Skip to content

feat: add --inspect-cert and --verbose flags to login command. Closes #353.#497

Merged
EthanHeilman merged 6 commits into
openpubkey:mainfrom
fdcastel:fix-353
Mar 27, 2026
Merged

feat: add --inspect-cert and --verbose flags to login command. Closes #353.#497
EthanHeilman merged 6 commits into
openpubkey:mainfrom
fdcastel:fix-353

Conversation

@fdcastel
Copy link
Copy Markdown
Contributor

@fdcastel fdcastel commented Mar 25, 2026
edited by EthanHeilman
Loading

Adds --print-ssh-key and -v/--verbose flags to opkssh login, allowing users to inspect generated SSH certificate details directly during login.

Closes #353

Changes

New flags on opkssh login

  • --inspect-cert: Prints SSH certificate details (certificate metadata, PKToken structure, signature info, and token metadata) using the same inspection logic as opkssh inspect.
  • -v/--verbose: Shorthand that enables --print-ssh-key. Provides a convenient way to get detailed output during login.

Combined and unified formatting

  • --print-id-token and --inspect-cert both write to the same output writer (l.out()), making them consistent and testable.
  • Updated inspect command and --print-ssh-key JSON formatting to use 2-space indentation, matching --print-id-token output. This ensures consistent formatting across all three: --print-id-token, --print-ssh-key, and opkssh inspect.

Code reuse

  • --print-ssh-key in the login command reuses InspectCmd from the inspect command, avoiding code duplication.

Files changed

  • commands/login.go: Added PrintSshKeyArg field, updated NewLogin, added SSH key inspection in login(), unified --print-id-token to use l.out().
  • commands/login_test.go: Added test case for PrintSshKeyArg, updated TestNewLogin for new parameter.
  • commands/inspect.go: Changed JSON indentation from 2-space to 4-space to match --print-id-token.
  • commands/inspect_test.go: Updated expected output for 4-space indentation.
  • main.go: Added --print-ssh-key, -v/--verbose flag definitions and wiring.

Example usage

# Print SSH certificate details during login
opkssh login --print-ssh-key

# Verbose mode (equivalent to --print-ssh-key)
opkssh login -v

# Combine with existing flags
opkssh login --print-id-token --print-ssh-key

@fdcastel
feat: add --print-ssh-key and --verbose flags to login command
17dccb0 
Implements openpubkey#353:
- Add --print-ssh-key flag to print SSH cert details during login
- Add -v/--verbose flag that enables --print-ssh-key
- Unify JSON formatting between --print-id-token, --print-ssh-key, and inspect
  (all use 4-space indent)
- Reuse InspectCmd for SSH key display in login command
- Use l.out() for --print-id-token output for consistency with other print flags
EthanHeilman
EthanHeilman requested changes Mar 26, 2026
View reviewed changes
Comment thread commands/inspect.go Outdated
Comment thread commands/login.go Outdated
Comment thread main.go Outdated
@fdcastel
fix: address PR review feedback for openpubkey#353
e4ddeeb 
- Revert inspect JSON formatting to 2-space indent (maintainer preference)
- Rename PrintSshKeyArg -> InspectCertArg and --print-ssh-key -> --inspect-cert
  for clearer distinction from PrintKeyArg (which outputs raw key material)
- Improve flag descriptions to clarify what each prints:
  --print-key: raw private key and cert (secret material)
  --inspect-cert: human-readable cert inspection (public info only)
- Add main_test.go tests for --inspect-cert and --verbose flags
- Update --verbose description to reference --inspect-cert
@EthanHeilman
Copy link
Copy Markdown
Member

