
Using SSH keys with TPM and Git

#ssh #git #security

Soc Virnyl Estela | 2024-05-05 | reading time: ~2min

So my mentor has already made a post about how to use TPMs in openSUSE.

I followed it a bit and did some weird stuff because it didn't work at first. It turns out I made a typo and missed a flag.

Now that that was all fixed, I was curious whether I could use the key to verify my identity on GitHub or any other forge, e.g. Codeberg. So I tried it on GitHub. Here was the process.

Adding the SSH public key to GitHub

First, export the public key from the TPM through the PKCS#11 provider into your SSH directory:

ssh-keygen -D /usr/lib64/pkcs11/libtpm2_pkcs11.so.0 | tee ~/.ssh/id_ecdsa_tpm.pub

Then copy the SSH pubkey. Here I use wl-copy to put it on the system clipboard; make sure you clear the clipboard afterwards. Add it at https://github.com/settings/ssh/new and, for now, set the key type to Authentication Key.

ssh-keygen -D /usr/lib64/pkcs11/libtpm2_pkcs11.so.0 | wl-copy

(Screenshot: GitHub SSH Authentication Key section)

Next, we might also want to use this key to sign git commits with SSH:

git config --global user.signingKey ~/.ssh/id_ecdsa_tpm.pub

Whether you sign your git commits is up to you; I do it globally:

git config --global commit.gpgsign true
git config --global gpg.format ssh
git config --global format.signOff true

Then, like before, add the SSH pubkey on GitHub again, this time selecting Signing Key as the key type.

(Screenshot: GitHub SSH Signing Key section)

Lastly, edit your ~/.ssh/config if you have one (or do something similar) so that it contains a block like the one below:

Host github.com
   User git
   PKCS11Provider /usr/lib64/pkcs11/libtpm2_pkcs11.so.0
   PasswordAuthentication no

Some Caveats

The issue with this configuration is that ssh-agent cannot add the private key automatically or permanently as of now, so you have to run the following command manually after a reboot, or whenever ssh-agent has expired the key (if you set a key lifetime):

ssh-add -s /usr/lib64/pkcs11/libtpm2_pkcs11.so.0

â„č You might want to configure that within your shell profile.

Once the private key is added, you can do basic SSH stuff with Git. 😄
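The whole procedure above as one script, an added example that is not code from the post or from the tpm2-pkcs11 project: it assumes the provider path the post uses, and the allowed_signers file, the --apply switch and the function names are my own additions so that signatures can also be verified locally with git.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the provider path the
# post uses (override with TPM_PKCS11_PROVIDER); the other paths are my choice.
PROVIDER="${TPM_PKCS11_PROVIDER:-/usr/lib64/pkcs11/libtpm2_pkcs11.so.0}"
PUBKEY="${HOME}/.ssh/id_ecdsa_tpm.pub"
ALLOWED="${HOME}/.ssh/allowed_signers"

# Turn a public-key line ("<keytype> <base64> [comment]") into the
# "<principal> <keytype> <base64>" format git's gpg.ssh.allowedSignersFile
# expects, so `git verify-commit` can check signatures locally, not only on GitHub.
allowed_signers_line() {
  principal=$1
  set -- $2                      # word-split the pubkey line
  printf '%s %s %s\n' "$principal" "$1" "$2"
}

# True when the agent already holds the TPM key: compare the key type and
# base64 blob of the exported pubkey against the output of `ssh-add -L`.
tpm_key_loaded() {
  pubkey_line=$1
  agent_listing=$2
  set -- $pubkey_line
  printf '%s\n' "$agent_listing" | grep -qF -- "$1 $2"
}

# The setup from the post plus a local allowed_signers entry ($1 = the e-mail
# used as user.email). Only the first key the provider exposes is used;
# ssh-keygen -D prints one line per key on the token.
setup_tpm_git_signing() {
  ssh-keygen -D "$PROVIDER" > "$PUBKEY"
  git config --global gpg.format ssh
  git config --global user.signingKey "$PUBKEY"
  git config --global commit.gpgsign true
  git config --global format.signOff true   # only adds a Signed-off-by trailer; not a signature
  git config --global gpg.ssh.allowedSignersFile "$ALLOWED"
  allowed_signers_line "$1" "$(head -n 1 "$PUBKEY")" >> "$ALLOWED"
  # Load the private key handle into the running agent (prompts for the token PIN);
  # this is the step the post notes must be repeated after a reboot.
  if ! tpm_key_loaded "$(head -n 1 "$PUBKEY")" "$(ssh-add -L 2>/dev/null)"; then
    ssh-add -s "$PROVIDER"
  fi
}

# Run the real setup only on request, so sourcing this file is side-effect free:
#   sh tpm-git-signing.sh --apply you@example.com && git verify-commit HEAD
if [ "${1:-}" = "--apply" ]; then
  setup_tpm_git_signing "${2:?principal e-mail required}"
fi
```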

