We attempted to put "EnableSSHKeysign yes" in a "Match canonical host" block and discovered that it didn't work. Looking at the code, ssh does 2 config passes handling canonicalization, but ssh-keysign does not. I'm not sure if ssh-keysign should implement the same 2-pass logic, or just pass want_final_pass=1 to read_config_file, but I'm pretty sure the current behaviour is undesirable.