sign_and_send_pubkey: signing failed for ED25519 "MyKey" from agent: agent refused operation

Thanks, @MartonS1P. I’ll probably stick with the production build if there’s not a known fix in the beta builds, and because my workaround isn’t too terribly painful. I’d be happy to help with any other reproduction steps and I look forward to hearing about a resolution.

Hi @ScottBassin,

That is indeed not the expected behavior. We will look into this issue and try to reproduce it. Meanwhile you can consider switching to the beta or nightly releases and see if that fixes your error. In any case we will look into it.

Hi, @MartonS1P.

That makes sense that the CLI behaves differently. However, I still think I might be seeing a bug.

For this reason, it will prompt you for the account password regardless of what you have configured in the settings.

Actually, this isn’t what is happening when I use SSH. I’m not getting prompted for the password and I’m just getting the error like in the original message above. My workaround is currently to get out of clamshell mode, which then allows the TouchID prompt to pop up.

Hi @ScottBassin!

I believe you're experiencing the intended behavior of the settings.

The "Biometric unlock for 1Password CLI" setting in the developer settings is specifically for the prompts you're shown when running any of the commands of the op CLI (e.g. op signin). This does not impact the SSH agent whatsoever, as the agent is not part of the CLI.

The prompts shown by the SSH agent (when using git/ssh) are configured by the "Touch ID" setting on the security settings screen (under "Unlock"). If you uncheck this box, the SSH agent will prompt you for the account password instead of showing you Touch ID prompts. The same will happen when you try to unlock the app for normal use.

When you're using your laptop in clamshell mode (with the lid closed), the SSH agent will no longer show you Touch ID prompts, as it assumes that you cannot easily reach your fingerprint reader. For this reason, it will prompt you for the account password regardless of what you have configured in the settings.

I hope this clears up the confusion. We have some improvements on the way for these authorization flows, but please let us know if any of this is not intuitive or if you have improvement suggestions. Also let me know if you have any more questions.

Hi, @MartonS1P.

I'm on

1Password for Mac 8.8.0
80800203, on PRODUCTION channel`


I just turned off biometric prompts on the developer settings page and I was still prompted for a fingerprint when using git/ssh. I just ran eval $(op signin) and was asked to type in my account password.

Thanks.

Hi @ScottBassin!

This is not expected behavior. Which version of the desktop app are you running, exactly?

In the case when the lid is open and biometric unlock turned off, do all prompts (SSH, CLI, unlock) still show up as biometric prompts?

Ah! I think I've figured this out. I've been running with my laptop closed. If I open the laptop, I'm given the opportunity to use my fingerprint to authenticate. Even with biometric unlock turned off (with the environment variable and in the 1Password settings), the application seems to be expecting me to use the fingerprint unlock.

And somehow when I try to sign in with op signin using the CLI, I'm never prompted for my password and I get this error:

[ERROR] 2022/08/08 16:32:22 authorization prompt dismissed, please try again


Not sure if this would help, but I get exactly the same error if I lock 1Password, and I'm never prompted for my vault password in that case.