fix(ssh): skip file path signing keys in GPG agent forwarding (#734)

skevetter · web-flow · commit 8f408e42dbc4 · 2026-04-13T22:23:22.000-05:00
GPG key IDs are hex fingerprints, not file paths. When user.signingKey
is a file path (starts with / or ~), it's an SSH key — skip passing it
to setup-gpg. This handles the case where gpg.format is not set to ssh
but the signing key is still an SSH key path.
diff --git a/cmd/ssh.go b/cmd/ssh.go
@@ -769,7 +769,11 @@ func (cmd *SSHCmd) setupGPGAgent(
 // (SSH signing keys are handled by the separate SSH signature helper).
 func gpgSigningKey(log log.Logger) string {
 	format, err := exec.Command("git", "config", "--get", "gpg.format").Output()
-	if err == nil && strings.TrimSpace(string(format)) == "ssh" {
+	formatStr := ""
+	if err == nil {
+		formatStr = strings.TrimSpace(string(format))
+	}
+	if formatStr == "ssh" {
 		log.Debugf(
 			"[GPG] gpg.format is ssh, skipping GPG signing key (handled by SSH signing helper)",
 		)
@@ -783,6 +787,18 @@ func gpgSigningKey(log log.Logger) string {
 	}
 
 	result := strings.TrimSpace(string(key))
+
+	// GPG key IDs are hex fingerprints, not file paths. If the signing key
+	// looks like a file path and the format isn't x509 (which legitimately
+	// uses certificate file paths via gpgsm), it's an SSH key.
+	if (strings.HasPrefix(result, "/") || strings.HasPrefix(result, "~")) && formatStr != "x509" {
+		log.Debugf(
+			"[GPG] signing key %s looks like a file path, skipping (not a GPG key ID)",
+			result,
+		)
+		return ""
+	}
+
 	log.Debugf("[GPG] detected git sign key %s", result)
 	return result
 }
diff --git a/cmd/ssh_test.go b/cmd/ssh_test.go
@@ -45,3 +45,15 @@ func TestGpgSigningKey_X509Format_Returned(t *testing.T) {
 	result := gpgSigningKey(log.Discard)
 	assert.Equal(t, "/path/to/cert", result)
 }
+
+func TestGpgSigningKey_SSHKeyPath_Skipped(t *testing.T) {
+	writeGitConfig(t, "[user]\n\tsigningKey = /home/user/.ssh/id_ed25519.pub\n")
+	result := gpgSigningKey(log.Discard)
+	assert.Empty(t, result)
+}
+
+func TestGpgSigningKey_TildeKeyPath_Skipped(t *testing.T) {
+	writeGitConfig(t, "[user]\n\tsigningKey = ~/.ssh/id_ed25519.pub\n")
+	result := gpgSigningKey(log.Discard)
+	assert.Empty(t, result)
+}
