maxgoedjen / secretive

Store SSH keys in the Secure Enclave
MIT License
7.27k stars 159 forks

Add ssh signing configuration to setup flow #405

Open maxgoedjen opened 2 years ago

gl-njanz commented 1 year ago

Looking at Sources/Secretive/Controllers/ShellConfigurationController.swift I think some options (like user.signingkey) require manual intervention 😔

I'll give it a shot nonetheless, to at least get the very basic configuration out of the way.

asmeurer commented 1 year ago

Anyone know how to actually get this to work? Now that I'm on Sonoma, my git version should be new enough to support SSH signing. I tried

[user]
    signingkey = /Users/aaronmeurer/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/PublicKeys/d602b5d8feb868afff5f349c72566c3f.pub

[gpg]
    format = ssh

but git gives the error

error: No private key found for public key "/Users/aaronmeurer/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/PublicKeys/d602b5d8feb868afff5f349c72566c3f.pub"?

fatal: failed to write commit object

The other issue mentioned $SSH_AUTH_SOCK. What should that be set to? For me, it's set to /private/tmp/com.apple.launchd.QcPAws7d9k/Listeners.

adamcstephens commented 1 year ago

I have been using secretive to sign git successfully for a long time. I use the gpg.ssh.defaultKeyCommand config option to run a script to retrieve the public key for signing. https://git-scm.com/docs/git-config#Documentation/git-config.txt-gpgsshdefaultKeyCommand

git config:

[gpg]
    format = ssh
[gpg "ssh"]
    defaultKeyCommand = git-ssh-key.sh

with the following script which will read the public key from the agent (or falls back to a file)

#!/usr/bin/env sh
# Prints the signing public key in the "key::<pubkey>" form that git expects
# from gpg.ssh.defaultKeyCommand.

# Prefer the first key offered by the SSH agent (Secretive's agent when
# SSH_AUTH_SOCK points at its socket); otherwise fall back to a key file.
if [ -n "$SSH_AUTH_SOCK" ]; then
  key="$(ssh-add -L | head -n 1)"
elif [ -e ~/.ssh/id_ed25519 ]; then
  key="$(cat ~/.ssh/id_ed25519.pub)"
fi

if [ -z "$key" ]; then
  echo "Failed to detect key, bailing out" >&2
  exit 1
fi

echo "key::$key"

and my ssh_auth_sock set to

SSH_AUTH_SOCK="$HOME/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/socket.ssh"

asmeurer commented 1 year ago

and my ssh_auth_sock set to

SSH_AUTH_SOCK="$HOME/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/socket.ssh"

This seems to be what I was missing. I was under the impression that Secretive would set that to what it needed to be automatically.

I use the gpg.ssh.defaultKeyCommand config option to run a script to retrieve the public key for signing. git-scm.com/docs/git-config#Documentation/git-config.txt-gpgsshdefaultKeyCommand

From what I can tell, you can also just symlink your Secretive key to ~/.ssh/signing_key.pub (or whatever) and use that for your signingkey.

At any rate, I have it working now: https://github.com/asmeurer/dotfiles/commit/ebaad0ad1105f25e1d1e3dcbf8b6fe7c8926e44e.

The only thing I'm not sure about is what I'm supposed to do for local verification. If I do git show --show-signature it says error: gpg.ssh.allowedSignersFile needs to be configured and exist for ssh signature verification. Apparently I have to create some file to tell git that my SSH key is legit https://git-scm.com/docs/git-config#Documentation/git-config.txt-gpgsshallowedSignersFile. I don't know if there's a standard way of handling that. I guess I can just make a file with my key.

Again, it would really help if Secretive could just do all this for me.

asmeurer commented 1 year ago

The only thing I'm not sure about is what I'm supposed to do for local verification. If I do git show --show-signature it says error: gpg.ssh.allowedSignersFile needs to be configured and exist for ssh signature verification. Apparently I have to create some file to tell git that my SSH key is legit git-scm.com/docs/git-config#Documentation/git-config.txt-gpgsshallowedSignersFile. I don't know if there's a standard way of handling that. I guess I can just make a file with my key.

I found this https://docs.gitlab.com/ee/user/project/repository/signed_commits/ssh.html#verify-commits-locally. I'm not going to bother with other people's keys, but I can at least add my own key so they show as verified.

Ideally you'd want git to use GitHub to actually verify commits based on whether the key is configured by a given user, just like GitHub does in the web interface. But I'm not sure if that sort of thing is supported.
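A more defensive variant of the defaultKeyCommand script from adamcstephens's comment above, added here as an example (not code from this thread or from Secretive): it selects the agent key by a substring of its comment instead of taking whatever `ssh-add -L` lists first, which matters once agent forwarding exposes several keys, and it also produces the gpg.ssh.allowedSignersFile line asmeurer asks about for local verification. The script name, the pattern argument and the sample key listing are assumptions/constructed.

```shell
#!/usr/bin/env sh
# Added example (not Secretive's code): a gpg.ssh.defaultKeyCommand that picks
# the agent key whose comment contains the pattern given as $1, instead of
# `ssh-add -L | head -n 1`, so a forwarded agent holding several keys still
# signs with the intended one. Usage: defaultKeyCommand = git-ssh-key.sh <match>

# select_signing_key MATCH   (reads `ssh-add -L` style lines on stdin)
# Prints "key::<type> <base64>" for the first key whose comment contains MATCH.
select_signing_key() {
  match="$1"
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    set -f                 # no globbing while word-splitting the line
    set -- $line           # $1=type $2=base64 $3...=comment
    set +f
    [ $# -ge 2 ] || continue
    ktype="$1"; blob="$2"; shift 2; comment="$*"
    case "$comment" in
      *"$match"*) printf 'key::%s %s\n' "$ktype" "$blob"; return 0 ;;
    esac
  done
  return 1
}

# allowed_signers_line EMAIL KEYSPEC
# Turns a "key::..." value into a gpg.ssh.allowedSignersFile entry limited to
# the git namespace, so `git show --show-signature` can verify locally.
allowed_signers_line() {
  printf '%s namespaces="git" %s\n' "$1" "${2#key::}"
}

# Constructed sample of `ssh-add -L` output (not real keys).
SAMPLE_LISTING='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGNvbnN0cnVjdGVkLXNhbXBsZS1rZXk laptop-login
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTY secretive-signing'

if [ $# -ge 1 ] && [ -n "${SSH_AUTH_SOCK:-}" ]; then
  # Invoked by git: ask the agent behind SSH_AUTH_SOCK (e.g. Secretive's socket.ssh).
  ssh-add -L | select_signing_key "$1" || {
    echo "no agent key matching '$1'" >&2
    exit 1
  }
elif [ $# -eq 0 ]; then
  # No pattern given: walk the constructed sample to show both output formats.
  spec="$(printf '%s\n' "$SAMPLE_LISTING" | select_signing_key secretive-signing)"
  echo "$spec"
  allowed_signers_line me@example.com "$spec"
fi
```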

ryuheechul commented 8 months ago

my go-to is defaultKeyCommand = sh -c 'echo key::$(ssh-add -L)' from https://github.com/maxgoedjen/secretive/issues/262#issuecomment-997772711 as this should work both at the local host and remote host via ssh-agent forwarding; so hope that's included in the instruction

# example .git/config

# ...
[gpg]
  format = ssh
[gpg "ssh"]
  defaultKeyCommand = sh -c 'echo key::$(ssh-add -L)'

and for local verification I find this command handy, git cat-file commit HEAD

ayashjorden commented 3 weeks ago

Hello, I've commented on another (related?) issue, however, my addition here is that I'd like to continue and use the Secretive socket, over an SSH session with AgentForwarding enabled. user.signingkey and gpg.ssh.defaultKeyCommand are a conundrum to me at this point.

The SSH_AUTH_SOCK does exist in my session, however, ssh-agent -a /path/to/ssh/sock is erroring with "Address already in use" as expected.

EDIT: Found that 1Password seems to support this https://developer.1password.com/docs/ssh/git-commit-signing/

Any idea/direction?

slimm609 commented 2 weeks ago

This setup seems to work over ssh agent forwarding

[gpg]
    format = ssh
[commit]
    gpgsign = true

[user]
    name = <name>
    email = <email>
    signingKey = "key::ecdsa-sha2-nistp256 AAAAE2VjZHNhLX......"
[gpg "ssh"]
    defaultKeyCommand = ssh-add -L

commit 971d2cdf833fede0adaaf78e4f4d4cffff12f48c
Good "git" signature with ECDSA key SHA256:xycz/peuOLaNgnxDrCynRU6lISF0QHhmVm/j83dZTHk

ayashjorden commented 2 weeks ago

This setup seems to work over ssh agent forwarding

[gpg]
  format = ssh
[commit]
  gpgsign = true

[user]
  name = <name>
  email = <email>
  signingKey = "key::ecdsa-sha2-nistp256 AAAAE2VjZHNhLX......"
[gpg "ssh"]
  defaultKeyCommand = ssh-add -L

commit 971d2cdf833fede0adaaf78e4f4d4cffff12f48c
Good "git" signature with ECDSA key SHA256:xycz/peuOLaNgnxDrCynRU6lISF0QHhmVm/j83dZTHk

Thanks! It works as expected.