Using 1Password for git SSH signatures in WSL
1Password allows developers to sign git commits over SSH by providing its own SSH agent. Setting this up on the host platform, e.g. Windows, is relatively straightforward, but if you want the same thing inside Windows Subsystem for Linux (WSL) there is additional configuration to perform.
While there are many different ways to configure this, many have you set up a service or autorun program, and I want neither of those affecting Windows boot and login performance for something I don't use often throughout the course of every day.
Fortunately, I found one such article that accomplished exactly what I wanted using socat and npiperelay.
I made a few modifications, including how to acquire npiperelay given changes to the Go toolset.
1. Acquire npiperelay
You need to acquire npiperelay in Windows. You can download it from https://github.com/jstarks/npiperelay/releases/latest into a directory on your Windows PATH or, if you have Go installed, run:
go install github.com/jstarks/npiperelay@latest
Either way, npiperelay.exe must end up on the Windows PATH (for go install that means the Go bin directory, typically %USERPROFILE%\go\bin), because WSL only finds Windows executables that way.
2. Install socat
Next you need to install socat in your WSL distribution. I'm assuming you are using a Debian-based distro, e.g. Ubuntu; if you are using another distro, use the appropriate commands for its package manager.
sudo apt update
sudo apt install -y socat
3. Create startup script
You’ll need to create a bash script that will start when you log into your distro. I’m assuming bash below.
mkdir ~/.1password
touch ~/.1password/agent && chmod +x ~/.1password/agent
Open ~/.1password/agent and paste the following content:
#!/usr/bin/bash
# Unix socket that ssh and git inside WSL will talk to
export SSH_AUTH_SOCK=$HOME/.1password/agent.sock
# 0 if a relay to the 1Password (OpenSSH-compatible) named pipe is already running
ALREADY_RUNNING=$(ps auxww | grep -q '[n]piperelay.exe -ei -s //./pipe/openssh-ssh-agent'; echo $?)
if [[ $ALREADY_RUNNING != '0' ]]; then
    # remove a stale socket left over from a previous session
    if [[ -S $SSH_AUTH_SOCK ]]; then
        rm "$SSH_AUTH_SOCK"
    fi
    # bridge the Unix socket to the Windows named pipe; setsid detaches it from this shell
    (setsid socat UNIX-LISTEN:$SSH_AUTH_SOCK,fork EXEC:'npiperelay.exe -ei -s //./pipe/openssh-ssh-agent',nofork &) > /dev/null 2>&1
fi
4. Run script on login
To run the script when you log in interactively, add the following line to the appropriate profile for your shell, e.g. ~/.bashrc for bash:
. ~/.1password/agent
You can restart your login session or just source ~/.1password/agent yourself.
5. Test
Assuming you have already configured 1Password's SSH agent using the instructions at the beginning of this post, you can test in any git repository you have handy and reset it afterwards, e.g.:
cd ~/src/some-project
echo test > test.txt
git add -A
git commit -am 'test' -S
git show --show-signature
Unknown signer
If the git show --show-signature command above shows an unknown or invalid signer, be sure you have your allowed_signers file set up for git. Unlike GPG, which can validate identities through counter signatures on a key, SSH signatures need explicit approval: git only reports a signature as good when the signing key is listed in allowed_signers next to the principal (the committer e-mail) allowed to use it. Each line of that file has the form "principal key-type key", so a .pub file cannot simply be copied into it; its trailing comment has to be replaced by the e-mail:
mkdir -p ~/.config/git/
echo "$(git config user.email) $(cut -d' ' -f1,2 ~/.ssh/identity_rsa.pub)" > ~/.config/git/allowed_signers
git config --global gpg.ssh.allowedsignersfile $HOME/.config/git/allowed_signers
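As an added example (not from the original post), a small shell helper that builds an allowed_signers entry from a .pub line and the committer e-mail, plus a check that rejects a raw .pub line; the key and address are constructed.

```shell
#!/usr/bin/env bash
# Added helper, not part of the original post. The public key below is
# constructed and not a real key.
#
# allowed_signers line format (ssh-keygen(1), ALLOWED SIGNERS):
#   principals[,options] keytype base64key
# A .pub line is "keytype base64key comment", a different shape, so it
# cannot be copied into allowed_signers as-is.

# allowed_signers_line PRINCIPAL PUBKEY_LINE
# Emits an entry allowing PRINCIPAL to sign with the key, restricted to the
# "git" namespace that git uses for commit and tag signatures.
allowed_signers_line() {
  principal=$1
  pubkey_line=$2
  # keep only the key type and the base64 key, dropping any comment
  key=$(printf '%s\n' "$pubkey_line" | awk 'NF >= 2 { print $1, $2 }')
  [ -n "$key" ] || return 1
  printf '%s namespaces="git" %s\n' "$principal" "$key"
}

# is_valid_allowed_signers_line LINE
# Returns 0 when LINE ends in a known key type followed by a base64 key and
# has at least a principal in front; a raw .pub line (type first, comment
# last) is rejected.
is_valid_allowed_signers_line() {
  printf '%s\n' "$1" | awk '
    NF >= 3 &&
    $(NF-1) ~ "^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-[a-z0-9@.-]+)$" &&
    $NF ~ "^[A-Za-z0-9+/]+=*$" { ok = 1 }
    END { exit ok ? 0 : 1 }'
}

# constructed sample: an ed25519 public key line as found in a .pub file
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEkeyConstructedNotReal000000000 user@example.com'

main() {
  line=$(allowed_signers_line 'user@example.com' "$SAMPLE_PUBKEY")
  printf 'allowed_signers entry: %s\n' "$line"
  if is_valid_allowed_signers_line "$SAMPLE_PUBKEY"; then
    echo "raw .pub line accepted (unexpected)"
  else
    echo "raw .pub line rejected: copied into allowed_signers, git reports an unknown signer"
  fi
  is_valid_allowed_signers_line "$line" && echo "generated entry is well-formed"
}

main
```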
Blocks tunneling into other hosts
If you also use SSH to tunnel into other hosts, configure SSH separately for github.com in ~/.ssh/config so that only that host uses the 1Password agent socket:
# ssh uses the first value it finds for each option, so host-specific
# blocks belong before the catch-all Host *
Host github.com
    IdentityAgent ~/.1password/agent.sock
    IdentitiesOnly yes

Host *
    IdentityFile ~/.ssh/id_rsa.pub