sign_and_send_pubkey: signing failed for ED25519 "MyKey" from agent: agent refused operation

ScottBassin
ScottBassin
Community Member
in SSH

I created an ED25519 key to connect with GitHub. It worked once, but every time since I get the following error message:

sign_and_send_pubkey: signing failed for ED25519 "MyKey" from agent: agent refused operation
git@github.com: Permission denied (publickey).
fatal: Could not read from remote repository.

I've rebooted my machine and also deleted/recreated keys, but nothing's worked yet.

1Password Version: 8.8.0
Extension Version: 2.3.7
OS Version: macOs 12.5
Browser:_ Brave
Referrer: forum-search:"signing failed for" "agent refused operation"

Comments

  • ScottBassin
    ScottBassin
    Community Member

    Not sure if this would help, but I get exactly the same error if I lock 1Password, and I'm never prompted for my vault password in that case.

  • ScottBassin
    ScottBassin
    Community Member

    And somehow when I try to sign in with op signin using the CLI, I'm never prompted for my password and I get this error:

    [ERROR] 2022/08/08 16:32:22 authorization prompt dismissed, please try again
  • ScottBassin
    ScottBassin
    Community Member

    Ah! I think I've figured this out. I've been running with my laptop closed. If I open the laptop, I'm given the opportunity to use my fingerprint to authenticate. Even with biometric unlock turned off (with the environment variable and in the 1Password settings), the application seems to be expecting me to use the fingerprint unlock.

  • MartonS1P
    MartonS1P

    Hi @ScottBassin!

    This is not expected behavior. Which version of the desktop app are you running, exactly?

    In the case when the lid is open and biometric unlock turned off, do all prompts (SSH, CLI, unlock) still show up as biometric prompts?

  • ScottBassin
    ScottBassin
    Community Member

    Hi, @MartonS1P.

    I'm on

    1Password for Mac 8.8.0
80800203, on PRODUCTION channel`

    I just turned off biometric prompts on the developer settings page and I was still prompted for a fingerprint when using git/ssh. I just ran eval $(op signin) and was asked to type in my account password.

    Thanks.

  • MartonS1P
    MartonS1P

    Hi @ScottBassin!

    I believe you're experiencing the intended behavior of the settings.

    The "Biometric unlock for 1Password CLI" setting in the developer settings is specifically for the prompts you're shown when running any of the commands of the op CLI (e.g. op signin). This does not impact the SSH agent whatsoever, as the agent is not part of the CLI.

    The prompts shown by the SSH agent (when using git/ssh) are configured by the "Touch ID" setting on the security settings screen (under "Unlock"). If you uncheck this box, the SSH agent will prompt you for the account password instead of showing you Touch ID prompts. The same will happen when you try to unlock the app for normal use.

    When you're using your laptop in clamshell mode (with the lid closed), the SSH agent will no longer show you Touch ID prompts, as it assumes that you cannot easily reach your fingerprint reader. For this reason, it will prompt you for the account password regardless of what you have configured in the settings.

    I hope this clears up the confusion. We have some improvements on the way for these authorization flows, but please let us know if any of this is not intuitive or if you have improvement suggestions. Also let me know if you have any more questions.

  • ScottBassin
    ScottBassin
    Community Member

    Hi, @MartonS1P.

    That makes sense that the CLI behaves differently. However, I still think I might be seeing a bug.

    For this reason, it will prompt you for the account password regardless of what you have configured in the settings.

    Actually, this isn’t what is happening when I use SSH. I’m not getting prompted for the password and I’m just getting the error like in the original message above. My workaround is currently to get out of clamshell mode, which then allows the TouchID prompt to pop up.

  • MartonS1P
    MartonS1P

    Hi @ScottBassin,

    That is indeed not the expected behavior. We will look into this issue and try to reproduce it. Meanwhile you can consider switching to the beta or nightly releases and see if that fixes your error. In any case we will look into it.

  • ScottBassin
    ScottBassin
    Community Member

    Thanks, @MartonS1P. I’ll probably stick with the production build if there’s not a known fix in the beta builds, and because my workaround isn’t too terribly painful. I’d be happy to help with any other reproduction steps and I look forward to hearing about a resolution.

  • ScottBassin
    ScottBassin
    Community Member

    Huh. I turned on the Apple Watch unlock, and this time I was presented with the opportunity to enter my password, which worked.

  • MartonS1P
    MartonS1P

    Thanks for sharing your findings @ScottBassin. We'll further investigate this issue.

