florian/git-hardening
Public Access
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: v0.2.1 FIDO2 macOS keygen, grouped prompts, Linux hints

Browse Source 
Use Homebrew ssh-keygen for FIDO2 key generation on macOS instead of
searching for libsk-libfido2.dylib (removed in modern openssh). Group
interactive apply prompts into 6 categories with explanations. Fix
Linux gitleaks install hint to show apt/dnf instead of brew.

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Flo
2026-03-31 17:39:14 +02:00
parent 09f6369bec
commit 475faf23df
3 changed files with 28 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
CHANGELOG.md
View File

@@ -4,6 +4,15 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
## [0.2.1] - 2026-03-31
### Fixed
- FIDO2 key generation on macOS — use Homebrew's `ssh-keygen` binary which has built-in FIDO2 support, instead of searching for the removed `libsk-libfido2.dylib` middleware
- Linux gitleaks install hint now shows `apt`/`dnf` instead of `brew`
### Changed
- Group interactive apply prompts by category (6 groups instead of ~25 individual prompts), each showing a table of pending changes with one-line explanations
## [0.2.0] - 2026-03-31 ## [0.2.0] - 2026-03-31
### Added ### Added

42
git-harden.sh
View File

@@ -10,7 +10,7 @@ IFS=$'\n\t'
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------
# Constants # Constants
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------
readonly VERSION="0.2.0" readonly VERSION="0.2.1"
readonly BACKUP_DIR="${HOME}/.config/git" readonly BACKUP_DIR="${HOME}/.config/git"
readonly HOOKS_DIR="${HOME}/.config/git/hooks" readonly HOOKS_DIR="${HOME}/.config/git/hooks"
readonly ALLOWED_SIGNERS_FILE="${HOME}/.config/git/allowed_signers" readonly ALLOWED_SIGNERS_FILE="${HOME}/.config/git/allowed_signers"
@@ -873,7 +873,7 @@ apply_precommit_hook() {
if [ "$has_gitleaks" = false ]; then if [ "$has_gitleaks" = false ]; then
print_warn "gitleaks not found — install it for pre-commit secret scanning:" print_warn "gitleaks not found — install it for pre-commit secret scanning:"
printf ' macOS: brew install gitleaks\n' >&2 printf ' macOS: brew install gitleaks\n' >&2
printf ' Linux: brew install gitleaks (or download from GitHub releases)\n' >&2 printf ' Linux: apt install gitleaks / dnf install gitleaks (or download from GitHub releases)\n' >&2
fi fi
if prompt_yn "Install gitleaks pre-commit hook at $hook_path?"; then if prompt_yn "Install gitleaks pre-commit hook at $hook_path?"; then
@@ -1212,29 +1212,27 @@ generate_fido2_key() {
fi fi
fi fi
# Detect FIDO2 middleware library (required on macOS) # On macOS, the system ssh-keygen lacks FIDO2 support. Homebrew's openssh
local sk_provider="" # bundles ssh-sk-helper and builds FIDO2 into its own ssh-keygen binary.
local keygen_cmd="ssh-keygen"
if [ "$PLATFORM" = "macos" ]; then if [ "$PLATFORM" = "macos" ]; then
# The FIDO2 middleware (libsk-libfido2.dylib) is built by Homebrew's local brew_keygen=""
# openssh formula, NOT by libfido2 alone. Search common install paths. local brew_path
local provider_path for brew_path in /opt/homebrew/bin/ssh-keygen /usr/local/bin/ssh-keygen; do
for provider_path in \ # System ssh-keygen prints "No FIDO SecurityKeyProvider" — brew's doesn't
/opt/homebrew/lib/libsk-libfido2.dylib \ if [ -x "$brew_path" ] && ! "$brew_path" -t ed25519-sk -f /dev/null -N "" 2>&1 | grep -q "SecurityKeyProvider"; then
/usr/local/lib/libsk-libfido2.dylib \ brew_keygen="$brew_path"
/opt/homebrew/Cellar/openssh/*/libexec/libsk-libfido2.dylib; do
if [ -f "$provider_path" ]; then
sk_provider="$provider_path"
break break
fi fi
done done
if [ -z "$sk_provider" ]; then if [ -z "$brew_keygen" ]; then
print_warn "FIDO2 middleware (libsk-libfido2.dylib) not found." print_warn "macOS system ssh-keygen lacks FIDO2 support."
printf ' macOS system ssh-keygen requires the OpenSSH FIDO middleware.\n' >&2 printf ' Install Homebrew OpenSSH (includes built-in FIDO2):\n' >&2
printf ' Install with: brew install openssh\n' >&2 printf ' brew install openssh\n' >&2
printf ' This builds libsk-libfido2.dylib against the libfido2 you already have.\n' >&2
printf ' Then re-run this script.\n' >&2 printf ' Then re-run this script.\n' >&2
return return
fi fi
keygen_cmd="$brew_keygen"
fi fi
printf ' Generating ed25519-sk SSH key (touch your security key when prompted)...\n' >&2 printf ' Generating ed25519-sk SSH key (touch your security key when prompted)...\n' >&2
@@ -1249,14 +1247,8 @@ generate_fido2_key() {
mkdir -p "$SSH_DIR" mkdir -p "$SSH_DIR"
chmod 700 "$SSH_DIR" chmod 700 "$SSH_DIR"
# Pass -w <provider> on macOS; on Linux the built-in support usually works
local keygen_args=(-t ed25519-sk -C "$email" -f "$key_path")
if [ -n "$sk_provider" ]; then
keygen_args+=(-w "$sk_provider")
fi
# Do NOT suppress stderr — per AC-7 # Do NOT suppress stderr — per AC-7
ssh-keygen "${keygen_args[@]}" </dev/tty "$keygen_cmd" -t ed25519-sk -C "$email" -f "$key_path" </dev/tty
if [ -f "${key_path}.pub" ]; then if [ -f "${key_path}.pub" ]; then
SIGNING_KEY_FOUND=true SIGNING_KEY_FOUND=true

4
test/git-harden.bats
View File

@@ -1148,7 +1148,7 @@ EOF
# v0.2.0: Version bump # v0.2.0: Version bump
# =========================================================================== # ===========================================================================
@test "--version reports 0.2.0" { @test "--version reports 0.2.1" {
run bash "$SCRIPT" --version run bash "$SCRIPT" --version
assert_output --partial "0.2.0" assert_output --partial "0.2.1"
} }