microsoft / vscode-remote-release

Visual Studio Code Remote Development: Open any folder in WSL, in a Docker container, or on a remote machine using SSH and take advantage of VS Code's full feature set.
https://aka.ms/vscode-remote

Gpg agent not forwarded when using devcontainer through remote-ssh #7814

Open max06 opened 1 year ago

max06 commented 1 year ago

Connection to dev Container through remote-ssh extension. GPG-Agent is missing inside the devcontainer.

Comparison: DevContainer used via docker context:

[2693 ms] Start: Run in container: touch '/vscode/vscode-server/bin/linux-x64/e8a3071ea4344d9d48ef8a4df2c097372b0c5161'
[2693 ms] Start: Launching Dev Containers helper.
[2693 ms] ssh-agent: SSH_AUTH_SOCK in container (/tmp/vscode-ssh-auth-7e3a446ef6b9db23fe750a7e37db5bc8f2686e1a.sock) forwarded to local host (\\.\pipe\openssh-ssh-agent).
[2694 ms] X11 forwarding: DISPLAY not set on host.
[2694 ms] Start: Run: gpgconf --list-dir agent-extra-socket
[2696 ms] 
[2696 ms] 
[2738 ms] C:\Users\max06\AppData\Local\gnupg\S.gpg-agent.extra
[2738 ms] 
[2738 ms] Start: Run in container: gpgconf --list-dir agent-socket
[2744 ms] /root/.gnupg/S.gpg-agent

Steps to Reproduce:

  1. Open remote-ssh-connection to Docker-Host.
  2. Open DevContainer on remote Host
  3. Run gpg2 --list-secret-keys --keyid-format long --verbose - it should list at least something

Does this issue occur when you try this locally?: No

Does this issue occur when you try this locally and all extensions are disabled?: No

Happy to provide information as requested.

chrmarti commented 1 year ago

It would look up the GPG socket locally if it couldn't find it remotely. We could add a setting to change the order.

max06 commented 1 year ago

@chrmarti Based on your info I uninstalled gpg from the Linux remote host. The rebuild causes some red error messages now, related to not finding gpg-conf anymore, but in the end I have access to my host's gpg-agent. I can sign commits again. 👍🏼

A setting for reversing the lookup order sounds great, although I would reverse the order by default. I'd think the device running the vscode frontend is most likely the device holding all secrets. And you'll probably find a gpg agent on many linux machines, installed by default.

hpe-ykoehler commented 1 year ago

I have the same issue with ssh-agent, but in my case I need "remote" to be the one being used because my ssh keys are on my Linux remote workstation, but when I use devcontainer the connection seems to be using my local Windows ssh-agent. Seems very similar to this. Is there a way to control which one will be used for different credential agents (gpg/ssh/others)?

chrmarti commented 1 year ago

@hpe-ykoehler Currently it will always prefer the remote one. For the ssh-agent it will check if SSH_AUTH_SOCK is set. Make sure that is being set in your ~/.profile / ~/.bash_profile by launching or reusing the ssh-agent there. See, e.g., https://stackoverflow.com/a/18915067/7857763. If that doesn't get it working, please open a new issue for us to investigate. Thanks.

hpe-ykoehler commented 1 year ago

I had validated that I have a remote ssh-agent working and yet it didn't take that one. Using ssh it works but using devcontainer over ssh it didn't (on that same remote). It really just wanted my Windows ssh-agent, nothing more.

I have heard from others that it works for them properly, so somehow it seems like a setup issue, but I can't find why I am having this problem.

chrmarti commented 1 year ago

@hpe-ykoehler You can check in the container log (F1 > Dev Containers: Show Container Log) which SSH_AUTH_SOCK it picks up. If you want to use the ssh-agent from your local machine, it's best to not set SSH_AUTH_SOCK remotely. (Maybe I misunderstood your goal earlier.) Please open a new issue if this doesn't work as described.

max06 commented 1 year ago

I remember having similar difficulties with remote ssh and devcontainers.

I solved mine by adding ForwardAgent yes to the ssh configuration of my remote hosts.

wittwitt commented 1 year ago

.ssh/config ForwardAgent yes

this does not work sometimes

vscode version

Version: 1.75.0
Commit: e2816fe719a4026ffa1ee0189dc89bdfdbafb164
Date: 2023-02-01T15:29:17.766Z
Electron: 19.1.9
Chromium: 102.0.5005.194
Node.js: 16.14.2
V8: 10.2.154.23-electron.0
OS: Linux x64 5.15.0-58-generic
Sandboxed: No

wittwitt commented 1 year ago

get_agent_identities: ssh_get_authentication_socket: No such file or directory
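
Added example, not part of the thread or of the extension's code: a small check to run in a terminal inside the dev container (or on the SSH host) that reports whether `SSH_AUTH_SOCK` and the two gpg-agent socket paths from the container log above point at live sockets. The function names are hypothetical; a `missing` result means the variable names a path that does not exist, which is the situation the "No such file or directory" error above describes.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): show which agent sockets this
# shell can actually reach. Function names are illustrative.

# classify_sock PATH -> prints: unset | missing | not-a-socket | ok
classify_sock() {
    if [ -z "${1:-}" ]; then
        echo unset            # nothing exported, so no agent is visible here
    elif [ ! -e "$1" ]; then
        echo missing          # variable names a path that does not exist
    elif [ ! -S "$1" ]; then
        echo not-a-socket     # path exists but is not a Unix socket
    else
        echo ok
    fi
}

# gpg_dir NAME -> prints the path gpgconf reports for NAME,
# or nothing when gpgconf is not installed on this side.
gpg_dir() {
    command -v gpgconf >/dev/null 2>&1 || return 0
    gpgconf --list-dir "$1" 2>/dev/null || true
}

# report -> one line per agent socket, with its state
report() {
    echo "SSH_AUTH_SOCK=${SSH_AUTH_SOCK:-} -> $(classify_sock "${SSH_AUTH_SOCK:-}")"
    for name in agent-socket agent-extra-socket; do
        p=$(gpg_dir "$name")
        echo "gpg $name=$p -> $(classify_sock "$p")"
    done
}

report
```

Running it on the SSH host and again inside the container shows on which side each socket exists, which is what decides whose keys a signing or `ssh-add -l` request reaches.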

avanderbergh commented 7 months ago

In case any NixOS users encounter this issue, you need to set { programs.gnupg.agent.enableExtraSocket = true; }

ZauberNerd commented 1 week ago

> It would look up the GPG socket locally if it couldn't find it remotely. We could add a setting to change the order.

Most systems have gpg installed by default and need it too (e.g. to validate package signatures, etc), so uninstalling it on the remote isn't always a viable solution and I would like to see an option to change it in the settings.