Sign git commits with ssh-key while ssh'd into a server?

senekor
Community Member

I have recently setup git-commit-signing with 1password, which is nice. Unfortunately, I cannot create and sign commits when I'm ssh'd into a server, since it doesn't have 1password installed.

The ssh-key is being forwarded to the server with ssh-agent-forwarding. So it should be "accessible" on the server, in my naive understanding.

As per the documented instructions, the signing program is configured as /opt/1Password/op-ssh-sign. This doesn't exist on the server.

I wonder if it's possible to write a little script that signs a commit with the key coming in from the ssh-agent? I wouldn't

But I also might just be going about it in the wrong way, I'm open to other approaches. The goal I'm trying to achieve is to be able to sign commits on a server I'm ssh'd into with the ssh-key stored in 1password. Maybe I should just install 1password CLI on the server? I would prefer not to, but I guess it's an acceptable solution if that's the only way.


1Password Version: 8.10.23
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided

Comments

  • rellek
    Community Member

    I would like to know that too. I have a little headless Linux box to develop on which I usually ssh into from my Mac and it'd be cool to sign commits there using the infrastructure installed on the Mac.

    SSH key forwarding itself does work. Like ssh -T git@github.com triggers the Apple Watch thing from the Mac and, upon accepting, GitHub greets me. But not sure how to sign commits.

  • rellek
    Community Member

    Well, never mind, it does work. I only forgot the -S on the commit.

  • senekor
    Community Member

    @rellek How does it work for you? Part of the configuration is this, right?

    [gpg "ssh"]
        program = /opt/1Password/op-ssh-sign
    

    How is that supposed to work if 1password is not installed on the server? Or do you have 1password installed on the server?


    Btw. I may have found a solution that works quite nicely for myself. Instead of ssh-ing into the server and editing files, making commits etc. with the software installed on the server, I can use sshfs to mount the server's file system into my local one. That way, I have access to all the software installed locally and it even uses my local configuration. I stumbled upon this technique while trying to reproduce the vscode remote ssh workflow with a terminal editor like helix. There are certainly a couple things that won't work like that, but git should be perfectly fine.

  • rellek
    Community Member

    @senekor
    So here's my setup. My client machine is a MacBook, but I don't think this actually matters because the client is set up by 1Password automatically. I don't think I did anything to it.

    On my client, the ~/.gitconfig looks a little like this:

    # This is Git's per-user configuration file.
    [user]
    # Please adapt and uncomment the following lines:
            name = MyNameOn GitHub
            email = the-email-you-use-on-github@example.com
            signingkey = ssh-ed25519 <public key>
    [gpg]
            format = ssh
    [gpg "ssh"]
            program = /Applications/1Password.app/Contents/MacOS/op-ssh-sign
    [commit]
            gpgsign = true
    

    My dev box (I ssh into) has the following ~/.gitconfig:

    # This is Git's per-user configuration file.
    [user]
    # Please adapt and uncomment the following lines:
            name = MyNameOn GitHub
            email = the-email-you-use-on-github@example.com
            signingkey = ssh-ed25519 <public key>
    [gpg]
            format = ssh
    [commit]
            gpgsign = true
    

    Except for the program = /..... line, it is essentially the same as on my client. I copy-pasted the lines.

    The final step (I believe) was to adjust the ssh config on my client. ~/.ssh/config:

    Host localdev
        ForwardAgent yes
    

    localdev being the hostname of my dev box.

    You should try ssh -T git@github.com first on your client and then on your remote host to see if you are greeted by their server.
    Client:

    macbook:~ rellek$ ssh -T git@github.com
    Hi <user>! You've successfully authenticated, but GitHub does not provide shell access.
    macbook:~ rellek$ 
    

    Remote host:

    root@localdev:~# ssh -T git@github.com
    Hi <user>! You've successfully authenticated, but GitHub does not provide shell access.
    root@localdev:~#
    

    You *do not need* 1Password on your remote host. At all. This is what ForwardAgent yes does for you. If it is unsure how to connect itself to a host, it gives your local machine a shot and asks there. And on your local machine, 1Password kicks in and (hopefully) has the correct answer.

    HOWEVER. Please be aware that the admin of the remote host *can* disallow agent forwarding, in which case it would not work (obviously). On Linux, that would be the option AllowAgentForwarding in /etc/ssh/sshd_config. If it is commented (i.e. has a # in front of it), it means that it uses the default value (which is yes). Commented options are in the sshd_config file for your information, to show you what the defaults are.

    Anyway if the ssh -T git@github.com works on both your client and the remote host, that means that github (using ssh) works as well.

    Hope that helps you.

  • senekor
    Community Member

    Awesome, thank you so much for the detailed response. My mistake was this: I had this git config snippet both on the server and locally:

    [gpg "ssh"]
        program = /opt/1Password/op-ssh-sign
    

    I mindlessly copy-pasted it. However, with ssh-forwarding, it is not necessary on the server and breaks stuff when the 1password program is not installed. Simply removing this from the git config on the server made it work.

    Thanks!
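The thread's outcome (rellek's checklist: gpg.format = ssh, a signingkey, ForwardAgent on the client, AllowAgentForwarding on the server; and senekor's fix of dropping the gpg.ssh.program line on the server) amounts to a handful of checks that can be run on the remote host before the first `git commit -S`. The script below is an added example, not code from this thread, from 1Password or from git. It parses constructed sample config files with awk so it runs offline; the sample signing key is a placeholder, the helper names (agent_forwarding_allowed, gitconfig_get, signing_setup_problems) are my own, and Match blocks in sshd_config are not evaluated.

```shell
#!/bin/sh
# Added example (not from the thread, 1Password or git): pre-flight checks for
# signing commits on a remote host with a key that only reaches it through
# ssh-agent forwarding. Runs on constructed sample files so it works offline;
# pass real paths (~/.gitconfig, /etc/ssh/sshd_config) to check an actual host.

# Effective AllowAgentForwarding value in an sshd_config file. Commented lines only
# document the default and are skipped; with no active directive OpenSSH defaults
# to "yes", and the first active directive wins. (Match blocks are not evaluated.)
agent_forwarding_allowed() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "allowagentforwarding" { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }
    ' "$1"
}

# Minimal git-config reader: prints the value of "section.subsection.key" (e.g.
# gpg.ssh.program, user.signingkey) and returns 0, or returns 1 when it is unset.
gitconfig_get() {
    awk -v want="$2" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ {
            line = $0
            sub(/^[ \t]*\[/, "", line); sub(/\].*$/, "", line)
            n = split(line, p, /[ \t]+/)
            section = tolower(p[1])
            if (n > 1) { gsub(/"/, "", p[2]); section = section "." p[2] }
            next
        }
        index($0, "=") > 0 {
            key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (section "." tolower(key) == want) { print val; found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Print every finding that would stop `git commit -S` on this host from signing
# through the forwarded agent; returns 0 when there is nothing to report.
signing_setup_problems() {
    gitconfig=$1; sshdconfig=$2; problems=0
    if [ "$(gitconfig_get "$gitconfig" gpg.format)" != "ssh" ]; then
        echo "gpg.format is not 'ssh'"; problems=$((problems + 1))
    fi
    if ! gitconfig_get "$gitconfig" user.signingkey >/dev/null; then
        echo "user.signingkey is not set"; problems=$((problems + 1))
    fi
    # The thread's mistake: gpg.ssh.program copied over from the client. Left unset,
    # git uses ssh-keygen, which can sign with the key the forwarded agent offers.
    program=$(gitconfig_get "$gitconfig" gpg.ssh.program) || program=
    if [ -n "$program" ] && [ ! -x "$program" ]; then
        echo "gpg.ssh.program=$program is not installed here; drop it from the remote ~/.gitconfig"
        problems=$((problems + 1))
    fi
    if [ "$(agent_forwarding_allowed "$sshdconfig")" != "yes" ]; then
        echo "sshd disables AllowAgentForwarding; the forwarded key never reaches this host"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Constructed sample files: the remote config with the client's program line still
# in it, the same file with that section removed, and an sshd_config whose only
# AllowAgentForwarding line is the commented-out default. The key is a placeholder.
demo_dir=$(mktemp -d)
cat > "$demo_dir/gitconfig.broken" <<'EOF'
[user]
        name = MyNameOn GitHub
        email = the-email-you-use-on-github@example.com
        signingkey = ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER_NOT_A_REAL_KEY
[gpg]
        format = ssh
[gpg "ssh"]
        program = /opt/1Password/op-ssh-sign
[commit]
        gpgsign = true
EOF
grep -v -e 'gpg "ssh"' -e op-ssh-sign "$demo_dir/gitconfig.broken" > "$demo_dir/gitconfig.fixed"
cat > "$demo_dir/sshd_config" <<'EOF'
# Commented directives show the compiled-in defaults:
#AllowAgentForwarding yes
PermitRootLogin prohibit-password
EOF

for variant in broken fixed; do
    echo "== remote ~/.gitconfig ($variant) =="
    if signing_setup_problems "$demo_dir/gitconfig.$variant" "$demo_dir/sshd_config"; then
        echo "ok: git commit -S should sign through the forwarded agent"
    fi
done
```

On a real host, run `signing_setup_problems ~/.gitconfig /etc/ssh/sshd_config` after confirming that `ssh-add -l` lists the forwarded key; the "broken" sample reproduces exactly the finding senekor hit, and the "fixed" sample passes.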