Description
This git config

```
$ cat .gitconfig
[user]
signingKey = /home/aim/.ssh/id_ecdsa.pub
```
works exactly as expected when using ssh-tpm-agent. However, when using certificates for signing commits with
```
[user]
signingKey = /home/aim/.ssh/id_ecdsa-cert.pub
```

the agent fails with

```
time=2024-12-17T16:27:23.307+01:00 level=DEBUG msg="called list"
time=2024-12-17T16:27:23.307+01:00 level=DEBUG msg="called signwithflags"
time=2024-12-17T16:27:23.307+01:00 level=DEBUG msg="trying to sign as proxy..."
time=2024-12-17T16:27:23.308+01:00 level=INFO msg="agent 13: no private keys match the requested public key"
```
I'm guessing this part

Lines 193 to 197 in b9b17a9

```go
for _, s := range signers {
	if !bytes.Equal(s.PublicKey().Marshal(), key.Marshal()) {
		continue
	}
	return s.(ssh.AlgorithmSigner).SignWithAlgorithm(rand.Reader, data, alg)
```
If SSH signing is anything like X.509 signing, you should get the entire tbs/ToBeSigned payload submitted and just sign that as usual. Then git attaches the certificate to the signature, meaning that should be all there is to it. So my guess is the issue simply stems from git not attaching the certificate if you don't specify one as the signingKey. (Loads of assumptions here, don't take my word for anything I just said ;-) )

P.S.: I'm bombarding you with new issues right now, sorry about that 😆. Let me know if I can help you with any of the fixes or do some research for you. I'm heading for vacation today but can work on it in the new year.
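Added example, not code from ssh-tpm-agent or from the issue author: it assumes the "no private keys match" error comes from the `bytes.Equal` lookup quoted above receiving the certificate blob (whose marshaled form differs from the plain key's) and shows how a lookup could resolve an OpenSSH RSA or ECDSA certificate to its embedded public key before comparing. The function names `readStrings`, `MarshalStrings`, `UnderlyingKeyBlob` and `KeyMatches` are hypothetical, and the blobs built in the usage are constructed stand-ins, not real keys.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"strings"
)

// readStrings pops the first n SSH wire-format strings (uint32 big-endian
// length prefix, then bytes) from blob, refusing truncated input.
func readStrings(blob []byte, n int) ([][]byte, bool) {
	var out [][]byte
	for ; n > 0; n-- {
		if len(blob) < 4 || uint64(len(blob)) < 4+uint64(binary.BigEndian.Uint32(blob)) {
			return nil, false
		}
		end := 4 + binary.BigEndian.Uint32(blob)
		out, blob = append(out, blob[4:end]), blob[end:]
	}
	return out, true
}

// MarshalStrings concatenates fields as SSH wire-format strings.
func MarshalStrings(fields ...[]byte) []byte {
	var out []byte
	for _, f := range fields {
		out = append(binary.BigEndian.AppendUint32(out, uint32(len(f))), f...)
	}
	return out
}

// UnderlyingKeyBlob returns the plain public-key blob embedded in an OpenSSH
// RSA or ECDSA certificate blob; anything else is returned unchanged.
func UnderlyingKeyBlob(blob []byte) []byte {
	const suffix = "-cert-v01@openssh.com"
	// PROTOCOL.certkeys layout: type, nonce, key fields (curve name and point
	// for ECDSA, e and n for RSA), then serial, principals and so on.
	f, ok := readStrings(blob, 4)
	if !ok || !strings.HasSuffix(string(f[0]), suffix) {
		return blob
	}
	return MarshalStrings([]byte(strings.TrimSuffix(string(f[0]), suffix)), f[2], f[3])
}

// KeyMatches is the agent's byte comparison with one extra step: a requested
// certificate is resolved to its embedded key before comparing.
func KeyMatches(requested, signerPub []byte) bool {
	return bytes.Equal(requested, signerPub) ||
		bytes.Equal(UnderlyingKeyBlob(requested), signerPub)
}
```

With this lookup a request for `id_ecdsa-cert.pub` still finds the signer for `id_ecdsa.pub`, while a certificate over a different key, or a truncated blob, still matches nothing.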