September 13, 2022
Question

SSH commit signing inside docker

  • September 13, 2022
  • 8 replies
  • 2052 views

Is it possible to use commit signing inside a docker container (Visual Studio Code Remote Containers)?


1Password Version: 8.9.4
Extension Version: Not Provided
OS Version: macos 12.6
Browser: Not Provided
Referrer: forum-search:https://1password.community/search?Search=ssh%20commit%20signing%20docker

8 replies

floris_1P
1Password Employee
September 13, 2022

Docker for Mac can forward $SSH_AUTH_SOCK into any container, all you need to do is add these 'magic' flags:
-v /run/host-services/ssh-auth.sock:/run/host-services/ssh-auth.sock -e SSH_AUTH_SOCK=/run/host-services/ssh-auth.sock

A proof of concept:

docker run -v /run/host-services/ssh-auth.sock:/run/host-services/ssh-auth.sock -e SSH_AUTH_SOCK=/run/host-services/ssh-auth.sock alpine sh -c 'apk add openssh && ssh-add -l'

With the agent socket available in your container, you should be able to set up commit signing as well.

A few caveats:
- $SSH_AUTH_SOCK needs to be set before Docker for Mac launches (so not just your container, but the entire Docker for Mac app). More info on how you can do that here.
- Your local ~/.gitconfig file will not automatically be present in your Docker container, so you should either mount it as a volume or make sure it gets created within the container.
- The SSH agent authorization model works a bit differently with Docker for Mac than you might expect: you'll only authorize Docker once and then every container that has the socket mounted will be authorized to use the key. That's something to keep in mind.

September 13, 2022

Hi! Thanks for your response!

The problem with this is that it is looking for a /Applications/1Password.app/Contents/MacOS/op-ssh-sign that does not exist inside the docker image.

floris_1P
1Password Employee
September 14, 2022

Ah, I forgot to mention that: the op-ssh-sign binary is technically optional. The primary reason why that exists is to make sure the 1Password socket is used for signing, so that you don't have to set SSH_AUTH_SOCK yourself.

However, in a forwarding scenario, SSH_AUTH_SOCK is always there. So in that case, you can omit gpg.ssh.program in your Gitconfig, and Git will then use ssh-keygen instead.
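Putting the two points above together (forwarded agent socket, no gpg.ssh.program), here is an added example that is not from the thread or from 1Password: a container-side script that checks the forwarded socket and writes a gitconfig that signs through ssh-keygen. The function names, the sample key and the target paths are assumptions; the allowed_signers step goes beyond the thread and lets the signatures also be verified inside the container.

```shell
#!/bin/sh
# Added example, not code from the thread or from 1Password. Container-side
# setup for SSH commit signing over an agent socket forwarded the way floris_1P
# describes; assumes $SSH_AUTH_SOCK already points at that socket in the container.
set -eu

# 0 only if the path is a live UNIX socket; anything else means the agent was
# not forwarded (e.g. SSH_AUTH_SOCK was unset when Docker for Mac started).
check_agent_socket() {
    [ -n "${1:-}" ] && [ -S "$1" ]
}

# Write a gitconfig that signs via ssh-keygen and the agent. gpg.ssh.program is
# deliberately absent so Git never looks for op-ssh-sign (not in the image) and
# falls back to ssh-keygen, which uses $SSH_AUTH_SOCK.
# $1 = gitconfig path, $2 = public key line, $3 = allowed_signers path
write_signing_gitconfig() {
    cat >"$1" <<EOF
[user]
	signingkey = key::$2
[gpg]
	format = ssh
[gpg "ssh"]
	allowedSignersFile = $3
[commit]
	gpgsign = true
EOF
}

# allowed_signers lets 'git log --show-signature' verify commits inside the
# container. Line format: <principal> <key type> <key blob> [comment]
# $1 = path, $2 = principal (email), $3 = public key line
write_allowed_signers() {
    mkdir -p "$(dirname "$1")"
    printf '%s %s\n' "$2" "$3" >"$1"
}

main() {
    # Constructed sample key; replace with the public half of your 1Password SSH key.
    pubkey="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOnlyNotARealKey dev@example.com"
    target="${1:-$HOME}"
    check_agent_socket "${SSH_AUTH_SOCK:-}" || {
        echo "SSH_AUTH_SOCK is not a live socket; forward the agent first" >&2; return 1; }
    write_allowed_signers "$target/.ssh/allowed_signers" "dev@example.com" "$pubkey"
    write_signing_gitconfig "$target/.gitconfig" "$pubkey" "$target/.ssh/allowed_signers"
    echo "wrote $target/.gitconfig: signing via ssh-keygen over \$SSH_AUTH_SOCK"
}

# Run the setup only when asked, so the file can be sourced for its functions.
if [ "${1:-}" = "--setup" ]; then main "${2:-}"; fi
```

Run it as `sh setup-signing.sh --setup` inside the container (or from a devcontainer postCreateCommand) once the socket is mounted; `git commit` will then sign with whatever key the forwarded agent offers.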

September 14, 2022

Thank you so much!

floris_1P
1Password Employee
September 14, 2022

@srxavi Did you get it to work?

September 16, 2022

@floris_1P Yes! It works now! Thanks!

January 26, 2023

@floris_1P Is there a way to remove the op-ssh-sign binary by setting an alternate value in the local gitconfig? I'd like to still keep SSH signing with 1P globally, but I need to remove the binary to get signing inside of the remote container to work.

Jack_P_1P
1Password Employee
January 26, 2023

Hey @EERattler:

Great question. We can definitely help with this, but it'll likely take a closer look at your specific setup to determine the best course of action for you. To protect your privacy, can you please email us at support+forum@1password.com with a link to your post (https://1password.community/discussion/comment/673500/#Comment_673500), your username EERattler, and mention that SSH commit signing isn't working as it should. We'll continue the conversation via email. Thanks!

Jack