  • boldbook0372
    boldbook0372
    Community Member

    I had the same problem after turning on Apple Watch unlock on my Mac, just needed to turn it on in 1password too

  • garrettmoon
    garrettmoon
    Community Member

    I also hit this issue – no errors, nothing worked with SSH until I enabled apple watch in 1password.

  • garrettmoon
    garrettmoon
    Community Member

    Still hitting this issue on the newest version – I'd really prefer to not have my watch unlock 1password.

  • kimbjorkman
    kimbjorkman
    Community Member

    I ran into something similar. I saw the same error message agent refused operation.

    Context:
    1Password for Mac 8.9.8 (80908009)
    I'm normally using an apple watch to unlock, and my laptop is closed.

    To fix it I first tried to disconnect my watch which didn't work. I then opened my laptop and rebooted 1password, this seemed to fix it as I got a prompt to authenticate using my fingerprint. I still haven't tried adding my watch again, but this is indeed a problem.

  • Jack.P_1P
    Jack.P_1P

    Hi @garrettmoon and @kimbjorkman:

    Taking a closer look at 1Password on your Mac would likely be the next best step. I'd like to ask you to create a diagnostics report from your Mac:

    Sending Diagnostics Reports (Mac)

    Attach the diagnostics to an email message addressed to support+forum@1password.com.

    With your email please include:

    You should receive an automated reply from our BitBot assistant with a Support ID number. Please post that number here. Thanks very much!

  • jtesmeriqnox
    jtesmeriqnox
    Community Member

    I received several agent refused operation messages until i opened my cover and saw the fingerprint prompt, authed with the fingerprint. I was then able to connect. I'm using Ventura 13.0.1 on M1 Pro with 1Password 8.9.8.

  • Jack.P_1P
    Jack.P_1P

    Hi @jtesmeriqnox:

    If you run into trouble using the SSH agent when in clamshell mode again, we'd be happy to take a closer look.

    Jack

  • cornusamomum
    cornusamomum
    Community Member

    Hello! I think I just ran into this issue as well. When I use my laptop in clamshell mode, I often get an error like sign_and_send_pubkey: signing failed for ED25519 "REDACTED" from agent: agent refused operation. If I launch my terminal prior to clamshell mode and authenticate with my fingerprint, this error doesn't occur when I re-enter clamshell mode and any ssh key operations (such as git push origin HEAD) work without issue. Though this work around is effective, it took me a while to figure out, so I imagine other users are running into it. Is there some way I can help debug this issue to fix it?

  • luxus
    luxus
    Community Member

    i have the same issue, and i know for sure that i didn't change anything on my config in the last week

  • joe232
    joe232
    Community Member

    Same issue, on a fresh install of Ubuntu 22.04. All configured per instructions, to the best of my knowledge.

  • kiener
    kiener
    Community Member

    I was able to solve this issue by completely quitting 1Password (i.e. close it from the menubar not just the app itself) and restarting the macOS ssh agent process. Once I did that the issue went away. I suspect that restarting the macOS ssh agent would have been enough, but I neglected to try only that.

  • scottymcraig
    scottymcraig
    Community Member

    Confirming kiener's solution above works. You cannot just restart the ssh agent - quitting 1password, restarting the agent, and then restarting 1password does work.

  • MatiasLGonzalez
    MatiasLGonzalez
    Community Member

    I also had to reboot my Windows 11 machine after enabling the 1password agent to stop getting the agent refused error, thanks @kiener

  • chris.db_1p
    chris.db_1p

    @luxus @joe232 @kiener @scottymcraig @MatiasLGonzalez Glad to see a workaround was found here, however we'd love to know if this behaviour still happen on the latest version of the Production or Beta release channels?

    If so, please provide your logs using the instructions Jack posted above and we'll take a closer look.

  • chris.db_1p
    chris.db_1p

    @cornusamomum Although we have fixes for these agent refused operation errors the case with clamshell mode may be slightly different, are you still experiencing this behaviour?

  • drpep
    drpep
    Community Member

    Confirming this also worked for me:

    I was able to solve this issue by completely quitting 1Password (i.e. close it from the menubar not just the app itself) and restarting the macOS ssh agent process. Once I did that the issue went away. I suspect that restarting the macOS ssh agent would have been enough, but I neglected to try only that.

  • MatiasLGonzalez
    MatiasLGonzalez
    Community Member

    @chris.db_1p I was using the production version at the time, if I ever have to set it up again on a new machine, I'll make sure to share the logs :)

  • ryanfitzer
    ryanfitzer
    Community Member

    Same thing just happened to me. Quitting both the app and menubar item was the solution!

This discussion has been closed.