iTranslated by AI

The content below is an AI-generated translation. This is an experimental feature, and may contain errors. View original article
🔑

Easily Store Git Authentication/Signing Keys in the Secure Enclave with Secretive [macOS]

に公開
Git
Security
macOS
SSH
crypto
tech

With the recent increase in supply chain attacks, signing Git commits has become a fundamental security best practice. The challenge, however, lies in where to store the private key used for these signatures.

Technically, you could sign with a passwordless SSH key, but if a malicious program reads your private key, every signature you have ever created becomes meaningless. On the other hand, being forced to type a secure, long password for every commit or push is cumbersome and significantly reduces development motivation.

While you could use password managers like 1Password to act as an SSH agent for signing and authentication, this adds risks by syncing unnecessary data and often comes with limitations, such as requiring a paid plan.

This is where Secretive comes in.
https://github.com/maxgoedjen/secretive

TL;DR

Install Secretive, follow the on-screen instructions to set the SSH_AUTH_SOCK environment variable, generate a key, and then add the following settings to your configuration files using an editor of your choice.

~/.gitconfig 

[gpg]
	format = ssh
[commit]
	gpgsign = true

[user]
	name = <name>
	email = <email>
        # >>> Use the public key retrieved via ssh-add -L *after* setting the environment variable, NOT the one shown in the app <<<
        # The string should start with "ecdsa-sha2-nistp256" and end with the key name (or similar identifier).
	signingKey = "key::[Public Key]"

[gpg "ssh"]
	defaultKeyCommand = ssh-add -L

~/.ssh/config 

Host github.com
        IdentityAgent /Users/[Username]/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/socket.ssh

Common Pitfalls

  • The signingKey specified in .gitconfig must be the key retrieved via ssh-add -L with key:: prefixed to it, not the public key viewed within the app interface.
    • Note that the key will not be displayed until you execute the command after applying the environment variable as instructed during the app setup.

Detailed Explanation

Typically, SSH private keys are stored on disk in an encrypted state. Every time a signature is requested for operations like commit or push, an SSH agent decrypts the key to perform the task. However, this carries risks: the private key might be stored unencrypted, the key password might be leaked, the SSH agent or the OS itself might have vulnerabilities, or there could be side-channel attacks against the CPU.

Secretive significantly mitigates these issues by storing keys in the Secure Enclave on macOS. The Secure Enclave is a type of TEE (Trusted Execution Environment) [Citation Needed] that operates independently of the main OS (in this case, macOS) where you perform your daily tasks.
TEE technology is not exclusive to Apple devices; similar environments are available in almost all modern mobile devices (TrustZone) and Windows PCs (Intel TXT, SGX / AMD PSP).

Private keys stored in the Secure Enclave are never accessible from the main OS. Because the core used by the Secure Enclave is isolated and its memory cannot be seen by the main OS CPU (it is encrypted with an Enclave-specific key), it is protected from side-channel attacks targeting the main OS. When a task requiring the private key—such as signing—is requested, the request is forwarded to the Secure Enclave via Secretive's resident agent, and the processing involving the private key happens exclusively within the Secure Enclave.

Furthermore, the Secure Enclave is resistant to physical attacks and, on Apple Silicon devices, is embedded within the SoC, ensuring that the device remains secure even if stolen. (Of course, absolute security doesn't exist, so it is always better not to get your device stolen.)

Usage

Since it is a GUI application, operation should be straightforward. You will be asked during key generation whether to require TouchID for operations, and it is generally recommended to enable this if your hardware supports it.

Note that even if you disable the TouchID requirement, you will still receive notifications.

Using with devcontainer

In VSCode, if you have the above settings configured, the agent will be automatically forwarded, allowing you to use the key inside containers.

Other Limitations

  • Naturally, because the key never leaves the Secure Enclave, it cannot be used on other devices. (Since GitHub allows multiple SSH keys, this should not be a major issue for Git-related workflows.)
  • Due to Secure Enclave specifications, only NIST P-256 (Elliptic Curve) keys can be used. This limitation should also be acceptable for most standard environments.

Discussion