Make ssh use gpg-agent

macOS

Make sure the SSH_AUTH_SOCK environment variable was set when you logged into the computer.

$ echo $SSH_AUTH_SOCK
/private/tmp/com.apple.launchd.6WLhL9ld6F/Listeners

This path is different each time (on every login, or possibly only on reboot; the exact trigger isn't clear), and its value is inherited by every process which is part of your desktop environment. This includes all of the shells in your terminal windows, any programs you run by double-clicking something from a Finder window, and so forth.

When you log in, the system creates a Unix socket with a random name, runs a copy of ssh-agent and makes it listen on that Unix socket.

Switch the socket

What we're going to do is remove that Unix socket, and create a symbolic link in its place, pointing to the Unix socket where gpg-agent is listening.

ln -sf $HOME/.gnupg/S.gpg-agent.ssh $SSH_AUTH_SOCK

Once you do this, if any process under your login session needs to talk to ssh-agent, it will actually be talking to gpg-agent instead.

The only problems with this are ...

  • Any programs which try to make use of ssh-agent before you do this will still be talking to the real ssh-agent (which macOS has no way to totally disable).

  • You have to remember to do this every time you log in.

Switch the socket automatically

You can make the system replace the socket with the symlink automatically by creating a "LaunchAgent". These are programs which launchd automatically runs when you log in.

Create $HOME/Library/LaunchAgents/net.jms1.gpg-agent-symlink.plist with the following contents:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>Label</key>
    <string>net.jms1.gpg-agent-symlink</string>
    <key>ProgramArguments</key>
    <array>
      <string>/bin/sh</string>
      <string>-c</string>
      <string>/bin/ln -sf $HOME/.gnupg/S.gpg-agent.ssh $SSH_AUTH_SOCK</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
  </dict>
</plist>

If you're using Keybase, you can copy this file.

cd ~/Library/LaunchAgents/
cp /keybase/public/jms1/net.jms1.gpg-agent-symlink.plist .

If not, you can download this file. (Note: the curl option is an uppercase letter "O", not a digit "zero".)

cd ~/Library/LaunchAgents/
curl -O https://jms1.pub/net.jms1.gpg-agent-symlink.plist

When you create this file, you may get a pop-up notification from macOS.

[Screenshot: macOS "background item added" notification]

This is expected, and can be ignored.

ℹī¸ It's unfortunate that macOS only identifies the item as "sh". If you look in Settings ⇒ General ⇒ Login Items, you will see the item identified as just "sh". And you may see other items identified as just "sh" as well, with no way to tell which one is which.

I've tried to figure out how to give it a different name, but there doesn't seem to be any documentation about how to control the name. If I find out any more about this, I'll update this page.

After creating this file, tell launchd to run it, and to run it automatically every time you log in.

launchctl load net.jms1.gpg-agent-symlink.plist
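As an added example (not part of the original page), here is a POSIX sh script that performs the same socket switch with the checks a practitioner would want: it refuses to run when SSH_AUTH_SOCK is unset or gpg-agent's SSH socket does not exist, does nothing if the symlink is already in place, and then confirms the switch by listing the keys ssh now sees. The function names and the script filename switch-agent-socket.sh are assumptions; the plist above could point at this script instead of the inline ln command.

```shell
#!/bin/sh
# switch-agent-socket.sh (assumed name): replace the launchd-created ssh-agent
# socket with a symlink to gpg-agent's SSH socket, with sanity checks.

# Where gpg-agent listens for SSH clients (the default path used on this page).
gpg_ssh_socket="${GPG_SSH_SOCKET:-$HOME/.gnupg/S.gpg-agent.ssh}"

# agent_socket_target PATH: print the symlink target of PATH, or nothing if
# PATH is not a symlink (e.g. the real launchd socket).
agent_socket_target() {
    if [ -L "$1" ]; then readlink "$1"; else printf ''; fi
}

# switch_agent_socket SSH_SOCK GPG_SOCK
# Returns 0 when the symlink was created, 2 when it was already in place,
# and 1 when the arguments are unusable (nothing is changed in that case).
switch_agent_socket() {
    ssh_sock="$1"; gpg_sock="$2"
    [ -n "$ssh_sock" ] || { echo "SSH_AUTH_SOCK is not set" >&2; return 1; }
    # -S would be stricter (must be a socket); -e is used so the check can be
    # exercised with an ordinary file standing in for the socket.
    [ -e "$gpg_sock" ] || {
        echo "gpg-agent SSH socket missing: $gpg_sock (is gpg-agent running with enable-ssh-support?)" >&2
        return 1
    }
    # Idempotent: do not touch a socket path that already points at gpg-agent.
    [ "$(agent_socket_target "$ssh_sock")" = "$gpg_sock" ] && return 2
    # -f unlinks the existing socket (or stale symlink) before creating the link.
    ln -sf "$gpg_sock" "$ssh_sock" || return 1
    return 0
}

main() {
    switch_agent_socket "${SSH_AUTH_SOCK:-}" "$gpg_ssh_socket"
    rc=$?
    [ "$rc" -eq 1 ] && exit 1
    echo "SSH_AUTH_SOCK -> $(agent_socket_target "$SSH_AUTH_SOCK")"
    # The keys listed here should now be the ones gpg-agent serves, not ssh-agent's.
    ssh-add -L
}

# Run main only when invoked as a script, not when the file is sourced.
case "${0##*/}" in
    switch-agent-socket.sh) main "$@" ;;
esac
```

Run it once by hand (sh ~/bin/switch-agent-socket.sh) and compare the ssh-add -L output with what gpg --card-status or gpg -K reports; if the lists differ, the switch happened after ssh-agent had already answered some client, exactly the first problem noted above.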

Debian 11

TODO

CentOS 7

TODO