Thread: 11 messages, 4 authors, 2023-01-25

Re: [PATCH] ssh signing: better error message when key not in agent

From: Adam Szkoda <hidden>
Date: 2023-01-18 15:30:35

Hi Phillip,

Good point!  My first thought is to try doing a stat() syscall on the
path from 'user.signingKey' to see if it exists and if not, treat it
as a public key (and pass the -U option).  If that sounds reasonable,
I can update the patch.

Best
— Adam


On Wed, Jan 18, 2023 at 3:34 PM Phillip Wood [off-list ref] wrote:
On 18/01/2023 11:10, Phillip Wood wrote:
the agent [1].  A fix is scheduled to be released in OpenSSH 9.1. All that
needs to be done is to pass an additional backward-compatible option -U to
'ssh-keygen -Y sign' call.  With '-U', ssh-keygen always interprets the file
as public key and expects to find the private key in the agent.
The documentation for user.signingKey says

  If gpg.format is set to ssh this can contain the path to either your
private ssh key or the public key when ssh-agent is used.

If I've understood correctly passing -U will prevent users from setting
this to a private key.
If there is an easy way to tell if the user has given us a public key
then we could pass "-U" in that case.

Best Wishes

Phillip
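The heuristic Adam proposes above (stat() the configured user.signingKey and, when there is no file, treat the value as a public key and pass -U), combined with Phillip's concern that a path to a private key must keep working, can be sketched as follows. This is an added example and not git's gpg-interface code: it classifies the configured value by stat() and, when a file exists, by its first line (OpenSSH public keys begin with the key type token, private keys with a PEM-style "-----BEGIN" header), then builds the `ssh-keygen -Y sign` argv with -U only for public or literal keys. The `-n git` namespace and the sample key material are assumptions of this example; the key strings are constructed and not real keys.

```python
"""Decide when to pass -U to `ssh-keygen -Y sign` for a configured
user.signingKey.  Added example, not git's own implementation.

Rules implemented:
  * path does not exist  -> assume a literal public key, write it to a
                            temp file, sign with -U (Adam's suggestion)
  * file starts with "-----BEGIN"       -> private key, no -U
  * file starts with an ssh key type    -> public key, sign with -U
  * anything else                       -> unknown, leave ssh-keygen to decide
"""
import os
import tempfile

# Constructed list of OpenSSH public key type tokens (assumption for this example).
PUBLIC_KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com",
    "sk-ecdsa-sha2-nistp256@openssh.com",
}
PRIVATE_KEY_HEADER = "-----BEGIN"


def signing_key_kind(key):
    """Classify a user.signingKey value: 'missing', 'public', 'private' or 'unknown'."""
    try:
        os.stat(key)
    except OSError:
        # No file at that path: the value is most likely a literal public key
        # whose private half lives in ssh-agent.
        return "missing"
    with open(key, "r", encoding="utf-8", errors="replace") as f:
        first = f.readline().strip()
    if first.startswith(PRIVATE_KEY_HEADER):
        return "private"
    if first.split(" ", 1)[0] in PUBLIC_KEY_TYPES:
        return "public"
    return "unknown"


def build_sign_argv(key, payload_path, namespace="git"):
    """Return (argv, temp_file).  temp_file is a path the caller must delete
    when the key had to be materialized from a literal value, else None."""
    kind = signing_key_kind(key)
    key_file, temp_file = key, None
    if kind == "missing":
        # ssh-keygen needs a file; hand it the literal key in a temp file.
        fd, temp_file = tempfile.mkstemp(suffix=".pub")
        with os.fdopen(fd, "w") as f:
            f.write(key.rstrip("\n") + "\n")
        key_file = temp_file
    argv = ["ssh-keygen", "-Y", "sign", "-n", namespace, "-f", key_file]
    if kind in ("missing", "public"):
        argv.append("-U")  # public key on disk, private key expected in the agent
    argv.append(payload_path)
    return argv, temp_file


def make_sample_keys():
    """Write constructed (not real) key files into a temp dir and return their paths."""
    d = tempfile.mkdtemp()
    pub = os.path.join(d, "id_ed25519.pub")
    priv = os.path.join(d, "id_ed25519")
    with open(pub, "w") as f:
        f.write("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEnotARealKey adam@example\n")
    with open(priv, "w") as f:
        f.write("-----BEGIN OPENSSH PRIVATE KEY-----\nexample-not-a-real-key\n"
                "-----END OPENSSH PRIVATE KEY-----\n")
    return {"public": pub, "private": priv,
            "literal": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEnotARealKey adam@example"}


def demo():
    """Run the three cases and report whether -U was added for each."""
    keys = make_sample_keys()
    out = {}
    for name, key in keys.items():
        argv, tmp = build_sign_argv(key, "/tmp/payload")
        out[name] = {"kind": signing_key_kind(key), "uses_U": "-U" in argv,
                     "materialized": tmp is not None}
        if tmp:
            os.unlink(tmp)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The private-key case deliberately leaves the argv unchanged, so a user who points user.signingKey at a private key file keeps today's behaviour, while public and literal keys get -U and therefore a clear "key not in agent" error instead of the misleading one the thread is about.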