Streamlining Devcontainer Workflow: SSH Authentication and Key Signing with 1Password

Max Harley
4 min readNov 12, 2023

Effortlessly Integrating Advanced SSH Techniques into Your Development Environment

I’m going to keep it a buck fifty with y’all: I had this problem, wrote a lil markdown file with bullet points about how I solved it, and fed it to ChatGPT to fill in the post. It even came up with this horrible and verbose title. What’s wild to me is that it messed up the numbers and skipped step 3. Counting is hard for everybody.

I didn’t want to write a whole blog post, but I felt like I needed to post it because this issue was really annoying to figure out but super cool once it’s working. I probably spent more time with that “featured image” edit than I did the post. I love AI. Now for the robot talk.

As a Windows user utilizing Docker Desktop, 1Password, and VSCode devcontainers, I’ve encountered a frustrating problem: I wanted to start a container with VSCode and use my SSH key stored in 1Password automatically, without having to add it to the ~/.ssh/ folder every time (it also enables commit signing, but the robot forgot to say that). In this blog post, I'll guide you through the steps to achieve this seamlessly.

Step 1: Configure SSH Key

Firstly, create an SSH key in 1Password. This key will be used later in the process.

Creating a new SSH key in 1Password

Then, add this SSH key as a signing key to your GitHub account. Note that an authentication key and signing key are different things. Click the dropdown for “Key type” and set “Signing Key” as shown in the screenshot attached.

Adding a SSH Signing Key to GitHub. This SSH key has since been deleted

Step 2: 1Password SSH Agent

1Password includes an SSH agent within their client. To enable it, navigate to 1Password --> Settings --> Developer and check the "Use the SSH agent" option.

Starting the SSH Agent

It actually didn’t start the first time I ran it. Unclicking the checkbox and checking it again will restart the service. You can validate it’s working by opening PowerShell and running ssh-add -l. If nothing comes up after you've created the key or an error pops up, then you have an issue with the service.

Step 4: Add Configuration to .gitconfig

Modify your .gitconfig file. It's important to note that setting a profile %USERPROFILE%\.gitconfig in .gitconfig will automatically copy that configuration to your devcontainer. However, you will need to delete the [gpg "ssh"] section because the devcontainer won't have access to the file path of that binary.

Clicking the “Configure Commit Signing” button
Copy the .gitconfig

Also, ensure your VSCode is configured correctly to copy the .gitconfig. This might be a default setting in newer VSCode versions, but it's worth checking.

{
...
"settings": {
"remote.containers.copyGitConfig": true
}
...
}

Step 5: VSCode SSH Agent Forwarding

This process should be configured automatically. If you have an SSH agent running on your host machine, it will automatically be forwarded to your devcontainer. You can verify this by running echo $SSH_AUTH_SOCK.

codespace ➜ /workspaces/intel-go (master) $ echo $SSH_AUTH_SOCK 
/tmp/vscode-ssh-auth-AAAAAAAAAAAAAAAAAAAAAAAAAA.sock

Step 6: Testing

Here’s my config for devcontainer.json and Dockerfile.

{
"build": {
"dockerfile": "Dockerfile"
},
"containerUser": "codespace",
"customizations": {
"vscode": {
"extensions": [
"golang.Go"
]
},
"settings": {
"remote.containers.copyGitConfig": true
}
}
}
FROM mcr.microsoft.com/devcontainers/universal:2
ARG USERNAME=codespace
RUN apt-get update \
&& apt-get install -y sudo \
&& echo $USERNAME ALL=\(root\) NOPASSWD:ALL > /etc/sudoers.d/$USERNAME \
&& chmod 0440 /etc/sudoers.d/$USERNAME
USER ${USERNAME}
# Rest of config goes here...

It’s essential to use a non-root user in your devcontainer (like codespace) with the universal package. This is because a ~/.gitconfig will automatically be created if you're using the root user.

Finally, open the devcontainer, check for $SSH_AUTH_SOCK and .gitconfig, ensuring the options from 1Password are enabled. Then, try to commit inside the devcontainer session to see if authentication works and the commit is signed. A commit that shows up as signed will have the "Verified" badge.

Proof of a verified signature

This setup streamlines the integration of 1Password’s SSH keys with Docker and VSCode, making the developer’s workflow much more efficient.

--

--