Feature: SSH Agent – Add support for certificates #13077
Open
AlexpFr wants to merge 16 commits into keepassxreboot:develop from
Conversation
varjolintu
reviewed
Mar 8, 2026
Contributor
Pull request overview
Adds OpenSSH certificate support to the SSH Agent integration, allowing a configured *-cert.pub to be loaded alongside the private key when an entry is unlocked/opened.
Changes:
- Extend KeeAgentSettings and OpenSSHKey to store/load/serialize certificate configuration and data (attachment or external file).
- Update the SSH Agent add/remove flows to handle an optional certificate identity.
- Update the entry editor UI (new “Certificate” tab), documentation, and translation sources for the new feature.
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 13 comments.
Show a summary per file
| File | Description |
|---|---|
| src/sshagent/SSHAgent.cpp | Adds agent requests for adding/removing a certificate identity alongside the key. |
| src/sshagent/OpenSSHKey.h | Adds certificate parsing/writing APIs and storage fields. |
| src/sshagent/OpenSSHKey.cpp | Implements certificate parsing and binary serialization for agent messages. |
| src/sshagent/KeeAgentSettings.h | Adds certificate-related settings getters/setters and env substitution. |
| src/sshagent/KeeAgentSettings.cpp | Adds XML read/write for certificate settings and loads certificate data into OpenSSHKey. |
| src/gui/entry/EditEntryWidgetSSHAgent.ui | Introduces a new “Certificate” tab and related widgets for certificate selection. |
| src/gui/entry/EditEntryWidget.h | Adds slots/members for certificate UI interaction. |
| src/gui/entry/EditEntryWidget.cpp | Wires certificate UI controls into settings and key info refresh; adds file browsing for cert. |
| share/translations/keepassxc_en.ts | Adds new translatable strings for certificate UI and errors. |
| docs/topics/SSHAgent.adoc | Documents how to associate a certificate with an SSH key in the UI. |
Member
The changes here make this one obsolete? #13068
- Add #define SSH_MAX_LOCAL_KEY_SIZE (1 MiB) in KeeAgentSettings.h
- Replace magic value "1024 * 1024" with this constant
attachmentCertificateComboBox and attachmentComboBox are already cleared in updateSSHAgentAttachments().
Removed erroneous semicolon
- Check elements non-empty before accessing first()
- Validate minimum 2 elements (type + nonce)
- Reject invalid/unsupported certificate types
- Verify Base64 nonce decoding success
Move m_addedKeys insertion after key add success but before optional cert add. Ensures keys are always tracked (and auto-removed) even if cert fails.
Validate `stream.writeString(m_certificateType)` success and set m_error on failure, consistent with other write*() calls. Prevents partial stream writes.
Avoid sending invalid SSH_AGENTC_REMOVE_IDENTITY to agent when KeePassXC cannot read the certificate data itself. Prevents malformed removal requests for unreadable certificates.
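The input checks the commit messages above describe for a *-cert.pub line (non-empty input, at least a type and a data field, a supported certificate type, Base64 that actually decodes, a nonce present after the inner type string), as an added example in plain C++. This is not KeePassXC's OpenSSHKey code; the accepted-type list, the error strings and the constructed sample line are assumptions of the example.

```cpp
#include <cstdint>
#include <sstream>
#include <string>
#include <vector>

// Certificate key types accepted here (subset, chosen for this example).
static const char* const kCertTypes[] = {"ssh-ed25519-cert-v01@openssh.com", "ssh-rsa-cert-v01@openssh.com"};
// Constructed sample: ed25519 cert header followed by a 5-byte nonce "nonce" (not a real certificate).
const std::string kSampleCertLine = "ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAABW5vbmNl user@example";
// Strict Base64 decoder: rejects bad length, foreign characters and misplaced padding.
static bool base64Decode(const std::string& in, std::vector<uint8_t>& out) {
    static const std::string tbl = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    if (in.empty() || in.size() % 4 != 0) return false;
    uint32_t acc = 0; int bits = 0; bool padding = false;
    for (size_t i = 0; i < in.size(); ++i) {
        if (in[i] == '=') { padding = true; if (i + 2 < in.size()) return false; continue; }
        if (padding) return false; // data after '=' is invalid
        size_t v = tbl.find(in[i]);
        if (v == std::string::npos) return false;
        acc = (acc << 6) | static_cast<uint32_t>(v); bits += 6;
        if (bits >= 8) { bits -= 8; out.push_back(static_cast<uint8_t>((acc >> bits) & 0xFF)); }
    }
    return true;
}
// Read one SSH wire-format string (uint32 big-endian length, then bytes) from the decoded blob.
static bool readString(const std::vector<uint8_t>& buf, size_t& pos, std::string& out) {
    if (buf.size() - pos < 4) return false;
    uint32_t len = 0;
    for (int i = 0; i < 4; ++i) len = (len << 8) | buf[pos++];
    if (buf.size() - pos < len) return false;
    out.assign(buf.begin() + pos, buf.begin() + pos + len);
    pos += len;
    return true;
}
struct CertCheck { bool ok; std::string error; std::string type; size_t nonceLen; };
// Validate one "<type> <base64 blob> [comment]" line of a *-cert.pub file.
CertCheck checkCertificateLine(const std::string& line) {
    std::vector<std::string> parts; std::string p; std::istringstream iss(line);
    while (iss >> p) parts.push_back(p);
    if (parts.empty()) return {false, "empty input", "", 0};
    if (parts.size() < 2) return {false, "expected key type and certificate data", "", 0};
    bool known = false; for (const char* t : kCertTypes) known = known || parts[0] == t;
    if (!known) return {false, "unsupported certificate type", parts[0], 0};
    std::vector<uint8_t> blob;
    if (!base64Decode(parts[1], blob)) return {false, "certificate data is not valid Base64", parts[0], 0};
    size_t pos = 0; std::string innerType, nonce;
    if (!readString(blob, pos, innerType) || innerType != parts[0]) return {false, "blob type mismatch", parts[0], 0};
    if (!readString(blob, pos, nonce) || nonce.empty()) return {false, "missing nonce", parts[0], 0};
    return {true, "", parts[0], nonce.size()};
}
```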
AlexpFr
commented
Mar 9, 2026
Contributor
Author
For unit tests: I haven't written them yet as I'm not comfortable with the test framework yet. Are tests required for this new certificate handling path?
SSH Agent – Add support for certificates
This implements the requested feature discussed in issue #5486.
If you have an externally generated OpenSSH certificate file associated with your SSH key, you can configure it in the "Certificate" tab. When the key is loaded, if "Use certificate" is checked, both the key and certificate are added to the agent.
The certificate selection logic strictly mirrors the SSH private key selection logic.
Backward Compatibility
In the KeeAgent.settings file, certificate support has been implemented by adding a separate `<LocationCertificate>` node with dedicated element names and `<UseCertificate>` for the "Use certificate" checkbox. Older versions of KeePassXC that do not implement certificate support will ignore these additional XML nodes. Therefore, configuration files containing certificate settings remain fully backward compatible.
Screenshots
Private key tab:

Certificate tab:

Testing strategy
Quick certificate generation for testing
The certificate for `user_key` is `user_key-cert.pub`.
Type of change