maxgoedjen / secretive

Store SSH keys in the Secure Enclave
MIT License
7.26k stars, 159 forks

secretive failure: signing failed: agent refused operation #321

Open j-baker opened 2 years ago

j-baker commented 2 years ago

Per the FAQ, filing an issue with the log. Seems git is struggling to connect to the SSH agent; have tried restarting SecretAgent a couple of times but no success.

ssh -Tv git@github.com
OpenSSH_8.1p1, LibreSSL 2.7.3
debug1: Reading configuration data /Users/jbaker/.ssh/config
debug1: /Users/jbaker/.ssh/config line 1: Applying options for *
debug1: /Users/jbaker/.ssh/config line 26: Applying options for github.com
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 47: Applying options for *
debug1: Connecting to github.com port 22.
debug1: Connection established.
debug1: identity file /Users/jbaker/.ssh/id_rsa type 2
debug1: identity file /Users/jbaker/.ssh/id_rsa-cert type -1
debug1: identity file /Users/jbaker/.ssh/id_rsa.github type 2
debug1: identity file /Users/jbaker/.ssh/id_rsa.github-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.1
debug1: Remote protocol version 2.0, remote software version babeld-17a926d7
debug1: no match: babeld-17a926d7
debug1: Authenticating to github.com:22 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8
debug1: Host 'github.com' is known and matches the RSA host key.
debug1: Found key in /Users/jbaker/.ssh/known_hosts:1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /Users/jbaker/.ssh/id_rsa ECDSA SHA256:M+4qLlwZM61RInVskabES4bgCZ5MThbmS8cNeAJXTDw explicit agent
debug1: Will attempt key: /Users/jbaker/.ssh/id_rsa.github ECDSA SHA256:OPAoToICXNypVGa99bDlauzzSBlVg4hrHADySnMidLo explicit agent
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/jbaker/.ssh/id_rsa ECDSA SHA256:M+4qLlwZM61RInVskabES4bgCZ5MThbmS8cNeAJXTDw explicit agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: /Users/jbaker/.ssh/id_rsa.github ECDSA SHA256:OPAoToICXNypVGa99bDlauzzSBlVg4hrHADySnMidLo explicit agent
debug1: Server accepts key: /Users/jbaker/.ssh/id_rsa.github ECDSA SHA256:OPAoToICXNypVGa99bDlauzzSBlVg4hrHADySnMidLo explicit agent
sign_and_send_pubkey: signing failed: agent refused operation
debug1: No more authentication methods to try.
git@github.com: Permission denied (publickey).

j-baker commented 2 years ago

It's worth noting that I've been using this for the last 18 months with no issues. Great software, love it!

maxgoedjen commented 2 years ago

Hm that's odd. Just to cover bases, try rebooting yet? Not ideal but sometimes macOS gets a bit confused and launchd starts having issues.

andir commented 1 year ago

Just to add another data point: I am seeing this as well. 10 minutes ago it worked just fine, I went away to grab a coffee and now it shows me the same error message. I'll reboot now and see if that fixes it. Stopping and starting the service via launchd (which usually resolves most of my issues with this amazing application) doesn't do it this time.

EDIT: After a reboot it works again :|

fuomag9 commented 1 year ago

This happened to me as well :(

Btw, how do I restart it? I did not find the daemon with launchctl list.

luckman212 commented 1 year ago

Any way to troubleshoot this further @maxgoedjen ? I'm hitting this issue on both of my test machines, one MacBook Air 2022 and one Mac Mini 2020, both running macOS 14.1 (23B74) + Secretive 2.3.1. I've rebooted both multiple times and confirm that the Agent is running.

Here's an example host override in my ~/.ssh/ssh_config

#test securehost
Host 20.30.40.50
    User root
    ControlPath none
    IdentitiesOnly yes
    IdentityAgent ~/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/socket.ssh
    IdentityFile none
    PasswordAuthentication no

Executing the following test command results in an error message.

$ ssh -vvv 20.30.40.50 |& grep ssh_agent
debug2: get_agent_identities: ssh_agent_bind_hostkey: agent refused operation


sjmadsen commented 1 year ago

I see this error with -vv, too, but it seems benign in my case. I have a different problem, where attempting to override the IdentityAgent in a Host section for GitHub doesn't switch to Secretive's agent, instead continuing to use my default 1Password agent. That's an SSH issue, though.

luckman212 commented 10 months ago

I figured I'd try again with v2.4.0

I got it to work 🚀 — realized I had to specify an IdentityFile in my ~/.ssh/config file (specifying only the IdentityAgent is not enough).

Now, my question is how to properly store these keys on my 2 different Macs... I don't see any way to export or import keys to the secure enclave. The FAQ says it can't be done. It becomes a bit unwieldy to have to copy 2-3 public keys to every host I manage. Wonder if anyone has any tips about that.
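The IdentityFile requirement described in the comment above follows from OpenSSH's IdentitiesOnly semantics: with IdentitiesOnly yes, ssh offers an agent key only when its public half is listed through IdentityFile (or found at the default ~/.ssh/id_* paths). The host override quoted earlier in this thread points IdentityAgent at Secretive but sets IdentityFile none, so nothing is ever offered and authentication fails before the agent is asked to sign; the ssh_agent_bind_hostkey refusal seen with -vvv is, as noted above, a separate and benign message. The linter below is an added example written for this page, not code from Secretive or OpenSSH. It parses the Host blocks of an ssh_config, flags that combination, and rewrites IdentityFile none to reference an exported public key. The sample config reuses the socket path from the thread; the ~/.ssh/secretive-laptop.pub path is a placeholder.

```python
"""Lint ssh_config Host blocks for the IdentitiesOnly / IdentityFile mismatch."""
import re

# Agent socket path as given in the thread.
SECRETIVE_SOCKET = "~/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/socket.ssh"

# Constructed sample config: the first block mirrors the failing override from
# the thread, the second is the working shape (IdentityFile names the public
# key exported from the agent; that .pub path is a placeholder).
SAMPLE_CONFIG = f"""\
#test securehost
Host 20.30.40.50
    User root
    ControlPath none
    IdentitiesOnly yes
    IdentityAgent {SECRETIVE_SOCKET}
    IdentityFile none
    PasswordAuthentication no

Host github.com
    IdentitiesOnly yes
    IdentityAgent {SECRETIVE_SOCKET}
    IdentityFile ~/.ssh/secretive-laptop.pub
"""

# "Keyword value" or "Keyword=value"; OpenSSH keywords are case-insensitive.
_KV = re.compile(r"^([A-Za-z]+)\s*=?\s*(.*?)\s*$")


def parse_host_blocks(text):
    """Return [(host_pattern, {keyword: [values]})] in file order.

    Values are kept as lists because IdentityFile may repeat. Options that
    appear before the first Host/Match line land in a "*" block.
    """
    blocks, pattern, opts = [], None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _KV.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key in ("host", "match"):
            if pattern is not None or opts:
                blocks.append((pattern or "*", opts))
            pattern, opts = value, {}
        else:
            opts.setdefault(key, []).append(value)
    if pattern is not None or opts:
        blocks.append((pattern or "*", opts))
    return blocks


def lint_block(opts):
    """Findings for one block; an empty list means agent keys will be offered.

    Within a block OpenSSH keeps the first value of a single-valued keyword,
    hence [0] for IdentitiesOnly and IdentityAgent.
    """
    findings = []
    only = opts.get("identitiesonly", ["no"])[0].lower() == "yes"
    agent = opts.get("identityagent", [""])[0]
    declared = opts.get("identityfile", [])
    usable = [f for f in declared if f.lower() != "none"]
    if only and agent and not declared:
        findings.append("IdentitiesOnly yes relies on the default ~/.ssh/id_* files; "
                        "the agent key is offered only if its .pub sits there")
    elif only and agent and not usable:
        findings.append("IdentitiesOnly yes with IdentityFile none: no key from "
                        "IdentityAgent will be offered; list each key's .pub via IdentityFile")
    return findings


def lint_config(text):
    """Map every Host pattern to its findings."""
    return {pattern: lint_block(opts) for pattern, opts in parse_host_blocks(text)}


def fix_identity_file_none(text, pubkey_path):
    """Rewrite every 'IdentityFile none' line to reference the exported .pub."""
    return re.sub(r"(?im)^([ \t]*IdentityFile)[ \t]*=?[ \t]*none[ \t]*$",
                  lambda m: f"{m.group(1)} {pubkey_path}", text)


if __name__ == "__main__":
    for host, findings in lint_config(SAMPLE_CONFIG).items():
        print(host, "->", findings or "OK")
    print(fix_identity_file_none(SAMPLE_CONFIG, "~/.ssh/secretive-laptop.pub"))
```

To get the public line for the IdentityFile, run ssh-add -L with SSH_AUTH_SOCK set to the Secretive socket and save the output to a .pub file. After editing, ssh -G <host> prints the effective identitiesonly, identityfile and identityagent values once all Host blocks are merged, which is the quickest check that the override actually applied.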

sjmadsen commented 10 months ago

@luckman212 It is not possible to export a key from the Secure Enclave. They are hardware-bound.

luckman212 commented 10 months ago

I see. Am I missing something about the utility of this system? What is the correct method for ensuring you don't get locked out of a critical system should you lose access to that one specific Mac (lost, stolen, broken, etc.)?

Or is this simply to supplement an existing disk-based key as an alternate/convenience method?

j-baker commented 10 months ago

In a model such as this, you'd be expected to have two different keys and set up trust for both of them. In some cases this is trivial (e.g. GitHub making it easy to support multiple SSH keys). In other cases it may be harder.

There are advantages of this model (namely one needn't worry about a software vulnerability causing the key to be shared). The disadvantage is that key management becomes somewhat harder.

If you would like to share your SSH key easily between devices, I could recommend either the 1Password support (although this does not keep the key solely in hardware), or Yubikey's support for loading in externally generated keys (as GPG keys, which can be used for SSH).
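The two-keys model described in the comment above, as an added example that is neither Secretive's code nor written by anyone in this thread: because a Secure Enclave key cannot leave its device, every managed host needs the public half of each Mac's key in authorized_keys, and the failure mode to guard against is drift, a host that still trusts only the machine that was lost. The script builds ecdsa-sha2-nistp256 public-key lines in OpenSSH's wire format from constructed placeholder points, computes the SHA256 fingerprint the way ssh-keygen -lf displays it, and merges keys into authorized_keys content idempotently, deduplicating by key blob rather than by comment and optionally prepending authorized_keys options. The key comments and the existing file contents are made up for the example.

```python
"""Enroll several hardware-bound public keys into authorized_keys, idempotently."""
import base64
import hashlib
import shlex
import struct

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def ssh_string(b):
    """SSH wire 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def make_ecdsa_p256_pubkey_line(point, comment):
    """Build an 'ecdsa-sha2-nistp256 <base64 blob> <comment>' line.

    Secure Enclave keys appear through the agent as ecdsa-sha2-nistp256; the
    blob layout (type, curve name, uncompressed point) is OpenSSH's. The point
    used by the samples below is a constructed placeholder, not a real curve
    point, which does not matter for parsing or fingerprinting.
    """
    blob = ssh_string(b"ecdsa-sha2-nistp256") + ssh_string(b"nistp256") + ssh_string(point)
    return f"ecdsa-sha2-nistp256 {base64.b64encode(blob).decode()} {comment}"


def key_fields(line):
    """Return (key_type, base64_blob) from a public-key or authorized_keys line.

    Leading authorized_keys options (restrict, from="...", command="...") are
    skipped; shlex copes with the quoted option values. Returns None for
    comments, blank lines and anything that carries no key type.
    """
    try:
        parts = shlex.split(line, comments=False)
    except ValueError:
        parts = line.split()
    for i, p in enumerate(parts):
        if p.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(parts):
            return p, parts[i + 1]
    return None


def fingerprint(line):
    """SHA256 fingerprint in the form ssh-keygen -lf prints (unpadded base64)."""
    _, b64 = key_fields(line)
    digest = hashlib.sha256(base64.b64decode(b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def merge_authorized_keys(existing, new_lines, options=None):
    """Add keys not already present; returns (new content, number added).

    Presence is judged by (type, blob), never by comment, so re-running with
    the same keys is a no-op. `options` is an authorized_keys options string
    (for example "restrict,pty") prepended to each key that gets added.
    """
    present = {key_fields(l) for l in existing.splitlines()} - {None}
    out = existing.rstrip("\n").splitlines() if existing.strip() else []
    added = 0
    for line in new_lines:
        key = key_fields(line.strip())
        if key is None or key in present:
            continue
        present.add(key)
        out.append(f"{options} {line.strip()}" if options else line.strip())
        added += 1
    return "\n".join(out) + "\n", added


# Constructed samples: one placeholder key per Mac, and an authorized_keys
# that already trusts the laptop's key.
LAPTOP_KEY = make_ecdsa_p256_pubkey_line(b"\x04" + bytes(range(1, 65)), "secretive@laptop")
DESKTOP_KEY = make_ecdsa_p256_pubkey_line(b"\x04" + bytes(range(65, 129)), "secretive@desktop")
EXISTING = "# managed by hand\n" + LAPTOP_KEY + "\n"

if __name__ == "__main__":
    merged, n = merge_authorized_keys(EXISTING, [LAPTOP_KEY, DESKTOP_KEY], options="restrict,pty")
    print(f"added {n} key(s)")
    for line in (LAPTOP_KEY, DESKTOP_KEY):
        print(fingerprint(line), line.split()[-1])
    print(merged)
```

With the real lines from each Mac's agent in place of the samples, running the merge across every host before the second machine is actually needed is what keeps the backup key useful; comparing fingerprint() output with what ssh-keygen -lf reports on the host confirms the right key landed.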

martinpaljak commented 3 months ago

I'm facing an issue where Git sporadically refuses to sign a commit with secretive, but trying 1..2 times will work.