EthanHeilman commented Mar 26, 2026

Will merge after windows PR is merged

fdcastel added 2 commits March 26, 2026 13:59
@fdcastel
chore: add .editorconfig with project style preferences
b982b9d 
- Go files: tabs (enforced by gofmt)
- YAML/JSON/Markdown: 2-space indent
- Shell scripts: 2-space indent
- UTF-8 charset, LF line endings, trim trailing whitespace
@fdcastel
fix: use 2-space indent for --print-id-token JSON output
99508a6 
Consistent with inspect command and project style preference.
EthanHeilman
EthanHeilman requested changes Mar 26, 2026
View reviewed changes
Comment thread .editorconfig
Comment thread main.go Outdated
Comment thread main.go Outdated
@EthanHeilman EthanHeilman requested a review from Copilot March 27, 2026 20:31
Copilot AI reviewed Mar 27, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR extends the opkssh login command with additional output/inspection capabilities during login, and updates CLI/test wiring to expose and validate the new flags.

Changes:

  • Adds a new login flag to print/inspect the generated SSH certificate details, plus a -v/--verbose shorthand.
  • Routes --print-id-token output through the command’s output writer and invokes InspectCmd during login when enabled.
  • Adds CLI help/output tests for the new flags and introduces a repository .editorconfig.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 6 comments.

Show a summary per file
File Description
main.go Adds new login flags and wires them into commands.NewLogin, with --verbose enabling certificate inspection.
main_test.go Adds assertions that login --help includes the new flags.
commands/login.go Adds an inspection flag to LoginCmd, routes --print-id-token output via l.out(), and runs InspectCmd during login.
commands/login_test.go Adds a happy-path test case covering the new inspection behavior and updates NewLogin construction.
.editorconfig Adds EditorConfig settings (tabs for Go, 2-space indentation for JSON/MD/YAML/SH).

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread main.go
Comment thread commands/login.go
Comment thread commands/login.go
Comment thread main_test.go
Comment thread .editorconfig
Comment thread main.go
EthanHeilman
EthanHeilman approved these changes Mar 27, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@EthanHeilman EthanHeilman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@EthanHeilman EthanHeilman changed the title feat: add --print-ssh-key and --verbose flags to login command. Closes #353. feat: add --inspect-cert and --verbose flags to login command. Closes #353. Mar 27, 2026
@EthanHeilman EthanHeilman merged commit 0e8f4da into openpubkey:main Mar 27, 2026
21 checks passed
renovate Bot added a commit to sdwilsh/ansible-playbooks that referenced this pull request Apr 28, 2026
@renovate
chore(deps): update dependency openpubkey/opkssh to v0.14.0
e489b80 
##### [\`v0.14.0\`](https://github.com/openpubkey/opkssh/releases/tag/v0.14.0)

Adds support for sshing into windows servers.
Openssh 10.13 makes a breaking, non-backwards compatible change to how ssh certificates work, this breaks opkssh older than this release. This release creates a fix for this breaking change.

##### Changes

- feat: update to openpubkey 0.23.0 [@ianroberts](https://github.com/ianroberts) ([#510](openpubkey/opkssh#510))
- fix(ci): use `go run .` instead of `go run main.go` in gha workflow [@fdcastel](https://github.com/fdcastel) ([#506](openpubkey/opkssh#506))
- \[3/3] Add Windows SSH server support [@fdcastel](https://github.com/fdcastel) ([#480](openpubkey/opkssh#480))
- refactor: unify MockUserLookup into shared test helper package. Closes [#439](openpubkey/opkssh#439). [@fdcastel](https://github.com/fdcastel) ([#495](openpubkey/opkssh#495))
- Update CLI documentation @[github-actions\[bot\]](https://github.com/apps/github-actions) ([#500](openpubkey/opkssh#500))
- feat: add --inspect-cert and --verbose flags to login command. Closes [#353](openpubkey/opkssh#353). [@fdcastel](https://github.com/fdcastel) ([#497](openpubkey/opkssh#497))
- docs: Add GitHub Actions integration guide. Closes [#481](openpubkey/opkssh#481) [@fdcastel](https://github.com/fdcastel) ([#492](openpubkey/opkssh#492))
- test: cover full printed output of opkssh inspect. Closes [#356](openpubkey/opkssh#356) [@fdcastel](https://github.com/fdcastel) ([#493](openpubkey/opkssh#493))
- Update CLI documentation @[github-actions\[bot\]](https://github.com/apps/github-actions) ([#498](openpubkey/opkssh#498))
- Add `logout` command to remove opkssh-generated SSH keys. Closes [#317](openpubkey/opkssh#317). [@fdcastel](https://github.com/fdcastel) ([#496](openpubkey/opkssh#496))
- Update CLI documentation @[github-actions\[bot\]](https://github.com/apps/github-actions) ([#490](openpubkey/opkssh#490))
- \[2/3] Add permissions command [@fdcastel](https://github.com/fdcastel) ([#479](openpubkey/opkssh#479))
- bug: ensure provider arg doesn't skip remote-redirect-uri [@EthanHeilman](https://github.com/EthanHeilman) ([#471](openpubkey/opkssh#471))
- \[1/3] Update GitHub Actions workflows and .gitignore [@fdcastel](https://github.com/fdcastel) ([#478](openpubkey/opkssh#478))
- docs: Add AWS EC2 setup guide for opkssh [@Rishang](https://github.com/Rishang) ([#467](openpubkey/opkssh#467))

##### 🐛 Bug Fixes

- fix(deps): Update docker/build-push-action action to v7 @[renovate\[bot\]](https://github.com/apps/renovate) ([#512](openpubkey/opkssh#512))
- Fix for openssh 10.13 breaking principals wildcard in SSH certificates [@EthanHeilman](https://github.com/EthanHeilman) ([#513](openpubkey/opkssh#513))
- fix(deps): Update zizmorcore/zizmor-action action to v0.5.2 @[renovate\[bot\]](https://github.com/apps/renovate) ([#488](openpubkey/opkssh#488))
- fix(deps): Update dependency golangci/golangci-lint to v2.11.2 @[renovate\[bot\]](https://github.com/apps/renovate) ([#486](openpubkey/opkssh#486))
- fix(deps): Update goreleaser/goreleaser-action action to v7 @[renovate\[bot\]](https://github.com/apps/renovate) ([#484](openpubkey/opkssh#484))
- fix(deps): Update goreleaser/goreleaser-action action to v7 @[renovate\[bot\]](https://github.com/apps/renovate) ([#477](openpubkey/opkssh#477))
- fix(deps): Update actions/setup-go action to v6.3.0 @[renovate\[bot\]](https://github.com/apps/renovate) ([#482](openpubkey/opkssh#482))
- fix(deps): Update zizmorcore/zizmor-action action to v0.5.0 @[renovate\[bot\]](https://github.com/apps/renovate) ([#451](openpubkey/opkssh#451))
- fix(deps): Update Docker @[renovate\[bot\]](https://github.com/apps/renovate) ([#464](openpubkey/opkssh#464))

##### 🧰 Maintenance

- Improve install script to make linter happy, fix typo [@EthanHeilman](https://github.com/EthanHeilman) ([#514](openpubkey/opkssh#514))
sdwilsh pushed a commit to sdwilsh/ansible-playbooks that referenced this pull request Apr 30, 2026
@renovate @sdwilsh
chore(deps): update dependency openpubkey/opkssh to v0.14.0
869d212 
##### [\`v0.14.0\`](https://github.com/openpubkey/opkssh/releases/tag/v0.14.0)

Adds support for sshing into windows servers.
Openssh 10.13 makes a breaking, non-backwards compatible change to how ssh certificates work, this breaks opkssh older than this release. This release creates a fix for this breaking change.

