Problem
`auths doctor` is the natural place users go when things break, but it currently doesn't catch several common issues discovered during dogfooding:
Checks to add
SSH config
- Warn if the ssh config sets `UseKeychain` without `IgnoreUnknown UseKeychain` (see SSH config: add IgnoreUnknown UseKeychain during onboarding #74)
- Check that `gpg.format = ssh` and `commit.gpgsign = true` are set in git config
Registry
- Check if `refs/auths/registry` exists in the current repo
- Verify the identity in the registry matches the current active identity
- Warn if the registry has attestations signed by a different identity (stale data from identity recreation)
- Check if the registry is pushed to the remote
Allowed signers
- Check if `~/.ssh/allowed_signers` exists and contains the current device's key
- Check if `.auths/allowed_signers` exists in the current repo
- Warn if the repo's allowed_signers has placeholder/example keys
- Verify the format is correct (`<principal> namespaces="git" ssh-ed25519 <key>`)
Signing
- Verify a test signature can be created and verified (round-trip check)
- Check that `git log --show-signature` works for recent commits
Context
During dogfooding, every one of these issues was hit. `auths doctor` surfacing them with actionable fix commands would have saved significant debugging time.
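For reference, here is a sketch of the checks listed above as plain POSIX shell. This is an added example, not code from auths: the function names, the fix hints, and the placeholder heuristic (an ed25519 public-key blob is always 68 base64 characters starting with `AAAAC3NzaC1lZDI1NTE5AAAAI`, so anything else in the key column is treated as a leftover example) are assumptions. The registry check compares the local ref against `git ls-remote` because a custom ref like `refs/auths/registry` gets no remote-tracking ref under the default fetch refspec; the round-trip check uses `ssh-keygen -Y sign`/`-Y verify` in the `git` namespace, which is what git itself does for SSH signatures.

```shell
#!/bin/sh
# Added example, not auths code: a sketch of the doctor checks requested in this
# issue. Each check_* function prints findings with a fix hint and returns 0 (ok)
# or 1 (problem). Paths are parameters so the checks run against fixtures; the
# fix hints and the placeholder heuristic are assumptions about auths, not its behaviour.

# 1. SSH config. Non-Apple OpenSSH aborts at the first unknown keyword and reads the
#    file top-down, so "IgnoreUnknown UseKeychain" must precede any UseKeychain line.
check_ssh_config() {  # check_ssh_config SSH_CONFIG_FILE
  [ -f "$1" ] || return 0
  if ! awk '{ l = tolower($0) }
            l ~ /^[ \t]*ignoreunknown[ \t=].*usekeychain/ { ok = 1 }
            l ~ /^[ \t]*usekeychain([ \t=]|$)/ && !ok     { bad = 1 }
            END { exit bad }' "$1"; then
    echo "FAIL: $1 sets UseKeychain without a preceding 'IgnoreUnknown UseKeychain'"
    echo "  fix: add 'IgnoreUnknown UseKeychain' above that line (see #74)"
    return 1
  fi
}

# 2. git config: gpg.format = ssh and commit.gpgsign enabled. git_cfg is a minimal
#    reader for git's INI-style file ([section] headers, "key = value" lines).
git_cfg() {  # git_cfg CONFIG_FILE section.key  -> prints the value, or nothing
  awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[ \t]*[[]/ { sec = tolower($0); gsub(/^[ \t]*[[]|[]].*$/, "", sec); next }
    index($0, "=") {
      k = tolower(substr($0, 1, index($0, "=") - 1)); gsub(/[ \t]/, "", k)
      v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (sec "." k == want) val = v
    }
    END { print val }' "$1" 2>/dev/null
}

check_git_config() {  # check_git_config CONFIG_FILE
  local rc=0
  [ "$(git_cfg "$1" gpg.format)" = ssh ] || {
    echo "FAIL: gpg.format is not 'ssh'"; echo "  fix: git config --global gpg.format ssh"; rc=1; }
  case "$(git_cfg "$1" commit.gpgsign | tr 'A-Z' 'a-z')" in
    true|yes|on|1) ;;
    *) echo "FAIL: commit.gpgsign is not enabled"; echo "  fix: git config --global commit.gpgsign true"; rc=1 ;;
  esac
  return $rc
}

# 3. allowed_signers. Every entry must read '<principal> namespaces="git" ssh-ed25519 <key>'.
#    A genuine ed25519 public-key blob is 68 base64 chars beginning with the wire-format
#    prefix AAAAC3NzaC1lZDI1NTE5AAAAI; anything else ("<key>", a made-up blob) is a placeholder.
is_ed25519_blob() {
  [ "${#1}" -eq 68 ] || return 1
  case "$1" in *[!A-Za-z0-9+/]*) return 1 ;; esac
  case "$1" in AAAAC3NzaC1lZDI1NTE5AAAAI*) return 0 ;; *) return 1 ;; esac
}

check_allowed_signers() {  # check_allowed_signers SIGNERS_FILE DEVICE_PUBKEY_FILE
  local want rc=0 n=0 found=0 principal ns ktype kblob rest
  [ -f "$1" ] || { echo "FAIL: $1 is missing"; return 1; }
  want=$(awk '{ print $1, $2 }' "$2")   # "ssh-ed25519 AAAA..." without the comment
  while read -r principal ns ktype kblob rest || [ -n "$principal" ]; do
    n=$((n + 1))
    case "$principal" in ''|'#'*) continue ;; esac
    if [ "$ns" != 'namespaces="git"' ] || [ "$ktype" != ssh-ed25519 ]; then
      echo "FAIL: $1:$n: expected '<principal> namespaces=\"git\" ssh-ed25519 <key>'"; rc=1; continue
    fi
    if ! is_ed25519_blob "$kblob"; then
      echo "FAIL: $1:$n: '$kblob' is not an ed25519 public key (placeholder/example entry?)"; rc=1; continue
    fi
    if [ "$ktype $kblob" = "$want" ]; then found=1; fi
  done < "$1"
  [ "$found" -eq 1 ] || {
    echo "FAIL: $1 does not contain this device's key"
    echo "  fix: append '<principal> namespaces=\"git\" $want' to $1"; rc=1; }
  return $rc
}

# 4. Registry ref exists locally and the remote holds the same commit (needs git + network).
check_registry_ref() {  # check_registry_ref REPO_DIR [REMOTE]
  local remote="${2:-origin}" local_sha remote_sha
  local_sha=$(git -C "$1" rev-parse --verify --quiet refs/auths/registry) || {
    echo "FAIL: refs/auths/registry does not exist in $1"; return 1; }
  remote_sha=$(git -C "$1" ls-remote "$remote" refs/auths/registry | awk '{ print $1 }')
  [ "$local_sha" = "$remote_sha" ] || {
    echo "FAIL: refs/auths/registry is not pushed to $remote (or differs from it)"
    echo "  fix: git -C $1 push $remote refs/auths/registry"; return 1; }
}

# 5. Signing round-trip: sign a scratch message with the device key and verify it
#    against allowed_signers in the "git" namespace, exactly as git does (needs ssh-keygen).
check_sign_roundtrip() {  # check_sign_roundtrip PRIVKEY_FILE SIGNERS_FILE PRINCIPAL
  local msg; msg=$(mktemp) || return 1
  echo "auths doctor self-test" > "$msg"
  if ssh-keygen -Y sign -f "$1" -n git "$msg" >/dev/null 2>&1 &&
     ssh-keygen -Y verify -f "$2" -I "$3" -n git -s "$msg.sig" < "$msg" >/dev/null 2>&1
  then rm -f "$msg" "$msg.sig"; return 0; fi
  rm -f "$msg" "$msg.sig"
  echo "FAIL: cannot sign and verify a test message as '$3' with $1 against $2"
  return 1
}
```

Checks 1 to 3 only read files, so they can be unit-tested against fixtures; checks 4 and 5 need a repo with a remote and a real key pair. A doctor command would call each in turn and collect the non-zero returns rather than stopping at the first failure, so the user sees every fix command at once.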