Forum Discussion
SSH commit signing inside docker
Is it possible to use commit signing inside a docker container (Visual Studio Code Remote Containers)?
1Password Version: 8.9.4
Extension Version: Not Provided
OS Version: macos 12.6
Browser: Not Provided
Referrer: forum-search:https://1password.community/search?Search=ssh%20commit%20signing%20docker
8 Replies
- Jack_P_1P
1Password Team
Hey @EERattler:
Great question. We can definitely help with this, but it'll likely take a closer look at your specific setup to determine the best course of action for you. To protect your privacy, can you please email us at support+forum@1password.com with a link to your post (https://1password.community/discussion/comment/673500/#Comment_673500), your username EERattler, and mention that SSH commit signing isn't working as it should. We'll continue the conversation via email. Thanks!
Jack
- Former Member
floris_1P Is there a way to remove the op-ssh-sign binary by setting an alternate value in the local gitconfig? I'd like to still keep SSH signing with 1P globally but I need to remove the binary to get signing inside of the remote container to work.
- Former Member
floris_1P Yes! It works now! Thanks!
- floris_1P
1Password Team
@srxavi Did you get it to work?
- Former Member
Thank you so much!
- floris_1P
1Password Team
Ah, I forgot to mention that: the op-ssh-sign binary is technically optional. The primary reason why that exists is to make sure the 1Password socket is used for signing, so that you don't have to set SSH_AUTH_SOCK yourself.
However, in a forwarding scenario, SSH_AUTH_SOCK is always there. So in that case, you can omit gpg.ssh.program in your Gitconfig, and Git will then use ssh-keygen instead.
- Former Member
Hi! Thanks for your response!
The problem with this is that it is looking for a /Applications/1Password.app/Contents/MacOS/op-ssh-sign that does not exist inside the docker image.
- floris_1P
1Password Team
Docker for Mac can forward $SSH_AUTH_SOCK into any container, all you need to do is add these 'magic' flags:
-v /run/host-services/ssh-auth.sock:/run/host-services/ssh-auth.sock -e SSH_AUTH_SOCK=/run/host-services/ssh-auth.sock
A proof of concept:
docker run -v /run/host-services/ssh-auth.sock:/run/host-services/ssh-auth.sock -e SSH_AUTH_SOCK=/run/host-services/ssh-auth.sock alpine sh -c 'apk add openssh && ssh-add -l'
With the agent socket available in your container, you should be able to set up commit signing as well.
A few caveats:
- $SSH_AUTH_SOCK needs to be set before Docker for Mac launches (so not just your container, but the entire Docker for Mac app). More info on how you can do that here.
- Your local ~/.gitconfig file will not automatically be present in your Docker container, so you should either mount it as a volume or make sure it gets created within the container.
- The SSH agent authorization model works a bit differently with Docker for Mac than you might expect: you'll only authorize Docker once and then every container that has the socket mounted will be authorized to use the key. That's something to keep in mind.
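
The setup described in this thread, as an added example (not part of the thread and not 1Password's code): it checks the agent socket, picks a public key from ssh-add -L output, and emits Git config overrides as environment variables, so a mounted host ~/.gitconfig that points gpg.ssh.program at op-ssh-sign is overridden only inside the container. The function names and the --emit flag are hypothetical; it assumes a Git version that supports SSH signing, the key:: prefix for user.signingkey, and GIT_CONFIG_COUNT.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Succeeds only if SSH_AUTH_SOCK names an existing Unix socket.
agent_socket_ok() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# Reads `ssh-add -L` output on stdin; prints "type base64" of the first key
# whose comment contains $1 (empty $1 = first key). Fails if nothing matches.
pick_agent_key() {
    awk -v want="$1" '
        $1 ~ /^(ssh-|ecdsa-|sk-)/ && NF >= 2 {
            comment = ""
            for (i = 3; i <= NF; i++) comment = comment " " $i
            if (want == "" || index(comment, want)) {
                print $1 " " $2; found = 1; exit
            }
        }
        END { exit(found ? 0 : 1) }'
}

# Prints VAR=value lines (usable with `docker run --env-file`) that override
# Git config for that container only. They take precedence over a mounted
# ~/.gitconfig, so a gpg.ssh.program pointing at op-ssh-sign is ignored there.
signing_env() {
    n=0
    for kv in "gpg.format=ssh" "gpg.ssh.program=ssh-keygen" \
              "user.signingkey=key::$1" "commit.gpgsign=true"; do
        printf 'GIT_CONFIG_KEY_%d=%s\n' "$n" "${kv%%=*}"
        printf 'GIT_CONFIG_VALUE_%d=%s\n' "$n" "${kv#*=}"
        n=$((n + 1))
    done
    printf 'GIT_CONFIG_COUNT=%d\n' "$n"
}

# Usage: sh signing-env.sh --emit [comment-substring] > signing.env
if [ "${1:-}" = "--emit" ]; then
    agent_socket_ok || { echo "SSH_AUTH_SOCK is not a socket" >&2; exit 1; }
    key=$(ssh-add -L | pick_agent_key "${2:-}") ||
        { echo "no matching key in agent" >&2; exit 1; }
    signing_env "$key"
fi
```

Pass the resulting file with --env-file alongside the -v and -e flags from the post above. Pinning one key by its comment does not narrow what the mounted socket can sign with; it only fixes which key Git asks for.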