
[Bug 3429] New: Confusing error message from `ssh-keygen -Y sign` when private key is not in agent
https://bugzilla.mindrot.org/show_bug.cgi?id=3429

Bug ID: 3429
Summary: Confusing error message from `ssh-keygen -Y sign` when private key is not in agent
Product: Portable OpenSSH
Version: v9.0p1
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P5
Component: ssh-keygen
Assignee: unassigned-bugs@mindrot.org
Reporter: adaszko@gmail.com

Hi,

The `ssh-keygen -Y sign` command produces a confusing "invalid format"
message:

$ ./ssh-keygen -Y sign -n git -f /var/folders/t5/cscwwl_n3n1_8_5j_00x_3t40000gn/T//.git_signing_key_tmpYT1apW mac.c
Load key "/var/folders/t5/cscwwl_n3n1_8_5j_00x_3t40000gn/T//.git_signing_key_tmpYT1apW": invalid format

The key isn't in fact malformed -- it's a valid *public* key:

$ cat /var/folders/t5/cscwwl_n3n1_8_5j_00x_3t40000gn/T//.git_signing_key_tmpYT1apW
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEC1BkuWP6vSf+4ud6IrkQz8TWlV6cQlwpKlgvpj0j/B adaszko@gmail.com

The reason for this behavior is the fallback mechanism at [1].
Normally, the filename path passed as `-f` option is interpreted as a
*public* key, but when the corresponding *private* key is missing from
ssh-agent, ssh-keygen tries to interpret the file as a *private* key,
which fails with the above error message. Everything works fine when
the private key is present in ssh-agent.

This becomes even more confusing when it's invoked by git to sign a
commit:

$ git commit --amend -S --no-edit
error: Load key "/var/folders/t5/cscwwl_n3n1_8_5j_00x_3t40000gn/T//.git_signing_key_tmpkArSj7": invalid format?
fatal: failed to write commit object

I'm happy to contribute a patch, but it isn't entirely clear to me what
the best course of action would actually be in this case. Displaying a
warning when the fallback fires? Removing the fallback altogether?
There are backward-compatibility issues with the latter. I'd appreciate
some input on the issue.

All the best
— Adam

[1]
https://github.com/openssh/openssh-portable/blob/457dce2cfef6a48f5442591cd8b21c7e8cba13f8/ssh-keygen.c#L2675-L2692

--
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs