Using 1Password for git SSH signatures in WSL
1Password lets developers sign git commits with SSH keys by providing its own SSH agent. Setting this up on your host platform (e.g., Windows) is relatively straightforward, but if you want it inside Windows Subsystem for Linux (WSL) there is additional configuration to perform.
While there are many different ways to configure this, most have you set up a service or autorun program, but I want neither of those affecting Windows boot and login performance for something I don't use often throughout the course of every day.
Fortunately, I found one such article that accomplished exactly what I wanted using
I made a few modifications, including how to acquire npiperelay given changes to the Go toolset.
1. Acquire npiperelay
You need to acquire npiperelay in Windows. You can download it from https://github.com/jstarks/npiperelay/releases/latest into a directory in your PATH environment variable or, if you have Go installed, run:
go install github.com/jstarks/npiperelay@latest
Either way, npiperelay.exe must end up on a PATH that WSL can see (WSL appends the Windows PATH by default; go install places the binary in %USERPROFILE%\go\bin unless GOBIN or GOPATH is set), because the startup script below invokes it by name.
2. Install socat
Next you need to install socat in your WSL distribution. I'm assuming you are using a Debian-based distro, e.g., Ubuntu. If you are using another distro, use the equivalent commands for its package manager.
sudo apt update
sudo apt install -y socat
3. Create startup script
You'll need to create a bash script that runs when you log into your distro. I'm assuming bash below.
mkdir -p ~/.1password
touch ~/.1password/agent && chmod +x ~/.1password/agent
Open ~/.1password/agent and paste the following content:
#!/usr/bin/bash
# Expose the 1Password agent (a Windows named pipe) as a Unix socket inside WSL.
export SSH_AUTH_SOCK=$HOME/.1password/agent.sock
# Only start a relay if one is not already running; the [n] keeps grep from matching itself.
if ! ps auxww | grep -q '[n]piperelay.exe -ei -s //./pipe/openssh-ssh-agent'; then
  # Remove a stale socket left behind by a previous session.
  if [[ -S "$SSH_AUTH_SOCK" ]]; then
    rm "$SSH_AUTH_SOCK"
  fi
  # socat listens on the socket and runs npiperelay for each client connection,
  # forwarding it to the Windows OpenSSH agent pipe that 1Password serves.
  (setsid socat UNIX-LISTEN:"$SSH_AUTH_SOCK",fork EXEC:'npiperelay.exe -ei -s //./pipe/openssh-ssh-agent',nofork &) > /dev/null 2>&1
fi
4. Run script on login
To run the script when you log in interactively, source it (rather than execute it, so that SSH_AUTH_SOCK is exported into your shell) from the appropriate profile, e.g., ~/.bashrc for bash:
source ~/.1password/agent
You can restart your login session or just source ~/.1password/agent yourself.
Assuming you have already configured 1Password's SSH agent using the instructions at the beginning of this post, you can test it in any git repository you have handy, e.g.:
cd ~/src/some-project
echo test > test.txt
git add -A
git commit -am 'test' -S
git show --show-signature
If the git show --show-signature command above shows an unknown or invalid signer, be sure you have an allowed signers file set up for git. Unlike GPG, which can use countersignatures to validate identities, SSH signatures need explicit approval. Each line of the file is a principal (the committer email) followed by the public key; a bare public key line is not enough:
mkdir -p ~/.config/git/
echo "$(git config user.email) $(cat ~/.ssh/identity_rsa.pub)" > ~/.config/git/allowed_signers
git config --global gpg.ssh.allowedsignersfile $HOME/.config/git/allowed_signers
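As an added example (not code from the original post), the shell helpers below check whether the relay socket is actually answering and build and validate allowed_signers lines; the socket path, the email and the sample public key are assumptions I constructed for illustration.

```shell
# Added example, not from the original post. Helpers to check the WSL relay
# socket and to build/validate allowed_signers lines. Paths, the email and
# the sample key are assumptions/constructed.

# Return 0 if an SSH agent answers on the socket. ssh-add -l exits 0 (keys
# listed) or 1 (agent reachable, no keys); 2 means nothing is listening.
agent_socket_ready() {
  sock="${1:-$HOME/.1password/agent.sock}"
  [ -S "$sock" ] || return 1
  rc=0
  SSH_AUTH_SOCK="$sock" ssh-add -l >/dev/null 2>&1 || rc=$?
  [ "$rc" -le 1 ]
}

# Print an allowed_signers line: <principal> namespaces="git" <type> <key>.
# The principal must match the committer email git records in the signature.
make_allowed_signer() {
  email="$1"; pubkey_file="$2"
  read -r ktype key rest < "$pubkey_file" || return 1
  [ -n "$ktype" ] && [ -n "$key" ] || return 1
  printf '%s namespaces="git" %s %s\n' "$email" "$ktype" "$key"
}

# Return 0 only if a line has a principal, optional options, then a key
# type and key; a bare "ssh-ed25519 AAAA..." line (no principal) fails.
validate_allowed_signer_line() {
  set -- $1
  [ "$#" -ge 3 ] || return 1
  shift                                   # drop the principal(s)
  case "$1" in *=*) shift ;; esac         # drop options such as namespaces="git"
  [ "$#" -ge 2 ] || return 1
  case "$1" in ssh-*|ecdsa-*|sk-*) return 0 ;; *) return 1 ;; esac
}

# Demo with a constructed public key (not a real key).
demo_pub=$(mktemp)
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedTestKey00000000000000000000 alice@example.com\n' > "$demo_pub"
make_allowed_signer alice@example.com "$demo_pub"
validate_allowed_signer_line "$(cat "$demo_pub")" || echo "bare public key line is not a valid allowed_signers entry"
agent_socket_ready && echo "relay socket is up" || echo "relay socket is not ready"
rm -f "$demo_pub"
```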
Blocks tunneling into other hosts
If you are also using SSH to tunnel into other hosts, you should configure SSH separately for github.com in ~/.ssh/config:
Host *
  IdentityFile ~/.ssh/id_rsa.pub
Host github.com
  IdentityAgent ~/.1password/agent.sock
  IdentitiesOnly yes
Note that ssh uses the first value obtained for each option, so host-specific blocks normally belong before Host *; the order above works only because the Host * block sets no option that the github.com block also sets.