April 20, 2023
Question

1Password seems to include my SSH private key in the tag message when signing a git tag.

I am using 1Password and the SSH agent to store my SSH keys and sign git commits, and it works great!

However, when I sign a git tag my private key is included in the tag message. This is then displayed in plain text when I push the tag to GitLab.

My .gitconfig file includes:
```
[user]
name =
email =
signingkey =

[gpg]
format = ssh

[gpg "ssh"]
program = "/Applications/1Password.app/Contents/MacOS/op-ssh-sign"
allowedSignersFile = "~/.ssh/allowed_signers"

[commit]
gpgsign = true

[tag]
gpgsign = true

```

I generate the tag with:
```
git tag -a "tag-name" -m "tag-message"
```

When I run git show tag-name, I see:
```
tag tag-name
Tagger:
Date:

tag-message

commit ....

```

I am going to have to disable signing my git tags with 1Password for the time being, so any help to resolve this would be greatly appreciated!


1Password Version: 8.10.4
Extension Version: Not Provided
OS Version: MacOS 13.3.1
Browser: Not Provided

7 replies

floris_1P
1Password Employee
April 20, 2023

@TJGreen97 What kind of heading do you see in the part that you redacted in your snippet? -----BEGIN ...

April 20, 2023

@floris_1P, thanks for the response. I get:

```
tag-message
-----BEGIN SSH SIGNATURE-----
...
-----END SSH SIGNATURE-----
```

floris_1P
1Password Employee
April 20, 2023

Ah yes, that's the signature which can be used by GitHub and others to prove the authenticity of the tag. Not the private key, that'll stay in 1Password.
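
To see what such a block contains, here is an added example (not part of the original thread, and not 1Password's or git's code): a Python parser for the armored block, following the field layout in OpenSSH's PROTOCOL.sshsig. The helper names are hypothetical and the sample block is constructed from filler bytes, so it is not a real key or signature.

```python
import base64
import struct

MAGIC = b"SSHSIG"
BEGIN, END = "-----BEGIN SSH SIGNATURE-----", "-----END SSH SIGNATURE-----"

def _string(buf, off):
    """Read one SSH wire 'string': uint32 big-endian length, then that many bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated SSHSIG blob")
    return buf[off + 4:end], end

def parse_sshsig(armored):
    """Return the fields of an armored SSH signature block."""
    lines = [l.strip() for l in armored.strip().splitlines()]
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an SSH signature block")
    blob = base64.b64decode("".join(lines[1:-1]), validate=True)
    if blob[:6] != MAGIC:
        raise ValueError("bad magic preamble")
    (version,) = struct.unpack_from(">I", blob, 6)
    fields, off = {"version": version}, 10
    for name in ("publickey", "namespace", "reserved", "hash_algorithm", "signature"):
        fields[name], off = _string(blob, off)
    # publickey and signature each begin with their own algorithm-name string
    fields["key_type"] = _string(fields["publickey"], 0)[0].decode()
    fields["sig_type"] = _string(fields["signature"], 0)[0].decode()
    fields["namespace"] = fields["namespace"].decode()
    fields["hash_algorithm"] = fields["hash_algorithm"].decode()
    return fields

def _s(b):
    """Encode bytes as an SSH wire 'string'."""
    return struct.pack(">I", len(b)) + b

def constructed_sample():
    """Build a structurally valid block from zero bytes (constructed, not real)."""
    pub = _s(b"ssh-ed25519") + _s(bytes(32))
    sig = _s(b"ssh-ed25519") + _s(bytes(64))
    blob = (MAGIC + struct.pack(">I", 1) + _s(pub) + _s(b"git")
            + _s(b"") + _s(b"sha512") + _s(sig))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{BEGIN}\n{body}\n{END}\n"

if __name__ == "__main__":
    for k, v in parse_sshsig(constructed_sample()).items():
        print(k, "=", f"<{len(v)} bytes>" if isinstance(v, bytes) else v)
```

The only key material in the block is the public key; a block headed `-----BEGIN OPENSSH PRIVATE KEY-----` is rejected by the header check.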

April 20, 2023

Ah yes, that is obvious in hindsight. GitLab prints out the entire signature when displaying the tags and makes it very hard to read. So I guess the issue is with GitLab, or is it that they expect it to be signed differently to GitHub?

floris_1P
1Password Employee
April 20, 2023

What do you mean here exactly with "the issue"? The human readability of the tag message in their UI?

April 21, 2023

Issue is probably the wrong word, but yes, GitHub handles the signature in its UI far more cleanly than GitLab. I'll raise a ticket with GitLab. Thanks for your help!

Jack_P_1P
1Password Employee
April 21, 2023

On behalf of Floris, you're very welcome!

Jack