lima-git-setup

Lima Git Setup Skill

Sets up git identity, SSH agent forwarding from a 1Password-backed Mac, and commit signing inside a Lima VM.

Context

On macOS with 1Password as the SSH agent, SSH keys are never stored as files — they live in 1Password and are served via a Unix socket. Getting them into a Lima VM requires three things to be correct simultaneously:

1. SSH_AUTH_SOCK on the Mac points to the 1Password socket (not the default macOS launchd agent)
2. The SSH connection to Lima uses ssh <vm-name> with ForwardAgent yes (not limactl shell, which bypasses agent forwarding)
3. No stale SSH ControlMaster is reusing an old agent socket

Workflow

Phase 1: Inspect host Mac configuration

Read ~/.gitconfig and ~/.ssh/config to capture the user's current setup:

cat ~/.gitconfig
cat ~/.ssh/config

Extract these values for use in Phase 3:

• user.name and user.email
• The SSH signing key fingerprint/pubkey (under user.signingKey)
• Whether commit.gpgsign is enabled

Then check whether SSH_AUTH_SOCK currently points to 1Password:

echo $SSH_AUTH_SOCK

The 1Password socket path is: ~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock

If SSH_AUTH_SOCK is pointing somewhere else (typically /private/tmp/com.apple.launchd.*/Listeners), it needs to be fixed before proceeding.

Phase 2: Fix SSH_AUTH_SOCK (if needed)

If SSH_AUTH_SOCK is not pointing to the 1Password socket:

1. Add this to ~/.zshrc (or ~/.zprofile if using login shells):

   export SSH_AUTH_SOCK="$HOME/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"
   

2. Source the file in the current terminal:

   source ~/.zshrc
   

3. Verify the 1Password agent has keys:

   SSH_AUTH_SOCK="$HOME/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock" ssh-add -l
   

   This should list the user's SSH keys. If it shows "no identities", the user needs to add SSH keys in the 1Password app under Settings → Developer → SSH Agent.

Phase 3: Kill any stale ControlMaster

SSH ControlMaster multiplexing caches the agent socket from the first connection. If a master is running from before SSH_AUTH_SOCK was fixed, new connections will reuse the old (empty) socket.

Check and kill:

ssh -O check <vm-name> 2>&1   # will print "Master running" if active
ssh -O exit <vm-name>          # kills it

Where <vm-name> is the Lima VM name (e.g., devbox). If no master is running, the exit command will error harmlessly.

Phase 4: Connect and verify agent forwarding

Connect via ssh, not limactl shell — only ssh respects ForwardAgent:

ssh <vm-name>

Then inside the VM, verify the keys came through:

ssh-add -l

This should list the same keys shown in Phase 2. If it shows "The agent has no identities", revisit Phase 2 and Phase 3.

Phase 5: Configure git inside the VM

Run these inside the VM (substitute actual values from Phase 1):

# Identity
git config --global user.name "Your Name"
git config --global user.email "[email protected]"
git config --global init.defaultBranch main

# SSH commit signing — no gpg.ssh.program needed on Linux;
# git uses ssh-keygen by default, which reads $SSH_AUTH_SOCK
git config --global gpg.format ssh
git config --global user.signingKey "ssh-ed25519 AAAA..."
git config --global commit.gpgsign true

Note on signing programs: On macOS, the host uses op-ssh-sign (1Password's signing binary). That binary is not available on Linux. The default ssh-keygen works correctly with the forwarded agent socket — do not set gpg.ssh.program.

Phase 6: Verify authentication and signing

Inside the VM:

# Test SSH auth to remotes
ssh -T [email protected]
ssh -T [email protected]

# Test commit signing
cd /tmp && git init test-sign && cd test-sign
git commit --allow-empty -m "test signing"
git log --show-signature

For GitHub and Bitbucket, success looks like:

• GitHub: Hi <username>! You've successfully authenticated...
• Bitbucket: logged in as <username>

1Password will show an authorization prompt on the Mac the first time each key is used.

Phase 7: (Optional) Set up allowed signers

To verify your own commit signatures with git log --show-signature:

echo "[email protected] ssh-ed25519 AAAA..." >> ~/.ssh/allowed_signers
git config --global gpg.ssh.allowedSignersFile ~/.ssh/allowed_signers

Troubleshooting

ssh-add -l shows "no identities" inside the VM Work through these in order:

1. Is SSH_AUTH_SOCK on the Mac pointing to the 1Password socket? (Phase 2)
2. Did you kill the ControlMaster? (Phase 3)
3. Did you reconnect via ssh <vm-name> after fixing SSH_AUTH_SOCK? (Phase 4)
4. Does the 1Password socket have keys? Run the verification in Phase 2 step 3.

Permission denied on ssh -T [email protected] The forwarded agent has the keys but the remote doesn't recognize them. The SSH public key probably isn't added to the GitHub/Bitbucket account. Copy the public key from ssh-add -L (inside the VM) and add it to the account's SSH key settings.

limactl shell works but agent forwarding doesn't limactl shell does not forward the SSH agent. Always use ssh <vm-name> for sessions where you need git/SSH to work.

ControlMaster keeps coming back Check ~/.ssh/config for a ControlMaster auto or ControlPath directive. If Lima or another tool sets this up automatically, you may need to re-kill the master each time you change SSH_AUTH_SOCK — or remove the ControlMaster directive for the Lima host.