SSH agent forward downgrades signing algorithm to sha-rsa (from rsa-sha2-512)

[tlbdk]

When ssh client requests ssh-agent to do a private signing operation newer clients set signature flags to specify more modern hashing algorithms:
https://tools.ietf.org/id/draft-miller-ssh-agent-01.html#rfc.section.4.5

The docker ssh-agent forwarding code strips these flags for some reason forcing the ssh client to retry with sha-rsa instead.

Step #9: #11 0.950 debug1: Next authentication method: publickey
Step #9: #11 0.950 debug1: Offering public key: my private key RSA SHA256:e0ke/RqeDs0wFtilsXGVzrzzXRpp8MhrQ3Coqg2xGN0 agent
Step #9: #11 0.950 debug3: send packet: type 50
Step #9: #11 0.950 debug2: we sent a publickey packet, wait for reply
Step #9: #11 0.972 debug3: receive packet: type 60
Step #9: #11 0.972 debug1: Server accepts key: my private key RSA SHA256:e0ke/RqeDs0wFtilsXGVzrzzXRpp8MhrQ3Coqg2xGN0 agent
Step #9: #11 0.972 debug3: sign_and_send_pubkey: RSA SHA256:e0ke/RqeDs0wFtilsXGVzrzzXRpp8MhrQ3Coqg2xGN0
Step #9: #11 0.972 debug3: sign_and_send_pubkey: signing using rsa-sha2-512
Step #9: #11 0.975 agent key RSA SHA256:e0ke/RqeDs0wFtilsXGVzrzzXRpp8MhrQ3Coqg2xGN0 returned incorrect signature type
Step #9: #11 0.976 debug3: sign_and_send_pubkey: signing using ssh-rsa
Step #9: #11 0.980 debug3: send packet: type 50
Step #9: #11 0.993 debug3: receive packet: type 52
Step #9: #11 0.994 debug1: Authentication succeeded (publickey).
Step #9: #11 0.994 Authenticated to github.com ([140.82.114.3]:22).

I'm guessing, but could it be that it needs to be ExtendedAgent here:

buildkit/session/sshforward/sshprovider/agentprovider.go

Line 181 in 96d13d6

agent.Agent

https://godoc.org/golang.org/x/crypto/ssh/agent

[tonistiigi]

I'm guessing, but could it be that it needs to be ExtendedAgent here:

That seems right. Can you do a PR?

[tlbdk]

Sadly I'm a bit limited on time at the moment being a new dad, so I don't think it will be anytime soon I will have the time to set up a dev environment so I can test if it actually works. Or is there some easy way for me to run an integration test to see that I did not break anything?

[tonistiigi]

https://github.com/moby/buildkit/blob/master/.github/CONTRIBUTING.md all the dev/test flows are containerized so as long as you have Docker you should be good to go.

The specific test that might interest you is

buildkit/client/client_test.go

Line 255 in 5c9365b

func testSSHMount(t *testing.T, sb integration.Sandbox) {