IDE fails to pull from Git on first try with 1Password SSH agent

mxmxcz

Hello! First of all, let me thank you for the SSH feature in 1Password, it's absolutely great and I love it.

One issue I found is when I am using a Jetbrains IDE - GoLand in particular but I don't think it's exclusive to it and IntelliJ IDEA will have an identical problem. Running git pull in a project with specific conditions fails on the first try; following pulls will succeed without changing anything. The issue seems to be caused by a git submodule in the project.

Steps to reproduce:
1. Create a new project on GitHub (or Gitlab or whatever), copy the SSH address.
2. mkdir 1password-poc && cd 1password-poc
3. git init && git remote add origin <your-SSH-address>
4. git submodule add git@github.com:1Password/onepassword-operator.git (or any other git repo as a submodule)
5. touch readme.md && git add readme.md
6. git commit -m "init" && git push origin master
7. Now open the project in the IDE (I used GoLand 2021.3.3) and hit Git pull (cmd+T)
8. It fails the first time (Update canceled)
9. Pull again -> now it goes through.

Error from the event log:

Update failed in 1password-poc
            1password-poc: sign_and_send_pubkey: signing failed for ED25519 "/Users/mxmx/.ssh/id_ed25519" from agent: agent refused operation
            git@github.com: Permission denied (publickey).
            Could not read from remote repository.
            Please make sure you have the correct access rights
            and the repository exists.

I wasn't able to reproduce it via Terminal and I am not sure what kind of a sequence of Git commands are executed under the hood, but I am able to reproduce the issue in GoLand with a fresh project. Having the git submodule in the project seems to be the cause of this issue; I don't get the error without it. It doesn't seem to be related to the pull method, ie. both merge and pull fail.

My SSH config (the sock is symlinked, as recommended):

Host *
    IdentityAgent "~/.1password/agent.sock"

---

1Password Version: 8.7.0
Extension Version: Not Provided
OS Version: macOS 12.2.1

floris_1P

Thanks for your report, do you see anything appear in the logs when doing the Git pull? On macOS: ~/Library/Group Containers/2BUA8C4S2C.com.1password/Library/Application Support/1Password/Data/logs/1Password_rCURRENT.log

froehr

Hey, could it be that the SSH key is not in your Personal vault but in one that is called differently? I had the problem that I had SSH Keys in a vault I use for work. It was ignored. It is documented here: https://developer.1password.com/docs/ssh/agent/#eligible-keys

I still think that this is pretty intransparent and also a quite annoying to have SSH keys for work in a private vault. Can this be changed, please?

Still overall a great approach and I really like to have my SSH keys available like this.

mxmxcz

@floris_1P I've got the following (truncated to the part where I tried to pull from Git - twice):

