
Using SSH keys with TPM and Git

#ssh #git #security

Soc Virnyl Estela | 2024-05-05 | reading time: ~2min

So my mentor has already made a post about how to use TPMs in openSUSE.

I followed a bit, did some weird stuff because it doesn't work at first. It turns out I made a typo and missed a flag 🥴

Now that that was all fixed, I was curious whether I could use the key to verify my identity on GitHub or any other forge, e.g. Codeberg. So I tried it on GitHub. Here was the process.

Adding the SSH public key to GitHub

First, you have to export the public key from the TPM (through its PKCS#11 module) into your ssh directory

ssh-keygen -D /usr/lib64/pkcs11/libtpm2_pkcs11.so.0 | tee ~/.ssh/id_ecdsa_tpm.pub

And then just copy the SSH pubkey. Here, I use wl-copy to copy it to my system clipboard. Make sure you clear your system clipboard after. Add it in https://github.com/settings/ssh/new. For now, set it as an Authentication Key.

ssh-keygen -D /usr/lib64/pkcs11/libtpm2_pkcs11.so.0 | wl-copy

[Screenshot: GitHub SSH Authentication Key section]

Next, we might want to add this as our way to sign git commits with SSH.

git config --global user.signingKey ~/.ssh/id_ecdsa_tpm.pub

Whether you sign every git commit is up to you. I enable it globally.

git config --global commit.gpgsign true
git config --global gpg.format ssh
git config --global format.signOff true

Then, as before, add the same SSH pubkey on GitHub again, this time selecting Signing Key as the key type.
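GitHub verifies the signature against the Signing Key uploaded above, but git itself can only verify SSH-signed commits locally (git verify-commit, git log --show-signature) if it knows which key belongs to which committer email. The following shell script is an added example, not part of the original post: it builds an allowed_signers entry from the exported pubkey and points git at it. The allowed_signers path is my own choice, the pubkey path is the one used in the post, and the script assumes the first line of that file is the key you uploaded (ssh-keygen -D prints one line per key in the token).

```shell
#!/bin/sh
# Added example: enable local verification of SSH-signed git commits.
# Assumptions (not from the post): allowed_signers lives in ~/.ssh, and the
# first line of ~/.ssh/id_ecdsa_tpm.pub is the key registered on GitHub.
ALLOWED_SIGNERS="${HOME}/.ssh/allowed_signers"
TPM_PUBKEY="${HOME}/.ssh/id_ecdsa_tpm.pub"

# Build one allowed_signers line: "<principal> namespaces="git" <type> <base64>".
# $1 = principal (the committer email git will look up), $2 = a public key line
# in authorized_keys form ("ecdsa-sha2-nistp256 AAAA... comment").
# The comment is dropped and the entry is restricted to the "git" namespace, so
# a signature this key made over something else (e.g. a file signed with
# ssh-keygen -Y sign -n file) is not accepted as a commit signature.
allowed_signers_line() {
    principal=$1
    set -- $2            # word-split the key line: $1=type $2=base64 $3..=comment
    printf '%s namespaces="git" %s %s\n' "$principal" "$1" "$2"
}

# Append the TPM key for the given email and tell git where the file is.
# $1 = committer email; it must equal user.email when the commit is made,
# because git passes the committer email as the principal to ssh-keygen -Y verify.
register_signing_key() {
    [ -r "$TPM_PUBKEY" ] || {
        echo "missing $TPM_PUBKEY; export it with ssh-keygen -D first" >&2
        return 1
    }
    mkdir -p "$(dirname "$ALLOWED_SIGNERS")"
    allowed_signers_line "$1" "$(head -n 1 "$TPM_PUBKEY")" >> "$ALLOWED_SIGNERS"
    chmod 600 "$ALLOWED_SIGNERS"
    git config --global gpg.ssh.allowedSignersFile "$ALLOWED_SIGNERS"
}

# Usage: RUN_SETUP=1 sh this_script.sh
# Afterwards `git commit -S` signs with the TPM key and
# `git verify-commit HEAD` / `git log --show-signature` report "Good" signatures.
if [ -n "${RUN_SETUP:-}" ]; then
    register_signing_key "$(git config user.email)"
    git verify-commit HEAD || echo "HEAD is not signed yet (or signed by another key)"
fi
```

Keeping the entry namespaced to git matters because the same TPM key is also your authentication key: without the namespace restriction, any SSH signature made by that key would be accepted as a commit signature.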

[Screenshot: GitHub SSH Signing Key section]

Lastly, edit your ~/.ssh/config (or create one) so that the GitHub host entry looks like the one below

Host github.com
   User git
   PKCS11Provider /usr/lib64/pkcs11/libtpm2_pkcs11.so.0
   PasswordAuthentication no

Some Caveats

The issue with this configuration is that ssh-agent can't add the private key automatically or permanently as of now. So you have to run the command manually after a reboot, or whenever the key expires from ssh-agent (if you set a lifetime for it)

ssh-add -s /usr/lib64/pkcs11/libtpm2_pkcs11.so.0

ℹ️ You might want to configure that within your shell profile.
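A shell profile is sourced on every new shell, so calling ssh-add -s unconditionally would prompt for the PKCS#11 PIN each time a terminal opens. The snippet below is an added example (not from the post) of a profile function that first checks whether the TPM key is already in the agent and only then loads the module; the check is factored into its own function so the matching logic can be exercised without a TPM. It assumes the pubkey file and module path used in the post.

```shell
#!/bin/sh
# Added example: idempotent loading of the TPM-backed key into ssh-agent.
# Assumptions (from the post): module path and pubkey file below.
TPM_PKCS11=/usr/lib64/pkcs11/libtpm2_pkcs11.so.0
TPM_PUBKEY="${HOME}/.ssh/id_ecdsa_tpm.pub"

# Return 0 if the key blob ($2, the base64 field of a pubkey line) appears in
# the agent listing ($1, the output of `ssh-add -L`). Fixed-string match, so
# the base64 characters "+", "/" and "=" are not treated as a pattern.
tpm_key_is_loaded() {
    printf '%s\n' "$1" | grep -qF -- "$2"
}

# Call this from ~/.profile or ~/.bashrc. It asks for the PIN only when the
# key is not already present in the running agent.
ensure_tpm_key_loaded() {
    [ -r "$TPM_PUBKEY" ] || return 1             # nothing exported yet
    blob=$(awk 'NR == 1 {print $2}' "$TPM_PUBKEY")
    listing=$(ssh-add -L 2>/dev/null)            # "The agent has no identities." when empty
    if tpm_key_is_loaded "$listing" "$blob"; then
        return 0
    fi
    ssh-add -s "$TPM_PKCS11"
}

# In the profile: ensure_tpm_key_loaded || echo "TPM key not loaded" >&2
```

If ssh-agent was started with a key lifetime (ssh-add -t or the agent's -t option), the listing stops containing the key once it expires, so the next shell re-adds it; that is exactly the "when ssh-agent expires" case above.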

Once the private key is added, you can do basic SSH stuff with Git. 😄

