* Commit signing with SSH key uses SSH_AUTH_SOCK but ignores IdentityAgent
@ 2024-09-13 9:58 Justin Su
2024-09-13 15:05 ` Phillip Wood
0 siblings, 1 reply; 3+ messages in thread
From: Justin Su @ 2024-09-13 9:58 UTC (permalink / raw)
To: git
I use Secretive (https://github.com/maxgoedjen/secretive) to store my
SSH keys on macOS. I've configured my ssh_config to use it as the
IdentityAgent, and Git can push and pull just fine.

However, it seems that Git ignores IdentityAgent when signing commits,
resulting in the following error message:

    error: No private key found for public key "foo.pub"?
    fatal: failed to write commit object

I've worked around this by setting SSH_AUTH_SOCK, but this doesn't
feel correct to me. Is this intended behaviour?

Thanks,
Justin
* Re: Commit signing with SSH key uses SSH_AUTH_SOCK but ignores IdentityAgent
From: Phillip Wood @ 2024-09-13 15:05 UTC (permalink / raw)
To: Justin Su, git
Hi Justin
On 13/09/2024 10:58, Justin Su wrote:
> I use Secretive (https://github.com/maxgoedjen/secretive) to store my
> SSH keys on macOS. I've configured my ssh_config to use it as the
> IdentityAgent, and Git can push and pull just fine.
>
> However, it seems that Git ignores IdentityAgent when signing commits,
> resulting in the following error message:

Git just runs "ssh -Y". I can reproduce this on linux - I suspect the
problem is that ssh does not read the IdentityAgent config when signing
even if it is outside a Host/Match in the config file.

Best Wishes

Phillip

> error: No private key found for public key "foo.pub"?
> fatal: failed to write commit object
>
> I've worked around this by setting SSH_AUTH_SOCK, but this doesn't
> feel correct to me. Is this intended behaviour?
>
> Thanks,
> Justin
>
* Re: Commit signing with SSH key uses SSH_AUTH_SOCK but ignores IdentityAgent
From: Justin Su @ 2024-09-14 16:08 UTC (permalink / raw)
To: phillip.wood; +Cc: git
On Fri, Sep 13, 2024 at 11:05 AM Phillip Wood <phillip.wood123@gmail.com> wrote:
>
> Hi Justin
>
> On 13/09/2024 10:58, Justin Su wrote:
> > I use Secretive (https://github.com/maxgoedjen/secretive) to store my
> > SSH keys on macOS. I've configured my ssh_config to use it as the
> > IdentityAgent, and Git can push and pull just fine.
> >
> > However, it seems that Git ignores IdentityAgent when signing commits,
> > resulting in the following error message:
>
> Git just runs "ssh -Y". I can reproduce this on linux - I suspect the
> problem is that ssh does not read the IdentityAgent config when signing
> even if it is outside a Host/Match in the config file.

Agreed, this seems like an ssh-keygen limitation. I reproduced this
directly with ssh-keygen on macOS.

According to its man page, if you pass a public key for the `-f`
option, then the private half needs to be available via ssh-agent. The
man page doesn't mention SSH_AUTH_SOCK either, but I guess it's the
best solution for my use case.

> Best Wishes
>
> Phillip
>
> > error: No private key found for public key "foo.pub"?
> > fatal: failed to write commit object
> >
> > I've worked around this by setting SSH_AUTH_SOCK, but this doesn't
> > feel correct to me. Is this intended behaviour?
> >
> > Thanks,
> > Justin
> >
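
Added example, not part of the thread and not code from Git or OpenSSH: a wrapper script for the SSH_AUTH_SOCK workaround discussed above, which takes IdentityAgent from `ssh -G` output and exports it as SSH_AUTH_SOCK before running ssh-keygen. The function names and SIGNING_SSH_HOST are hypothetical; it assumes `ssh -G` prints the option as a lowercase `identityagent` line, and it does not expand % tokens in the value.

```shell
#!/bin/sh
# Added example (not from the thread): wrapper for Git's gpg.ssh.program.

# Read `ssh -G <host>` output on stdin; print the agent socket to use.
# Prints nothing when there is no override: no IdentityAgent line, "none",
# or the literal SSH_AUTH_SOCK (meaning: keep the environment's socket).
agent_from_ssh_G() {
    value=$(awk '$1 == "identityagent" { sub(/^[^ ]+ +/, ""); print; exit }')
    case "$value" in
        ''|none|SSH_AUTH_SOCK) return 0 ;;
        '$'*)  printenv "${value#?}" || true ;;       # value names an env var
        '~/'*) printf '%s\n' "$HOME/${value#??}" ;;   # home-relative path
        *)     printf '%s\n' "$value" ;;              # literal socket path
    esac
}

sign_with_config_agent() {
    # SIGNING_SSH_HOST is a hypothetical variable (assumption): the ssh_config
    # host alias to evaluate. A top-level IdentityAgent matches any name.
    sock=$(ssh -G "${SIGNING_SSH_HOST:-localhost}" 2>/dev/null | agent_from_ssh_G)
    if [ -n "$sock" ]; then
        SSH_AUTH_SOCK=$sock
        export SSH_AUTH_SOCK
    fi
    exec ssh-keygen "$@"
}

# Act as the wrapper only when given arguments (Git passes "-Y sign ...").
if [ "$#" -gt 0 ]; then
    sign_with_config_agent "$@"
fi
```

Saved as an executable file, the script can be named in Git's gpg.ssh.program setting so that commit signing goes through it instead of calling ssh-keygen directly.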