minimal-setups/content/snippets/0280-secure-enclave-on-mac.md
Wolfgang Hottgenroth 318cbbd915
secure enclave
2025-05-12 20:01:16 +02:00

SSH Keys in Secure Enclave on Mac

The Secure Enclave on the Mac is a hardware security component that generates, holds and uses keys. A key generated in the Secure Enclave cannot be read or copied; it can only be used. This is comparable to keys on OpenPGP cards or YubiKeys.

Secretive

https://github.com/maxgoedjen/secretive is a tool that generates keys in the Secure Enclave and acts as an SSH agent, which is very important for agent forwarding (using a key on a server you logged into with that key).

It can be installed via brew:

brew install --cask secretive

After installation, run it and add the snippets it proposes to ~/.ssh/config and ~/.bashrc (or the rc file of your shell):

~/.ssh/config

Host *
  IdentityAgent /Users/wn/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/socket.ssh

~/.bashrc

SSH_AUTH_SOCK=/Users/wn/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/socket.ssh
export SSH_AUTH_SOCK

(Obviously, use the right username.)

It worked out of the box for me!

Git Signing using the Key

This was also just a few lines in the ~/.gitconfig:

~/.gitconfig

[user]
        name = Wolfgang Hottgenroth
        email = wolfgang.hottgenroth@icloud.com
        signingkey = /Users/wn/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/PublicKeys/0ca69636d28c45bc99e4ac5b40785e8c.pub
[gpg]
        format = ssh
[commit]
        gpgsign = true
[gpg "ssh"]
        allowedSignersFile = /Users/wn/.ssh/allowed_signers

To verify signatures locally using git log --show-signature, the allowed_signers file named in the last line above is required.

Each line of it holds an email address followed by the public SSH key.

That's it!

I've added the key to my local Gitea instance. Cloning via SSH worked immediately, as expected. The verification of commits was only shown after verifying the key on the keys page in the settings. Just one command line:

echo -n 'a-long-token-presented-to-you-by-gitea' | ssh-keygen -Y sign -n gitea -f /path_to_PrivateKey_or_RelatedPublicKey

Don't be confused or scared: you list the path of the public key as user.signingkey, but of course the public key itself is not used for signing. It only identifies the matching private key in the Secure Enclave, which does the actual signing.
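As an added example (not part of the original snippet), the following script shows the allowed_signers line format described above and the namespace-bound verification that both the Gitea token check (-n gitea) and git commit signing (-n git) rely on. It uses a throwaway ed25519 file key because a Secure Enclave key cannot be created outside macOS; the email address and token are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original snippet: the allowed_signers format and
# namespace-bound SSH signature verification, using a throwaway ed25519 file
# key (a Secure Enclave key only exists on macOS; ssh-keygen treats both alike).
set -eu
command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen is required" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
EMAIL="alice@example.invalid"   # constructed identity, not the page author's
KEY="$WORK/id_ed25519"          # with Secretive, -f would point at the .pub file

# Throwaway key pair, generated non-interactively.
ssh-keygen -q -t ed25519 -N '' -C "$EMAIL" -f "$KEY"

# allowed_signers needs one line per signer: "<principal> <key-type> <base64-key>".
# The comment field of the .pub file is dropped on purpose.
write_allowed_signers() {
  printf '%s %s\n' "$EMAIL" "$(cut -d' ' -f1,2 "$KEY.pub")" > "$WORK/allowed_signers"
}

# Sign data read from stdin under a namespace; Gitea asks for "gitea", git uses "git".
sign_token() {  # $1 token, $2 namespace, $3 signature output file
  printf '%s' "$1" | ssh-keygen -Y sign -q -n "$2" -f "$KEY" > "$3"
}

# Verify against allowed_signers; prints "ok" or "fail" instead of exiting.
verify_token() {  # $1 token, $2 namespace, $3 signature file
  if printf '%s' "$1" | ssh-keygen -Y verify -q -f "$WORK/allowed_signers" \
       -I "$EMAIL" -n "$2" -s "$3" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

write_allowed_signers
TOKEN="constructed-token-standing-in-for-the-one-gitea-shows"
sign_token "$TOKEN" gitea "$WORK/token.sig"
verify_token "$TOKEN" gitea "$WORK/token.sig"    # ok
verify_token "$TOKEN" git "$WORK/token.sig"      # fail: signature is bound to its namespace
verify_token "tampered" gitea "$WORK/token.sig"  # fail: signed data changed
```

The second and third checks are the point: a signature made for one namespace does not verify under another, and any change to the signed data invalidates it.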