Skip to content

Fix/cli adversarial findings#348

Merged
bordumb merged 6 commits into
mainfrom
fix/cli-adversarial-findings
Jun 23, 2026
Merged

Fix/cli adversarial findings#348
bordumb merged 6 commits into
mainfrom
fix/cli-adversarial-findings

Conversation

@bordumb

@bordumb bordumb commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

No description provided.

bordumb added 5 commits June 23, 2026 03:42
The trust subcommands built the pinned-identity store from the default
~/.auths path and ignored the global --repo flag, so a repo-scoped trust
operation silently read, wrote, or deleted the global store. Resolve the
store path through resolve_repo_path like init and device do; with --repo
absent the path is identical to the previous default.
…jection

A newline in a --scope value was emitted verbatim into the single-line
Auths-Scope commit trailer, splitting it into an attacker-chosen extra
trailer (e.g. a second Auths-Id) that a verifier resolved instead of the
true signer. Validate scope tokens and reject control characters before
building the commit trailers.
…, gate destructive/overwrite ops, and lock it in with --repo guardrail + forgery-resistance tests

Auths-Id: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Device: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Anchor-Seq: 1
Auths-Id: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Device: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Anchor-Seq: 1
@bordumb bordumb self-assigned this Jun 23, 2026
@vercel

vercel Bot commented Jun 23, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
auths Ready Ready Preview, Comment Jun 23, 2026 9:10pm

@github-actions

Copy link
Copy Markdown

Auths Commit Verification

Commit Status Details
c0f1c444 ❌ Failed No signature found
265fb97e ❌ Failed No signature found
16d86bf2 ❌ Failed Commit carries no Auths-Id/Auths-Device trailer. The prepare-commit-msg hook installed by auths init adds these on every commit — if this repo sets its own core.hooksPath (e.g. husky), the hook is bypassed; run auths doctor to check. Backfill existing commits with auths sign <ref> (rewrites the commit).
812adf75 ❌ Failed Commit carries no Auths-Id/Auths-Device trailer. The prepare-commit-msg hook installed by auths init adds these on every commit — if this repo sets its own core.hooksPath (e.g. husky), the hook is bypassed; run auths doctor to check. Backfill existing commits with auths sign <ref> (rewrites the commit).
0f686f58 ❌ Failed Commit carries no Auths-Id/Auths-Device trailer. The prepare-commit-msg hook installed by auths init adds these on every commit — if this repo sets its own core.hooksPath (e.g. husky), the hook is bypassed; run auths doctor to check. Backfill existing commits with auths sign <ref> (rewrites the commit).

Result: ❌ 0/5 commits verified


How to fix

Commit c0f1c444 has no Auths signature (no Auths-Id/Auths-Device trailer).

1. Install auths

macOS: brew install auths
Linux: Download from releases

2. One-time setup (creates your identity and configures Git)

auths init

3. Sign this branch and push

auths sign origin/main..HEAD
git push --force-with-lease

For CI to verify the signer, commit an identity bundle:

auths id export-bundle --alias main --output .auths/ci-bundle.json --max-age-secs 31536000

Quickstart →

Auths-Id: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Device: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Anchor-Seq: 1
@github-actions

Copy link
Copy Markdown

Auths Commit Verification

Commit Status Details
d430fb12 ✅ Verified Signed by did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
c0f1c444 ❌ Failed No signature found
265fb97e ❌ Failed No signature found
16d86bf2 ❌ Failed Commit carries no Auths-Id/Auths-Device trailer. The prepare-commit-msg hook installed by auths init adds these on every commit — if this repo sets its own core.hooksPath (e.g. husky), the hook is bypassed; run auths doctor to check. Backfill existing commits with auths sign <ref> (rewrites the commit).
812adf75 ❌ Failed Commit carries no Auths-Id/Auths-Device trailer. The prepare-commit-msg hook installed by auths init adds these on every commit — if this repo sets its own core.hooksPath (e.g. husky), the hook is bypassed; run auths doctor to check. Backfill existing commits with auths sign <ref> (rewrites the commit).
0f686f58 ❌ Failed Commit carries no Auths-Id/Auths-Device trailer. The prepare-commit-msg hook installed by auths init adds these on every commit — if this repo sets its own core.hooksPath (e.g. husky), the hook is bypassed; run auths doctor to check. Backfill existing commits with auths sign <ref> (rewrites the commit).

Result: ❌ 1/6 commits verified


How to fix

Commit c0f1c444 has no Auths signature (no Auths-Id/Auths-Device trailer).

1. Install auths

macOS: brew install auths
Linux: Download from releases

2. One-time setup (creates your identity and configures Git)

auths init

3. Sign this branch and push

auths sign origin/main..HEAD
git push --force-with-lease

For CI to verify the signer, commit an identity bundle:

auths id export-bundle --alias main --output .auths/ci-bundle.json --max-age-secs 31536000

Quickstart →

@bordumb bordumb merged commit 18f1792 into main Jun 23, 2026
21 of 24 checks passed
@bordumb bordumb deleted the fix/cli-adversarial-findings branch June 23, 2026 21:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant