EGit 5.12 SSH clone failing due to Signature encoding error (SSH clone fails: DefaultAuthFuture[ssh-connection]: Failed (SignatureException) to execute: Signature encoding error)
EGit 5.12 SSH clone failing due to Signature encoding error [message #1842430] Fri, 18 June 2021 19:05
John Czukkermann
Messages: 14
Registered: January 2018
Junior Member
I am posting here because I haven't been able to find a similar error/resolution anywhere else.

I am simply trying to clone my repo.

Eclipse info:
Quote:
eclipse.buildId=4.20.0.I20210611-1600
java.version=11.0.10
java.vendor=AdoptOpenJDK
BootLoader constants: OS=macosx, ARCH=x86_64, WS=cocoa, NL=en_US
Framework arguments: -product org.eclipse.epp.package.jee.product -product org.eclipse.epp.package.jee.product -product org.eclipse.epp.package.jee.product -product org.eclipse.epp.package.jee.product -product org.eclipse.epp.package.jee.product -keyring /Users/jlczuk/.eclipse_keyring
Command-line arguments: -os macosx -ws cocoa -arch x86_64 -product org.eclipse.epp.package.jee.product -product org.eclipse.epp.package.jee.product -product org.eclipse.epp.package.jee.product -product org.eclipse.epp.package.jee.product -data file:/Users/jlczuk/_zWork/Eclipse-2021-06-Workspaces/mgmtsvcs-1.0-hsma24x/ -product org.eclipse.epp.package.jee.product -keyring /Users/jlczuk/.eclipse_keyring


Failure info from Error event details:

Quote:

org.eclipse.jgit.api.errors.TransportException: git@github.<redacted>.git: DefaultAuthFuture[ssh-connection]: Failed (SignatureException) to execute: Signature encoding error
at org.eclipse.jgit.api.LsRemoteCommand.execute(LsRemoteCommand.java:189)
at org.eclipse.jgit.api.LsRemoteCommand.call(LsRemoteCommand.java:128)
at org.eclipse.egit.core.op.ListRemoteOperation.run(ListRemoteOperation.java:116)
at org.eclipse.egit.ui.internal.clone.SourceBranchPage$9.run(SourceBranchPage.java:375)
at org.eclipse.jface.operation.ModalContext$ModalContextThread.run(ModalContext.java:122)
Caused by: org.eclipse.jgit.errors.TransportException: git@github.<redacted>.git: DefaultAuthFuture[ssh-connection]: Failed (SignatureException) to execute: Signature encoding error
at org.eclipse.jgit.transport.sshd.SshdSessionFactory.getSession(SshdSessionFactory.java:250)
at org.eclipse.jgit.transport.sshd.SshdSessionFactory.getSession(SshdSessionFactory.java:1)
at org.eclipse.jgit.transport.SshTransport.getSession(SshTransport.java:107)
at org.eclipse.jgit.transport.TransportGitSsh$SshFetchConnection.<init>(TransportGitSsh.java:281)
at org.eclipse.jgit.transport.TransportGitSsh.openFetch(TransportGitSsh.java:153)
at org.eclipse.jgit.api.LsRemoteCommand.execute(LsRemoteCommand.java:167)
... 4 more
Caused by: org.apache.sshd.common.SshException: DefaultAuthFuture[ssh-connection]: Failed (SignatureException) to execute: Signature encoding error
at org.apache.sshd.common.future.AbstractSshFuture.lambda$verifyResult$1(AbstractSshFuture.java:131)
at org.apache.sshd.common.future.AbstractSshFuture.formatExceptionMessage(AbstractSshFuture.java:185)
at org.apache.sshd.common.future.AbstractSshFuture.verifyResult(AbstractSshFuture.java:130)
at org.apache.sshd.client.future.DefaultAuthFuture.verify(DefaultAuthFuture.java:39)
at org.apache.sshd.client.future.DefaultAuthFuture.verify(DefaultAuthFuture.java:32)
at org.apache.sshd.common.future.VerifiableFuture.verify(VerifiableFuture.java:68)
at org.eclipse.jgit.transport.sshd.SshdSession.connect(SshdSession.java:164)
at org.eclipse.jgit.transport.sshd.SshdSession.connect(SshdSession.java:99)
at org.eclipse.jgit.transport.sshd.SshdSessionFactory.getSession(SshdSessionFactory.java:237)
... 9 more
Caused by: java.io.IOException: ObjectIdentifier mismatch: 2.16.840.1.101.3.4.2.3
at java.base/sun.security.rsa.RSASignature.decodeSignature(RSASignature.java:261)
at java.base/sun.security.rsa.RSASignature.engineVerify(RSASignature.java:217)
at java.base/java.security.Signature$Delegate.engineVerify(Signature.java:1416)
at java.base/java.security.Signature.verify(Signature.java:790)
at org.apache.sshd.common.signature.AbstractSignature.doVerify(AbstractSignature.java:164)
at org.apache.sshd.common.signature.SignatureRSA.verify(SignatureRSA.java:116)
at org.apache.sshd.client.kex.DHGClient.next(DHGClient.java:182)
at org.apache.sshd.common.session.helpers.AbstractSession.handleKexMessage(AbstractSession.java:606)
at org.apache.sshd.common.session.helpers.AbstractSession.doHandleMessage(AbstractSession.java:500)
at org.apache.sshd.common.session.helpers.AbstractSession.handleMessage(AbstractSession.java:428)
at org.apache.sshd.common.session.helpers.AbstractSession.decode(AbstractSession.java:1463)
at org.apache.sshd.common.session.helpers.AbstractSession.messageReceived(AbstractSession.java:388)
at org.eclipse.jgit.internal.transport.sshd.JGitClientSession.messageReceived(JGitClientSession.java:199)
at org.apache.sshd.common.session.helpers.AbstractSessionIoHandler.messageReceived(AbstractSessionIoHandler.java:64)
at org.apache.sshd.common.io.nio2.Nio2Session.handleReadCycleCompletion(Nio2Session.java:358)
at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:335)
at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:332)
at org.apache.sshd.common.io.nio2.Nio2CompletionHandler.lambda$completed$0(Nio2CompletionHandler.java:38)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at org.apache.sshd.common.io.nio2.Nio2CompletionHandler.completed(Nio2CompletionHandler.java:37)
at java.base/sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:127)
at java.base/sun.nio.ch.Invoker$2.run(Invoker.java:219)
at java.base/sun.nio.ch.AsynchronousChannelGroupImpl$1.run(AsynchronousChannelGroupImpl.java:112)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:834)
Re: EGit 5.12 SSH clone failing due to Signature encoding error [message #1842434 is a reply to message #1842430] Fri, 18 June 2021 21:56
Thomas Wolf
Messages: 406
Registered: August 2016
Senior Member
That looks like a bug in the SSH library, Apache MINA sshd 2.6.0. Something seems to have trouble with a rsa-sha2-512 signature during the host key exchange. OID 2.16.840.1.101.3.4.2.3 is SHA512. Probably sshd tries to validate it as a ssh-rsa (SHA1) signature.

I'll have to investigate if I can reproduce this somehow.

Re: EGit 5.12 SSH clone failing due to Signature encoding error [message #1842436 is a reply to message #1842434] Sat, 19 June 2021 01:15
John Czukkermann
Thank you Thomas. I can try using different key types if that would help.
Re: EGit 5.12 SSH clone failing due to Signature encoding error [message #1842439 is a reply to message #1842436] Sat, 19 June 2021 08:26
Thomas Wolf
It has trouble with the server's host key, not with your key.
Re: EGit 5.12 SSH clone failing due to Signature encoding error [message #1842440 is a reply to message #1842439] Sat, 19 June 2021 09:36
Thomas Wolf
In any case it would be very helpful if you could get debug or maybe even trace logging from Eclipse for this. It's unfortunately not quite straightforward to get the log output from that SSH library, but https://www.eclipse.org/forums/index.php?t=msg&th=1105101&goto=1832952&#msg_1832952 gives some hints. It may depend on which logging back-end is used in your Eclipse; logback and log4j use slightly different command line options. log4j uses -Dlog4j.configuration, logback -Dlogback.configurationFile.
Re: EGit 5.12 SSH clone failing due to Signature encoding error [message #1842441 is a reply to message #1842440] Sat, 19 June 2021 11:31
Thomas Wolf
Cannot reproduce so far. I have seen Github sending a wrong SSH message already (in public key user authentication, not in the key exchange), and I suspect this is a similar case. My suspicion is that client and server negotiate "ssh-rsa", and the server sends a packet with a "ssh-rsa" key but with the signature being "rsa-sha2-512". But it should do that only if "rsa-sha2-512" was negotiated. I also just discovered that unfortunately sshd doesn't log the full negotiation result. It also doesn't log details about the type of the actual signature. :-(

Looks like I'll have to improve the logging first.
Re: EGit 5.12 SSH clone failing due to Signature encoding error [message #1842444 is a reply to message #1842441] Sat, 19 June 2021 14:36
John Czukkermann
Ok. I'll await further instruction. Have a good weekend. Also, FWIW, this problem isn't occurring with Eclipse 2021-03:
Quote:
Eclipse IDE for Enterprise Java and Web Developers (includes Incubating components)

Version: 2021-03 (4.19.0)
Build id: 20210312-0638

Git integration for Eclipse 5.11.0.202103091610-r org.eclipse.egit.feature.group Eclipse EGit

[Updated on: Sat, 19 June 2021 14:38]

Re: EGit 5.12 SSH clone failing due to Signature encoding error [message #1842447 is a reply to message #1842444] Sat, 19 June 2021 19:05
Thomas Wolf
EGit nightly now should have the logging we need. If you could try installing it from its update site and then get a debug log, I'd have at least something to work with.
Re: EGit 5.12 SSH clone failing due to Signature encoding error [message #1842482 is a reply to message #1842447] Mon, 21 June 2021 12:26
John Czukkermann
Ok, I'll try to get that done sometime today.

Voila, a bit of trace is now uploaded.
  • Attachment: egit.log
    (Size: 7.73KB, Downloaded 25 times)

[Updated on: Mon, 21 June 2021 14:10]

Re: EGit 5.12 SSH clone failing due to Signature encoding error [message #1842586 is a reply to message #1842482] Thu, 24 June 2021 13:02
John Czukkermann
I attached the redacted egit log to my previous post. Just FYI in case you missed it Thomas.
Re: EGit 5.12 SSH clone failing due to Signature encoding error [message #1842600 is a reply to message #1842586] Thu, 24 June 2021 21:26
Thomas Wolf
Thanks, but somehow I get much more logging output when I run locally. I seem to have more loggers enabled. The log file you posted lacks a lot that I would need to see. (If you're concerned about publishing IP addresses and don't want to redact log files, feel free to e-mail me the log privately.)

I use a log4j config like this:
log4j.rootLogger=WARN, stderr

log4j.appender.stderr=org.apache.log4j.ConsoleAppender
log4j.appender.stderr.Target=System.err
log4j.appender.stderr.layout=org.apache.log4j.PatternLayout
log4j.appender.stderr.layout.ConversionPattern=%d{yyyy-MM-dd HH:mm:ss} %-5p %t %c{1}:%L - %m%n

log4j.logger.org.apache.sshd=DEBUG
log4j.logger.org.eclipse.jgit.transport.sshd=DEBUG
log4j.logger.org.eclipse.jgit.internal.transport.sshd=DEBUG
log4j.logger.org.eclipse.jgit.transport=DEBUG


In particular I'm interested in lines that tell how the server identifies ("JGitClientSession - readIdentification .... Server version string: SSH-2.0-XXXX") and anything related to the initial key exchange, especially "JGitClientSession - setNegotiationResult".
Re: EGit 5.12 SSH clone failing due to Signature encoding error [message #1842607 is a reply to message #1842600] Fri, 25 June 2021 13:10
John Czukkermann
Could you please provide a link on how I can setup to use this property file and where the logging output goes? I created a log4j.properties and updated my eclipse.ini with the following and restarted Eclipse. I don't get any log output in the Console nor in the workspace .metadata/.log file.
-Dlog4j.debug
-Dlog4j.configuration=file:/Users/me/Eclipse-2021-06-Workspaces/test/log4j/log4j.properties


Thank you.
Re: EGit 5.12 SSH clone failing due to Signature encoding error [message #1842610 is a reply to message #1842607] Fri, 25 June 2021 14:07
Thomas Wolf
Did you use log4j before for the error log you generated? Or did you use logback? You did manage to get log output above. Once you're there, it should just be a matter of enabling a few more loggers.

For logback, it would be something like
<?xml version="1.0" encoding="UTF-8"?>
<configuration scan="true" scanPeriod="5 seconds">

    <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
        <encoder>
            <pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{40} - %msg%n</pattern>
        </encoder>
    </appender>

    <logger name="org.apache.sshd" level="DEBUG" additivity="false">
        <appender-ref ref="STDOUT" />
    </logger>

    <logger name="org.eclipse.jgit.transport.sshd" level="DEBUG" additivity="false">
        <appender-ref ref="STDOUT" />
    </logger>

    <logger name="org.eclipse.jgit.internal.transport.sshd" level="DEBUG" additivity="false">
        <appender-ref ref="STDOUT" />
    </logger>

    <root level="WARN">
        <appender-ref ref="STDOUT" />
    </root>

</configuration>

Logging output with both log4j or logback with these setups goes to stderr/stdout, so if you start Eclipse from the command line, you should get the output in the terminal.
Re: EGit 5.12 SSH clone failing due to Signature encoding error [message #1842681 is a reply to message #1842430] Mon, 28 June 2021 15:37
John Czukkermann
Apparently I'm using logback. Here's the latest log. Hopefully it's what you're looking for and a step in the right direction.
  • Attachment: egit.log
    (Size: 36.28KB, Downloaded 16 times)
Re: EGit 5.12 SSH clone failing due to Signature encoding error [message #1842683 is a reply to message #1842681] Mon, 28 June 2021 16:30
Thomas Wolf
Thanks, John, but that's the Eclipse log from .metadata/log. It's not the debug log output from logback.

To get the debug log output, start Eclipse from a terminal command line:
$ cd /Path/to/your/Eclipse.app
$ cd Contents/MacOS
$ _JAVA_OPTIONS='-Dlogback.configurationFile=file:///Users/jlczuk/eclipse-egit-trace.xml' ./eclipse &

Your eclipse-egit-trace.xml file should contain the loggers for org.eclipse.jgit.transport.sshd and org.eclipse.jgit.internal.transport.sshd as shown above. Then the debug log output should be written to the terminal.
Re: EGit 5.12 SSH clone failing due to Signature encoding error [message #1842688 is a reply to message #1842683] Mon, 28 June 2021 19:36
John Czukkermann
Thank you Thomas. Sorry for the churn. I think this log contains what you're requesting.
Re: EGit 5.12 SSH clone failing due to Signature encoding error [message #1842693 is a reply to message #1842688] Tue, 29 June 2021 06:59
Thomas Wolf
Thanks for your patience, John. We're getting closer, but we're still not there yet.

EGit nightly should issue more lines after 15:32:44.084. I expect to see lines like these there:
... - setNegotiationResult(JGitClientSession[testuser@localhost/127.0.0.1:53730]) Kex: server->client aes128-ctr hmac-sha2-256-etm@openssh.com none
... - setNegotiationResult(JGitClientSession[testuser@localhost/127.0.0.1:53730]) Kex: client->server aes128-ctr hmac-sha2-256-etm@openssh.com none
... - setNegotiationResult(JGitClientSession[testuser@localhost/127.0.0.1:53730]) Kex: kex algorithms = ecdh-sha2-nistp521
... - setNegotiationResult(JGitClientSession[testuser@localhost/127.0.0.1:53730]) Kex: server host key algorithms = ssh-rsa
... - setNegotiationResult(JGitClientSession[testuser@localhost/127.0.0.1:53730]) Kex: encryption algorithms (client to server) = aes128-ctr
... - setNegotiationResult(JGitClientSession[testuser@localhost/127.0.0.1:53730]) Kex: encryption algorithms (server to client) = aes128-ctr
... - setNegotiationResult(JGitClientSession[testuser@localhost/127.0.0.1:53730]) Kex: mac algorithms (client to server) = hmac-sha2-256-etm@openssh.com
... - setNegotiationResult(JGitClientSession[testuser@localhost/127.0.0.1:53730]) Kex: mac algorithms (server to client) = hmac-sha2-256-etm@openssh.com
... - setNegotiationResult(JGitClientSession[testuser@localhost/127.0.0.1:53730]) Kex: compression algorithms (client to server) = none
... - setNegotiationResult(JGitClientSession[testuser@localhost/127.0.0.1:53730]) Kex: compression algorithms (server to client) = none


In particular I'm interested in the "Kex: kex algorithms = ..." and the "Kex: server host key algorithms = ..." lines.

Please install EGit nightly from the update site https://download.eclipse.org/egit/updates-nightly into your Eclipse and then try again.
Re: EGit 5.12 SSH clone failing due to Signature encoding error [message #1842762 is a reply to message #1842693] Wed, 30 June 2021 17:20
John Czukkermann
No worries Thomas. I appreciate your perseverance! The new log is attached.
Re: EGit 5.12 SSH clone failing due to Signature encoding error [message #1842766 is a reply to message #1842762] Wed, 30 June 2021 19:11
Thomas Wolf
Great, thanks! This is the log I wanted. The interesting part:
13:16:33.006 JGitClientSession - readIdentification(JGitClientSession[git@github.foo.com/111.111.111.111:22]) Server version string: SSH-2.0-babeld-278d8c4

The SSH server in your Github instance identifies as "SSH-2.0-babeld-278d8c4". That's a Github-specific SSH server; it's not standard OpenSSH. I have no idea what Github uses.
13:16:33.006 ClientUserAuthService - auth(JGitClientSession[git@github.foo.com/111.111.111.111:22])[ssh-connection] send SSH_MSG_USERAUTH_REQUEST for 'none'
13:16:33.006 JGitClientSession - handleKexInit(JGitClientSession[git@github.foo.com/111.111.111.111:22]) SSH_MSG_KEXINIT
13:16:33.007 JGitClientSession - enqueuePendingPacket(JGitClientSession[git@github.foo.com/111.111.111.111:22])[SSH_MSG_USERAUTH_REQUEST] Start flagging packets as pending until key exchange is done
13:16:33.012 JGitClientSession - setNegotiationResult(JGitClientSession[git@github.foo.com/111.111.111.111:22]) Kex: server->client aes128-ctr hmac-sha2-256-etm@openssh.com none
13:16:33.012 JGitClientSession - setNegotiationResult(JGitClientSession[git@github.foo.com/111.111.111.111:22]) Kex: client->server aes128-ctr hmac-sha2-256-etm@openssh.com none
13:16:33.014 JGitClientSession - setNegotiationResult(JGitClientSession[git@github.foo.com/111.111.111.111:22]) Kex: kex algorithms = ecdh-sha2-nistp521
13:16:33.014 JGitClientSession - setNegotiationResult(JGitClientSession[git@github.foo.com/111.111.111.111:22]) Kex: server host key algorithms = ssh-rsa

The last line above says that client and server negotiated to use a "ssh-rsa" signature during key exchange, and use the "ecdh-sha2-nistp521" key exchange algorithm. This exchanges keys using a SHA2 hash, which is then signed with the SHA1 ssh-rsa signature from the server's RSA host key. So far, so good.
13:16:33.014 JGitClientSession - setNegotiationResult(JGitClientSession[git@github.foo.com/111.111.111.111:22]) Kex: encryption algorithms (client to server) = aes128-ctr
13:16:33.014 JGitClientSession - setNegotiationResult(JGitClientSession[git@github.foo.com/111.111.111.111:22]) Kex: encryption algorithms (server to client) = aes128-ctr
13:16:33.014 JGitClientSession - setNegotiationResult(JGitClientSession[git@github.foo.com/111.111.111.111:22]) Kex: mac algorithms (client to server) = hmac-sha2-256-etm@openssh.com
13:16:33.014 [JGitClientSession - setNegotiationResult(JGitClientSession[git@github.foo.com/111.111.111.111:22]) Kex: mac algorithms (server to client) = hmac-sha2-256-etm@openssh.com
13:16:33.014 JGitClientSession - setNegotiationResult(JGitClientSession[git@github.foo.com/111.111.111.111:22]) Kex: compression algorithms (client to server) = none
13:16:33.014 JGitClientSession - setNegotiationResult(JGitClientSession[git@github.foo.com/111.111.111.111:22]) Kex: compression algorithms (server to client) = none
13:16:33.029 DHGClient - init(DHGClient[ecdh-sha2-nistp521])[JGitClientSession[git@github.foo.com/111.111.111.111:22]] Send SSH_MSG_KEXDH_INIT
13:16:33.029 JGitClientSession - encode(JGitClientSession[git@github.foo.com/111.111.111.111:22]) packet #1 sending command=30[30] len=138
13:16:33.029 Nio2Session - writeBuffer(Nio2Session[local=/10.0.0.6:56665, remote=github.foo.com/111.111.111.111:22]) writing 152 bytes
13:16:33.121 DHGClient - next(DHGClient[ecdh-sha2-nistp521])[JGitClientSession[git@github.foo.com/111.111.111.111:22]] process command=SSH_MSG_KEXDH_REPLY
13:16:33.138 Nio2Session - handleReadCycleFailure(Nio2Session[local=/10.0.0.6:56665, remote=github.foo.com/111.111.111.111:22]) SignatureException after 108390206 nanos at read cycle=2: Signature encoding error
13:16:33.138 Nio2Session - exceptionCaught(Nio2Session[local=/10.0.0.6:56665, remote=github.foo.com/111.111.111.111:22]) caught SignatureException[Signature encoding error] - calling handler
13:16:33.139 JGitClientSession - signalAuthFailure(JGitClientSession[git@github.foo.com/111.111.111.111:22]) type=SignatureException, signalled=true, first=false: Signature encoding error
13:16:33.147 JGitClientSession - exceptionCaught(JGitClientSession[git@github.foo.com/111.111.111.111:22])[state=Opened] SignatureException: Signature encoding error
java.security.SignatureException: Signature encoding error
	at java.base/sun.security.rsa.RSASignature.engineVerify(RSASignature.java:226)
	at java.base/java.security.Signature$Delegate.engineVerify(Signature.java:1416)
	at java.base/java.security.Signature.verify(Signature.java:790)
	at org.apache.sshd.common.signature.AbstractSignature.doVerify(AbstractSignature.java:164)
	at org.apache.sshd.common.signature.SignatureRSA.verify(SignatureRSA.java:116)
	at org.apache.sshd.client.kex.DHGClient.next(DHGClient.java:182)
	at org.apache.sshd.common.session.helpers.AbstractSession.handleKexMessage(AbstractSession.java:606)
	at org.apache.sshd.common.session.helpers.AbstractSession.doHandleMessage(AbstractSession.java:500)
	at org.apache.sshd.common.session.helpers.AbstractSession.handleMessage(AbstractSession.java:428)
	at org.apache.sshd.common.session.helpers.AbstractSession.decode(AbstractSession.java:1463)
	at org.apache.sshd.common.session.helpers.AbstractSession.messageReceived(AbstractSession.java:388)
	at org.eclipse.jgit.internal.transport.sshd.JGitClientSession.messageReceived(JGitClientSession.java:200)
	at org.apache.sshd.common.session.helpers.AbstractSessionIoHandler.messageReceived(AbstractSessionIoHandler.java:64)
	at org.apache.sshd.common.io.nio2.Nio2Session.handleReadCycleCompletion(Nio2Session.java:358)
	at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:335)
	at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:332)
	at org.apache.sshd.common.io.nio2.Nio2CompletionHandler.lambda$completed$0(Nio2CompletionHandler.java:38)
	at java.base/java.security.AccessController.doPrivileged(Native Method)
	at org.apache.sshd.common.io.nio2.Nio2CompletionHandler.completed(Nio2CompletionHandler.java:37)
	at java.base/sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:127)
	at java.base/sun.nio.ch.Invoker$2.run(Invoker.java:219)
	at java.base/sun.nio.ch.AsynchronousChannelGroupImpl$1.run(AsynchronousChannelGroupImpl.java:112)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: java.io.IOException: ObjectIdentifier mismatch: 2.16.840.1.101.3.4.2.3
	at java.base/sun.security.rsa.RSASignature.decodeSignature(RSASignature.java:261)
	at java.base/sun.security.rsa.RSASignature.engineVerify(RSASignature.java:217)
	... 24 common frames omitted

As mentioned above: this stack trace says that the server sent back the key exchange message using a SHA2 "rsa-sha2-512" signature, even though both client and server had agreed on SHA1 "ssh-rsa" before!

This looks like a bug in the Github SSH server.

(Unless the Apache MINA sshd client log should be lying. There is a remote possibility that either side does the negotiation wrong: the server thinks, "rsa-sha2-512" had been negotiated, while the client thinks "ssh-rsa" had been negotiated. If you have access to debug-level server-side logs, you could probably verify what the server logs as the KEX negotiation outcome. If so, I'd be very interested to know what it logs. If it also logs "ssh-rsa", then it's definitely a bug in the Github SSH server. If it logs "rsa-sha2-512", then client and server have different negotiation results, which could be wrong in either.)

I am not sure I can do something about it. I have some ideas of what to try, but I don't see how I could set up a unit test against Github's custom "SSH-2.0-babeld-278d8c4" SSH server... I might have to rely on you to install JGit versions from temporary zipped update sites from our CI build and try out the fix (once I have one).

[Updated on: Wed, 30 June 2021 19:11]

Re: EGit 5.12 SSH clone failing due to Signature encoding error [message #1842767 is a reply to message #1842766] Wed, 30 June 2021 19:32
Thomas Wolf
John, could you run this again, please, but with TRACE level for all three loggers? I think that would also log the server's negotiation proposal, which would help me figure out where the bug is: in the client or in the server.

[Updated on: Wed, 30 June 2021 19:37]

Re: EGit 5.12 SSH clone failing due to Signature encoding error [message #1842841 is a reply to message #1842767] Fri, 02 July 2021 12:47
John Czukkermann
Hi Thomas, I do not have access to anything related to operations for the Github server. It's a corporate tool/thing. I suspect that this will in fact be on them and I'll have to open a ticket. But I will get that updated log for you today.
Re: EGit 5.12 SSH clone failing due to Signature encoding error [message #1842842 is a reply to message #1842767] Fri, 02 July 2021 13:00
John Czukkermann
Here's the log with TRACE for the three loggers.
Re: EGit 5.12 SSH clone failing due to Signature encoding error [message #1842843 is a reply to message #1842842] Fri, 02 July 2021 13:03
John Czukkermann
It is odd that this doesn't seem to affect EGit 5.11 in Eclipse 2020-12.
Re: EGit 5.12 SSH clone failing due to Signature encoding error [message #1842844 is a reply to message #1842843] Fri, 02 July 2021 13:54
Thomas Wolf
Thank you. Here we have it:

08:54:56.680 [sshd-JGitSshClient[4ecbfd8c]-nio2-thread-1] TRACE o.e.j.i.transport.sshd.JGitClientSession - negotiate(JGitClientSession[git@github.foo.com/111.111.111.111:22])[server host key algorithms] guess=ssh-rsa (client=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ecdsa-sha2-nistp256@openssh.com,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-dss-cert-v01@openssh.com,ssh-dss,ext-info-c / server=ecdsa-sha2-nistp256,ssh-dss,rsa-sha2-512,rsa-sha2-256,ssh-rsa)

So: I'd say this is a server bug. It should take the first algorithm from the client's proposal that is applicable and also in the server proposal. The client proposes (among other stuff) "ssh-rsa,rsa-sha2-512,rsa-sha2-256", while the server proposes "rsa-sha2-512,rsa-sha2-256,ssh-rsa". That means "ssh-rsa" should be chosen. So the client is correct and the server is wrong.

However: it would indeed be better if the client also proposed the algorithms in the order "rsa-sha2-512,rsa-sha2-256,ssh-rsa". That it doesn't is actually something I could fix, and then "rsa-sha2-512" should be chosen by both, thus avoiding the problem. You could try if that indeed helps:

Add to your ~/.ssh/config entry for that server a line "HostKeyAlgorithms ^rsa-sha2-512,rsa-sha2-256,ssh-rsa". Then save and re-try.

If you don't have a ~/.ssh/config file, create one with content
Host github.foo.com
Hostname github.foo.com
User git
Port 22
IdentityFile ~/.ssh/your_private_key
HostKeyAlgorithms ^rsa-sha2-512,rsa-sha2-256,ssh-rsa

(Replace the host name and the path to the key as appropriate.)

If it works then we know at least that a corresponding change in JGit will indeed solve the problem.

Another way to fix it on your side would be to remove from the file ~/.ssh/known_hosts all entries for github.foo.com. You would then get a new host key from the server (and would be prompted about it), and if I read the log correctly, it'd be not an RSA key but an ECDSA key. That would then also avoid this particular problem.

And yes, it is a bit strange that it doesn't occur in EGit 5.11.0. Possibly it is caused by the "ext-info-c" at the end of the client's proposal. That was added in 5.11.1 -- it doesn't change the key exchange, though! That only tells the server that the client is interested in any extension capabilities that the server might have. The server will tell about such capabilities only _after_ the key exchange is done. But perhaps this github server sees this "ext-info-c" and then mistakenly chooses the wrong signature. (Because later on for public key authentication, that is, when you actually try to log in, and you use an RSA key, client and server would indeed use "rsa-sha2-512".)
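
The negotiation rule and the workaround from the post above, as an added Python example that is not part of the original thread and is not JGit or Apache MINA sshd code. The two proposals are copied from the quoted TRACE line; the function names are hypothetical, every algorithm is assumed applicable to the chosen key exchange, and the `^` handling models the "place at the head of the list" behaviour the workaround relies on.

```python
# Added example: SSH host key algorithm negotiation, the "^" workaround,
# and the digest OID check that produced "ObjectIdentifier mismatch".

# Proposals copied from the TRACE "negotiate(...)" line quoted in the post.
CLIENT_PROPOSAL = (
    "ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,"
    "ecdsa-sha2-nistp384-cert-v01@openssh.com,"
    "ecdsa-sha2-nistp521-cert-v01@openssh.com,"
    "ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,"
    "rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,"
    "ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,"
    "sk-ecdsa-sha2-nistp256@openssh.com,sk-ssh-ed25519@openssh.com,"
    "rsa-sha2-512,rsa-sha2-256,ssh-dss-cert-v01@openssh.com,ssh-dss,ext-info-c"
).split(",")
SERVER_PROPOSAL = (
    "ecdsa-sha2-nistp256,ssh-dss,rsa-sha2-512,rsa-sha2-256,ssh-rsa"
).split(",")

# Hash OID carried inside the PKCS#1 v1.5 DigestInfo of an RSA signature,
# keyed by the SSH signature algorithm that uses that hash.
DIGEST_OID = {
    "ssh-rsa": "1.3.14.3.2.26",                # SHA-1
    "rsa-sha2-256": "2.16.840.1.101.3.4.2.1",  # SHA-256
    "rsa-sha2-512": "2.16.840.1.101.3.4.2.3",  # SHA-512
}


def negotiate(client, server):
    """Return the first name in the client's list that the server also lists.

    Simplification (assumption): all algorithms are treated as applicable.
    Returns None when the two lists have nothing in common.
    """
    offered = set(server)
    for name in client:
        if name in offered:
            return name
    return None


def apply_host_key_option(option, base):
    """Model a HostKeyAlgorithms value against a base client list.

    "^a,b" moves a,b to the head of the base list; a plain "a,b" replaces
    the list. Other prefixes are not modelled here.
    """
    if option.startswith("^"):
        head = [n for n in option[1:].split(",") if n]
        return head + [n for n in base if n not in head]
    return [n for n in option.split(",") if n]


def classify_signature(negotiated, observed_oid):
    """Compare the digest OID found in a signature with the negotiated one.

    Returns (matches, algorithm_the_oid_belongs_to_or_None).
    """
    expected = DIGEST_OID.get(negotiated)
    if expected is None:
        raise ValueError("not an RSA signature algorithm: " + negotiated)
    actual = next((n for n, o in DIGEST_OID.items() if o == observed_oid), None)
    return expected == observed_oid, actual


if __name__ == "__main__":
    chosen = negotiate(CLIENT_PROPOSAL, SERVER_PROPOSAL)
    print("negotiated:", chosen)
    # OID taken from the stack trace in the thread.
    print("signature check:", classify_signature(chosen, "2.16.840.1.101.3.4.2.3"))
    fixed = apply_host_key_option("^rsa-sha2-512,rsa-sha2-256,ssh-rsa",
                                  CLIENT_PROPOSAL)
    print("with workaround:", negotiate(fixed, SERVER_PROPOSAL))
```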
Re: EGit 5.12 SSH clone failing due to Signature encoding error [message #1842853 is a reply to message #1842844] Sat, 03 July 2021 03:25
John Czukkermann
Et voila! Adding the HostKeyAlgorithms to my .ssh/config did the trick.

I removed the HostKeyAlgorithms, deleted the host key from my known_hosts and restarted Eclipse. That also worked.

I can't thank you enough for your expertise Thomas! Have a great weekend.
Re: EGit 5.12 SSH clone failing due to Signature encoding error [message #1842860 is a reply to message #1842853] Sat, 03 July 2021 12:27
Thomas Wolf
That's great to hear. Now I know that I can fix this in JGit by making it propose "rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,..." instead of "ssh-rsa,ecdsa-sha2-nistp256,...,rsa-sha2-512,rsa-sha2-256,...". The second is still technically correct, but the first is "more correct".

I've created bug 574635 for this. Will be fixed in the next EGit/JGit release.

[Updated on: Sat, 03 July 2021 20:00]

Re: EGit 5.12 SSH clone failing due to Signature encoding error [message #1843151 is a reply to message #1842860] Fri, 16 July 2021 15:17
Thomas Wolf
Should be fixed in EGit nightly now.