Certificates aren't properly added to the ssh-agent service #2234

Open
3 tasks done
tomtastic opened this issue May 9, 2024 · 2 comments

Comments

tomtastic commented May 9, 2024

Prerequisites

  • Write a descriptive title.
  • Make sure you are able to repro it on the latest version
  • Search the existing issues.

Steps to reproduce

All versions from 8.1.0.1 to 9.5.0.1p1-Beta fail to add a matching pair of identity and certificate into the agent when using ssh-add.

PS C:\Users\user> winget install Microsoft.OpenSSH.Beta --override ADDLOCAL=Client
Found OpenSSH Beta [Microsoft.OpenSSH.Beta] Version 9.5.0.0
Successfully verified installer hash
Starting package install...
Successfully installed

PS C:\Users\user> Get-Command ssh-add
CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Application     ssh-add.exe                                        9.5.0.0    C:\Program Files\OpenSSH\ssh-add.exe

PS C:\Users\user> ssh -V
OpenSSH_for_Windows_9.5p1, LibreSSL 3.8.2

PS C:\Users\user> dir .ssh
    Directory: C:\Users\user\.ssh

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----        08/05/2024     14:30            634 id_ecdsa
-a----        09/05/2024     07:42           1338 id_ecdsa-cert.pub
-a----        08/05/2024     14:30            233 id_ecdsa.pub

Expected behavior

PS C:\Users\user> ssh-add -v
Identity added: C:\Users\user/.ssh/id_ecdsa (abc\user@DESKTOP-123)
Certificate added: C:\Users\user/.ssh/id_ecdsa-cert.pub (cert)

PS C:\Users\user> ssh-add -l
384 SHA256:GPcZoAOWDF3mEc9ZNe2qDsa71ottMJPJyNsx13vB+Z4 abc\user@DESKTOP-123 (ECDSA)
384 SHA256:GPcZoAOWDF3mEc9ZNe2qDsa71ottMJPJyNsx13vB+Z4 abc\user@DESKTOP-123 (ECDSA-CERT)

Actual behavior

PS C:\Users\user> ssh-add -v
Identity added: C:\Users\user/.ssh/id_ecdsa (abc\user@DESKTOP-123)
Certificate added: C:\Users\user/.ssh/id_ecdsa-cert.pub (cert)

PS C:\Users\user> ssh-add -l
384 SHA256:GPcZoAOWDF3mEc9ZNe2qDsa71ottMJPJyNsx13vB+Z4 abc\user@DESKTOP-123 (ECDSA-CERT)

Error details

No response

Environment data

PS C:\Users\user> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.19041.4291
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.19041.4291
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Version

OpenSSH_for_Windows_9.5p1, LibreSSL 3.8.2

Visuals

No response

tomtastic commented Jul 29, 2024

@tgauth / @maertendMSFT Is there anything else I can provide to help your investigation?
It seems like the hashes of the identity and cert (which are the same) are colliding in the registry path they're being referenced in, and so one overwrites the other leaving ssh-add -l to list only the most recently added to the registry path.
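
The collision suggested in the comment above, modelled as an added example (not part of the issue and not Win32-OpenSSH code): it parses an ECDSA key blob and certificate blob, shows that both give the same SHA256 fingerprint because the fingerprint is taken over the plain public key, and compares a store keyed by fingerprint alone with one keyed by key type and fingerprint. The `load` store and the `sample_blobs` data are hypothetical and constructed; the agent's real storage layout is not shown on this page.

```python
import base64, hashlib, struct

CERT_SUFFIX = b"-cert-v01@openssh.com"

def ssh_string(data: bytes) -> bytes:  # uint32 big-endian length, then the bytes
    return struct.pack(">I", len(data)) + data

def read_string(blob: bytes, off: int):  # -> (value, next offset)
    (n,) = struct.unpack_from(">I", blob, off)
    return blob[off + 4:off + 4 + n], off + 4 + n

def key_type(blob: bytes) -> bytes:
    return read_string(blob, 0)[0]

def plain_key_blob(blob: bytes) -> bytes:
    """Return the plain key blob; for a certificate, rebuild it from the embedded key."""
    ktype, off = read_string(blob, 0)
    if not ktype.endswith(CERT_SUFFIX):
        return blob
    assert ktype.startswith(b"ecdsa-sha2-"), "example handles the ECDSA layout only"
    _nonce, off = read_string(blob, off)    # certificates carry a nonce first
    curve, off = read_string(blob, off)
    point, off = read_string(blob, off)
    return ssh_string(ktype[:-len(CERT_SUFFIX)]) + ssh_string(curve) + ssh_string(point)

def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint over the plain key, so a key and its certificate agree."""
    digest = hashlib.sha256(plain_key_blob(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def sample_blobs():
    """Constructed blobs: the point and the certificate tail are filler, not real key material."""
    curve, point = b"nistp384", b"\x04" + bytes(96)
    key = ssh_string(b"ecdsa-sha2-nistp384") + ssh_string(curve) + ssh_string(point)
    cert = (ssh_string(b"ecdsa-sha2-nistp384" + CERT_SUFFIX) + ssh_string(bytes(32))
            + ssh_string(curve) + ssh_string(point) + b"constructed-tail")
    return key, cert

def load(blobs, slot):
    """Hypothetical agent store: slot(blob) chooses where an entry is written."""
    store = {}
    for blob in blobs:                      # same order as ssh-add: key, then certificate
        store[slot(blob)] = key_type(blob).decode()
    return store

def demo():
    key_and_cert = sample_blobs()
    typed = lambda b: (key_type(b), fingerprint(b))
    return load(key_and_cert, fingerprint), load(key_and_cert, typed)
```

With the fingerprint-only slot the certificate entry replaces the key entry, which matches the single ECDSA-CERT line in the reported `ssh-add -l` output; adding the key type to the slot keeps both.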