INFO  2022-03-23T23:09:43.533 tokio-runtime-worker(ThreadId(4)) [1P:ssh/op-agent-controller/src/desktop.rs:285] SSH Agent has started.
INFO  2022-03-23T23:09:43.736 tokio-runtime-worker(ThreadId(9)) [1P:op-ipc/src/ipc/xpc.rs:197] XPC connected to 2BUA8C4S2C.com.1password.browser-helper
INFO  2022-03-23T23:09:43.736 tokio-runtime-worker(ThreadId(9)) [1P:native-messaging/op-native-core-integration/src/lib.rs:293] Active native core integration is awaiting messages
INFO  2022-03-23T23:09:43.736 tokio-runtime-worker(ThreadId(9)) [1P:native-messaging/op-native-core-integration/src/lib.rs:305] Extension connecting.
INFO  2022-03-23T23:09:43.736 tokio-runtime-worker(ThreadId(9)) [1P:native-messaging/op-native-core-integration/src/lib.rs:307] Extension connection accepted.
INFO  2022-03-23T23:09:49.426 tokio-runtime-worker(ThreadId(9)) [1P:op-data-layer/src/load.rs:136] loaded 566 items in 4 vaults for account: HDRAU37VLRGM5DEMPJ7NTWPBOI
INFO  2022-03-23T23:09:49.428 op_executor:invocation_loop(ThreadId(16)) [1P:op-app/src/app/backend/unlock.rs:80] Lock state changed: Unlocked
INFO  2022-03-23T23:09:49.428 tokio-runtime-worker(ThreadId(9)) [1P:op-data-layer/src/search_weighting.rs:76] Search weights loaded for account with 11 entries (555 bytes total)
INFO  2022-03-23T23:09:50.269 tokio-runtime-worker(ThreadId(11)) [1P:op-b5-client/src/internal/unauthorized_session.rs:753] Verifying MFA with server...
INFO  2022-03-23T23:09:50.414 tokio-runtime-worker(ThreadId(11)) [1P:op-b5-client/src/internal/unauthorized_session.rs:423] Server verification successful
WARN  2022-03-23T23:09:50.414 tokio-runtime-worker(ThreadId(11)) [1P:op-b5-client/src/internal/unauthorized_session.rs:439] Server did not give us a dsecret
INFO  2022-03-23T23:09:50.584 tokio-runtime-worker(ThreadId(11)) [1P:op-syncer/src/sync_job.rs:276] synced account HDRAU37VLRGM5DEMPJ7NTWPBOI (0.169922541s)
INFO  2022-03-23T23:09:50.584 tokio-runtime-worker(ThreadId(11)) [1P:op-data-layer/src/file.rs:608] find_and_complete_pending_uploads: 'HDRAU37VLRGM5DEMPJ7NTWPBOI'
INFO  2022-03-23T23:09:50.899 tokio-runtime-worker(ThreadId(4)) [1P:op-data-layer/src/sync.rs:512] The B5 Notifier for (HDRAU37VLRGM5DEMPJ7NTWPBOI) has connected, now monitoring for events.
INFO  2022-03-23T23:10:14.026 tokio-runtime-worker(ThreadId(3)) [status:op-app/src/app/backend/updater.rs:176] Available Production update to 8.7.0-12.BETA for current build (80700002)
INFO  2022-03-23T23:10:32.355 tokio-runtime-worker(ThreadId(4)) [1P:op-updater/src/apple/mod.rs:54] Downloaded updater /Users/$USER/Library/Group Containers/2BUA8C4S2C.com.1password/Library/Application Support/1Password/Update/Downloads/1Password-8.7.0-12.BETA-aarch64.zip
INFO  2022-03-23T23:10:33.068 tokio-runtime-worker(ThreadId(3)) [1P:op-automated-unlock/src/lib.rs:475] New unlock was suppressed because an attempt is still in progress.
INFO  2022-03-23T23:10:33.068 tokio-runtime-worker(ThreadId(3)) [1P:ssh/op-ssh-agent/src/lib.rs:370] Session was not authorized
INFO  2022-03-23T23:10:33.170 tokio-runtime-worker(ThreadId(2)) [1P:op-automated-unlock/src/lib.rs:475] New unlock was suppressed because an attempt is still in progress.
INFO  2022-03-23T23:10:33.170 tokio-runtime-worker(ThreadId(2)) [1P:ssh/op-ssh-agent/src/lib.rs:370] Session was not authorized
INFO  2022-03-23T23:10:33.277 tokio-runtime-worker(ThreadId(3)) [1P:op-automated-unlock/src/lib.rs:475] New unlock was suppressed because an attempt is still in progress.
INFO  2022-03-23T23:10:33.277 tokio-runtime-worker(ThreadId(3)) [1P:ssh/op-ssh-agent/src/lib.rs:370] Session was not authorized
INFO  2022-03-23T23:10:33.652 tokio-runtime-worker(ThreadId(4)) [1P:op-updater/src/apple/apple_downloaded_update.rs:152] Unzipped downloaded update: /Users/$USER/Library/Group Containers/2BUA8C4S2C.com.1password/Library/Application Support/1Password/Update/Downloads/1Password-8.7.0-12.BETA-aarch64
INFO  2022-03-23T23:10:33.812 tokio-runtime-worker(ThreadId(4)) [1P:op-updater/src/apple/apple_downloaded_update.rs:165] Code signature validation succeeded for /Users/$USER/Library/Group Containers/2BUA8C4S2C.com.1password/Library/Application Support/1Password/Update/Downloads/1Password-8.7.0-12.BETA-aarch64/1Password.app
INFO  2022-03-23T23:10:33.812 tokio-runtime-worker(ThreadId(4)) [1P:op-app/src/app/backend/updater.rs:57] Trusted downloaded update available /Users/$USER/Library/Group Containers/2BUA8C4S2C.com.1password/Library/Application Support/1Password/Update/Downloads/1Password-8.7.0-12.BETA-aarch64

The update messages are also interesting because it's downloading BETA - yet my Advanced > Release channel is set to Production. But that's another story I guess.

floris_1P

@mxmxcz We've made some improvements that could solve this problem. They're available in the latest nightly. Can you see if that fixes it for you?

@froehr Yes, we're working on a solution to let you use keys from other vaults too.

mxmxcz

@floris_1P The behavior has changed but it's not fixed. It now passes and successfully pulls on the first try, but the Touch ID dialog is shown multiple times, forcing me to touch the sensor each time. From my brief testing, it looks like it correlates with the number of submodules in the project - with 3 of them, the dialog is shown 4 times (1x extra for the main repo, I assume).

80700037, on NIGHTLY channel

floris_1P

Thanks for the info, we're looking into it!

floris_1P

@mxmxcz The issue of multiple consecutive prompts piling up has been fixed. Can you see if it works for you now?

mxmxcz

@floris_1P Yes, it looks like the issue is gone now. Great job, thanks!

floris_1P

@froehr I wanted to follow up with an update that we're working on a solution that lets you enable keys from other vaults than the Private vault. It would be great to get your feedback on our proposal, if you're (still) interested. You can do so by joining the #ssh-agent-config channel in our Slack workspace.