From: Junio C Hamano <gitster@pobox.com>
To: Fabian Stelzer <fs@gigacodes.de>
Cc: Andy Lindeman <andy@lindeman.io>,
Andy Lindeman via GitGitGadget <gitgitgadget@gmail.com>,
git@vger.kernel.org
Subject: Re: [PATCH] ssh signing: Support ECDSA as literal SSH keys
Date: Wed, 01 Jun 2022 00:05:59 -0700 [thread overview]
Message-ID: <xmqqa6awvp60.fsf@gitster.g> (raw)
In-Reply-To: 20220531144703.jbawf3tkypt7se2i@fs
Fabian Stelzer <fs@gigacodes.de> writes:
>>Thanks for replying, Fabian.
>>
>>My main issue is that ecdsa-sha2-* keys currently seem incompatible
>>with `gpg.ssh.defaultKeyCommand = "ssh-add -L"`
>>
>>The git-config documentation of `gpg.ssh.defaultKeyCommand` says:
>>
>>> To automatically use the first available key from your ssh-agent set this to "ssh-add -L".
This is puzzling. One chooses the key to use when signing, and the
key should go to the gpg.ssh.defaultkey, and also "ssh-add" is told
about the key for convenient access. Asking "ssh-add -L" about the
keys it knows about and randomly pick the first one it happens to
tell you about sounds totally backwards to me.
I may have a key I use to sign, and one key each to go to various
destinations, all of which "ssh-add -L" may know about. It alone
cannot fundamentally tell because it does not know what you intend
to use each key for.
Of course, as your own custom script, defaultKeyCommand may know
which keys you intend to use for connecting and which keys you
intend to use for signing. It may even need to know which key you
intend to use for each project you work with and your .git/config
may have something to tell the script what "trait" the key to be
used that appear in "ssh-add -L" output should have (perhaps the key
is rotated very often so you cannot write the exact key in your
configuration, but perhaps the comment at the end of each line have
sufficient cue to tell them apart). So, the custom script would
need to go line by line to find the key to use in the first place,
and if it is computationally capable enough to do so, it should be
easy to prefix key:: in front. IIRC, we designed the system in such
a way that it is not an error to prefix key:: in front of ssh-* keys.
In any case, perhaps we should extend the documentation a bit. It
generally is not sensible to just use "ssh-add -L" and pick one
random key out of it, so we shouldn't be encouraging such a use, I
suspect.
next prev parent reply other threads:[~2022-06-01 7:07 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-30 17:45 [PATCH] ssh signing: Support ECDSA as literal SSH keys Andy Lindeman via GitGitGadget
2022-05-31 7:34 ` Fabian Stelzer
2022-05-31 13:28 ` Andy Lindeman
2022-05-31 14:47 ` Fabian Stelzer
2022-06-01 7:05 ` Junio C Hamano [this message]
2022-06-07 8:52 ` Fabian Stelzer
2022-06-07 17:20 ` Junio C Hamano
2022-06-08 15:24 ` [PATCH] gpg docs: explain better use of ssh.defaultKeyCommand Fabian Stelzer
2022-06-13 1:13 ` Andy Lindeman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=xmqqa6awvp60.fsf@gitster.g \
--to=gitster@pobox.com \
--cc=andy@lindeman.io \
--cc=fs@gigacodes.de \
--cc=git@vger.kernel.org \
--cc=gitgitgadget@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).