flathub / com.syntevo.SmartGit

https://flathub.org/apps/details/com.syntevo.SmartGit

Unable to access repository with SSH key managed by GnuPG (agent) #74

Closed x80486 closed 2 years ago

x80486 commented 2 years ago

Generated a (Certify only) key pair with GnuPG; then added two subkeys: one for authentication and another one for signing.

Configure the environment for the integration:

unset SSH_AGENT_PID

if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
  SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
  export SSH_AUTH_SOCK
fi

GPG_TTY=$(tty)
export GPG_TTY

gpg-connect-agent updatestartuptty /bye >/dev/null

Reload GnuPG agent, and make sure (ssh-add -L) the SSH agent was able to load the public key correctly. If so, add that public SSH key to GitHub, GitLab, etc.

This setup works in the terminal:

[x80486@uplink:~/Workshop/erlang_otp]$ git push --porcelain --progress origin refs/heads/main:refs/heads/main 
Enumerating objects: 5, done.
Counting objects: 100% (5/5), done.
Delta compression using up to 12 threads
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 489 bytes | 489.00 KiB/s, done.
Total 3 (delta 2), reused 0 (delta 0), pack-reused 0
remote: . Processing 1 references
remote: Processed 1 references in total
To github.com:x80486/erlang_otp.git
    refs/heads/main:refs/heads/main b60473b..8e55fcf
Done

...but fails in SmartGit:

[11:18 PM] Pull (Rebase): Could not read from remote repository.
    ~/Workshop/erlang_otp> git -c credential.helper=/app/extra/smartgit/lib/credentials.sh fetch --progress --prune --no-tags --recurse-submodules=no origin
    git@github.com: Permission denied (publickey).
    Could not read from remote repository.
    Please make sure you have the correct access rights
    and the repository exists.
    Could not update branch states (green and red arrows) due to: Could not read from remote repository.

This is the debug output from both: the terminal and the Flatpak application:

[x80486@uplink:~/Workshop/erlang_otp]$ ssh -T -v git@github.com 
OpenSSH_9.0p1, OpenSSL 1.1.1o  3 May 2022
debug1: Reading configuration data /home/x80486/.ssh/config
debug1: /home/x80486/.ssh/config line 1: Applying options for github.com
debug1: /home/x80486/.ssh/config line 11: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to github.com port 22.
debug1: Connection established.
...
debug1: Authenticating to github.com:22 as 'git'
...
debug1: Host 'github.com' is known and matches the ED25519 host key.
debug1: Found key in /home/x80486/.ssh/known_hosts:1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
# Here the agent returns two identities, which is exactly what I have
debug1: get_agent_identities: agent returned 2 keys
debug1: Will attempt key: (none) ED25519 SHA256:06********/U agent
debug1: Will attempt key: (none) ED25519 SHA256:1G********kM agent
...
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: (none) ED25519 SHA256:06********/U agent
debug1: Server accepts key: (none) ED25519 SHA256:06********/U agent
debug1: Enabling compression at level 6.
Authenticated to github.com using "publickey".
...
Learned new hostkey: ECDSA SHA256:T9********/E
Adding new key for github.com to /home/x80486/.ssh/known_hosts: ecdsa-sha2-nistp256 SHA256:T9********/E
Hi there, x80486! You've successfully authenticated with the key named github (personal), but GitHub does not provide shell access.
...
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 2576, received 2964 bytes, in 0.4 seconds
Bytes per second: sent 6404.6, received 7369.2
debug1: Exit status 0
debug1: compress outgoing: raw data 537, compressed 519, factor 0.97
debug1: compress incoming: raw data 1317, compressed 1140, factor 0.87

[08:41 PM] SmartGit's Tool Git SSH Test
~/Workshop/erlang_otp> ssh -T -v git@github.com
OpenSSH_8.9p1, OpenSSL 1.1.1n  15 Mar 2022
debug1: Reading configuration data /home/x80486/.ssh/config
debug1: /home/x80486/.ssh/config line 1: Applying options for github.com
debug1: /home/x80486/.ssh/config line 7: Applying options for *
debug1: Reading configuration data /etc/ssh_config
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to github.com port 22.
debug1: Connection established.
...
debug1: Authenticating to github.com:22 as 'git'
...
debug1: Host 'github.com' is known and matches the ED25519 host key.
debug1: Found key in /home/x80486/.ssh/known_hosts:1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
# Here the agent returns nothing :/
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: ssh_fetch_identitylist: agent contains no identities
...
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/x80486/.ssh/id_rsa
debug1: Trying private key: /home/x80486/.ssh/id_ecdsa
debug1: Trying private key: /home/x80486/.ssh/id_ecdsa_sk
debug1: Trying private key: /home/x80486/.ssh/id_ed25519
debug1: Trying private key: /home/x80486/.ssh/id_ed25519_sk
debug1: Trying private key: /home/x80486/.ssh/id_xmss
debug1: Trying private key: /home/x80486/.ssh/id_dsa
debug1: No more authentication methods to try.
git@github.com: Permission denied (publickey).

x80486 commented 2 years ago

Since this was working before setting SSH_AUTH_SOCK, looks like (bold guess) the Flatpak doesn't have access to /run/user/1000/gnupg/S.gpg-agent.ssh :roll_eyes:

[x80486@uplink:~]$ echo $SSH_AUTH_SOCK
/run/user/1000/keyring/ssh
[x80486@uplink:~]$ echo "$(gpgconf --list-dirs agent-ssh-socket)"
/run/user/1000/gnupg/S.gpg-agent.ssh

x80486 commented 2 years ago

Wrote to syntevo Support and they stated:

For the system SSH to work, the most important thing is that it must not ask for anything on the command line. To make something in .bashrc work, you need to launch SmartGit from the command line (not an icon).

So I started the Flatpak via flatpak run com.syntevo.SmartGit and indeed this currently works as expected.

As a side note, I didn't initially test this with stock SmartGit. It doesn't work with the official package either (if not started from the command line). Same issue for Windows and macOS.
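
Added example, not part of the original thread or of SmartGit: a shell check for which SSH agent socket a running process actually inherited, compared with the socket gpg-agent serves. The function names and the `smartgit` process pattern are assumptions; the two socket paths in the constructed sample are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: find out which SSH agent socket a process inherited.

# Print SSH_AUTH_SOCK from a NUL-separated environment dump (the format
# of /proc/<pid>/environ). Prints nothing if the variable is absent.
sock_from_environ() {
    tr '\000' '\n' < "$1" | sed -n 's/^SSH_AUTH_SOCK=//p' | head -n 1
}

# Compare the socket a process sees ($1) with gpg-agent's SSH socket ($2).
# Prints one of: unset, match, mismatch.
classify_sock() {
    if [ -z "$1" ]; then
        echo unset
    elif [ "$1" = "$2" ]; then
        echo match
    else
        echo mismatch
    fi
}

# Report on one live process. $1 = pid, $2 = expected socket
# (optional; defaults to what gpgconf reports).
check_pid() {
    expected="${2:-$(gpgconf --list-dirs agent-ssh-socket)}"
    actual="$(sock_from_environ "/proc/$1/environ")"
    printf '%s: SSH_AUTH_SOCK=%s (%s)\n' "$1" "${actual:-<unset>}" \
        "$(classify_sock "$actual" "$expected")"
}

# Constructed sample: environment of a process started from a desktop
# icon, where .bashrc never ran and the keyring socket is still set.
demo() {
    f="$(mktemp)"
    printf 'HOME=/home/x80486\000SSH_AUTH_SOCK=/run/user/1000/keyring/ssh\000' > "$f"
    classify_sock "$(sock_from_environ "$f")" /run/user/1000/gnupg/S.gpg-agent.ssh
    rm -f "$f"
}

# Usage against live processes (process pattern is an assumption):
#   for pid in $(pgrep -f smartgit); do check_pid "$pid"; done
```

A `mismatch` or `unset` result for the GUI process, next to `match` in the terminal, corresponds to the "agent contains no identities" line in the debug output above.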