On 18/01/2023 11:10, Phillip Wood wrote:
the agent [1]. A fix is scheduled to be released in OpenSSH 9.1. All that needs to be done is to pass an additional backward-compatible option -U to the 'ssh-keygen -Y sign' call. With '-U', ssh-keygen always interprets the file as public key and expects to find the private key in the agent.
The documentation for user.signingKey says:

  If gpg.format is set to ssh this can contain the path to either your private ssh key or the public key when ssh-agent is used.

If I've understood correctly, passing -U will prevent users from setting this to a private key.

If there is an easy way to tell if the user has given us a public key then we could pass "-U" in that case.
Best Wishes
Phillip
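One way the "easy way to tell" could look, as an added shell sketch that is not git's own code: the helper treats a file as a public key when its first field is a recognised key type and it carries no PRIVATE KEY header, and only then adds -U to the ssh-keygen argument list (the `-n git` namespace is what git's ssh signing uses; the key-type prefixes and function names are assumptions).

```shell
#!/bin/sh
# Hypothetical helper, not git's own code: decide whether the configured
# user.signingKey file is a public key and build the ssh-keygen arguments
# accordingly. A public key gets -U so the private half comes from the agent;
# a private key file keeps the pre-OpenSSH-9.1 behaviour unchanged.

is_public_key_file() {
    # Private keys are PEM/OpenSSH blocks with a "BEGIN ... PRIVATE KEY" line;
    # public keys are a single line beginning with the key type.
    [ -r "$1" ] || return 1
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"; then
        return 1
    fi
    first=$(head -n 1 "$1" | cut -d' ' -f1)
    case "$first" in
        ssh-rsa|ssh-ed25519|ssh-dss|ecdsa-sha2-*|sk-ssh-ed25519*|sk-ecdsa-*)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

ssh_sign_args() {
    # Print the argument list for 'ssh-keygen -Y sign' given a signing key path.
    key=$1
    if is_public_key_file "$key"; then
        printf '%s\n' "-Y sign -n git -U -f $key"
    else
        printf '%s\n' "-Y sign -n git -f $key"
    fi
}
```

The check deliberately errs toward omitting -U: an unreadable or unrecognised file is treated as a private key so that existing private-key configurations keep working.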