@peterwwillis
Created January 9, 2024 08:13
Running 1Password Desktop with Docker on Alpine Linux

File: .gitconfig

[user]
    ; NOTE: Replace your name, email, and signing SSH public key here.
    name = My Git User Name Here
    email = MYGITEMAIL@ADDRESS.HERE
    signingkey = MYLONGSSHPUBKEYHERE
; NOTE: Uncomment this if you want to set a default credential store for Git.
; On Linux, "secretservice" is the libsecret (aka keyring) method.
;[credential]
;    credentialStore = secretservice
[gpg]
    format = ssh
[gpg "ssh"]
    ; NOTE: Put the path to the op-ssh-sign.sh script on your filesystem.
    program = /home/MYLINUXUSERNAMEHERE/bin/op-ssh-sign.sh
[commit]
    gpgsign = true
File: 1password.sh

#!/usr/bin/env sh
# 1password.sh - Run 1Password Desktop app in Docker
set -eu
[ "${DEBUG:-0}" = "1" ] && set -x
# NOTE:
# You may need to check where /etc/localtime points to on your system and
# add a volume-mapping entry for it below. This ensures the Docker container
# has the same timezone as your system clock. The US/Eastern entry below is
# the author's zone; change it to match yours.
#
# What the flags mean for the host:
#  - --privileged lifts the usual capability, device and seccomp restrictions,
#    and --network=host / --pid=host share the host's namespaces, so this
#    container is packaging, not a sandbox. Treat it as part of the host's
#    trust boundary and only run an image you built yourself.
#  - /etc/passwd and /etc/group (read-only) make the uid/gid passed with -u
#    resolve to your host account inside the container; /etc/shadow is
#    mounted read-only as well, so the container can read your password hash.
#  - $HOME and /tmp are shared so the SSH agent socket (~/.1password/agent.sock),
#    the X11 socket and git's signing temp files are visible on both sides.
docker run \
    --name my-1password-op \
    --privileged \
    --rm \
    --network=host \
    --pid=host \
    -v /tmp:/tmp \
    -v /etc/passwd:/etc/passwd:ro \
    -v /etc/shadow:/etc/shadow:ro \
    -v /etc/group:/etc/group:ro \
    -v /etc/localtime:/etc/localtime:ro \
    -v /etc/zoneinfo/US/Eastern:/etc/zoneinfo/US/Eastern:ro \
    -v "$HOME:$HOME" \
    -e DISPLAY \
    -u "$(id -u):$(id -g)" \
    my-1password-op \
    1password --disable-gpu --log debug

1Password is a commercial password manager.

You can use the password manager from their web interface, or use their browser extension, or use their desktop app, or use their command-line interface. Installation instructions for Linux are here.

It's great that 1Password supports Linux. I can't imagine how small their Linux customer base is, so the fact that they'd spend a good chunk of money to support it is impressive. But sadly, not all Linux distributions are supported.

If you are using Alpine Linux, their downloadable tarball of the application will not work, because Alpine is built with musl rather than glibc. (You can install a glibc compatibility layer in Alpine, but 1Password still won't run.)

Your only officially-supported option left is to use Flatpak. But sadly, again, using Flatpak leaves several important 1Password features unsupported:

If you install 1Password with Flatpak, you’ll have access to all the features 1Password for Linux has to offer except:

    You’ll need to lock and unlock 1Password in your browser separately from the app.
    You won’t be able to unlock 1Password or 1Password CLI with system authentication.
    You won’t be able to use the SSH agent.

Well that's not great! Is there any way around this limitation so we can still get all the 1Password Desktop features in unsupported platforms? Turns out there is: Docker.

Docker is a containerization runtime, like Flatpak. The benefits of Docker over Flatpak are that there's a larger ecosystem of apps, people are more familiar with it, and it's supported on more platforms (afaik).

Using Docker we can build a custom Docker container, run it on Alpine Linux, and pass the secret incantations of command-line options that will let 1Password Desktop work as we want. Even with the fancy SSH agent options and desktop/browser integration!

This method should work (in theory) on any system Docker can run on. However, I've only tested it on Alpine Linux v3.17 on an x86_64 machine.

Steps

Step 1. Install and set up Docker

There are plenty of guides on the 'net for that. Once you can run a Docker container as a normal user on Alpine, continue.

Step 2. Create a new Docker container

  1. Copy the Dockerfile attached to this gist to a new file named 1password.Dockerfile.
  2. Build a new container using it:
    $ docker build -t my-1password-op -f 1password.Dockerfile .
    
  3. If your local Docker images ever get blown away, you'll need to build this container again, so don't lose these files.

Step 3. Create a 1password.sh wrapper

  1. Copy the 1password.sh file attached to this gist to a new file of the same name.
  2. Make it executable (chmod +x 1password.sh)

Step 4. Create an ssh config file

If you want to use SSH Agent forwarding for 1password, add the SSH configuration options to your SSH config file according to the 1Password SSH Agent documentation.

Make sure to add your SSH keys to 1Password, then remove them from your local machine.

  1. Turn on the ssh agent in 1Password
  2. Make the ssh directory (mkdir -p ~/.ssh && chmod 0700 ~/.ssh)
  3. Copy the contents of the ssh-config file in this gist to a file called $HOME/.ssh/config
  4. Modify your SSH config as needed.

Step 5. Sign your Git commits with 1Password

If you want to sign your Git commits with 1Password, see the docs here.

  1. Follow Step #4 above.
  2. Make sure GPG is installed.
  3. Add an SSH key to 1Password that will be used for Git commit signing.
  4. Add that same SSH key to GitHub (or your DVCS of choice).
  5. Copy the entries from the .gitconfig in this gist to your $HOME/.gitconfig. Replace the placeholder entries in that file with the values from your system: your name, email address, the public key of the SSH key you will sign commits with, etc.
  6. Copy the contents of the op-ssh-sign.sh script to a new file on your filesystem. Give it executable permissions (chmod +x op-ssh-sign.sh) and put the full path to that script in the .gitconfig file you created earlier.
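A preflight check for the .gitconfig edited in step 5, added here as an example and not part of the gist: it parses the file with awk, confirms gpg.format and commit.gpgsign, checks that user.signingkey has the form of an SSH public key, flags values still matching the gist's MY...HERE placeholder convention (an assumption about your edits), and verifies that gpg.ssh.program exists and is executable before you try a signed commit.

```shell
#!/usr/bin/env sh
# check-op-signing.sh - preflight check for the .gitconfig created in step 5.
# Added example, not part of the gist. Usage: check_signing_config ~/.gitconfig
# Exits 0 when the config looks usable, 1 after printing every problem found.
set -eu

# cfg_get FILE SECTION KEY: print the value of KEY under [SECTION] (SECTION may be
# a subsection such as 'gpg "ssh"'); comments and other sections are ignored.
cfg_get() {
    awk -v want="[$2]" -v key="$3" '
        /^[ \t]*[;#]/ { next }                          # comment line
        /^[ \t]*\[/   { s = $0; sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); next }
        s == want {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); gsub(/[ \t]/, "", k)
            if (k != key) next
            v = substr($0, eq + 1); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            print v; exit
        }' "$1"
}

# check_signing_config FILE: validate the keys op-ssh-sign.sh relies on.
check_signing_config() {
    f=$1 rc=0
    [ "$(cfg_get "$f" gpg format)" = "ssh" ] ||
        { echo "gpg.format must be 'ssh'"; rc=1; }
    [ "$(cfg_get "$f" commit gpgsign)" = "true" ] ||
        { echo "commit.gpgsign must be 'true'"; rc=1; }
    key=$(cfg_get "$f" user signingkey)
    case $key in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-"*|"sk-ssh-ed25519"*|"sk-ecdsa-sha2-"*) ;;
        *) echo "user.signingkey is not an SSH public key: '$key'"; rc=1 ;;
    esac
    email=$(cfg_get "$f" user email)
    case $email in   # MY...HERE is the placeholder convention used in the gist (assumed)
        MY*HERE|"") echo "user.email still holds the gist placeholder"; rc=1 ;;
    esac
    prog=$(cfg_get "$f" 'gpg "ssh"' program)
    [ -n "$prog" ] && [ -x "$prog" ] ||
        { echo "gpg.ssh.program '$prog' is missing or not executable"; rc=1; }
    return $rc
}
```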

Step 6. Run 1Password

  1. Run 1password.sh. You can do this from your desktop's preferred method of running a command-line program, or make a shortcut, or run it from a terminal. If you run it from a terminal, closing the terminal will close 1Password. If you have a task bar on your desktop, you should see an icon for 1Password appear.
  2. If you are running 1Password Desktop for the first time, you will need to sign in and unlock 1Password.
  3. Attempt to use SSH as you would before. You may need to unlock 1Password Desktop first.
  4. Attempt to commit a file in Git. It should fail if it can't sign the commit properly.

Conclusion

I hope this guide has been useful for those of you on "weird" Linux distributions! Please comment on this Gist if you have questions or comments.

I do hope 1Password finds a way to support their extra features with Flatpak or Docker, so more users can take advantage of the tool without these workarounds.

File: 1password.Dockerfile

# 1password.Dockerfile
#
# Builds an Ubuntu 18.04 image with 1Password Desktop installed from
# 1Password's official apt repository (the repository is verified with the
# archive keyring, the .deb itself with the debsig policy), reproducing the
# group and setuid/setgid setup the package expects for its helpers. sshd and
# xauth are added for X11 use; the 1password.sh wrapper overrides the CMD with
# the 1password binary itself.
FROM ubuntu:18.04 as build-stg1
ENV CHANNEL="stable"
ENV ONEPASSWORD_KEY_URL="https://downloads.1password.com/linux/keys/1password.asc"
ENV GROUP_NAME="onepassword"
ENV HELPER_PATH="./1Password-KeyringHelper"
ENV BROWSER_SUPPORT_PATH="./1Password-BrowserSupport"
ENV DEBIAN_FRONTEND=noninteractive
# 1. Import the repository key and add the apt source for the chosen channel.
# 2. Install the debsig policy and keyring so apt can verify the package signature.
# 3. Install 1password, then apply the permissions its package requires:
#    chrome-sandbox is setuid root, the keyring helper is setuid/setgid, and
#    the browser-support helper is setgid, all owned by the onepassword group.
RUN set -e; \
    apt-get update && apt-get install -y --no-install-recommends \
        curl gpg ca-certificates libx11-xcb1 ; \
    curl -sS "$ONEPASSWORD_KEY_URL" | gpg --dearmor --output /usr/share/keyrings/1password-archive-keyring.gpg ; \
    echo "deb [arch=amd64 signed-by=/usr/share/keyrings/1password-archive-keyring.gpg] https://downloads.1password.com/linux/debian/amd64 ${CHANNEL} main" > /etc/apt/sources.list.d/1password.list ; \
    mkdir -p /etc/debsig/policies/AC2D62742012EA22/ ; \
    curl -sSo /etc/debsig/policies/AC2D62742012EA22/1password.pol https://downloads.1password.com/linux/debian/debsig/1password.pol ; \
    mkdir -p /usr/share/debsig/keyrings/AC2D62742012EA22/ ; \
    rm -f /usr/share/debsig/keyrings/AC2D62742012EA22/debsig.gpg ; \
    curl -sS "$ONEPASSWORD_KEY_URL" | gpg --dearmor --output /usr/share/debsig/keyrings/AC2D62742012EA22/debsig.gpg ; \
    apt-get update && apt-get install -y 1password ; \
    cd /opt/1Password/ ; \
    install -Dm0644 ./com.1password.1Password.policy -t /usr/share/polkit-1/actions/ ; \
    install -Dm0644 ./resources/custom_allowed_browsers -t /usr/share/doc/1password/examples/ ; \
    chmod 4755 ./chrome-sandbox ; \
    if [ ! "$(getent group "${GROUP_NAME}")" ]; then \
        groupadd "${GROUP_NAME}" ; \
    fi ; \
    chgrp "${GROUP_NAME}" "$HELPER_PATH" ; \
    chmod u+s "$HELPER_PATH" ; \
    chmod g+s "$HELPER_PATH" ; \
    chgrp "${GROUP_NAME}" "$BROWSER_SUPPORT_PATH" ; \
    chmod g+s "$BROWSER_SUPPORT_PATH" ; \
    ln -sf /opt/1Password/1password /usr/bin/1password ; \
    rm -rf /var/lib/apt/lists/*
RUN apt-get update && apt-get install -y --no-install-recommends openssh-server xauth && rm -rf /var/lib/apt/lists/*
# IPv4-only sshd; the runtime directory must exist before sshd will start.
RUN sed -i -e 's/^#AddressFamily.*/AddressFamily inet/g' /etc/ssh/sshd_config ; mkdir -p /run/sshd
# Default command when the image is run without one; 1password.sh replaces it.
CMD /usr/sbin/sshd -p 2222 -D
File: op-ssh-sign.sh

#!/usr/bin/env sh
# op-ssh-sign.sh - pass requests to sign Git commits through to 1Password
set -eu
[ "${DEBUG:-0}" = "1" ] && set -x
# NOTE: 'my-1password-op' is the "name" of the running Docker container on your system.
# If you change the name of that container (not the image name, but the running
# container name), replace it below.
#
# git invokes this as: <program> -Y sign -n git -f <key-file> <buffer-file>,
# with both temp files under $TMPDIR (default /tmp). 1password.sh mounts the
# host's /tmp into the container, so those paths resolve inside it unchanged.
# No -t: git may run this without a terminal (editors, IDEs, hooks), and
# 'docker exec -t' fails when stdin is not a TTY. The signer needs no TTY;
# the 1Password app handles any unlock or authorization prompt in its own window.
docker exec \
    -i \
    my-1password-op \
    /opt/1Password/op-ssh-sign "$@"
File: ssh-config

# Send all ssh host requests to the 1Password SSH agent
Host *
    IdentityAgent ~/.1password/agent.sock