apologies for asking this question here instead of actually doing the research, but it always seemed to be that while putting keys in a secure environment would help against leakage of the private bits, there really isn't a great story around making sure than only authorized requests can be signed. is this a stupid concern?

▲

justincormack a day ago | parent | next [-]

Yubikey can require touch, and Secretive for Apple Secure enclave can require touch with fingerprint id. Some people disable these, it depends exactly on your use case.

	▲	akdev1l 19 hours ago \| parent \| next [-]
		You don’t need Secretive, there is actually Apple native way I put my ssh keys into the Mac’s TPM and now it asks for a password/touch ID when I use it. Unfortunately I forget what commands I used
	▲	convolvatron a day ago \| parent \| prev [-]
		yes, but what's to stop a malicious actor from intercepting a signature request and replacing its own contents in place of the legitimate one. yes you would find out when your push was rejected, but that would be a bit late.

▲

guipsp a day ago | parent | prev [-]

It is not a stupid concern, butt there is architecture around making sure you can't just save a request for later and replay it