See article: Devcontainers, Little Snitch, macOS TCC - protecting developer laptops
- Install Secretive using `brew install --cask secretive`, then launch the Secretive app.
- Create a new secret that requires authentication, named `gitsign`. You will need to perform biometric authentication each time this key is used.
- Create a new secret that is notify-only, named `github`. This key is used for performing git pull/push/fetch from GitHub.
- Add the `gitsign` public key to SSH "Signing keys" on the GitHub Settings page. Title is not required.
- Add the `github` public key to SSH "Authentication keys" on the GitHub Settings page. Title is not required.
- Edit `.zshenv`:

```bash
cat >> ~/.zshenv <<EOF
# For git commit signing
export SSH_AUTH_SOCK="$HOME/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/socket.ssh"
EOF

# For some GPU-acceleration within podman
# Setup: https://podman-desktop.io/docs/installation/macos-install#using-libkrun-as-machine-provider
# Usage: https://podman-desktop.io/docs/podman/gpu
cat >> ~/.zshenv <<'EOF'
# Enable some GPU-acceleration within podman
if [[ "$(uname -m)" == "arm64" ]]; then
  export CONTAINERS_MACHINE_PROVIDER=libkrun
fi
EOF

# Activate in current shell session
source ~/.zshenv
```
- (Recommended) Install podman to protect against exploits that trigger immediately upon opening a git repository or workspace. See: Why are dev containers important?

```bash
# Install podman CLI using official pkg installer (from GitHub)
# See: https://podman.io/docs/installation#macos
open https://github.com/containers/podman/releases
# Manually download and run `podman-installer-macos-arm64.pkg` from latest release

# Create a virtual machine with no access to the host folders
# See: https://docs.podman.io/en/latest/markdown/podman-machine-init.1.html#volume-v-source-target-options
podman machine init -v ''

# Use 8 GiB of RAM for the VM
podman machine set --memory 8192
```
- Edit `.ssh/config`. You may omit the first section that enables VSCode or your IDE to perform Sandboxed Development via podman (including the ability to gitsign without revealing SSH private keys), though it's strongly recommended.

```bash
cat >> ~/.ssh/config <<EOF
# For git commit signing within podman
Host podman-machine-default
  HostName localhost
  # From: podman machine inspect | jq '.[0].SSHConfig'
  IdentityFile $(podman machine inspect | jq -r '.[0].SSHConfig.IdentityPath')
  Port $(podman machine inspect | jq -r '.[0].SSHConfig.Port')
  User $(podman machine inspect | jq -r '.[0].SSHConfig.RemoteUsername')
  IdentitiesOnly yes
  StrictHostKeyChecking no
  UserKnownHostsFile /dev/null
  CheckHostIP no
  LogLevel ERROR
  SetEnv LC_ALL=
  ForwardAgent yes

# For git authentication
Host *
  IdentityAgent $HOME/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/socket.ssh
EOF
```
- Install a newer version of git that supports the `signingkey = key::xxxx` format. As of this writing, the latest macOS (Sequoia 15.5) comes with a pre-installed version of Git that is outdated.

```bash
# Install Homebrew first if you have not already done so (step 1 also needs it)
# /bin/bash -c "$(curl --proto '=https' --tlsv1.3 -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
brew install git
```
- Update `.gitconfig`, replacing the name and email with your GitHub account. Replace the `signingkey` with your `gitsign` public key. Do remember to add back the `key::` prefix.

```bash
# Set user info
git config --global user.name "heri16"
git config --global user.email "[email protected]"

# Set user signingkey
git config --global user.signingkey "key::ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMYmjVIE8ERSgs7EEHbYwhCgMx1v0ijKmmCt1ku0yBvjDIoddBi6P9QSALVXnTGp+PinT5l4JFWGV77QxfiypDw= [email protected]"
git config --global gpg.format ssh

# Push and signing settings
git config --global commit.gpgSign true
git config --global tag.gpgSign true
git config --global tag.forceSignAnnotated true
git config --global push.default current
git config --global push.gpgSign if-asked

# Enable git commit verification
mkdir -p ~/.config/git
echo "heri16 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMYmjVIE8ERSgs7EEHbYwhCgMx1v0ijKmmCt1ku0yBvjDIoddBi6P9QSALVXnTGp+PinT5l4JFWGV77QxfiypDw= [email protected]" >> ~/.config/git/allowed_signers
git config --global gpg.ssh.allowedSignersFile ~/.config/git/allowed_signers
```
- Confirm that Secretive Agent is running: `ssh-add -l`. If not, restart your Terminal.
- Do a test commit. You should see `Good "git" signature for heri16 with ECDSA key SHA256:ZSJWE2tfNICQ92hpNZnfW7vihJB/ToZz5E1mil3GE10`:

```bash
touch test.md && git add test.md && git commit -S -m "test commit"
git log --show-signature
git reset --soft HEAD~1
```
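A pre-flight check for the configuration built up in the `.zshenv` and `.gitconfig` steps above, added here as an example and not part of the original gist: it verifies the `key::` prefix on `user.signingkey`, that the same key is listed in `allowed_signers` under the principal, and that `SSH_AUTH_SOCK` is the Secretive socket. The function names and the `--live` flag are my own.

```shell
#!/bin/bash
# Added example, not part of the original gist: pre-flight checks for the
# commit-signing setup. The functions take their inputs as arguments so they
# also run offline against constructed sample values.

# Given the user.signingkey value, require the "key::" prefix (without it git
# treats the value as a path to a key file) and return "<keytype> <blob>",
# dropping the trailing comment, so it can be compared with allowed_signers.
signing_key_blob() {
  case "$1" in
    key::*) ;;
    *) return 1 ;;
  esac
  set -- ${1#key::}            # word-split into keytype, blob, comment
  [ $# -ge 2 ] || return 1
  printf '%s %s\n' "$1" "$2"
}

# Return 0 when the allowed_signers file ($1) lists exactly this
# "<keytype> <blob>" ($3) under the given principal ($2); that pairing is what
# lets `git log --show-signature` report a Good signature for the principal.
allowed_signers_has() {
  awk -v p="$2" -v t="${3%% *}" -v b="${3#* }" \
      '$1 == p && $2 == t && $3 == b { found = 1 } END { exit !found }' "$1"
}

# Return 0 when the socket path passed in is the Secretive agent socket from
# the .zshenv step; any other agent would expose a different set of keys.
secretive_socket_ok() {
  [ "$1" = "$HOME/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/socket.ssh" ]
}

# Run against the live global git config: ./check-signing.sh --live
# (the gist uses user.name as the allowed_signers principal, so that is checked here)
if [ "${1:-}" = "--live" ]; then
  blob=$(signing_key_blob "$(git config --global user.signingkey)") \
    || { echo "user.signingkey lacks the key:: prefix"; exit 1; }
  allowed_signers_has "$(git config --global gpg.ssh.allowedSignersFile)" \
      "$(git config --global user.name)" "$blob" \
    || { echo "signing key is not in allowed_signers for $(git config --global user.name)"; exit 1; }
  secretive_socket_ok "${SSH_AUTH_SOCK:-}" \
    || { echo "SSH_AUTH_SOCK is not the Secretive socket"; exit 1; }
  echo "signing setup is consistent"
fi
```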
- Ensure that your future commits on GitHub show a green Verified badge.
- Retroactively sign your past commits:

```bash
git rebase -i --exec 'author=$(git show -s --format="%ae"); me=$(git config user.email); [ "$author" = "$me" ] && git commit --amend --no-edit -S || echo "Skip $author"' HEAD~N
```

Replace `N` with how many commits back you want to rebase (e.g., `HEAD~10` for the last 10 commits).
- Apply security hardening to the podman virtual machine:
  - Additional sandboxing to protect against container breakout and escapes: https://gist.github.com/heri16/60acf5b57518cd8518e62f1ce74f14a8
- Learn how to open a git repository within a Dev Container using your preferred IDE:
  - Guide for VSCode:
    - Start the VM in Terminal: `podman machine start`
    - Install the official Remote Development extensions for VSCode
    - Set Setting -> GitHub: Git Protocol to `ssh`
    - Remote-SSH: Connect to Host -> `podman-machine-default`
    - Dev Containers: Clone Repository in Container Volume -> select a repo with a `.devcontainer`
  - Guide for IntelliJ
Inspired by: