Bug 577078 - ssh: support config UseKeychain on Mac?
Summary: ssh: support config UseKeychain on Mac?
Status: CLOSED WONTFIX
Alias: None
Product: JGit
Classification: Technology
Component: JGit
Version: 6.0
Hardware: PC Mac OS X
Importance: P3 enhancement
Target Milestone: ---
Assignee: Project Inbox CLA
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on: 577542 578015
Blocks:
Reported: 2021-11-05 04:04 EDT by Thomas Wolf CLA
Modified: 2022-07-08 01:36 EDT (History)

See Also:


Attachments

Description Thomas Wolf CLA 2021-11-05 04:04:38 EDT
This issue exists mainly to document my findings whether and how this would be possible at all.

Apple has modified the OpenSSH on OS X to integrate with the OS X Keychain. The Apple version of ssh knows an additional SSH config "UseKeychain" (values yes/no); if "yes", it stores passphrases of encrypted private keys in the OS keychain after the user has entered them, and retrieves them from there when needed.

The source code of the modified Apple OpenSSH is available at [1]. The code files to look at here are sshconnect2.c (function load_identity_file) and keychain.m.

* The existing JGit config file parsing already parses a "UseKeychain"
  directive.

* Keychain access via JNA should be doable with JNA 5.8.0. It's a few not too
  complicated library calls; JNA can do this.

* Callback mechanisms for prompting for passphrases already exist in Apache 
  MINA sshd and in JGit; EGit uses them to hook up with the Eclipse secure
  store to do exactly the same. Relevant code in EGit is in
  EGitSshdSessionFactory$EGitFilePasswordProvider. It is certainly possible to
  hook up the IdentityPasswordProvider in JGit to try the OS keychain first.

So from a code perspective this looks perfectly doable and not even too complicated.

However, the Apple OpenSSH stores the passphrases in the keychain with access-group "com.apple.ssh.passphrases". The executable is built with an entitlement for this access group; see the file Entitlements/ssh.entitlements in [1].

If I understand [2] correctly, this means any application wanting to access these passphrases stored by the Apple OpenSSH would also need to have this entitlement, and would need to be notarized.

So while we could provide the necessary code, library users would have to see for themselves how to get that entitlement into their application using JGit.

I don't know if we could do that for the JGit command-line tools. For Eclipse I suppose the entitlement would need to be added at [3].

[1] https://github.com/apple-opensource/OpenSSH
[2] https://developer.apple.com/documentation/security/keychain_services/keychain_items/sharing_access_to_keychain_items_among_a_collection_of_apps
[3] https://git.eclipse.org/r/plugins/gitiles/epp/org.eclipse.epp.packages/+/refs/heads/master/releng/org.eclipse.epp.config/macos/product.entitlements
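As an added illustration of the "few not too complicated library calls" mentioned above (this is not JGit or EGit code), the following JNA binding looks up a generic-password item in the user's keychain and shows where the entitlement problem surfaces: a process that lacks the access-group entitlement gets a nonzero OSStatus back instead of the item. The service and account names in main() are hypothetical; the exact attributes Apple's keychain.m uses are not reproduced here.

```java
import com.sun.jna.Library;
import com.sun.jna.Native;
import com.sun.jna.Pointer;
import com.sun.jna.ptr.IntByReference;
import com.sun.jna.ptr.PointerByReference;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Optional;

/** Minimal JNA binding of the two Security.framework calls needed for a lookup. */
interface Security extends Library {
    Security INSTANCE = Native.load("Security", Security.class);

    int SecKeychainFindGenericPassword(Pointer keychainOrArray,
            int serviceNameLength, byte[] serviceName,
            int accountNameLength, byte[] accountName,
            IntByReference passwordLength, PointerByReference passwordData,
            PointerByReference itemRef);

    int SecKeychainItemFreeContent(Pointer attrList, Pointer data);
}

public final class KeychainPassphraseLookup {
    /** Look up a generic-password item; empty if absent or not accessible to this process. */
    static Optional<char[]> find(String service, String account) {
        byte[] svc = service.getBytes(StandardCharsets.UTF_8);
        byte[] acc = account.getBytes(StandardCharsets.UTF_8);
        IntByReference len = new IntByReference();
        PointerByReference data = new PointerByReference();
        int status = Security.INSTANCE.SecKeychainFindGenericPassword(
                null, svc.length, svc, acc.length, acc, len, data, null);
        if (status != 0) {
            // Items belonging to another access group (such as com.apple.ssh.passphrases)
            // are not visible to a process without the matching entitlement; the call
            // fails here, typically with errSecItemNotFound (-25300).
            return Optional.empty();
        }
        try {
            byte[] raw = data.getValue().getByteArray(0, len.getValue());
            char[] pw = new String(raw, StandardCharsets.UTF_8).toCharArray();
            Arrays.fill(raw, (byte) 0); // do not leave a second copy of the secret around
            return Optional.of(pw);
        } finally {
            Security.INSTANCE.SecKeychainItemFreeContent(null, data.getValue());
        }
    }

    public static void main(String[] args) {
        // Hypothetical service/account names, not the ones Apple's ssh actually uses.
        Optional<char[]> pw = find("SSH", "/Users/alice/.ssh/id_ed25519");
        System.out.println(pw.isPresent() ? "passphrase found" : "no accessible passphrase");
    }
}
```

Wired into a JGit passphrase callback, the lookup would run before prompting the user and fall through to the prompt whenever it returns empty, which is exactly what happens for the ssh passphrases without the entitlement.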
Comment 1 Thomas Wolf CLA 2021-11-05 06:31:24 EDT
On Linux, similar functionality is usually provided transparently by external tools that either act as a facade to the ssh-agent, replace the ssh-agent, or replace ssh-askpass (such as seahorse-ssh-askpass).

The ssh-askpass approaches are useless for JGit; we don't ask for passphrases via that route. (Hm. Should we?) But once JGit supports AddKeysToAgent, keyring integration on Linux could be achieved by users by running a keyring-aware SSH agent.

Compare

[1] https://linux.die.net/man/1/keychain
[2] https://wiki.gnome.org/Projects/GnomeKeyring/Ssh
[3] https://unix.stackexchange.com/questions/168062/how-to-save-an-ssh-key-passphrase-in-gnome-keyring
Comment 3 Thomas Wolf CLA 2022-01-13 12:39:40 EST
I'm abandoning this. Per [1] "Apple won't issue a provisioning profile allowing access to com.apple.ssh.passphrases". I halfway suspected so already.

[1] https://developer.apple.com/forums/thread/676891