SSH key pair · Issue #4 · renovatebot/renovate

Closed

Description

@rarkins
Collaborator

We use an SSH key pair to support git operations. Here are some ways this can be done:

  1. Manually add public key (where script will run) to GitHub account (e.g. id_rsa.pub)
  2. Generate dedicated keypair for this script and add that manually to GitHub
  3. Script generates SSH keypair and adds it to GitHub using API - if not already present due to previous run

Activity

rarkins commented on Dec 18, 2016

I quite like option 3 because it means one less manual step using the GitHub web interface. i.e. user only needs to generate access token for designated bot account and not also mess with SSH keys if they're not familiar with them.

This would work well for most environments, e.g. the script could look for `~/.ssh/id_rsa.pub` and upload that via GitHub API the first run.

We could perhaps make it fail gracefully or with non-error warning message if the user doesn't want to grant key read/write permissions for the API. In a way then option 1 would be backwards compatible with option 3.

AWS lambda doesn't have the concept of a full user directory with .ssh directory, but it could pull the key pair from a secure S3 prior to run.

rarkins commented on Dec 18, 2016

Conclusion:

  1. Assume we will use ~/.ssh/id_rsa for now and users will manually add that public key to GitHub
  2. Add functionality later to attempt adding public key automatically using API

Leaving this issue open for part 2

rarkins commented on Dec 18, 2016

I realised a problem just now. I was attempting to add my public key (id_rsa.pub) to a bot account I'd set up, but GitHub gives me this error message:
[image: screenshot of the GitHub error message]

i.e. public keys are used to identify GitHub users, so you can't add it to more than one GitHub account.

This makes me more inclined to generate a custom key pair just for this tool/bot, to avoid any such conflict.

rarkins commented on Dec 18, 2016

In theory it would be possible to generate a temporary key pair every run, then add it to the GitHub account, then remove it at the end.

One problem of course would be if the program crashes and doesn't remove the key, but GitHub's API lets you give a "title" to each key so we could name it renovate for example and have a first step that deletes it if found.

A second problem might be latency - e.g. does it work instantly once you add it via API, or is there a delay until it's active? This needs to be tested as it would be a problem for the first run of the script regardless.

rarkins commented on Dec 18, 2016

In that case, the logic would be approximately:

  1. Delete "renovate" key if exists
  2. Generate temporary key pair
  3. Add temporary public key via GitHub API, with title "renovate"
  4. [Rest of script]
  5. Delete renovate key
locked as resolved and limited conversation to collaborators on Dec 16, 2020