Question about ssh-keygen -Y find-principals

Wiktor Kwapisiewicz wiktor at
Thu Mar 7 19:45:50 AEDT 2024


I've noticed that `ssh-keygen -Y find-principals` warns about empty 
lines in the allowed signers file, even though the documentation says 
they should be treated as comments:

$ ssh-keygen -Y find-principals -f -I 
wiktor at -n file -s rsa-key.txt.sig < rsa-key.txt missing key        <---- here
wiktor at

`-Y verify` doesn't have this issue:

$ ssh-keygen -Y verify -f -I wiktor at -n 
file -s rsa-key.txt.sig < rsa-key.txt
Good "file" signature for wiktor at with RSA key 

The man page documentation for ALLOWED_SIGNERS 

 > Empty lines and lines starting with a ‘#’ are ignored as comments.

I'm using openssh version 9.6p1-3 as packaged in Arch Linux.

I've made a repo with all keys and files I'm using:

Context: I'm using SSH signatures in git and wanted to add a bit of 
spacing in the file but then `git log --show-signature` shows all these 
warnings which I traced to be coming from `find-principals`:

commit 78bf960bccfd7677a72362ace717027dc4a7151a
Good "git" signature for wiktor at with ECDSA key 
SHA256:gp2CMX5++SXkPHiyva6kyhp2ftFo6r1HvYeDPVAxvXc missing key^M missing key^M missing key^M

Is this a minor issue or am I holding it wrong?

Thanks for your time!

Kind regards,

More information about the openssh-unix-dev mailing list