Issue with 1password SSH commit signing #290
Comments
|
Happy to take this on if you verify this issue @drewdeponte |
alondahari
added a commit
that referenced
this issue
Feb 8, 2024
The program option in git config can live under [`gpg.<format>.program`](https://git-scm.com/docs/git-config#Documentation/git-config.txt-gpgltformatgtprogram) in gitconfig, so we would need to respect that. I moved fetching the program option to inside the format option match, so we can use that to namespace the call to get the program configuration, falling back to the legacy `gpg.program` config. This small refactor is done since the ssh branch should also have an optional custom program to run (the 1Password binary for example) and we would want to follow the same general path with both methods. #290 <!-- ps-id: 10064b8f-e14f-4f9e-aa06-97b8ac5b10f0 -->
alondahari
added a commit
that referenced
this issue
Feb 8, 2024
When a signing program is defined in the gitconfig, respect that and use it instead of openssh. This will make using 1password ssh integration possible, since it's using a custom binary. #290 <!-- ps-id: 29c4b5fd-26b1-4ab1-bcce-8a114faddf76 -->
|
@alondahari the proper thing for us to do here is to switch to external execution of whatever the configured command is. The same way that git proper does. So we may need to reference git proper. This will allow us to remove the ssh signing dependencies which is good but will also give us the flexibility to behave the same way that Git proper does. |
alondahari
added a commit
that referenced
this issue
Feb 8, 2024
The program option in git config can live under [`gpg.<format>.program`](https://git-scm.com/docs/git-config#Documentation/git-config.txt-gpgltformatgtprogram) in gitconfig, so we would need to respect that. I moved fetching the program option to inside the format option match, so we can use that to namespace the call to get the program configuration, falling back to the legacy `gpg.program` config. This small refactor is done since the ssh branch should also have an optional custom program to run (the 1Password binary for example) and we would want to follow the same general path with both methods. #290 <!-- ps-id: 10064b8f-e14f-4f9e-aa06-97b8ac5b10f0 -->
alondahari
added a commit
that referenced
this issue
Feb 8, 2024
If the user's config specifies a program to use to sign the commits, use that over the default openssh. This allows users to use custom binaries even when the desired format is SSH. This is necessary to allow the 1Password SSH integration. #290 <!-- ps-id: 0809fc9d-09e9-4eb8-b339-fa072b978cd1 -->
alondahari
added a commit
that referenced
this issue
Feb 8, 2024
The program option in git config can live under [`gpg.<format>.program`](https://git-scm.com/docs/git-config#Documentation/git-config.txt-gpgltformatgtprogram) in gitconfig, so we would need to respect that. I moved fetching the program option to inside the format option match, so we can use that to namespace the call to get the program configuration, falling back to the legacy `gpg.program` config. This small refactor is done since the ssh branch should also have an optional custom program to run (the 1Password binary for example) and we would want to follow the same general path with both methods. #290 <!-- ps-id: 10064b8f-e14f-4f9e-aa06-97b8ac5b10f0 -->
alondahari
added a commit
that referenced
this issue
Feb 9, 2024
Add a function that returns a signing key if it is a literal value in gitconfig, or None if it's not (would be a path). This is done since with SSH signing, the user.signingKey in gitconfig can either be a path to a file with the key, or a literal key (like with gpg). See: https://git-scm.com/docs/git-config#Documentation/git-config.txt-usersigningKey #290 <!-- ps-id: 46319555-2a7b-44a4-ac17-c1e1fd8cd72b -->
alondahari
added a commit
that referenced
this issue
Feb 9, 2024
Update the ssh signer methods to support both literal and path signing strings in gitconfig. #290 <!-- ps-id: eee809a0-baba-4965-8364-b045a3f8e8a3 -->
alondahari
added a commit
that referenced
this issue
Feb 9, 2024
We will use the tempfile crate to create a tempfile to be used when signing commits with SSH, so we will need to use this dependency outside of the test utils. #290 <!-- ps-id: 7bfe5444-fccf-4ed9-bca2-f451e8ad1828 -->
alondahari
added a commit
