GnuPG's SSH agent does not work when using SSH host certificates in GnuPG 2.4.8

Jay Kayes jay.kayes at posteo.com
Sun Nov 30 13:15:28 CET 2025


Hi all,

I've been experimenting with moving my environment to use SSH host
certificates to authenticate hosts.  In my testing I have found that
when the server is using an SSH host certificate, I cannot authenticate
using my PGP key and GnuPG's SSH agent from my Fedora machines.  The
Fedora machines are on GnuPG version 2.4.7 (Fedora 42) or 2.4.8 (Fedora
43).  Authentication with a PGP key does work when accessing the test
server from an OpenSUSE machine with GnuPG 2.5.13, and works from all
machines and tested GnuPG versions if I disable the host certificates
on the server.  Host authentication with certificates works if I bypass
GnuPG and use a "normal" file-based SSH key, so the problem seems to be
specifically GnuPG 2.4.*.

The error I get on connection:
    ssh jay@testserver
    sign_and_send_pubkey: signing failed for ED25519 "cardno:0000_12345678" from agent: agent refused operation

I did not notice any relevant changes listed in the release notes, but
something has clearly been fixed in the 2.5 series.

Is this a known issue, and is there a known workaround for the 2.4
GnuPG versions?

I'd like to implement SSH host authentication with certificates, but
unfortunately this is a blocker as I am invested in using GPG for SSH
auth.  Moving away from Fedora is not really an option right now, and
installing a more recent GnuPG on Silverblue is rather awkward, so I'll
postpone implementing certificates if there is no workaround.

Cheers!
Jay


P.S.: My SSH keys are on a YubiKey/Nitrokey; I have not tested with
file-based PGP keys.

P.P.S.: OpenSSH versions do differ somewhat as well, so potentially the
problem could be on the OpenSSH side. The only combination that works
for me is on OpenSUSE Tumbleweed with GnuPG 2.5.13 and OpenSSH 10.2p2.
Fedora with GPG 2.4.7 and OpenSSH 9.9p1, and Debian 13 with 2.4.7 and
OpenSSH 10.0p2 do not work.
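To narrow down which side is misbehaving when comparing GnuPG/OpenSSH combinations, here is a small diagnostic added by the editor (not part of Jay's post): it classifies an `ssh -v` transcript by whether the server presented a host certificate and whether the agent refused to sign. The sample transcripts are constructed; the strings matched are OpenSSH's own debug and error messages.

```shell
#!/bin/sh
# Added diagnostic, not from the original post: classify an `ssh -v`
# transcript so host-certificate use and agent refusals can be correlated
# across GnuPG/OpenSSH versions.  Matched strings are OpenSSH's debug output.

# classify_ssh_log FILE -> prints one of:
#   cert+refused | cert+ok | plainkey+refused | plainkey+ok | unknown
classify_ssh_log() {
    log="$1"
    if grep -q 'Server host certificate:' "$log"; then
        host=cert
    elif grep -q 'Server host key:' "$log"; then
        host=plainkey
    else
        echo unknown
        return 1
    fi
    if grep -q 'from agent: agent refused operation' "$log"; then
        printf '%s+refused\n' "$host"
    else
        printf '%s+ok\n' "$host"
    fi
}

# Constructed sample transcripts (not real sessions) for a self-check.
SAMPLE_CERT=$(mktemp)
cat >"$SAMPLE_CERT" <<'EOF'
debug1: Server host certificate: ssh-ed25519-cert-v01@openssh.com SHA256:AAAA..., serial 1 ID "testserver" CA ssh-ed25519 SHA256:BBBB... valid forever
debug1: Offering public key: cardno:0000_12345678 ED25519 SHA256:CCCC... agent
sign_and_send_pubkey: signing failed for ED25519 "cardno:0000_12345678" from agent: agent refused operation
EOF
SAMPLE_PLAIN=$(mktemp)
cat >"$SAMPLE_PLAIN" <<'EOF'
debug1: Server host key: ssh-ed25519 SHA256:DDDD...
debug1: Offering public key: cardno:0000_12345678 ED25519 SHA256:CCCC... agent
Authenticated to testserver ([192.0.2.10]:22) using "publickey".
EOF

classify_ssh_log "$SAMPLE_CERT"    # cert+refused
classify_ssh_log "$SAMPLE_PLAIN"   # plainkey+ok
```

Run it against `ssh -v jay@testserver 2> transcript.log` on each machine; a `cert+refused` result only on the GnuPG 2.4 hosts, with `cert+ok` from the file-based key, points at the agent rather than the server.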


