Skip to content

Instantly share code, notes, and snippets.

@agilous

agilous/0-1Password SSH Agent Forwarding for Devcontainers-README.md

Last active March 31, 2026 14:08
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save agilous/cd29009a96bfe6e81acb5c9e643eff51 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save agilous/cd29009a96bfe6e81acb5c9e643eff51 to your computer and use it in GitHub Desktop.
Download ZIP
1Password SSH Agent Forwarding for Devcontainers
Raw
0-1Password SSH Agent Forwarding for Devcontainers-README.md

1Password SSH Agent Forwarding for Devcontainers

License: MIT

Use 1Password's SSH agent to sign Git commits inside VS Code devcontainers across macOS, Linux, and Windows.

Quick Start

  1. Read the full guide: 1password-ssh-devcontainer-guide.md
  2. Configure your host to use 1Password's SSH agent
  3. Add the devcontainer mount for your platform
  4. Add remoteEnv to your devcontainer.json — required for IDE commit signing (e.g., the Source Control panel's commit button)
  5. Use the setup script (setup-ssh-agent.sh) to auto-detect and configure the agent

What's Included

Supported Platforms

Platform Docker Status
macOS Docker Desktop Tested
Linux Native Docker Untested
Windows WSL2 + Docker Desktop Tested

License

MIT

Raw
1password-ssh-devcontainer-guide.md

1Password SSH Agent Forwarding for Devcontainers

A cross-platform guide for using 1Password's SSH agent to sign Git commits inside VS Code devcontainers, with conditional socket mounting that won't break devcontainers for users who don't use 1Password.

Tested Configurations

  • ✅ macOS Sequoia 15.2 + Docker Desktop 4.37.1 + 1Password 8.x + VS Code 1.96.x (working January 2026)
  • ⏳ Ubuntu 24.04 + Docker Engine (untested)
  • ✅ Windows 11 + WSL2 + Docker Desktop (working January 2026)
  • ✅ Windows 11 + WSL2 + Docker Desktop + Cursor (working March 2026)

The Problem

When using VS Code devcontainers with 1Password's SSH agent, signed git commits fail with errors like:

error: Couldn't find key in agent?
fatal: failed to write commit object

This happens because:

  1. 1Password manages SSH keys via its own agent socket
  2. VS Code's devcontainer SSH agent forwarding doesn't automatically detect 1Password's socket
  3. The socket forwarding mechanism differs by host operating system

Prerequisites (All Platforms)

Note: This guide is for local devcontainers running via Docker Desktop or Docker Engine. GitHub Codespaces uses different SSH forwarding mechanisms and is not covered here.

IDE Compatibility: While this guide references VS Code, it also applies to VS Code forks that support devcontainers, including Cursor and Windsurf.

  • 1Password desktop app installed
  • SSH key stored in 1Password
  • SSH key registered with your Git provider (GitHub, GitLab, etc.) as both:
    • Authentication key (for push/pull)
    • Signing key (for commit signing)
  • VS Code with Dev Containers extension
  • Docker Desktop (macOS/Windows) or Docker Engine (Linux)

macOS Setup (Docker Desktop)

Why macOS is Different

Docker Desktop on macOS runs containers inside a Linux VM. Unix sockets cannot be directly mounted from macOS into this VM. Docker Desktop provides a special "magic" socket at /run/host-services/ssh-auth.sock that forwards to whatever SSH_AUTH_SOCK is set to on your Mac.

The catch: Docker Desktop is launched by launchd, which doesn't inherit your shell environment. You must configure SSH_AUTH_SOCK globally.

Host Setup

1. Enable 1Password SSH Agent

  1. Open 1Password → SettingsDeveloper
  2. Check "Use the SSH agent"
  3. Optionally enable "Display key names when authorizing connections"

2. Create the Socket Symlink (Recommended)

1Password's actual socket path is unwieldy. Create a symlink:

mkdir -p ~/.1password
ln -sf "$HOME/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock" ~/.1password/agent.sock

3. Configure SSH_AUTH_SOCK Globally for launchd

This is the critical step that makes Docker Desktop work with 1Password:

launchctl setenv SSH_AUTH_SOCK "$HOME/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"

Note: This must be run after every macOS restart, or you can add it to your login items. See 1Password's documentation for making it persistent.

