
Using SSH keys with TPM and Git

#ssh #git #security

Soc Virnyl Estela | 2024-05-05 | reading time: ~2min

So my mentor has already made a post about how to use TPMs in openSUSE.

I followed it a bit and did some weird stuff because it didn't work at first. It turned out I had made a typo and missed a flag.

Now that that was all fixed, I was curious whether I could use the key to verify my identity on GitHub or any other forge, e.g. Codeberg. So I tried it on GitHub. Here is the process.

Adding the SSH public key to GitHub

First, export the public key from the TPM and save it in your ~/.ssh directory:

ssh-keygen -D /usr/lib64/pkcs11/libtpm2_pkcs11.so.0 | tee ~/.ssh/id_ecdsa_tpm.pub

Then copy the SSH public key. Here, I use wl-copy to put it on my system clipboard; make sure you clear the clipboard afterwards. Add it at https://github.com/settings/ssh/new. For now, set the key type to Authentication Key.

ssh-keygen -D /usr/lib64/pkcs11/libtpm2_pkcs11.so.0 | wl-copy

(Screenshot: GitHub SSH Authentication Key section)

Next, you may also want to use this key to sign Git commits with SSH:

git config --global user.signingKey ~/.ssh/id_ecdsa_tpm.pub

Whether you sign every commit is up to you; I enable it globally:

git config --global commit.gpgsign true
git config --global gpg.format ssh
git config --global format.signOff true

Then, as before, add the same SSH public key to GitHub again, this time selecting Signing Key as the key type.

(Screenshot: GitHub SSH Signing Key section)

Lastly, edit your ~/.ssh/config (or create one) with an entry like the one below:

Host github.com
   User git
   PKCS11Provider /usr/lib64/pkcs11/libtpm2_pkcs11.so.0
   PasswordAuthentication no

Some Caveats

The issue with this configuration is that ssh-agent cannot load the TPM-backed private key automatically or permanently as of now, so you have to run the command manually after a reboot or whenever the key expires from ssh-agent (if you configured a lifetime):

ssh-add -s /usr/lib64/pkcs11/libtpm2_pkcs11.so.0

ā„¹ļø You might want to configure that within your shell profile.

Once the private key is added, you can do basic SSH stuff with Git. 😄
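As an added example (not the author's own script), the steps above collected into POSIX shell helpers: exporting and sanity-checking the public key, loading it into ssh-agent only when it is not already there (so the caveat above can be handled from a shell profile), and the Git settings plus an allowed-signers file so that locally made signatures can also be verified locally. The provider path and key file name are the ones from the post; the allowed_signers path is an assumption.

```shell
#!/bin/sh
# Added example (not the post author's script): helpers for the procedure above.
# Assumes the tpm2-pkcs11 provider path and key file name used in the post;
# the allowed_signers location is an assumption.
set -eu

PROVIDER=/usr/lib64/pkcs11/libtpm2_pkcs11.so.0
PUBKEY="${HOME:-/tmp}/.ssh/id_ecdsa_tpm.pub"
SIGNERS="${HOME:-/tmp}/.ssh/allowed_signers"

# Return 0 if $1 looks like an OpenSSH public key line (key type, then base64 blob).
valid_pubkey_line() {
  case "$1" in
    "ecdsa-sha2-nistp256 AAAA"*|"ecdsa-sha2-nistp384 AAAA"*) return 0 ;;
    "ecdsa-sha2-nistp521 AAAA"*|"ssh-rsa AAAA"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 if the key blob of pubkey line $1 appears in $2 (the output of `ssh-add -L`).
agent_has_key() {
  blob=$(printf '%s\n' "$1" | awk '{print $2}')
  printf '%s\n' "$2" | awk '{print $2}' | grep -qxF -- "$blob"
}

# Export the public key from the TPM through the PKCS#11 provider and check its shape.
export_pubkey() {
  ssh-keygen -D "$PROVIDER" > "$PUBKEY"
  valid_pubkey_line "$(head -n 1 "$PUBKEY")" || { echo "unexpected ssh-keygen -D output" >&2; return 1; }
}

# Load the TPM key into ssh-agent only if it is not already there, so this is
# safe to call from a shell profile (the post's caveat: repeat after every reboot).
load_tpm_key() {
  agent_keys=$(ssh-add -L 2>/dev/null || true)
  agent_has_key "$(head -n 1 "$PUBKEY")" "$agent_keys" && return 0
  ssh-add -s "$PROVIDER"
}

# Git settings from the post, plus an allowed-signers file so that
# `git log --show-signature` can verify your own SSH-signed commits locally.
configure_git() {
  git config --global gpg.format ssh
  git config --global user.signingKey "$PUBKEY"
  git config --global commit.gpgsign true
  git config --global format.signOff true
  git config --global gpg.ssh.allowedSignersFile "$SIGNERS"
  entry="$(git config --global user.email) $(cut -d' ' -f1,2 "$PUBKEY")"
  grep -qxF -- "$entry" "$SIGNERS" 2>/dev/null || printf '%s\n' "$entry" >> "$SIGNERS"
}
```

Source the file from your shell profile and call load_tpm_key there; run export_pubkey and configure_git once.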
