verify-required flag prevents authentication with ed25519-sk and ecdsa-sk resident keys

[needs-coffee]

When creating a resident ssh key with the below command
ssh-keygen -t ed25519-sk -O resident -O application=ssh:solo2 -O verify-required

The key becomes unable to authenticate with the server with the warning message typically
sign_and_send_pubkey: signing failed for ED25519-SK "user@source" from agent: agent refused operation

this is the same for ecdsa-sk and ed25519-sk
resident keys function correctly without he verify-required flag (but lack the PIN verification that the verify-required key enforces)
if either or both server and ssh key specify the verify-required flag then the authentication fails.
this occurs on windows 10 (10.0.19044 Build 19044) and ubuntu 22.04.
Server openssh v8.9
client openssh v8.9

Below is a log excerpt of an ssh session with both the key and sever setting verify-required flags.

OpenSSH_8.9p1 Ubuntu-3, OpenSSL 3.0.2 15 Mar 2022
debug1: Connection established.
debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Ubuntu-3
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9p1 Ubuntu-3
debug1: get_agent_identities: bound agent to hostkey
debug1: Will attempt key: /home/user/.ssh/id_ed25519 ED25519 SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx agent
debug1: Will attempt key: /home/user/.ssh/id_ed25519_sk ED25519-SK SHA256:solo2solo2solo2solo2solo2solo2solo2solo2xxx authenticator agent
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug1: Offering public key: /home/user/.ssh/id_ed25519 ED25519 SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug1: Offering public key: /home/user/.ssh/id_ed25519_sk ED25519-SK SHA256:solo2solo2solo2solo2solo2solo2solo2solo2xxx authenticator agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: /home/user/.ssh/id_ed25519_sk ED25519-SK SHA256:solo2solo2solo2solo2solo2solo2solo2solo2xxx authenticator agent
debug3: sign_and_send_pubkey: using [email protected] with ED25519-SK SHA256:solo2solo2solo2solo2solo2solo2solo2solo2xxx
debug3: sign_and_send_pubkey: signing using [email protected] SHA256:solo2solo2solo2solo2solo2solo2solo2solo2xxx
sign_and_send_pubkey: signing failed for ED25519-SK "/home/user/.ssh/id_ed25519_sk" from agent: agent refused operation
debug1: Server accepts key: user@source ED25519-SK SHA256:solo2solo2solo2solo2solo2solo2solo2solo2xxx authenticator agent
debug3: sign_and_send_pubkey: using [email protected] with ED25519-SK SHA256:solo2solo2solo2solo2solo2solo2solo2solo2xxx
debug3: sign_and_send_pubkey: signing using [email protected] SHA256:solo2solo2solo2solo2solo2solo2solo2solo2xxx
sign_and_send_pubkey: signing failed for ED25519-SK "user@source" from agent: agent refused operation
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
[email protected]: Permission denied (publickey).

similar if the key specifies the flag but not the server

debug1: Server accepts key: /home/user/.ssh/id_ed25519_sk ED25519-SK SHA256:solo2solo2solo2solo2solo2solo2solo2solo2xxx authenticator agent
debug3: sign_and_send_pubkey: using [email protected] with ED25519-SK SHA256:solo2solo2solo2solo2solo2solo2solo2solo2xxx
debug3: sign_and_send_pubkey: signing using [email protected] SHA256:solo2solo2solo2solo2solo2solo2solo2solo2xxx
sign_and_send_pubkey: signing failed for ED25519-SK "/home/user/.ssh/id_ed25519_sk" from agent: agent refused operation
debug1: Offering public key: user@source ED25519-SK SHA256:solo2solo2solo2solo2solo2solo2solo2solo2xxx authenticator agent
debug1: Server accepts key: user@source ED25519-SK SHA256:solo2solo2solo2solo2solo2solo2solo2solo2xxx authenticator agent
debug3: sign_and_send_pubkey: using [email protected] with ED25519-SK SHA256:solo2solo2solo2solo2solo2solo2solo2solo2xxx
debug3: sign_and_send_pubkey: signing using [email protected] SHA256:solo2solo2solo2solo2solo2solo2solo2solo2xxx
sign_and_send_pubkey: signing failed for ED25519-SK "user@source" from agent: agent refused operation

if the server has the flag but the key was created without it then the key flashes blue and the session hangs here until terminated

debug1: Server accepts key: user@source ED25519-SK SHA256:solo2solo2solo2solo2solo2solo2solo2solo2xxx authenticator agent
debug3: sign_and_send_pubkey: using [email protected] with ED25519-SK SHA256:solo2solo2solo2solo2solo2solo2solo2solo2xxx
debug3: sign_and_send_pubkey: signing using [email protected] SHA256:solo2solo2solo2solo2solo2solo2solo2solo2xxx

and an except of a successful auth with neither flag set

debug1: Offering public key: user@source ED25519-SK SHA256:solo2solo2solo2solo2solo2solo2solo2solo2xxx authenticator agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: user@source ED25519-SK SHA256:solo2solo2solo2solo2solo2solo2solo2solo2xxx authenticator agent
debug3: sign_and_send_pubkey: using [email protected] with ED25519-SK SHA256:solo2solo2solo2solo2solo2solo2solo2solo2xxx
debug3: sign_and_send_pubkey: signing using [email protected] SHA256:solo2solo2solo2solo2solo2solo2solo2solo2xxx
debug3: send packet: type 50
debug3: receive packet: type 52
Authenticated to server.lan ([192.168.0.22]:22) using "publickey".
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open

This issue looks to be similar to that posted in discussion 108 by @darses

[needs-coffee]

solokeys/solo2#108