openssh_cert does not support ecdsa-sk or ed25519-sk public keys

[jnss95]

SUMMARY

I am currently trying to sign a public key that was generated using a hardware token like this:
ssh-keygen -t ed25519-sk
The resulting public key will look something like this:
[email protected] (...) jonas@jonas-thinkpad
If i now sign the key using my CA the ansible task will fail with this error message:
fatal: [openssh-ca.int.lipowsky.de]: FAILED! => {"changed": false, "msg": "Unable to read new certificate: Invalid certificate format identifier: b'[email protected]'"}
Looking on the target remote I noticed that the certificate was correctly signed and its just the ansible checks that failed.

Digging into the source code I noticed that the _SSH_TYPE_STRINGS in plugins/module_utils/openssh/certificate.py are missing the support for the public keys generated with the -sk suffix

ISSUE TYPE

• Bug Report

COMPONENT NAME

ANSIBLE VERSION

ansible [core 2.17.3]
  python version = 3.10.12 (main, Jul 29 2024, 16:56:48) [GCC 11.4.0] 
  jinja version = 3.1.4
  libyaml = True

COLLECTION VERSION

Collection       Version
---------------- -------
community.crypto 2.21.1 

OS / ENVIRONMENT

• Host: Ubuntu on WSL2
• Target: Ubuntu 22.04

STEPS TO REPRODUCE

1. Generate a ssh key using -t ed25519-sk or -t ecdsa-sk
2. Sign the key using community.crypto.openssh_cert

EXPECTED RESULTS

A valid ssh certificate should be produced with no error

ACTUAL RESULTS

A valid ssh certificate is produced - but an error is emitted