Exclude default ssh-keygen from custom program detection

Rename hasSSHSignProgram to hasCustomSSHSignProgram and exclude the
git default value "ssh-keygen", which works with go-git's native SSH
agent signing. Only truly external programs like 1Password's
op-ssh-sign should skip native signing.

Entire-Checkpoint: fe883bace626

Author: pfleidi

cmd/entire/cli/objectsigner.go

@@ -37,12 +37,14 @@ func RegisterObjectSigner() {
 				return nil
 			}
 
-			// When gpg.ssh.program is configured (e.g. 1Password's op-ssh-sign),
-			// signing happens via an external binary that go-git cannot invoke.
-			// Skip native signing silently — checkpoint commits will be unsigned,
-			// which is acceptable since signing is best-effort.
-			if auto.Format(merged.GPG.Format) == auto.FormatSSH && hasSSHSignProgram(merged.Raw) {
-				logging.Debug(context.Background(), "skipping native SSH commit signing: gpg.ssh.program is configured")
+			// When a custom gpg.ssh.program is configured (e.g. 1Password's
+			// op-ssh-sign), signing happens via an external binary that go-git
+			// cannot invoke. Skip native signing silently — checkpoint commits
+			// will be unsigned, which is acceptable since signing is best-effort.
+			// The default program is "ssh-keygen", which works with go-git's
+			// native SSH agent signing and does not need to be skipped.
+			if auto.Format(merged.GPG.Format) == auto.FormatSSH && hasCustomSSHSignProgram(merged.Raw) {
+				logging.Debug(context.Background(), "skipping native SSH commit signing: custom gpg.ssh.program is configured")
 				return nil
 			}
 
@@ -85,14 +87,20 @@ var scopeName = map[config.Scope]string{
 	config.SystemScope: "system",
 }
 
-// hasSSHSignProgram checks whether gpg.ssh.program is set in the raw config.
+// hasCustomSSHSignProgram checks whether gpg.ssh.program is set to a
+// non-default value in the raw config. The git default is "ssh-keygen",
+// which works with go-git's native SSH agent signing. Custom programs
+// (e.g. 1Password's op-ssh-sign) use a separate signing mechanism that
+// go-git cannot invoke.
 // go-git's Config struct does not expose this field, so we read it directly.
-func hasSSHSignProgram(raw *format.Config) bool {
+func hasCustomSSHSignProgram(raw *format.Config) bool {
 	if raw == nil {
 		return false
 	}
 
-	return raw.Section("gpg").Subsection("ssh").Option("program") != ""
+	program := raw.Section("gpg").Subsection("ssh").Option("program")
+
+	return program != "" && program != "ssh-keygen"
 }
 
 func loadScopedConfig(source plugin.ConfigSource, scope config.Scope) *config.Config {

cmd/entire/cli/objectsigner_test.go

@@ -6,7 +6,7 @@ import (
 	format "github.com/go-git/go-git/v6/plumbing/format/config"
 )
 
-func TestHasSSHSignProgram(t *testing.T) {
+func TestHasCustomSSHSignProgram(t *testing.T) {
 	t.Parallel()
 
 	tests := []struct {
@@ -25,14 +25,23 @@ func TestHasSSHSignProgram(t *testing.T) {
 			want: false,
 		},
 		{
-			name: "gpg.ssh.program set",
+			name: "custom program set",
 			raw: func() *format.Config {
 				c := format.New()
 				c.Section("gpg").Subsection("ssh").SetOption("program", "/Applications/1Password.app/Contents/MacOS/op-ssh-sign")
 				return c
 			}(),
 			want: true,
 		},
+		{
+			name: "default ssh-keygen is not custom",
+			raw: func() *format.Config {
+				c := format.New()
+				c.Section("gpg").Subsection("ssh").SetOption("program", "ssh-keygen")
+				return c
+			}(),
+			want: false,
+		},
 		{
 			name: "gpg section exists but no ssh.program",
 			raw: func() *format.Config {
@@ -48,9 +57,9 @@ func TestHasSSHSignProgram(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			t.Parallel()
 
-			got := hasSSHSignProgram(tt.raw)
+			got := hasCustomSSHSignProgram(tt.raw)
 			if got != tt.want {
-				t.Errorf("hasSSHSignProgram() = %v, want %v", got, tt.want)
+				t.Errorf("hasCustomSSHSignProgram() = %v, want %v", got, tt.want)
 			}
 		})
 	}