Bug 2119247 - gpg-agent no longer obeys order of ssh keys in sshcontrol file
Summary: gpg-agent no longer obeys order of ssh keys in sshcontrol file
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: gnupg2
Version: 36
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Jakub Jelen
QA Contact: Fedora Extras Quality Assurance
Depends On:
Reported: 2022-08-18 04:50 UTC by Christian Heimes
Modified: 2022-09-19 13:12 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed:
Type: Bug


Links:
Red Hat Issue Tracker: FC-573 (priority 0, last updated 2022-08-18 04:55:28 UTC)

Description Christian Heimes 2022-08-18 04:50:54 UTC
Description of problem:
The update from gnupg2-2.3.4-2.fc36.x86_64 to gnupg2-2.3.7-3.fc36.x86_64 broke my SSH setup with gpg-agent as ssh-agent. I have multiple SSH keys registered with gpg-agent. The preferred key is my GPG key on my YubiKey. The others are backups in local encrypted files. With the update, the keys are returned in the wrong order. SSH now prefers one of my backup keys.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. configure gpg-agent to act as ssh-agent provider (add enable-ssh-support to ~/.gnupg/gpg-agent.conf and restart the agent)
2. add multiple keys to gpg-agent
3. reorder keys in ~/.gnupg/sshcontrol
4. SSH_AUTH_SOCK=/run/user/1000/gnupg/S.gpg-agent.ssh ssh-add -l

Actual results:
ssh-add -l does not list the keys in the order they are specified in ~/.gnupg/sshcontrol; instead they seem to be ordered alphanumerically by keygrip fingerprint.

Expected results:
keys are listed in the order they are configured in ~/.gnupg/sshcontrol

Additional info:
A downgrade to 2.3.4-2 and restart of gpg-agent restores the expected behavior.

Comment 1 Jakub Jelen 2022-09-19 13:12:54 UTC
This looks like a fallout from https://dev.gnupg.org/T5996. It was a significant change and off the top of my head I do not see a simple way back, so let me report the issue upstream:


The only suggestion I have for you now would be to use `IdentitiesOnly` option of SSH to properly assign identities to servers and not depend on the agent returning the keys in particular order.

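The workaround suggested in Comment 1 (pin an identity per host with `IdentitiesOnly` rather than relying on the order the agent returns keys in) is shown below as an added example; it is not code from the bug report, from gnupg or from OpenSSH. It parses an `ssh-add -L` style listing such as the one produced in step 4 of the reproduction, computes each key's SHA256 fingerprint the way `ssh-add -l` prints it, and renders `~/.ssh/config` stanzas that name one key per host through an `IdentityFile` that points at a `.pub` file. The two ed25519 keys in the sample listing are constructed (made-up key bytes); the `(none)` and `cardno:...` comments imitate what gpg-agent reports for a key file without a comment and for a card-backed key, and the host name, the `~/.ssh/agent-pubs` directory and the `pick_key`/`render_ssh_config` helper names are this example's own choices.

```python
"""Pin one agent key per host with IdentitiesOnly instead of trusting agent order.

Added example, not part of the bug report or of gnupg/OpenSSH. Parses an
`ssh-add -L` listing, derives the SHA256 fingerprints `ssh-add -l` would show,
and renders ssh_config stanzas that each select exactly one agent key.
"""
import base64
import hashlib
import os
from dataclasses import dataclass


def _ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data


@dataclass(frozen=True)
class AgentKey:
    keytype: str   # e.g. "ssh-ed25519"
    blob: bytes    # SSH wire-format public key (what the base64 field decodes to)
    comment: str   # whatever the agent printed after the key

    @property
    def fingerprint(self) -> str:
        # OpenSSH prints SHA256(blob) as unpadded base64 behind a "SHA256:" prefix.
        digest = hashlib.sha256(self.blob).digest()
        return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")

    @property
    def pubkey_line(self) -> str:
        """One line in .pub / `ssh-add -L` format."""
        return f"{self.keytype} {base64.b64encode(self.blob).decode('ascii')} {self.comment}".rstrip()

    @property
    def pub_filename(self) -> str:
        # Fingerprint-derived name; '/' and '+' are awkward in file names.
        safe = self.fingerprint[len("SHA256:"):].replace("/", "_").replace("+", "-")
        return f"{self.keytype}-{safe}.pub"


def parse_agent_listing(text: str) -> list[AgentKey]:
    """Parse `ssh-add -L` output, keeping the order the agent returned."""
    keys: list[AgentKey] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 2)
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: expected '<type> <base64> [comment]'")
        keytype, b64 = fields[0], fields[1]
        comment = fields[2] if len(fields) == 3 else ""
        blob = base64.b64decode(b64, validate=True)
        # The blob carries its own type string; it must agree with the text field.
        if not blob.startswith(_ssh_string(keytype.encode("ascii"))):
            raise ValueError(f"line {lineno}: blob type does not match '{keytype}'")
        keys.append(AgentKey(keytype, blob, comment))
    return keys


def pick_key(keys: list[AgentKey], comment_prefix: str) -> AgentKey:
    """Select the single key whose comment starts with comment_prefix (e.g. 'cardno:')."""
    matches = [k for k in keys if k.comment.startswith(comment_prefix)]
    if len(matches) != 1:
        raise LookupError(f"expected one key with comment '{comment_prefix}*', found {len(matches)}")
    return matches[0]


def render_ssh_config(assignments: dict[str, AgentKey], pub_dir: str) -> str:
    """Host stanzas that offer exactly one identity each.

    With 'IdentitiesOnly yes' ssh offers only the identities named by IdentityFile,
    and naming a .pub file is enough: ssh asks the agent for the matching key,
    so the private half stays on the card or inside gpg-agent.
    """
    return "\n".join(
        f"Host {host}\n    IdentitiesOnly yes\n    IdentityFile {os.path.join(pub_dir, key.pub_filename)}\n"
        for host, key in assignments.items()
    )


def write_pubkey_files(keys: list[AgentKey], pub_dir: str) -> list[str]:
    """Write one .pub file per key for IdentityFile to reference; returns the paths."""
    os.makedirs(pub_dir, exist_ok=True)
    paths = []
    for key in keys:
        path = os.path.join(pub_dir, key.pub_filename)
        with open(path, "w", encoding="ascii") as fh:
            fh.write(key.pubkey_line + "\n")
        paths.append(path)
    return paths


# Constructed sample listing: two ed25519 keys with made-up key bytes. The comments
# imitate gpg-agent's "(none)" for a plain key file and "cardno:..." for a card key.
def _ed25519_blob(pk32: bytes) -> bytes:
    return _ssh_string(b"ssh-ed25519") + _ssh_string(pk32)


SAMPLE_LISTING = "\n".join([
    "ssh-ed25519 " + base64.b64encode(_ed25519_blob(bytes(range(32)))).decode() + " (none)",
    "ssh-ed25519 " + base64.b64encode(_ed25519_blob(bytes([0x42] * 32))).decode() + " cardno:000612345678",
])


def demo(pub_dir: str = "~/.ssh/agent-pubs") -> dict:
    """Parse the sample, pin the card key for one (hypothetical) host, render the config."""
    keys = parse_agent_listing(SAMPLE_LISTING)
    card = pick_key(keys, "cardno:")
    return {"keys": keys, "card": card,
            "config": render_ssh_config({"git.example.com": card}, pub_dir)}


if __name__ == "__main__":
    result = demo()
    for k in result["keys"]:
        print(k.fingerprint, k.keytype, k.comment)
    print(result["config"])
```

In practice you would feed the real listing (`SSH_AUTH_SOCK=/run/user/1000/gnupg/S.gpg-agent.ssh ssh-add -L`) to `parse_agent_listing`, call `write_pubkey_files` once so the `.pub` files exist, and paste the rendered stanzas into `~/.ssh/config`; `ssh -v host` then shows only the pinned key being offered, whatever order gpg-agent lists the keys in.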