Passing the pubkey to ssh-keygen is sufficient to verify an SSH signing key #12220

New Issue

Closed

opened 2025-11-02 10:02:29 -06:00 by GiteaMirror · 2 comments

GiteaMirror commented 2025-11-02 10:02:29 -06:00

Owner

Copy Link

Originally created by @Ma27 on GitHub (Dec 18, 2023).

Description

When verifying an SSH key to use it for signatures, gitea instructs to pipe a token to ssh-keygen -Y sign -n gitea -f /path_to_your_privkey:

https://github.com/go-gitea/gitea/blob/v1.21.2/templates/user/settings/keys_ssh.tmpl#L81

This is however not doable when the private key is on e.g. a smartcard (like a YubiKey) and SSH is done via an agent (which is what most people are probably doing anyways regardless of whether they use a hardware token).

In (at least) cases like this you can/need to pass the file containing the public key to ssh-keygen and the agent takes care of the rest.

Since this was changed from pubkey to private key in #20112 (cc @rluetzner @6543 @wxiaoguang ) I decided to not just revert it, but file a bug to discuss this first.

Ideally, it should be explained in the UI here that both variants are possible or link to appropriate docs.

Gitea Version

1.21.2

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

NixOS 23.05

How are you running Gitea?

I deploy gitea on NixOS with the NixOS module.
This is not relevant to the issue itself because the instructions for verifying an SSH key are always the same.

Database

PostgreSQL

Originally created by @Ma27 on GitHub (Dec 18, 2023). ### Description When verifying an SSH key to use it for signatures, `gitea` instructs to pipe a token to `ssh-keygen -Y sign -n gitea -f /path_to_your_privkey`: https://github.com/go-gitea/gitea/blob/v1.21.2/templates/user/settings/keys_ssh.tmpl#L81 This is however not doable when the private key is on e.g. a smartcard (like a YubiKey) and SSH is done via an agent (which is what most people are probably doing anyways regardless of whether they use a hardware token). In (at least) cases like this you can/need to pass the file containing the public key to `ssh-keygen` and the agent takes care of the rest. Since this was changed from pubkey to private key in #20112 (cc @rluetzner @6543 @wxiaoguang ) I decided to not just revert it, but file a bug to discuss this first. Ideally, it should be explained in the UI here that both variants are possible or link to appropriate docs. ### Gitea Version 1.21.2 ### Can you reproduce the bug on the Gitea demo site? Yes ### Log Gist _No response_ ### Screenshots _No response_ ### Git Version _No response_ ### Operating System NixOS 23.05 ### How are you running Gitea? I deploy gitea on NixOS with the NixOS module. This is not relevant to the issue itself because the instructions for verifying an SSH key are always the same. ### Database PostgreSQL

GiteaMirror added the type/bug label 2025-11-02 10:02:29 -06:00

GiteaMirror closed this issue 2025-11-02 10:02:29 -06:00

GiteaMirror commented 2025-11-02 10:02:30 -06:00

Author

Owner

Copy Link

@wxiaoguang commented on GitHub (Dec 18, 2023):

No idea why Gitea should explain everything on its UI, since users should figure out how to use SSH-related (all including any third-party) tools independently, by reading their manual carefully (man ssh-keygen) or learn from some official tutorials.

To sign, the private key should always be used, while ssh-keygen could find/use the private key by public key through the agent.

Maybe the simplest approach is to change the prompt to path_to_your_PrivateKey_or_AgentPublicKey

@wxiaoguang commented on GitHub (Dec 18, 2023): No idea why Gitea should explain everything on its UI, since users should figure out how to use SSH-related (all including any third-party) tools independently, by reading their manual carefully (`man ssh-keygen`) or learn from some official tutorials. To sign, the private key should always be used, while `ssh-keygen` could find/use the private key by public key through the agent. Maybe the simplest approach is to change the prompt to `path_to_your_PrivateKey_or_AgentPublicKey`

GiteaMirror commented 2025-11-02 10:02:30 -06:00

Author

Owner

Copy Link

@Ma27 commented on GitHub (Dec 18, 2023):

I wouldn't expect a lot of people to know precisely how singing via ssh-keygen works. And this is a security feature at the end of the day, so I think a bit of help is a good thing here (gitea already demonstrates how to sign the token in the first place). I mean, one of the reasons why many people dislike GPG is because it's extremely inconvenient to use, so assistance is a good thing here.

