I’m trying to understand the output of gpg --export-ssh-key and the significance of using the exclamation mark at the end of a fingerprint, like gpg --export-ssh-key AE33EF7593CCC12AB1525391025EB66818CC429E!. I’m using ed25519 keys.
From the gpg man page:
--export-ssh-key
This command is used to export a key in the OpenSSH public key format. It requires
the specification of one key by the usual means and exports the latest valid subkey
which has an authentication capability to STDOUT or to the file given with option
--output. That output can directly be added to ssh's ‘authorized_key’ file.
By specifying the key to export using a key ID or a fingerprint suffixed with an ex‐
clamation mark (!), a specific subkey or the primary key can be exported. This does
not even require that the key has the authentication capability flag set.
The last sentence is interesting: “This does not even require that the key has the authentication capability flag set.”
The key I tested has a master key with only C capability (not default SC), and three subkeys, one E, one A, one S. Indeed I found I could generate an ssh key with gpg --export-ssh-key KEYID! where KEYID was any ed25519 (not cv25519) key, which for me includes the C master key or the A or S subkeys, and the output was different for each KEYID!. (The E key is cv25519, and gpg failed with gpg: export as ssh key failed: Invalid public key algorithm.)
I could understand if the reality is “gpg will export an SSH key for any valid precursor, in your case any ed25519 key regardless of capability flag set in gpg” — but then what is the purpose of the authentication capability flag at all? Is it just meant to be like a tag, a hint for me that I probably generated an SSH key from the A-capable subkey? And maybe “capabilities” in reality are only constrained by the key algorithm and not a capability flag?
![Has anyone been able to use Google API in MacOS Terminal Command Line? [closed]](https://www.rubin.com.np/wp-content/themes/customizr/assets/front/img/thumb-standard-empty.png)