Secure maintainer workflow, continued

Thursday 22 December 2022

Picking up from Secure maintainer workflow, especially the comments there (thanks!), here are some more things I’m doing to keep my maintainer workflow safe.

1Password ssh: I’m using 1Password as my SSH agent. It works really well, and uses the Mac Touch ID for authorization. Now I have no private keys in my ~/.ssh directory. I’ve been very impressed with 1Password’s helpful and comprehensive approach to configuration and settings.

Improved environment variables: I’ve updated my opvars and unopvars shell functions that set environment variables from 1Password. Now I can name sets of credentials (defaulting to the current directory name), and apply multiple sets. Then unopvars knows all that have been set, and clears all of them.

Public/private GitHub hosts: There’s a problem with using a fingerprint-gated SSH agent: some common operations want an SSH key but aren’t actually security sensitive. When pulling from a public repo, you don’t want to be interrupted to touch the sensor. Reading public information doesn’t need authentication, and you don’t want to become desensitized to the importance of the sensor. Pulling changes from a git repo with a “git@” address always requires SSH, even if the repo is public. It shouldn’t require an alarming interruption.

Git lets you define “insteadOf” aliases so that you can pull using “https:” and push using “git@”. The syntax seems odd and backwards to me, partly because I can define pushInsteadOf, but there’s no pullInsteadOf:

[url ""]
    # Git remotes of "" should really be pushed using ssh.
    pushInsteadOf =

[url ""]
    # Git remotes of "" should be pulled over https.
    insteadOf =

This works great, except that private repos still need to be pulled using SSH. To deal with this, I have a baroque contraption arrangement using a fake URL scheme “github_private:” like this:

[url ""]
    pushInsteadOf =
    # Private repos need ssh in both directions.
    insteadOf = github_private:

[url ""]
    insteadOf =

Now if I set the remote URL to “github_private:nedbat/secret.git”, then activity will use “” instead, for both pushing and pulling. (BTW: if you start fiddling with this, “git remote -v” will show you the URLs after these remappings, and “git config --get-regex ‘remote.*.url’” will show you the actual settings before remapping.)

But how to set the remote to “github_private:nedbat/secret.git”? I can set it manually for specific repos with “git remote”, but I also clone entire organizations and don’t want to have to know which repos are private. I automate the remote-setting with an aliased git command I can run in a repo directory that sets the remote correctly if the repo is private:

    # If this is a private repo, change the remote from "" to
    # "github_private:".  You can remap "github_private:" to "git@" like this:
    #   [url ""]
    #       insteadOf = github_private:
    # This requires the gh command:
    fix-private-remotes = "!f() { \
        vis=$(gh api 'repos/{owner}/{repo}' --template '{{.visibility}}'); \
        if [[ $vis == private ]]; then \
            for rem in $(git remote); do \
                echo Updating remote $rem; \
                git config remote.$rem.url $(git config remote.$rem.url | \
                    sed -e 's/'); \
            done \
        fi; \
    }; f"

This uses GitHub’s gh command-line tool, which is quite powerful. I’m using it more and more.

This is getting kind of complex, and is still a work in progress, but it’s working. I’m always interested in ideas for improvements.



For “Improved environment variables” have you checked out direnv ? For 1password after hooking it into my shell I put something like export API_TOKEN=$(op read op://private/direnv/API_TKEN) in .envrc and it works pretty well though every time you enter the directory it needs to make 1password api calls so that can be a little slow.


direnv is very interesting, but I don’t want my credentials to always be in the environment. I might work on a project for weeks before I need to be able to push a release to PyPI. It’s better for me to be able to get and delete the credential environment variables explicitly.


I see, it looks like there is a feature-request for something that would allow you to have a bit more control over auto-loading env variables but direnv doesn’t make it very easy right now.


The following works great for me:

  • always clone public repositories using the https:// URL
  • always clone private repositories using the git@… URL
  • git config --global url."":pushInsteadOf so that git push in a clone of a public repository will use SSH auth

Apologies, I got the git config syntax wrong despite using Preview a couple of times, and of course noticed as soon as I submitted the comment. The : should be inside the quotes (although it doesn’t matter), and there should be a . right in front of the pushInsteadOf.

My ~/.gitconfig has the right syntax.

Add a comment:

Ignore this:
Leave this empty:
Name is required. Either email or web are required. Email won't be displayed and I won't spam you. Your web site won't be indexed by search engines.
Don't put anything here:
Leave this empty:
Comment text is Markdown.