
Using SSH keys with TPM and Git

#ssh #git #security

Soc Virnyl Estela | 2024-05-05 | reading time: ~2min

So my mentor has already made a post about how to use TPMs in openSUSE.

I followed along for a bit and did some weird stuff because it didn't work at first. It turned out I had made a typo and missed a flag.

Now that this was all fixed, I was curious whether I could use the key to verify my identity on GitHub or any other forge, e.g. Codeberg. So I tried it on GitHub. Here is the process.

Adding the SSH public key to GitHub

First, export the public half of the TPM-resident key through the PKCS#11 provider and save it in your ssh directory:

ssh-keygen -D /usr/lib64/pkcs11/libtpm2_pkcs11.so.0 | tee ~/.ssh/id_ecdsa_tpm.pub

Then copy the SSH public key. Here I use wl-copy to put it on the system clipboard; make sure you clear the clipboard afterwards. Add the key at https://github.com/settings/ssh/new and, for now, set the key type to Authentication Key.

ssh-keygen -D /usr/lib64/pkcs11/libtpm2_pkcs11.so.0 | wl-copy

[Screenshot: GitHub SSH Authentication Key section]

Next, we can also use this key to sign git commits, since Git supports SSH signatures:

git config --global user.signingKey ~/.ssh/id_ecdsa_tpm.pub

Whether you sign your git commits is up to you. I do this globally (commit.gpgsign is what produces the SSH signature with the key above; format.signOff only adds a Signed-off-by trailer):

git config --global commit.gpgsign true
git config --global gpg.format ssh
git config --global format.signOff true

Then, like before, add the SSH public key to GitHub once more, this time selecting Signing Key as the key type.

[Screenshot: GitHub SSH Signing Key section]

Lastly, edit your ~/.ssh/config if you have one (or do something equivalent) so that it looks like the one below:

Host github.com
   User git
   PKCS11Provider /usr/lib64/pkcs11/libtpm2_pkcs11.so.0
   PasswordAuthentication no

Some Caveats

The issue with this configuration is that ssh-agent can't add the private key automatically or permanently as of now, so you have to run the command manually after a reboot, or whenever the key expires from ssh-agent (if you configured a lifetime):

ssh-add -s /usr/lib64/pkcs11/libtpm2_pkcs11.so.0

ā„¹ļø You might want to configure that within your shell profile.

Once the private key is added, you can do the usual SSH things with Git. 😄
