Open guilhermebodin opened 2 years ago
I'm certainly open to updating https://github.com/GunnarFarneback/LocalRegistry.jl/blob/master/docs/ssh_keys.md with new advice, but first it's necessary to research the intersection of what Julia's versions of libgit2 and libssh2 provide and GitHub accepts. Some hints are given in this section of GitHub's blog post:

> libgit2 and other Git clients
>
> If you’re using libgit2 or another piece of code using libssh2, we recommend you use libssh2 1.9.0 or newer and an ECDSA key, since it does not yet support RSA with SHA-2. Similarly, the Go SSH client also doesn’t yet support RSA with SHA-2, so we recommend using an Ed25519 key there.
This issue has some information about workarounds, https://github.com/JuliaLang/Pkg.jl/issues/3030. Using the julia 1.7 with ed25519 and the ENV variable to use your own git works and setting some .git-credentials also works.
If you are on Julia 1.7+ I strongly recommend following https://github.com/GunnarFarneback/LocalRegistry.jl/blob/master/docs/ssh_keys.md#2-using-an-external-git-binary-with-julias-package-manager
For Julia 1.6 I don't think there is any kind of key that both works with Julia and is accepted by GitHub. Yes, libssh2 1.9 has support for ECDSA keys, but only if you build with openssl as crypto backend, which Julia doesn't.
For libssh2 1.10 (used by Julia 1.8), ECDSA is supported also with the mbedtls crypto backend, which Julia does use, but only if you tell the libssh2 build that you use an mbedtls built with ECDSA support and, presumably, also that you did build mbedtls with ECDSA support. As far as I can tell Julia does neither. This is available in Julia 1.8.0-beta1 and later. You may want to set `SSH_KEY_PATH` to point to your ECDSA key.
What should be added to GH Actions like https://github.com/julia-actions/add-julia-registry or https://github.com/julia-actions/julia-runtest to support this?
Hopefully somebody else knows. GH Actions are far outside my competence.
By coincidence, I tried to use an ECDSA key (which is my default) with LocalRegistry and it worked fine, so I think this can be changed now. At least my gitea did not complain and it just worked :) I guess the SSH key generation recommendation can be changed to this:
```
ssh-keygen -t ed25519
```

You may want to explicitly specify `-m PEM` at your discretion, I think.
LocalRegistry uses command line git for its operations and is thus insensitive to what does or does not work with libgit2. The question here is what works when Pkg tries to reach a registry or a package which requires an ssh key. But yes, Julia 1.8 ought to work better and maybe something has been backported to 1.6 or 1.7.
As I said, I haven't encountered problems with those sorts of keys. All git ssh access to that server is gated behind that key, which I've added to my ssh-agent. I can see what happens when I don't explicitly add it to my agent, but I think in that case I get asked for a key location/unlock password for the key.
If you are using `ssh-agent`, then keys are handled by the agent instead of by Julia's `libgit2`/`libssh2` combination. If someone wants to provide documentation on how to use `ssh-agent` I'm happy to add that, but it's a different question from what keys are understood directly.
Understood - then I'll test with the `ssh-agent` disabled and see how it goes.
Maybe this is a bit late. But it's similar to what is discussed above, and maybe it'll be helpful to someone else since I spent a few hours on this.
I wanted to use LocalRegistry and private GitHub tokens. I managed to get it to work with `gh` cli.
```yaml
- uses: julia-actions/setup-julia@v2
- env:
    # Assumes the token is stored as a repository secret named GH_TOKEN
    TOKEN: ${{ secrets.GH_TOKEN }}
  run: |
    echo "$TOKEN" | gh auth login --with-token
    gh auth setup-git
    julia -e 'using Pkg; pkg"add LocalRegistry"'
# ....
```
Hi @GunnarFarneback, recently GitHub dropped the support for new RSA SSH keys: https://github.blog/2021-09-01-improving-git-protocol-security-github/
How could we change this part, "Set Up Persistent git ssh Authentication that Julia Recognizes", of the tutorial to manage private registries?
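
Several replies in this thread depend on which key type (RSA, ECDSA, Ed25519) a given key file actually holds. As an added example (not part of the thread and not LocalRegistry.jl code), this Python code reads the type from an OpenSSH public-key line by decoding its wire-format blob and rejects a line whose declared type does not match the blob. The function names are hypothetical and the sample lines are constructed from made-up bytes, not real keys.

```python
import base64
import struct

def _read_string(blob, offset):
    """Read one SSH wire-format string: 4-byte big-endian length, then the bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated field")
    return blob[offset + 4:end], end

def describe_public_key(line):
    """Return (algorithm, detail) for one '<algorithm> <base64> [comment]' line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<algorithm> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    name, pos = _read_string(blob, 0)
    algorithm = name.decode("ascii")
    if algorithm != fields[0]:
        raise ValueError("declared type does not match key blob")
    if algorithm == "ssh-rsa":
        _exponent, pos = _read_string(blob, pos)
        modulus, pos = _read_string(blob, pos)
        return algorithm, f"{int.from_bytes(modulus, 'big').bit_length()}-bit modulus"
    if algorithm.startswith("ecdsa-sha2-"):
        curve, pos = _read_string(blob, pos)
        return algorithm, curve.decode("ascii")
    if algorithm == "ssh-ed25519":
        key, pos = _read_string(blob, pos)
        return algorithm, f"{len(key) * 8}-bit key"
    return algorithm, "unrecognised type"

def _constructed_line(algorithm, *fields):
    """Build a structurally valid sample line from made-up key material."""
    parts = (algorithm.encode("ascii"),) + fields
    blob = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return f"{algorithm} {base64.b64encode(blob).decode()} constructed@example"

# Constructed samples: correct layout, meaningless key bytes.
SAMPLE_ED25519 = _constructed_line("ssh-ed25519", bytes(32))
SAMPLE_ECDSA = _constructed_line("ecdsa-sha2-nistp256", b"nistp256", b"\x04" + bytes(64))
SAMPLE_RSA = _constructed_line("ssh-rsa", b"\x01\x00\x01", b"\x00\x80" + bytes(255))

if __name__ == "__main__":
    for sample in (SAMPLE_ED25519, SAMPLE_ECDSA, SAMPLE_RSA):
        print(describe_public_key(sample))
```

To check a real key, pass the single line from the corresponding `.pub` file to `describe_public_key`.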