Gitfox
🌙

SSH Signing: Couldn't Find Key in Agent

When you sign a commit with an SSH key, Gitfox may report:

Exit status 128: error: Couldn't find key in agent?

fatal: failed to write commit object

This means Git reached an SSH agent, but the agent could not provide the private key that matches the SSH public key configured for the commit. That public key can come from the selected Gitfox identity or from Git's repository or global configuration. A key can appear in Gitfox's signing key picker even when it is not loaded in the agent.

Why SSH configuration is not enough

This common configuration does not preload every private key from ~/.ssh:

Host *
    UseKeychain yes
    AddKeysToAgent yes

UseKeychain lets SSH use the macOS keychain for passphrases. AddKeysToAgent adds a private key after the ssh client loads that key for a host connection.

Commit signing uses ssh-keygen without connecting to a host, so it does not trigger these Host settings. The selected signing key must already be available through the agent used by Gitfox.

Check whether the agent has the key

First, identify the SSH public key Git is trying to use:

git config --show-origin --get user.signingkey

The command shows the configuration file and signing key value Git uses. If the value starts with key::, the public key follows that prefix. If it names a public key file, use the key stored in that file.

Then list every public key available through the current agent:

ssh-add -L

The configured key type and key data must appear in the output. The comment at the end may differ.

If the configured key has a matching .pub file in ~/.ssh, you can test that exact key, replacing the example filename with yours:

ssh-add -T ~/.ssh/id_ed25519.pub

No output means the agent can use the key. If the key is missing from the list or the test fails, load the matching private key:

ssh-add ~/.ssh/id_ed25519

To also store the key's passphrase in the macOS keychain, use this command instead:

ssh-add --apple-use-keychain ~/.ssh/id_ed25519

Run the test again, then retry the commit in Gitfox.

For persistent ssh-agent configuration, see SSH Remotes.

Use 1Password or another SSH agent

Unlock the agent and make sure it exposes the selected signing key.

For 1Password, follow 1Password's official SSH agent setup guide to enable Use the SSH Agent and configure its socket. To use the 1Password agent in the current Terminal session, run:

export SSH_AUTH_SOCK="$HOME/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"
ssh-add -L

The public key configured for the commit must appear in the output. For another custom agent, set SSH_AUTH_SOCK to the socket path from that agent's documentation before running ssh-add -L.

Make the same SSH_AUTH_SOCK value available in your login shell, then fully quit and reopen Gitfox so Gitfox and Terminal use the same agent. If the public key file changed after you created the Gitfox identity, remove and recreate the identity so its stored signing key is current.

SSH authentication and commit signing use the agent differently. A working fetch or push does not necessarily mean the signing key is available to Git's SSH signing process.

Never enter a private key in Gitfox's manual SSH signing key field. That field accepts public keys only.