Integrating 1Password into My Git Workflow
How I use 1Password ssh agent to help authenticate with GitHub and sign commits.
As a developer, I deal with git commits and git pushes on a regular basis. I would like to document and share how my workflow has seen great quality-of-life improvements since I integrated 1Password ssh agent into the process.
Before
Authentication
Before using 1Password ssh agent, I recall having to generate an SSH key using ssh-keygen on my machine and then add the public key to my GitHub account in order to authenticate myself. The key was stored directly at the ~/.ssh directory on my machine.
Here's the problem: if someone gained access to the directory and the private key file, they could easily spoof my GitHub identity and read/commit code all they wanted, especially if I had not set a strong passphrase for the key, or, worst case, no passphrase at all. Also, the macOS default ssh agent has very limited functionality and requires manually typing in the passphrase whenever it decides it's time to authenticate. It's tedious and not nearly as secure as it could be.
Commit Signing
To sign commits, I had to generate a signing key in a similar fashion using ssh-keygen, add the public key to my GitHub account, and then configure my global git config to use the signing key. We have the same problem as above: anyone gaining access to my private key file means big trouble. Besides, there is no further authentication step after the initial setup is completed.
Why do we bother with Commit Signing?
Admittedly, it's true that we only need a successful authentication to be able to get code-related work done. However, imagine a situation where multiple users have write access to the same repository. If signing our own commits is not a thing, I can simply set the email in my git config to someone else's address, and the code I commit will show up as originating from them. There's no way to verify it! That's a big red flag.
Plus, signed commits on GitHub will show a "Verified" badge next to them. This is a nice visual indicator that the commit was drafted by a trusted source.
How 1Password Helps
Firstly, 1Password provides a secure storage for SSH keys, just like any other type of login and credential you would store in it.
It is safer than storing the key file directly in the ~/.ssh directory because you always need to pass 1Password authentication first in order to gain access to the key. You don't have to worry about accidentally deleting the key file and having no way to recover it, and it has a much better visualization of the key information.
After generating new keys in 1Password or importing existing ones into it, we need to make sure to add the public keys to our GitHub account to let GitHub know these keys represent our own identity.
Then, follow this step-by-step guide to set up the 1Password ssh agent for authenticating ssh workflows including GitHub authentication. Likewise, after 1Password ssh agent is set up, follow this guide to configure git to use the 1Password ssh agent for signing commits.
The related entries in my global .gitconfig and allowed_signers files look like the following. (btw these are all backed up in my dotfiles repository)

~/.gitconfig:

[user]
    email = git@tianwei.io
    name = TIANWEI ZHANG
    signingkey = ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAE6mdsKlaqk/n17bFP0+LmbilsWVvPa2gHF0PNAQaff
[commit]
    gpgsign = true
[gpg]
    format = ssh
[gpg "ssh"]
    program = /Applications/1Password.app/Contents/MacOS/op-ssh-sign
    allowedSignersFile = ~/.ssh/allowed_signers

~/.ssh/allowed_signers:

# Public key of my SSH key used for signing Git commits
git@tianwei.io ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAE6mdsKlaqk/n17bFP0+LmbilsWVvPa2gHF0PNAQaff

Note: setting up the allowed_signers file is optional, but it allows us to quickly tell on our local machine if a signer is trusted or not. If we run $ git log --show-signature, there will be a Good "git" signature message next to a commit if it is signed by a trusted signer. Think of it as a local version of the 'Verified' badge on GitHub; by adding your own and your colleagues' public keys to this file, you can confirm at a glance that every commit in your history is authentic.
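The following script is an added, self-contained walk-through of the same configuration (SSH-format signing plus an allowed_signers file) and is not code from the post or from 1Password. Because no 1Password agent is available in a scripted environment, it substitutes a throwaway key generated with ssh-keygen and leaves gpg.ssh.program at its default instead of op-ssh-sign; the email, user name and file paths are constructed placeholders. It goes one step beyond the post by also signing a commit with a second key that is not listed in allowed_signers, showing that git verify-commit rejects it ("No principal matched.") even though the signature itself is cryptographically valid.

```shell
#!/bin/sh
# Added example (not from the post): SSH commit signing with allowed_signers.
# A throwaway ssh-keygen key stands in for the 1Password-held key, so
# gpg.ssh.program stays at its default (ssh-keygen) rather than op-ssh-sign.
# Every name, path and email below is constructed for the demo.

# Returns 0 when the trusted commit verifies and the untrusted one is rejected,
# 1 on an unexpected failure, 2 when the local toolchain cannot run the demo.
demo_ssh_signing() {
    command -v git >/dev/null 2>&1 && command -v ssh-keygen >/dev/null 2>&1 || {
        echo "git or ssh-keygen missing; skipping" >&2; return 2; }
    # SSH signing needs git 2.34+ (and OpenSSH 8.2+ for find-principals).
    set -- $(git --version)
    gitver=$3
    major=${gitver%%.*}; rest=${gitver#*.}; minor=${rest%%.*}
    if [ "$major" -lt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -lt 34 ]; }; then
        echo "git $gitver is too old for ssh signing; skipping" >&2; return 2
    fi

    work=$(mktemp -d) || return 1
    trap 'rm -rf "$work"' EXIT
    email="dev@example.invalid"      # constructed identity
    repo="$work/repo"

    # Two keys: one we will trust, one we will not (think of a key that was
    # never added to allowed_signers).
    ssh-keygen -q -t ed25519 -N "" -C "$email" -f "$work/trusted_key" || return 1
    ssh-keygen -q -t ed25519 -N "" -C "other" -f "$work/untrusted_key" || return 1

    # allowed_signers line format: <principal> [options] <keytype> <base64 key>.
    # namespaces="git" restricts this entry to git signatures.
    printf '%s namespaces="git" %s\n' "$email" \
        "$(cut -d' ' -f1,2 "$work/trusted_key.pub")" > "$work/allowed_signers"

    # The same settings as the post's .gitconfig, scoped to a throwaway repo.
    git init -q "$repo" || return 1
    git -C "$repo" config user.email "$email"
    git -C "$repo" config user.name "Example Dev"
    git -C "$repo" config gpg.format ssh
    git -C "$repo" config commit.gpgsign true
    git -C "$repo" config gpg.ssh.allowedSignersFile "$work/allowed_signers"
    # With the 1Password agent, signingkey holds the public key literal; with
    # no agent, git accepts the path to the private key file instead.
    git -C "$repo" config user.signingkey "$work/trusted_key"

    echo "first" > "$repo/README"
    git -C "$repo" add README
    git -C "$repo" commit -q -m "signed with trusted key" || return 1
    # Expected on stderr: Good "git" signature for dev@example.invalid ...
    git -C "$repo" verify-commit HEAD 2>/dev/null || return 1

    # Now sign with a key that is NOT in allowed_signers. The signature is
    # valid, but git reports "No principal matched." and verify-commit exits
    # non-zero: this is the local trust check the post's Note describes.
    git -C "$repo" config user.signingkey "$work/untrusted_key"
    echo "second" >> "$repo/README"
    git -C "$repo" commit -q -a -m "signed with untrusted key" || return 1
    if git -C "$repo" verify-commit HEAD 2>/dev/null; then
        echo "untrusted key unexpectedly verified" >&2
        return 1
    fi
    # The earlier, trusted commit still verifies.
    git -C "$repo" verify-commit HEAD~1 2>/dev/null || return 1

    rm -rf "$work"
    trap - EXIT
    return 0
}

demo_ssh_signing && echo "trusted commit verified, untrusted commit rejected"
```

Run it as a plain sh script; it needs only git and ssh-keygen and cleans up after itself. Note that git only checks whether the signing key maps to some principal in allowed_signers, not whether that principal matches the commit's author email, so the file answers "is this key trusted?" rather than "did this email really sign?"; GitHub's Verified badge adds that email-to-key binding on its side.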
Results
Now, every time I commit the code I wrote, the terminal will automatically prompt me to authenticate via 1Password and use the signing key to sign the commit.
When pushing code to remote, the terminal will prompt again for authentication via 1Password and use the auth key to authenticate with GitHub.
Authentication becomes as easy as pressing a finger against the Touch ID reader. Compared to the previous approach, it is fast, convenient, secure, and you know exactly what's going on at all times.
Conclusion
1Password ssh agent has made my dev experience much better: it may not look like a game-changer at first, but the peace of mind and time saved really add up over time.
I have been a long-time 1Password user since v6, and this is arguably my favorite feature by far. As a matter of fact, I briefly considered switching to Proton Pass at one point because I purchased a lifetime plan for SimpleLogin which came bundled with a lifetime Proton Pass subscription. While the cost savings were tempting, I ultimately decided that the price I pay for 1Password is justified given the better experience over any other password manager I've tried.
If you are considering trying out a new password manager, or if you are already using 1Password but haven't found out about this feature, I would highly recommend giving this a try. It's incredibly easy to set up and represents one of the many meaningful steps that help push us toward a more secure and convenient digital future.