Fabian Stelzer <fs@xxxxxxxxxxxx> writes: >>Thanks for replying, Fabian. >> >>My main issue is that ecdsa-sha2-* keys currently seem incompatible >>with `gpg.ssh.defaultKeyCommand = "ssh-add -L"` >> >>The git-config documentation of `gpg.ssh.defaultKeyCommand` says: >> >>> To automatically use the first available key from your ssh-agent set this to "ssh-add -L". This is puzzling. One chooses the key to use when signing, and the key should go to the gpg.ssh.defaultkey, and also "ssh-add" is told about the key for convenient access. Asking "ssh-add -L" about the keys it knows about and randomly pick the first one it happens to tell you about sounds totally backwards to me. I may have a key I use to sign, and one key each to go to various destinations, all of which "ssh-add -L" may know about. It alone cannot fundamentally tell because it does not know what you intend to use each key for. Of course, as your own custom script, defaultKeyCommand may know which keys you intend to use for connecting and which keys you intend to use for signing. It may even need to know which key you intend to use for each project you work with and your .git/config may have something to tell the script what "trait" the key to be used that appear in "ssh-add -L" output should have (perhaps the key is rotated very often so you cannot write the exact key in your configuration, but perhaps the comment at the end of each line have sufficient cue to tell them apart). So, the custom script would need to go line by line to find the key to use in the first place, and if it is computationally capable enough to do so, it should be easy to prefix key:: in front. IIRC, we designed the system in such a way that it is not an error to prefix key:: in front of ssh-* keys. In any case, perhaps we should extend the documentation a bit. It generally is not sensible to just use "ssh-add -L" and pick one random key out of it, so we shouldn't be encouraging such a use, I suspect.