that referenced
this issue
Feb 9, 2024
The program option in git config can live under [`gpg.<format>.program`](https://git-scm.com/docs/git-config#Documentation/git-config.txt-gpgltformatgtprogram) in gitconfig, so we would need to respect that. I moved fetching the program option to inside the format option match, so we can use that to namespace the call to get the program configuration, falling back to the legacy `gpg.program` config. This small refactor is done since the ssh branch should also have an optional custom program to run (the 1Password binary for example) and we would want to follow the same general path with both methods. #290 <!-- ps-id: 10064b8f-e14f-4f9e-aa06-97b8ac5b10f0 -->
alondahari
added a commit
that referenced
this issue
Feb 9, 2024
Getting the signing key from the config should be identical no matter what the format is, so take it out of the match. This is done in a general effort to improve the readability and maintainability of this piece of code. #290 <!-- ps-id: b24c7a77-97d3-48ff-8e32-2956148724ba -->
alondahari
added a commit
that referenced
this issue
Feb 9, 2024
When signing commits with SSH, we need to use the program in gitconfig if specified. Otherwise, fallback to ssh-keygen. This aligns with how git proper is doing it. #290 <!-- ps-id: 7c04af23-f05d-43f3-91aa-8ebac634ffdf -->
alondahari
added a commit
that referenced
this issue
Feb 9, 2024
Add a function that returns a signing key if it is a literal value in gitconfig, or None if it's not (would be a path). This is done since with SSH signing, the user.signingKey in gitconfig can either be a path to a file with the key, or a literal key (like with gpg). See: https://git-scm.com/docs/git-config#Documentation/git-config.txt-usersigningKey #290 <!-- ps-id: 46319555-2a7b-44a4-ac17-c1e1fd8cd72b -->
alondahari
added a commit
that referenced
this issue
Feb 9, 2024
Add a function to create a temp file containing a ssh key if one is supplied literally in the gitconfig. The function accepts a path, since it will be in a temp dir that we need to live long enough to complete the signing. #290 <!-- ps-id: eee809a0-baba-4965-8364-b045a3f8e8a3 -->
alondahari
added a commit
that referenced
this issue
Feb 9, 2024
We will use the tempfile crate to create a tempfile to be used when signing commits with SSH, so we will need to use this dependency outside of the test utils. #290 [changelog] added: tempfile crate dependency <!-- ps-id: 7bfe5444-fccf-4ed9-bca2-f451e8ad1828 -->
alondahari
added a commit
that referenced
this issue
Feb 9, 2024
The program option in git config can live under [`gpg.<format>.program`](https://git-scm.com/docs/git-config#Documentation/git-config.txt-gpgltformatgtprogram) in gitconfig, so we would need to respect that. I moved fetching the program option to inside the format option match, so we can use that to namespace the call to get the program configuration, falling back to the legacy `gpg.program` config. This small refactor is done since the ssh branch should also have an optional custom program to run (the 1Password binary for example) and we would want to follow the same general path with both methods. #290 <!-- ps-id: 10064b8f-e14f-4f9e-aa06-97b8ac5b10f0 -->
alondahari
added a commit
that referenced
this issue
Feb 9, 2024
Getting the signing key from the config should be identical no matter what the format is, so take it out of the match. This is done in a general effort to improve the readability and maintainability of this piece of code. #290 <!-- ps-id: b24c7a77-97d3-48ff-8e32-2956148724ba -->
alondahari
added a commit
that referenced
this issue
Feb 9, 2024
When signing commits with SSH, we need to use the program in gitconfig if specified. Otherwise, fallback to ssh-keygen. This aligns with how git proper is doing it. #290 [changelog] updated: ssh commit signing respects literal keys in config updated: ssh commit signing respects custom program updated: default ssh commit signing uses ssh-keygen <!-- ps-id: 7c04af23-f05d-43f3-91aa-8ebac634ffdf -->
alondahari
added a commit
that referenced
this issue
Feb 9, 2024
The ss-key dependency is no longer used, since ssh-keygen is used instead. #290 [changelog] removed: ssh-key crate dependency <!-- ps-id: 112c8505-5862-4da8-b9e4-ba0d62549997 -->
Merged
alondahari
added a commit
that referenced
this issue
