1password seems to include my SSH private key in the tag message when signing a git tag.

Options
TJGreen97
TJGreen97
Community Member
in SSH

I am using 1Password and the SSH agent to store my SSH keys and sign git commits, and it works great!

However, when I sign a git tag my private key is included in the tag message. This is then displayed in plane text when I push the tag to GitLab.

My .gitconfig file includes:

[user]
  name = <name>
  email = <email>
  signingkey = <public key>

[gpg]
  format = ssh

[gpg "ssh"]
  program = "/Applications/1Password.app/Contents/MacOS/op-ssh-sign"
  allowedSignersFile = "~/.ssh/allowed_signers"

[commit]
  gpgsign = true

[tag]
  gpgsign = true

I generate the tag with: git tag -a "tag-name" -m "tag-message"

When I run git show tag-name, I see:

tag tag-name
Tagger: <name> <email>
Date:   <date>

tag-message
<entire ssh private key?!>

commit ....
<further information about the tagged commit>

I am going to have to disable signing my git tags with 1Password for the time being, so any help to resolve this would be greatly appreciated!

1Password Version: 8.10.4
Extension Version: Not Provided
OS Version: MacOS 13.3.1
Browser:_ Not Provided

Comments

  • floris_1P
    floris_1P
    Options

    @TJGreen97 What kind of heading do you see in the part that you redacted in your snippet? -----BEGIN ...

  • TJGreen97
    TJGreen97
    Community Member
    Options

    @floris_1P , thanks for the response. I get:

    tag-message
-----BEGIN SSH SIGNATURE-----
...
-----END SSH SIGNATURE-----
  • floris_1P
    floris_1P
    Options

    Ah yes, that's the signature which can be used by GitHub and others to prove the authenticity of the tag. Not the private key, that'll stay in 1Password.

  • TJGreen97
    TJGreen97
    Community Member
    Options

    Ah yes, that is obvious in hindsight. GitLab prints out the entire signature when displaying the tags and makes it very hard to read. So I guess the issue is with GitLab, or is it that they expect it to be signed differently to GitHub?

  • floris_1P
    floris_1P
    edited April 2023
    Options

    What do you mean here exactly with "the issue"? The human readability of the tag message in their UI?

  • TJGreen97
    TJGreen97
    Community Member
    Options

    Issue is probably the wrong word, but yes, GitHub handles the signature in its UI far more cleanly than GitLab. I'll raise a ticket with GitLab. Thanks for your help!

  • Jack.P_1P
    Jack.P_1P
    Options

    On behalf of Floris, you're very welcome!

    Jack

This discussion has been closed.