1password git commit signing broken after update to 24.11

I have just updated my system from 24.05 to 24.11 and it seems to have broken 1password ssh signing.

Im not sure if this is caused by a problem with polkit or with 1password itself. Here are my configurations related to polkit and 1password:

(system config)


  programs._1password = {
    enable = true;
  };
  programs._1password-gui = {
    enable = true;
    polkitPolicyOwners = [ "smc" ];
  };

  security.polkit.enable = true;

(home-manager)

  programs.git = {
    enable = true;
    userName = cfg.config.userName;
    userEmail = cfg.config.userEmail;

    extraConfig =
      {
        init.defaultBranch = "master";

        gpg.format = "ssh";

        gpg."ssh" = {
          program = "${lib.getExe' pkgs._1password-gui "op-ssh-sign"}";
        };
        commit = {
          gpgsign = true;
        };
        user.signingkey = "...";
      };
  };

 systemd = {
    user.services.polkit-gnome-authentication-agent-1 = {
      Unit = {
        Description = "polkit-gnome-authentication-agent-1";
        Wants = [ "graphical-session.target" ];
        After = [ "graphical-session-pre.target" ];
      };
      Service = {
        Type = "simple";
        ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
        Restart = "on-failure";
        KillMode = "mixed";

        RestartSec = 1;
        TimeoutStopSec = 10;
      };
      Install = {
        WantedBy = [ "graphical-session.target" ];
      };
    };
  };

After the update, git ssh singing now fails

┬─[smc@legion-smc:~/.dotfiles]─[14:54:26]─[master 9c41e44]
╰─>$ git commit -am "update nixos to 24.11"                                                                                                                                           
error: 1Password: failed to fill whole buffer

fatal: failed to write commit object

Has anyone else encountered this and figured out a solution?

If anyone else has this issue I have figured it out. the problem is with the rich approval prompt on wayland.

You can either disable it in the 1password gui settings (under developer options) to go straight to polkit, or run 1password as an x11 app.

In my hyprland config I had

  env = [
    "ELECTRON_OZONE_PLATFORM_HINT,auto"
  ];

This used to work, but it seems the newer version of 1password found in 24.11 broke the rich prompt under wayland. So I have updated my configuration to be

  env = [
    "ELECTRON_OZONE_PLATFORM_HINT,x11"
  ];

And now the 1password prompt works again.

Not sure if this is the best way to go about fixing it, I would prefer if I could just set the env for 1password instead of system wide.

1 Like

I overlayed the _1password-gui derivation to wrap the program to set this environment variable:

final: prev: {
  _1password-gui = prev._1password-gui.overrideAttrs (_old: {
    postFixup = ''
      wrapProgram $out/bin/1password --set ELECTRON_OZONE_PLATFORM_HINT x11
    '';
  });
}

This is a little inefficient because the derivation in nixpkgs already wraps the program, and this adds a second wrapper, but I think it’s fine for a temporary workaround.