4. Restart Docker Desktop

Quit Docker Desktop completely and reopen it. It will now pick up the SSH_AUTH_SOCK environment variable.

5. Verify Host Setup

# Should list your 1Password SSH keys
ssh-add -l

# Should also list your keys (proves Docker can see them)
docker run --rm -it \
  -v /run/host-services/ssh-auth.sock:/run/host-services/ssh-auth.sock \
  -e SSH_AUTH_SOCK=/run/host-services/ssh-auth.sock \
  alpine:latest sh -c "apk add --no-cache openssh-client && ssh-add -l"

Devcontainer Configuration (macOS)

devcontainer.json

{
  "name": "Your Project",
  "dockerComposeFile": "docker-compose.yml",
  "service": "app",
  "workspaceFolder": "/workspace",
  
  "mounts": [
    "source=/run/host-services/ssh-auth.sock,target=/run/host-services/ssh-auth.sock,type=bind"
  ],
  
  "remoteEnv": {
    "SSH_AUTH_SOCK": "/run/host-services/ssh-auth.sock"
  }
}

Tip: If you use the cross-platform setup (recommended), the remoteEnv path should be /tmp/ssh-agent-stable.sock instead, since the setup-ssh-agent.sh script creates a stable symlink there.

Alternative: docker-compose.yml

services:
  app:
    volumes:
      - /run/host-services/ssh-auth.sock:/run/host-services/ssh-auth.sock:ro
    environment:
      - SSH_AUTH_SOCK=/run/host-services/ssh-auth.sock

Linux Setup (Native Docker)

Why Linux is Easier

On Linux with native Docker (not Docker Desktop), you can directly mount Unix sockets from the host into containers.

Host Setup

1. Enable 1Password SSH Agent

  1. Open 1Password → SettingsDeveloper
  2. Check "Use the SSH agent"

2. Configure Your Shell

Add to ~/.bashrc or ~/.zshrc:

export SSH_AUTH_SOCK=~/.1password/agent.sock

Then reload:

source ~/.bashrc  # or ~/.zshrc

3. Verify Host Setup

# Should list your 1Password SSH keys
ssh-add -l

Devcontainer Configuration (Linux)

devcontainer.json

{
  "name": "Your Project",
  "dockerComposeFile": "docker-compose.yml",
  "service": "app",
  "workspaceFolder": "/workspace",
  
  "mounts": [
    "source=${localEnv:HOME}/.1password/agent.sock,target=/home/vscode/.1password/agent.sock,type=bind"
  ],
  
  "remoteEnv": {
    "SSH_AUTH_SOCK": "/home/vscode/.1password/agent.sock"
  }
}

Tip: If you use the cross-platform setup (recommended), the remoteEnv path should be /tmp/ssh-agent-stable.sock instead, since the setup-ssh-agent.sh script creates a stable symlink there.

Alternative: docker-compose.yml

services:
  app:
    volumes:
      - ${HOME}/.1password/agent.sock:/home/vscode/.1password/agent.sock:ro
    environment:
      - SSH_AUTH_SOCK=/home/vscode/.1password/agent.sock

Windows Setup (WSL2 + Docker Desktop)

Why Windows is Complex

1Password on Windows uses a Windows named pipe (\\.\pipe\openssh-ssh-agent), not a Unix socket. WSL2 and Docker containers need a Unix socket. You must bridge between them using npiperelay and socat.

Host Setup

1. Enable 1Password SSH Agent (Windows Side)

  1. Open 1Password → SettingsDeveloper
  2. Check "Use the SSH agent"
  3. Important: Disable the Windows OpenSSH Agent service to avoid conflicts: 
    # Run in PowerShell as Administrator
Stop-Service ssh-agent
Set-Service ssh-agent -StartupType Disabled

2. Verify Windows Side

# In PowerShell (not WSL), should list your keys
ssh-add -l

3. Install npiperelay (Windows Side)

The npiperelay tool bridges Windows named pipes to WSL2. Install it using PowerShell:

# Run in PowerShell (as Administrator recommended)

# Create bin directory
mkdir $env:USERPROFILE\bin -Force

# Download and extract npiperelay
cd $env:USERPROFILE\bin
Invoke-WebRequest -Uri "https://github.com/jstarks/npiperelay/releases/download/v0.1.0/npiperelay_windows_amd64.zip" -OutFile "npiperelay.zip"
Expand-Archive npiperelay.zip -DestinationPath . -Force

# Add to PATH permanently
[Environment]::SetEnvironmentVariable("PATH", "$env:PATH;$env:USERPROFILE\bin", "User")

# Verify installation
.\npiperelay.exe -h

Note: winget install jstarks.npiperelay and scoop install npiperelay may not work reliably. The manual download method above is recommended.

