Sign git commits with ssh-key while ssh'd into a server?

senekor
Community Member

I have recently setup git-commit-signing with 1password, which is nice. Unfortunately, I cannot create and sign commits when I'm ssh'd into a server, since it doesn't have 1password installed.

The ssh-key is being forwarded to the server with ssh-agent-forwarding. So it should be "accessible" on the server, in my naive understanding.

As per the documented instructions, the signing program is configured as /opt/1Password/op-ssh-sign. This doesn't exist on the server.

I wonder if it's possible to write a little script that signs a commit with the key coming in from the ssh-agent? I wouldn't

But I also might just be going about it in the wrong way, I'm open to other approaches. The goal I'm trying to achieve is to be able to sign commits on a server I'm ssh'd into with the ssh-key stored in 1password. Maybe I should just install 1password CLI on the server? I would prefer not to, but I guess it's an acceptable solution if that's the only way.

1Password Version: 8.10.23
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided

Comments

  • rellek
    Community Member

    I would like to know that too. I have a little headless Linux box to develop on which I usually ssh into from my Mac and it'd be cool to sign commits there using the infrastructure installed on the Mac.

    SSH key forwarding itself does work. For example, ssh -T git@github.com triggers the Apple Watch thing from the Mac and upon accepting, GitHub greets me. But I'm not sure how to sign commits.

  • rellek
    Community Member

    Well nevermind, it does work. Only forgot the -S on the commit.

  • senekor
    Community Member

    @rellek How does it work for you? Part of the configuration is this, right?

    [gpg "ssh"]
        program = /opt/1Password/op-ssh-sign
    

    How is that supposed to work if 1password is not installed on the server? Or do you have 1password installed on the server?

    Btw, I may have found a solution that works quite nicely for myself. Instead of ssh-ing into the server and editing files, making commits etc. with the software installed on the server, I can use sshfs to mount the server's file system into my local one. That way, I have access to all the software installed locally and it even uses my local configuration. I stumbled upon this technique while trying to reproduce the VS Code remote-ssh workflow with a terminal editor like helix. There are certainly a couple of things that won't work like that, but git should be perfectly fine.

  • rellek
    Community Member

    @senekor
    So here's my setup. My client machine is a MacBook. But I don't think this actually matters because the client is set up by 1Password automatically. I don't think I did anything to it.

    On my client, the ~/.gitconfig looks a little like this:

    # This is Git's per-user configuration file.
    [user]
    # Please adapt and uncomment the following lines:
            name = MyNameOn GitHub
            email = the-email-you-use-on-github@example.com
            signingkey = ssh-ed25519 <public key>
    [gpg]
            format = ssh
    [gpg "ssh"]
            program = /Applications/1Password.app/Contents/MacOS/op-ssh-sign
    [commit]
            gpgsign = true
    

    My dev box (I ssh into) has the following ~/.gitconfig:

    # This is Git's per-user configuration file.
    [user]
    # Please adapt and uncomment the following lines:
            name = MyNameOn GitHub
            email = the-email-you-use-on-github@example.com
            signingkey = ssh-ed25519 <public key>
    [gpg]
            format = ssh
    [commit]
            gpgsign = true
    

    Except for the program = /..... line, it is essentially the same as on my client. I copy-pasted the lines.

    The final step (I believe) was to adjust the ssh config on my client. ~/.ssh/config:

    Host localdev
        ForwardAgent yes
    

    localdev being the hostname of my dev box.

    You should try ssh -T git@github.com first on your client and then on your remote host to see if you are greeted by their server.
    Client:

    macbook:~ rellek$ ssh -T git@github.com
    Hi <user>! You've successfully authenticated, but GitHub does not provide shell access.
    macbook:~ rellek$ 
    

    Remote host:

    root@localdev:~# ssh -T git@github.com
    Hi <user>! You've successfully authenticated, but GitHub does not provide shell access.
    root@localdev:~#
    

    You do not need 1Password on your remote host. At all. This is what ForwardAgent yes does for you. If it is unsure how to connect itself to a host, it gives your local machine a shot and asks there. And on your local machine, 1Password kicks in and (hopefully) has the correct answer.

    HOWEVER, please be aware that the admin of the remote host can disallow agent forwarding, in which case it would not work (obviously). On Linux, that would be the option AllowAgentForwarding in /etc/ssh/sshd_config. If it is commented out (i.e. has a # in front of it), it means that it uses the default value (which is yes). Commented options are in the sshd_config file for your information, to show you what the defaults are.

    Anyway, if ssh -T git@github.com works on both your client and the remote host, that means that GitHub (using ssh) works as well.

    Hope that helps you.

  • senekor
    Community Member

    Awesome, thank you so much for the detailed response. My mistake was this: I had this git config snippet both on the server and locally:

    [gpg "ssh"]
        program = /opt/1Password/op-ssh-sign
    

    I mindlessly copy-pasted it. However, with ssh agent forwarding, it is not necessary on the server and it breaks things when the 1Password program is not installed there. Simply removing this from the git config on the server made it work.

    Thanks!
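The setup rellek describes and the fix senekor lands on (drop the client-only gpg.ssh.program line on the server and let git sign through the forwarded agent) can be turned into a check you run on the remote host before committing. The script below is an added example written for this page, not code from the thread or from 1Password. It re-implements the conditions the thread arrives at in pure Python: gpg.format must be ssh, user.signingkey must be a public-key literal (or a key file), gpg.ssh.program must not point at a binary that is absent on this host, and an agent socket must be reachable and actually hold the signing key. It parses the INI-style config shown above itself (user-level ~/.gitconfig only; repo-level config and [include] directives are not followed) and reads the agent's key list with ssh-add -L. The sample configs and the key blob are constructed placeholders, not real keys.

```python
"""Check whether `git commit -S` can sign with an SSH key on this host.

Added example, not from the thread or from 1Password. It re-implements the
checks the thread arrives at rather than calling git, so the logic can be
exercised offline with constructed inputs.
"""
import os
import re
import shutil
import subprocess

# Key types accepted as a literal user.signingkey value.
KEY_PREFIXES = ("ssh-", "sk-ssh-", "ecdsa-sha2-")
SECTION_RE = re.compile(r'^\[(\w+)(?:\s+"([^"]*)")?\]$')


def parse_gitconfig(text):
    """Flatten git's INI-style config into {"section.subsection.key": value}."""
    values, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # blank line or comment
            continue
        m = SECTION_RE.match(line)
        if m:
            name, sub = m.groups()             # [gpg "ssh"] -> gpg.ssh
            section = name.lower() + (f".{sub}" if sub else "")
            continue
        if section is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[f"{section}.{key.strip().lower()}"] = value.strip()
    return values


def key_blob(line):
    """(type, base64 blob) of a public-key line, ignoring the comment field."""
    return tuple(line.split()[:2])


def diagnose(config, agent_keys, auth_sock,
             path_exists=os.path.exists, which=shutil.which):
    """Return a list of findings; an empty list means signing should work.

    config: output of parse_gitconfig; agent_keys: lines from `ssh-add -L`;
    auth_sock: $SSH_AUTH_SOCK on this host (None when unset). path_exists and
    which are injectable so the checks can be run without a real host.
    """
    findings = []
    if config.get("gpg.format") != "ssh":
        findings.append("gpg.format is not 'ssh'; git would look for a GPG key")

    program = config.get("gpg.ssh.program")
    if program and not path_exists(program):
        findings.append(f"gpg.ssh.program={program} does not exist on this host; "
                        "drop it so git falls back to ssh-keygen and the agent")
    elif not program and which("ssh-keygen") is None:
        findings.append("ssh-keygen is not in PATH; git uses it to sign via the agent")

    signingkey = config.get("user.signingkey", "").removeprefix("key::")
    literal = signingkey.startswith(KEY_PREFIXES)
    if not literal and not path_exists(signingkey):
        findings.append("user.signingkey is neither a public-key literal nor a key file")

    if not auth_sock:
        findings.append("SSH_AUTH_SOCK is unset; no agent (local or forwarded) is reachable")
    elif literal and key_blob(signingkey) not in {key_blob(k) for k in agent_keys}:
        findings.append("user.signingkey is not loaded in the reachable agent (check "
                        "ForwardAgent on the client and AllowAgentForwarding in sshd_config)")
    return findings


def collect_live_inputs(gitconfig_path="~/.gitconfig"):
    """Gather the real inputs from this host (user-level config file only;
    repo-level config and [include] directives are not followed here)."""
    with open(os.path.expanduser(gitconfig_path), encoding="utf-8") as fh:
        config = parse_gitconfig(fh.read())
    try:
        listed = subprocess.run(["ssh-add", "-L"], capture_output=True,
                                text=True, check=False).stdout
    except FileNotFoundError:                  # no ssh client tools installed
        listed = ""
    agent_keys = [l for l in listed.splitlines() if l.startswith(KEY_PREFIXES)]
    return config, agent_keys, os.environ.get("SSH_AUTH_SOCK")


# Constructed sample: the server-side config from the thread with the client-only
# program line still present (the mistake), and the same config with it removed.
# The key blob is a made-up placeholder, not a real key.
SIGNING_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDplaceholderNOTaREALkey dev@laptop"
SERVER_CONFIG_BROKEN = f"""
[user]
        name = MyNameOn GitHub
        email = the-email-you-use-on-github@example.com
        signingkey = {SIGNING_KEY}
[gpg]
        format = ssh
[gpg "ssh"]
        program = /opt/1Password/op-ssh-sign
[commit]
        gpgsign = true
"""
SERVER_CONFIG_FIXED = SERVER_CONFIG_BROKEN.replace(
    '[gpg "ssh"]\n        program = /opt/1Password/op-ssh-sign\n', "")

if __name__ == "__main__":
    problems = diagnose(*collect_live_inputs())
    print("\n".join(problems) or "SSH commit signing looks usable on this host")
```

Run it on the remote host after logging in with agent forwarding enabled; the "not loaded in the reachable agent" finding is the one you get when the client's ForwardAgent line is missing or the server's sshd has AllowAgentForwarding no, since SSH_AUTH_SOCK is then either unset or points at an agent that does not hold the key.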

This discussion has been closed.