Merge pull request #1002 from entireio/fix/1password-ssh-signing

Fix SSH signing for 1Password and bare public key setups

Author: pfleidi

cmd/entire/cli/objectsigner.go

@@ -7,7 +7,9 @@ import (
 	"os"
 	"sync"
 
+	"github.com/entireio/cli/cmd/entire/cli/logging"
 	"github.com/go-git/go-git/v6/config"
+	format "github.com/go-git/go-git/v6/plumbing/format/config"
 	"github.com/go-git/go-git/v6/x/plugin"
 	"github.com/go-git/x/plugin/objectsigner/auto"
 	"golang.org/x/crypto/ssh/agent"
@@ -35,6 +37,17 @@ func RegisterObjectSigner() {
 				return nil
 			}
 
+			// When a custom gpg.ssh.program is configured (e.g. 1Password's
+			// op-ssh-sign), signing happens via an external binary that go-git
+			// cannot invoke. Skip native signing silently — checkpoint commits
+			// will be unsigned, which is acceptable since signing is best-effort.
+			// The default program is "ssh-keygen", which works with go-git's
+			// native SSH agent signing and does not need to be skipped.
+			if auto.Format(merged.GPG.Format) == auto.FormatSSH && hasCustomSSHSignProgram(merged.Raw) {
+				logging.Debug(context.Background(), "skipping native SSH commit signing: custom gpg.ssh.program is configured")
+				return nil
+			}
+
 			cfg := auto.Config{
 				SigningKey: merged.User.SigningKey,
 				Format:     auto.Format(merged.GPG.Format),
@@ -74,6 +87,22 @@ var scopeName = map[config.Scope]string{
 	config.SystemScope: "system",
 }
 
+// hasCustomSSHSignProgram checks whether gpg.ssh.program is set to a
+// non-default value in the raw config. The git default is "ssh-keygen",
+// which works with go-git's native SSH agent signing. Custom programs
+// (e.g. 1Password's op-ssh-sign) use a separate signing mechanism that
+// go-git cannot invoke.
+// go-git's Config struct does not expose this field, so we read it directly.
+func hasCustomSSHSignProgram(raw *format.Config) bool {
+	if raw == nil {
+		return false
+	}
+
+	program := raw.Section("gpg").Subsection("ssh").Option("program")
+
+	return program != "" && program != "ssh-keygen"
+}
+
 func loadScopedConfig(source plugin.ConfigSource, scope config.Scope) *config.Config {
 	name := scopeName[scope]
 

cmd/entire/cli/objectsigner_test.go

@@ -0,0 +1,66 @@
+package cli
+
+import (
+	"testing"
+
+	format "github.com/go-git/go-git/v6/plumbing/format/config"
+)
+
+func TestHasCustomSSHSignProgram(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name string
+		raw  *format.Config
+		want bool
+	}{
+		{
+			name: "nil raw config",
+			raw:  nil,
+			want: false,
+		},
+		{
+			name: "empty raw config",
+			raw:  format.New(),
+			want: false,
+		},
+		{
+			name: "custom program set",
+			raw: func() *format.Config {
+				c := format.New()
+				c.Section("gpg").Subsection("ssh").SetOption("program", "/Applications/1Password.app/Contents/MacOS/op-ssh-sign")
+				return c
+			}(),
+			want: true,
+		},
+		{
+			name: "default ssh-keygen is not custom",
+			raw: func() *format.Config {
+				c := format.New()
+				c.Section("gpg").Subsection("ssh").SetOption("program", "ssh-keygen")
+				return c
+			}(),
+			want: false,
+		},
+		{
+			name: "gpg section exists but no ssh.program",
+			raw: func() *format.Config {
+				c := format.New()
+				c.Section("gpg").SetOption("format", "ssh")
+				return c
+			}(),
+			want: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			got := hasCustomSSHSignProgram(tt.raw)
+			if got != tt.want {
+				t.Errorf("hasCustomSSHSignProgram() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}