Hi Phillip,

Good point! My first thought is to try doing a stat() syscall on the path from 'user.signingKey' to see if it exists and if not, treat it as a public key (and pass the -U option). If that sounds reasonable, I can update the patch.

Best — Adam

On Wed, Jan 18, 2023 at 3:34 PM Phillip Wood <phillip.wood123@xxxxxxxxx> wrote:
>
> On 18/01/2023 11:10, Phillip Wood wrote:
> >> the agent [1]. A fix is scheduled to be released in OpenSSH 9.1. All that
> >> needs to be done is to pass an additional backward-compatible option -U to
> >> the 'ssh-keygen -Y sign' call. With '-U', ssh-keygen always interprets the file
> >> as a public key and expects to find the private key in the agent.
> >
> > The documentation for user.signingKey says
> >
> >     If gpg.format is set to ssh this can contain the path to either your
> >     private ssh key or the public key when ssh-agent is used.
> >
> > If I've understood correctly, passing -U will prevent users from setting
> > this to a private key.
>
> If there is an easy way to tell if the user has given us a public key
> then we could pass "-U" in that case.
>
> Best Wishes
>
> Phillip
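The decision the thread is circling, written out as an added shell example. This is not git's code and not the patch under discussion; it combines the two ideas above (Adam's stat() check for a non-existent path, Phillip's "tell whether the user gave us a public key") into one function that builds the `ssh-keygen -Y sign` argument list and appends `-U` only when the private half must come from ssh-agent. The `key::` prefix is the one git documents for literal keys in `user.signingKey`; the list of recognised key-type prefixes, the first-line header heuristics, the scratch-directory handling and the file names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from git or from the patch under discussion.
# Decide whether `ssh-keygen -Y sign` should get -U for a given
# user.signingKey value. -U tells ssh-keygen that -f names a public key
# and that the private key lives in ssh-agent.

# Return 0 if the first line of the file looks like an OpenSSH public key.
# The prefix list is an assumption for this example, not an exhaustive check.
looks_like_public_key() {
    case "$(head -n 1 "$1")" in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*|sk-ssh-ed25519@openssh.com\ *|sk-ecdsa-sha2-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the file starts with a PEM-style private key header
# (OpenSSH, PKCS#8 and traditional PEM all use this shape).
looks_like_private_key() {
    case "$(head -n 1 "$1")" in
        "-----BEGIN "*" PRIVATE KEY-----") return 0 ;;
        *) return 1 ;;
    esac
}

# Print the ssh-keygen arguments (one line, space separated) for the
# signing key value in $1. $2 is a scratch directory used to hold a
# literal public key, since ssh-keygen -f needs a file.
# Rules applied:
#   key::<pubkey> literal            -> write to scratch file, pass -U
#   path that does not exist         -> treat as literal pubkey, pass -U
#   existing file with a pubkey line -> pass -U
#   existing file with a private key -> no -U
#   existing file, unrecognised      -> no -U, let ssh-keygen decide
ssh_sign_args() {
    key="$1"; scratch="$2"
    use_agent=0
    case "$key" in
        key::*)
            printf '%s\n' "${key#key::}" > "$scratch/literal.pub"
            keyfile="$scratch/literal.pub"; use_agent=1 ;;
        *)
            if [ ! -e "$key" ]; then
                # stat() failed: not a path, so assume a bare public key.
                printf '%s\n' "$key" > "$scratch/literal.pub"
                keyfile="$scratch/literal.pub"; use_agent=1
            else
                keyfile="$key"
                if looks_like_public_key "$key"; then
                    use_agent=1
                elif looks_like_private_key "$key"; then
                    use_agent=0
                fi
            fi ;;
    esac
    # "git" is the signature namespace git uses for ssh signatures.
    args="-Y sign -n git -f $keyfile"
    [ "$use_agent" -eq 1 ] && args="$args -U"
    printf '%s\n' "$args"
}

# Stand-alone demonstration on constructed files (not real keys).
demo_dir=$(mktemp -d)
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEEXAMPLEEXAMPLE user@example' > "$demo_dir/id.pub"
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'b3BlbnNzaC1rZXktdjEA' '-----END OPENSSH PRIVATE KEY-----' > "$demo_dir/id"
echo "public key file:  $(ssh_sign_args "$demo_dir/id.pub" "$demo_dir")"
echo "private key file: $(ssh_sign_args "$demo_dir/id" "$demo_dir")"
echo "literal key::     $(ssh_sign_args 'key::ssh-ed25519 AAAAEXAMPLE user@example' "$demo_dir")"
echo "missing path:     $(ssh_sign_args "$demo_dir/no-such-key" "$demo_dir")"
rm -rf "$demo_dir"
```

The printed argument lists are what would be handed to `ssh-keygen`; the example deliberately does not invoke it, so it runs without OpenSSH or an agent. The header heuristic is enough to keep an existing private-key path working without `-U` while still passing `-U` for public-key files, literal keys and non-existent paths.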