July 5, 2022
Question

SSH Commit Signing

  • July 5, 2022
  • 13 replies
  • 2152 views

I've started signing my git commits using SSH.

However, this only seems to work when the SSH_AUTH_SOCK env variable is set. For various reasons I cannot set that variable everywhere and have to rely on host-specific IdentityAgent configuration.

This is the error
```
git commit -m"test"
error: Load key "/var/folders/z//T//.git_signing_key": invalid format?

fatal: failed to write commit object
```

Prepending the command with SSH_AUTH_SOCK=~/.1password/agent.sock git commit -m"test" works.

This issue also applies to VSCode.

As per https://git-scm.com/docs/git-config#Documentation/git-config.txt-gpgltformatgtprogram, the program used is ssh-keygen. I guess it doesn't read ssh config files, or at least wouldn't be aware of a host to use.

Question: Does 1Password provide a binary compatible to ssh-keygen that I could set as gpg.ssh.program in my gitconfig?


1Password Version: 8.7.3
Extension Version: Not Provided
OS Version: macOS
Browser: Not Provided

13 replies

July 6, 2022

In the meantime I have created a gpg-ssh-program helper script myself:

```sh
#!/bin/sh
# Run ssh-keygen with SSH_AUTH_SOCK pointed at the 1Password agent,
# passing through whatever arguments git supplies.
SSH_AUTH_SOCK=~/.1password/agent.sock ssh-keygen "$@"
```

And then as git config:

```config
[gpg "ssh"]
program = /Users/<username>/<path-to-script>/gpg-ssh-program
```
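A fuller version of the same idea, added here as an example and not code from the thread or from 1Password: it locates the agent socket at the two paths quoted in this thread (the order is an assumption), fails with a readable message when 1Password is not running (the situation behind the "could not connect to agent" reports later in the thread), and otherwise delegates to ssh-keygen exactly as git's gpg.ssh.program expects.

```shell
#!/bin/sh
# Added example, not code from the thread or from 1Password: a wrapper that
# git can run as gpg.ssh.program. Git passes ssh-keygen's own arguments
# (e.g. -Y sign -n git -f <key> <file>), so the wrapper must accept them
# unchanged and hand them to ssh-keygen with SSH_AUTH_SOCK pointing at the
# 1Password agent. Without a reachable agent ssh-keygen cannot use the
# private key and reports 'Load key ...: invalid format', as in the thread.

# Print the first 1Password agent socket that exists as a Unix socket.
# An optional first argument replaces $HOME (used by tests).
# The two paths are the ones quoted in the thread; their order is an
# assumption.
find_agent_sock() {
    home=${1:-$HOME}
    set -- "$home/.1password/agent.sock" \
        "$home/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"
    for p in "$@"; do
        if [ -S "$p" ]; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 1
}

# Entry point used by git: fail with a readable message instead of the
# cryptic agent error when 1Password is not running, else delegate.
main() {
    sock=$(find_agent_sock) || {
        printf '%s\n' "gpg-ssh-program: no 1Password SSH agent socket found;" \
            "is 1Password running with its SSH agent enabled?" >&2
        exit 1
    }
    SSH_AUTH_SOCK=$sock
    export SSH_AUTH_SOCK
    exec ssh-keygen "$@"
}

# Git always supplies arguments; with none (e.g. when sourced) do nothing.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Install it as `program` under `[gpg "ssh"]` exactly as in the config above; `git commit` then either signs or prints the wrapper's message instead of the agent stack trace.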

floris_1P
1Password Employee
July 7, 2022

We are looking into shipping something like that with the 1Password app. And what you're using now is exactly what I was about to suggest.

September 8, 2022

@floris_1P Great to see your version of op-ssh-sign launch!

One thing that seems a bit odd is when 1password is not started (or active)?

It fails with this cryptic error message:

```
✗ git commit -m"test"
error: Error: AppError { error: could not connect to agent

Caused by:
std::io::error::Error, location: Location { file: "ssh/op-ssh-sign/src/utils.rs", line: 27, col: 14 } }

fatal: failed to write commit object
```

floris_1P
1Password Employee
September 9, 2022

The error messages in op-ssh-sign are a bit cryptic indeed, we're actively working on improving those! But I assume you did get it working now, correct?

September 9, 2022

Yes, it is working perfectly when 1Password is running. Good work 👍

My workaround is to start 1Password by hand and try again. Ideally the app would just be started automatically in this situation.

floris_1P
1Password Employee
September 9, 2022

Yep, that is something we have on the roadmap. In the meantime, there's this setting on Mac that could already mostly cover it:

September 9, 2022

Thanks for the tip! Alas my configuration is more subtle and I already have this checked.

If you're interested, I think this is what is causing it:

  • Disable "Keep 1Password in menu bar" (Also no browser extension. What I'm getting is: There's nothing else wanting 1Password to be running)
  • Enable "Lock on sleep, screensaver, or switching users"
  • Lock your Mac
  • Login again
  • git commit
  • 💥 Boom, error

October 26, 2022

I'm currently using a devcontainer (https://code.visualstudio.com/docs/remote/containers) on macOS and I'm trying to get the git commit signing to work. SSH is already working by explicitly exporting the 1Password-specific SSH_AUTH_SOCK in the terminal I use before opening VSCode:

```sh
export SSH_AUTH_SOCK=~/Library/Group\ Containers/2BUA8C4S2C.com.1password/t/agent.sock
code .
```

This enables using the SSH keys from 1Password from within the devcontainer, because VSCode does some magic with the socket in the background.

For git commit signing I'm now running into this error:

```
error: Error: AppError { error: could not connect to agent

Caused by:
std::io::error::Error, location: Location { file: "ssh/op-ssh-sign/src/utils.rs", line: 27, col: 14 } }

fatal: failed to write commit object
```

I've installed 1Password within the devcontainer following https://support.1password.com/install-linux/#other-distributions-or-arm-targz and updated my .gitconfig like this:

```config
...
[gpg]
format = ssh
[gpg "ssh"]
program = /opt/1Password/op-ssh-sign
[commit]
gpgsign = true
[tag]
gpgsign = true
...
```

But I'm unable to get it to work. My suspicion is that op-ssh-sign is looking in the wrong place for the socket, but I can't validate this because it's closed source.

Would folks from 1Password be able to help out? 😏

December 27, 2022

I ran into the `error: could not connect to agent` issue, and I keep forgetting I have 1password commit signing running, so when I go to look up the error I get all kinds of other things that have nothing to do with 1password and then after about a week I cold-start 1password and it asks me to authenticate for git signing and then I realize that's been the issue all along.

I'm a little hesitant to edit my .gitconfig because I also have the github cli installed which has also edited it, though the github cli should only be setting itself up as an https auth provider which should be separate from the signing settings 1password sets, but I just want to mention it to make sure it's not possible it could be causing any conflicts.

Jack_P_1P
1Password Employee
January 5, 2023

Hey @mvgijssel:

First I'd like to apologize for the delayed response here. op-ssh-sign exists to offer a one-click install for Git commit signing. By default, Git uses ssh-keygen to sign commits, using the SSH agent available in the SSH_AUTH_SOCK environment variable. Changing the signing command allows for a one click install. If you instead comment out the /op-ssh-sign line of your .gitconfig in your container, as well as forward your SSH_AUTH_SOCK in, is Git able to sign your commits? Let me know.

Hi @spocklogical:

Would you mind elaborating where you're running into trouble? Is that when pushing to a Git repo, SSHing to a server, or signing your commits? Let me know.

Jack