the SSHSIG signature.

    Raises:
      InvalidSignature: If signature is not valid for the input message.
      NotImplementedError: If a signature encoding feature is not supported.
    """
    return cast_or_raise(do_check_signature(msg_in, armored_signature, namespace))

verify(msg_in, armored_signature, allowed_signers, namespace='git')

Verify a signature generated by ssh-keygen, the OpenSSH authentication key utility.

This function implements a SUBSET of functionality provided by:

ssh-keygen -Y verify \
    -f allowed_signers_file \
    -I '*' \
    -n namespace \
    -s armored_signature_file \
    < msg_in

when the allowed_signers_file is in a sub-format with only lines starting `* namespaces="X" ...`, where X equals the namespace argument.

Returns:

| Type | Description |
| --- | --- |
| PublicKey | The cryptographic PublicKey embedded inside the SSHSIG signature. |

Raises:

| Type | Description |
| --- | --- |
| InvalidSignature | If signature is not valid for the input message. |
| NotImplementedError | If a signature encoding feature is not supported. |

Source code in sshsig/sshsig.py
def verify(
    msg_in: str | bytes | BinaryIO,
    armored_signature: str | bytes,
    allowed_signers: Iterable[PublicKey],
    namespace: str = "git",
) -> PublicKey:
    r"""Verify a signature generated by ssh-keygen, the OpenSSH authentication key utility.

    This function implements a _SUBSET_ of functionality provided by:
    ```sh
    ssh-keygen -Y verify \
        -f allowed_signers_file \
        -I '*' \
        -n namespace \
        -s armored_signature_file \
        < msg_in
    ```
    when the allowed_signers_file is in a sub-format with only lines starting:
    `* namespaces="X" ...`
    where X equals the namespace argument.

    Returns:
      The cryptographic PublicKey embedded inside the SSHSIG signature.

    Raises:
      InvalidSignature: If signature is not valid for the input message.
      NotImplementedError: If a signature encoding feature is not supported.
    """
    return cast_or_raise(
        do_verify(msg_in, armored_signature, allowed_signers, namespace)
    )
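
The `allowed_signers` sub-format described for `verify` above can be checked before a file is relied on. The following is an added example, not part of sshsig: it uses only the standard library, the helper names (`load_subformat_keys`, `blob_key_type`, `constructed_ed25519_line`) are hypothetical, and it returns text pairs rather than the library's `PublicKey` objects. It rejects any line that names a principal other than `*`, carries a different namespace, or has a key blob whose inner type does not match the declared key type.

```python
import base64
import re
import struct

# Sub-format line: * namespaces="X" keytype base64-key [comment]
LINE_RE = re.compile(r'^\*\s+namespaces="([^"]*)"\s+(\S+)\s+(\S+)(?:\s.*)?$')


def blob_key_type(b64: str) -> str:
    """Return the key type name that prefixes an SSH public key blob."""
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if n > len(blob) - 4:
        raise ValueError("key type length exceeds blob")
    return blob[4:4 + n].decode("ascii")


def load_subformat_keys(text: str, namespace: str = "git") -> list[tuple[str, str]]:
    """Return (keytype, base64_key) pairs; raise ValueError on any other line."""
    keys = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no key
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: outside the '* namespaces=...' sub-format")
        ns, keytype, b64 = m.groups()
        if ns != namespace:
            raise ValueError(f"line {lineno}: namespaces={ns!r}, expected {namespace!r}")
        if blob_key_type(b64) != keytype:
            raise ValueError(f"line {lineno}: key blob does not match {keytype!r}")
        keys.append((keytype, b64))
    return keys


def constructed_ed25519_line(fill: int, namespace: str = "git") -> str:
    """Build a sample line; the 32 key bytes are constructed, not a real key."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes([fill]) * 32
    return f'* namespaces="{namespace}" ssh-ed25519 {base64.b64encode(blob).decode()} sample'


if __name__ == "__main__":
    print(load_subformat_keys("# constructed sample\n" + constructed_ed25519_line(1)))
```

Lines that use other `allowed_signers` features, such as named principals or a `valid-before` option, raise `ValueError` here because they fall outside the sub-format.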