Open nielsk opened 1 month ago
It's not clear what you're reporting here.
If you're saying that you have an existing cert/key pair that you generated on your own and use extensively, it's certainly true that Secretive can't "use" them inasmuch as Secretive doesn't have anything to do with cert/key pairs that are generated outside of its own processes. Instead, Secretive allows you to generate and use new cert/key pairs, the key of which only exists within your computer's Secure Enclave (and cannot ever be exported, seen, or otherwise used by anything but that same computer). But Secretive also doesn't prevent you from using your existing cert/key pair with whatever it is with which you want to use it.
For being able to use a certificate, you need to have your public key signed by a certificate authority (and the public key of the CA is on the servers). In a normal SSH setup you put your SSH certificate next to your public and private key and the ssh-agent will pick it up. On authentication, public key and certificate are sent. So there needs to be some way to export the public key, so that it can be signed, and some way to use the certificate during authentication.
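The workflow described in the comment above, as an added example that is not part of the thread or of the Secretive project: a CA signs only the user's public key, `ssh-keygen` writes the certificate as `<key>-cert.pub` next to the key, and the certificate can be inspected before it is handed to an agent. The scratch directory, the key names, the key id `alice-key-1` and the principal `alice` are assumptions for illustration; the user private key is an ordinary file here so the script runs anywhere, whereas with Secretive it would stay inside the Secure Enclave and only the `.pub` half could be exported for signing.

```shell
#!/bin/sh
# Added example, not Secretive code: minimal SSH user-certificate flow with ssh-keygen.
# Key names, the key id and the principal "alice" are assumptions for illustration.

# Returns 0 when the signed certificate exists, is a user certificate and names the
# expected principal; 1 on a failed check; 2 when ssh-keygen is not installed.
ssh_cert_demo() {
    command -v ssh-keygen >/dev/null 2>&1 || return 2
    workdir=$(mktemp -d) || return 1

    # CA key pair. Servers trust the CA's PUBLIC half (e.g. via TrustedUserCAKeys);
    # the private half never leaves the CA host.
    ssh-keygen -q -t ed25519 -N '' -C 'demo-ca' -f "$workdir/ca" || return 1

    # User key pair. Only the public half is ever given to the CA.
    ssh-keygen -q -t ed25519 -N '' -C 'alice@laptop' -f "$workdir/alice" || return 1

    # Sign the PUBLIC key: -s CA key, -I key id, -n principal(s), -V validity window.
    # ssh-keygen writes the result to alice-cert.pub beside alice.pub, which is the
    # naming ssh(1) and ssh-add(1) look for when loading a certificate for a key.
    ssh-keygen -q -s "$workdir/ca" -I alice-key-1 -n alice -V +1h "$workdir/alice.pub" || return 1
    [ -f "$workdir/alice-cert.pub" ] || return 1

    # Inspect the certificate and check what the server will see during authentication.
    ssh-keygen -L -f "$workdir/alice-cert.pub" > "$workdir/cert.txt" || return 1
    grep -q 'user certificate' "$workdir/cert.txt" || return 1
    grep -q 'alice' "$workdir/cert.txt" || return 1

    rm -rf "$workdir"
    return 0
}

# Stand-alone run: print the verdict.
if ssh_cert_demo; then
    echo "certificate signed and verified"
else
    rc=$?
    [ "$rc" -eq 2 ] && echo "ssh-keygen not installed" || echo "certificate check failed"
fi
```

With a file-based key, `ssh-add ~/.ssh/alice` loads both `alice` and `alice-cert.pub` into the agent, and the client then presents the certificate instead of the bare public key. That automatic pairing of private key file and `-cert.pub` is exactly what is missing when the private key is not a file but lives in the enclave behind Secretive's agent.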
Oh — you're explicitly talking about using chains-of-trust certificates, rather than straightforward SSH certificates.
Secretive certainly has no issue letting you see/"export" your public keys; in the Secretive interface, you get the full path to the public key for every cert pair you generate. But if you're saying that there's no way for you to then get the signed version of that public key and place it somewhere where Secretive's SSH agent can get to it, that's almost certainly true... but I also doubt that this was/is an intended use case for the Secretive-generated secrets. (I obviously can't speak to that!)
There is no way to add an SSH certificate to a key, which I use extensively. See for example here: https://lwn.net/Articles/913971/