4. Install socat (WSL2 Side)

# In WSL2
sudo apt update && sudo apt install -y socat

5. Verify npiperelay is accessible from WSL2

Before configuring the bridge, verify WSL2 can access the Windows binary:

# Replace YOUR_WINDOWS_USERNAME with your actual Windows username
/mnt/c/Users/YOUR_WINDOWS_USERNAME/bin/npiperelay.exe -h

You should see the npiperelay help output.

6. Configure the SSH Agent Bridge

Add the following to your ~/.bashrc or ~/.zshrc:

# 1Password SSH Agent relay from Windows
# IMPORTANT: Replace YOUR_WINDOWS_USERNAME with your actual Windows username
export SSH_AUTH_SOCK="$HOME/.ssh/agent.sock"

if ! ss -a 2>/dev/null | grep -q "$SSH_AUTH_SOCK"; then
    rm -f "$SSH_AUTH_SOCK"
    (setsid socat UNIX-LISTEN:"$SSH_AUTH_SOCK",fork EXEC:"/mnt/c/Users/YOUR_WINDOWS_USERNAME/bin/npiperelay.exe -ei -s //./pipe/openssh-ssh-agent",nofork &) >/dev/null 2>&1
fi

Important: You must use the full path to npiperelay.exe (e.g., /mnt/c/Users/billb/bin/npiperelay.exe) because Windows executables are not in WSL2's PATH by default.

7. Verify WSL2 Setup

Open a new terminal (or run source ~/.zshrc / source ~/.bashrc), then:

# Should list your 1Password SSH keys
ssh-add -l

# Should authenticate successfully
ssh -T git@github.com

Alternative: Use systemd (if WSL has systemd enabled)

Create ~/.config/systemd/user/1password-ssh-agent.service:

[Unit]
Description=1Password SSH Agent Bridge

[Service]
Type=simple
ExecStartPre=/bin/rm -f %h/.ssh/agent.sock
ExecStart=/usr/bin/socat UNIX-LISTEN:%h/.ssh/agent.sock,fork EXEC:"/mnt/c/Users/YOUR_WINDOWS_USERNAME/bin/npiperelay.exe -ei -s //./pipe/openssh-ssh-agent",nofork
Restart=always

[Install]
WantedBy=default.target

Enable it:

systemctl --user daemon-reload
systemctl --user enable --now 1password-ssh-agent.service

Devcontainer Configuration (Windows/WSL2)

The socket is now available in WSL2 at ~/.ssh/agent.sock.

devcontainer.json

{
  "name": "Your Project",
  "dockerComposeFile": "docker-compose.yml",
  "service": "app",
  "workspaceFolder": "/workspace",

  "mounts": [
    "source=${localEnv:HOME}/.ssh/agent.sock,target=/home/vscode/.ssh/agent.sock,type=bind"
  ],

  "remoteEnv": {
    "SSH_AUTH_SOCK": "/home/vscode/.ssh/agent.sock"
  }
}

Tip: If you use the cross-platform setup (recommended), the remoteEnv path should be /tmp/ssh-agent-stable.sock instead, since the setup-ssh-agent.sh script creates a stable symlink there.

Git Configuration (All Platforms)

Inside the Devcontainer

After the container starts, configure Git for SSH signing:

# Get your public key from the agent
SIGNING_KEY=$(ssh-add -L | head -1)

# Configure git
git config --global gpg.format ssh
git config --global user.signingkey "$SIGNING_KEY"
git config --global commit.gpgsign true
git config --global tag.gpgsign true

Important: Remove op-ssh-sign from .gitconfig

If you previously configured 1Password on the host, your ~/.gitconfig may contain:

[gpg "ssh"]
    program = "/path/to/op-ssh-sign"

Remove or comment out this section. The op-ssh-sign binary doesn't exist inside the container, and it's not needed when using agent forwarding.

