Git commit signing with onlykey-agent

I’m using the onlykey-agent with SSH for git. It works fine for SSH (git pull/push etc) but not for signing commits.

I generated a public key with:

onlykey-agent identity@myhost > ~/.ssh/identity@myhost.pub

I have configured git:

[user]
       email = EMAIL
        name = NAME
  signingkey = ~/.ssh/identity@myhost.pub
[commit]
  gpgsign = true
[tag]
  gpgsign = true
[gpg]
  format = ssh

Git pushes/pulls etc work fine but when I try and sign a commit I get a fail:

$ onlykey-agent identity@myhost -- git commit -m "commit message"

2023-06-24 15:42:53,329 ERROR        signature with "<ssh://identity@myhost|ed25519>" key failed                                     [protocol.py:152]
Traceback (most recent call last):
  File "/home/user/.local/lib/python3.11/site-packages/libagent/ssh/protocol.py", line 148, in sign_message
    signature = self.conn.sign(blob=blob, identity=key['identity'])
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/user/.local/lib/python3.11/site-packages/libagent/ssh/__init__.py", line 246, in sign
    return conn.sign_ssh_challenge(blob=blob, identity=identity)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/user/.local/lib/python3.11/site-packages/libagent/ssh/client.py", line 48, in sign_ssh_challenge
    msg['user'].decode('ascii'), identity.to_string(),
    ~~~^^^^^^^^
KeyError: 'user'
error: Signing file /tmp/.git_signing_buffer_tmppiE3DO
Couldn't sign message (signer): communication with agent failed?
Signing /tmp/.git_signing_buffer_tmppiE3DO failed: communication with agent failed?

2023-06-24 15:42:53,330 WARNING      error: 'user'                                                                                        [server.py:100]
Traceback (most recent call last):
  File "/home/user/.local/lib/python3.11/site-packages/libagent/server.py", line 95, in handle_connection
    reply = handler.handle(msg=msg)
            ^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/user/.local/lib/python3.11/site-packages/libagent/ssh/protocol.py", line 106, in handle
    reply = method(buf=buf)
            ^^^^^^^^^^^^^^^
  File "/home/user/.local/lib/python3.11/site-packages/libagent/ssh/protocol.py", line 148, in sign_message
    signature = self.conn.sign(blob=blob, identity=key['identity'])
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/user/.local/lib/python3.11/site-packages/libagent/ssh/__init__.py", line 246, in sign
    return conn.sign_ssh_challenge(blob=blob, identity=identity)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/user/.local/lib/python3.11/site-packages/libagent/ssh/client.py", line 48, in sign_ssh_challenge
    msg['user'].decode('ascii'), identity.to_string(),
    ~~~^^^^^^^^
KeyError: 'user'
fatal: failed to write commit object

Am I doing this right or is there a problem in my setup? Thanks.

Answering myself: it was fixed in Jan this year by activescott: fix: eleminates error when using SSHSIG when using onlykey-agent

But there’s been no release since the fix was merged unfortunately.

So instead I’ve applied that fix manually, i.e. adding these two lines to site-packages/libagent/ssh/client.py around line 72:

res['user'] = b'SSHSIG' # logging statements in client.py expect this to be there and raise without it
res['key_type'] = res['hashalg'] # logging statements in client.py expect this to be there and raise without it

…and SSH signing now works for me.

Once the next version of lib-agent after v1.0.5 is released, this patch will no longer be necessary.

lib-agent v1.0.6 was just released and contains the fix: Release v1.0.6 · onlykey/lib-agent
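
Added example, not part of the thread and not lib-agent's code: a sketch of why the traceback above ends in KeyError: 'user'. A commit-signing request carries an SSHSIG blob (OpenSSH PROTOCOL.sshsig), which has no user name field, unlike the RFC 4252 user-authentication blob signed during git push/pull. The function names and both sample blobs are constructed for illustration.

```python
import hashlib

def ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire 'string': uint32 big-endian length, then the bytes."""
    return len(data).to_bytes(4, "big") + data

def read_string(buf: bytes, off: int):
    """Decode one SSH 'string' at off; return (value, next offset)."""
    end = off + 4 + int.from_bytes(buf[off:off + 4], "big")
    if off + 4 > len(buf) or end > len(buf):
        raise ValueError("truncated SSH string")
    return buf[off + 4:end], end

def parse_sign_blob(blob: bytes) -> dict:
    """Return the fields of a blob an SSH agent is asked to sign."""
    if blob.startswith(b"SSHSIG"):
        # PROTOCOL.sshsig: magic, namespace, reserved, hash_algorithm, H(message)
        res, off = {"kind": "sshsig"}, 6
        for name in ("namespace", "reserved", "hashalg", "hash"):
            res[name], off = read_string(blob, off)
        return res
    # RFC 4252 sec. 7: session id, byte 50, user, service, "publickey", TRUE, alg, key
    res = {"kind": "userauth"}
    res["session_id"], off = read_string(blob, 0)
    if blob[off:off + 1] != b"\x32":
        raise ValueError("not SSH_MSG_USERAUTH_REQUEST")
    off += 1
    for name in ("user", "service", "method"):
        res[name], off = read_string(blob, off)
    off += 1  # skip the boolean TRUE
    for name in ("key_type", "public_key"):
        res[name], off = read_string(blob, off)
    return res

def describe(fields: dict) -> str:
    """Log label that only touches keys present for the blob's kind."""
    if fields["kind"] == "sshsig":
        return "sshsig namespace=%s hashalg=%s" % (
            fields["namespace"].decode(), fields["hashalg"].decode())
    return "userauth user=%s key_type=%s" % (
        fields["user"].decode(), fields["key_type"].decode())

# Constructed sample blobs (placeholder session id and public key bytes).
SSHSIG_BLOB = (b"SSHSIG" + ssh_string(b"git") + ssh_string(b"") + ssh_string(b"sha512")
               + ssh_string(hashlib.sha512(b"commit message").digest()))
AUTH_BLOB = (ssh_string(b"\x00" * 32) + b"\x32" + ssh_string(b"git")
             + ssh_string(b"ssh-connection") + ssh_string(b"publickey") + b"\x01"
             + ssh_string(b"ssh-ed25519") + ssh_string(b"\x00" * 32))
```

Code that reads fields['user'] unconditionally works for AUTH_BLOB and raises KeyError for SSHSIG_BLOB, which is the gap the two-line patch quoted above fills by supplying 'user' and 'key_type' for SSHSIG requests.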