##### Changes

- feat: update to openpubkey 0.23.0 [@ianroberts](https://github.com/ianroberts) ([#510](openpubkey/opkssh#510))
- fix(ci): use `go run .` instead of `go run main.go` in gha workflow [@fdcastel](https://github.com/fdcastel) ([#506](openpubkey/opkssh#506))
- \[3/3] Add Windows SSH server support [@fdcastel](https://github.com/fdcastel) ([#480](openpubkey/opkssh#480))
- refactor: unify MockUserLookup into shared test helper package. Closes [#439](openpubkey/opkssh#439). [@fdcastel](https://github.com/fdcastel) ([#495](openpubkey/opkssh#495))
- Update CLI documentation @[github-actions\[bot\]](https://github.com/apps/github-actions) ([#500](openpubkey/opkssh#500))
- feat: add --inspect-cert and --verbose flags to login command. Closes [#353](openpubkey/opkssh#353). [@fdcastel](https://github.com/fdcastel) ([#497](openpubkey/opkssh#497))
- docs: Add GitHub Actions integration guide. Closes [#481](openpubkey/opkssh#481) [@fdcastel](https://github.com/fdcastel) ([#492](openpubkey/opkssh#492))
- test: cover full printed output of opkssh inspect. Closes [#356](openpubkey/opkssh#356) [@fdcastel](https://github.com/fdcastel) ([#493](openpubkey/opkssh#493))
- Update CLI documentation @[github-actions\[bot\]](https://github.com/apps/github-actions) ([#498](openpubkey/opkssh#498))
- Add `logout` command to remove opkssh-generated SSH keys. Closes [#317](openpubkey/opkssh#317). [@fdcastel](https://github.com/fdcastel) ([#496](openpubkey/opkssh#496))
- Update CLI documentation @[github-actions\[bot\]](https://github.com/apps/github-actions) ([#490](openpubkey/opkssh#490))
- \[2/3] Add permissions command [@fdcastel](https://github.com/fdcastel) ([#479](openpubkey/opkssh#479))
- bug: ensure provider arg doesn't skip remote-redirect-uri [@EthanHeilman](https://github.com/EthanHeilman) ([#471](openpubkey/opkssh#471))
- \[1/3] Update GitHub Actions workflows and .gitignore [@fdcastel](https://github.com/fdcastel) ([#478](openpubkey/opkssh#478))
- docs: Add AWS EC2 setup guide for opkssh [@Rishang](https://github.com/Rishang) ([#467](openpubkey/opkssh#467))

##### 🐛 Bug Fixes

- fix(deps): Update docker/build-push-action action to v7 @[renovate\[bot\]](https://github.com/apps/renovate) ([#512](openpubkey/opkssh#512))
- Fix for openssh 10.13 breaking principals wildcard in SSH certificates [@EthanHeilman](https://github.com/EthanHeilman) ([#513](openpubkey/opkssh#513))
- fix(deps): Update zizmorcore/zizmor-action action to v0.5.2 @[renovate\[bot\]](https://github.com/apps/renovate) ([#488](openpubkey/opkssh#488))
- fix(deps): Update dependency golangci/golangci-lint to v2.11.2 @[renovate\[bot\]](https://github.com/apps/renovate) ([#486](openpubkey/opkssh#486))
- fix(deps): Update goreleaser/goreleaser-action action to v7 @[renovate\[bot\]](https://github.com/apps/renovate) ([#484](openpubkey/opkssh#484))
- fix(deps): Update goreleaser/goreleaser-action action to v7 @[renovate\[bot\]](https://github.com/apps/renovate) ([#477](openpubkey/opkssh#477))
- fix(deps): Update actions/setup-go action to v6.3.0 @[renovate\[bot\]](https://github.com/apps/renovate) ([#482](openpubkey/opkssh#482))
- fix(deps): Update zizmorcore/zizmor-action action to v0.5.0 @[renovate\[bot\]](https://github.com/apps/renovate) ([#451](openpubkey/opkssh#451))
- fix(deps): Update Docker @[renovate\[bot\]](https://github.com/apps/renovate) ([#464](openpubkey/opkssh#464))

##### 🧰 Maintenance

- Improve install script to make linter happy, fix typo [@EthanHeilman](https://github.com/EthanHeilman) ([#514](openpubkey/opkssh#514))
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@EthanHeilman EthanHeilman EthanHeilman approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add --verbose flag to login

3 participants

@fdcastel @EthanHeilman