Question relating to GPG keys

[ghost]

Hey, I have setup GPG keys for renovate encryption and github signed commits.

Config following:

• name: RENOVATE_PRIVATE_KEY valueFrom: secretKeyRef: name: renovate-env key: renovate-encryption-key
• name: RENOVATE_GIT_PRIVATE_KEY valueFrom: secretKeyRef: name: renovate-env key: renovate-git-private-key

These values are fetched from kubernetes secrets and stored there as full output that gpg armor command outputs (instructions here: https://docs.renovatebot.com/self-hosted-configuration/ gpg --export-secret-keys --armor 92066A17F0D1707B4E96863955FEF5171C45FAE5 > private.key

private.key file is then processed to make single line so, ----BEGIN RSA PRIVATE KEY----- ..... -----END RSA PRIVATE KEY----- base64 encoded and then sealed to secrets.

But now get following error:

Error:

Get this error from renovate: WARN: gitPrivateKey: error importing (repository=ABC/renovate-encryption-ui, branch=renovate-aws-actions-configure-aws-credentials-2.x) "err": { "cmd": "/bin/sh -c gpg --import /tmp/git-private.key", "stderr": "gpg: no valid OpenPGP data found.\ngpg: Total number processed: 0\n", "stdout": "", "options": { "cwd": "/tmp/renovate/github/SharperShape/renovate-encryption-ui", "encoding": "utf-8", "env": { "HOME": "/home/ubuntu", "PATH": "/home/ubuntu/.cargo/bin:/home/ubuntu/.local/bin:/go/bin:/opt/buildpack/tools/python/3.11.2/bin:/home/ubuntu/.npm-global/bin:/home/ubuntu/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "LC_ALL": "C.UTF-8", "LANG": "C.UTF-8", "BUILDPACK_CACHE_DIR": "/tmp/renovate/containerbase", "CONTAINERBASE_CACHE_DIR": "/tmp/renovate/containerbase" }, "maxBuffer": 10485760, "timeout": 900000 }, "exitCode": 2, "name": "ExecError", "message": "Command failed: gpg --import /tmp/git-private.key\ngpg: no valid OpenPGP data found.\ngpg: Total number processed: 0\n", "stack": "ExecError: Command failed: gpg --import /tmp/git-private.key\ngpg: no valid OpenPGP data found.\ngpg: Total number processed: 0\n\n at ChildProcess. (/usr/src/app/node_modules/renovate/dist/util/exec/common.js:87:24)\n at ChildProcess.emit (node:events:525:35)\n at ChildProcess.emit (node:domain:489:12)\n at ChildProcess._handle.onexit (node:internal/child_process:291:12)"

Is there some problem with this approach?

[rarkins]

If you're using GitHub, skip the GPG key and instead configure platformCommit=true and it will get automatic signing without a need for a key

[ghost]

Ok. Thanks I will configure that.

[ghost]

That worked 👍 What about GPG keys for encrypting config.js, i need to allow renovate to access different private repositories at ECR and another places. Seems to have decryption error also when decrypting GPG encrypted passwords with renovate encryption ui, that I have now selfhosted and use GPG keys at that side?

[ghost]

Says validateError: "Failed decrypt field password. Please re-encrypt and try again" at encryption ui side i setup organization as GitHub organization and raw value only no repo name. 🤔

[rarkins]

Your questions contain <50% of the information required to help you. Please take more time to think through your questions and describe them in detail

[ghost]

Yes. More information.

I created GPG key 4096 without passphrase protection for encryption, exported private key for pod configs, which is inputed thru env variables to pod. Also exported the public key which is stored into renovate web ui for encryption purposes. So now when encrypting password by using encryption web ui and input this into configmap by using encrypted block I get that error, when renovate pod tries to decrypt that.

