keygen | KeyGen is a generator for keys and passwords | Cryptography library

It depends on what you used for the $keyFile in your script.

A default name should be part of the /home/pi/.ssh/id_xxx names considered during an SSH session.
But a non-default name would need to be specified in an ~/.ssh/config: double-check if you have one.

Also, in your script, to be sure, don't use ~/.ssh, but /home/$USER/.ssh consistently, to avoid any mistake when the shell substitutes ~.

The RSA family algorithms expect a key of type *rsa.PrivateKey. The library dgrijalva/jwt-go has a helper function jwt.ParseRSAPrivateKeyFromPEM(keyData) where keyData is a []byte slice.

The repo has some handy examples in rsa_test.go file.

_{Also the examples are outdated because as of Go 1.16 the ioutil package is deprecated...}

Please be aware that github.com/dgrijalva/jwt-go has been unmaintained for a long time and has critical unfixed bugs. And doesn't support Go modules, before the version 4 (which is just a preview anyway). I strongly recommend to choose an different library for dealing with JWT.

One option is split the string at the space with strsplit, loop over the list of values, convert to raw through hexmode

I asked a senior dev at my company and he suggested that I just update my ~/.ssh.config file. I added:

So: it is true Security keys are now supported for SSH Git operations , as announced early this month (May 2021) on GitHub, but, as discussed here, there are still issues.

Your error message looks like a bug in progress on Debian: "issue 980393: /usr/bin/ssh-keygen -t ecdsa-sk fails with "Key enrollment failed: invalid format"".
And it is still being reported this month.

If this fails also with -t ecdsa, try and using a plugin for OpenSSH to connect to FIDO/U2F security keys through native Windows Hello APIs might help.
Type export SSH_SK_HELPER=/usr/lib/ssh/ssh-sk-helper.exe first, as seen in tavrez/openssh-sk-winhello issue 1.
Check your OpenSSH version is at least 8.2. It is on my side with the latest Git for Windows:

You'll probably want to use both includeIf and carefully-adjusted URLs.

To see how this works (plus various Git version caveats), read through the long section.

We need to separate things into two parts here. First, let's describe it: what program uses what, when, and how. Then let's worry about how to use these conveniently.

• There's the stuff Git uses when you run git commit. This is what user.name and user.email are for.¹

• Then, independent of any of that, there's the stuff that ssh uses when you run git fetch or git push with an ssh://git@github.com/path/to/repo.git or git@github.com:path/to/repo.git URL.²

You configure Git settings with git config. You configure ssh settings by editing files in $HOME/.ssh/, or wherever your system's ssh, or the auxiliary ssh, puts them.³

Let's now dive into the ssh part.

¹Whenever you make a new commit with Git, Git needs to know several things to put into the new commit:

• Your name, e.g., "A. U. Thor".
• Your email address, e.g., thor@example.com.
• The current date-and-time.
• A log message.
• A snapshot: the exact contents for every file, to put into the new commit.

Git finds the date-and-time on its own, using your computer's clock. Use whatever software is appropriate to keep your computer's clock correct to make this work right.

Git gets the log message from you. Use whatever you like to provide the right log message.

Git gets the snapshot from whatever is in Git's index. Use git add to adjust Git's index, so that you have the correct snapshot. (This is why you have to git add files all the time, even if they're not new files: it's not that Git isn't going to put them in the commit, it's that Git will put the old version in the file, because when Git checked out a commit earlier, that's the version it got out of the commit, and put in Git's index. The git add command has Git update its index copy of the file.)

The user.name and user.email settings are just for these items: author/committer name, and author/committer email address. You can put anything you want here; Git does not know or care who you are, and does not verify these. (Other software may, eventually, try to figure out who you are, and might care, so it's generally just a loss to you if you fake these, but Git itself won't care.)

²I've written these as git@github.com but you can use just github.com, or something even shorter, depending on how you configure ssh itself. See the section on ssh below. The github.com:path spelling is shorter and has the same effect as ssh://github.com/path, but I prefer the explicit ssh:// myself. They really do mean the same thing to Git—not to ssh, but Git strips this part off before invoking ssh—so you can use whichever you prefer here.

³On systems that come with a working ssh, Git generally just uses the system's ssh. On Windows, however, a lot of older Windows systems have either a defective ssh, or no ssh at all, so a lot of Git-for-Windows installations come with a private ssh implementation as well. You must find out which ssh your system uses, if you are in this situation, and see where to configure it. You may be able to configure your Git to use the system ssh; if you have a modern Windows system, this may be a good idea. I don't use Windows and hence don't have all the details here.

While ssh has lots of little side jobs to perform, its one big thing is to establish a secure communications stream. To do this, ssh needs to authenticate. For our purposes here, we'll skip over all but the simple public/private-key authentication method, and in particular how GitHub will decide who you are. This lets us ignore a lot of irrelevant-to-us details. (They do matter if you're using ssh more generally, but not if you're fetching from, and pushing to, GitHub.)

What ssh will do is:

• look up a host name to find an IP address, or take an IP address directly;
• connect to a server at that IP address, at some numeric port (default 22, which is the standard ssh port);
• collect a "fingerprint" from the server there, and see if it matches the known fingerprint from the last connection;⁴
• if all looks good, send enough information for the other end to figure out who you are: they'll send a challenge, your ssh will send a response, and at the end of all of this, they will have your public key and be reasonably certain that you have the corresponding private key.

In the end, then, they figure out who you are from your public key. They don't believe you just because you have this key: the public key is, after all, available to the public. But this particular public key is paired with a private key, which you don't give out to anyone else. They send a challenge, using your public key that you've already sent to them, and you—or your ssh—answer back, using your private key, and the fact that you can respond indicates that you hold the right private key.

What all this boils down to is:

• You must give GitHub your public key, using their web interface. This is how they will decide that you are you. If you want to be two people, "you-at-home" and "you-at-work", you need to give them two public keys.

• Later, when you come in to access some particular repository, you must give GitHub the right public key. You don't give them just any public key: if you want access to "you-at-work" repositories, you have to give them the you-at-work public key (only!).

So: how do we do that? If you have two (or more) public keys, how do we make sure that ssh hands, to GitHub, one particular key? This is where the .ssh/config entries come in. Let's look at this one:

I get a popup asking for my gitlab username and password which I enter and which fails.

Check, as commented:

• git remote -v
• git config credential.helper

If the first starts with https://, and the second is not empty, what you see is a Git credential helper trying to cache your HTTPS credentials.
That means your SSH key would be ignored anyway.

Regarding the error message, check out this thread, and test it with:

The known_hosts file on the raspmountain probably does not contain the hostkey of the server.

You will for sure get more details in curl log.

See also Why can't curl retrieve the SSH host key (key: )

If the private key format differs, that means, as I mentioned here that:

• one platform is using openssh prior to 7.8, with an old PEM 64-chars per line format.
• one is using a more recent OpenSSH format, 70-chars per line.

You can force a recent openSSH to generate the old format with: