Signing Git Commits with SSH Key doesn't work with SSH Agent on Windows

[QuAzI]

I am trying to use Signing Git Commits with SSH Key
So, I have a working SSH with the ssh-ed25519 key and I've made a few settings

git config --global commit.gpgsign true
git config --global gpg.format ssh
git config --global user.signingkey "ssh-ed25519 <public key id>"

All works fine on WSL, but not on Windows

> git commit --allow-empty --message="Testing SSH from Win"
error: Couldn't get agent socket?

fatal: failed to write commit object

OpenSSH client works with SSH Agent on Windows and on WSL. All keys are present in the agent
WSL just requires a small hack with socat in ~/.bashrc

SSH_AUTH_SOCK=$HOME/.ssh/wsl-ssh-agent.sock
if [ ! -S "$SSH_AUTH_SOCK" ]
then
  export SSH_AUTH_SOCK
  /usr/bin/socat UNIX-LISTEN:"$SSH_AUTH_SOCK",fork EXEC:"$(which npiperelay.exe) -ei -s //./pipe/openssh-ssh-agent",nofork 2>&1 &
fi

But I don't understand what I have to tweak for Git Bash while git can use SSH Agent to pull my commits from private repo

[dscho]

The problem might be a mismatch between the native Windows ("PowerShell") variant of OpenSSH and the variant bundled with Git for Windows ("MSYS").

The bug reporting template contains a suggestion to paste the contents of /etc/install-options.txt which would have helped diagnose this issue better, but I see no trace of that bug reporting template here.

You can find out which OpenSSH variant Git for Windows is using by calling grep SSH /etc/install-options.txt. If it says OpenSSH, it's the bundled variant, if it says ExternalOpenSSH it uses the native Windows variant.

[QuAzI]

Yeah, it shows OpenSSH

MINGW64 ~
$ grep SSH /etc/install-options.txt
SSH Option: OpenSSH

Full /etc/install-options.txt under the spoiler

$ cat /etc/install-options.txt Editor Option: VIM Custom Editor Path: Default Branch Option: Path Option: Cmd SSH Option: OpenSSH Tortoise Option: false CURL Option: OpenSSL CRLF Option: CRLFCommitAsIs Bash Terminal Option: MinTTY Git Pull Behavior Option: Merge Use Credential Manager: Enabled Performance Tweaks FSCache: Enabled Enable Symlinks: Disabled Enable Pseudo Console Support: Disabled Enable FSMonitor: Disabled

and next option doesn't help

git config --global core.sshcommand "C:/Windows/System32/OpenSSH/ssh.exe"

So, how can I change it?

[QuAzI]

Reinstall helps a bit

Now signing works
But git show --show-signature still shows something wrong

> git show --show-signature
commit bfd306334d3bcd4baf01a1e5d0746c217b00480d (HEAD -> master)
Unsupported certificate option "verify-time=20231202233018"^M
Unsupported certificate option "verify-time=20231202233018"
Author: R Y <[email protected]>
Date:   Sat Dec 2 23:30:18 2023

    Testing SSH from Win

Actual /etc/install-options.txt if required

Editor Option: VIM Custom Editor Path: Default Branch Option: Path Option: Cmd SSH Option: ExternalOpenSSH Tortoise Option: false CURL Option: WinSSL CRLF Option: CRLFCommitAsIs Bash Terminal Option: MinTTY Git Pull Behavior Option: Rebase Use Credential Manager: Enabled Performance Tweaks FSCache: Enabled Enable Symlinks: Disabled Enable Pseudo Console Support: Disabled Enable FSMonitor: Disabled

[EDMPhoenix]

Maybe do you have several github accounts?

[QuAzI]

I have one account but 3 SSH keys (only one of them used for GH). Under WSL I don't see Unsupported certificate option "verify-time=20231202233018"

[EDMPhoenix]

The error 'Couldn't get agent socket' happens because Git Bash can't communicate with the SSH agent to get the keys. Let's fix this.

What you need to do in Git Bash is similar to what you did in WSL. For Git Bash, you can try setting SSH_AUTH_SOCK environment variable in ~/.bashrc or ~/.bash_profile:

#~/.bashrc or ~/.bash_profile
eval `ssh-agent -s`
ssh-add ~/.ssh/id_ed25519

Note: replace id_ed25519 with your ssh key name if necessary

This ensures that every time you start Git Bash, it would automatically start the SSH agent and add your SSH key to it.

After doing this, you need to run the source command to reload the .bashrc file:

source ~/.bashrc

or

source ~/.bash_profile

give it a try and see if it works.

Please note that Git Bash derives its default keys from ~/.ssh/id_rsa so ensure to specify the correct path to your ed25519 in ssh-add. You should see a message indicating your identity has been added:

Identity added: /c/Users/[your username]/.ssh/id_ed25519 (/c/Users/username/.ssh/id_ed25519)

Now you should be able to commit without errors.

[QuAzI]

Sorry, but running multiple agents is a wrong way by design. Also, I don't have a private key on disk. I have KeePassXC which loads keys into SSH Agent. With External OpenSSH signing works just with some warnings.

[EDMPhoenix]

I understand your point, sorry for misunderstanding your use case. In that case, try the following:

You will need to let Git know where the SSH_AUTH_SOCK is. On Windows, this should be a named pipe that you can connect to, but Git Bash is a POSIX environment and the SSH client expects a UNIX domain socket.

You can use npiperelay to create a link between the UNIX domain socket that Git Bash / Mingw64 can understand, and the named pipe that ssh-pageant (or any Pageant compatible agent) provides.

Here are the basics steps:

1. Download npiperelay (or compile it using go get github.com/jstarks/npiperelay)

2. Create a script named start_agent in ~/bin/ or /usr/bin/ :

#!/bin/sh
export SSH_AUTH_SOCK=$HOME/.ssh/ssh_auth_sock
rm -f $SSH_AUTH_SOCK
setsid socat UNIX-LISTEN:$SSH_AUTH_SOCK,fork EXEC:"/path/to/npiperelay.exe -ei -s //./pipe/ssh-pageant",nofork &

3. Add ~/bin/start_agent to your .bashrc or .bash_profile:

if [ ! -S "$SSH_AUTH_SOCK" ]; then
  eval `~/bin/start_agent`
fi

Remember to replace /path/to/npiperelay.exe with your actual path.

This way, you will have only one ssh agent running, plus you don't need to change anything in git as it will be able to connect to the SSH_AUTH_SOCK.