diff --git a/openssh-8.7p1-sk-ecdsa-webauthn.patch b/openssh-8.7p1-sk-ecdsa-webauthn.patch
new file mode 100644
index 0000000..8bbc7a4
--- /dev/null
+++ b/openssh-8.7p1-sk-ecdsa-webauthn.patch
@@ -0,0 +1,30 @@
+Index: openssh-8.7p1/ssh-ecdsa-sk.c
+===================================================================
+--- openssh-8.7p1.orig/ssh-ecdsa-sk.c
++++ openssh-8.7p1/ssh-ecdsa-sk.c
+@@ -191,14 +191,17 @@ ssh_ecdsa_sk_verify(const struct sshkey
+ ret = SSH_ERR_INVALID_FORMAT;
+ goto out;
+ }
+- if (is_webauthn) {
+- if (sshbuf_get_cstring(b, &webauthn_origin, NULL) != 0 ||
+- sshbuf_froms(b, &webauthn_wrapper) != 0 ||
+- sshbuf_froms(b, &webauthn_exts) != 0) {
+- ret = SSH_ERR_INVALID_FORMAT;
+- goto out;
+- }
+- }
++ if (sshbuf_get_cstring(b, &webauthn_origin, NULL) != 0 ||
++ sshbuf_froms(b, &webauthn_wrapper) != 0 ||
++ sshbuf_froms(b, &webauthn_exts) != 0) {
++ if (is_webauthn) {
++ ret = SSH_ERR_INVALID_FORMAT;
++ goto out;
++ }
++ } else {
++ // webauthn signature detected based on structure
++ is_webauthn = 1;
++ }
+ if (sshbuf_len(b) != 0) {
+ ret = SSH_ERR_UNEXPECTED_TRAILING_DATA;
+ goto out;
diff --git a/openssh.spec b/openssh.spec index 28ec48a..0dfe21b 100644 --- a/openssh.spec +++ b/openssh.spec @@ -51,7 +51,7 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %global openssh_ver 8.7p1 -%global openssh_rel 43 +%global openssh_rel 44 %global hyperscale_rel 2 %global pam_ssh_agent_ver 0.10.4 %global pam_ssh_agent_rel 5 @@ -302,6 +302,7 @@ Patch1019: openssh-9.6p1-CVE-2023-51385.patch #upstream commit 96faa0de6c673a2ce84736eba37fc9fb723d9e5c Patch1020: openssh-8.7p1-sigpipe.patch Patch1021: openssh-9.8p1-upstream-cve-2024-6387.patch +Patch1022: openssh-8.7p1-sk-ecdsa-webauthn.patch # Add a unique log session identifier to output messages for # each sshd process and its children.
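Review bot: In the new `ssh_ecdsa_sk_verify` code, a failed WebAuthn parse on a signature that was not declared as WebAuthn falls through silently, but the `||` chain may already have consumed part of `b` (for example `sshbuf_get_cstring` succeeding before `sshbuf_froms` fails), so the `sshbuf_len(b) != 0` trailing-data check that follows no longer rejects every malformed plain sk-ecdsa signature. Wrapping the parse in `if (is_webauthn || sshbuf_len(b) != 0) {` and returning `SSH_ERR_INVALID_FORMAT` on any failure inside it would keep parsing strict while still detecting the format by structure. Setting `is_webauthn = 1` from the signature body also means the verification mode is chosen by peer-supplied data rather than by the signature type name, so any algorithm allow-list that distinguishes the two names (outside this hunk, not visible here) should be checked against this. The function starts and ends outside the hunk, so how `is_webauthn` is first set and later used is inferred from the names.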
@@ -555,6 +556,7 @@ popd %patch1019 -p1 -b .cve-2023-51385 %patch1020 -p1 -b .earlypipe %patch1021 -p1 -b .cve-2024-6387 +%patch1022 -p1 -b .sk-ecdsa-webauthn %if 0%{?facebook} && !0%{?use_quilt} %patch2010 -p1 -b .log_session_id @@ -860,6 +862,9 @@ test -f %{sysconfig_anaconda} && \ %endif %changelog +* Thu Dec 19 2024 Ben Homer - 8.7p1-44.2 + 0.10.4-5.2 +- Allow webauthn-sk-ecdsa signatures to be detected based on format + * Wed Jul 10 2024 Raymond Colebaugh - 8.7p1-43.2 + 0.10.4-5.43.2 - Reenable keyperm patch in facebook builds