SSH Commit Signing

mrgrain
Community Member

I've started signing my git commits using SSH.

However, this only seems to work when setting the SSH_AUTH_SOCK env variable. For various reasons I cannot set that variable everywhere and have to rely on host-specific IdentityAgent configuration.

This is the error

git commit -m"test"
error: Load key "/var/folders/_z/<random-string>/T//.git_signing_key_<random-string>": invalid format?

fatal: failed to write commit object

Prepending the command with SSH_AUTH_SOCK=~/.1password/agent.sock git commit -m"test" works.

This issue also applies to VSCode.

As per the git docs, the program used is ssh-keygen. I guess it doesn't read ssh config files, or at least wouldn't be aware of a host to use.

Question: Does 1Password provide a binary compatible to ssh-keygen that I could set as gpg.ssh.program in my gitconfig?


1Password Version: 8.7.3
Extension Version: Not Provided
OS Version: macOS
Browser: Not Provided

Comments

  • mrgrain
    Community Member
    edited July 2022

    In the meantime I have created a gpg-ssh-program helper script myself:

    #!/bin/sh
    # Point ssh-keygen at the 1Password agent socket for this invocation only,
    # then hand over to it with every argument Git passed (-Y sign -n git ...).
    SSH_AUTH_SOCK=~/.1password/agent.sock exec ssh-keygen "$@"
    

    And then as git config:

    [gpg "ssh"]
        program = /Users/<username>/<path-to-script>/gpg-ssh-program
    
  • We are looking into shipping something like that with the 1Password app. And what you're using now is exactly what I was about to suggest.
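As an added example, not code from this thread or from 1Password, here is a fuller version of the gpg.ssh.program wrapper idea above: instead of hard-coding one socket path, it resolves the 1Password agent socket from the locations quoted in this thread (the ~/.1password symlink and the macOS Group Containers path), accepts an explicit override, and refuses to hand a missing or stale path to ssh-keygen. The variable name OP_SSH_SOCK and the function name resolve_agent_sock are choices made for this example.

```shell
#!/bin/sh
# Added example, not from this thread or from 1Password: a gpg.ssh.program
# wrapper that finds the 1Password agent socket itself, so Git can sign from
# shells and editors where SSH_AUTH_SOCK is not exported. The socket paths are
# the ones quoted in this thread; OP_SSH_SOCK and resolve_agent_sock are names
# chosen for this example.

# Print the first usable agent socket. $1 is an explicit override used as-is;
# the remaining arguments are candidates tried in order. Returns 1 if none of
# them is a live Unix socket.
resolve_agent_sock() {
    override=$1
    shift
    if [ -n "$override" ]; then
        printf '%s\n' "$override"
        return 0
    fi
    for candidate in "$@"; do
        # -S is true only for a socket: an empty value, a stale regular file,
        # or a symlink whose target is gone is skipped instead of being handed
        # to ssh-keygen, which would fail with "could not connect to agent".
        if [ -S "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Resolve the socket, then replace this process with ssh-keygen carrying
# whatever arguments Git passed (typically: -Y sign -n git -f <key> <file>).
main() {
    sock=$(resolve_agent_sock "${OP_SSH_SOCK:-}" \
        "${SSH_AUTH_SOCK:-}" \
        "$HOME/.1password/agent.sock" \
        "$HOME/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock") || {
        echo "gpg-ssh-program: no SSH agent socket found; is 1Password running with its SSH agent enabled?" >&2
        return 2
    }
    SSH_AUTH_SOCK=$sock exec ssh-keygen "$@"
}

# Git always passes arguments. With none, print usage instead of exec'ing
# ssh-keygen, so the functions above can be sourced and exercised on their own.
if [ $# -gt 0 ]; then
    main "$@"
else
    echo "usage: $0 <ssh-keygen arguments>" >&2
fi
```

Install it the same way as the helper above (gpg.ssh.program pointing at the script). An already-exported SSH_AUTH_SOCK is honoured only if it still points at a socket, which is what makes the wrapper safe to use from a shell that inherited a dead socket path from a previous session.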

  • mrgrain
    Community Member

    @floris_1P Great to see your version of op-ssh-sign launch!

    One thing that seems a bit odd is when 1Password is not started (or active).

    It fails with this cryptic error message:

    ✗ git commit -m"test"
    error: Error: AppError { error: could not connect to agent
    
    Caused by:
        std::io::error::Error, location: Location { file: "ssh/op-ssh-sign/src/utils.rs", line: 27, col: 14 } }
    
    fatal: failed to write commit object
    
  • The error messages in op-ssh-sign are a bit cryptic indeed, we're actively working on improving those! But I assume you did get it working now, correct?

  • mrgrain
    Community Member

    Yes, it is working perfectly when 1Password is running. Good work 👍

    My workaround is to start 1Password by hand and try again. Ideally the app would just be started automatically in this situation.

  • floris_1P
    edited September 2022

    Yep, that is something we have on the roadmap. In the meantime, there's this setting on Mac that could already mostly cover it:

  • mrgrain
    Community Member

    Thanks for the tip! Alas my configuration is more subtle and I already have this checked.

    If you're interested, I think this is what is causing it:

    • Disable "Keep 1Password in menu bar" (also no browser extension; what I'm getting at is that nothing else wants 1Password to be running)
    • Enable "Lock on sleep, screensaver, or switching users"
    • Lock your Mac
    • Login again
    • git commit
    • 💥 Boom, error
  • mvgijssel
    Community Member

    I'm currently using a VSCode devcontainer on macOS and I'm trying to get git commit signing to work. SSH is already working by explicitly exporting the 1Password-specific SSH_AUTH_SOCK in the terminal I use before opening VSCode:

    export SSH_AUTH_SOCK=~/Library/Group\ Containers/2BUA8C4S2C.com.1password/t/agent.sock
    code .
    

    This enables using the SSH keys from 1Password from within the devcontainer, because VSCode does some magic with the socket in the background.

    For git commit signing I'm now running into this error:

    error: Error: AppError { error: could not connect to agent
    
    Caused by:
        std::io::error::Error, location: Location { file: "ssh/op-ssh-sign/src/utils.rs", line: 27, col: 14 } }
    
    fatal: failed to write commit object
    

    I've installed 1Password within the devcontainer using this guide and updated my .gitconfig like this:

    ...
    [gpg]
            format = ssh
    [gpg "ssh"]
            program = /opt/1Password/op-ssh-sign
    [commit]
            gpgsign = true
    [tag]
            gpgsign = true
    ...
    

    But I'm unable to get it to work. My suspicion is that op-ssh-sign is looking in the wrong place for the socket, but I can't validate this because it's closed source.

    Would folks from 1Password be able to help out? 😏

  • spocklogical
    Community Member

    I ran into the

    error: could not connect to agent
    

    issue, and I keep forgetting I have 1Password commit signing running. So when I go to look up the error I get all kinds of other things that have nothing to do with 1Password, and then after about a week I cold-start 1Password, it asks me to authenticate for git signing, and I realize that's been the issue all along.

    I'm a little hesitant to edit my .gitconfig because I also have the GitHub CLI installed, which has also edited it. The GitHub CLI should only be setting itself up as an HTTPS auth provider, which should be separate from the signing settings 1Password sets, but I just want to mention it to make sure it's not possible that it could be causing any conflicts.

  • Hey @mvgijssel:

    First I'd like to apologize for the delayed response here. op-ssh-sign exists to offer a one-click install for Git commit signing. By default, Git uses ssh-keygen to sign commits, using the SSH agent available in the SSH_AUTH_SOCK environment variable. Changing the signing command allows for a one-click install. If you instead comment out the /op-ssh-sign line of your .gitconfig in your container, as well as forward your SSH_AUTH_SOCK in, is Git able to sign your commits? Let me know.

    Hi @spocklogical:

    Would you mind elaborating where you're running into trouble? Is that when pushing to a Git repo, SSHing to a server, or signing your commits? Let me know.

    Jack
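The reply above describes what Git does by default: it runs ssh-keygen against the agent at SSH_AUTH_SOCK. The following script, added here as an example and not code from this thread or from 1Password, performs that same signing step without Git, so the devcontainer setup described earlier (or any other shell) can be checked before .gitconfig is touched. It also reports the three distinct reasons the agent can be unreachable, which is the condition behind the "could not connect to agent" error quoted in this thread. The function names and the "agent-key" principal are choices made for this example; the demo key and message it creates are constructed on the fly.

```shell
#!/bin/sh
# Added example, not code from this thread or from 1Password: exercise the
# signing step Git runs with gpg.format=ssh, but without Git, so a devcontainer
# (or any shell) can be checked before editing .gitconfig. Function names and
# the "agent-key" principal are choices made for this example.

# Explain why the agent is unreachable, the condition behind the
# "could not connect to agent" error. Returns 0 when `ssh-add -l` can list
# keys through SSH_AUTH_SOCK, 1/2/3 for the three distinct failures.
probe_agent() {
    if [ -z "${SSH_AUTH_SOCK:-}" ]; then
        echo "SSH_AUTH_SOCK is not set: export it, or forward it into the container" >&2
        return 1
    fi
    if [ ! -S "$SSH_AUTH_SOCK" ]; then
        echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK is not a socket: agent not running or path stale" >&2
        return 2
    fi
    ssh-add -l >/dev/null 2>&1 || {
        echo "agent at $SSH_AUTH_SOCK is unreachable or holds no keys" >&2
        return 3
    }
}

# Sign $2 the way Git does: `ssh-keygen -Y sign -n git -f <key>`. When <key>
# is a public key (what user.signingkey holds if the private key lives in
# 1Password) ssh-keygen fetches the private half from the agent; with no agent
# it tries to parse the public key as a private one and fails with
# "invalid format", the first error quoted in this thread. Writes $2.sig.
sign_like_git() {
    ssh-keygen -Y sign -n git -f "$1" "$2" >/dev/null
}

# Verify $3 against $3.sig using an allowed_signers file ($1) and principal
# ($2), as `git verify-commit` does with gpg.ssh.allowedSignersFile.
verify_like_git() {
    ssh-keygen -Y verify -n git -f "$1" -I "$2" -s "$3.sig" <"$3" >/dev/null
}

# Offline round trip with a throwaway key: sign, verify, then confirm that a
# modified message no longer verifies. Returns 0 only if all three hold.
demo_round_trip() {
    dir=$(mktemp -d) || return 1
    rc=1
    if ssh-keygen -q -t ed25519 -N '' -C demo -f "$dir/key" \
        && printf 'constructed commit payload\n' >"$dir/msg" \
        && printf 'demo %s\n' "$(cat "$dir/key.pub")" >"$dir/allowed_signers" \
        && sign_like_git "$dir/key" "$dir/msg" \
        && verify_like_git "$dir/allowed_signers" demo "$dir/msg" \
        && printf 'tampered payload\n' >"$dir/msg" \
        && ! verify_like_git "$dir/allowed_signers" demo "$dir/msg" 2>/dev/null; then
        rc=0
    fi
    rm -rf "$dir"
    return $rc
}

# Live check through the agent: take the first public key the agent offers,
# sign with it via the agent (exactly Git's path), and verify the result.
agent_sign_check() {
    dir=$(mktemp -d) || return 1
    rc=1
    ssh-add -L 2>/dev/null | head -n 1 >"$dir/agent_key.pub"
    if [ -s "$dir/agent_key.pub" ]; then
        printf 'agent check\n' >"$dir/msg"
        printf 'agent-key %s\n' "$(cat "$dir/agent_key.pub")" >"$dir/allowed_signers"
        if sign_like_git "$dir/agent_key.pub" "$dir/msg"; then
            verify_like_git "$dir/allowed_signers" agent-key "$dir/msg" && rc=0
        fi
    else
        echo "agent offers no public keys (ssh-add -L is empty)" >&2
    fi
    rm -rf "$dir"
    return $rc
}

# Run directly with --check to probe the agent and do both checks; with no
# arguments only the functions are defined (so the file can be sourced).
if [ "${1:-}" = "--check" ]; then
    probe_agent && demo_round_trip && agent_sign_check && echo "ssh signing OK through $SSH_AUTH_SOCK"
fi
```

Run it with --check inside the container after forwarding SSH_AUTH_SOCK: if probe_agent passes but agent_sign_check fails, the socket is reachable and the problem is in the signing path (1Password will prompt for authorization on the first agent signature); if probe_agent fails, no signing program, op-ssh-sign or ssh-keygen, can work until the socket is fixed.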

  • spocklogical
    Community Member

    I run into it when signing commits. Before I realized the issue was failed signing, I ran the commit command using sudo, which technically worked, though I think it probably changes things in the .git directory, and it's probably only working that way since it would use a different user's global git config that didn't have commit signing enabled.

  • Hey @spocklogical:

    Thanks for following up. In that case, I'd like to ask you to create a diagnostics report from your device:

    Sending Diagnostics Reports (Mac)

    Attach the diagnostics to an email message addressed to [email protected].

    With your email please include:

    You should receive an automated reply from our BitBot assistant with a Support ID number. Please post that number here. Thanks very much!

  • spocklogical
    Community Member

    Just did it. The ID number is: [#ZNW-59812-231]
    Thinking more about it, it might be possible 1Password gets more forcefully suspended on my dev computer since I keep running out of memory; I don't know if that might affect its ability to prompt for confirmation when signing commits.

This discussion has been closed.