[Bug 3429] New: Confusing error message from `ssh-keygen -Y sign` when private key is not in agent
bugzilla-daemon at mindrot.org
Thu May 5 23:56:44 AEST 2022
https://bugzilla.mindrot.org/show_bug.cgi?id=3429
Bug ID: 3429
Summary: Confusing error message from `ssh-keygen -Y sign` when private key is not in agent
Product: Portable OpenSSH
Version: v9.0p1
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P5
Component: ssh-keygen
Assignee: unassigned-bugs at mindrot.org
Reporter: adaszko at gmail.com
Hi,
The `ssh-keygen -Y sign` command produces a confusing "invalid format"
message:
$ ./ssh-keygen -Y sign -n git -f /var/folders/t5/cscwwl_n3n1_8_5j_00x_3t40000gn/T//.git_signing_key_tmpYT1apW mac.c
Load key "/var/folders/t5/cscwwl_n3n1_8_5j_00x_3t40000gn/T//.git_signing_key_tmpYT1apW": invalid format
The key isn't in fact malformed -- it's a valid *public* key:
$ cat /var/folders/t5/cscwwl_n3n1_8_5j_00x_3t40000gn/T//.git_signing_key_tmpYT1apW
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEC1BkuWP6vSf+4ud6IrkQz8TWlV6cQlwpKlgvpj0j/B adaszko at gmail.com
The reason for this behavior is the fallback mechanism at [1].
Normally, the filename path passed as `-f` option is interpreted as a
*public* key, but when the corresponding *private* key is missing from
ssh-agent, ssh-keygen tries to interpret the file as a *private* key,
which fails with the above error message. Everything works fine when
the private key is present in ssh-agent.
This becomes even more confusing when it's invoked by git to sign a
commit:
$ git commit --amend -S --no-edit
error: Load key "/var/folders/t5/cscwwl_n3n1_8_5j_00x_3t40000gn/T//.git_signing_key_tmpkArSj7": invalid format?
fatal: failed to write commit object
I'm happy to contribute a patch but it isn't entirely clear to me what
the best course of action would actually be in this case. Displaying a
warning when the fallback fires? Remove the fallback altogether?
There are backward compatibility issues with the latter. I'd appreciate
some input on the issue.
All the best
— Adam
[1] https://github.com/openssh/openssh-portable/blob/457dce2cfef6a48f5442591cd8b21c7e8cba13f8/ssh-keygen.c#L2675-L2692
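The fallback described in the report can be turned into a pre-flight check that names the real cause before `ssh-keygen -Y sign` runs. This is an added example, not part of the original bug report or of OpenSSH; the function names, status strings and the sample key are constructed for illustration, and the agent listing is assumed to be the text printed by `ssh-add -L`.

```python
import base64
import struct

def parse_public_line(line):
    """Return the decoded key blob if `line` is an OpenSSH public key line, else None."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(blob) < 4:
        return None
    (name_len,) = struct.unpack(">I", blob[:4])
    # The blob starts with a length-prefixed copy of the key type named in field 1.
    return blob if blob[4:4 + name_len] == parts[0].encode() else None

def diagnose(key_text, agent_listing):
    """Classify the file given to -f; agent_listing is the text from `ssh-add -L`."""
    lines = key_text.strip().splitlines()
    first = lines[0].strip() if lines else ""
    if first.startswith("-----BEGIN ") and first.endswith("PRIVATE KEY-----"):
        return "private-key-file"
    blob = parse_public_line(first)
    if blob is None:
        return "unrecognized"
    agent = {b for b in map(parse_public_line, agent_listing.splitlines()) if b}
    return "public-key-in-agent" if blob in agent else "public-key-not-in-agent"

MESSAGES = {  # hypothetical wording for a wrapper script
    "private-key-file": "private key file: signing does not need the agent",
    "public-key-in-agent": "public key file and the agent holds the key: signing works",
    "public-key-not-in-agent": "public key file, but the key is not in the agent: "
                               "the private-key fallback will report 'invalid format'",
    "unrecognized": "file is neither a public key line nor a PEM private key",
}

def make_ed25519_line(raw32, comment):
    """Build a constructed ssh-ed25519 public key line from 32 raw bytes."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw32)) + raw32
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)

if __name__ == "__main__":
    pub = make_ed25519_line(b"\x01" * 32, "constructed@example")  # constructed sample
    for listing in ("The agent has no identities.", pub):
        print(MESSAGES[diagnose(pub, listing)])
```
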