Feb 12, 2024
Add a function that returns a signing key if it is a literal value in gitconfig, or None if it's not (would be a path). This is done since with SSH signing, the user.signingKey in gitconfig can either be a path to a file with the key, or a literal key (like with gpg). See: https://git-scm.com/docs/git-config#Documentation/git-config.txt-usersigningKey #290 <!-- ps-id: 46319555-2a7b-44a4-ac17-c1e1fd8cd72b -->
alondahari
added a commit
that referenced
this issue
Feb 12, 2024
Add a function to create a temp file containing a ssh key if one is supplied literally in the gitconfig. The function accepts a path, since it will be in a temp dir that we need to live long enough to complete the signing. #290 <!-- ps-id: eee809a0-baba-4965-8364-b045a3f8e8a3 -->
alondahari
added a commit
that referenced
this issue
Feb 12, 2024
We will use the tempfile crate to create a tempfile to be used when signing commits with SSH, so we will need to use this dependency outside of the test utils. #290 [changelog] added: tempfile crate dependency <!-- ps-id: 7bfe5444-fccf-4ed9-bca2-f451e8ad1828 -->
alondahari
added a commit
that referenced
this issue
Feb 12, 2024
The program option in git config can live under [`gpg.<format>.program`](https://git-scm.com/docs/git-config#Documentation/git-config.txt-gpgltformatgtprogram) in gitconfig, so we would need to respect that. I moved fetching the program option to inside the format option match, so we can use that to namespace the call to get the program configuration, falling back to the legacy `gpg.program` config. This small refactor is done since the ssh branch should also have an optional custom program to run (the 1Password binary for example) and we would want to follow the same general path with both methods. #290 <!-- ps-id: 10064b8f-e14f-4f9e-aa06-97b8ac5b10f0 -->
alondahari
added a commit
that referenced
this issue
Feb 12, 2024
Getting the signing key from the config should be identical no matter what the format is, so take it out of the match. This is done in a general effort to improve the readability and maintainability of this piece of code. #290 <!-- ps-id: b24c7a77-97d3-48ff-8e32-2956148724ba -->
alondahari
added a commit
that referenced
this issue
Feb 12, 2024
When signing commits with SSH, we need to use the program in gitconfig if specified. Otherwise, fallback to ssh-keygen. This aligns with how git proper is doing it. #290 [changelog] updated: ssh commit signing respects literal keys in config updated: ssh commit signing respects custom program updated: default ssh commit signing uses ssh-keygen <!-- ps-id: 7c04af23-f05d-43f3-91aa-8ebac634ffdf -->
alondahari
added a commit
that referenced
this issue
Feb 12, 2024
The ss-key dependency is no longer used, since ssh-keygen is used instead. #290 [changelog] removed: ssh-key crate dependency <!-- ps-id: 112c8505-5862-4da8-b9e4-ba0d62549997 -->
alondahari
added a commit
that referenced
this issue
Feb 12, 2024
Following how git does things, we will default to openpgp if the signing format is not defined in gitconfig #290 <!-- ps-id: 4e68a19d-bdc5-40f9-8e01-8dbb8d6f3b3f -->
|
Hey! Hope you're doing well. I was having this same issue after switching to 1Password. Is there any ETA on the next release that includes the fix? |
|
@edgarjs if you build from source what is in the So, I will try and cut a release tonight or tomorrow and we can just go from there. |
|
@drewdeponte I tried that, but I get this error now (the blurred part is an array of numbers):
|
|
@edgarjs @alondahari this issue has been actually resolved now in the latest release, v7.1.1. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
After setting up SSH signing with 1password, trying to integrate or request a review on a patch results in an error:
Seems like the issue comes from the fact that the 1password setup agent is adding the public key directly to
user.signingkey, not the path to the key. What's more, I think we need to use the 1password binary to sign the commit, which they set ongpg.ssh.program.We should also fix the unwrap in
cherry_picking.rsto bubble up the issue instead of causing a panic if anything goes wrong with the signing process. We should probably print out a warning message and proceed without signing instead.The text was updated successfully, but these errors were encountered: