intial unit test and impl for ssh-keygen simulator

[castedo]

• unit test that check-novalidate subcmd rejects
• basic CLI impl for ssh-keygen simulator
• trivial always fail impl of check-novalidate subcmd

[castedo]

Probably not worth merging yet since it doesn't actually to any check. So I've put it in draft mode. But good preview of what's to come soon so you can point out any improvements and changes that make sense.

[castedo]

@jelmer Pick your poison:

Soon I'm going to be adding a line of

from __future__ import annotations

from https://gitlab.com/perm.pub/hidos/-/blob/923691a51921de59250e80f7fd82fe40fa895637/hidos/sshsiglib/ssh_keygen.py#L1
so that a return type hint like:
https://gitlab.com/perm.pub/hidos/-/blob/923691a51921de59250e80f7fd82fe40fa895637/hidos/sshsiglib/ssh_keygen.py#L48
does not have to be quoted.

And I think there are few other benefits.

BUT if you think it's better to not __future__, just let me know and I'll quote some of these type hints and go back from the __future__.

[jelmer]

@jelmer Pick your poison:

Soon I'm going to be adding a line of

from __future__ import annotations

from https://gitlab.com/perm.pub/hidos/-/blob/923691a51921de59250e80f7fd82fe40fa895637/hidos/sshsiglib/ssh_keygen.py#L1
so that a return type hint like:
https://gitlab.com/perm.pub/hidos/-/blob/923691a51921de59250e80f7fd82fe40fa895637/hidos/sshsiglib/ssh_keygen.py#L48
does not have to be quoted.

And I think there are few other benefits.

BUT if you think it's better to not __future__, just let me know and I'll quote some of these type hints and go back from the __future__.

Why do we need that? Dulwich is python >= 3.9, so annotations shouldn't require a "from future import"

[castedo]

@jelmer Pick your poison:
Soon I'm going to be adding a line of

from __future__ import annotations

from https://gitlab.com/perm.pub/hidos/-/blob/923691a51921de59250e80f7fd82fe40fa895637/hidos/sshsiglib/ssh_keygen.py#L1
so that a return type hint like:
https://gitlab.com/perm.pub/hidos/-/blob/923691a51921de59250e80f7fd82fe40fa895637/hidos/sshsiglib/ssh_keygen.py#L48
does not have to be quoted.
And I think there are few other benefits.
BUT if you think it's better to not __future__, just let me know and I'll quote some of these type hints and go back from the __future__.

Why do we need that? Dulwich is python >= 3.9, so annotations shouldn't require a "from future import"

It is still needed for recursive/self-referential type hints. For instance, in

https://gitlab.com/perm.pub/hidos/-/blob/923691a51921de59250e80f7fd82fe40fa895637/hidos/sshsiglib/ssh_keygen.py#L48

the unquoted AllowedSigner return type hint is for a function of the class AllowedSigner. So even with 3.9, either the type hint needs to be quoted or the __future__ is needed.

[castedo]

I'm usually in a container with Python 3.12 and the choice still is needed in 3.12.

[castedo]

@jelmer You probably have a better idea than I do on the best way to handle this with unittest. This DOUBLE_CHECK_SSH_KEYGEN_SIMULATION flag will enable also running the real ssh-keygenalong with the main unit test, with the same test case input data, and make sure the exit return code is the same.

I'm thinking this double checking against the real ssh-keygen should be off by default. It's not really the point of the usual unittest. But it's also nice to sanity double check from time to time.

[castedo]

@jelmer I wasn't sure the best way to handle this mypy strictness. Mypy seems to be pretty annoying in terms of selectively enable strict mode (it doesn't really seem to be possible). But I've written all the sshsiglib code passing under strict mode. So seems a pity to not try and keep it type strict.

[castedo]

Interesting ... I just discovered another benefit to using from __future__ import annotations:

ruff requests using the X | Y type notation instead of Union and Option, which Python 3.9 barfs on (I just confirmed) ... but without __future__. With the __future__ Python 3.9 will ignore the pipe X | Y type notation. I'll start following ruffs suggestion by using __future__ to keep both ruff and Python 3.9 happy.

[castedo]

@jelmer OK, this is an actual implementation of ssh-keygen -Y check-novalidate, the core crypto functionality at the base of SSH key signing. This could be a good check point to merge, even though there's more to come, and some more extra sshsig features layerd on top that git uses (namely checking the allowed_signers file for the key found in the signature from this core stage).

[castedo]

I figured I would just throw all the code in to one file, to keep it simple within the bigger picture of dulwich. However, there are a number of natural splits and layers to this implementation. This single file could naturally be split into multiple and placed within a subdirectory/submodule for all this sshsig/ssh_keygen stuff.