Fix SSH signing for 1Password and bare public key setups#1002
Merged
Conversation
The go-git auto signer library expects a key:: prefix for literal SSH public keys, but tools like 1Password set user.signingKey to a bare public key string (e.g. "ssh-ed25519 AAAA..."). Without the prefix, the library falls through to the private-key-file codepath and fails with "reading SSH private key: open ssh-ed25519". Detect bare SSH public key strings by their key type prefix and prepend key:: so the library routes them through the SSH agent matching path. Entire-Checkpoint: 8b089d71bc99
When gpg.ssh.program is set (e.g. 1Password's op-ssh-sign), signing happens via an external binary that go-git cannot invoke. The SSH agent at SSH_AUTH_SOCK typically does not hold the signing key in this setup, causing a "no keys found matching signingKey" error. Detect gpg.ssh.program in the raw git config and skip native signing silently. Checkpoint commits will be unsigned, which is acceptable since signing is best-effort. Add a debug log for observability. Entire-Checkpoint: 68cdcfe4732a
Contributor
There was a problem hiding this comment.
Pull request overview
This PR restores best-effort checkpoint commit signing compatibility for SSH-signing setups where user.signingKey is configured as a bare SSH public key (common with 1Password and some Git configs), and avoids attempting go-git native SSH signing when Git is configured to delegate signing to an external gpg.ssh.program.
Changes:
- Add
normalizeSigningKey()to detect bare SSH public key literals and prependkey::so the auto signer routes through the SSH-agent path. - Add
hasSSHSignProgram()to detectgpg.ssh.programfrom raw git config and skip native signing (debug-log only) when external SSH signing is configured. - Add unit tests covering SSH key normalization and
gpg.ssh.programdetection.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| cmd/entire/cli/objectsigner.go | Normalizes SSH signing keys and skips native signing when gpg.ssh.program is set. |
| cmd/entire/cli/objectsigner_test.go | Adds unit tests for signing key normalization and raw-config detection of gpg.ssh.program. |
The hasSSHSignProgram check already short-circuits before reaching auto.FromConfig for external-program setups. No realistic config uses a bare public key string without gpg.ssh.program, so the normalization logic is dead code. Entire-Checkpoint: f791d4afad16
pjbgf
reviewed
Apr 21, 2026
Rename hasSSHSignProgram to hasCustomSSHSignProgram and exclude the git default value "ssh-keygen", which works with go-git's native SSH agent signing. Only truly external programs like 1Password's op-ssh-sign should skip native signing. Entire-Checkpoint: fe883bace626
computermode
approved these changes
Apr 21, 2026
pjbgf
approved these changes
Apr 21, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
autosigner library. This broke setups wheregpg.ssh.programis configured (e.g. 1Password'sop-ssh-sign), because go-git signs natively via the SSH agent protocol while the external program uses a separate mechanism. The signing key typically isn't in the SSH agent, causing warnings on every push.gpg.ssh.programin the raw git config and skips native signing silently with a debug log. Checkpoint commits will be unsigned in this setup, which is acceptable since signing is best-effort.Test plan
hasSSHSignProgram(4 cases: nil, empty, program set, gpg without ssh.program)mise run checkpasses (fmt, lint, unit, integration, E2E canary)git pushno longer emits signing warnings with 1Password SSH setup