ssh: improve docs on Certificate.SignCert

Document the fact that SignCert sets the Nonce field.  This makes it
clear that callers need not set it themselves.

Original change by Jakob Weisblat <> in CL 57051.

Fixes golang/go#21384

Change-Id: I161e0909ba6c8d07be5f8e68dc6e0f0392bea63f
Reviewed-by: Filippo Valsorda <>
diff --git a/ssh/certs.go b/ssh/certs.go
index 0f89aec..916c840 100644
--- a/ssh/certs.go
+++ b/ssh/certs.go
@@ -414,8 +414,8 @@
 	return nil
-// SignCert sets c.SignatureKey to the authority's public key and stores a
-// Signature, by authority, in the certificate.
+// SignCert signs the certificate with an authority, setting the Nonce,
+// SignatureKey, and Signature fields.
 func (c *Certificate) SignCert(rand io.Reader, authority Signer) error {
 	c.Nonce = make([]byte, 32)
 	if _, err := io.ReadFull(rand, c.Nonce); err != nil {