From 4c869b74580401b31653ec1c52c9f8b78ffd6c8a Mon Sep 17 00:00:00 2001
From: Nicola Sella
Date: Tue, 30 Sep 2025 15:28:03 +0200
Subject: [PATCH] Stat Identity file on sys con add

Fixes: https://github.com/containers/podman/issues/26016
Signed-off-by: Nicola Sella
---
 cmd/podman/system/connection/add.go | 9 +++++++++
 test/system/272-system-connection.bats | 25 +++++++++++++++++++++++++
 2 files changed, 34 insertions(+)
diff --git a/cmd/podman/system/connection/add.go b/cmd/podman/system/connection/add.go
index 40ecd8b689..c5098b62f5 100644
--- a/cmd/podman/system/connection/add.go
+++ b/cmd/podman/system/connection/add.go
@@ -16,6 +16,7 @@ import (
 "go.podman.io/common/pkg/completion"
 "go.podman.io/common/pkg/config"
 "go.podman.io/common/pkg/ssh"
+ "go.podman.io/storage/pkg/fileutils"
 )
 
 var (
@@ -168,6 +169,14 @@ func add(cmd *cobra.Command, args []string) error {
 }
 switch uri.Scheme {
 case "ssh":
+ if cOpts.Identity != "" {
+ if err := fileutils.Exists(cOpts.Identity); err != nil {
+ if errors.Is(err, os.ErrNotExist) {
+ return fmt.Errorf("identity file does not exist: %w", err)
+ }
+ return err
+ }
+ }
 return ssh.Create(entities, sshMode)
 case "unix":
 if cmd.Flags().Changed("identity") {
diff --git a/test/system/272-system-connection.bats b/test/system/272-system-connection.bats
index e91e9d83ef..dbca1a0b85 100644
--- a/test/system/272-system-connection.bats
+++ b/test/system/272-system-connection.bats
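Review bot: The `fileutils.Exists` check added to the `ssh` case only proves that something is present at `cOpts.Identity`; a directory or a file the caller cannot read still passes and reaches `ssh.Create`, and the file can change between this check and the later read, so it is a usability hint rather than validation of the key. The non-ENOENT branch also returns the error bare; `return fmt.Errorf("checking identity file %q: %w", cOpts.Identity, err)` would tell the user which option caused it. The test added in the same patch expects `failed to validate: failed to read identity` for the nonexistent path rather than the `identity file does not exist` text introduced here, so it is worth confirming that this branch is actually reached. The body of `add` starts and ends outside the hunk.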
@@ -94,6 +94,31 @@ $c2[ ]\+tcp://localhost:54321[ ]\+true[ ]\+true" \
 run_podman context rm $c1
 }
 
+# Test system connection add bad identities with ssh/unix/tcp
+@test "podman system connection --identity" {
+ run_podman system connection ls -q
+ assert "$output" == "" ""
+
+ run_podman 125 system connection add ssh-conn --identity $PODMAN_TMPDIR/nonexistent ssh://localhost
+ assert "$output" =~ \
+ "Error: failed to validate: failed to read identity *" ""
+ run_podman 125 system connection add unix-conn --identity $PODMAN_TMPDIR/identity unix://path
+ assert "$output" == \
+ "Error: --identity option not supported for unix scheme" ""
+ run_podman 125 system connection add tcp-conn --identity $PODMAN_TEMPDIR/identity tcp://path
+ assert "$output" =~ \
+ "Error: --identity option not supported for tcp scheme" ""
+
+ run touch $PODMAN_TEMPDIR/badfile
+ run chmod -r $PODMAN_TEMPDIR/badfile
+ run_podman 125 system connection add bad-conn --identity $PODMAN_TEMPDIR/badfile ssh://localhost
+ assert "$output" =~ \
+ "Error: failed to validate: failed to read identity*" ""
+ # Ensure no connections were added
+ run_podman system connection ls -q
+ assert "$output" == "" ""
+}
+
 # Test tcp socket; requires starting a local server
 @test "podman system connection - tcp" {
 unset REMOTESYSTEM_TRANSPORT REMOTESYSTEM_TLS_{CLIENT,SERVER,CA}_{CRT,KEY}
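Review bot: `$PODMAN_TEMPDIR` in the tcp-conn and badfile steps looks like a typo for `$PODMAN_TMPDIR`, which the ssh-conn and unix-conn steps use; if it is unset the paths expand to `/identity` and `/badfile`, so under root the test would create and chmod a file in `/`, and rootless the `touch` fails unnoticed because `run` discards the exit status. Use `$PODMAN_TMPDIR/badfile` throughout and call `touch` and `chmod -r` without `run` so a setup failure fails the test. The unreadable-file case also assumes the caller cannot bypass file permissions: when the suite runs as root, `chmod -r` does not stop the read, so the expected `failed to read identity` message may come from a different failure or not appear at all.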