1Password x Gitpod integration #14202

Open
florisvdg opened this issue Oct 26, 2022 · 3 comments
florisvdg commented Oct 26, 2022

Use 1Password to sign commits in Gitpod

As discussed with @Nancy-Chauhan, @pawlean, and Michael Aring.

1Password for SSH & Git lets you pull, push, and sign commits using Touch ID, Apple Watch or Windows Hello within a remote Gitpod workspace, without the private key ever leaving 1Password. If you exit the workspace or lock 1Password, all access gets voided.

Next to the Git use case, there are other SSH use cases that could be interesting as well:

  • Uploading artifacts built within a Gitpod workspace over SFTP.
  • Setting up a database tunnel within a Gitpod workspace.
  • Logging into another remote VM within a Gitpod workspace.

What already works today

1. Automatically generate SSH keys and upload public keys to Gitpod, right from the browser:

gitpod-autofill.mov

2. Authenticate into a Gitpod workspace locally using an SSH key stored in 1Password:

gitpod-authentication.mov

3. Make a signed Git commit from within a Gitpod workspace:

gitpod-sign-commits.mov
gitpod-verify-sig.mov

Opportunity to improve: onboarding flow

While the above videos technically already work, there are a few steps involved for the user to set this up:

  1. Locally enable SSH agent forwarding for Gitpod hosts in the SSH config:

         Host *.gitpod.io
           ForwardAgent yes

  2. Tell Git to use SSH for signing and which SSH key to use:

         git config --global gpg.format ssh
         git config --global user.signingkey "ssh-ed25519 <my public key>"

  3. Then, to authenticate pulls and pushes through the SSH agent as well, tell Git to use SSH instead of HTTPS:

         git config --global url."ssh://git@".insteadOf https://

Have Gitpod configure a key in the Gitconfig

Gitpod already configures the Git commit author name and email in every Gitpod workspace:

image

To improve the commit signing setup, Gitpod could also autoconfigure user.signingkey, gpg.format = ssh, and commit.gpgsign = true.

This would need consent of the user, which could possibly be done from the SSH Keys settings pane. Maybe through a checkbox: Use for commit signing, or a dropdown? Here's how GitHub solves it:

image

Opportunity to improve: Discoverability

Not a lot of people know that commit signing with SSH keys is now possible. So we could think of ways to bring this more to the forefront. For example:

  • Create an entire Commit Signing settings pane just like the existing SSH Keys pane.
  • Cover it in the Gitpod SSH docs and other docs.
  • GitHub offers an API to check what the configured commit signing requirements are. Could be interesting to add a warning or some sort of label in Gitpod to denote that you won't be able to contribute to that repo if you don't have commit signing set up (and point the user in the direction to set it up for their Gitpod workspace).

Limitations

Desktop IDE only

All of the above only works when using Gitpod in a Desktop IDE. In the future, I'd love to also explore a full browser integration, but that would require a bit more engineering work on the Gitpod side as well.

GitHub only

Commit signing currently only works (well) with GitHub, but GitLab support is coming real soon as well.
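
A check for the setup steps described in the issue, as an added example that is not part of the original issue and is not Gitpod's or 1Password's code: it confirms that Git is set to sign with SSH and that the key in user.signingkey is one the forwarded agent actually offers. The function names and the AUDIT_RUN switch are hypothetical, and user.signingkey is assumed to hold a literal public key as in step 2.

```bash
#!/usr/bin/env bash
# Added example: audit a workspace for the SSH commit-signing setup.
# Assumes user.signingkey is a literal public key, not a path to a key file.

# Reduce a public key line to "type blob", dropping the trailing comment,
# so the same key matches however it is labelled.
key_id() {
  printf '%s\n' "$1" | awk '{print $1 " " $2}'
}

# Succeed only if the key in $1 is among the agent's keys
# ($2: output of `ssh-add -L`).
key_in_agent() {
  local want
  want=$(key_id "$1")
  printf '%s\n' "$2" | awk '{print $1 " " $2}' | grep -Fxq -- "$want"
}

# Print one finding per line; the exit status is the number of findings,
# so 0 means the setup is consistent.
audit_signing() {
  local format signingkey gpgsign agent_keys n
  format=$1; signingkey=$2; gpgsign=$3; agent_keys=$4; n=0
  [ "$format" = ssh ] || { echo "gpg.format is '$format', expected 'ssh'"; n=$((n+1)); }
  [ -n "$signingkey" ] || { echo "user.signingkey is not set"; n=$((n+1)); }
  [ "$gpgsign" = true ] || { echo "commit.gpgsign is not true: commits are only signed with -S"; n=$((n+1)); }
  if [ -n "$signingkey" ] && ! key_in_agent "$signingkey" "$agent_keys"; then
    echo "user.signingkey is not offered by the forwarded agent"; n=$((n+1))
  fi
  return "$n"
}

# Collect the live values from Git and the agent, then audit them.
main() {
  [ -S "${SSH_AUTH_SOCK:-}" ] || echo "SSH_AUTH_SOCK is not a socket: no agent is forwarded"
  audit_signing "$(git config --get gpg.format)" \
    "$(git config --get user.signingkey)" \
    "$(git config --get --type=bool commit.gpgsign)" \
    "$(ssh-add -L 2>/dev/null)"
}

# Run against the live workspace only when asked to.
if [ "${AUDIT_RUN:-}" = 1 ]; then main; fi
```

Run it inside the workspace with `AUDIT_RUN=1 bash audit.sh`; a finding about the agent means signing will fail even though the Git config looks correct.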

loujaybee commented Oct 27, 2022

wow, thank you for the incredibly detailed issue @florisvdg ... I think this is the best explained and detailed issue that I've ever seen in the gitpod repo 😍 ✨. We'll be sure to take a look, and hopefully we can make some progress on improving the 1password integration 🙏

I know @jacobparis is a fan: https://www.jacobparis.com/blog/auto-updating-secrets 😁

shyim commented Oct 29, 2022

The workaround for the Gitconfig is to use dotfiles and overwrite the default .gitconfig from Gitpod.

Also, an additional limitation is that SSH forwarding is completely broken on JetBrains Gateway, so it only works from VS Code Desktop.

https://youtrack.jetbrains.com/issue/GTW-2133/SSH-Agent-Forward-does-not-work

@daniloraisi

@florisvdg I also use 1Password to manage my SSH Keys. Your explanation is fantastic. I usually use Gitpod via SSH (Neovim as IDE), so the integration is valid through the Terminal too!