Verification

After rebuilding your devcontainer, verify everything works:

# 1. Check agent has keys
ssh-add -l
# Expected: Lists your SSH key(s)

# 2. Test SSH connection to GitHub
ssh -T git@github.com
# Expected: "Hi username! You've successfully authenticated..."
# 1Password should prompt you to authorize

# 3. Check git config
git config --get gpg.format
# Expected: ssh

git config --get user.signingkey
# Expected: Your public key

# 4. Test a signed commit
git commit --allow-empty -m "test: verify SSH signing"
git log --show-signature -1
# Expected: Shows "Good signature"

Troubleshooting

"The agent has no identities"

  • All platforms: Make sure 1Password is unlocked
  • All platforms: Check that your SSH key is enabled for the agent in 1Password (Key settings → "Use for SSH agent")
  • macOS: Did you run launchctl setenv? Did you restart Docker Desktop afterward?
  • Windows: Is the Windows OpenSSH Agent service disabled? (It conflicts with 1Password)

"Error connecting to agent: Connection refused" or "communication with agent failed"

  • macOS: The direct socket mount doesn't work. Use /run/host-services/ssh-auth.sock instead
  • Windows: The npiperelay bridge may not be running. Check with ps aux | grep socat
  • Windows: Verify npiperelay.exe path is correct: /mnt/c/Users/YOUR_USERNAME/bin/npiperelay.exe -h
  • Windows: Make sure you're using the full path to npiperelay.exe in your shell config (not just npiperelay.exe)
  • Linux: Check socket permissions: ls -la ~/.1password/agent.sock

"Couldn't get agent socket?" when committing via the IDE UI

SSH signing works in the terminal but the IDE's commit button fails:

error: Couldn't get agent socket?
fatal: failed to write commit object

This means the IDE's Source Control panel doesn't have SSH_AUTH_SOCK set. The SCM panel runs git in a non-interactive process that doesn't source .bashrc or .zshrc.

Fix: Ensure your devcontainer.json has remoteEnv set:

"remoteEnv": {
  "SSH_AUTH_SOCK": "/tmp/ssh-agent-stable.sock"
}

And that setup-ssh-agent.sh creates the stable symlink (see Cross-Platform Setup). After making these changes, rebuild the devcontainer.

Quick workaround: Commit from the integrated terminal instead of the UI commit button — the terminal has SSH_AUTH_SOCK set correctly.

"No such file or directory" for agent socket

  • Rebuild the devcontainer after adding the mount configuration
  • macOS: Make sure you're mounting /run/host-services/ssh-auth.sock, not the 1Password socket directly

Git commit fails with "cannot run op-ssh-sign"

Your .gitconfig has the [gpg "ssh"] program setting. Remove it — it's not needed with agent forwarding and the binary doesn't exist in the container.

1Password doesn't prompt for authorization

  • Check that "Require approval for each new application" is enabled in 1Password SSH agent settings
  • Try locking and unlocking 1Password

Cross-Platform Devcontainer Setup (Recommended)

Bind mounts in devcontainer.json (type=bind) fail if the source path doesn't exist on the host. This means you can't simply list all possible socket paths — the container won't start for users who don't have 1Password configured.

The solution uses initializeCommand (which runs on the host before container creation) to detect available sockets and dynamically generate a docker-compose override file. Users without 1Password get an empty override — no mount attempted, nothing breaks.

devcontainer.json

{
  "dockerComposeFile": ["docker-compose.yml", "docker-compose.ssh.yml"],

  "initializeCommand": ".devcontainer/init-ssh.sh",

  "postStartCommand": ".devcontainer/setup-ssh-agent.sh",

  "remoteEnv": {
    "SSH_AUTH_SOCK": "/tmp/ssh-agent-stable.sock"
  }
}

Why remoteEnv? The postStartCommand script detects the correct socket and creates a symlink at /tmp/ssh-agent-stable.sock. The remoteEnv setting ensures the IDE's own processes (including the Source Control panel's git operations) have SSH_AUTH_SOCK set — something that shell rc files alone cannot accomplish, since the IDE doesn't source .bashrc.

Important: Add docker-compose.ssh.yml to your .gitignore — it is generated and host-specific.

.devcontainer/init-ssh.sh (runs on HOST)

#!/bin/bash
# Runs on the HOST via devcontainer initializeCommand.
# Detects SSH agent sockets and generates a docker-compose override
# with the appropriate volume mount. If no socket is found, generates
# an empty override so the container starts without SSH agent forwarding.

