Feature Request: Add "name/tag" key to Agent.toml

aRustyDev
Community Member

The Use case

I have made a little git subcommand that I think is really cool. I work in a bunch of different git registries (github, gitlab, self-hosted, etc) and have different identities and keys for each. So I wanted to be able to easily clone and setup my git config (including signing) quickly and reliably. I also wanted to try and keep my system clean of secrets, so I decided to leverage the OP cli to try and call my secrets out.

From what I can gather, TOML isn't inherently schema'd, but it seems like you are very likely enforcing a schema somewhere in the application. In lieu of removing what I think is probably a schema enforcement on your end, would you consider adding an optional value for "name" that isn't actually used by the application? From my perspective it could be any arbitrary key name, like "name" or "tag" or "cn" or "CommonName" or "ExternalName", etc.

It seems like doing this could allow for others to implement similar extensions to 1Password? But perhaps I am the only one who's having this pain point?

The issue I ran into

When I tried to add an additional key to the Agent.toml (which I don't think would raise any security concerns?) it broke the functionality of the CLI. (I was unable to retrieve my SSH keys anymore. I received the error "error: 1Password: No SSH private key found for the specified public key".)

This is the main part of what my subcommand is doing (just FYI):

# ...
# ======================== FUNCTIONS ========================
# ... (set_os_specific_stuff and the OP_AGENT_FILE / SSH_ALLOWEDSIGNERS / SSH_PROGRAM
#      variables are defined in the part of the script elided here)

# Remove every git config value this script sets, so a re-run starts from a clean state
git_unset(){
    git config --local --unset user.signingkey
    git config --local --unset user.name
    git config --local --unset user.email
    git config --local --unset gpg.ssh.allowedSignersFile
    git config --local --unset gpg.ssh.program
    git config --local --unset gpg.format
    git config --local --unset tag.gpgsign
    git config --local --unset commit.gpgsign
}

# Returns the info for the ssh key in the specified vault
# $1 = vault name, $2 = substring of the item title, $3 = field to read ("public key", "username", ...)
op_read (){
    op item list --categories "SSH Key" --vault "$1" --format=json | \
    jq --arg TITLE "$2" '.[] | select(.title | contains($TITLE))' | \
    op item get --fields "$3"
}

# ======================== MAIN ========================

# Check if Registry is valid & set EnvVars
case "$1" in
    # Valid Registries
    github | gitlab | work | home)
        set_os_specific_stuff
        # Look up the [[ssh-keys]] entry whose (non-standard) "name" key matches $1
        VAULT=$(NAME="$1" yq -oy '.ssh-keys[] | select(.name | contains(env(NAME))) | .vault' --input-format toml "$OP_AGENT_FILE")
        ITEM=$(NAME="$1" yq -oy '.ssh-keys[] | select(.name | contains(env(NAME))) | .item' --input-format toml "$OP_AGENT_FILE")
        ;;
    *)
        echo "Unknown-Target-SSH-Name: ${1}" >&2
        exit 1
        ;;
esac

# Stop here if the lookup found nothing, instead of writing empty values into .git/config
if [ -z "$VAULT" ] || [ -z "$ITEM" ]; then
    echo "No ssh-keys entry named ${1} in ${OP_AGENT_FILE}" >&2
    exit 1
fi

git_unset
git config --local init.defaultBranch main
git config --local gpg.ssh.allowedSignersFile "$SSH_ALLOWEDSIGNERS"
git config --local gpg.ssh.program "$SSH_PROGRAM"
git config --local gpg.format ssh
git config --local tag.gpgsign true
git config --local commit.gpgsign true
# Quote every substitution: a public key or a user.name containing spaces would otherwise
# be split into several arguments, and git config would treat the rest as a value pattern
git config --local user.signingkey "$(op_read "$VAULT" "$ITEM" "public key")"
git config --local user.name "$(op_read "$VAULT" "$ITEM" "username")"
git config --local user.email "$(op_read "$VAULT" "$ITEM" "email")"

1Password Version: 2.29.0
Extension Version: Not Provided
OS Version: macOS 15.0 Beta
Browser: Not Provided
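Added example for the schema problem described in the report; this is neither the author's subcommand nor 1Password's code. It is in Python rather than the script's shell only so that it runs without yq or the op CLI. The error reported after adding "name" to agent.toml is consistent with the agent accepting only the keys 1Password documents for a [[ssh-keys]] entry (item, vault, account); that strictness is an assumption here, as is the idea of the workaround: keep a sidecar file that carries the extra "name" key, derive from it an agent.toml that contains only the documented keys, and do the name-to-vault/item lookup against the sidecar. The sample sidecar content is constructed for the example.

```python
"""Flag non-schema keys in agent.toml entries and generate a schema-clean agent.toml
from a sidecar config that carries the extra "name" key (added example, not from the
issue author or 1Password)."""

# Keys 1Password documents for a [[ssh-keys]] entry.
# Assumption: the agent rejects an entry with any other key, which matches the report.
AGENT_KEYS = ("item", "vault", "account")

# Constructed sample sidecar: the author's layout plus the extra "name" key.
SAMPLE_SIDECAR = """\
# sidecar config: read by the git subcommand, never by the 1Password agent
[[ssh-keys]]
name = "github"
vault = "Personal"
item = "GitHub SSH key"

[[ssh-keys]]
name = "work"
vault = "Work"
item = "GitLab signing key"
account = "work.1password.com"
"""


def parse_ssh_keys(text):
    """Parse the TOML subset agent.toml uses: [[ssh-keys]] headers followed by
    key = "string" lines. Comments and blank lines are skipped. Escapes are not
    supported: a backslash or embedded quote is rejected rather than mangled."""
    entries = []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "[[ssh-keys]]":
            current = {}
            entries.append(current)
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if current is None or not sep or not key:
            raise ValueError(f"line {lineno}: expected [[ssh-keys]] or key = value: {raw!r}")
        if len(value) < 2 or value[0] != '"' or value[-1] != '"':
            raise ValueError(f"line {lineno}: only quoted strings are supported: {raw!r}")
        inner = value[1:-1]
        if "\\" in inner or '"' in inner:
            raise ValueError(f"line {lineno}: escapes are not supported: {raw!r}")
        if key in current:
            raise ValueError(f"line {lineno}: duplicate key {key!r}")
        current[key] = inner
    return entries


def unknown_keys(entries):
    """(entry index, key) for every key outside the documented agent schema."""
    return [(i, k) for i, e in enumerate(entries) for k in e if k not in AGENT_KEYS]


def split_sidecar(sidecar_text):
    """Return (agent_toml, lookup): agent_toml carries only documented keys, so the
    agent never sees "name"; lookup maps each name to its documented keys."""
    lookup = {}
    blocks = []
    for entry in parse_ssh_keys(sidecar_text):
        name = entry.get("name")
        if not name:
            raise ValueError("sidecar entry without a name")
        if name in lookup:
            raise ValueError(f"duplicate name {name!r}")
        if "item" not in entry or "vault" not in entry:
            raise ValueError(f"entry {name!r} needs both item and vault")
        kept = {k: entry[k] for k in AGENT_KEYS if k in entry}
        lookup[name] = kept
        blocks.append("\n".join(["[[ssh-keys]]"] + [f'{k} = "{v}"' for k, v in kept.items()]))
    return "\n\n".join(blocks) + "\n", lookup


def resolve(lookup, name):
    """(vault, item) for a name; exact match, unlike the script's contains()."""
    try:
        return lookup[name]["vault"], lookup[name]["item"]
    except KeyError:
        raise KeyError(f"Unknown-Target-SSH-Name: {name}") from None


if __name__ == "__main__":
    bad = unknown_keys(parse_ssh_keys(SAMPLE_SIDECAR))
    print("keys the agent would not recognise:", bad)
    agent_toml, lookup = split_sidecar(SAMPLE_SIDECAR)
    print(agent_toml)
    print(resolve(lookup, "work"))
```

The generated text is what would be written to the path the agent reads (the sidecar stays wherever the subcommand keeps it), so the agent's file never gains a key it does not know, and the subcommand keeps its name-based lookup. Running unknown_keys over the real agent.toml before handing it to the agent is the quick check for the failure mode reported above.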