How do I use my GPG agent for SSH everywhere?
Solution 1:
So, I managed to find a hacky solution that achieves the same goal. It appears (???) impossible to overwrite SSH_AUTH_SOCK, and I can't disable the builtin agent because I want to preserve SIP.
However, I can abuse symlinking to get my agent working reliably. Thanks to a nice article explaining how to leverage the YubiKey on a Mac (similar to my goal), I managed to create a LaunchAgent to symlink my agent to wherever SSH_AUTH_SOCK is pointing. So far I have yet to perform heavy testing with this, but it seems to be working okay.
Just in case the source link goes down, I created a file at ~/Library/LaunchAgents/link-ssh-auth-sock.plist with the following contents:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <!-- Name launchd uses for this job (launchctl list / unload) -->
    <key>Label</key>
    <string>link-ssh-auth-sock</string>
    <!-- Replace the launchd-provided SSH_AUTH_SOCK path with a symlink to gpg-agent's SSH socket -->
    <key>ProgramArguments</key>
    <array>
      <string>/bin/sh</string>
      <string>-c</string>
      <string>/bin/ln -sf $HOME/.gnupg/S.gpg-agent.ssh $SSH_AUTH_SOCK</string>
    </array>
    <!-- Run once when the agent is loaded at login -->
    <key>RunAtLoad</key>
    <true/>
  </dict>
</plist>
This LaunchAgent replaces the Apple-generated socket (located in /private/tmp/...) with my own, but preserves Apple's environment variable. The symlink works, and is picked up in any application that supports using native SSH (in my case, PyCharm).
It's not a true solution to the issue (the socket is being symlinked, who knows what issues this could cause), but it at least works for the time being.
I'll keep trying to find a true solution to this problem, but in the meantime I'll share this answer just for any other curious souls with the same issue.
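A small check script, added here and not part of the answer above, that reports whether SSH_AUTH_SOCK currently resolves to the gpg-agent SSH socket the LaunchAgent links in. The function name and its five status words are my own; the socket path defaults to the answer's ~/.gnupg/S.gpg-agent.ssh.

```shell
#!/bin/sh
# Added example (not from the original answer): verify the symlink state that
# the link-ssh-auth-sock LaunchAgent is supposed to produce.
# Usage: check_auth_sock [SSH_AUTH_SOCK path] [gpg-agent ssh socket path]
# Prints one of: missing, not-a-symlink, wrong-target, dangling, ok
# and returns 0 only for "ok".
check_auth_sock() {
    sock="${1-$SSH_AUTH_SOCK}"                 # default: the live env var
    want="${2:-$HOME/.gnupg/S.gpg-agent.ssh}"  # path from the answer's plist

    if [ -z "$sock" ]; then
        echo "missing"        # SSH_AUTH_SOCK not set in this environment
        return 1
    fi
    if [ ! -L "$sock" ]; then
        echo "not-a-symlink"  # still Apple's own socket: the LaunchAgent never ran
        return 1
    fi
    target=$(readlink "$sock")
    if [ "$target" != "$want" ]; then
        echo "wrong-target"   # symlink exists but points somewhere else
        return 1
    fi
    if [ ! -e "$sock" ]; then
        echo "dangling"       # link is right, but gpg-agent has not created its socket
        return 1
    fi
    echo "ok"
    return 0
}
```

A "dangling" result right after login usually means the LaunchAgent ran before gpg-agent created its socket; re-run the check once gpg-agent is up.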