COMPOSE_FILE=".devcontainer/docker-compose.ssh.yml"

write_compose() {
  local volume_entry="$1"
  cat > "$COMPOSE_FILE" << EOF
# Generated by init-ssh.sh — do not edit or commit
services:
  elixir:
    volumes:
      - ${volume_entry}
EOF
}

write_empty() {
  cat > "$COMPOSE_FILE" << 'EOF'
# Generated by init-ssh.sh — no SSH agent socket detected on host
services:
  elixir: {}
EOF
}

case "$(uname -s)" in
  Darwin)
    # macOS: Docker Desktop provides a magic socket inside the VM.
    write_compose "/run/host-services/ssh-auth.sock:/run/host-services/ssh-auth.sock"
    ;;
  Linux)
    if [ -S "${HOME}/.ssh/agent.sock" ]; then
      # WSL2 with npiperelay/socat bridge to Windows 1Password
      write_compose "${HOME}/.ssh/agent.sock:/home/vscode/.ssh/agent.sock"
    elif [ -S "${HOME}/.1password/agent.sock" ]; then
      # Native Linux with 1Password
      write_compose "${HOME}/.1password/agent.sock:/home/vscode/.1password/agent.sock"
    else
      write_empty
    fi
    ;;
  *)
    write_empty
    ;;
esac

The setup-ssh-agent.sh script (which runs inside the container via postStartCommand) remains unchanged — it detects which socket was actually mounted and configures SSH_AUTH_SOCK and Git signing accordingly.

Why this works: initializeCommand runs on the host where it can check for real socket files. The generated compose override either includes the volume mount (socket exists) or is a no-op (socket missing). The container always starts successfully regardless of whether the user has 1Password configured.

References

Contributing

Found an issue or have an improvement? This guide is maintained as a Gist. Please leave a comment or suggest edits!

