Extended ssh-agent which supports git commit signing over ssh

ssh-agentx

The x stands for eXtended or Xtra.

ssh-agentx is an ssh-agent replacement that abuses the SSH agent protocol's extension mechanism to sign git commits using your existing ssh keys (the ones you import into this agent).

When running under Windows it also supports WSL/Pageant/WSL2/Cygwin, thanks to the great https://github.com/buptczq/WinCryptSSHAgent tool.

Rationale

The one thing I need PGP for is to sign git commits, and I'm working mostly on (shared) remote servers.
I don't want to set up a pgp/gpg configuration, keep a private key on the shared server and maintain it.
There is already an ssh-agent running remotely that holds ed25519/rsa keys, and those can do the same job over the SSH_AUTH_SOCK socket.

Requirements

If you only want to sign commits and never need to run git log --show-signature or git verify-commit, you don't need gpg on the server.

You do need my companion tool, which git talks to when signing commits. See https://github.com/42wim/ssh-gpg-signer

Configuration ssh-agentx

If you want to run this agent instead of ssh-agent without the gpg signing stuff, you don't need a configuration.

Otherwise create a file called ssh-agentx.toml. While testing you can put it in the same directory as ssh-agentx; otherwise put it in ~/.config/ssh-agentx/ssh-agentx.toml, or %APPDATA%\ssh-agentx\ssh-agentx.toml on Windows.

This file contains one [gpg.something] section per git identity, in case you have several (you can use the same key for different identities if you want).

The name and email must match the user.name and user.email of your git configuration, and the matchcomment must match the comment of your ssh key (you can change the comment of a key with ssh-keygen -c -f ~/.ssh/yourkey).

You can also see the comments of your loaded keys by running ssh-add -l.

( ⚠️ It's better to create a new key used solely for the gpg signing; read https://security.stackexchange.com/questions/1806/why-should-one-not-use-the-same-asymmetric-key-for-encryption-as-they-do-for-sig for why. You can still use an existing one if you want though.)

[gpg.github]
name="yourname" #this must match your .gitconfig name
email="youremail" #this must match your .gitconfig email
matchcomment="akeycomment" #this must match a ssh key comment

Save the config above, start ssh-agentx and point SSH_AUTH_SOCK at its socket.

When you now add a key to the agent (ssh-add ~/.ssh/ed25519) whose comment matches a matchcomment above, it prints the PGP public key block for that identity, as shown below.

2021/04/24 17:49:43 adding public key for yourname <youremail>
-----BEGIN PGP PUBLIC KEY BLOCK-----

xjMEAAAAABYJKwYBBAHaRw8BAQdAdN2uijeJajk1p9tJ+zaGR4ZtmxrrijPzJ195
1NKx8DDNFHlvdXJuYW1lIDx5b3VyZW1haWw+wogEExYIADoFAgAAAAAJEBTLefcM
08E9FiEERSpAhAOO4sCnMMBpFMt59wzTwT0CGwMCHgECGQEDCwkHAhUIAiIBAABf
AgEAuoHPX5vGBG95czyjHBxlfa3WKBEZKO5Oq9QYzy6Hq94A/02qShQlAkQs2Plz
Iaub4hgLmJWE1jk62pdjGP/VsIwA
=KL1J
-----END PGP PUBLIC KEY BLOCK-----

You can now paste this block into the GPG keys settings of your GitHub or Gitea account.

This concludes the agent-side configuration. You also need the companion tool, which git calls to sign the commit and which forwards the signing request to ssh-agentx.

Configuration ssh-gpg-signer

Linux

Download or build https://github.com/42wim/ssh-gpg-signer and put the binary somewhere; let's assume /home/user/bin/ssh-gpg-signer.

Now change your global or local git config to use ssh-gpg-signer and to always sign commits:

git config --global gpg.program /home/user/bin/ssh-gpg-signer
git config --global commit.gpgSign true

Windows

Download or build https://github.com/42wim/ssh-gpg-signer and put the binary somewhere; let's assume c:\users\user\bin\ssh-gpg-signer.

Now change your global or local git config to use ssh-gpg-signer and to always sign commits (note the escaped backslashes):

git config --global gpg.program c:\\users\\user\\bin\\ssh-gpg-signer
git config --global commit.gpgSign true

Signing commits after configuration

Git will now sign your commits automatically using ssh-gpg-signer, which talks to ssh-agentx over the SSH_AUTH_SOCK socket.

So just run git commit -m "acommit".
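What "signing over the SSH_AUTH_SOCK socket" amounts to on the wire, as an added Go example written for this page (illustration only, not ssh-gpg-signer's or ssh-agentx's code): the client builds an SSH_AGENTC_EXTENSION message, the agent dispatches on the extension name and signs the supplied bytes with an ed25519 key, and the client maps the reply codes before verifying the signature. The message numbers are the agent protocol's own; the extension name sign-pgp-digest@example.com, the payload layout (contents are the bytes to sign, the reply is a success byte plus the signature) and the digest string are invented for the example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Agent protocol message numbers (draft-miller-ssh-agent).
const (
	agentFailure          = 5
	agentSuccess          = 6
	agentcExtension       = 27
	agentExtensionFailure = 28
)

// Invented for this example; the page does not document ssh-agentx's real extension name.
const signExt = "sign-pgp-digest@example.com"

func putString(b, s []byte) []byte {
	return append(binary.BigEndian.AppendUint32(b, uint32(len(s))), s...)
}

func readString(b []byte) (s, rest []byte, err error) {
	if len(b) < 4 || uint64(binary.BigEndian.Uint32(b)) > uint64(len(b)-4) {
		return nil, nil, errors.New("malformed ssh string")
	}
	n := binary.BigEndian.Uint32(b)
	return b[4 : 4+n], b[4+n:], nil
}

// ExtensionRequest is the body of SSH_AGENTC_EXTENSION:
// byte 27, string extension-type, byte[] extension-specific contents.
func ExtensionRequest(name string, contents []byte) []byte {
	return append(putString([]byte{agentcExtension}, []byte(name)), contents...)
}

type Handler func(contents []byte) ([]byte, error)

// Dispatch is the agent side. An unknown extension gets SSH_AGENT_FAILURE (what a
// stock OpenSSH ssh-agent answers too); an error inside a known one gets SSH_AGENT_EXTENSION_FAILURE.
func Dispatch(req []byte, handlers map[string]Handler) []byte {
	if len(req) == 0 || req[0] != agentcExtension {
		return []byte{agentFailure}
	}
	name, contents, err := readString(req[1:])
	h, ok := handlers[string(name)]
	if err != nil || !ok {
		return []byte{agentFailure}
	}
	reply, err := h(contents)
	if err != nil {
		return []byte{agentExtensionFailure}
	}
	return reply
}

// SignHandler signs the contents (the digest) with one ed25519 key; reply = byte 6, string signature.
func SignHandler(priv ed25519.PrivateKey) Handler {
	return func(digest []byte) ([]byte, error) {
		if len(digest) == 0 {
			return nil, errors.New("nothing to sign")
		}
		return putString([]byte{agentSuccess}, ed25519.Sign(priv, digest)), nil
	}
}

// ParseSignReply is the client side (ssh-gpg-signer's role). The two failure
// codes become distinct errors, so "wrong agent" is not mistaken for "signing failed".
func ParseSignReply(reply []byte) ([]byte, error) {
	switch {
	case len(reply) == 0:
		return nil, errors.New("empty reply")
	case reply[0] == agentFailure:
		return nil, errors.New("agent does not implement " + signExt)
	case reply[0] == agentExtensionFailure:
		return nil, errors.New("agent refused the signing request")
	case reply[0] != agentSuccess:
		return nil, errors.New("unexpected reply type")
	}
	sig, _, err := readString(reply[1:])
	return sig, err
}

// Demo runs one in-process exchange with a fresh key and reports whether the
// signature the "agent" returned verifies under the matching public key.
func Demo(ext string, digest []byte) (bool, error) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	handlers := map[string]Handler{signExt: SignHandler(priv)}
	sig, err := ParseSignReply(Dispatch(ExtensionRequest(ext, digest), handlers))
	if err != nil {
		return false, err
	}
	return ed25519.Verify(pub, digest, sig), nil
}

func main() {
	digest := []byte("constructed stand-in for the PGP signature hash")
	fmt.Println(Demo(signExt, digest))
	fmt.Println(Demo("nope@example.com", digest))
}
```

The failure split is the practical check: a stock OpenSSH ssh-agent answers an extension it does not know with a plain SSH_AGENT_FAILURE, so that error on the client side is the symptom of SSH_AUTH_SOCK still pointing at the regular agent rather than at ssh-agentx, while SSH_AGENT_EXTENSION_FAILURE means the agent knows the extension but could not complete the request (no matching key, malformed contents).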

If you have gpg installed (with the public key block from above imported into its keyring) and run git log --show-signature, it shows something like this. The "not certified" warning only means you have not marked the key as trusted in that keyring; the signature itself is reported as good:

commit 73e3d4e2a897c921f207f5a1ae65c7b6175b1afe (HEAD -> master)
gpg: Signature made Sat 24 Apr 2021 05:18:00 PM CEST
gpg:                using EDDSA key 452A4084038EE2C0A730C06914CB79F70CD3C13D
gpg: Good signature from "yourname <youremail>" [uncertain]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 452A 4084 038E E2C0 A730  C069 14CB 79F7 0CD3 C13D
Author:     yourname <youremail>
AuthorDate: Fri Apr 23 22:26:45 2021 +0200
Commit:     yourname <youremail>
CommitDate: Fri Apr 23 22:26:45 2021 +0200

    acommit