by pinhead26 2322 days ago
You don't have to, it works by signing a message with your PGP or SSH key. All GitHub users' public keys are already available from their API, that's how the airdrop works.
1 comments

No. It's not like that at all. Otherwise there would be no controversy.

The airdrop tool takes your private key and your passphrase, does some overcomplicated (and unconventional) magic with it and asks you to post the resulting data to the public.

The Goosig (extra blinding crypto) is also optional. With the --bare flag, it's just a signature.
Try it please :) I've spent several hours around this option.
I've explained above why it cannot work, but I'm still digging for an alternative that wouldn't consist of revealing the private key.
More feedback, if I understood it right: if you extract the findNonces function, dump the 1500 files of 512 bytes, transfer them to a machine that has the ssh private key, then you should be able to sign without risking anything (encryption is RSA-OAEP), because your private key wouldn't touch the software.