sign_and_send_pubkey: signing failed for ED25519 "MyKey" from agent: agent refused operation

ScottBassinScottBassin
Community Member

I created an ED25519 key to connect with GitHub. It worked once, but every time since I get the following error message:

sign_and_send_pubkey: signing failed for ED25519 "MyKey" from agent: agent refused operation
[email protected]: Permission denied (publickey).
fatal: Could not read from remote repository.

I've rebooted my machine and also deleted/recreated keys, but nothing's worked yet.


1Password Version: 8.8.0
Extension Version: 2.3.7
OS Version: macOs 12.5
Browser:_ Brave
Referrer: forum-search:"signing failed for" "agent refused operation"

Comments

  • ScottBassinScottBassin
    Community Member

    Not sure if this would help, but I get exactly the same error if I lock 1Password, and I'm never prompted for my vault password in that case.

  • ScottBassinScottBassin
    Community Member

    And somehow when I try to sign in with op signin using the CLI, I'm never prompted for my password and I get this error:

    [ERROR] 2022/08/08 16:32:22 authorization prompt dismissed, please try again
    
  • ScottBassinScottBassin
    Community Member

    Ah! I think I've figured this out. I've been running with my laptop closed. If I open the laptop, I'm given the opportunity to use my fingerprint to authenticate. Even with biometric unlock turned off (with the environment variable and in the 1Password settings), the application seems to be expecting me to use the fingerprint unlock.

  • MartonS1PMartonS1P

    Team Member

    Hi @ScottBassin!

    This is not expected behavior. Which version of the desktop app are you running, exactly?

    In the case when the lid is open and biometric unlock turned off, do all prompts (SSH, CLI, unlock) still show up as biometric prompts?

  • ScottBassinScottBassin
    Community Member

    Hi, @MartonS1P.

    I'm on

    1Password for Mac 8.8.0
    80800203, on PRODUCTION channel`
    

    I just turned off biometric prompts on the developer settings page and I was still prompted for a fingerprint when using git/ssh. I just ran eval $(op signin) and was asked to type in my account password.

    Thanks.

  • MartonS1PMartonS1P

    Team Member

    Hi @ScottBassin!

    I believe you're experiencing the intended behavior of the settings.

    The "Biometric unlock for 1Password CLI" setting in the developer settings is specifically for the prompts you're shown when running any of the commands of the op CLI (e.g. op signin). This does not impact the SSH agent whatsoever, as the agent is not part of the CLI.

    The prompts shown by the SSH agent (when using git/ssh) are configured by the "Touch ID" setting on the security settings screen (under "Unlock"). If you uncheck this box, the SSH agent will prompt you for the account password instead of showing you Touch ID prompts. The same will happen when you try to unlock the app for normal use.

    When you're using your laptop in clamshell mode (with the lid closed), the SSH agent will no longer show you Touch ID prompts, as it assumes that you cannot easily reach your fingerprint reader. For this reason, it will prompt you for the account password regardless of what you have configured in the settings.

    I hope this clears up the confusion. We have some improvements on the way for these authorization flows, but please let us know if any of this is not intuitive or if you have improvement suggestions. Also let me know if you have any more questions.

  • ScottBassinScottBassin
    Community Member

    Hi, @MartonS1P.

    That makes sense that the CLI behaves differently. However, I still think I might be seeing a bug.

    For this reason, it will prompt you for the account password regardless of what you have configured in the settings.

    Actually, this isn’t what is happening when I use SSH. I’m not getting prompted for the password and I’m just getting the error like in the original message above. My workaround is currently to get out of clamshell mode, which then allows the TouchID prompt to pop up.

  • MartonS1PMartonS1P

    Team Member

    Hi @ScottBassin,

    That is indeed not the expected behavior. We will look into this issue and try to reproduce it. Meanwhile you can consider switching to the beta or nightly releases and see if that fixes your error. In any case we will look into it.

  • ScottBassinScottBassin
    Community Member

    Thanks, @MartonS1P. I’ll probably stick with the production build if there’s not a known fix in the beta builds, and because my workaround isn’t too terribly painful. I’d be happy to help with any other reproduction steps and I look forward to hearing about a resolution.

  • ScottBassinScottBassin
    Community Member

    Huh. I turned on the Apple Watch unlock, and this time I was presented with the opportunity to enter my password, which worked.

  • MartonS1PMartonS1P

    Team Member

    Thanks for sharing your findings @ScottBassin. We'll further investigate this issue.

  • boldbook0372boldbook0372
    Community Member

    I had the same problem after turning on Apple Watch unlock on my Mac, just needed to turn it on in 1password too

  • garrettmoongarrettmoon
    Community Member

    I also hit this issue – no errors, nothing worked with SSH until I enabled apple watch in 1password.

  • garrettmoongarrettmoon
    Community Member

    Still hitting this issue on the newest version – I'd really prefer to not have my watch unlock 1password.

  • kimbjorkmankimbjorkman
    Community Member

    I ran into something similar. I saw the same error message agent refused operation.

    Context:
    1Password for Mac 8.9.8 (80908009)
    I'm normally using an apple watch to unlock, and my laptop is closed.

    To fix it I first tried to disconnect my watch which didn't work. I then opened my laptop and rebooted 1password, this seemed to fix it as I got a prompt to authenticate using my fingerprint. I still haven't tried adding my watch again, but this is indeed a problem.

  • Jack.P_1PJack.P_1P

    Team Member

    Hi @garrettmoon and @kimbjorkman:

    Taking a closer look at 1Password on your Mac would likely be the next best step. I'd like to ask you to create a diagnostics report from your Mac:

    Sending Diagnostics Reports (Mac)

    Attach the diagnostics to an email message addressed to [email protected].

    With your email please include:

    You should receive an automated reply from our BitBot assistant with a Support ID number. Please post that number here. Thanks very much!

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file