How to run step ssh on MacOS when also using GPG

[pizzasaurusrex]

This might have a better home as a knowledge base article

[thehedgefrog]

Setting up step ssh on macOS when also using gpg-agent for SSH

This assumes you are using step ssh while you also need to use a hardware-backed GPG key (such as a Yubikey) to derive an SSH key and are using gpg-agent. In my case, this derived SSH key is used for GitHub and Gitea access.

For gpg-agent to work as expected with SSH, you probably have these lines or their equivalent in your ~/.zshrc file:

export GPG_TTY="$(tty)"
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
gpgconf --launch gpg-agent

The effect of those lines will be to disable your ssh-agent, which is required for step ssh to work as expected.

You have two possible solutions:

1. You can use a different SSH key, such as using a FIDO2 SSH key, which will not use gpg-agent at all. Since OpenSSH v8.2, you can follow this guide and your SSH key will be decoupled from SSH. Crucially, this does not impede your ability to sign commits using gpg with a hardware device. For this to work on macOS, you will need to install the latest version of OpenSSH: brew install openssh

2. You can also use the excellent iTerm2 and simply create a second profile. You will need to login to step ssh every time you launch the profile as the ssh-agent is killed when you exit the terminal window. To that effect, create a profile and in the Send text at start box, add:

eval `ssh-agent` && step ssh login

Note: If you already have gpg-agent configured when you install step ssh, you might need to run step ssh config --force after logging in for the setup to complete successfully.