Last updated: March 2026

Raw
LICENSE
MIT License
Copyright (c) 2026 Bill Barnett
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
Raw
setup-ssh-agent.sh
#!/bin/bash
# shellcheck shell=bash
# Setup SSH agent for 1Password in devcontainer
# Supports macOS (Docker Desktop), Linux (native Docker), and Windows (WSL2)
set -e
# Script version
SCRIPT_VERSION="1.0.0"
# Show usage information
show_help() {
cat << EOF
Usage: $(basename "$0") [OPTIONS]
Setup SSH agent for 1Password in devcontainers.
Detects and configures the appropriate SSH agent socket for macOS (Docker Desktop),
Linux (native Docker), and Windows (WSL2).
OPTIONS:
-h, --help Show this help message and exit
-v, --version Show version information and exit
ENVIRONMENT:
SSH_AUTH_SOCK Will be set to the detected socket path
HOME Used to determine user home directory
EXAMPLES:
$(basename "$0") # Run setup
source ~/.ssh-agent-env # Load the configured SSH_AUTH_SOCK
For more information, see: https://github.com/agilous/1password-ssh-devcontainer-guide
EOF
}
# Show version
show_version() {
echo "setup-ssh-agent.sh version $SCRIPT_VERSION"
}
# Parse command line arguments
parse_args() {
while [[ $# -gt 0 ]]; do
case "$1" in
-h|--help)
show_help
exit 0
;;
-v|--version)
show_version
exit 0
;;
*)
echo "Unknown option: $1" >&2
echo "Use --help for usage information." >&2
exit 1
;;
esac
shift
done
}
# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color
log_info() { echo -e "${GREEN}[INFO]${NC} $1"; }
log_warn() { echo -e "${YELLOW}[WARN]${NC} $1"; }
log_error() { echo -e "${RED}[ERROR]${NC} $1"; }
# Portable stat function for getting file permissions
# Returns octal permissions (e.g., 644, 755)
get_file_perms() {
local file="$1"
if [[ "$(uname -s)" == "Darwin" ]]; then
stat -f '%Lp' "$file" 2>/dev/null
else
stat -c '%a' "$file" 2>/dev/null
fi
}
# Portable stat function for getting file group
get_file_group() {
local file="$1"
if [[ "$(uname -s)" == "Darwin" ]]; then
stat -f '%Sg' "$file" 2>/dev/null
else
stat -c '%G' "$file" 2>/dev/null
fi
}
# Get current username
get_current_user() {
whoami
}
# Possible SSH agent socket locations (checked in order of priority)
#
# 1. Docker Desktop magic socket (macOS + Docker Desktop)
# This is the ONLY method that works on macOS with Docker Desktop.
# Direct socket mounts fail because Docker runs in a VM.
DOCKER_DESKTOP_SOCK="/run/host-services/ssh-auth.sock"
# 2. Direct mount from host - Linux native Docker
# These work when the host socket is directly mounted into the container.
# Note: We use $HOME instead of hardcoded /home/vscode to support any user
ONEPASSWORD_SOCK="${HOME}/.1password/agent.sock"
# 3. Direct mount from host - Windows/WSL2
# Windows uses a different socket path via npiperelay bridge
WSL2_SSH_SOCK="${HOME}/.ssh/agent.sock"
# 4. VS Code's forwarded SSH agent (fallback)
# VS Code sometimes creates its own forwarded socket.
VSCODE_SSH_SOCK=$(ls /tmp/vscode-ssh-auth-*.sock 2>/dev/null | head -1)
setup_ssh_agent() {
# Check for Docker Desktop magic socket (macOS with Docker Desktop)
# This must be checked FIRST because on macOS, the direct mount paths
# may appear to exist but won't actually work.
if [ -S "$DOCKER_DESKTOP_SOCK" ]; then
export SSH_AUTH_SOCK="$DOCKER_DESKTOP_SOCK"
log_info "Using Docker Desktop SSH agent forwarding at $DOCKER_DESKTOP_SOCK"
# Check for 1Password socket (mounted from host - Linux native Docker)
elif [ -S "$ONEPASSWORD_SOCK" ]; then
export SSH_AUTH_SOCK="$ONEPASSWORD_SOCK"
log_info "Using 1Password SSH agent at $ONEPASSWORD_SOCK"
# Check for WSL2 socket (mounted from host - Windows/WSL2)
elif [ -S "$WSL2_SSH_SOCK" ]; then
export SSH_AUTH_SOCK="$WSL2_SSH_SOCK"
log_info "Using WSL2 SSH agent bridge at $WSL2_SSH_SOCK"
# Fallback to VS Code's forwarded agent
elif [ -S "$VSCODE_SSH_SOCK" ]; then
export SSH_AUTH_SOCK="$VSCODE_SSH_SOCK"
log_warn "1Password socket not found, using VS Code SSH agent forwarding"
log_warn "For 1Password support, ensure your host SSH_AUTH_SOCK points to 1Password"
else
log_error "No SSH agent socket found!"
log_error ""
log_error "To use 1Password SSH agent, configure your host machine:"
log_error ""
log_error " macOS (Docker Desktop):"
log_error " 1. Enable SSH agent in 1Password Settings > Developer"
log_error " 2. Run: launchctl setenv SSH_AUTH_SOCK \"\$HOME/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock\""
log_error " 3. Restart Docker Desktop"
log_error " 4. Rebuild the devcontainer"
log_error ""
log_error " Linux (native Docker):"
log_error " 1. Enable SSH agent in 1Password Settings > Developer"
