[Bug 3429] Confusing error message from `ssh-keygen -Y sign` when private key is not in agent

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Fri May 6 18:18:20 AEST 2022


https://bugzilla.mindrot.org/show_bug.cgi?id=3429

--- Comment #2 from Adam Szkoda <adaszko at gmail.com> ---
Thanks Damien.  Your patch is indeed an improvement.  Although the
error message coming from git is still going to be a little bit
confusing -- it's expressed in terms of a temporary file path that the
user has no control over.

Zooming out a little, I think the root cause is the double meaning of
the `-f` option: it's used for specifying both the private and the
public key which, in case anything goes wrong, makes it hard to guess
what the actual user intention was and thus produce an accurate error
message.

There are two ways that I see it could be improved further for git
users:

  1) An additional warning could be produced if ssh-keygen didn't find
the private key in the agent.  That I think would be a sufficient hint
to a git user.  Though such a warning is a bit questionable given the
fact it's normal, documented behavior to perform a fallback to reading
the private key from the file given to `-f`.

  2) Better IMO: It would have been clearer if for `-Y sign`, the `-f`
option was restricted to only specify a *public* key.  An additional
option would need to be passed to indicate that `-f` is being given a
*private* key.  As it happens, such an option already exists: `-U`, so it
seems like an ideal candidate.  I realize though, it's easier said than
done given backward compatibility.

Or perhaps 3): There's something on the git side that can be done to
make it clear the key is missing from ssh-agent?

Cheers
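
An added example, not part of the message above and not code from OpenSSH or git: one way a caller could act on idea 3) is to check that the public key it is about to pass to `ssh-keygen -Y sign -f` is actually loaded in ssh-agent, and say so in plain terms if it is not. The function names and messages are hypothetical; the script assumes `ssh-add -L` prints one `type blob comment` line per key, and the sample blobs are constructed, not real keys.

```shell
#!/bin/sh
# Pre-flight check before `ssh-keygen -Y sign -f KEY.pub` (added example).
# Function names and messages are hypothetical, not from OpenSSH or git.

# Constructed sample in `ssh-add -L` format (blobs are fake, not real keys).
SAMPLE_LISTING='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedBlobOne alice@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABConstructedBlobTwo backup'

# key_fields FILE: print "<type> <blob>" of the first key line in FILE.
# Blank lines and '#' comments are skipped; the trailing comment is dropped.
key_fields() {
    awk '!/^[ \t]*(#|$)/ { print $1, $2; exit }' "$1"
}

# key_in_listing PUBFILE LISTING: 0 if the key in PUBFILE appears in LISTING,
# 1 if it does not, 2 if PUBFILE holds no usable public key line.
key_in_listing() {
    want=$(key_fields "$1")
    [ -n "$want" ] || return 2
    printf '%s\n' "$2" | awk -v want="$want" \
        '($1 " " $2) == want { found = 1 } END { exit !found }'
}

# check_signing_key PUBFILE: ask the running agent and explain the outcome.
check_signing_key() {
    rc=0
    listing=$(ssh-add -L 2>/dev/null) || rc=$?
    if [ "$rc" -eq 2 ]; then      # ssh-add exits 2 when no agent is reachable
        echo "cannot contact ssh-agent (is SSH_AUTH_SOCK set?)" >&2
        return 2
    fi
    rc=0
    key_in_listing "$1" "$listing" || rc=$?
    case $rc in
        0) return 0 ;;
        2) echo "no public key found in $1" >&2; return 2 ;;
    esac
    echo "key in $1 is not loaded in ssh-agent; ssh-add its private key" >&2
    return 1
}
```

The comparison uses only the key type and blob, so a differing comment field between the file and the agent does not cause a false "not loaded" result.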
