Former Member
3 years ago
op-ssh-sign to prompt for password on terminal input, rather than gui/desktop when logged in via ssh
I have a linux desktop on which I run both the 1P CLI and the desktop application.
I have SSH signing configured for git.
I often ssh into that machine from my couch in a different part of my hom...
Jack_P_1P
1Password Team
3 years ago
Hey @wez:
Great question and a bit of an interesting one to figure out! The short version is that `op-ssh-sign` exists to make it an easy one click install. By default, Git uses `ssh-keygen` to sign commits, which relies on your `SSH_AUTH_SOCK` variable. It isn't possible for us to configure this on every platform automatically, so by using `op-ssh-sign`, all that's necessary to do is change the signing command in `.gitconfig`, rather than having to set environment variables.
With that said, there's definitely a way to do this, but it does require a bit more setup, but with an end result of being able to sign commits from your desktop using 1Password on your desktop, but when connected to your desktop from your laptop and have SSH agent forwarding enabled, approve prompts from your laptop.
- Comment out the `gpg.program` line that refers to `op-ssh-sign` in your `.gitconfig` file on your desktop.
- Ensure that `SSH_AUTH_SOCK` is set to point at the 1Password SSH agent socket. You'll want to configure this in your `.zshrc` or other shell setup script, but it's important to only set this if you're physically in front of this device. The way I have this configured on my Mac is to check what `SSH_AUTH_SOCK` is set to, and if that value contains `launchd`, then that means the current session is a local session, at which point I set `SSH_AUTH_SOCK` to the 1Password agent with `export SSH_AUTH_SOCK=~/.1password/agent.sock`. If the agent is instead contained in `/tmp/ssh` that means the agent is being forwarded, in which case I don't want to overwrite `SSH_AUTH_SOCK` and instead keep the agent forwarded from SSH.
- At this point, when you SSH from your laptop to your desktop, all SSH operations, including Git commit signing should be using 1Password from your laptop, not your desktop.
Let me know how you get on with that, or if you run into any trouble along the way.
Jack
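The socket selection described in the reply above, written out as a shell startup snippet. This is an added example, not part of the original reply and not 1Password's own code. The function name `pick_auth_sock` is hypothetical, and the `SSH_CONNECTION` fallback goes beyond the reply: it is an assumption added for desktops without `launchd` (such as the Linux machine in the question), relying on OpenSSH's sshd setting `SSH_CONNECTION` for remote sessions.

```shell
# Added example for ~/.zshrc or ~/.bashrc (not 1Password's own code).
# Socket path as given in the reply above.
OP_AGENT_SOCK="$HOME/.1password/agent.sock"

# pick_auth_sock CURRENT_SSH_AUTH_SOCK SSH_CONNECTION_VALUE
# Prints the value SSH_AUTH_SOCK should have for this session.
pick_auth_sock() {
    case "$1" in
        /tmp/ssh*)
            # Agent forwarded over SSH: keep it, so signing prompts
            # appear on the machine the user is actually sitting at.
            printf '%s\n' "$1"
            return 0
            ;;
        *launchd*)
            # macOS local session (default launchd socket): use 1Password.
            printf '%s\n' "$OP_AGENT_SOCK"
            return 0
            ;;
    esac

    # Assumption, not from the reply: with no launchd marker, treat the
    # session as local only when sshd did not set SSH_CONNECTION.
    if [ -z "$2" ]; then
        printf '%s\n' "$OP_AGENT_SOCK"
    else
        # Remote session without a forwarded agent: leave the value alone
        # rather than trigger a prompt on the unattended desktop.
        printf '%s\n' "$1"
    fi
}

new_sock=$(pick_auth_sock "${SSH_AUTH_SOCK:-}" "${SSH_CONNECTION:-}")
if [ -n "$new_sock" ]; then
    export SSH_AUTH_SOCK="$new_sock"
fi
unset new_sock
```

Running `ssh-add -l` in a local and then a forwarded session shows which agent answers in each case.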