git commit in VSCode Remote SSH on the mac mini:

No private key found for public key `/Users/nyan/.ssh/github_signing.pub`

git is configured with gpg.format=ssh and commit.gpgsign=true. it needs the matching private key in the ssh-agent via SSH_AUTH_SOCK. the socket was set in .zshrc:

export SSH_AUTH_SOCK=$(launchctl getenv SSH_AUTH_SOCK)

this works perfectly in the terminal. every local shell gets the macOS-managed agent socket path.

what VSCode does differently

VSCode Remote SSH connects over SSH → sshd → starts a shell → launches the remote server. that shell runs .zshrc, hits launchctl getenv SSH_AUTH_SOCK, and gets… nothing.

launchctl getenv queries the GUI login session’s environment. SSH sessions aren’t in the GUI login session. they’re spawned by sshd, which runs outside the Aqua domain. so launchctl getenv returns empty, SSH_AUTH_SOCK is unset, and git can’t find the signing key.

first wrong diagnosis: thought it was a stale socket path from a previous boot. moved the export to .zshenv (which runs earlier). same result — launchctl getenv itself doesn’t work in this context.

the actual problem

macOS ssh-agent creates a new socket path on every boot:

/private/tmp/com.apple.launchd.XXXXXXXX/Listeners

that XXXXXXXX is random. the only way to discover it is launchctl getenv SSH_AUTH_SOCK, which only works in the GUI session. SSH sessions have no way to find the socket.

the fix is a symlink at a stable path that always points at the current socket:

~/.ssh/agent.sock → /private/tmp/com.apple.launchd.XXXXXXXX/Listeners

a script runs at login (as part of the existing key-loading flow), finds the current socket, and updates the symlink:

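REAL_SOCK=$(launchctl getenv SSH_AUTH_SOCK)
# only repoint the symlink when launchctl returned a live socket (it is empty outside the GUI session)
[ -S "$REAL_SOCK" ] && ln -sf "$REAL_SOCK" ~/.ssh/agent.sock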

then .zshenv prefers the symlink:

if [ -S "$HOME/.ssh/agent.sock" ]; then
    export SSH_AUTH_SOCK="$HOME/.ssh/agent.sock"
elif command -v launchctl &>/dev/null; then
    export SSH_AUTH_SOCK=$(launchctl getenv SSH_AUTH_SOCK)
fi

local shells still work (symlink points to the right place). SSH sessions work (symlink is a stable path that doesn’t need launchctl). VSCode Remote SSH gets a valid SSH_AUTH_SOCK, finds the signing key in the agent, git commits succeed.
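
a stricter version of the .zshenv check, as an added example (not code from the original post): `-S` only proves the symlink resolves to a socket, so this also requires the socket to be owned by you, and adds a way to confirm the signing key is actually in the agent. the function names are made up for illustration.

```sh
# Added example; valid_agent_sock, pick_agent_sock and key_in_listing are
# hypothetical helper names, not part of git, ssh or macOS.

# True only if $1 resolves (through symlinks) to a socket owned by this user.
# A dangling symlink left over from the previous boot fails the -S test.
valid_agent_sock() {
    [ -n "$1" ] && [ -S "$1" ] && [ -O "$1" ]
}

# Print the first valid candidate socket path; return 1 if none qualifies.
pick_agent_sock() {
    for _cand in "$@"; do
        if valid_agent_sock "$_cand"; then
            printf '%s\n' "$_cand"
            return 0
        fi
    done
    return 1
}

# True if the key blob (field 2) of public key file $1 appears in an
# `ssh-add -L` style listing read from stdin.
key_in_listing() {
    _want=$(awk 'NR == 1 { print $2 }' "$1") || return 1
    [ -n "$_want" ] || return 1
    awk -v want="$_want" '$2 == want { found = 1 } END { exit !found }'
}

# .zshenv usage: try the stable symlink first, then launchctl (empty over SSH).
#   if sock=$(pick_agent_sock "$HOME/.ssh/agent.sock" \
#             "$(launchctl getenv SSH_AUTH_SOCK 2>/dev/null)"); then
#       export SSH_AUTH_SOCK="$sock"
#   fi
#
# one-off diagnostic for the "No private key found" error:
#   ssh-add -L | key_in_listing "$HOME/.ssh/github_signing.pub" \
#       || echo "signing key is not loaded in the agent" >&2
```

if the diagnostic fails while the socket is valid, the agent is reachable but the key was never added, which is a key-loading problem and not a socket problem.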

the lesson

launchctl getenv is a GUI login session API masquerading as a general-purpose environment query. nothing about the command name or man page suggests this limitation. if your macOS automation works in Terminal but fails over SSH, check whether you’re depending on launchctl getenv — because SSH sessions can’t see it. ≽^•⩊•^≼