Git FIDO Helper - Sign your Git commits with multiple resident SSH keys

Overview

gfh

Git FIDO helper, or God Fucking Help me.

gfh is a tool for helping you sign your commits in Git with resident SSH keys stored on multiple FIDO devices.


NB: Currently this project has only been tested with the YubiKey 5C NFC. Any FIDO2 certified device should be compatible, but please let me know if you encounter any issues with particular devices, or also if it works fine, so that I can keep a running list of all keys that are verified working.

Getting Started

Before you get started with gfh, you'll need to make sure that you already have a resident SSH key on your FIDO key(s). The simplest way to do this is via ssh-keygen -t ed25519-sk -O resident, but there are better guides online if you need some different stuff.

If you don't own multiple FIDO keys, or only use one resident SSH key, then you more than likely do not need gfh. This tool has a very niche use case because Git does not support multiple user.signingkey values. If you only use one resident SSH key for signing your commits, you can just set that config option directly without gfh.

Caveats

I've only personally validated gfh as working on macOS; some friends of mine have had it work fine on Windows (10 & 11), but I haven't had any luck with that myself.

On Linux, gfh seems to fail with warning: gpg.ssh.defaultKeyCommand succeeded but returned no keys: key::..., which makes no sense, because the format it expects is evidently there. A friend of mine has said that running eval `ssh-agent` (or eval (ssh-agent -c) as the Fish equivalent) solved the issue for them, however I haven't had any luck with this personally so YMMV.

If you ever find out a consistent workaround for these problems, please let me know and I'll try and see if I can reproduce them.

Usage

The simplest way to add your keys to gfh is via gfh -a. This will prompt you to select the FIDO key to use, as well as the path to the public key (or private key) to use with it (this must be a resident key that you generated for that particular FIDO device).

If you prefer, you can edit the config manually by creating a file at ~/.config/gfh/keys with the following format:

serial::~/.ssh/id_ed25519_sk
serial::~/.ssh/id_ecdsa_sk

(Blank lines & lines starting with # will be ignored, but won't be retained if you use gfh -a)

After importing your keys to gfh, run the following commands to set up SSH signing with Git:

git config --global commit.gpgsign true
git config --global tag.gpgsign true
git config --global gpg.format "ssh"
git config --global gpg.ssh.program "gfh-keygen"
git config --global gpg.ssh.defaultKeyCommand "gfh"

If you're on Windows, change the last two commands to set gfh-keygen.exe and gfh.exe respectively.

(You shouldn't set user.signingkey because gfh will handle that for you automatically.)

If all goes according to plan, you should be able to create a new commit or tag with your FIDO key plugged in, and Git will correctly prompt you to sign with it.
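Added example, not code from gfh itself: a Python model of the lookup the config format and the Git settings above imply. It parses the ~/.config/gfh/keys format (serial::path, blank and # lines skipped, private or public key path accepted) and emits the single key::<public key> line Git accepts from gpg.ssh.defaultKeyCommand for the entry whose serial matches the device that is plugged in. The serials, key contents and the demo() helper are constructed; real FIDO device enumeration is replaced by passing the present serial as an argument.

```python
import tempfile
from pathlib import Path

# Constructed samples: keys file (placeholder serials) and OpenSSH pubkey lines with dummy blobs.
SAMPLE_KEYS_FILE = """\
# work key first, backup key second
11111111::~/.ssh/id_ed25519_sk
22222222::~/.ssh/id_ecdsa_sk

"""
SAMPLE_PUBKEYS = {
    "id_ed25519_sk.pub": "sk-ssh-ed25519@openssh.com AAAAdummy1 work-key",
    "id_ecdsa_sk.pub": "sk-ecdsa-sha2-nistp256@openssh.com AAAAdummy2 backup-key",
}

def parse_keys_file(text):
    """Yield (serial, path) pairs; blank lines and '#' comments are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        serial, sep, path = line.partition("::")
        if not sep or not serial or not path:
            raise ValueError(f"malformed keys line: {line!r}")
        yield serial, path

def public_key_path(path, home):
    """Resolve a private or public key path to its .pub file, expanding ~ to home."""
    p = Path(home + path[1:]) if path.startswith("~/") else Path(path)
    return p if p.suffix == ".pub" else p.with_name(p.name + ".pub")

def default_key_line(text, present_serial, home):
    """Build the 'key::<public key>' line Git reads from gpg.ssh.defaultKeyCommand."""
    for serial, path in parse_keys_file(text):
        if serial != present_serial:
            continue
        pub = public_key_path(path, home).read_text().strip()
        if not pub.startswith("sk-"):  # only FIDO-backed (sk-*) key types belong here
            raise ValueError(f"{path} is not an sk- (FIDO) key")
        return f"key::{pub}"
    return None  # no match: the case Git reports as 'succeeded but returned no keys'

def demo(present_serial):
    with tempfile.TemporaryDirectory() as home:
        ssh = Path(home) / ".ssh"
        ssh.mkdir()
        for name, content in SAMPLE_PUBKEYS.items():
            (ssh / name).write_text(content + "\n")
        return default_key_line(SAMPLE_KEYS_FILE, present_serial, home)
```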

Installation

Releases are currently pending fixed CI builds; in the meantime you can install via Cargo just fine.

Static binary builds of gfh are available on our releases page for Windows (x86), Mac (ARM & x86), and Linux (various architectures).

Homebrew

brew install ovyerus/tap/gfh

Scoop

scoop bucket add ovyerus https://github.com/Ovyerus/bucket
scoop install gfh

Crate

cargo install gfh

From source

Pull this repository and run cargo build --release, and look for the gfh and gfh-keygen binaries in ./target/release/.

When building from source or from Cargo, on Linux you will need the following packages: pkg-config, libpcsclite-dev and libudev-dev.

License

This program is licensed under the MIT license (see LICENSE or https://opensource.org/licenses/MIT).