To sign, the private key should always be used, while ssh-keygen could find/use the private key by public key through the agent.

correct.

Maybe the simplest approach is to change the prompt to path_to_your_PrivateKey_or_AgentPublicKey

Yeah, agreed.

@Ma27 commented on GitHub (Dec 18, 2023): I wouldn't expect a lot of people to know precisely how singing via `ssh-keygen` works. And this is a security feature at the end of the day, so I think a bit of help is a good thing here (gitea already demonstrates how to sign the token in the first place). I mean, one of the reasons why many people dislike GPG is because it's extremely inconvenient to use, so assistance is a good thing here. > To sign, the private key should always be used, while ssh-keygen could find/use the private key by public key through the agent. correct. > Maybe the simplest approach is to change the prompt to path_to_your_PrivateKey_or_AgentPublicKey Yeah, agreed.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

release/v1.25

release/v1.24

release/v1.23

release/v1.22

release/v1.21

release/v1.20

release/v1.19

release/v1.18

release/v1.17

release/v1.16

release/v1.15

release/v1.14

release/v1.13

release/v1.12

release/v1.11

release/v1.10

release/v1.9

release/v1.8

v1.25.3

v1.25.2

v1.25.1

v1.25.0

v1.24.7

v1.25.0-rc0

v1.26.0-dev

v1.24.6

v1.24.5

v1.24.4

v1.24.3

v1.24.2

v1.24.1

v1.24.0

v1.23.8

v1.24.0-rc0

v1.25.0-dev

v1.23.7

v1.23.6

v1.23.5

v1.23.4

v1.23.3

v1.23.2

v1.23.1

v1.23.0

v1.23.0-rc0

v1.24.0-dev

v1.22.6

v1.22.5

v1.22.4

v1.22.3

v1.22.2

v1.22.1

v1.22.0

v1.23.0-dev

v1.22.0-rc1

v1.21.11

v1.22.0-rc0

v1.21.10

v1.21.9

v1.21.8

v1.21.7

v1.21.6

v1.21.5

v1.21.4

v1.21.3

v1.21.2

v1.20.6

v1.21.1

v1.21.0

v1.21.0-rc2

v1.21.0-rc1

v1.20.5

v1.22.0-dev

v1.21.0-rc0

v1.20.4

v1.20.3

v1.20.2

v1.20.1

v1.20.0

v1.19.4

v1.21.0-dev

v1.20.0-rc2

v1.20.0-rc1

v1.20.0-rc0

v1.19.3

v1.19.2

v1.19.1

v1.19.0

v1.19.0-rc1

v1.20.0-dev

v1.19.0-rc0

v1.18.5

v1.18.4

v1.18.3

v1.18.2

v1.18.1

v1.18.0

v1.17.4

v1.18.0-rc1

v1.19.0-dev

v1.18.0-rc0

v1.17.3

v1.17.2

v1.17.1

v1.17.0

v1.17.0-rc2

v1.16.9

v1.17.0-rc1

v1.18.0-dev

v1.16.8

v1.16.7

v1.16.6

v1.16.5

v1.16.4

v1.16.3

v1.16.2

v1.16.1

v1.16.0

v1.15.11

v1.17.0-dev

v1.16.0-rc1

v1.15.10

v1.15.9

v1.15.8

v1.15.7

v1.15.6

v1.15.5

v1.15.4

v1.15.3

v1.15.2

v1.15.1

v1.14.7

v1.15.0

v1.15.0-rc3

v1.14.6

v1.15.0-rc2

v1.14.5

v1.16.0-dev

v1.15.0-rc1

v1.14.4

v1.14.3

v1.14.2

v1.14.1

v1.14.0

v1.13.7

v1.14.0-rc2

v1.13.6

v1.13.5

v1.14.0-rc1

v1.15.0-dev

v1.13.4

v1.13.3

v1.13.2

v1.13.1

v1.13.0

v1.12.6

v1.13.0-rc2

v1.14.0-dev

v1.13.0-rc1

v1.12.5

v1.12.4

v1.12.3

v1.12.2

v1.12.1

v1.11.8

v1.12.0

v1.11.7

v1.12.0-rc2

v1.11.6

v1.12.0-rc1

v1.13.0-dev

v1.11.5

v1.11.4

v1.11.3

v1.10.6

v1.12.0-dev

v1.11.2

v1.10.5

v1.11.1

v1.10.4

v1.11.0

v1.11.0-rc2

v1.10.3

v1.11.0-rc1

v1.10.2

v1.10.1

v1.10.0

v1.9.6

v1.9.5

v1.10.0-rc2

v1.11.0-dev

v1.10.0-rc1

v1.9.4

v1.9.3

v1.9.2

v1.9.1

v1.9.0

v1.9.0-rc2

v1.10.0-dev

v1.9.0-rc1

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.8.0-rc3

v1.7.6

v1.8.0-rc2

v1.7.5

v1.8.0-rc1

v1.9.0-dev

v1.7.4

v1.7.3

v1.7.2

v1.7.1

v1.7.0

v1.7.0-rc3

v1.6.4

v1.7.0-rc2

v1.6.3

v1.7.0-rc1

v1.7.0-dev

v1.6.2

v1.6.1

v1.6.0

v1.6.0-rc2

v1.5.3

v1.6.0-rc1

v1.6.0-dev

v1.5.2

v1.5.1

v1.5.0

v1.5.0-rc2

v1.5.0-rc1

v1.5.0-dev

v1.4.3

v1.4.2

v1.4.1

v1.4.0

v1.4.0-rc3

v1.4.0-rc2

v1.3.3

v1.4.0-rc1

v1.3.2

v1.3.1

v1.3.0

v1.3.0-rc2

v1.3.0-rc1

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.2.0-rc3

v1.2.0-rc2

v1.1.4

v1.2.0-rc1

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.2

v1.0.1

v1.0.0

v0.9.99

Labels

Clear labels

$20

$250

$50

$500

backport/done

💎 Bounty

docs-update-needed

good first issue

hacktoberfest

issue/bounty

issue/confirmed

issue/critical

issue/duplicate

issue/needs-feedback

issue/not-a-bug

issue/regression

issue/stale

issue/workaround

lgtm/need 2

modifies/api

modifies/translation

outdated/backport/v1.18

outdated/theme/markdown

outdated/theme/timetracker

performance/bigrepo

performance/cpu

performance/memory

performance/speed

pr/breaking

proposal/accepted

proposal/rejected

pr/wip

pull-request

Mirrored from GitHub Pull Request

reviewed/wontfix

💰 Rewarded

skip-changelog

status/blocked

topic/accessibility

topic/api

topic/authentication

topic/build

topic/code-linting

topic/commit-signing

topic/content-rendering

topic/deployment

topic/distribution

topic/federation

topic/gitea-actions

topic/issues

topic/lfs

topic/mobile

topic/moderation

topic/packages

topic/pr

topic/projects

topic/repo

topic/repo-migration

topic/security

topic/theme

topic/ui

topic/ui-interaction

topic/ux

topic/webhooks

topic/wiki

type/bug

type/deprecation

type/docs

type/enhancement

type/feature

type/miscellaneous

type/proposal

type/question

type/refactoring

type/summary

type/testing

type/upstream

No Label type/bug

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/gitea#12220