I wish to create an environment file, not a "variable", and get a path to it in the TravisCI pipeline.
Attached is an image of how we do the same in GitLab.
I need to store secrets in a file and refer to it via a path in the TravisCI pipeline.
Ex: this is how we can do the same in Jenkins:
"KUBECONFIG=/var/lib/jenkins/.kube/filename"
I am not willing to upload my secrets file to a GitHub private repo.
The encrypt-file command encrypts an entire file using symmetric (AES-256) encryption and stores the result in a file. Let us create a file called secret.txt and add the following entries to it:

SECRET_VALUE=ABCDE12345
CLIENT_ID=rocky123
CLIENT_SECRET=abc222222!

After creating the secret.txt file, run:

travis encrypt-file secret.txt

It stores the result as secret.txt.enc and also prints: "add the following to your build script (before_install stage in your .travis.yml, for instance):"

- openssl aes-256-cbc -K $encrypted_74945c17fbe2_key -iv $encrypted_74945c17fbe2_iv -in secret.txt.enc -out secret.txt -d

Now add this entry to our .travis.yml:

before_install:
  - openssl aes-256-cbc -K $encrypted_74945c17fbe2_key -iv $encrypted_74945c17fbe2_iv -in secret.txt.enc -out secret.txt -d

It then decrypts the secret text file for us during the build.

So: create the file, run travis encrypt-file secret.txt, copy the entry it produces and add it to our .travis.yml file in the before_install stage.
Make sure to add secret.txt.enc to the git repository and make sure NOT to add secret.txt to the git repository.
Generally, we cannot keep both the encryption key and the encrypted file in the same place (i.e. the repo). So, we store the file somewhere else. Where are you storing it? How will you fetch it?
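To answer the "where is the key stored" question concretely: travis encrypt-file stores the key and IV as encrypted environment variables in the repository's Travis settings (the encrypted_<id>_key / encrypted_<id>_iv names in the generated command), and only the .enc file goes into git. The script below is an added example, not the travis CLI and not part of the answer above; it reproduces the same flow with plain openssl so it can be exercised locally. File names are assumptions.

```shell
#!/bin/sh
# Added example: what `travis encrypt-file` does under the hood, done with
# openssl directly. `openssl enc -aes-256-cbc` is the same cipher the
# generated before_install line invokes as `openssl aes-256-cbc`.
set -eu

# Encrypt SRC to SRC.enc with a fresh random key and IV and print "KEY IV".
# In Travis the two hex strings become encrypted env vars on the repo
# settings page; they never go into the repository alongside the .enc file.
encrypt_secrets() {
    src="$1"
    key=$(openssl rand -hex 32)   # 256-bit key for aes-256-cbc
    iv=$(openssl rand -hex 16)    # 128-bit IV
    openssl enc -aes-256-cbc -K "$key" -iv "$iv" -in "$src" -out "$src.enc"
    echo "$key $iv"
}

# The before_install step: decrypt ENC back to the plaintext file next to
# it, creating the plaintext owner-readable only. Prints the output path.
decrypt_secrets() {
    enc="$1"; key="$2"; iv="$3"
    out="${enc%.enc}"
    umask 077
    openssl enc -d -aes-256-cbc -K "$key" -iv "$iv" -in "$enc" -out "$out"
    echo "$out"
}

# Guard for the "do NOT commit secret.txt" rule: true when PLAIN is listed
# in REPO/.gitignore (so only the .enc file can be tracked).
plaintext_is_ignored() {
    repo="$1"; plain="$2"
    grep -qx "$plain" "$repo/.gitignore"
}
```

Usage: run encrypt_secrets secret.txt once on a workstation, paste the printed key and IV into the Travis repository settings as secret variables, commit secret.txt.enc, and call decrypt_secrets secret.txt.enc "$KEY" "$IV" from before_install. The plaintext only ever exists on the build worker.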
I'm following this documentation to push signed images to ACR from Azure Pipelines.
However, this only describes the changes needed in YAML tasks. I'm using a classic release pipeline, and I'm facing some issues.
I'm trying to push the image using an Azure CLI script. Before the script task, I'm using the Secure Files feature of the pipeline to download the private key file, and I used the CLI script below:
echo '---------Create Private Delegate Key for signing--------'
mkdir -p ./docker/trust/private
echo 'Created Trust Directory'
echo 'Copying $(privateKey.secureFilePath) to ./docker/trust/private'
cp $(privateKey.secureFilePath) ./docker/trust/private
I'm getting the error below when running:
echo $(SigningPassphrase) | docker push --disable-content-trust=false $(registry)/$REPOSITORY_NAME:$BUILD_TAG
Error:
no valid signing keys for delegation roles
I added the following lines to the script to load the private key:
chmod 600 ./docker/trust/private/$(KeyFileName)
echo '-----Loading Key-----'
docker trust key load ./docker/trust/private/$(KeyFileName)
But signing of the image is still failing after loading the key. I also tried changing the key file name to the repository key.
Am I placing the file in an incorrect location? It's being placed in /home/vsts/.docker/trust/private.
What should be the location to place the private key file in, so that docker can recognize it to sign the images?
I am trying to set up my local computer to be able to push files to GitHub, but for some reason I am facing several issues while doing so.
So this is what it shows on cmd.
And this is what it shows on the GitHub page.
As you can notice, it shows I made the last change a week ago, so obviously my commits weren't pushed to the main branch.
Please help me figure out what the problem is here.
The name of my repo on GitHub is MyWebsite and the local folder is mywebsite. Perhaps that is causing the issue? I have also generated an SSH key, if that's a matter of concern.
Thanks.
I will go through step by step what you need to do:
1. Checking for existing SSH keys
Before you generate an SSH key, you should check whether you already have one. You can easily check for existing SSH keys from Git Bash with the following command, which lists the files in the .ssh directory; that directory is most often located at a path like C:\Users\Jakobson\.ssh (for this example I used the path from my own machine).
The command for listing the files where SSH keys are stored after generation is:
ls -al ~/.ssh
By default, the filenames of the public keys are one of the following:
id_rsa.pub, id_ecdsa.pub, id_ed25519.pub
If the .ssh directory doesn't have any existing files, you should generate a new SSH key, as described in the next step.
2. Set up an SSH key
You can generate an SSH key by running the ssh-keygen procedure on your computer. You will need to remember where you have saved the generated public and private RSA key pair. The steps for generating a new SSH key are:
Open the Git bash.
Enter the following command by entering your GitHub email address:
ssh-keygen -t ed25519 -C "youremailaddress"
Note: If you are using a legacy system that doesn’t support the Ed25519 algorithm, use:
ssh-keygen -t rsa -b 4096 -C "youremailaddress"
This creates a new SSH key using the provided email as a label.
Next, Git Bash will ask you to enter the file destination where the SSH keys will be generated, like this:
> Enter a file in which to save the key (/c/Users/Jakobson/.ssh/id_ed25519):[Press enter]
If you press Enter, it will be saved automatically in the .ssh directory, or you can specify another destination path.
Then you will be asked to enter a passphrase. You can leave it empty.
> Enter passphrase (empty for no passphrase): [Type a passphrase]
> Enter same passphrase again: [Type passphrase again]
After this, the SSH keys will be generated in your .ssh directory.
3. Adding Your SSH Key to the ssh-agent
You can start the ssh-agent in the background by typing in your Git Bash:
eval "$(ssh-agent -s)"
And then you can add the private key file that you have generated by typing:
ssh-add ~/.ssh/id_ed25519
(use ~/.ssh/id_rsa instead if you generated an RSA key in step 2)
4. Adding the SSH Key to Your GitHub
You need to copy the SSH public key to your GitHub account.
Copy all content from the C:\Users\Your machine name\.ssh\id_ed25519.pub file (or id_rsa.pub for an RSA key).
Go to https://github.com/settings/keys -> SSH and GPG keys and click on New SSH key. Optionally name the SSH key, and paste the content from your file. That is all.
If you want to add an SSH key to a specific repository on the remote server, go to your repository settings, then go to Deploy keys and add the SSH key the same way we did before. You can see that in this screenshot: https://i.imgur.com/lPDrFN5.png
Note: If you need to type your password when you try to push to the server again, type your fingerprint, which was generated after adding the SSH key under your profile/settings/keys; its value is something like SHA256:rLiDkFpEz9FT3/9cNVu9NlL8BIxCS. You will find that in the SSH keys of your profile.
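Steps 1 to 3 above, carried out unattended in one script. This is an added example, not part of the answer, and its directory and label arguments are assumptions; it creates an Ed25519 key only when the directory has none, sets the permissions ssh insists on, and prints the SHA256 fingerprint so you can compare it with what GitHub shows after you paste the public key.

```shell
#!/bin/sh
# Added example: idempotent version of "check for a key, generate one if
# missing, load it into the agent". Diagnostics go to stderr so callers
# can capture just the fingerprint from ensure_ssh_key.
set -eu

# Print the SHA256 fingerprint of DIR/id_ed25519, generating the pair with
# LABEL as its comment if it does not exist yet.
ensure_ssh_key() {
    dir="$1"; label="$2"
    key="$dir/id_ed25519"
    mkdir -p "$dir"
    chmod 700 "$dir"                 # ssh ignores keys in a world-readable .ssh
    if [ -f "$key" ]; then
        echo "using existing key $key" >&2
    else
        # -N '' makes an unencrypted key so this runs unattended; for a
        # workstation key pass a real passphrase and let ssh-agent cache it.
        ssh-keygen -q -t ed25519 -C "$label" -f "$key" -N '' >&2
    fi
    chmod 600 "$key"
    # The same SHA256:... value GitHub lists under Settings -> SSH and GPG keys
    ssh-keygen -lf "$key.pub" | awk '{print $2}'
}

# Step 3: load the private key into a running agent, starting one if none
# is reachable through SSH_AUTH_SOCK.
add_key_to_agent() {
    key="$1"
    if [ -z "${SSH_AUTH_SOCK:-}" ]; then
        eval "$(ssh-agent -s)" >/dev/null
    fi
    ssh-add "$key"
}

# The text to paste into GitHub: the public half only.
public_key() {
    cat "$1.pub"
}
```

Usage: ensure_ssh_key "$HOME/.ssh" you@example.com, then add_key_to_agent "$HOME/.ssh/id_ed25519", then public_key "$HOME/.ssh/id_ed25519" and paste the output into GitHub. ssh -T git@github.com should then greet you by username; if it still asks for a password, the remote is probably an https:// URL, not git@github.com:....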
You can create a new token at: https://github.com/settings/tokens
Generate a new token (classic), and
then try to git clone a repo.
After entering the login name you will be asked for the password. Use the generated token as the password.
I'm having trouble using a multiline Azure Key Vault value inside an Azure Release Pipeline...
I put a multiline value (RSA private key) into Azure Key Vault using the CLI:
az keyvault secret set --vault-name "vault" --name "secret" --file "pk.pem"
This works and I can see the multiline secret in the portal.
Locally using CLI I can also do:
pk=$(az keyvault secret show \
--name "ssh-private-key" \
--vault-name $vault \
--query "value")
This returns a somewhat crappy value (yes, including the double quotes):
"-----BEGIN RSA PRIVATE KEY-----\nMIIG4wIBAA .... JtpyW\n-----END RSA PRIVATE KEY-----\n"
I can manage to work with this and send the value to a file like so:
pk="${pk%\"}" # remove the trailing quote
pk="${pk#\"}" # remove the leading quote
echo "$pk" | sed 's|\\n|\n|g' | # replace the escaped \n with actual newlines
while IFS= read -r line; do # loop through lines
echo "$line" >> pk.pem # write to the file line by line
done
This works and I can log in to my server using ssh -i pk.pem user@server
But when running the same script in the Azure DevOps Release pipeline (also using Bash on a Linux agent) the exact same script fails... I'm also having trouble inspecting the actual value, as the log masks all values related to the secret...
Any guide on how to debug or work with actually reading multiline values instead of just storing them would be hugely appreciated!
Here is some troubleshooting advice:
The error "Host key verification failed." doesn't just occur when the key is incorrect. Most of the time, it doesn't refer to your key.
So I recommend you firstly try the connection with a simple value to see if it works on Azure DevOps.
What's more, maybe an SSH service connection can help you with what you're doing. Go to Project Settings -> Service connections -> Create service connection -> SSH to create one.
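The value printed by az ... --query value is a JSON string, so the robust fix is to decode it as JSON rather than strip quotes and rewrite \n with sed (which mishandles \", \\ and \uXXXX escapes), or to avoid the decoding entirely with -o tsv, which prints the raw value. The functions below are an added example, not part of the question or the answer above; vault and secret names and pk.pem are assumptions. They also fix the file mode, since ssh refuses a private key that is group- or world-readable, and give you a check that says whether the file looks like a PEM key without printing the masked secret.

```shell
#!/bin/sh
# Added example: get a multiline Key Vault secret into a file without
# hand-parsing JSON, and verify the result without echoing it to the log.
set -eu

# Decode one JSON string from stdin into FILE with real newlines.
# python3's json module handles every escape a Key Vault value can contain.
json_string_to_file() {
    out="$1"
    umask 077   # ssh rejects "UNPROTECTED PRIVATE KEY FILE" otherwise
    python3 -c 'import json, sys; sys.stdout.write(json.loads(sys.stdin.read()))' > "$out"
}

# Simpler route when the az CLI is available: tsv output is the raw string,
# newlines included, so no decoding step is needed.
fetch_key_tsv() {
    vault="$1"; name="$2"; out="$3"
    umask 077
    az keyvault secret show --vault-name "$vault" --name "$name" --query value -o tsv > "$out"
}

# Log-safe sanity check: true when FILE starts and ends with PEM armour.
# Prints nothing, so it is safe to run under secret masking.
looks_like_pem_key() {
    f="$1"
    head -n 1 "$f" | grep -q '^-----BEGIN .*PRIVATE KEY-----$' &&
    tail -n 1 "$f" | grep -q '^-----END .*PRIVATE KEY-----$'
}
```

Usage in the pipeline: az keyvault secret show --vault-name "$vault" --name ssh-private-key --query value | json_string_to_file pk.pem (or fetch_key_tsv "$vault" ssh-private-key pk.pem), then looks_like_pem_key pk.pem && wc -l pk.pem; a line count of 1 means the newlines were lost before the value reached the script, which is the usual cause of "same script works locally, fails on the agent".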
I want to release the artifact of a github action to a specific update repo, so that my software can use it to update itself. To verify the update in the local update process I want to sign this artifact. I chose to store the update itself and signature in separate files for now.
My GitHub Action would take the zipped artifact and should sign it with the given RSA-4096 private key, using SHA-512 as the digest.
My GitHub Action for that looks as follows:
- name: Sign release
  run: |
    echo $PRIVATE_KEY > privatekey.pem
    openssl dgst -sha512 -sign privatekey.pem -out latest.sig latest.zip
  env:
    PRIVATE_KEY: ${{ secrets.PRIVATE_KEY }}
This GitHub Action should take my private key from the repository's secrets, put it in an environment variable, and then put it in a local file so the following openssl command can use this private key to sign. I went this way to prevent the private key itself being echoed to the log.
The private key value is as follows:
(This is of course not the actual private key but one I created solely for testing purposes until this GitHub Action works properly. This private key is only 1024 bits instead of the above mentioned 4096 bits. I will not use this private key afterwards anymore.)
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
The problem is the following log output of the GitHub Action when executing this step:
unable to load key file
6196:error:0909006C:PEM routines:get_name:no start line:crypto\pem\pem_lib.c:745:Expecting: ANY PRIVATE KEY
Which means that whatever was echoed to privatekey.pem is not the actual private key secret value, but something else. I couldn't get the content of the file printed in subsequent tests. Not with an echo or cat command or anything similar, so I actually have no knowledge of what is written to the file, which makes it impossible for me to get any deeper into my analysis.
Is anyone here able to deduce some helpful tips or a solution to this problem?
It's likely that part of your problem is the lack of quoting. When you don't quote a variable in shell, it is split on whitespace (space, tab, and newline), so what you're passing to echo is several different arguments which, instead of being separated by newlines, are separated by spaces via echo.
You'd probably want to write this (note the quotation marks around $PRIVATE_KEY):
- name: Sign release
  run: |
    echo "$PRIVATE_KEY" > privatekey.pem
    openssl dgst -sha512 -sign privatekey.pem -out latest.sig latest.zip
  env:
    PRIVATE_KEY: ${{ secrets.PRIVATE_KEY }}
In general, it's a good practice to place all variables in double quotes when using them unless you're certain that you want the shell to expand them.
Of course, all of this applies only if you're using a POSIX shell, which means that you need to be using Unix or bash on Windows, since the syntax you're using is POSIX shell syntax.
GitHub Actions, like most CI systems, tries to sanitize its output to prevent disclosing secrets that are accidentally printed to logs, which is why you were unable to print the value.
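The following is an added example, not the answer's workflow or the project's code: it makes the quoting problem measurable (how many lines reach the file unquoted versus quoted), uses printf instead of echo so no escape processing can touch the key, signs and verifies an artifact the way the updater would, and adds a check that tells you whether openssl can parse the key file without printing anything the log would mask. Key and artifact are generated locally so it runs offline; file names are assumptions.

```shell
#!/bin/sh
# Added example: the unquoted-echo failure from the question, and the fixed
# sign/verify round trip. Nothing here prints key material.
set -eu

# Lines that reach a file when the key is written unquoted vs quoted.
# Unquoted, the shell splits the value on newlines and echo rejoins the
# words with spaces, so the PEM armour lands on one line and openssl
# reports "no start line".
lines_unquoted() { echo $1 | wc -l | tr -d ' '; }          # $1 deliberately unquoted
lines_quoted()   { printf '%s\n' "$1" | wc -l | tr -d ' '; }

# Log-safe check: does FILE parse as a private key? Exit status only.
key_parses() {
    openssl pkey -in "$1" -noout 2>/dev/null
}

# Write the key from a variable to a private temp file, sign, then delete
# the file so the key does not linger on the runner's disk.
sign_artifact() {
    key_material="$1"; artifact="$2"; sig="$3"
    umask 077
    keyfile=$(mktemp)
    printf '%s\n' "$key_material" > "$keyfile"   # printf never interprets the value
    openssl dgst -sha512 -sign "$keyfile" -out "$sig" "$artifact"
    rm -f "$keyfile"
}

# What the client-side updater does with the shipped public key.
verify_artifact() {
    pub="$1"; artifact="$2"; sig="$3"
    openssl dgst -sha512 -verify "$pub" -signature "$sig" "$artifact" >/dev/null 2>&1
}
```

In the Action this becomes sign_artifact "$PRIVATE_KEY" latest.zip latest.sig with PRIVATE_KEY mapped from the secret as before; if a step still fails, key_parses on the written file gives a yes/no answer that survives log masking.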
I'm trying to implement Sparkle in my macOS project using CocoaPods.
But when following the documentation I seem to have a problem creating the public .pem file.
Command used in Terminal;
.ssh $ ssh-keygen -t dsa -b 1024
Generating public/private dsa key pair.
Enter file in which to save the key (/Users/jorgen/.ssh/id_dsa): dsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in dsa.
Your public key has been saved in dsa.pub.
According to the documentation I should have a file called dsa_pub.pem, but all I end up with is dsa.pub.
If anyone has a couple of minutes to give me simple step-by-step instructions how to set this up, I would be immensely appreciative.
I was going to use a DropBox folder as the https:// address. I archive the app into a .app as far as I can understand, I would zip this and put it in the DB folder? What else goes in there?
Download Sparkle: https://sparkle-project.org
Go to the bin folder inside the archive.
Open that folder in Terminal (drag and drop the folder onto the Terminal window).
Call ./generate_keys to generate dsa_priv.pem and dsa_pub.pem in the same folder.
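Why ssh-keygen did not help: dsa.pub is an OpenSSH-format public key, whereas Sparkle's legacy DSA scheme wants the two keys as PEM files, which is what generate_keys produces. The script below is an added example, not Sparkle's generate_keys, that makes the same pair with openssl and checks that the public file really belongs to the private one; paths are assumptions. Note that 1024-bit DSA is the legacy Sparkle mechanism and later Sparkle releases sign updates with EdDSA instead, so use this only for a project that still ships the DSA public key.

```shell
#!/bin/sh
# Added example: the PEM DSA key pair Sparkle's legacy signing expects,
# generated with openssl instead of ssh-keygen.
set -eu

# Write DIR/dsa_priv.pem (keep private, never in the app bundle) and
# DIR/dsa_pub.pem (ships inside the app as the update-verification key).
make_dsa_pem_pair() {
    dir="$1"
    umask 077
    openssl dsaparam -out "$dir/dsaparam.pem" 1024 2>/dev/null   # 1024-bit params, the legacy size
    openssl gendsa -out "$dir/dsa_priv.pem" "$dir/dsaparam.pem" 2>/dev/null
    openssl dsa -in "$dir/dsa_priv.pem" -pubout -out "$dir/dsa_pub.pem" 2>/dev/null
    chmod 644 "$dir/dsa_pub.pem"   # public half: no need to keep it 0600
    rm -f "$dir/dsaparam.pem"
}

# True when PUB is exactly the public key derived from PRIV, i.e. the two
# files were not mixed up between builds.
dsa_pub_matches_priv() {
    priv="$1"; pub="$2"
    openssl dsa -in "$priv" -pubout 2>/dev/null | cmp -s - "$pub"
}
```

Usage: make_dsa_pem_pair ~/sparkle-keys, add dsa_pub.pem to the app and keep dsa_priv.pem out of the repository, then dsa_pub_matches_priv ~/sparkle-keys/dsa_priv.pem path/to/bundled/dsa_pub.pem before each release to be sure the bundled key still matches the signing key.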