
ssh issues with encrypted identity files on MacOS #20

@dtrifiro


SSH on MacOS provides the UseKeychain option (man ssh_config) that makes it possible to decrypt encrypted ssh identity files on-the-fly by retrieving the passphrase from MacOS' keychain.

This works with git clone and other git cli commands, but fails when using certain dvc operations (dvc exp list, dvc get, ...) because the ssh vendor we use for git operations and for remote operations (asyncssh) does not support Apple keychain integration.

Using UseKeychain can result in authentication issues (unexpected CloneError or Permission Denied errors).

The solution is to decrypt the ssh key and add it to the ssh agent:

ssh-add --apple-load-keychain ~/.ssh/ed255

(note that --apple-load-keychain used to be -A)

By adding the key to the ssh-agent, asyncssh is able to properly use the (decrypted) key.

First noted by @shcheklein in iterative/dvc#7702 (comment)
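A way to check for the condition described above, as an added example that is not part of the original issue or of dvc/asyncssh: it reads the cleartext header of an OpenSSH private key to tell whether the key is passphrase-encrypted and compares its fingerprint with the output of `ssh-add -l`. It assumes the `openssh-key-v1` file format; the function names are hypothetical and the sample key is a constructed container, not a real key.

```python
import base64, hashlib, struct

MAGIC = b"openssh-key-v1\x00"  # start of the OpenSSH private key container

def pack_string(b):
    """SSH wire-format string: uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def read_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4 : off + 4 + n], off + 4 + n

def inspect_key(pem_text):
    """Return (encrypted, fingerprint) from the unencrypted header; no passphrase needed."""
    body = "".join(l for l in pem_text.strip().splitlines() if not l.startswith("-----"))
    blob = base64.b64decode(body)
    if not blob.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 private key")
    cipher, off = read_string(blob, len(MAGIC))  # b"none" means no passphrase
    _kdf, off = read_string(blob, off)
    _kdfopts, off = read_string(blob, off)
    pub, _ = read_string(blob, off + 4)           # skip uint32 key count
    digest = hashlib.sha256(pub).digest()
    return cipher != b"none", "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def agent_fingerprints(ssh_add_l_output):
    """Parse `ssh-add -l` lines of the form '<bits> SHA256:<fp> <comment> (<type>)'."""
    fields = (line.split() for line in ssh_add_l_output.splitlines())
    return {f[1] for f in fields if len(f) >= 2 and f[1].startswith("SHA256:")}

def usable_without_keychain(pem_text, ssh_add_l_output):
    """True if a client with no keychain support can use the key:
    it is either unencrypted or already loaded in the ssh-agent."""
    encrypted, fp = inspect_key(pem_text)
    return (not encrypted) or fp in agent_fingerprints(ssh_add_l_output)

# Constructed sample: header of an encrypted ed25519 key with dummy key material.
SAMPLE_PUB = pack_string(b"ssh-ed25519") + pack_string(bytes(32))
SAMPLE_KEY = ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(
    MAGIC + pack_string(b"aes256-ctr") + pack_string(b"bcrypt")
    + pack_string(bytes(24)) + struct.pack(">I", 1)
    + pack_string(SAMPLE_PUB) + pack_string(bytes(16))).decode()
    + "\n-----END OPENSSH PRIVATE KEY-----\n")

if __name__ == "__main__":
    print(inspect_key(SAMPLE_KEY))
    print(usable_without_keychain(SAMPLE_KEY, "The agent has no identities."))
```

To run it against a real setup, pass the contents of the identity file and the captured output of `ssh-add -l` to `usable_without_keychain`.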