log_error " 2. Add to ~/.bashrc or ~/.zshrc:"
log_error " export SSH_AUTH_SOCK=~/.1password/agent.sock"
log_error " 3. Rebuild the devcontainer"
log_error ""
log_error " Windows (WSL2):"
log_error " 1. Enable SSH agent in 1Password Settings > Developer"
log_error " 2. Install npiperelay on Windows:"
log_error " - Download from https://github.com/jstarks/npiperelay/releases"
log_error " - Extract to C:\\Users\\USERNAME\\bin\\"
log_error " 3. Install socat in WSL: sudo apt install socat"
log_error " 4. Add to ~/.bashrc or ~/.zshrc:"
log_error " export SSH_AUTH_SOCK=\"\$HOME/.ssh/agent.sock\""
log_error " if ! ss -a 2>/dev/null | grep -q \"\$SSH_AUTH_SOCK\"; then"
log_error " rm -f \"\$SSH_AUTH_SOCK\""
log_error " (setsid socat UNIX-LISTEN:\"\$SSH_AUTH_SOCK\",fork \\"
log_error " EXEC:\"/mnt/c/Users/USERNAME/bin/npiperelay.exe -ei -s //./pipe/openssh-ssh-agent\",nofork &)"
log_error " fi"
log_error " 5. Use full path to npiperelay.exe (not just the filename)"
log_warn "Continuing without SSH agent; Git SSH signing will not be auto-configured."
return 0
fi
# Verify agent has identities
if ssh-add -l &>/dev/null; then
local key_count=$(ssh-add -l | wc -l)
log_info "SSH agent has $key_count key(s) available"
# Configure git to use SSH signing if keys are available
if command -v git &>/dev/null; then
SIGNING_KEY=$(ssh-add -L 2>/dev/null | head -1)
if [ -n "$SIGNING_KEY" ]; then
git config --global gpg.format ssh
git config --global user.signingkey "$SIGNING_KEY"
git config --global commit.gpgsign true
git config --global tag.gpgsign true
log_info "Git configured for SSH commit signing"
fi
fi
else
log_warn "SSH agent is available but has no identities"
log_warn "Make sure 1Password is unlocked and SSH keys are available"
fi
}
# Write SSH_AUTH_SOCK to a file that can be sourced by shells
write_env_file() {
# Create a stable symlink so remoteEnv in devcontainer.json always works.
# The IDE's SCM panel (commit button) runs git in a non-interactive process
# that doesn't source shell rc files, so it needs SSH_AUTH_SOCK set via
# remoteEnv — which requires a fixed, predictable path.
STABLE_SOCK="/tmp/ssh-agent-stable.sock"
ln -sf "$SSH_AUTH_SOCK" "$STABLE_SOCK"
export SSH_AUTH_SOCK="$STABLE_SOCK"
local env_file="${HOME}/.ssh-agent-env"
echo "export SSH_AUTH_SOCK=\"${STABLE_SOCK}\"" > "$env_file"
log_info "SSH agent config written to $env_file"
log_info "Add 'source ~/.ssh-agent-env' to your shell rc file if needed"
}
# Fix permissions for SSH agent socket access
fix_socket_permissions() {
local current_user
current_user=$(get_current_user)
# Docker Desktop magic socket (macOS) - chmod directly since it's recreated on each Docker start
if [ -S "$DOCKER_DESKTOP_SOCK" ]; then
local socket_perms
socket_perms=$(get_file_perms "$DOCKER_DESKTOP_SOCK")
if [ "$socket_perms" != "660" ] && [ "$socket_perms" != "666" ] && [ "$socket_perms" != "777" ]; then
log_info "Fixing permissions on Docker Desktop SSH socket..."
sudo chmod 660 "$DOCKER_DESKTOP_SOCK" 2>/dev/null || {
log_warn "Could not fix socket permissions. You may need to run:"
log_warn " sudo chmod 660 $DOCKER_DESKTOP_SOCK"
}
fi
fi
# Direct socket mounts (Linux) - add user to root group
if [ -S "$ONEPASSWORD_SOCK" ]; then
# Check if socket is owned by root group and we're not in it
local socket_group
socket_group=$(get_file_group "$ONEPASSWORD_SOCK")
if [ "$socket_group" = "root" ] && ! id -nG | grep -qw root; then
log_info "Adding $current_user to root group for 1Password socket access..."
sudo usermod -aG root "$current_user" 2>/dev/null || true
log_info "Group membership updated (takes effect in new terminal sessions)"
fi
fi
# WSL2 socket mounts - add user to root group if needed
if [ -S "$WSL2_SSH_SOCK" ]; then
local socket_group
socket_group=$(get_file_group "$WSL2_SSH_SOCK")
if [ "$socket_group" = "root" ] && ! id -nG | grep -qw root; then
log_info "Adding $current_user to root group for WSL2 socket access..."
sudo usermod -aG root "$current_user" 2>/dev/null || true
log_info "Group membership updated (takes effect in new terminal sessions)"
fi
fi
}
# Main
main() {
# Parse arguments first (handles --help, --version)
parse_args "$@"
log_info "Setting up SSH agent for devcontainer..."
# Create .1password directory if it doesn't exist (for mount point)
mkdir -p "${HOME}/.1password" 2>/dev/null || true
fix_socket_permissions
setup_ssh_agent
write_env_file
echo ""
log_info "SSH agent setup complete!"
}
main "$@"
@ryantullis
Copy link
Copy Markdown

ryantullis commented Mar 31, 2026

great write up, thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment