Diff of the two buildlogs: -- --- b1/build.log 2025-08-19 15:05:50.840004967 +0000 +++ b2/build.log 2025-08-19 15:07:47.528137838 +0000 @@ -1,6 +1,6 @@ I: pbuilder: network access will be disabled during build -I: Current time: Tue Aug 19 03:03:40 -12 2025 -I: pbuilder-time-stamp: 1755615820 +I: Current time: Tue Sep 22 11:28:53 +14 2026 +I: pbuilder-time-stamp: 1790026133 I: Building the build Environment I: extracting base tarball [/var/cache/pbuilder/unstable-reproducible-base.tgz] I: copying local configuration @@ -24,53 +24,85 @@ dpkg-source: info: applying fix-32bit.patch I: Not using root during the build. I: Installing the build-deps -I: user script /srv/workspace/pbuilder/2969315/tmp/hooks/D02_print_environment starting +I: user script /srv/workspace/pbuilder/3686188/tmp/hooks/D01_modify_environment starting +debug: Running on codethink03-arm64. +I: Changing host+domainname to test build reproducibility +I: Adding a custom variable just for the fun of it... +I: Changing /bin/sh to bash +'/bin/sh' -> '/bin/bash' +lrwxrwxrwx 1 root root 9 Sep 21 21:29 /bin/sh -> /bin/bash +I: Setting pbuilder2's login shell to /bin/bash +I: Setting pbuilder2's GECOS to second user,second room,second work-phone,second home-phone,second other +I: user script /srv/workspace/pbuilder/3686188/tmp/hooks/D01_modify_environment finished +I: user script /srv/workspace/pbuilder/3686188/tmp/hooks/D02_print_environment starting I: set - BUILDDIR='/build/reproducible-path' - BUILDUSERGECOS='first user,first room,first work-phone,first home-phone,first other' - BUILDUSERNAME='pbuilder1' - BUILD_ARCH='arm64' - DEBIAN_FRONTEND='noninteractive' + BASH=/bin/sh + BASHOPTS=checkwinsize:cmdhist:complete_fullquote:extquote:force_fignore:globasciiranges:globskipdots:hostcomplete:interactive_comments:patsub_replacement:progcomp:promptvars:sourcepath + BASH_ALIASES=() + BASH_ARGC=() + BASH_ARGV=() + BASH_CMDS=() + BASH_LINENO=([0]="12" [1]="0") + BASH_LOADABLES_PATH=/usr/local/lib/bash:/usr/lib/bash:/opt/local/lib/bash:/usr/pkg/lib/bash:/opt/pkg/lib/bash:. + BASH_SOURCE=([0]="/tmp/hooks/D02_print_environment" [1]="/tmp/hooks/D02_print_environment") + BASH_VERSINFO=([0]="5" [1]="2" [2]="37" [3]="1" [4]="release" [5]="aarch64-unknown-linux-gnu") + BASH_VERSION='5.2.37(1)-release' + BUILDDIR=/build/reproducible-path + BUILDUSERGECOS='second user,second room,second work-phone,second home-phone,second other' + BUILDUSERNAME=pbuilder2 + BUILD_ARCH=arm64 + DEBIAN_FRONTEND=noninteractive DEB_BUILD_OPTIONS='buildinfo=+all reproducible=+all parallel=12 ' - DISTRIBUTION='unstable' - HOME='/root' - HOST_ARCH='arm64' + DIRSTACK=() + DISTRIBUTION=unstable + EUID=0 + FUNCNAME=([0]="Echo" [1]="main") + GROUPS=() + HOME=/root + HOSTNAME=i-capture-the-hostname + HOSTTYPE=aarch64 + HOST_ARCH=arm64 IFS=' ' - INVOCATION_ID='8c3f08bdcd794ea8b6ed2479b217eebe' - LANG='C' - LANGUAGE='en_US:en' - LC_ALL='C' - MAIL='/var/mail/root' - OPTIND='1' - PATH='/usr/sbin:/usr/bin:/sbin:/bin:/usr/games' - PBCURRENTCOMMANDLINEOPERATION='build' - PBUILDER_OPERATION='build' - PBUILDER_PKGDATADIR='/usr/share/pbuilder' - PBUILDER_PKGLIBDIR='/usr/lib/pbuilder' - PBUILDER_SYSCONFDIR='/etc' - PPID='2969315' - PS1='# ' - PS2='> ' + INVOCATION_ID=8d0141ee9e1d4dc6af11ba6852c9bf24 + LANG=C + LANGUAGE=nl_BE:nl + LC_ALL=C + MACHTYPE=aarch64-unknown-linux-gnu + MAIL=/var/mail/root + OPTERR=1 + OPTIND=1 + OSTYPE=linux-gnu + PATH=/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/i/capture/the/path + PBCURRENTCOMMANDLINEOPERATION=build + PBUILDER_OPERATION=build + PBUILDER_PKGDATADIR=/usr/share/pbuilder + PBUILDER_PKGLIBDIR=/usr/lib/pbuilder + PBUILDER_SYSCONFDIR=/etc + PIPESTATUS=([0]="0") + POSIXLY_CORRECT=y + PPID=3686188 PS4='+ ' - PWD='/' - SHELL='/bin/bash' - SHLVL='2' - SUDO_COMMAND='/usr/bin/timeout -k 18.1h 18h /usr/bin/ionice -c 3 /usr/bin/nice /usr/sbin/pbuilder --build --configfile /srv/reproducible-results/rbuild-debian/r-b-build.zTE5Y1DE/pbuilderrc_rhOu --distribution unstable --hookdir /etc/pbuilder/first-build-hooks --debbuildopts -b --basetgz /var/cache/pbuilder/unstable-reproducible-base.tgz --buildresult /srv/reproducible-results/rbuild-debian/r-b-build.zTE5Y1DE/b1 --logfile b1/build.log opkssh_0.8.0-2.dsc' - SUDO_GID='109' - SUDO_HOME='/var/lib/jenkins' - SUDO_UID='104' - SUDO_USER='jenkins' - TERM='unknown' - TZ='/usr/share/zoneinfo/Etc/GMT+12' - USER='root' - _='/usr/bin/systemd-run' - http_proxy='http://192.168.101.4:3128' + PWD=/ + SHELL=/bin/bash + SHELLOPTS=braceexpand:errexit:hashall:interactive-comments:posix + SHLVL=3 + SUDO_COMMAND='/usr/bin/timeout -k 24.1h 24h /usr/bin/ionice -c 3 /usr/bin/nice -n 11 /usr/bin/unshare --uts -- /usr/sbin/pbuilder --build --configfile /srv/reproducible-results/rbuild-debian/r-b-build.zTE5Y1DE/pbuilderrc_Exmw --distribution unstable --hookdir /etc/pbuilder/rebuild-hooks --debbuildopts -b --basetgz /var/cache/pbuilder/unstable-reproducible-base.tgz --buildresult /srv/reproducible-results/rbuild-debian/r-b-build.zTE5Y1DE/b2 --logfile b2/build.log opkssh_0.8.0-2.dsc' + SUDO_GID=109 + SUDO_HOME=/var/lib/jenkins + SUDO_UID=104 + SUDO_USER=jenkins + TERM=unknown + TZ=/usr/share/zoneinfo/Etc/GMT-14 + UID=0 + USER=root + _='I: set' + http_proxy=http://192.168.101.4:3128 I: uname -a - Linux codethink04-arm64 6.12.41+deb13-cloud-arm64 #1 SMP Debian 6.12.41-1 (2025-08-12) aarch64 GNU/Linux + Linux i-capture-the-hostname 6.12.41+deb13-cloud-arm64 #1 SMP Debian 6.12.41-1 (2025-08-12) aarch64 GNU/Linux I: ls -l /bin - lrwxrwxrwx 1 root root 7 Aug 10 12:30 /bin -> usr/bin -I: user script /srv/workspace/pbuilder/2969315/tmp/hooks/D02_print_environment finished + lrwxrwxrwx 1 root root 7 Aug 10 2025 /bin -> usr/bin +I: user script /srv/workspace/pbuilder/3686188/tmp/hooks/D02_print_environment finished -> Attempting to satisfy build-dependencies -> Creating pbuilder-satisfydepends-dummy package Package: pbuilder-satisfydepends-dummy @@ -899,8 +931,8 @@ Setting up tzdata (2025b-5) ... Current default time zone: 'Etc/UTC' -Local time is now: Tue Aug 19 15:04:22 UTC 2025. -Universal Time is now: Tue Aug 19 15:04:22 UTC 2025. +Local time is now: Mon Sep 21 21:29:42 UTC 2026. +Universal Time is now: Mon Sep 21 21:29:42 UTC 2026. Run 'dpkg-reconfigure tzdata' if you wish to change it. Setting up golang-github-cespare-xxhash-dev (2.3.0-1) ... @@ -1048,7 +1080,11 @@ Building tag database... -> Finished parsing the build-deps I: Building the package -I: Running cd /build/reproducible-path/opkssh-0.8.0/ && env PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games" HOME="/nonexistent/first-build" dpkg-buildpackage -us -uc -b && env PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games" HOME="/nonexistent/first-build" dpkg-genchanges -S > ../opkssh_0.8.0-2_source.changes +I: user script /srv/workspace/pbuilder/3686188/tmp/hooks/A99_set_merged_usr starting +Not re-configuring usrmerge for unstable +I: user script /srv/workspace/pbuilder/3686188/tmp/hooks/A99_set_merged_usr finished +hostname: Name or service not known +I: Running cd /build/reproducible-path/opkssh-0.8.0/ && env PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/i/capture/the/path" HOME="/nonexistent/second-build" dpkg-buildpackage -us -uc -b && env PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/i/capture/the/path" HOME="/nonexistent/second-build" dpkg-genchanges -S > ../opkssh_0.8.0-2_source.changes dpkg-buildpackage: info: source package opkssh dpkg-buildpackage: info: source version 0.8.0-2 dpkg-buildpackage: info: source distribution unstable @@ -1067,205 +1103,204 @@ dh_auto_configure -O--builddirectory=_build -O--buildsystem=golang dh_auto_build -O--builddirectory=_build -O--buildsystem=golang cd _build && go install -trimpath -v -p 12 github.com/openpubkey/opkssh github.com/openpubkey/opkssh/commands github.com/openpubkey/opkssh/commands/config github.com/openpubkey/opkssh/internal/projectpath github.com/openpubkey/opkssh/policy github.com/openpubkey/opkssh/policy/files github.com/openpubkey/opkssh/policy/plugins github.com/openpubkey/opkssh/sshcert +internal/msan internal/goos -internal/goarch -internal/byteorder -internal/godebugs -internal/unsafeheader internal/goexperiment -internal/asan -internal/profilerecord -internal/msan internal/coverage/rtcov +internal/profilerecord +internal/godebugs +internal/asan +internal/byteorder +internal/unsafeheader +internal/goarch internal/cpu -internal/abi -internal/runtime/math internal/runtime/syscall sync/atomic math/bits +internal/runtime/math internal/itoa +internal/abi cmp unicode/utf8 -internal/chacha8rand unicode encoding +internal/chacha8rand unicode/utf16 crypto/internal/fips140/alias crypto/internal/fips140deps/byteorder crypto/internal/boring/sig vendor/golang.org/x/crypto/cryptobyte/asn1 -crypto/internal/fips140/subtle container/list +crypto/internal/fips140/subtle vendor/golang.org/x/crypto/internal/alias internal/nettrace -math log/internal +math github.com/openpubkey/openpubkey/cosigner/msgs golang.org/x/crypto/internal/alias golang.org/x/crypto/salsa20/salsa -internal/bytealg -internal/runtime/atomic -internal/runtime/sys -crypto/internal/fips140deps/cpu log/slog/internal go.opentelemetry.io/otel/metric/embedded go.opentelemetry.io/otel/trace/embedded -golang.org/x/exp/maps +internal/runtime/atomic +internal/bytealg +crypto/internal/fips140deps/cpu +internal/runtime/sys github.com/zitadel/oidc/pkg/oidc/grants/tokenexchange +golang.org/x/exp/maps golang.org/x/exp/constraints golang.org/x/exp/slices internal/stringslite internal/runtime/exithook +go.opentelemetry.io/otel/internal internal/race internal/sync internal/runtime/maps -go.opentelemetry.io/otel/internal runtime +internal/reflectlite iter crypto/subtle -weak sync -internal/reflectlite +weak maps slices -sort errors -internal/testlog -internal/singleflight -unique -log/slog/internal/buffer -internal/bisect +sort internal/oserror -io path -strconv math/rand/v2 vendor/golang.org/x/net/dns/dnsmessage -runtime/cgo +strconv +internal/bisect syscall -bytes -hash +io +internal/testlog +internal/singleflight +unique +runtime/cgo +log/slog/internal/buffer internal/godebug -hash/crc32 +golang.org/x/text/internal/tag +hash +strings crypto/internal/randutil +bytes internal/saferio -strings -golang.org/x/text/internal/tag -reflect crypto -golang.org/x/crypto/blowfish -crypto/internal/fips140deps/godebug -vendor/golang.org/x/text/transform math/rand -net/netip -golang.org/x/text/transform -golang.org/x/text/runes -crypto/internal/impl +reflect +hash/crc32 bufio -net/http/internal/ascii -net/http/internal/testcert +crypto/internal/impl +crypto/internal/fips140deps/godebug crypto/internal/fips140 +net/http/internal/ascii +net/netip +vendor/golang.org/x/text/transform regexp/syntax +net/http/internal/testcert html -github.com/kballard/go-shellquote crypto/internal/fips140/sha256 crypto/internal/fips140/sha3 crypto/internal/fips140/sha512 crypto/tls/internal/fips140tls -crypto/internal/fips140/hmac +github.com/kballard/go-shellquote +golang.org/x/text/transform +golang.org/x/crypto/blowfish crypto/sha3 crypto/internal/fips140hash +crypto/internal/fips140/hmac +golang.org/x/text/runes crypto/internal/fips140/check time -internal/syscall/execenv internal/syscall/unix +internal/syscall/execenv crypto/internal/fips140/aes -crypto/internal/fips140/nistec/fiat crypto/internal/fips140/edwards25519/field +crypto/internal/fips140/nistec/fiat crypto/internal/fips140/bigmod crypto/internal/fips140/hkdf crypto/internal/fips140/tls12 crypto/internal/fips140/tls13 -crypto/internal/fips140/edwards25519 regexp +crypto/internal/fips140/edwards25519 context io/fs internal/poll crypto/internal/fips140/nistec -go.opentelemetry.io/otel/internal/baggage embed github.com/spf13/afero/internal/common internal/filepathlite +go.opentelemetry.io/otel/internal/baggage os -internal/fmtsort -go.opentelemetry.io/otel/internal/attribute encoding/binary +go.opentelemetry.io/otel/internal/attribute +internal/fmtsort vendor/golang.org/x/crypto/internal/poly1305 +golang.org/x/sys/unix golang.org/x/crypto/blake2b golang.org/x/crypto/internal/poly1305 encoding/base64 -golang.org/x/sys/unix golang.org/x/crypto/nacl/secretbox +encoding/pem crypto/internal/sysrand -internal/sysinfo -io/ioutil fmt -path/filepath -os/signal golang.org/x/sys/cpu -net -encoding/pem +os/signal +path/filepath +io/ioutil +internal/sysinfo crypto/internal/entropy +net crypto/internal/fips140/drbg -os/exec -github.com/openpubkey/opkssh/internal/projectpath -github.com/spf13/afero/mem golang.org/x/crypto/sha3 crypto/internal/fips140only crypto/internal/fips140/ecdh crypto/internal/fips140/ecdsa -crypto/internal/fips140/ed25519 crypto/internal/fips140/aes/gcm crypto/internal/fips140/rsa +crypto/internal/fips140/ed25519 crypto/internal/fips140/mlkem +os/exec +github.com/spf13/afero/mem crypto/md5 crypto/rc4 +github.com/openpubkey/opkssh/internal/projectpath crypto/cipher -crypto/internal/boring -crypto/des -golang.org/x/crypto/chacha20 encoding/json github.com/lestrrat-go/option +math/big encoding/hex -github.com/lestrrat-go/blackmagic github.com/lestrrat-go/httpcc -math/big -vendor/golang.org/x/crypto/chacha20 -crypto/ecdh +github.com/lestrrat-go/blackmagic +net/url +compress/flate +log +crypto/internal/boring github.com/lestrrat-go/jwx/jwa +crypto/des +crypto/ecdh crypto/sha512 -compress/flate crypto/aes crypto/hmac +vendor/golang.org/x/crypto/chacha20 crypto/sha1 crypto/sha256 -vendor/golang.org/x/crypto/chacha20poly1305 -net/url -log +vendor/golang.org/x/text/unicode/bidi vendor/golang.org/x/text/unicode/norm vendor/golang.org/x/net/http2/hpack mime mime/quotedprintable +vendor/golang.org/x/crypto/chacha20poly1305 net/http/internal github.com/lestrrat-go/iter/arrayiter -vendor/golang.org/x/text/unicode/bidi github.com/lestrrat-go/iter/mapiter -github.com/lestrrat-go/jwx/internal/base64 compress/gzip +github.com/lestrrat-go/jwx/internal/base64 golang.org/x/crypto/curve25519 +github.com/lestrrat-go/jwx/internal/iter database/sql/driver github.com/go-jose/go-jose/json -github.com/lestrrat-go/jwx/internal/iter golang.org/x/crypto/pbkdf2 go.opentelemetry.io/otel/baggage encoding/gob @@ -1273,20 +1308,15 @@ github.com/zitadel/schema golang.org/x/text/internal/language github.com/davecgh/go-spew/spew -github.com/awnumar/memcall vendor/golang.org/x/text/secure/bidirule github.com/pmezard/go-difflib/difflib -gopkg.in/yaml.v3 -flag -runtime/debug -runtime/trace vendor/golang.org/x/net/idna -text/template/parse -golang.org/x/text/unicode/norm -os/user +gopkg.in/yaml.v3 +github.com/awnumar/memcall github.com/lestrrat-go/jwx/internal/json github.com/sirupsen/logrus log/slog +go.opentelemetry.io/otel/attribute crypto/rand crypto/elliptic crypto/internal/boring/bbig @@ -1295,70 +1325,76 @@ crypto/rsa crypto/internal/hpke crypto/dsa -github.com/lestrrat-go/jwx/internal/ecutil github.com/lestrrat-go/jwx/internal/pool github.com/lestrrat-go/jwx/x25519 golang.org/x/crypto/ed25519 +github.com/lestrrat-go/jwx/internal/ecutil github.com/awnumar/memguard/core filippo.io/bigmod -go.opentelemetry.io/otel/attribute go.opentelemetry.io/otel/codes +go.opentelemetry.io/otel/metric golang.org/x/text/internal/language/compact -github.com/go-logr/logr -testing +go.opentelemetry.io/otel/trace +flag +runtime/debug vendor/golang.org/x/crypto/cryptobyte crypto/x509/pkix -github.com/go-logr/logr/funcr -github.com/awnumar/memguard -text/template golang.org/x/text/language -golang.org/x/crypto/ssh/internal/bcrypt_pbkdf -encoding/csv +github.com/awnumar/memguard +runtime/trace +text/template/parse +github.com/go-logr/logr +golang.org/x/text/unicode/norm +os/user +golang.org/x/crypto/chacha20 +github.com/go-logr/logr/funcr github.com/gorilla/securecookie -go.opentelemetry.io/otel/metric crypto/ecdsa -go.opentelemetry.io/otel/trace +testing +golang.org/x/crypto/ssh/internal/bcrypt_pbkdf +encoding/csv github.com/go-logr/stdr github.com/stretchr/testify/assert/yaml -html/template +text/template github.com/go-jose/go-jose/cipher -crypto/x509 -vendor/golang.org/x/net/http/httpproxy +html/template net/textproto github.com/google/uuid +crypto/x509 +vendor/golang.org/x/net/http/httpproxy github.com/spf13/pflag vendor/golang.org/x/net/http/httpguts mime/multipart -crypto/tls +github.com/spf13/cobra github.com/lestrrat-go/jwx/jwk/internal/x509 github.com/lestrrat-go/jwx/cert +github.com/openpubkey/openpubkey/util github.com/go-jose/go-jose golang.org/x/crypto/ssh -github.com/openpubkey/openpubkey/util +crypto/tls github.com/openpubkey/openpubkey/oidc -github.com/spf13/cobra github.com/zitadel/oidc/pkg/crypto net/http/httptrace net/http +github.com/lestrrat-go/httprc github.com/zitadel/logging +github.com/spf13/afero go.opentelemetry.io/otel/propagation golang.org/x/oauth2/internal -github.com/lestrrat-go/httprc net/http/httptest -github.com/spf13/afero -go.opentelemetry.io/otel/internal/global golang.org/x/oauth2 -github.com/stretchr/testify/assert +go.opentelemetry.io/otel/internal/global github.com/lestrrat-go/jwx/jwk +github.com/stretchr/testify/assert github.com/zitadel/oidc/pkg/oidc golang.org/x/oauth2/clientcredentials go.opentelemetry.io/otel -github.com/zitadel/oidc/internal/otel github.com/openpubkey/opkssh/policy/files +github.com/zitadel/oidc/internal/otel github.com/zitadel/oidc/pkg/http github.com/zitadel/oidc/pkg/client -github.com/zitadel/oidc/pkg/client/rp github.com/stretchr/testify/require +github.com/zitadel/oidc/pkg/client/rp github.com/lestrrat-go/jwx/internal/keyconv github.com/lestrrat-go/jwx/jws github.com/openpubkey/openpubkey/pktoken/clientinstance @@ -1371,10 +1407,10 @@ github.com/openpubkey/openpubkey/verifier github.com/openpubkey/openpubkey/providers github.com/openpubkey/opkssh/sshcert -github.com/openpubkey/openpubkey/client/choosers -github.com/openpubkey/opkssh/commands/config github.com/openpubkey/openpubkey/client +github.com/openpubkey/opkssh/commands/config github.com/openpubkey/opkssh/policy +github.com/openpubkey/openpubkey/client/choosers github.com/openpubkey/opkssh/commands github.com/openpubkey/opkssh dh_auto_test -O--builddirectory=_build -O--buildsystem=golang @@ -1419,7 +1455,7 @@ === RUN TestRun/Login_command_with_provider_bad_provider_good_google_issuer_but_no_client_secret_value === RUN TestRun/Login_command_with_alias_bad_alias === RUN TestRun/Verify_command_fail_on_bad_log_file_path ---- PASS: TestRun (0.06s) +--- PASS: TestRun (0.03s) --- PASS: TestRun/No_arguments (0.00s) --- PASS: TestRun/Root_Help_flag (0.00s) --- PASS: TestRun/Add_Help_flag (0.00s) @@ -1436,7 +1472,7 @@ --- PASS: TestRun/Login_command_with_provider_bad_provider_good_google_issuer_but_no_client_id_value (0.00s) --- PASS: TestRun/Login_command_with_provider_bad_provider_good_google_issuer_but_no_client_secret_value (0.00s) --- PASS: TestRun/Login_command_with_alias_bad_alias (0.00s) - --- PASS: TestRun/Verify_command_fail_on_bad_log_file_path (0.05s) + --- PASS: TestRun/Verify_command_fail_on_bad_log_file_path (0.02s) === RUN TestWithEnvVars === RUN TestWithEnvVars/Set_OPKSSH_DEFAULT_to_bad_value === RUN TestWithEnvVars/Set_OPKSSH_PROVIDERS_to_bad_value @@ -1450,74 +1486,74 @@ --- PASS: TestWithEnvVars/Set_OPKSSH_PROVIDERS_with_bad_provider (0.00s) --- PASS: TestWithEnvVars/Set_OPKSSH_PROVIDERS_with_good_provider_but_asking_for_wrong_alias (0.00s) PASS -ok github.com/openpubkey/opkssh 0.132s +ok github.com/openpubkey/opkssh 0.052s === RUN TestAddErrors -2025/08/19 03:05:21 Successfully added user with email alice@example.com with principal foo to the policy file ---- PASS: TestAddErrors (0.01s) +2026/09/22 11:30:20 Successfully added user with email alice@example.com with principal foo to the policy file +--- PASS: TestAddErrors (0.00s) === RUN TestAddUniqueness -2025/08/19 03:05:21 Successfully added user with email alice@example.com with principal user1 to the policy file -2025/08/19 03:05:21 User with email alice@example.com already has access under the principal user1, skipping... -2025/08/19 03:05:21 Successfully added user with email alice@example.com with principal user2 to the policy file -2025/08/19 03:05:21 User with email alice@example.com already has access under the principal user2, skipping... +2026/09/22 11:30:20 Successfully added user with email alice@example.com with principal user1 to the policy file +2026/09/22 11:30:20 User with email alice@example.com already has access under the principal user1, skipping... +2026/09/22 11:30:20 Successfully added user with email alice@example.com with principal user2 to the policy file +2026/09/22 11:30:20 User with email alice@example.com already has access under the principal user2, skipping... --- PASS: TestAddUniqueness (0.00s) === RUN TestLoginCmd === RUN TestLoginCmd/Good_path_with_no_vars -2025/08/19 03:05:25 DEBUG: running login command with args: {Fs:0x40003ce810 AutoRefreshArg:false ConfigPathArg: CreateConfigArg:false ConfigureArg:false LogDirArg:./logs SendAccessTokenArg:false DisableBrowserOpenArg:false PrintIdTokenArg:true KeyPathArg: ProviderArg: ProviderAliasArg: SSHConfigured:false Verbosity:2 overrideProvider:0x40002297c0 Config:0x40001b6de0 pkt: signer: alg: client: principals:[]} -2025/08/19 03:05:25 Warning: could not find issuer https://accounts.example.com in client config providers +2026/09/22 11:30:22 DEBUG: running login command with args: {Fs:0x4000535e90 AutoRefreshArg:false ConfigPathArg: CreateConfigArg:false ConfigureArg:false LogDirArg:./logs SendAccessTokenArg:false DisableBrowserOpenArg:false PrintIdTokenArg:true KeyPathArg: ProviderArg: ProviderAliasArg: SSHConfigured:false Verbosity:2 overrideProvider:0x400021a060 Config:0x4000128de0 pkt: signer: alg: client: principals:[]} +2026/09/22 11:30:22 Warning: could not find issuer https://accounts.example.com in client config providers Writing opk ssh public key to /build/reproducible-path/opkssh-0.8.0/debian/.debhelper/generated/_source/home/.ssh/id_ecdsa-cert.pub and corresponding secret key to /build/reproducible-path/opkssh-0.8.0/debian/.debhelper/generated/_source/home/.ssh/id_ecdsa id_token: { "iss": "https://accounts.example.com", "sub": "me", - "exp": 1755623125, - "iat": 1755615925, + "exp": 1790033422, + "iat": 1790026222, "email": "arthur.aardvark@example.com", - "nonce": "oxEtOPfEFahKsHH2ew-P49p5Hk6GNg42g7hFlQeCON8" + "nonce": "JVPebmkc-cwVm5w0CqpRxoCP-ReVqkTFT9Bic6rASds" } Keys generated for identity Email, sub, issuer, audience: arthur.aardvark@example.com me https://accounts.example.com test_client_id === RUN TestLoginCmd/Good_path_(load_config) -2025/08/19 03:05:26 DEBUG: running login command with args: {Fs:0x40003284e0 AutoRefreshArg:false ConfigPathArg: CreateConfigArg:false ConfigureArg:false LogDirArg:./logs SendAccessTokenArg:false DisableBrowserOpenArg:false PrintIdTokenArg:true KeyPathArg: ProviderArg: ProviderAliasArg: SSHConfigured:false Verbosity:2 overrideProvider:0x4000339ca0 Config: pkt: signer: alg: client: principals:[]} -2025/08/19 03:05:26 failed to find client config file to generate a default config, run `opkssh login --create-config` to create a default config file -2025/08/19 03:05:26 Warning: could not find issuer https://accounts.example.com in client config providers +2026/09/22 11:30:23 DEBUG: running login command with args: {Fs:0x4000281a10 AutoRefreshArg:false ConfigPathArg: CreateConfigArg:false ConfigureArg:false LogDirArg:./logs SendAccessTokenArg:false DisableBrowserOpenArg:false PrintIdTokenArg:true KeyPathArg: ProviderArg: ProviderAliasArg: SSHConfigured:false Verbosity:2 overrideProvider:0x400056c120 Config: pkt: signer: alg: client: principals:[]} +2026/09/22 11:30:23 failed to find client config file to generate a default config, run `opkssh login --create-config` to create a default config file +2026/09/22 11:30:23 Warning: could not find issuer https://accounts.example.com in client config providers Writing opk ssh public key to /build/reproducible-path/opkssh-0.8.0/debian/.debhelper/generated/_source/home/.ssh/id_ecdsa-cert.pub and corresponding secret key to /build/reproducible-path/opkssh-0.8.0/debian/.debhelper/generated/_source/home/.ssh/id_ecdsa id_token: { "iss": "https://accounts.example.com", "sub": "me", - "exp": 1755623126, - "iat": 1755615926, + "exp": 1790033423, + "iat": 1790026223, "email": "arthur.aardvark@example.com", - "nonce": "kzy4vJRAyi6N7v3eXEquMsGnEyKQE40Z8Nss7Vtd-YI" + "nonce": "avttrM1TQth8jiYhwFi-fiDsQcFddnsjkD00IqX_n7I" } Keys generated for identity Email, sub, issuer, audience: arthur.aardvark@example.com me https://accounts.example.com test_client_id === RUN TestLoginCmd/Good_path_with_SendAccessToken_set_in_arg_and_config -2025/08/19 03:05:27 DEBUG: running login command with args: {Fs:0x4000253410 AutoRefreshArg:false ConfigPathArg: CreateConfigArg:false ConfigureArg:false LogDirArg:./logs SendAccessTokenArg:true DisableBrowserOpenArg:false PrintIdTokenArg:false KeyPathArg: ProviderArg: ProviderAliasArg: SSHConfigured:false Verbosity:2 overrideProvider:0x40001250f0 Config:0x40003ac870 pkt: signer: alg: client: principals:[]} +2026/09/22 11:30:25 DEBUG: running login command with args: {Fs:0x4000568090 AutoRefreshArg:false ConfigPathArg: CreateConfigArg:false ConfigureArg:false LogDirArg:./logs SendAccessTokenArg:true DisableBrowserOpenArg:false PrintIdTokenArg:false KeyPathArg: ProviderArg: ProviderAliasArg: SSHConfigured:false Verbosity:2 overrideProvider:0x400021b300 Config:0x400049c1b0 pkt: signer: alg: client: principals:[]} Writing opk ssh public key to /build/reproducible-path/opkssh-0.8.0/debian/.debhelper/generated/_source/home/.ssh/id_ecdsa-cert.pub and corresponding secret key to /build/reproducible-path/opkssh-0.8.0/debian/.debhelper/generated/_source/home/.ssh/id_ecdsa Keys generated for identity Email, sub, issuer, audience: arthur.aardvark@example.com me https://accounts.example.com test_client_id === RUN TestLoginCmd/Good_path_with_SendAccessToken_set_in_config_but_not_in_arg -2025/08/19 03:05:29 DEBUG: running login command with args: {Fs:0x4000402330 AutoRefreshArg:false ConfigPathArg: CreateConfigArg:false ConfigureArg:false LogDirArg:./logs SendAccessTokenArg:false DisableBrowserOpenArg:false PrintIdTokenArg:false KeyPathArg: ProviderArg: ProviderAliasArg: SSHConfigured:false Verbosity:2 overrideProvider:0x4000609c10 Config:0x40003ac870 pkt: signer: alg: client: principals:[]} +2026/09/22 11:30:26 DEBUG: running login command with args: {Fs:0x4000384060 AutoRefreshArg:false ConfigPathArg: CreateConfigArg:false ConfigureArg:false LogDirArg:./logs SendAccessTokenArg:false DisableBrowserOpenArg:false PrintIdTokenArg:false KeyPathArg: ProviderArg: ProviderAliasArg: SSHConfigured:false Verbosity:2 overrideProvider:0x40001b06b0 Config:0x400049c1b0 pkt: signer: alg: client: principals:[]} Writing opk ssh public key to /build/reproducible-path/opkssh-0.8.0/debian/.debhelper/generated/_source/home/.ssh/id_ecdsa-cert.pub and corresponding secret key to /build/reproducible-path/opkssh-0.8.0/debian/.debhelper/generated/_source/home/.ssh/id_ecdsa Keys generated for identity Email, sub, issuer, audience: arthur.aardvark@example.com me https://accounts.example.com test_client_id === RUN TestLoginCmd/Good_path_with_SendAccessToken_Arg_(issuer_not_found_in_config) -2025/08/19 03:05:30 DEBUG: running login command with args: {Fs:0x4000402210 AutoRefreshArg:false ConfigPathArg: CreateConfigArg:false ConfigureArg:false LogDirArg:./logs SendAccessTokenArg:true DisableBrowserOpenArg:false PrintIdTokenArg:false KeyPathArg: ProviderArg: ProviderAliasArg: SSHConfigured:false Verbosity:2 overrideProvider:0x40002298c0 Config:0x40001b6de0 pkt: signer: alg: client: principals:[]} +2026/09/22 11:30:27 DEBUG: running login command with args: {Fs:0x40003b5ef0 AutoRefreshArg:false ConfigPathArg: CreateConfigArg:false ConfigureArg:false LogDirArg:./logs SendAccessTokenArg:true DisableBrowserOpenArg:false PrintIdTokenArg:false KeyPathArg: ProviderArg: ProviderAliasArg: SSHConfigured:false Verbosity:2 overrideProvider:0x40003ae360 Config:0x4000128de0 pkt: signer: alg: client: principals:[]} Writing opk ssh public key to /build/reproducible-path/opkssh-0.8.0/debian/.debhelper/generated/_source/home/.ssh/id_ecdsa-cert.pub and corresponding secret key to /build/reproducible-path/opkssh-0.8.0/debian/.debhelper/generated/_source/home/.ssh/id_ecdsa Keys generated for identity Email, sub, issuer, audience: arthur.aardvark@example.com me https://accounts.example.com test_client_id ---- PASS: TestLoginCmd (8.83s) - --- PASS: TestLoginCmd/Good_path_with_no_vars (2.89s) - --- PASS: TestLoginCmd/Good_path_(load_config) (0.86s) - --- PASS: TestLoginCmd/Good_path_with_SendAccessToken_set_in_arg_and_config (1.19s) - --- PASS: TestLoginCmd/Good_path_with_SendAccessToken_set_in_config_but_not_in_arg (1.44s) - --- PASS: TestLoginCmd/Good_path_with_SendAccessToken_Arg_(issuer_not_found_in_config) (1.19s) +--- PASS: TestLoginCmd (7.06s) + --- PASS: TestLoginCmd/Good_path_with_no_vars (1.42s) + --- PASS: TestLoginCmd/Good_path_(load_config) (0.82s) + --- PASS: TestLoginCmd/Good_path_with_SendAccessToken_set_in_arg_and_config (2.15s) + --- PASS: TestLoginCmd/Good_path_with_SendAccessToken_set_in_config_but_not_in_arg (0.61s) + --- PASS: TestLoginCmd/Good_path_with_SendAccessToken_Arg_(issuer_not_found_in_config) (0.77s) === RUN TestDetermineProvider === RUN TestDetermineProvider/Good_path_with_env_vars === RUN TestDetermineProvider/Good_path_with_env_vars_and_provider_arg_(provider_arg_takes_precedence) @@ -1537,11 +1573,11 @@ === RUN TestNewLogin --- PASS: TestNewLogin (0.00s) === RUN TestCreateSSHCert ---- PASS: TestCreateSSHCert (0.27s) +--- PASS: TestCreateSSHCert (1.18s) === RUN TestIdentityString ---- PASS: TestIdentityString (1.30s) +--- PASS: TestIdentityString (0.58s) === RUN TestPrettyPrintIdToken ---- PASS: TestPrettyPrintIdToken (0.71s) +--- PASS: TestPrettyPrintIdToken (1.07s) === RUN TestAuthorizedKeysCommand === PAUSE TestAuthorizedKeysCommand === RUN TestEnvFromConfig @@ -1560,12 +1596,12 @@ === RUN TestAuthorizedKeysCommand/Happy_Path === RUN TestAuthorizedKeysCommand/Happy_Path_(with_auth_token) === RUN TestAuthorizedKeysCommand/Wrong_auth_token ---- PASS: TestAuthorizedKeysCommand (0.96s) - --- PASS: TestAuthorizedKeysCommand/Happy_Path (0.03s) +--- PASS: TestAuthorizedKeysCommand (1.26s) + --- PASS: TestAuthorizedKeysCommand/Happy_Path (0.01s) --- PASS: TestAuthorizedKeysCommand/Happy_Path_(with_auth_token) (0.01s) --- PASS: TestAuthorizedKeysCommand/Wrong_auth_token (0.01s) PASS -ok github.com/openpubkey/opkssh/commands 12.163s +ok github.com/openpubkey/opkssh/commands 11.217s === RUN TestParseConfig --- PASS: TestParseConfig (0.00s) === RUN TestParseConfigWithSendAccessToken @@ -1597,7 +1633,7 @@ --- PASS: TestProviderConfigFromString/Alias_set_but_no_alias_expected (0.00s) --- PASS: TestProviderConfigFromString/No_alias_set_but_alias_expected (0.00s) PASS -ok github.com/openpubkey/opkssh/commands/config 0.062s +ok github.com/openpubkey/opkssh/commands/config 0.038s ? github.com/openpubkey/opkssh/internal/projectpath [no test files] === RUN TestProvidersPolicyRow_GetExpirationPolicy --- PASS: TestProvidersPolicyRow_GetExpirationPolicy (0.00s) @@ -1666,98 +1702,41 @@ === RUN TestDump_Success === PAUSE TestDump_Success === CONT TestPolicyApproved -=== CONT TestLoadUserPolicy_FailUserLookup ---- PASS: TestLoadUserPolicy_FailUserLookup (0.00s) -=== CONT TestDump_Success ---- PASS: TestDump_Success (0.00s) -=== CONT TestLoadSystemDefaultPolicy_Success -=== CONT TestPolicyApprovedOidcGroupWithAtSign ---- PASS: TestLoadSystemDefaultPolicy_Success (0.00s) -=== CONT TestLoadSystemDefaultPolicy_ErrorFile ---- PASS: TestLoadSystemDefaultPolicy_ErrorFile (0.00s) -=== CONT TestLoad -=== RUN TestLoad/both_policies_are_missing - multipolicyloader_test.go:189: Root policy: (*policy.Policy)(nil) - multipolicyloader_test.go:190: User policy: (*policy.Policy)(nil) -2025/08/19 03:05:21 warning: failed to load system default policy: failed to read system default policy file /etc/opk/auth_id: failed to describe the file at path: open /etc/opk/auth_id: file does not exist -2025/08/19 03:05:21 warning: failed to load user policy: failed to read user policy file /home/foo/.opk/auth_id: mock error -=== RUN TestLoad/only_root_policy_exists - multipolicyloader_test.go:189: Root policy: &policy.Policy{Users:[]policy.User{policy.User{IdentityAttribute:"alice@example.com", Principals:[]string{"test"}, Issuer:"https://example.com"}}} - multipolicyloader_test.go:190: User policy: (*policy.Policy)(nil) -2025/08/19 03:05:21 warning: failed to load user policy: failed to read user policy file /home/foo/.opk/auth_id: mock error -=== RUN TestLoad/only_user_policy_exists - multipolicyloader_test.go:189: Root policy: (*policy.Policy)(nil) - multipolicyloader_test.go:190: User policy: &policy.Policy{Users:[]policy.User{policy.User{IdentityAttribute:"alice@example.com", Principals:[]string{"foo", "bob"}, Issuer:"https://example.com"}}} -2025/08/19 03:05:21 warning: failed to load system default policy: failed to read system default policy file /etc/opk/auth_id: failed to describe the file at path: open /etc/opk/auth_id: file does not exist -=== RUN TestLoad/both_user_and_root_policy_exist - multipolicyloader_test.go:189: Root policy: &policy.Policy{Users:[]policy.User{policy.User{IdentityAttribute:"alice@example.com", Principals:[]string{"test"}, Issuer:"https://example.com"}, policy.User{IdentityAttribute:"charlie@example.com", Principals:[]string{"test"}, Issuer:"https://example.com"}}} - multipolicyloader_test.go:190: User policy: &policy.Policy{Users:[]policy.User{policy.User{IdentityAttribute:"alice@example.com", Principals:[]string{"foo"}, Issuer:"https://example.com"}, policy.User{IdentityAttribute:"bob@example.com", Principals:[]string{"foo"}, Issuer:"https://example.com"}}} -=== RUN TestLoad/both_user_and_root_policy_exist_but_no_valid_user_policy_entries - multipolicyloader_test.go:189: Root policy: &policy.Policy{Users:[]policy.User{policy.User{IdentityAttribute:"alice@example.com", Principals:[]string{"test"}, Issuer:"https://example.com"}, policy.User{IdentityAttribute:"charlie@example.com", Principals:[]string{"test"}, Issuer:"https://example.com"}}} - multipolicyloader_test.go:190: User policy: &policy.Policy{Users:[]policy.User{policy.User{IdentityAttribute:"alice@example.com", Principals:[]string{"test"}, Issuer:"https://example.com"}, policy.User{IdentityAttribute:"bob@example.com", Principals:[]string{"test", "test2"}, Issuer:"https://example.com"}, policy.User{IdentityAttribute:"charlie@example.com", Principals:[]string{"test", "test2", "test3"}, Issuer:"https://example.com"}}} -2025/08/19 03:05:21 warning: user policy /home/foo/.opk/auth_id has no valid user entries; an entry is considered valid if it gives foo access. ---- PASS: TestLoad (0.00s) - --- PASS: TestLoad/both_policies_are_missing (0.00s) - --- PASS: TestLoad/only_root_policy_exists (0.00s) - --- PASS: TestLoad/only_user_policy_exists (0.00s) - --- PASS: TestLoad/both_user_and_root_policy_exist (0.00s) - --- PASS: TestLoad/both_user_and_root_policy_exist_but_no_valid_user_policy_entries (0.00s) -=== CONT TestPolicyDeniedNoUserEntry -=== CONT TestLoadPolicyAtPath_ReadError ---- PASS: TestLoadPolicyAtPath_ReadError (0.00s) -=== CONT TestPolicyApprovedOidcGroups -=== CONT TestLoadPolicyAtPath_BadPermissions ---- PASS: TestLoadPolicyAtPath_BadPermissions (0.00s) -=== CONT TestPolicyDeniedWrongIssuer -=== CONT TestLoadPolicyAtPath_FileMissing ---- PASS: TestLoadPolicyAtPath_FileMissing (0.00s) -=== CONT TestPolicyDeniedMissingOidcGroupsClaim -=== CONT TestLoadUserPolicy_Success_SkipInvalidEntries ---- PASS: TestLoadUserPolicy_Success_SkipInvalidEntries (0.00s) -=== CONT TestPolicyDeniedOidcGroups -=== CONT TestLoadUserPolicy_Success ---- PASS: TestLoadUserPolicy_Success (0.00s) -=== CONT TestPolicySub -=== CONT TestLoadUserPolicy_ErrorFile ---- PASS: TestLoadUserPolicy_ErrorFile (0.00s) -=== CONT TestPolicyDeniedBadUser -=== CONT TestLoadUserPolicy_NoUserHomeDir ---- PASS: TestLoadUserPolicy_NoUserHomeDir (0.00s) -=== CONT TestPolicyEmailDifferentCase -=== CONT TestEnforceTableTest === CONT TestAddAllowedPrincipal === RUN TestAddAllowedPrincipal/empty_policy policy_test.go:263: AddAllowedPrincipal(principal=test, userEmail=alice@example.com) +=== CONT TestPolicyApprovedOidcGroups +=== NAME TestAddAllowedPrincipal/empty_policy policy_test.go:264: Initial policy: &policy.Policy{Users:[]policy.User(nil)} -2025/08/19 03:05:21 Successfully added user with email alice@example.com with principal test to the policy file +2026/09/22 11:30:20 Successfully added user with email alice@example.com with principal test to the policy file === RUN TestAddAllowedPrincipal/non-empty_policy._user_not_found policy_test.go:263: AddAllowedPrincipal(principal=test, userEmail=bob@example.com) policy_test.go:264: Initial policy: &policy.Policy{Users:[]policy.User{policy.User{IdentityAttribute:"alice@example.com", Principals:[]string{"test", "test2"}, Issuer:"https://example.com"}}} -2025/08/19 03:05:21 Successfully added user with email bob@example.com with principal test to the policy file +2026/09/22 11:30:20 Successfully added user with email bob@example.com with principal test to the policy file === RUN TestAddAllowedPrincipal/user_already_exists._new_principal policy_test.go:263: AddAllowedPrincipal(principal=test3, userEmail=alice@example.com) policy_test.go:264: Initial policy: &policy.Policy{Users:[]policy.User{policy.User{IdentityAttribute:"alice@example.com", Principals:[]string{"test", "test2"}, Issuer:"https://example.com"}}} -2025/08/19 03:05:21 Successfully added user with email alice@example.com with principal test3 to the policy file +2026/09/22 11:30:20 Successfully added user with email alice@example.com with principal test3 to the policy file === RUN TestAddAllowedPrincipal/user_already_exists._principal_not_new. policy_test.go:263: AddAllowedPrincipal(principal=test, userEmail=alice@example.com) policy_test.go:264: Initial policy: &policy.Policy{Users:[]policy.User{policy.User{IdentityAttribute:"alice@example.com", Principals:[]string{"test"}, Issuer:"https://example.com"}}} -2025/08/19 03:05:21 User with email alice@example.com already has access under the principal test, skipping... +2026/09/22 11:30:20 User with email alice@example.com already has access under the principal test, skipping... === RUN TestAddAllowedPrincipal/policy_has_duplicate_entries,_then_add_a_duplicate_entry policy_test.go:263: AddAllowedPrincipal(principal=test, userEmail=alice@example.com) policy_test.go:264: Initial policy: &policy.Policy{Users:[]policy.User{policy.User{IdentityAttribute:"alice@example.com", Principals:[]string{"test"}, Issuer:"https://example.com"}, policy.User{IdentityAttribute:"alice@example.com", Principals:[]string{"test"}, Issuer:"https://example.com"}}} -2025/08/19 03:05:21 User with email alice@example.com already has access under the principal test, skipping... +2026/09/22 11:30:20 User with email alice@example.com already has access under the principal test, skipping... === RUN TestAddAllowedPrincipal/add_the_same_user_but_new_principal policy_test.go:263: AddAllowedPrincipal(principal=test2, userEmail=alice@example.com) policy_test.go:264: Initial policy: &policy.Policy{Users:[]policy.User{policy.User{IdentityAttribute:"alice@example.com", Principals:[]string{"test1"}, Issuer:"https://example.com"}}} -2025/08/19 03:05:21 Successfully added user with email alice@example.com with principal test2 to the policy file +2026/09/22 11:30:20 Successfully added user with email alice@example.com with principal test2 to the policy file === RUN TestAddAllowedPrincipal/add_duplicate_entry_with_complex_policy policy_test.go:263: AddAllowedPrincipal(principal=test2, userEmail=alice@example.com) policy_test.go:264: Initial policy: &policy.Policy{Users:[]policy.User{policy.User{IdentityAttribute:"alice@example.com", Principals:[]string{"test1"}, Issuer:"https://example.com"}, policy.User{IdentityAttribute:"bob@example.com", Principals:[]string{"test2"}, Issuer:"https://example.com"}, policy.User{IdentityAttribute:"alice@example.com", Principals:[]string{"test1", "test2", "test3"}, Issuer:"https://example.com"}}} -2025/08/19 03:05:21 User with email alice@example.com already has access under the principal test2, skipping... +2026/09/22 11:30:20 User with email alice@example.com already has access under the principal test2, skipping... === RUN TestAddAllowedPrincipal/add_matching_user_but_new_principal_with_complex_policy policy_test.go:263: AddAllowedPrincipal(principal=test4, userEmail=alice@example.com) policy_test.go:264: Initial policy: &policy.Policy{Users:[]policy.User{policy.User{IdentityAttribute:"alice@example.com", Principals:[]string{"test1"}, Issuer:"https://example.com"}, policy.User{IdentityAttribute:"bob@example.com", Principals:[]string{"test2"}, Issuer:"https://example.com"}, policy.User{IdentityAttribute:"alice@example.com", Principals:[]string{"test1", "test2", "test3"}, Issuer:"https://example.com"}}} -2025/08/19 03:05:21 Successfully added user with email alice@example.com with principal test4 to the policy file +2026/09/22 11:30:20 Successfully added user with email alice@example.com with principal test4 to the policy file --- PASS: TestAddAllowedPrincipal (0.00s) --- PASS: TestAddAllowedPrincipal/empty_policy (0.00s) --- PASS: TestAddAllowedPrincipal/non-empty_policy._user_not_found (0.00s) @@ -1767,26 +1746,84 @@ --- PASS: TestAddAllowedPrincipal/add_the_same_user_but_new_principal (0.00s) --- PASS: TestAddAllowedPrincipal/add_duplicate_entry_with_complex_policy (0.00s) --- PASS: TestAddAllowedPrincipal/add_matching_user_but_new_principal_with_complex_policy (0.00s) -2025/08/19 03:05:22 Skipping policy plugins: no plugins found at /etc/opk/policy.d ---- PASS: TestPolicyDeniedOidcGroups (1.05s) -2025/08/19 03:05:24 Skipping policy plugins: no plugins found at /etc/opk/policy.d ---- PASS: TestPolicyApprovedOidcGroupWithAtSign (2.56s) -2025/08/19 03:05:24 Skipping policy plugins: no plugins found at /etc/opk/policy.d ---- PASS: TestPolicyApproved (2.73s) -2025/08/19 03:05:25 Skipping policy plugins: no plugins found at /etc/opk/policy.d ---- PASS: TestPolicyDeniedMissingOidcGroupsClaim (3.84s) -2025/08/19 03:05:25 Skipping policy plugins: no plugins found at /etc/opk/policy.d ---- PASS: TestPolicyDeniedWrongIssuer (4.10s) -2025/08/19 03:05:25 Skipping policy plugins: no plugins found at /etc/opk/policy.d ---- PASS: TestPolicyApprovedOidcGroups (4.27s) -2025/08/19 03:05:25 Skipping policy plugins: no plugins found at /etc/opk/policy.d ---- PASS: TestPolicySub (4.35s) -2025/08/19 03:05:26 Skipping policy plugins: no plugins found at /etc/opk/policy.d ---- PASS: TestPolicyDeniedNoUserEntry (5.37s) -2025/08/19 03:05:27 Skipping policy plugins: no plugins found at /etc/opk/policy.d ---- PASS: TestPolicyDeniedBadUser (5.75s) -2025/08/19 03:05:27 Skipping policy plugins: no plugins found at /etc/opk/policy.d ---- PASS: TestPolicyEmailDifferentCase (6.00s) +=== CONT TestDump_Success +--- PASS: TestDump_Success (0.00s) +=== CONT TestLoadSystemDefaultPolicy_Success +--- PASS: TestLoadSystemDefaultPolicy_Success (0.00s) +=== CONT TestLoadSystemDefaultPolicy_ErrorFile +--- PASS: TestLoadSystemDefaultPolicy_ErrorFile (0.00s) +=== CONT TestLoadPolicyAtPath_ReadError +--- PASS: TestLoadPolicyAtPath_ReadError (0.00s) +=== CONT TestLoadPolicyAtPath_BadPermissions +--- PASS: TestLoadPolicyAtPath_BadPermissions (0.00s) +=== CONT TestLoadPolicyAtPath_FileMissing +--- PASS: TestLoadPolicyAtPath_FileMissing (0.00s) +=== CONT TestLoadUserPolicy_Success_SkipInvalidEntries +--- PASS: TestLoadUserPolicy_Success_SkipInvalidEntries (0.00s) +=== CONT TestLoadUserPolicy_Success +--- PASS: TestLoadUserPolicy_Success (0.00s) +=== CONT TestLoadUserPolicy_ErrorFile +--- PASS: TestLoadUserPolicy_ErrorFile (0.00s) +=== CONT TestLoadUserPolicy_NoUserHomeDir +--- PASS: TestLoadUserPolicy_NoUserHomeDir (0.00s) +=== CONT TestLoadUserPolicy_FailUserLookup +--- PASS: TestLoadUserPolicy_FailUserLookup (0.00s) +=== CONT TestPolicyDeniedBadUser +=== CONT TestPolicySub +=== CONT TestPolicyDeniedMissingOidcGroupsClaim +=== CONT TestPolicyEmailDifferentCase +=== CONT TestLoad +=== RUN TestLoad/both_policies_are_missing + multipolicyloader_test.go:189: Root policy: (*policy.Policy)(nil) + multipolicyloader_test.go:190: User policy: (*policy.Policy)(nil) +2026/09/22 11:30:20 warning: failed to load system default policy: failed to read system default policy file /etc/opk/auth_id: failed to describe the file at path: open /etc/opk/auth_id: file does not exist +2026/09/22 11:30:20 warning: failed to load user policy: failed to read user policy file /home/foo/.opk/auth_id: mock error +=== RUN TestLoad/only_root_policy_exists + multipolicyloader_test.go:189: Root policy: &policy.Policy{Users:[]policy.User{policy.User{IdentityAttribute:"alice@example.com", Principals:[]string{"test"}, Issuer:"https://example.com"}}} + multipolicyloader_test.go:190: User policy: (*policy.Policy)(nil) +2026/09/22 11:30:20 warning: failed to load user policy: failed to read user policy file /home/foo/.opk/auth_id: mock error +=== RUN TestLoad/only_user_policy_exists + multipolicyloader_test.go:189: Root policy: (*policy.Policy)(nil) + multipolicyloader_test.go:190: User policy: &policy.Policy{Users:[]policy.User{policy.User{IdentityAttribute:"alice@example.com", Principals:[]string{"foo", "bob"}, Issuer:"https://example.com"}}} +2026/09/22 11:30:20 warning: failed to load system default policy: failed to read system default policy file /etc/opk/auth_id: failed to describe the file at path: open /etc/opk/auth_id: file does not exist +=== RUN TestLoad/both_user_and_root_policy_exist + multipolicyloader_test.go:189: Root policy: &policy.Policy{Users:[]policy.User{policy.User{IdentityAttribute:"alice@example.com", Principals:[]string{"test"}, Issuer:"https://example.com"}, policy.User{IdentityAttribute:"charlie@example.com", Principals:[]string{"test"}, Issuer:"https://example.com"}}} + multipolicyloader_test.go:190: User policy: &policy.Policy{Users:[]policy.User{policy.User{IdentityAttribute:"alice@example.com", Principals:[]string{"foo"}, Issuer:"https://example.com"}, policy.User{IdentityAttribute:"bob@example.com", Principals:[]string{"foo"}, Issuer:"https://example.com"}}} +=== RUN TestLoad/both_user_and_root_policy_exist_but_no_valid_user_policy_entries + multipolicyloader_test.go:189: Root policy: &policy.Policy{Users:[]policy.User{policy.User{IdentityAttribute:"alice@example.com", Principals:[]string{"test"}, Issuer:"https://example.com"}, policy.User{IdentityAttribute:"charlie@example.com", Principals:[]string{"test"}, Issuer:"https://example.com"}}} + multipolicyloader_test.go:190: User policy: &policy.Policy{Users:[]policy.User{policy.User{IdentityAttribute:"alice@example.com", Principals:[]string{"test"}, Issuer:"https://example.com"}, policy.User{IdentityAttribute:"bob@example.com", Principals:[]string{"test", "test2"}, Issuer:"https://example.com"}, policy.User{IdentityAttribute:"charlie@example.com", Principals:[]string{"test", "test2", "test3"}, Issuer:"https://example.com"}}} +2026/09/22 11:30:20 warning: user policy /home/foo/.opk/auth_id has no valid user entries; an entry is considered valid if it gives foo access. +--- PASS: TestLoad (0.00s) + --- PASS: TestLoad/both_policies_are_missing (0.00s) + --- PASS: TestLoad/only_root_policy_exists (0.00s) + --- PASS: TestLoad/only_user_policy_exists (0.00s) + --- PASS: TestLoad/both_user_and_root_policy_exist (0.00s) + --- PASS: TestLoad/both_user_and_root_policy_exist_but_no_valid_user_policy_entries (0.00s) +=== CONT TestPolicyDeniedWrongIssuer +=== CONT TestEnforceTableTest +=== CONT TestPolicyDeniedOidcGroups +=== CONT TestPolicyApprovedOidcGroupWithAtSign +=== CONT TestPolicyDeniedNoUserEntry +2026/09/22 11:30:21 Skipping policy plugins: no plugins found at /etc/opk/policy.d +--- PASS: TestPolicyDeniedWrongIssuer (1.24s) +2026/09/22 11:30:21 Skipping policy plugins: no plugins found at /etc/opk/policy.d +--- PASS: TestPolicySub (1.35s) +2026/09/22 11:30:21 Skipping policy plugins: no plugins found at /etc/opk/policy.d +--- PASS: TestPolicyDeniedNoUserEntry (1.52s) +2026/09/22 11:30:22 Skipping policy plugins: no plugins found at /etc/opk/policy.d +--- PASS: TestPolicyApproved (1.90s) +2026/09/22 11:30:22 Skipping policy plugins: no plugins found at /etc/opk/policy.d +--- PASS: TestPolicyDeniedMissingOidcGroupsClaim (2.22s) +2026/09/22 11:30:22 Skipping policy plugins: no plugins found at /etc/opk/policy.d +--- PASS: TestPolicyDeniedBadUser (2.23s) +2026/09/22 11:30:22 Skipping policy plugins: no plugins found at /etc/opk/policy.d +--- PASS: TestPolicyEmailDifferentCase (2.24s) +2026/09/22 11:30:22 Skipping policy plugins: no plugins found at /etc/opk/policy.d +--- PASS: TestPolicyApprovedOidcGroupWithAtSign (2.32s) +2026/09/22 11:30:22 Skipping policy plugins: no plugins found at /etc/opk/policy.d +--- PASS: TestPolicyDeniedOidcGroups (2.34s) +2026/09/22 11:30:22 Skipping policy plugins: no plugins found at /etc/opk/policy.d +--- PASS: TestPolicyApprovedOidcGroups (2.48s) === RUN TestEnforceTableTest/Happy_path_(No_userinfo_supplied_but_ID_Token_has_groups_claim) === PAUSE TestEnforceTableTest/Happy_path_(No_userinfo_supplied_but_ID_Token_has_groups_claim) === RUN TestEnforceTableTest/No_groups_claim_in_ID_Token @@ -1805,31 +1842,31 @@ === PAUSE TestEnforceTableTest/policy_loader_failure === CONT TestEnforceTableTest/Happy_path_(No_userinfo_supplied_but_ID_Token_has_groups_claim) === CONT