Signing is not working correctly with password-protected SSH key #5873

Open
quantum9Innovation opened this issue Dec 28, 2024 · 8 comments
Labels: bug (Something isn't working), distribution (Something related to the packaged binaries, app-images and installers), feedback requested (Feedback was requested to help resolve the issue), os:linux (The Linux platform)

@quantum9Innovation

Version

0.14.4

Operating System

Linux

Distribution Method

deb (Linux)

Describe the issue

I have a password protected private SSH key at ~/.ssh/id_ed25519 with a corresponding public key ~/.ssh/id_ed25519.pub which I've added to GitButler through the Git project settings tab. I've also added this key to GitHub, but when testing signing I get the following error:

Signing is not working correctly

Failed to sign SSH:  ssh_askpass: exec(): No such file or directory
Load key "/home/user/.ssh/id_ed25519": incorrect passphrase supplied to decrypt private key

How to reproduce

Create a password-protected private SSH key and then add it to GitButler as a signing key in the Git tab of the project settings, then test signing.

Expected behavior

GitButler should ask for the decryption password for the corresponding private key and then use it to access the correct key when signing commits and testing signing.

Relevant log output

2024-12-28T05:46:12.836838Z ERROR check_signing_settings: crates/gitbutler-tauri/src/repo.rs:38: error=Error(Failed to sign SSH:  ssh_askpass: exec(): No such file or directory
Load key "/home/user/.ssh/id_ed25519": incorrect passphrase supplied to decrypt private key
) id=1f9d6cd0-f50d-4595-a21e-2c20610e8b6f
2024-12-28T05:46:12.836870Z  INFO check_signing_settings: crates/gitbutler-tauri/src/repo.rs:38: close time.busy=7.22ms time.idle=30.6µs id=1f9d6cd0-f50d-4595-a21e-2c20610e8b6f
@quantum9Innovation quantum9Innovation added the bug Something isn't working label Dec 28, 2024
@Byron Byron added the distribution Something related to the packaged binaries, app-images and installers label Dec 28, 2024
@Byron
Collaborator

Byron commented Dec 28, 2024

Thanks a lot for reporting!

GitButler does override the SSH_ASKPASS environment variable with a custom binary that it should ship with.

The error messages I saw seem to indicate the executable can't be found. Could it be that gitbutler-git-askpass isn't part of the debian bundle (anymore)?

It does seem to be bundled:

byron@debian:/Users/byron/Downloads$ dpkg-deb -c GitButler_0.14.4_amd64.deb
drwxr-xr-x 0/0               0 2024-12-13 10:32 usr
drwxr-xr-x 0/0               0 2024-12-13 10:32 usr/share
drwxr-xr-x 0/0               0 2024-12-13 10:32 usr/share/icons
[..]
drwxr-xr-x 0/0               0 2024-12-13 10:32 usr/bin
-rwxr-xr-x 0/0         2178736 2024-12-13 10:32 usr/bin/gitbutler-git-setsid
-rwxr-xr-x 0/0         1904440 2024-12-13 10:32 usr/bin/gitbutler-git-askpass
-rwxr-xr-x 0/0       331855352 2024-12-13 10:32 usr/bin/gitbutler-tauri

Could you check if /usr/bin/gitbutler-git-askpass exists on your system? It would try to find it based on the location of the gitbutler-tauri binary - it's supposed to be its sibling.

Thanks for your help.

Also CC @ndom91.

@Byron Byron added os:linux The Linux platform feedback requested Feedback was requested to help resolve the issue and removed distribution Something related to the packaged binaries, app-images and installers labels Dec 28, 2024
@quantum9Innovation
Author

I just checked and the gitbutler-git-askpass utility does exist on my system. I can't run it because it gives an error saying it's only meant to be run by GitButler, but I assume it is working correctly.

I think the issue is that I am actually using a version of GitButler packaged for NixOS, which uses the Debian binaries under the hood. The gitbutler-git-askpass utility is bundled with the app (see https://github.com/youwen5/gitbutler-flake/blob/448e9a784f2310f73b0b2f4f16dc35d31b3bf8d9/gitbutler.nix#L36), but the main GitButler app is probably unable to locate this utility due to the package setup.

@quantum9Innovation
Author

@Byron @ndom91 Do you know if GitButler expects this utility to live in a specific location or just that it exists on the system path? The issue has something to do with the way GitButler locates this tool, so if I can identify how it does that this should be a simple fix.

@Byron Byron added the distribution Something related to the packaged binaries, app-images and installers label Dec 29, 2024
@Byron
Collaborator

Byron commented Dec 29, 2024

Ah, that's good to know. Then it's not really the .deb distribution, but the AFAIK unofficial one for Nix.

The two binaries, gitbutler-git-askpass and gitbutler-git-setsid, must be in the same folder as gitbutler-tauri. Could you check if, as seen from the gitbutler-tauri binary, these would be in the PATH? In theory, we could alter the way it finds these binaries to also cater to the Nix distribution, which I hope could at some point become official.

@quantum9Innovation
Author

It seems that all these utilities should be in the same directory (https://github.com/youwen5/gitbutler-flake/blob/448e9a784f2310f73b0b2f4f16dc35d31b3bf8d9/gitbutler.nix#L34C5-L36C87). @youwen5 tested the NixOS application separately and SSH signing was working, so I'm not sure exactly what went wrong in my case (probably something to do with my SSH key and the fact that it was password-protected).

I have however found that signing with a password-protected GPG key works fine, so this might be a good solution for others facing the same issue.

@Byron
Collaborator

Byron commented Dec 30, 2024

That should indeed work!

I also found a portion of code that would indicate that GitButler would produce an error early if these files weren't present. Thus it truly seems that ssh is trying to execute the askpass program, and fails to do that with the given error message.

It's unclear to me how that can happen.

Is it possible for you to follow child process invocations with strace? Maybe then one would see what ssh is trying to execute exactly.

@quantum9Innovation
Author

Sorry for the late reply, but this is what I've found from running strace -f -e execve gitbutler-tauri and then testing SSH signing:

/run/current-system/sw/bin/strace: Process 15921 attached
/run/current-system/sw/bin/strace: Process 15922 attached
[pid 15922] execve("/bin/sh", ["/bin/sh", "-c", "ssh-keygen -Y sign -n git -f ~/."..., "--"], 0x6240c03904b0 /* 110 vars */) = 0
[pid 15922] execve("/run/current-system/sw/bin/ssh-keygen", ["ssh-keygen", "-Y", "sign", "-n", "git", "-f", "/home/user/.ssh/id_ed25519.pub", "/tmp/.tmpdPt7Df"], 0x21dfa050 /* 111 vars */) = 0
/run/current-system/sw/bin/strace: Process 15929 attached
[pid 15929] +++ exited with 255 +++
[pid 15922] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=15929, si_uid=1000, si_status=255, si_utime=0, si_stime=0} ---
[pid 15922] +++ exited with 255 +++
[pid 15672] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=15922, si_uid=1000, si_status=255, si_utime=0, si_stime=0} ---
2025-01-07T04:49:21.744145Z ERROR check_signing_settings: crates/gitbutler-tauri/src/repo.rs:38: error=Error(Failed to sign SSH:  ssh_askpass: exec(): No such file or directory
Load key "/home/user/.ssh/id_ed25519": incorrect passphrase supplied to decrypt private key
) id=0b0bc5ad-2191-4a70-80f6-6b248c433e12
2025-01-07T04:49:21.744182Z  INFO check_signing_settings: crates/gitbutler-tauri/src/repo.rs:38: close time.busy=89.9ms time.idle=46.5µs id=0b0bc5ad-2191-4a70-80f6-6b248c433e12
[pid 15921] +++ exited with 0 +++
[pid 15727] +++ exited with 0 +++

@Byron
Collaborator

Byron commented Jan 7, 2025

Thanks a lot!

ssh-keygen is executed by GitButler and I thought that it would try to execute a program that wasn't found. From looking at the strace log I see the invocation of ssh-keygen through a shell, but nothing else from there. It's like it hides the invocation from strace or it doesn't actually try to invoke anything.

When looking at the GitButler error: ssh_askpass: exec(): No such file or directory it really looks like it tried to do that, though.

Unfortunately, even with strace, I am none the wiser :/.
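
Added example, not part of the thread and not GitButler or OpenSSH code: a shell function that classifies how a given SSH_ASKPASS value would resolve, which is the step the `ssh_askpass: exec(): No such file or directory` message points at. It assumes the helper is started with a PATH-searching exec call; the name `classify_askpass` and its result strings are made up for this example.

```shell
#!/bin/sh
# Added example: classify how an SSH_ASKPASS value would resolve when it is
# handed to an exec*p()-style call (assumption: PATH is searched for bare names).
# Usage: classify_askpass VALUE [SEARCH_PATH]
classify_askpass() {
    value=$1
    search_path=${2-$PATH}

    # An empty program name can never be executed; exec reports ENOENT.
    if [ -z "$value" ]; then
        echo "empty"
        return 1
    fi

    case $value in
    */*)
        # Contains a slash: used as given, the search path is not consulted.
        candidate=$value
        ;;
    *)
        # Bare name: the first executable regular file on the search path wins.
        candidate=
        old_ifs=$IFS
        IFS=:
        for dir in $search_path; do
            [ -n "$dir" ] || dir=.
            if [ -f "$dir/$value" ] && [ -x "$dir/$value" ]; then
                candidate=$dir/$value
                break
            fi
        done
        IFS=$old_ifs
        if [ -z "$candidate" ]; then
            echo "not-on-path"
            return 1
        fi
        ;;
    esac

    # -e follows symlinks, so a dangling symlink is reported as missing.
    if [ ! -e "$candidate" ]; then
        echo "missing $candidate"
        return 1
    fi
    if [ ! -f "$candidate" ] || [ ! -x "$candidate" ]; then
        echo "not-executable $candidate"
        return 1
    fi
    echo "ok $candidate"
}
```

To feed it the value ssh-keygen actually receives, `strace -f -v -s 4096 -e trace=execve` prints each exec's full environment instead of the abbreviated `/* 111 vars */`.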
