webfactory / ssh-agent

GitHub Action to setup `ssh-agent` with a private key
MIT License

Multiple Deploy Keys within npm/node application failing to authenticate with Private Repos #72

Closed cbourdage closed 3 years ago

cbourdage commented 3 years ago

Hi there,

I'm trying to fetch multiple private repos as dependencies in GitHub Actions for a node/npm application. I'll be upfront, I'm not very knowledgeable on ssh keys and ssh authentication in general but I have done a lot of testing to try to debug where I'm going wrong. I'll outline steps I've taken and troubleshooting and results:

Steps taken so far:

  1. Generated key for Private Repo A using: `ssh-keygen -t ed25519 -a 100 -f ~/.ssh/keys/A` - this was generated without passphrase - I ran into that issue at first
  2. Copied value from A.pub into the A repo's Deploy Keys and then added the url in the comment field instead of the local identifier that was added to the comments during the keygen process. So the value was something along the lines of ssh-ed25510 *redacted* https://github.com/organization/A
  3. Copied value from A into a secret within Repo C for GitHub Actions and named it A_PRIVATE_KEY
  4. keygen the same way for B
  5. Copied value from B.pub into B Deploy Keys and then added url to comment field resulting in something like: ssh-ed25510 *redacted* https://github.com/organization/B
  6. Copied value from B into a secret within Repo C for GitHub Actions and named it B_PRIVATE_KEY
  7. Added both keys per the docs (see code example 1)
  8. GitHub Action does an `npm ci` but fails with "ERROR: Repository not found." which I assume is specifically failing to authenticate

Code Example 1

    - uses: webfactory/ssh-agent@v0.5.1
      with:
        ssh-private-key: |
          ${{ secrets.A_PRIVATE_KEY }}
          ${{ secrets.B_PRIVATE_KEY }}

Troubleshooting/debugging:

Code Example 2

    jobs:
      build:
        runs-on: ubuntu-latest
        steps:
        - uses: actions/checkout@v2
        - uses: webfactory/ssh-agent@v0.5.1
          with:
            ssh-private-key: |
              ${{ secrets.B_PRIVATE_KEY }}
              ${{ secrets.A_PRIVATE_KEY }}
        - name: Test Clone
          run: |
            git clone https://github.com/organization/A.git test-fc-http
            git clone git@github.com:organization/A.git test-fc-git
            git clone ssh://git@github.com/organization/A.git test-fc-git-ssh

I have been able to successfully install doing

    - uses: webfactory/ssh-agent@v0.5.1
      with:
        ssh-private-key: ${{ secrets.A_PRIVATE_KEY }}
    - name: Debugging with Git Clone 1
      run: git clone ssh://git@github.com/organization/A.git test-a-http

in other repositories but for some reason I am really struggling to get the multiple deploy key setup to work for the private github repositories using npm install.

I'm wondering if you might have any insight or steps that I can try out to try to get this to work on my end or point to how I've misconfigured the keys?

Thanks so much!

cbourdage commented 3 years ago

Have had a chance to make some progress but not a lot. I went ahead and tried regenerating keys using the -C instead of directly modifying the key's comments (per some findings on the internet saying it is okay). By modifying the key gen I was able to get to this point:

    Adding GitHub.com keys to /home/runner/.ssh/known_hosts
    Starting ssh-agent
    SSH_AUTH_SOCK=/tmp/ssh-wShbLB9slmUz/agent.1545
    SSH_AGENT_PID=1546
    Adding private key(s) to agent
    Identity added: (stdin) (https://github.com/org/A)
    Identity added: (stdin) (https://github.com/org/B)
    Key(s) added:
    256 SHA256:**redacted** https://github.com/org/A (ED25519)
    256 SHA256:**redacted** https://github.com/org/B (ED25519)
    Configuring deployment key(s)

I still find it strange that there is no output after the Configuring deployment key(s) per the code I see in main.

Doing a direct clone is failing:

    - name: Debugging with Git Clone 1
      run: git clone ssh://git@github.com/org/B.git test-b-http

I'm still trying and may try to use the fork but I'm not really loving that b/c if that gets closed down and is no longer available that leaves us in a tough situation.

Any help is much appreciated! Thanks!

cbourdage commented 3 years ago

Update number 3 on this. I was able to get this to work without any problems using the forked repo here: https://github.com/shaunco/ssh-agent/tree/git-repo-mapping

I have not looked into what the forked repo is doing to understand why that is working and this implementation isn't (or at least to understand the differences in implementation to understand how I was not properly generating the keys).

I still would love to avoid using the fork but I also have no clue what I was doing wrong when configuring the keys. For now, I'm leaving the fork implementation in play and any feedback I see here I will test and try again and see if I can get it to work without using the forked repo.

abustany commented 3 years ago

Could it be because of https://github.com/webfactory/ssh-agent/commit/4681241867865c064d220082c7b6cbe128c16171 and because your repos have some non-lowercase letters in their name? I just got bitten by this :-/

@mpdude any chance we could cut a new release? :pray:

cbourdage commented 3 years ago

oooh, yes, that very well could be it! I could've sworn I saw case-insensitivity on the check when I looked into the code...

But now that I look further it does appear that the case insensitivity check exists in main but to your point about a release it may not exist in the release I'm using!

abustany commented 3 years ago

A workaround in the meanwhile is using the current master commit SHA as a "release" (after the @) in your workflow file.

mpdude commented 3 years ago

Sorry for taking so long to respond, I've been on vacation.

@cbourdage You've done a great job with your comprehensive bug description and the steps you've taken.

I haven't worked through all this for now, but I suspect that the case-insensitivity fix probably fixes the issue.

I have just released v0.5.2 of this action including that fix, so make sure to update your workflow file and try again. If it works, feel free to close this issue.

Thanks!
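The case-sensitivity problem discussed above, as an added example that is not the action's own code: a small Node.js check that reads `ssh-add -L`-style lines and reports which key comments name a GitHub repository, with a lowercase-only pattern beside a case-insensitive one. The pattern, the function names and the sample keys are assumptions constructed for illustration.

```javascript
// Added example, not the action's code. ASSUMPTION: a key is treated as a
// deploy key when its comment contains github.com/<owner>/<repo> or
// github.com:<owner>/<repo>; the pattern below is constructed for this sketch.
const STRICT = /\bgithub\.com[:/]([_.a-z0-9-]+\/[_.a-z0-9-]+)/; // lowercase only
const RELAXED = new RegExp(STRICT.source, "i"); // case-insensitive variant

// Split one `ssh-add -L` line: "<type> <base64> <comment...>".
function parseKeyLine(line) {
  const [type, blob, ...rest] = line.trim().split(/\s+/);
  return { type, blob, comment: rest.join(" ") };
}

// Return "owner/repo" for a key comment, or null if no repository is found.
function repoFromComment(comment, pattern = RELAXED) {
  const m = pattern.exec(comment);
  return m ? m[1].replace(/\.git$/i, "") : null;
}

// Map every listed key to the repository its comment names (or null).
function checkKeys(sshAddOutput, pattern = RELAXED) {
  return sshAddOutput
    .split("\n")
    .filter((line) => line.trim() !== "")
    .map((line) => {
      const { comment } = parseKeyLine(line);
      return { comment, repo: repoFromComment(comment, pattern) };
    });
}

// Constructed sample input: placeholder blobs, not real keys.
const SAMPLE = [
  "ssh-ed25519 AAAAC3constructedA https://github.com/org/a",
  "ssh-ed25519 AAAAC3constructedB git@github.com:MyOrg/RepoB.git",
  "ssh-ed25519 AAAAC3constructedC runner@laptop",
  "ssh-ed25519 AAAAC3constructedD", // key with an empty comment
].join("\n");

for (const [label, pattern] of [["strict", STRICT], ["relaxed", RELAXED]]) {
  for (const { comment, repo } of checkKeys(SAMPLE, pattern)) {
    console.log(`${label}: '${comment}' -> ${repo ?? "not a deploy key comment"}`);
  }
}
```
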

abustany commented 3 years ago

Nice, thanks for the release :)

mpdude commented 3 years ago

@cbourdage It seems you made a detour to get the key comments right. If you have an idea how the README file could be improved (so it would have saved you the hassle), feel free to open a PR for it!

cerupcat commented 3 years ago

I'm not sure if I should create a separate issue, but I'm running into the same issue (using v0.5.2). My repos do use Capitals in the name.

I put in key comments and the printout shows:

    Adding GitHub.com keys to /Users/runner/.ssh/known_hosts
    Starting ssh-agent
    SSH_AUTH_SOCK=<location>
    SSH_AGENT_PID=<id>
    Adding private key(s) to agent
    Identity added: (stdin) (github.com/<OrgName>/<RepoName1>.git)
    Identity added: (stdin) (github.com/<OrgName>/<RepoName2>.git)
    Key(s) added:
    256 SHA256:<redacted> github.com/<OrgName>/<RepoName1>.git (ED25519)
    256 SHA256:<redacted> github.com/<OrgName>/<RepoName2>.git(ED25519)
    Configuring deployment key(s)
    Added deploy-key mapping: Use identity '/Users/runner/.ssh/key-<redacted>' for GitHub repository <OrgName>/<RepoName1>
    Added deploy-key mapping: Use identity '/Users/runner/.ssh/key-<redacted>' for GitHub repository <OrgName>/<RepoName2>
    Comment for key '' does not match GitHub URL pattern. Not treating it as a GitHub deploy key.

Cloning the first repo works, but cloning the second fails.

mpdude commented 3 years ago

@cerupcat

First, I noticed that in

    256 SHA256:<redacted> github.com/<OrgName>/<RepoName1>.git (ED25519)
    256 SHA256:<redacted> github.com/<OrgName>/<RepoName2>.git(ED25519)

... the second key has no space before the (ED25519) part. Did that happen when you redacted names, or is it really printed like this? Not sure if it is of any significance, but at least we should rule this out.

Then, you did not mention how you tried to clone the repos: Was that a direct git clone attempt, or something wrapped by a package manager or so?

Can you run direct clones as with

    - name: Test Clone
      run: |
        git clone https://github.com/organization/A.git test-fc-http
        git clone git@github.com:organization/A.git test-fc-git
        git clone ssh://git@github.com/organization/A.git test-fc-git-ssh

Also, set the environment variable GIT_SSH_COMMAND="ssh -v", so we get more details what SSH is doing.

cbourdage commented 3 years ago

Thanks for the update here. I will give this a try here when I can find some time in the next week! I really appreciate the help!

cerupcat commented 3 years ago

@mpdude The first issue (missing space) is just a typo when I posted here. Apologies for that.

It does appear that cloning does work, but it fails since I am using a package manager (Swift Package Manager). Cloning directly succeeds, but cloning via Swift Package Manager fails when using multiple keys. If I use only 1 key, everything works.

I have the same issue whether I'm using the latest version or using the repo-mapping version here: https://github.com/shaunco/ssh-agent/tree/git-repo-mapping

Let me know if I should open a new issue for this particular package manager. For now, to unblock myself, I decided to use a single account SSH key instead of deploy keys.

mpdude commented 3 years ago

@cerupcat that definitely sounds like being related to the Swift package manager. Please open a dedicated issue for it.

As a side note, see the README for a special config setting required for Rust. This article https://support.circleci.com/hc/en-us/articles/360044709573-Swift-Package-Manager-fails-to-clone-from-private-Git-repositories sounds similar, but for Swift?

If you open the new issue and manage to solve the problem, it would be great to have an addition to our README so other Swift users know what to do. 

mpdude commented 3 years ago

@cerupcat also see https://stackoverflow.com/questions/47842479/how-to-use-swift-package-manager-with-private-repos

cerupcat commented 3 years ago

Thanks! I'll give these a try and open an issue if they appear to be unrelated.

mpdude commented 3 years ago

@cerupcat for Swift, see #73

mpdude commented 3 years ago

@cbourdage have you been able to resolve this?

cerupcat commented 3 years ago

Apologies. I've had some other things come up so haven't had a chance to confirm yet. Really hoping to get to this soon (likely tomorrow).

mpdude commented 3 years ago

Closing for the time being