TestEnforceTableTest/Wrong_groups_claim_in_userinfo -=== CONT TestEnforceTableTest/corrupted_userinfo === CONT TestEnforceTableTest/Happy_path_(Valid_user_info) +=== CONT TestEnforceTableTest/No_groups_claim_in_ID_Token === CONT TestEnforceTableTest/Missing_groups_claim_in_userinfo -=== CONT TestEnforceTableTest/sub_in_userinfo_does_not_match_sub_in_ID_Token_does_not_match -2025/08/19 03:05:32 Skipping policy plugins: no plugins found at /etc/opk/policy.d +=== CONT TestEnforceTableTest/corrupted_userinfo === CONT TestEnforceTableTest/policy_loader_failure -=== CONT TestEnforceTableTest/No_groups_claim_in_ID_Token -2025/08/19 03:05:32 Skipping policy plugins: no plugins found at /etc/opk/policy.d -2025/08/19 03:05:32 Skipping policy plugins: no plugins found at /etc/opk/policy.d -2025/08/19 03:05:32 Skipping policy plugins: no plugins found at /etc/opk/policy.d -2025/08/19 03:05:32 Skipping policy plugins: no plugins found at /etc/opk/policy.d -2025/08/19 03:05:32 Skipping policy plugins: no plugins found at /etc/opk/policy.d -2025/08/19 03:05:32 Skipping policy plugins: no plugins found at /etc/opk/policy.d -2025/08/19 03:05:32 Skipping policy plugins: no plugins found at /etc/opk/policy.d ---- PASS: TestEnforceTableTest (11.17s) - --- PASS: TestEnforceTableTest/Happy_path_(Valid_user_info) (0.01s) - --- PASS: TestEnforceTableTest/Wrong_groups_claim_in_userinfo (0.01s) - --- PASS: TestEnforceTableTest/corrupted_userinfo (0.01s) - --- PASS: TestEnforceTableTest/policy_loader_failure (0.01s) +2026/09/22 11:30:27 Skipping policy plugins: no plugins found at /etc/opk/policy.d +=== CONT TestEnforceTableTest/sub_in_userinfo_does_not_match_sub_in_ID_Token_does_not_match +2026/09/22 11:30:27 Skipping policy plugins: no plugins found at /etc/opk/policy.d +2026/09/22 11:30:27 Skipping policy plugins: no plugins found at /etc/opk/policy.d +2026/09/22 11:30:27 Skipping policy plugins: no plugins found at /etc/opk/policy.d +2026/09/22 11:30:27 Skipping policy plugins: no plugins found at /etc/opk/policy.d +2026/09/22 11:30:27 Skipping policy plugins: no plugins found at /etc/opk/policy.d +2026/09/22 11:30:27 Skipping policy plugins: no plugins found at /etc/opk/policy.d +2026/09/22 11:30:27 Skipping policy plugins: no plugins found at /etc/opk/policy.d +--- PASS: TestEnforceTableTest (7.69s) --- PASS: TestEnforceTableTest/Happy_path_(No_userinfo_supplied_but_ID_Token_has_groups_claim) (0.01s) + --- PASS: TestEnforceTableTest/Wrong_groups_claim_in_userinfo (0.01s) + --- PASS: TestEnforceTableTest/Happy_path_(Valid_user_info) (0.01s) --- PASS: TestEnforceTableTest/No_groups_claim_in_ID_Token (0.01s) - --- PASS: TestEnforceTableTest/Missing_groups_claim_in_userinfo (0.01s) + --- PASS: TestEnforceTableTest/corrupted_userinfo (0.02s) + --- PASS: TestEnforceTableTest/Missing_groups_claim_in_userinfo (0.02s) + --- PASS: TestEnforceTableTest/policy_loader_failure (0.02s) --- PASS: TestEnforceTableTest/sub_in_userinfo_does_not_match_sub_in_ID_Token_does_not_match (0.02s) PASS -ok github.com/openpubkey/opkssh/policy 11.292s +ok github.com/openpubkey/opkssh/policy 7.787s === RUN TestLog === RUN TestLog/empty === RUN TestLog/single_entry @@ -1877,7 +1914,7 @@ --- PASS: TestToTable/multiple_rows_with_comment (0.00s) --- PASS: TestToTable/realistic_input (0.00s) PASS -ok github.com/openpubkey/opkssh/policy/files 0.054s +ok github.com/openpubkey/opkssh/policy/files 0.031s === RUN TestLoadPolicyPluginsMissing --- PASS: TestLoadPolicyPluginsMissing (0.00s) === RUN TestLoadPolicyPlugins @@ -1915,19 +1952,19 @@ === RUN TestPluginUnsetsEnvVar --- PASS: TestPluginUnsetsEnvVar (0.00s) === RUN TestPublicCheckPolicy ---- PASS: TestPublicCheckPolicy (2.55s) +--- PASS: TestPublicCheckPolicy (1.36s) === RUN TestNewTokens === RUN TestNewTokens/Happy_path_(all_tokens) === RUN TestNewTokens/Happy_path_(minimal_tokens) === RUN TestNewTokens/Happy_path_(string_list_audience) === RUN TestNewTokens/Wrong_type_for_email_verified_claim_in_ID_token ---- PASS: TestNewTokens (6.36s) +--- PASS: TestNewTokens (3.57s) --- PASS: TestNewTokens/Happy_path_(all_tokens) (0.00s) --- PASS: TestNewTokens/Happy_path_(minimal_tokens) (0.00s) --- PASS: TestNewTokens/Happy_path_(string_list_audience) (0.00s) --- PASS: TestNewTokens/Wrong_type_for_email_verified_claim_in_ID_token (0.00s) PASS -ok github.com/openpubkey/opkssh/policy/plugins 8.967s +ok github.com/openpubkey/opkssh/policy/plugins 4.966s === RUN TestCASignerCreation === PAUSE TestCASignerCreation === RUN TestInvalidSshPublicKey @@ -1938,14 +1975,14 @@ === CONT TestSshCertCreation === RUN TestSshCertCreation/Happy_Path_(no_access_token) === CONT TestInvalidSshPublicKey ---- PASS: TestCASignerCreation (0.04s) ---- PASS: TestInvalidSshPublicKey (0.30s) +--- PASS: TestCASignerCreation (0.02s) +--- PASS: TestInvalidSshPublicKey (0.86s) === RUN TestSshCertCreation/Happy_Path_(with_access_token) ---- PASS: TestSshCertCreation (4.29s) - --- PASS: TestSshCertCreation/Happy_Path_(no_access_token) (3.47s) - --- PASS: TestSshCertCreation/Happy_Path_(with_access_token) (0.82s) +--- PASS: TestSshCertCreation (3.39s) + --- PASS: TestSshCertCreation/Happy_Path_(no_access_token) (1.17s) + --- PASS: TestSshCertCreation/Happy_Path_(with_access_token) (2.22s) PASS -ok github.com/openpubkey/opkssh/sshcert 4.351s +ok github.com/openpubkey/opkssh/sshcert 3.434s create-stamp debian/debhelper-build-stamp dh_testroot -O--builddirectory=_build -O--buildsystem=golang dh_prep -O--builddirectory=_build -O--buildsystem=golang @@ -1970,8 +2007,8 @@ dh_gencontrol -O--builddirectory=_build -O--buildsystem=golang dh_md5sums -O--builddirectory=_build -O--buildsystem=golang dh_builddeb -O--builddirectory=_build -O--buildsystem=golang -dpkg-deb: building package 'opkssh-dbgsym' in '../opkssh-dbgsym_0.8.0-2_arm64.deb'. dpkg-deb: building package 'opkssh' in '../opkssh_0.8.0-2_arm64.deb'. +dpkg-deb: building package 'opkssh-dbgsym' in '../opkssh-dbgsym_0.8.0-2_arm64.deb'. dpkg-deb: building package 'golang-github-openpubkey-opkssh-dev' in '../golang-github-openpubkey-opkssh-dev_0.8.0-2_all.deb'. dpkg-genbuildinfo --build=binary -O../opkssh_0.8.0-2_arm64.buildinfo dpkg-genchanges --build=binary -O../opkssh_0.8.0-2_arm64.changes @@ -1980,12 +2017,14 @@ dpkg-buildpackage: info: binary-only upload (no source included) dpkg-genchanges: info: not including original source code in upload I: copying local configuration +I: user script /srv/workspace/pbuilder/3686188/tmp/hooks/B01_cleanup starting +I: user script /srv/workspace/pbuilder/3686188/tmp/hooks/B01_cleanup finished I: unmounting dev/ptmx filesystem I: unmounting dev/pts filesystem I: unmounting dev/shm filesystem I: unmounting proc filesystem I: unmounting sys filesystem I: cleaning the build env -I: removing directory /srv/workspace/pbuilder/2969315 and its subdirectories -I: Current time: Tue Aug 19 03:05:50 -12 2025 -I: pbuilder-time-stamp: 1755615950 +I: removing directory /srv/workspace/pbuilder/3686188 and its subdirectories +I: Current time: Tue Sep 22 11:30:46 +14 2026 +I: pbuilder-time-stamp: 1790026246