No ssh-certificate support #567

Open
nielsk opened this issue Aug 28, 2024 · 4 comments

nielsk commented Aug 28, 2024

There is no way to add an ssh-certificate to a key which I use extensively.
See for example here: https://lwn.net/Articles/913971/

@delfuego

It's not clear what you're reporting here.

If you're saying that you have an existing cert/key pair that you generated on your own and use extensively, it's certainly true that Secretive can't "use" them inasmuch as Secretive doesn't have anything to do with cert/key pairs that are generated outside of its own processes. Instead, Secretive allows you to generate and use new cert/key pairs, the key of which only exists within your computer's Secure Enclave (and cannot ever be exported, seen, or otherwise used by anything but that same computer). But Secretive also doesn't prevent you from using your existing cert/key pair with whatever it is with which you want to use it.

nielsk commented Sep 12, 2024

For being able to use a certificate, you need to have your public key signed by a certificate authority (and the public key of the CA is on the servers).
In a normal ssh-setup you put your ssh certificate next to your public and private key and the ssh-agent will pick it up. On authentication public key and certificate are sent.
So there needs to be some way to export the public key, so that it can be signed, and some way to use the certificate during authentication.

@delfuego

Oh — you're explicitly talking about using chains-of-trust certificates, rather than straightforward SSH certificates.

Secretive certainly has no issue letting you see/"export" your public keys; in the Secretive interface, you get the full path to the public key for every cert pair you generate. But if you're saying that there's no way for you to then get the signed version of that public key and place it somewhere where Secretive's SSH agent can get to it, that's almost certainly true... but I also doubt that this was/is an intended use case for the Secretive-generated secrets. (I obviously can't speak to that!)

@unreality
Contributor

> There is no way to add an ssh-certificate to a key which I use extensively.

@nielsk - There is - if Secretive creates a key with the path ~/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/PublicKeys/266b0718b08bc8653c885ae41534e1c0.pub, it will check if ~/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/PublicKeys/266b0718b08bc8653c885ae41534e1c0-cert.pub exists, and return the contents as an available identity; see #416 for additional details.

Just place your ssh cert in the right place and Secretive will use it.
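
The steps discussed in this thread (export the public key, have a CA sign it, place the result at the matching `-cert.pub` path), as an added shell example that is not part of the original comments or of Secretive's own code. It goes beyond the thread by checking that the certificate was issued for that exact public key before copying it; the throwaway keys, the CA and the `0123abcd` file name in `demo` are constructed, and `$d/agent` stands in for Secretive's PublicKeys directory.

```shell
#!/bin/sh
# Added example: check that an SSH certificate belongs to a public key before
# placing it next to that key. All names used in demo() are constructed.

# <name>.pub -> <name>-cert.pub, the naming described in the thread
cert_path_for() { printf '%s\n' "${1%.pub}-cert.pub"; }

# Fingerprint of a plain public key file
pub_fp() { ssh-keygen -l -f "$1" | awk '{print $2}'; }

# Fingerprint of the key a certificate was issued for
cert_fp() { ssh-keygen -L -f "$1" | awk '$1=="Public" && $2=="key:" {print $4}'; }

# install_cert PUBKEY CERT: copy CERT into place only if it certifies PUBKEY
install_cert() {
    want=$(pub_fp "$1")
    got=$(cert_fp "$2")
    if [ -z "$want" ] || [ "$want" != "$got" ]; then
        echo "refusing: $2 was not issued for $1" >&2
        return 1
    fi
    cp "$2" "$(cert_path_for "$1")"
}

# Constructed end-to-end run with throwaway keys in a temp directory.
# The throwaway private keys exist only so ssh-keygen can produce .pub files;
# a Secure Enclave key would only ever expose its .pub file.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/agent" "$d/ca" || return 1
    ssh-keygen -q -t ecdsa -b 256 -N '' -C ca -f "$d/ca/ca" || return 1
    ssh-keygen -q -t ecdsa -b 256 -N '' -C user -f "$d/ca/user" || return 1
    ssh-keygen -q -t ecdsa -b 256 -N '' -C other -f "$d/ca/other" || return 1
    cp "$d/ca/user.pub" "$d/agent/0123abcd.pub"   # the "exported" public key
    # CA side: sign both keys (writes user-cert.pub and other-cert.pub)
    ssh-keygen -q -s "$d/ca/ca" -I demo-user -n demo -V +1h "$d/ca/user.pub" || return 1
    ssh-keygen -q -s "$d/ca/ca" -I demo-other -n demo -V +1h "$d/ca/other.pub" || return 1
    rc=0
    # A certificate issued for a different key must be rejected
    install_cert "$d/agent/0123abcd.pub" "$d/ca/other-cert.pub" 2>/dev/null && rc=1
    [ ! -e "$d/agent/0123abcd-cert.pub" ] || rc=1
    # The matching certificate lands under the expected name
    install_cert "$d/agent/0123abcd.pub" "$d/ca/user-cert.pub" || rc=1
    [ -s "$d/agent/0123abcd-cert.pub" ] || rc=1
    rm -rf "$d"
    return $rc
}
```

For a real key, call `install_cert` with the `.pub` path shown in the Secretive interface and the certificate file returned by your CA.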
