secure enclave

This commit is contained in:
2025-05-12 20:01:16 +02:00
parent 74ea8e6ab8
commit 318cbbd915

<!--
title: SSH Keys in Secure Enclave on Mac
date: 2025-05-12
-->
# SSH Keys in Secure Enclave on Mac
The Secure Enclave in a Mac is a hardware security coprocessor that generates, holds and uses cryptographic keys. A key generated in the Secure Enclave cannot be read or copied out; it can only be used, by asking the Enclave to sign with it. This is comparable to keys on OpenPGP cards or YubiKeys. One caveat: the Secure Enclave only supports the NIST P-256 curve, so the resulting SSH keys are of type `ecdsa-sha2-nistp256`, and the servers you log in to have to accept that key type.
## Secretive
[https://github.com/maxgoedjen/secretive](https://github.com/maxgoedjen/secretive) is a tool that generates keys in the Secure Enclave and acts as an SSH agent. The agent is what makes agent forwarding work (using the key from a server you logged in to with that key): the private key never leaves the Mac, the remote `ssh` just forwards signing requests back to the local agent. A key can also be configured in Secretive to require Touch ID or the password on every use.
It can be installed via brew:
```
brew install --cask secretive
```
After installation, run it and add the snippets it proposes to `~/.ssh/config` and to `~/.bashrc` (or the rc file of your shell):
*`~/.ssh/config`*
```
Host *
IdentityAgent /Users/wn/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/socket.ssh
```
*`~/.bashrc`*
```
SSH_AUTH_SOCK=/Users/wn/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/socket.ssh
export SSH_AUTH_SOCK
```
(Obviously, use the right username.)
It worked out of the box for me!
## Git Signing using the Key
This was also just a few lines in the `~/.gitconfig`:
*`~/.gitconfig`*
```
[user]
name = Wolfgang Hottgenroth
email = wolfgang.hottgenroth@icloud.com
signingkey = /Users/wn/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/PublicKeys/0ca69636d28c45bc99e4ac5b40785e8c.pub
[gpg]
format = ssh
[commit]
gpgsign = true
[gpg "ssh"]
allowedSignersFile = /Users/wn/.ssh/allowed_signers
```
To verify signatures locally with `git log --show-signature`, the `allowed_signers` file named in the last line above is required.
Each line holds the principal (git uses the committer's email address), followed by the public SSH key in the same `key-type base64-key` form as in the `.pub` file. An optional `namespaces="git"` token between the two restricts that key to git signatures, so a signature made for another purpose (such as the Gitea token below, which is signed in the `gitea` namespace) is not accepted as a commit signature.
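As an added example (not the author's, Secretive's or git's code), here is a small parser for the `allowed_signers` format together with the lookup git conceptually performs when it maps a committer email to a key in that file. The key blob and the sample file are constructed, the principal patterns are matched with shell-style wildcards as ssh-keygen does, and the cryptographic verification itself is still the job of `ssh-keygen -Y verify`, which this code does not replace:

```python
# Parser and lookup for an OpenSSH allowed_signers file (what git's
# gpg.ssh.allowedSignersFile points at). Added example, not Secretive's or
# git's code; the key blob and sample file below are constructed.
import base64
import fnmatch
import struct
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

@dataclass
class AllowedSigner:
    principals: List[str]                   # patterns matched against the committer email
    key_type: str                           # "ecdsa-sha2-nistp256" for Secure Enclave keys
    key_b64: str                            # base64 wire blob as written in the file
    namespaces: Optional[List[str]] = None  # None: valid for any signing namespace
    valid_after: Optional[datetime] = None
    valid_before: Optional[datetime] = None

def _parse_time(s: str) -> datetime:
    # ssh-keygen accepts YYYYMMDD[HHMM[SS]][Z]; everything is treated as UTC here.
    s = s.rstrip("Z")
    fmt = {8: "%Y%m%d", 12: "%Y%m%d%H%M", 14: "%Y%m%d%H%M%S"}[len(s)]
    return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)

def parse_allowed_signers(text: str) -> List[AllowedSigner]:
    """One entry per line of: principals [options] key-type base64-key [comment]."""
    signers = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        opts, i = {}, 1
        while i < len(fields) and not fields[i].startswith(("ssh-", "ecdsa-", "sk-")):
            name, _, value = fields[i].partition("=")
            if name == "namespaces":
                opts["namespaces"] = value.strip('"').split(",")
            elif name in ("valid-after", "valid-before"):
                opts[name.replace("-", "_")] = _parse_time(value.strip('"'))
            elif name != "cert-authority":
                raise ValueError(f"line {lineno}: unknown option {fields[i]!r}")
            i += 1
        if i + 1 >= len(fields):
            raise ValueError(f"line {lineno}: missing key type or key")
        key_type, key_b64 = fields[i], fields[i + 1]
        # An SSH key blob starts with string(key-type); comparing it with the
        # declared type catches a line whose type and key material do not match.
        blob = base64.b64decode(key_b64, validate=True)
        n = struct.unpack(">I", blob[:4])[0]
        if blob[4:4 + n] != key_type.encode():
            raise ValueError(f"line {lineno}: key blob is not a {key_type} key")
        signers.append(AllowedSigner(fields[0].split(","), key_type, key_b64, **opts))
    return signers

def find_signer(signers, principal, namespace="git", now=None):
    """Entry that lets `principal` sign in `namespace`, or None. git signs commits
    in the "git" namespace; the Gitea token above was signed with -n gitea."""
    now = now or datetime.now(timezone.utc)
    for s in signers:
        if not any(fnmatch.fnmatchcase(principal, p) for p in s.principals):
            continue
        if s.namespaces is not None and namespace not in s.namespaces:
            continue
        if (s.valid_after and now < s.valid_after) or (s.valid_before and now > s.valid_before):
            continue
        return s
    return None

def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

# Constructed ecdsa-sha2-nistp256 blob, string(type) string(curve) string(Q);
# Q is a placeholder byte pattern, not a real curve point.
SAMPLE_KEY_B64 = base64.b64encode(_ssh_string(b"ecdsa-sha2-nistp256") + _ssh_string(b"nistp256")
                                  + _ssh_string(b"\x04" + bytes(range(1, 65)))).decode()

# Constructed file: the author's key limited to git commit signing, plus a
# wildcard entry that expired at the start of 2024.
SAMPLE_ALLOWED_SIGNERS = f"""\
wolfgang.hottgenroth@icloud.com namespaces="git" ecdsa-sha2-nistp256 {SAMPLE_KEY_B64} secretive
*@example.org valid-before="20240101" ecdsa-sha2-nistp256 {SAMPLE_KEY_B64}
"""

def demo() -> dict:
    signers = parse_allowed_signers(SAMPLE_ALLOWED_SIGNERS)
    me, alice = "wolfgang.hottgenroth@icloud.com", "alice@example.org"
    try:  # a line claiming ssh-ed25519 but carrying the P-256 blob is rejected
        parse_allowed_signers(f"x@example.org ssh-ed25519 {SAMPLE_KEY_B64}")
        mismatch_rejected = False
    except ValueError:
        mismatch_rejected = True
    return {
        "entries": len(signers),
        "git_ok": find_signer(signers, me, "git") is not None,
        "gitea_namespace_refused": find_signer(signers, me, "gitea") is None,
        "wildcard_before_expiry": find_signer(signers, alice, now=datetime(2023, 6, 1, tzinfo=timezone.utc)) is not None,
        "wildcard_after_expiry": find_signer(signers, alice, now=datetime(2025, 5, 12, tzinfo=timezone.utc)) is None,
        "mismatch_rejected": mismatch_rejected,
    }
```

`demo()` shows the three things that decide whether `git log --show-signature` reports a commit as good: the principal must match the committer email, the namespace must be allowed (a key limited to `git` does not verify a `gitea` signature), and the entry must be within its validity window. The key-type check on the blob is extra: it refuses a line where the declared type and the pasted key material disagree, which is the usual copy-and-paste mistake when assembling the file by hand.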
That's it!
I've added the key to my local Gitea instance. Cloning via SSH worked immediately, as expected. Commits were only shown as verified after I verified the key on the SSH keys page in the settings, which takes just one command line:
```
echo -n 'a-long-token-presented-to-you-by-gitea' | ssh-keygen -Y sign -n gitea -f /path_to_PrivateKey_or_RelatedPublicKey
```
Don't be confused or scared: `user.signingkey` names the path of the public key, but obviously the public key is not what signs. Git hands it to `ssh-keygen -Y sign`, which, when given a public key file, asks the agent at `SSH_AUTH_SOCK` to produce the signature; Secretive then uses the matching private key inside the Secure Enclave. The same applies to the `-f` argument of the Gitea command above. The private key never leaves the Enclave.