Re: gpg-ssh signing with AgentForwarding


On 06.11.2024 20:16, Yarden Bar wrote:
Hello Git community,
Not sure what search terms I haven't used, but I'll try to describe the use-case

On my local machine I have a SSH key, and I use AgentForwarding when I
go out and about to other hosts (dev machines)
The usual workflow of using the forwarded socket works for pull and push.

Where it gets pitch-dark is when I try to use my ssh key to sign git commits.
Following is my git config on the remote host:

Hi Jordan,
the process on the remote host is pretty much identical to your local one, as long as the AgentForwarding works. When pull/push work, so should the signing. One small caveat for older remote machines is that you'll need a somewhat recent OpenSSH version; default Red Hat 7 or 8, for example, will not work. The ssh-keygen command needs the `-Y sign|verify` commands. If the remote is too old you can place a newer ssh-keygen there yourself and reference it in your git config via gpg.ssh.program.

=====================
[user]
   name = John Doe
   email = jdoe@xxxxxxxx
   # on my local machine (gpg-ssh signing works): signingkey = /Users/jdoe/.ssh/id_ecdsa.pub
   signingkey = WHAT_SHOULD_I_PUT_HERE # on my laptop it's the path to the public key from Secretive, or just omit it?

A path to your public key file or the literal key prefixed with key:: is fine.

[gpg]
   format = ssh
[commit]
   gpgsign = true
[gpg "ssh"]
   allowedSignersFile = /Users/jdoe/.gpg.ssh.allowedSignersFile # contents are: "email1,email2 key-type public_key comment"
=====================

I've tried
1. `ssh-agent -a /path/to/ssh.sock` - errored with address already in use
2. signingkey set to a path on the remote host with my public key,
errored with "no private key found"

I sense that I should be able to employ `gpg.ssh.defaultKeyCommand` to
use the socket somehow, but I can't wrap my head around it or find
some docs/guidance.

No need for defaultKeyCommand, and no need to start another agent on the remote host. If you get the "no private key found" error, then the connection to the ssh agent does not work (maybe because you started another one on the remote?). You can test this easily by running `ssh-add -l` on the remote host, which should print your public keys from the agent.

Kind regards,
Fabian


Other (related) links:
https://developer.1password.com/docs/ssh/git-commit-signing/ - I think that 1Password invested the time to make it work
https://github.com/maxgoedjen/secretive/discussions/338#discussioncomment-11170722 - asked the same on the Secretive repo, which is one way to store keys
https://github.com/maxgoedjen/secretive/issues/405#issuecomment-2460948732 - also here.

Thank you,
Jordan
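The checks Fabian describes (is the forwarded agent reachable, does it hold the signing key, is ssh-keygen new enough for `-Y`) can be scripted as a small preflight on the remote host. The script below is an added example for this thread, not code from git, OpenSSH or either poster. It assumes a version floor of OpenSSH 8.2p1, the release in which `ssh-keygen -Y find-principals` appeared (git relies on it for verification; RHEL 8's default 8.0p1 has `-Y sign|verify` but not that), it writes the allowed_signers line with the `namespaces="git"` option so the key is only trusted for git signatures, and the function names, sample `ssh-add -L` listing and sample key are constructed for illustration (they are not real keys).

```shell
#!/usr/bin/env bash
# Preflight for git SSH signing on a remote host over a forwarded agent.
# Added example for this thread, not code from git, OpenSSH or the posters.
# Assumptions not stated in the thread: the version floor is taken as
# OpenSSH 8.2p1, where `ssh-keygen -Y find-principals` (git needs it to
# verify) appeared; RHEL 8's default 8.0p1 has -Y sign/verify but not that.
# The function names, the sample `ssh-add -L` listing and the sample key
# below are constructed for illustration and are not real keys.
set -u

# Parse the "OpenSSH_X.Y..." banner that `ssh -V` prints on stderr and
# return 0 when X.Y is at least 8.2. Takes the banner text, not a command.
openssh_version_ok() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    set -- $ver
    [ "$1" -gt 8 ] || { [ "$1" -eq 8 ] && [ "$2" -ge 2 ]; }
}

# Given the output of `ssh-add -L` (one "type blob comment" line per key)
# and the signing public key (optionally with git's key:: prefix), return 0
# when the forwarded agent holds that key. Only type and blob are compared;
# the comment often differs between hosts.
agent_has_key() {
    listing=$1
    pubkey=${2#key::}
    want=$(printf '%s\n' "$pubkey" | awk '{print $1, $2}')
    printf '%s\n' "$listing" |
        awk -v want="$want" '($1 " " $2) == want { found = 1 } END { exit !found }'
}

# Build the allowed_signers line for the committer e-mail(s) and the public
# key, restricted to the "git" namespace that git uses for its signatures.
allowed_signers_line() {
    pubkey=${2#key::}
    printf '%s namespaces="git" %s\n' "$1" "$(printf '%s\n' "$pubkey" | awk '{print $1, $2}')"
}

# Live check on the remote host (needs ssh, ssh-add and the forwarded socket).
preflight() {
    pubkey=${1#key::}
    if ! openssh_version_ok "$(ssh -V 2>&1)"; then
        echo "OpenSSH too old for ssh-keygen -Y find-principals; point gpg.ssh.program at a newer ssh-keygen" >&2
        return 1
    fi
    if [ -z "${SSH_AUTH_SOCK:-}" ]; then
        echo "SSH_AUTH_SOCK is unset: the agent is not forwarded (ssh -A / ForwardAgent yes)" >&2
        return 1
    fi
    if ! agent_has_key "$(ssh-add -L 2>/dev/null)" "$pubkey"; then
        echo "forwarded agent does not hold the signing key; compare with: ssh-add -l" >&2
        return 1
    fi
    echo "ok: signing will go through the forwarded agent; set user.signingkey to 'key::$pubkey'"
}

# Constructed sample data (not real keys).
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedNotARealKey00000000000000 jdoe@laptop'
SAMPLE_LISTING="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQConstructedRsaBlob00000000 jdoe@laptop
$SAMPLE_PUBKEY"

if [ "${1:-}" = "--live" ]; then
    # e.g.  ./preflight.sh --live "$(cat ~/.ssh/id_ed25519.pub)"
    preflight "${2:-$SAMPLE_PUBKEY}"
else
    # Offline demonstration on the constructed data.
    if openssh_version_ok 'OpenSSH_8.0p1, OpenSSL 1.1.1k  FIPS 25 Mar 2021'; then
        echo '8.0p1 ok'
    else
        echo '8.0p1 (RHEL 8 default) too old: no ssh-keygen -Y find-principals'
    fi
    agent_has_key "$SAMPLE_LISTING" "key::$SAMPLE_PUBKEY" && echo 'agent holds the signing key'
    allowed_signers_line 'jdoe@example.com,jdoe@example.org' "$SAMPLE_PUBKEY"
fi
```

Run it with `--live "$(cat ~/.ssh/id_ed25519.pub)"` on the remote host after logging in with agent forwarding; a failure in the agent step is the same condition that produces git's "no private key found". Once it passes, `git config gpg.format ssh`, `git config user.signingkey "key::$(cat ~/.ssh/id_ed25519.pub)"` and `git config gpg.ssh.allowedSignersFile ~/.ssh/allowed_signers` (with the line the script prints) are enough for `git commit -S` and `git log --show-signature` to work through the forwarded socket, without a second agent or `gpg.ssh.defaultKeyCommand`.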