[ghost]

So this is the page that I have downloaded, hosted locally and inserted public key into this https://app.renovatebot.com/encrypt

Then encrypted values by inserting Organization and Raw value and copy then encrypted value into encrypted block like this:

encrypted: { password: }

But execution from pod gives this:

ERROR: renovateRepository error (repository=SharperShape/base-images) 2023-04-07T00:38:04+03:00 "err": { 2023-04-07T00:38:04+03:00 "validationError": "Failed to decrypt field password. Please re-encrypt and try again.", 2023-04-07T00:38:04+03:00 "message": "config-validation", 2023-04-07T00:38:04+03:00 "stack": "Error: config-validation\n at decryptConfig (/usr/src/app/node_modules/renovate/dist/config/decrypt.js:163:39)\n at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n at async decryptConfig (/usr/src/app/node_modules/renovate/dist/config/decrypt.js:204:47)\n at async q (/usr/src/app/src/server.js:1:44697)\n at async startWorker (/usr/src/app/src/server.js:1:45949)" 2023-04-07T00:38:04+03:00 }

[rarkins]

First question is: why do you need to put secrets in your renovate.json anyway? Can't you add these secrets to your config.js or via environment variables and avoid needing to encrypt/decrypt?

[ghost]

Yes. I mean, i put secrets into config.js, which is embed into configmap. Not into renovate.json.

[rarkins]

If they are in config.js on the "server side" then they should not be encrypted - just put the secrets direct. This encryption approach is only for when you need to commit them to a repo config.

[ghost]

Ok. But is it possible introduce private registeries to Renoate else way that config.js. Here is the config that I would like to set, so introduce private ECR registry for Renovate. It is possible to set this else were?

apiVersion: v1 kind: ConfigMap metadata: name: renovate-config-js namespace: renovate labels: app.kubernetes.io/name: renovate app.kubernetes.io/instance: renovate data:

Passwords can be encrypted here: https://app.renovatebot.com/encrypt

config.js: |- { module.exports = { hostRules: [ { matchHost: "https://.ecr.us-west-2.amazonaws.com/", username: "renovate-container-user", encrypted: { password: "wcFMA/VvxyzJuvgsAQ//SAGQKM7+OlMDl4KYxvj4+UTZOS4LGsHCo8UsIDis1oah1Z/sRo81EK7TV2fROYZ90n8SKN0mK6iuP+5aKnJNHj5D9fM5+YWu0th9xFhj2c4AQdyhWipCCgdN1O89UVHoXT0o/d31QH59jK95Utmughxm0PjC1KGiU2uUGcyYJGp3gM28XziDzmmpHbzz8wyQw2qq09ZaqoDE69NIllAzwhqrI1DL/pgC82ueqAndjDF7/0ae8KLXIvTLMoNddrTamN+FnOAUkkpxgajzMYWgm2Irg1IaZ4p9Ggld7V6sioboXeaGMQYQKHQJHLOuB7B4Jm4ztewBZE9VwQEGRS+l+nLXuJRDrfb6HQTbSKO/EaVwrkAzINe8G+yBJ+bgnkpqwCXUc0pUXN2CqE/Ii+X8jZZvn7Fb8ftbTO20ADSsxhNP8dYb4kp3vstfxi88plvOaHB++ancHryYQJ+EXBTQoMKmCMN6Ab7bq3S4PDoOKTElpvW4AA/Ep6j/+5MyJuv9c6FzIbkBOLbwXFWOweT/1oTlDLLxY7jbTBNnHXwajtYUXlmYUwalpyHwBumxDAmCf7WuHbrJ5xrL++jbGMSYNi3ctImY8fBEIRqMnVlC4NtmVKi4rRABz1M7blb9aLxJeI/uJCcDZnXpctdjVetW5U3md6Dv3gaVGgGLS2fI15fSYwHGVHSp9jtoD4+ym2nM9oNiUSrAA25AaN2xOH8EeLtW9GHvxLoG52Bq/Dh0LiywwVH2ifTCrtLjPjyvmZEKGJsxHifzKO6qL75PkhovaePCy6fsyENy1KIQ1y2+h4Aqlcpb9g" } } ]} }

But when using this approach I get that error that tells me that GPG encyption/decryption not working some reason.

