trustcrypto/onlykey-agent

[Question] Git & GitHub integrations

Closed this issue · 2 comments

Hi Guys!

Recently I got to know about the OnlyKey device as I was looking for a security device to help with my private keys' management and, after getting to know the product better, I was impressed with the feature-richness of the product, so now I'm really considering buying a pair of them.

Some of the tasks I plan to do with this device are related to software development and although I could find the integration guide to secure GitHub and GitLab accounts with OnlyKey through the FIDO U2F protocol, I couldn't find any documentation related to using OnlyKey to authenticate with GitHub repositories through SSH Keys (although I believe this currently works) nor related to signing work on Git (tags / commits) through PGP keys.

Could you please confirm if these tasks are feasible on the current software version (app, firmware, ssh/pgp-agent...) or, at least, are they planned for future releases?

Thanks for the help and keep doing this great work!

You would just use onlykey-agent to generate a public key as shown in the README. Then you can add this public key to GitHub. It's an ECC key, not an RSA key. Then you would use onlykey-agent to run ssh commands, and your OnlyKey is going to ask for a challenge code to authorize the ssh.

Another alternative, which I have been meaning to try but haven't yet, is that OnlyKey is supported by KeePassXC for challenge-response.

With this setup you would protect your SSH key inside your KeePass database and your OnlyKey would be required to access it.

Alright, I believe this answers the first question (related to SSH keys).

The suggested setup using KeePassXC is very similar to the setup that I'm used to, except that I use KeePass + KeeAgent to load the SSH keys (KeePass database entry containing the private key's passphrase and a reference, as an external file, to the private key stored in my PC) and run SSH commands (integrated with OpenSSH for Windows, which is still experimental, but has been working pretty well).

About the second question, I just found a doc that says GPG agent is not supported yet (https://docs.crp.to/onlykey-agent.html).

Therefore, can I assume that signing Git commits/tags using the OnlyKey agent is not possible in the current release?