GPG authentication subkey: "invalid format" error

Question

I've been using GPG with authentication subkeys for a while now, and I recently ran into a rather unhelpful error message. I'm writing this question "Q&A-style" to help others who might run into the same problem.

I use a set of GPG keys for GitHub stuff — both for commit signing and for authentication via SSH. I decided to upgrade the authentication subkey to the newer ED25519 elliptic curve standard, so I added a new ed25519 subkey with authentication capability and revoked the old RSA authentication subkey. I gpg --export-ssh-keyed the new subkey, then added it to both GitHub and a local ~/.ssh/id_gpg_gh.pub file, which is set as my identity file for GitHub via my SSH config.

At this point, though, SSH threw a Load key ".ssh/id_gpg_gh.pub": invalid format error when I tested my login ability. Connecting in verbose mode (ssh -T github.com -v) revealed that SSH was correctly advertising my new key and GitHub was accepting it, but that acceptance was immediately followed by the error message. It seemed that SSH was refusing to actually use my new subkey due to formatting issues.

Answer 1

The error message in this case turned out to be a bit misleading. There was no formatting error in my public key file, as it suggested. Instead, I'd forgotten to tell the GPG agent to use my new subkey, which I fixed by adding its keygrip to ~/.gnupg/sshcontrol.

Despite this being a simple fix, the error message was misleading enough that I anticipate others running into the same issue and being similarly confused. I hope this answer will be useful in such a case.

Also, in case anyone reading this needs a good reference for setting up GPG/SSH authentication in the first place: there are several guides available online, but this one from opensource.com is a good one to start with. This was also how I identified the setup step that I'd skipped, solving my issue.