Former Member
4 years ago
1password SSH Agent + WSL2?
Was wondering if any developers have had any luck configuring the newly introduced https://developer.1password.com/docs/ssh for any WSL2 work? This thing is incredible and works seamlessly! Would love to configure it for my WSL instances.
For some context, I've been using https://github.com/buptczq/WinCryptSSHAgent to configure & forward SSH_AUTH_SOCK from WSL to-and-from Windows Certificates. This works only for x509 certs on the PC or on smartcards.
1Password Version: 80600068
Extension Version: Not Provided
OS Version: Windows 11 Home
12 Replies
- Former Member
I found if I call git.exe from Windows, then it works, which is interesting. I don't think this is a good solution though, just a data point to consider.
WSL Linux git fails:
```
❯ git verify-commit ff81f0477b7c55d86e991b5c3b0e799ba5b563f1 -v --raw
tree 960ce5311eade9d420f2a557d630424e1a4735a9
parent edb2f4b404a57eef4dc47aa9339bfabef69badb7
author Christen Lofland mailto:christen@lofland.net 1704381804 -0600
committer Christen Lofland mailto:christen@lofland.net 1704381804 -0600

Testing commit signing.
Could not verify signature.
```
Windows git works from WSL Linux:
```
❯ git.exe verify-commit ff81f0477b7c55d86e991b5c3b0e799ba5b563f1 -v --raw
Good "git" signature for mailto:christen@lofland.net with ED25519 key SHA256:2gc97CZMkWFFGxBFe9sPUlpSEvTf8lnIC3MBJDB4gG0
tree 960ce5311eade9d420f2a557d630424e1a4735a9
parent edb2f4b404a57eef4dc47aa9339bfabef69badb7
author Christen Lofland mailto:christen@lofland.net 1704381804 -0600
committer Christen Lofland mailto:christen@lofland.net 1704381804 -0600

Testing commit signing.
```
- floris_1P
1Password Team
@ChrisL8 Storing it in WSL should work if the allowed signers path is an absolute path. What does `git config gpg.ssh.allowedSignersFile` return? And what's the error message that you're seeing?
- Former Member
floris_1P The allowed signers file is stored in WSL, as that is where the git executable expected to see it. Should I try storing it in Windows somewhere instead?
- floris_1P
1Password Team
@ChrisL8 Is the allowed signers file stored on Windows or in WSL?
- Former Member
I am having the same issue. If I REMOVE this part from .gitconfig
program = "/mnt/c/Users/****/AppData/Local/1Password/app/8/op-ssh-sign-wsl"
then VERIFY works, but then SIGNING does not work.
It seems like while this op-ssh-sign-wsl program allows git to sign commits with 1Password, it breaks the ability for git to verify signatures locally.
- Former Member
Looks like if you are using the socat/npiperelay workaround you can just remove the
```
program = /mnt/c/Users/jonaskuske/AppData/Local/1Password/app/8/op-ssh-sign.exe
```
line, then both signing and verification will work! This works because the socat/npiperelay workaround script is setting the SSH_AUTH_SOCK env variable.
Ensure you add your own key to allowed signers if you haven't:
```
echo "$(git config --global user.email) $(git config --global user.signingkey)" > ~/.allowed_signers
git config --global gpg.ssh.allowedSignersFile "$HOME/.allowed_signers"
```
- Former Member
@HardwareFresser For what it's worth, I have the exact same experience. Additionally I added the `allowedSignersFile` option to my `.gitconfig` but `git log --show-signature` displays "Could not verify signature" for all my signed commits as well. Using your manual, local verification does work however.
Edit: For what it's worth, using the `allowSignersFile` option and verifying the commit signatures on Windows also works (verifies correctly). It's only WSL2 that doesn't seem to properly verify for me
- Former Member
Commit signing works for me. I use the popular https://github.com/rupor-github/wsl-ssh-agent/blob/master/docs/wsl-ssh-agent-relay/ `npiperelay` workaround to get SSH working, and had to adjust my WSL `.gitconfig` to point at the Windows binary:
```
[gpg "ssh"]
program = /mnt/c/Users/jonaskuske/AppData/Local/1Password/app/8/op-ssh-sign.exe
```
Now signing works and GitHub displays the Verified badge.
But local verification fails for some reason — `git log --show-signature` displays "Could not verify signature" for each commit.
If I manually extract the commit and signature, the local verification works though:
```
git cat-file commit ga872i9 > ./commit # then delete the ---- SSH SIGNATURE part
git cat-file commit ga872i9 > ./signature # then delete everything but the signature, remove "gpgsig" and leading spaces before -----
/mnt/c/Users/jonaskuske/AppData/Local/1Password/app/8/op-ssh-sign.exe -Y verify -f ~/.ssh/allowed_signers -I mailto:mail@jonaskuske.com -n git -s ./signature < ./commit
Good "git" signature for mailto:mail@jonaskuske.com with ED25519 key ...
```
- Former Member
SSH fingerprint is present and SSH key is added to GitHub account using the following steps:
1. Navigate to https://github.com/settings/keys
2. Select “New SSH Key”
3. Select “Signing Key”
4. Navigate to the “Key” box and select the 1Password logo
5. Select “Create SSH Key”, fill in a title and then select “Create and Fill”
6. Select “Add SSH Key” and you’re all set!
- Former Member
@smplkiii In that box does it show that the commit is signed at all (does it display the "SSH Key Fingerprint")? If not then commit signing has not been configured correctly. If it does show a fingerprint but is unverified, then you'll need to make sure you've uploaded the correct SSH key to GitHub.
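
The manual check described earlier in the thread (hand-editing the output of `git cat-file commit` into a payload file and a signature file) can be scripted. This is an added example, not code from any poster or from 1Password: the sample commit is constructed, the function names are hypothetical, and it verifies with stock `ssh-keygen -Y verify` instead of `op-ssh-sign.exe`.

```shell
#!/usr/bin/env bash
# Added example (hypothetical names): split a raw commit into payload + SSH signature.

# Constructed sample commit; the base64 line is a placeholder, not a real signature.
sample_commit() {
  cat <<'EOF'
tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904
author Example Dev <dev@example.com> 1704381804 -0600
committer Example Dev <dev@example.com> 1704381804 -0600
gpgsig -----BEGIN SSH SIGNATURE-----
 Q09OU1RSVUNURUQtUExBQ0VIT0xERVI=
 -----END SSH SIGNATURE-----

Testing commit signing.
EOF
}

# Signed payload: the commit minus the gpgsig header and its continuation lines.
commit_payload() {
  awk 'body          { print; next }
       /^$/          { body = 1; print; next }
       /^gpgsig /    { insig = 1; next }
       insig && /^ / { next }
                     { insig = 0; print }'
}

# Signature: the gpgsig value with "gpgsig " and the one-space prefix removed.
commit_signature() {
  awk '/^$/          { exit }
       /^gpgsig /    { insig = 1; sub(/^gpgsig /, ""); print; next }
       insig && /^ / { sub(/^ /, ""); print; next }
                     { insig = 0 }'
}

# Usage: verify_commit_manually <commit> <signer-identity>
verify_commit_manually() {
  local tmp rc
  tmp=$(mktemp -d) || return 1
  git cat-file commit "$1" > "$tmp/raw" &&
    commit_payload   < "$tmp/raw" > "$tmp/commit" &&
    commit_signature < "$tmp/raw" > "$tmp/signature" &&
    ssh-keygen -Y verify -n git -I "$2" -s "$tmp/signature" \
      -f "$(git config --type=path gpg.ssh.allowedSignersFile)" < "$tmp/commit"
  rc=$?
  rm -rf "$tmp"
  return "$rc"
}
sample_commit | commit_signature   # demo on the constructed sample
```

If `verify_commit_manually` succeeds inside WSL while `git log --show-signature` still reports "Could not verify signature", the signature and allowed signers file are fine and the difference lies in the `gpg.ssh.program` that git calls.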