[Bug 3429] New: Confusing error message from `ssh-keygen -Y sign` when private key is not in agent

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu May 5 23:56:44 AEST 2022


            Bug ID: 3429
           Summary: Confusing error message from `ssh-keygen -Y sign` when
                    private key is not in agent
           Product: Portable OpenSSH
           Version: v9.0p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ssh-keygen
          Assignee: unassigned-bugs at mindrot.org
          Reporter: adaszko at gmail.com


The `ssh-keygen -Y sign` command produces a confusing "invalid format"

    $ ./ssh-keygen -Y sign -n git -f
    Load key
    invalid format

The key isn't in fact malformed -- it's a valid *public* key:

    $ cat
    adaszko at gmail.com

The reason for this behavior is the fallback mechanism at [1]. 
Normally, the filename path passed as `-f` option is interpreted as a
*public* key, but when the corresponding *private* key is missing from
ssh-agent, ssh-keygen tries to interpret the file as a *private* key,
which fails with the above error message.  Everything works fine when
the private key is present in ssh-agent.

This becomes even more confusing when it's invoked by git to sign a

    $ git commit --amend -S --no-edit
    error: Load key
    invalid format?
    fatal: failed to write commit object

I'm happy to contribute a patch but it isn't entirely clear to me what
the best course of action would actually be in this case.  Displaying a
warning when the fallback fires?  Remove the fallback altogether? 
There are backward compatibility issues with the latter.  I'd appreciate
some input on the issue.

All the best
— Adam
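
A pre-flight check for the situation described in this report, as an added example that is not part of the original report or of OpenSSH: it tells apart "the file is a public key whose private half is not in the agent" from "the file is a private key" or "the file is not a key at all". The function name `classify_sign_key` and its result labels are hypothetical, and the agent listing is assumed to be saved output of `ssh-add -L`.

```shell
#!/bin/sh
# Added example: classify the file passed to `ssh-keygen -Y sign -f`.
# classify_sign_key and its result labels are hypothetical names.
#   $1 = key file path, $2 = file holding saved `ssh-add -L` output
classify_sign_key() {
    keyfile=$1
    listing=$2
    [ -r "$keyfile" ] || { echo unreadable; return 0; }

    # A PEM-style header means the file really is a private key, so the
    # private-key fallback described in the report can load it.
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$keyfile"; then
        echo private-key
        return 0
    fi

    # Public key line: "<type> <base64 blob> [comment]". Only type and blob
    # identify the key; the comment is free text and is ignored.
    blob=$(awk 'NF >= 2 && $1 ~ /^(ssh-|ecdsa-|sk-)/ { print $1 " " $2; exit }' "$keyfile")
    [ -n "$blob" ] || { echo unrecognized; return 0; }

    # A public key absent from the agent listing is the case that ends in
    # the "invalid format" message.
    if awk -v want="$blob" '($1 " " $2) == want { hit = 1 } END { exit !hit }' "$listing"; then
        echo public-key-in-agent
    else
        echo public-key-not-in-agent
    fi
}

# Demo on constructed data (the blobs are placeholders, not real keys).
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' 'ssh-ed25519 AAAAC3CONSTRUCTEDBLOBONE user@example' > "$tmp/id.pub"
    printf '%s\n' 'ssh-ed25519 AAAAC3CONSTRUCTEDBLOBTWO other@example' > "$tmp/agent.txt"
    classify_sign_key "$tmp/id.pub" "$tmp/agent.txt"
    rm -rf "$tmp"
}
demo
```

A wrapper around `git commit -S` could run this first and print a clearer hint when the result is `public-key-not-in-agent`.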

