https://bugzilla.mindrot.org/show_bug.cgi?id=3613
--- Comment #18 from aim@orbit.online ---

Yes!! Thank you Damien. This works perfectly! I only just now had the extra time to get back to it.

I can confirm that I am now able to sign a peer PKCS#11 pubkey with a CA PKCS#11 key, use the resulting certificate and the peer PKCS#11 key to sign a file, and then verify that the file has been signed by the peer and that the peer is trusted through a "cert-authority" in the allowed signers file.

I have attached a Dockerfile and a test script which functionally tests everything and also demos how it all works together. It can be run with `docker run --rm $(docker build -q .)`. The `Good "file" signature for Peer with RSA-CERT key SHA256:...` line is what to look for in the logs.

Again, thank you for your hard work Damien. In a corporate context we can now do short-lived ssh-certs for git commit signing and pushing while the key itself can reside on, e.g., a YubiKey or a TPM.

-- 
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
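The CA -> peer certificate -> sshsig sign -> cert-authority verify flow described in this comment, as an added example that is not the attached Dockerfile or test script: file-based ed25519 keys loaded into ssh-agent stand in for the PKCS#11 keys so it runs offline, and all file names and the principal peer@example.com are constructed.

```shell
#!/bin/sh
# Added example: CA certifies a peer key, the peer signs a file with the
# certified key, and the verifier trusts it only through a "cert-authority"
# entry in allowed_signers. Software ed25519 keys stand in for the PKCS#11
# keys in the comment; everything is created in a throwaway directory.
set -eu

# Returns 0 when the certified signature verifies and an uncertified key's
# signature over the same content is rejected.
cert_sshsig_roundtrip() {
    work=$(mktemp -d)
    cd "$work"
    printf 'release v1.2.3\n' > msg.txt          # constructed payload
    ssh-keygen -q -t ed25519 -N '' -C ca    -f ca_key
    ssh-keygen -q -t ed25519 -N '' -C peer  -f peer_key
    ssh-keygen -q -t ed25519 -N '' -C rogue -f rogue_key   # never certified

    # CA issues a one-hour user certificate for principal peer@example.com
    ssh-keygen -q -s ca_key -I peer-cert-1 -n peer@example.com -V +1h peer_key.pub

    # Trust the CA's key, for this principal and the "file" namespace only
    printf 'peer@example.com cert-authority,namespaces="file" %s\n' \
        "$(cut -d' ' -f1,2 ca_key.pub)" > allowed_signers

    # -Y sign takes the certificate from ssh-agent; ssh-add loads key + cert
    eval "$(ssh-agent -s)" > /dev/null
    trap 'ssh-agent -k > /dev/null 2>&1 || true' EXIT
    ssh-add -q peer_key

    # Signer side: produces msg.txt.sig carrying the certificate
    ssh-keygen -Y sign -q -f peer_key-cert.pub -n file msg.txt

    # Verifier side: principal must match both the cert and allowed_signers
    ssh-keygen -Y verify -f allowed_signers -I peer@example.com -n file \
        -s msg.txt.sig < msg.txt

    # Negative check: a key the CA never certified must not verify
    cp msg.txt rogue.txt
    ssh-keygen -Y sign -q -f rogue_key -n file rogue.txt
    if ssh-keygen -Y verify -f allowed_signers -I peer@example.com -n file \
        -s rogue.txt.sig < rogue.txt 2> /dev/null; then
        echo "uncertified key was accepted" >&2
        return 1
    fi
}

if command -v ssh-keygen > /dev/null 2>&1 && command -v ssh-agent > /dev/null 2>&1; then
    cert_sshsig_roundtrip
fi
```

The positive verify step prints `Good "file" signature for peer@example.com with ED25519-CERT key SHA256:...`, the software-key counterpart of the RSA-CERT line the comment says to look for.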