1password SSH Agent + WSL2?

lafcadio
Community Member
edited May 2022 in SSH

Was wondering if any developers have had any luck configuring the newly introduced ssh-agent for 1password for any WSL2 work? This thing is incredible and works seamlessly! Would love to configure it for my WSL instances.

For some context, I've been using wincrypt-sshagent to configure & forward SSH_AUTH_SOCK from WSL to-and-from Windows Certificates. This works only for x509 certs on the PC or on smartcards.


1Password Version: 80600068
Extension Version: Not Provided
OS Version: Windows 11 Home

Comments

  • We'll be adding UNIX socket support for Windows too in the future. In the meantime, while we cannot 'officially' recommend it, we've been hearing some good responses about using socat & npiperelay to forward SSH requests to the OpenSSH pipe, see this blog post.

  • smplkiii
    Community Member
    edited September 2022

    Hello, is there any news regarding WSL2 support?

    I am trying to make commit signing work and I am having trouble with both it and the SSH agent.

    EDIT: I have managed to make signing work just by upgrading git to the latest version. But in the GitHub commits I do see:

    even if key is added to the settings

  • @smplkiii In that box does it show that the commit is signed at all (does it display the "SSH Key Fingerprint")? If not then commit signing has not been configured correctly. If it does show a fingerprint but is unverified, then you'll need to make sure you've uploaded the correct SSH key to GitHub.

  • smplkiii
    Community Member

    SSH fingerprint is present and SSH key is added to GitHub account using the following steps:
    1. Navigate to https://github.com/settings/keys
    2. Select “New SSH Key”
    3. Select “Signing Key”
    4. Navigate to the “Key” box and select the 1Password logo
    5. Select “Create SSH Key”, fill in a title and then select “Create and Fill”
    6. Select “Add SSH Key” and you’re all set!

  • HardwareFresser
    Community Member
    edited February 11

    Commit signing works for me. I use the popular socat/npiperelay workaround to get SSH working, and had to adjust my WSL .gitconfig to point at the Windows binary:

    [gpg "ssh"]
            program = /mnt/c/Users/jonaskuske/AppData/Local/1Password/app/8/op-ssh-sign.exe
    

    Now signing works and GitHub displays the Verified badge.

    But local verification fails for some reason — git log --show-signature displays "Could not verify signature" for each commit.

    If I manually extract the commit and signature, the local verification works though:

    git cat-file commit ga872i9 > ./commit # then delete the ---- SSH SIGNATURE part
    git cat-file commit ga872i9 > ./signature # then delete everything but the signature, remove "gpgsig" and leading spaces before -----
    
    /mnt/c/Users/jonaskuske/AppData/Local/1Password/app/8/op-ssh-sign.exe -Y verify -f ~/.ssh/allowed_signers -I [email protected] -n git -s ./signature < ./commit
    
    
      Good "git" signature for [email protected] with ED25519 key ...
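
The manual split described in the post above (payload without the gpgsig header, signature without the leading spaces), written out as an added example that is not part of the original thread. The function name `split_signed_commit` and the sample commit are constructed for illustration, and the commit message is assumed to end with a newline.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): split a raw commit object into the
# signed payload and the detached SSH signature, as done by hand above.
# Assumption: the commit message ends with a newline (the git default).

# Reads a raw commit object on stdin.
#   $1 = file to receive the payload (commit minus the gpgsig header)
#   $2 = file to receive the signature (armor lines, leading space removed)
# Returns non-zero when the commit carries no gpgsig header.
split_signed_commit() {
  payload_out=$1
  sig_out=$2
  : > "$payload_out"
  : > "$sig_out"
  awk -v payload="$payload_out" -v sig="$sig_out" '
    in_body        { print > payload; next }               # message: verbatim
    /^$/           { in_body = 1; print > payload; next }  # end of headers
    /^gpgsig /     { in_sig = 1; sub(/^gpgsig /, ""); print > sig; next }
    in_sig && /^ / { sub(/^ /, ""); print > sig; next }    # continuation line
                   { in_sig = 0; print > payload }         # any other header
  '
  [ -s "$sig_out" ]
}

# Constructed sample commit; ids, identity and signature body are placeholders.
sample_commit() {
  cat <<'EOF'
tree 0000000000000000000000000000000000000000
author Example Dev <dev@example.com> 1700000000 +0000
committer Example Dev <dev@example.com> 1700000000 +0000
gpgsig -----BEGIN SSH SIGNATURE-----
 CONSTRUCTEDPLACEHOLDERNOTAREALSIGNATURE
 -----END SSH SIGNATURE-----

Constructed commit message
EOF
}

demo_dir=$(mktemp -d)
if sample_commit | split_signed_commit "$demo_dir/commit" "$demo_dir/signature"; then
  echo "signature lines: $(wc -l < "$demo_dir/signature")"
  cat "$demo_dir/commit"
fi
rm -rf "$demo_dir"
```

With real data, pipe `git cat-file commit <commit-id>` into the function and pass the two resulting files to the `-Y verify` command shown in the post.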
    
    
    
  • QNimbus
    Community Member
    edited March 8

    @HardwareFresser For what it's worth, I have the exact same experience. Additionally I added the allowedSignersFile option to my .gitconfig but git log --show-signature displays "Could not verify signature" for all my signed commits as well.

    Using your manual, local verification does work however.

    Edit: For what it's worth, using the allowedSignersFile option and verifying the commit signatures on Windows also works (verifies correctly). It's only WSL2 that doesn't seem to properly verify for me.

  • brokenmass
    Community Member
    edited August 9

    Looks like if you are using the socat/npiperelay workaround you can just remove the
    program = /mnt/c/Users/jonaskuske/AppData/Local/1Password/app/8/op-ssh-sign.exe line; then both signing and verification will work!

    This works because the socat/npiperelay workaround script is setting the SSH_AUTH_SOCK env variable.

    Ensure you add your own key to allowed signers if you haven't:

    echo "$(git config --global user.email) $(git config --global user.signingkey)" > ~/.allowed_signers
    git config --global gpg.ssh.allowedSignersFile "$HOME/.allowed_signers"