[rarkins]

Don't encrypt in config.js

[ghost]

Aah ok, thanks. So renovate.json then. Is there any global option for introducing private registeries else ways? Just wondering have to add this quite many places, but maybe this is ok still 🤔

[ghost]

Ok. Just transferred these to renovate.json, so

Get this error from pod: INFO: Repository has invalid config (repository=ABC/image-configuration) "error": { "validationError": "Failed to decrypt field password. Please re-encrypt and try again.", "message": "config-validation", "stack": "Error: config-validation\n at decryptConfig (/usr/src/app/node_modules/renovate/dist/config/decrypt.js:163:39)\n at async decryptConfig (/usr/src/app/node_modules/renovate/dist/config/decrypt.js:204:47)\n at async mergeRenovateConfig (/usr/src/app/node_modules/renovate/dist/workers/repository/init/merge.js:212:29)\n at async getRepoConfig (/usr/src/app/node_modules/renovate/dist/workers/repository/init/config.js:11:14)\n at async initRepo (/usr/src/app/node_modules/renovate/dist/workers/repository/init/index.js:34:14)\n at async Object.renovateRepository (/usr/src/app/node_modules/renovate/dist/workers/repository/index.js:45:18)\n at async q (/usr/src/app/src/server.js:1:44834)\n at async startWorker (/usr/src/app/src/server.js:1:45949)" }

renovate.json looks like following:

{ "$schema": "https://docs.renovatebot.com/renovate-schema.json", "extends": [ "config:base" ], "branchPrefix": "renovate-", "rangeStrategy": "pin", "packageRules": [ { "matchUpdateTypes": ["digest"] } ], "hostRules": [ { "matchHost": "https://.dkr.ecr.us-west-2.amazonaws.com/", "username": "renovate-user", "encrypted": { "password": "wcFMA/VvxyzJuvgsAQ/6A8rcoAP4v8bQ2vXmIbRcRR1azo61n3RmdUjyh1CsDMpDgW5C4YDpWjdVlqNSAyqUaZ00CoP26VScuVdU28V+5WFeN+nJ+XL/YcmE8SiWdb/THi2Z0rH7AZ7okwhjcs47DAr6QdOrtmF7OdoZWJrlTMYzSMV/5FZBz6WbVjOz5I9Gsw73tNOER3gB4HlXyJ2CC0x8fP5k0XpJzavI6g2HX9w3VZ9C8l9daBiWI+Y0AvO2PDvApiUF1VXRPxLoPbarzygWeeaMl547Bc/9o+484E9qaC7FOP1iZIdCffhW6HYfTbSsf0tT186p5dAi1qnqsxnOI3MS79GL+SBCy6ZUo9r7ZUBfeuZarYGbR7MOdNwU8cWvSKR9+8tlJ0IhVBXEC4F7zmZuBw9K1ykXCGXw8EoXePArnOHHoj6e4FxZqWnR8S46kjpYJG/5LzkE1nGUX6AYCWkyngECA7atY5cyoqkv+FBWMg/kRYAFC6EMoLDztBxkyB0GCvikzF1ogszrhxJcm0L3kCc6HVukj9/h2UFpqsq++QvXEH4vfwjLwMiwZ1DjmJanGrifMnkmCjAZNWV9P0wtdXY8EJOvqsGdb9EMqlOP/33elih7flzds9vhsms0itOGLd/0ulWmRTw/uAz/pppkoNMt/qcYfDivEqk6upVTLqW6ULsgQkR/4u7SXwEExJVlSezqYzR5k5i/XSUiYJCH5THt7q50RvblNK+M6jjn0wYHy5E+Ec7NQgK7H2JEpONPi/bXT81ROa7usciBbwUqMrVVVFsFomWLYlTjPRrCvxGxKB9q5RdA2X2x" } } ] }

And, deployment.yaml contains:

• name: RENOVATE_PRIVATE_KEY valueFrom: secretKeyRef: name: renovate-env key: renovate-encryption-key

Also double check keys and those are ok. So maybe some problem with the keys then, also set this private key directly from value, so not used secrets and same thing.

[ghost]

Storing that private key into secrets, raises up questions do I have to remove all whitespaces and new lines from private GPG key? Or does it matter. Keys I have created thru renovate whitesource instructions.

[ghost]

Any solutions for this encryption problem? Get decryption not working error still.

[ghost]

Back comments for this. Instructions introduces to set RENOVATE_PRIVATE_KEY without \n newline feeds so remove those, but not sure about spaces?

Should these be removed also?

[ghost]

Tested also without spaces, no luck. Have to take another approach for releasing, this clearly not seems to work unfortenatelly. 😞