HachiCode

Appearance

SSH keys

SSH is one of three ways to authenticate to a git host. The other two are OAuth sign-in and HTTPS personal access tokens (PATs). Use SSH when you want a long-lived credential that doesn't expire, when you prefer the SSH transport, or when the host doesn't offer OAuth (most self-hosted Gitea instances, for example).

Each SSH credential is scoped to one host. If you push to GitHub and Gitea both, you'll have two SSH credentials in the list.

Generate or import?

Two flows are available from Settings → Authentication → Add credential → (pick a host) → SSH.

  • Generate — the app produces a fresh Ed25519 keypair on device. The private key never leaves the device; the public key is shown so you can copy it to your host.
  • Import — paste a private key you generated elsewhere (e.g. with ssh-keygen on a laptop). The app derives the matching public key from what you pasted. Supports OpenSSH format keys.

Generate is the right choice for a brand-new credential. Import makes sense when you want to use a key that already authorizes you on the host.

Where keys live

Private keys are stored in the iOS Keychain, scoped to the hachicode app. They are never written to the filesystem and are not included in iCloud backups. The app reads the private key only during a git operation (clone, push, fetch); the rest of the time it's untouched.

Public keys are stored alongside in the same Keychain entry. They're not sensitive, but keeping them together makes the credential self-contained.

Generating a key on device

  1. Settings → Authentication → Add credential
  2. Pick your host (GitHub, GitLab, Gitea, etc.)
  3. Choose SSH from the method tabs
  4. Choose Generate mode
  5. Fill in the Host (e.g. github.com) and Username (the SSH user — usually git for GitHub/GitLab/Gitea)
  6. Tap Generate keypair
  7. The public key appears below — tap Copy
  8. Tap Save

Now paste the copied public key into your host's SSH-keys page:

Importing an existing key

If you already have an SSH key that's authorized on your host (say, the ~/.ssh/id_ed25519 from a laptop), you can paste the private key into the import form instead of generating.

  1. Settings → Authentication → Add credential
  2. Pick your host, choose SSH
  3. Choose Import mode
  4. Paste the private key into the field (it starts with -----BEGIN OPENSSH PRIVATE KEY-----)
  5. If the key is passphrase-protected, the form will reveal a passphrase field — enter the passphrase
  6. The app derives the public key and shows it — sanity-check that it matches what your host has
  7. Fill in Host and Username, then Save

Passphrase note

If your key is encrypted, the app uses your passphrase to decrypt it once at save time and stores the unencrypted canonical form in the Keychain. This means clone / push / fetch never re-prompt for the passphrase. The original encrypted blob you pasted is discarded.

If you'd rather keep encryption at rest, your protection comes from iOS itself: the Keychain entry is device-bound, requires the device unlock, and isn't accessible to other apps.

Public key — viewing and copying later

The credential list under Settings → Authentication shows each SSH entry with a Show public key chevron. Tap to expand; tap Copy to put the public key on the clipboard. The information icon (ⓘ) opens a sheet with the key's algorithm, bit count, and both MD5 and SHA-256 fingerprints — useful when you need to match against what your host displays.

Updating a key

Tap the refresh icon (↻) next to a credential to open the editor. You can paste a new private key (replaces the old one), or update the username. Changing the host is not supported on an existing credential — delete and re-add for a different host.

Common failures

  • "Could not derive the public key from the pasted private key." The pasted text isn't a valid OpenSSH private key. Make sure you pasted the whole thing including the -----BEGIN/END----- lines and nothing else. RSA keys in PEM format work; older formats may not.
  • "That passphrase didn't decrypt the key — try again." The key parses but the passphrase is wrong. Note that some third-party tools generate passphrases with different case handling — copy-paste rather than retyping.
  • "Could not resolve SSH key from Keychain." The Keychain entry for this credential is missing or unreadable. This can happen if iOS migrated the device between major OS versions in a way that invalidated the entry. Fix: delete the credential and add it back.
  • Permission denied (publickey) during clone/push: the key is valid but your host doesn't know it. Verify the public key in the credential editor (or in the (ⓘ) info sheet) matches what's on the host's SSH-keys page.

See also

Last updated: