1password SSH Agent + WSL2?

lafcadio
Community Member
edited May 2022 in SSH

Was wondering if any developers have had any luck configuring the newly introduced ssh-agent for 1Password for any WSL2 work? This thing is incredible and works seamlessly! Would love to configure it for my WSL instances.

For some context, I've been using wincrypt-sshagent to configure & forward SSH_AUTH_SOCK from WSL to-and-from Windows Certificates. This works only for x509 certs on the PC or on smartcards.


1Password Version: 80600068
Extension Version: Not Provided
OS Version: Windows 11 Home

Comments

  • We'll be adding UNIX socket support for Windows too in the future. In the meantime, while we cannot 'officially' recommend it, we've been hearing some good responses about using socat & npiperelay to forward SSH requests to the OpenSSH pipe, see this blog post.

  • smplkiii
    Community Member
    edited September 2022

    Hello, is there any news regarding WSL2 support?

    I am trying to make commit signing work and I am having trouble with both it and the SSH agent.

    EDIT: I have managed to make signing work just by upgrading git to the latest version. But in the GitHub commits I do see:

    even if key is added to the settings

  • @smplkiii In that box does it show that the commit is signed at all (does it display the "SSH Key Fingerprint")? If not then commit signing has not been configured correctly. If it does show a fingerprint but is unverified, then you'll need to make sure you've uploaded the correct SSH key to GitHub.

  • smplkiii
    Community Member

    SSH fingerprint is present and SSH key is added to GitHub account using the following steps:
    1. Navigate to https://github.com/settings/keys
    2. Select “New SSH Key”
    3. Select “Signing Key”
    4. Navigate to the “Key” box and select the 1Password logo
    5. Select “Create SSH Key”, fill in a title and then select “Create and Fill”
    6. Select “Add SSH Key” and you’re all set!

  • HardwareFresser
    Community Member
    edited February 2023

    Commit signing works for me. I use the popular socat/npiperelay workaround to get SSH working, and had to adjust my WSL .gitconfig to point at the Windows binary:

    [gpg "ssh"]
            program = /mnt/c/Users/jonaskuske/AppData/Local/1Password/app/8/op-ssh-sign.exe
    

    Now signing works and GitHub displays the Verified badge.

    But local verification fails for some reason — git log --show-signature displays "Could not verify signature" for each commit.

    If I manually extract the commit and signature, the local verification works though:

    git cat-file commit ga872i9 > ./commit # then delete the ---- SSH SIGNATURE part
    git cat-file commit ga872i9 > ./signature # then delete everything but the signature, remove "gpgsig" and leading spaces before -----
    
    /mnt/c/Users/jonaskuske/AppData/Local/1Password/app/8/op-ssh-sign.exe -Y verify -f ~/.ssh/allowed_signers -I mail@jonaskuske.com -n git -s ./signature < ./commit
    
    
      Good "git" signature for mail@jonaskuske.com with ED25519 key ...
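
The manual extraction described in the post above, as an added example that is not part of the original thread: it removes the gpgsig header from the raw commit object to recover the signed payload and the detached signature, then passes both to stock OpenSSH ssh-keygen (assumed to be on PATH; the post used op-ssh-sign.exe with the same -Y verify arguments). The function names and the sample commit are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example. Splits a raw commit object into the signed payload and the
# detached signature, then checks it with ssh-keygen -Y verify.

# Constructed sample commit; the signature lines are placeholders, not a real key.
sample_commit() {
  printf '%s\n' \
    'tree 0000000000000000000000000000000000000000' \
    'author A U Thor <author@example.com> 1700000000 +0000' \
    'committer A U Thor <author@example.com> 1700000000 +0000' \
    'gpgsig -----BEGIN SSH SIGNATURE-----' \
    ' PLACEHOLDERLINE1' \
    ' PLACEHOLDERLINE2' \
    ' -----END SSH SIGNATURE-----' \
    '' \
    'Testing commit signing.' \
    '' \
    'gpgsig in the message body is not a header'
}

# split_signed_commit RAW PAYLOAD_OUT SIG_OUT
# The gpgsig header sits in the header block (before the first blank line) and
# its continuation lines start with one space. Everything else is the payload.
split_signed_commit() {
  : > "$2"; : > "$3"
  awk -v payload="$2" -v sig="$3" '
    BEGIN { in_hdr = 1; in_sig = 0 }
    in_hdr && /^gpgsig / { in_sig = 1; sub(/^gpgsig /, ""); print > sig; next }
    in_hdr && in_sig && /^ / { sub(/^ /, ""); print > sig; next }
    { in_sig = 0 }
    in_hdr && /^$/ { in_hdr = 0 }
    { print > payload }
  ' "$1"
}

# verify_commit REV SIGNER_IDENTITY ALLOWED_SIGNERS_FILE
# Needs to run inside a git repository with ssh-keygen on PATH.
verify_commit() {
  tmp=$(mktemp -d) || return 1
  git cat-file commit "$1" > "$tmp/raw" &&
    split_signed_commit "$tmp/raw" "$tmp/payload" "$tmp/sig" &&
    ssh-keygen -Y verify -f "$3" -I "$2" -n git -s "$tmp/sig" < "$tmp/payload"
  rc=$?
  rm -rf "$tmp"
  return "$rc"
}
```

Running verify_commit in both WSL and Windows against the same commit and allowed signers file separates a payload or signature problem from a difference in how each git invokes its verification program.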
    
    
    
  • QNimbus
    Community Member
    edited March 2023

    @HardwareFresser For what it's worth, I have the exact same experience. Additionally I added the allowedSignersFile option to my .gitconfig but git log --show-signature displays "Could not verify signature" for all my signed commits as well.

    Using your manual, local verification does work however.

    Edit: For what it's worth, using the allowedSignersFile option and verifying the commit signatures on Windows also works (verifies correctly). It's only WSL2 that doesn't seem to properly verify for me.

  • brokenmass
    Community Member
    edited August 2023

    It looks like if you are using the socat/npiperelay workaround, you can just remove the
    program = /mnt/c/Users/jonaskuske/AppData/Local/1Password/app/8/op-ssh-sign.exe line; then both signing and verification will work!

    This works because the socat/npiperelay workaround script is setting the SSH_AUTH_SOCK env variable.

    Ensure you add your own key to allowed signers if you haven't:

    echo "$(git config --global user.email) $(git config --global user.signingkey)" > ~/.allowed_signers
    git config --global gpg.ssh.allowedSignersFile "$HOME/.allowed_signers"
    
  • ChrisL8
    Community Member

    I am having the same issue. If I REMOVE this part from .gitconfig

    program = "/mnt/c/Users/****/AppData/Local/1Password/app/8/op-ssh-sign-wsl"

    then VERIFY works, but then SIGNING does not work.

    It seems like while this op-ssh-sign-wsl program allows git to sign commits with 1Password, it breaks the ability for git to verify signatures locally.

  • @ChrisL8 Is the allowed signers file stored on Windows or in WSL?

  • ChrisL8
    Community Member

    @floris_1P The allowed signers file is stored in WSL, as that is where the git executable expects to see it. Should I try storing it in Windows somewhere instead?

  • @ChrisL8 Storing it in WSL should work if the allowed signers path is an absolute path. What does git config gpg.ssh.allowedSignersFile return? And what's the error message that you're seeing?

  • ChrisL8
    Community Member

    @floris_1P

    I found if I call git.exe from Windows, then it works, which is interesting. I don't think this is a good solution though, just a data point to consider.

    WSL Linux git fails:
    ❯ git verify-commit ff81f0477b7c55d86e991b5c3b0e799ba5b563f1 -v --raw
    tree 960ce5311eade9d420f2a557d630424e1a4735a9
    parent edb2f4b404a57eef4dc47aa9339bfabef69badb7
    author Christen Lofland christen@lofland.net 1704381804 -0600
    committer Christen Lofland christen@lofland.net 1704381804 -0600

    Testing commit signing.
    Could not verify signature.

    Windows git works from WSL Linux:
    ❯ git.exe verify-commit ff81f0477b7c55d86e991b5c3b0e799ba5b563f1 -v --raw
    Good "git" signature for christen@lofland.net with ED25519 key SHA256:2gc97CZMkWFFGxBFe9sPUlpSEvTf8lnIC3MBJDB4gG0
    tree 960ce5311eade9d420f2a557d630424e1a4735a9
    parent edb2f4b404a57eef4dc47aa9339bfabef69badb7
    author Christen Lofland christen@lofland.net 1704381804 -0600
    committer Christen Lofland christen@lofland.net 1704381804 -0600

    Testing commit signing.

This discussion has been closed.