[PATCH 0/4] T1756 gpg-agent doesn't accept ssh certificates

Igor Okulist okigan at gmail.com
Sat Mar 27 01:32:23 CET 2021

On Thu, Mar 18, 2021 at 11:25 PM NIIBE Yutaka <gniibe at fsij.org> wrote:
> Igor Okulist wrote:
> > This set of patches updates support for certificates and
> > addresses (at least part of) https://dev.gnupg.org/T1756.
> >
> > With these patches user shall be able to add RSA key and
> > certificate to the gpg-agent and get a passwordless sign
> > through signed certificates.
> AFAIU, ssh-agent (or gpg-agent's ssh-agent emulation) has no way to
> _use_ certificates, when transferred from ssh-add.
> Please use -k option for ssh-add.  Then, no changes are required to
> current implementation of gpg-agent.
> Please let us know your use case(s), if it's real.
> --

Thanks for the review, NIIBE,

You are absolutely right, but the current functionality of gpg-agent does not
allow certificate-based login. Here is a workflow (and test script) showing
usage of ssh-agent and gpg-agent, and unfortunately it would not work with
gpg-agent as is.

So I am looking for a way to use gpg-agent with ssh and actually other tools
as well; the attached patch allowed it to work, but I would be curious if
there is another way to do that.

