SSH commit signing inside docker

srxavi
srxavi
Community Member
in SSH

Is it possible to use commit signing inside a docker container (Visual Studio Code Remote Containers)?

1Password Version: 8.9.4
Extension Version: Not Provided
OS Version: macos 12.6
Browser:_ Not Provided
Referrer: forum-search:ssh commit signing docker

Comments

  • floris_1P
    floris_1P

    Docker for Mac can forward $SSH_AUTH_SOCK into any container, all you need to do is add these 'magic' flags:
    -v /run/host-services/ssh-auth.sock:/run/host-services/ssh-auth.sock -e SSH_AUTH_SOCK=/run/host-services/ssh-auth.sock

    A proof of concept:

    docker run -v /run/host-services/ssh-auth.sock:/run/host-services/ssh-auth.sock -e SSH_AUTH_SOCK=/run/host-services/ssh-auth.sock alpine 'apk add openssh && ssh-add -l'

    With the agent socket available in your container, you should be able to set up commit signing as well.

    A few caveats:

    • $SSH_AUTH_SOCK needs to be set before Docker for Mac launches (so not just your container, but the entire Docker for Mac app). More info on how you can do that here.
    • Your local ~/.gitconfig file will not automatically be present in your Docker container, so you should either mount it as a volume or make sure it gets created within the container.
    • The SSH agent authorization model works a bit differently with Docker for Mac than you might expect: you'll only authorize Docker once and then every container that has the socket mounted will be authorized to use the key. That's something to keep in mind.
  • srxavi
    srxavi
    Community Member

    Hi! Thanks for your response!

    The problem with this is that is looking for a /Applications/1Password.app/Contents/MacOS/op-ssh-sign that does not exist inside the docker image.

  • floris_1P
    floris_1P

    Ah, I forgot to mention that: the op-ssh-sign binary is technically optional. The primary reason why that exists is to make sure the 1Password socket is used for signing, so that you don't have to set SSH_AUTH_SOCK yourself.

    However, in a forwarding scenario, SSH_AUTH_SOCK is always there. So in that case, you can omit gpg.ssh.program in your Gitconfig, and Git will then use ssh-keygen instead.

  • srxavi
    srxavi
    Community Member

    Thank you so much!

  • floris_1P
    floris_1P

    @srxavi Did you get it to work?

  • srxavi
    srxavi
    Community Member

    @floris_1P Yes! It works now! Thanks!

  • EERattler
    EERattler
    Community Member
    edited January 2023

    @floris_1P Is there a way to remove the op-ssh-sign binary by setting an alternate value in the local gitconfig. I'd like to still keep SSH signing with 1P globally but I need to remove the binary to get signing inside of the remote container to work.

  • Jack.P_1P
    Jack.P_1P

    Hey @EERattler:

    Great question. We can definitely help with this, but it'll likely take a closer look at your specific setup to determine the best course of action for you. To protect your privacy, can you please email us at support+forum@1password.com with a link to your post (https://1password.community/discussion/comment/673500/#Comment_673500), your username EERattler, and mention that SSH commit signing isn't working as it should. We'll continue the conversation via email. Thanks!

    Jack

This discussion has been closed.