It would be nice if Pageant could support a mode in which it examines a public key file at startup and immediately starts advertising the key to clients, but doesn't actually decrypt the key (hence, does not prompt for a passphrase either) until the first time it's called on to actually generate a signature. Then it would decrypt the key and load it properly.
On Windows, this almost certainly depends on
Also, depending on whether it turns out to be feasible to separate the
GUI and agent-request message queues (see discussion in the linked
issue), we might have no option but to present not-yet-decrypted keys
only to clients using named-pipe IPC, and pretend to old-style
WM_COPYDATA clients that those keys aren't loaded at all.
2021-04: implemented, including old Windows clients' ability to work with deferred decryption. (This won't work brilliantly if multiple old clients make blocking requests simultaneously, but that can't be helped.)