-
-
Notifications
You must be signed in to change notification settings - Fork 269
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cannot dev private repos: libgit2 uses protocol phased out by Github today? (SHA-1) #3030
Comments
Don't you just have to generate a new key as described in https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent? |
No, the issue is not with the RSA key itself, but with the signing algorithm employed by libgit2. My RSA key works fine through command line Just to double check, I followed the instructions in the link to generate both an RSA and an ED25519. The RSA failed as above, while the ED25519 could not be found by libgit2 (as in previous issues) |
From https://github.blog/2021-09-01-improving-git-protocol-security-github/
Julia 1.6 uses libssh 1.9.1 so it should work with ECDSA? |
I hadn't tried ECDSA before (I did now), but it runs into the same problem as using ED25519: libgit2 fails to automatically detect the private key file, prompts for the location, and then continues to prompt for the location twice more before erroring out due to "maximum number of prompts reached." From all the issues I've read, libgit2 in Julia only can handle RSA keys generated with PEM. (#911 (comment); #1516 (comment)) |
And you really need to use ssh, you cannot use https for the git remote? |
I ran into this recently, and I was able to fix it simply by doing |
That requires Julia 1.7. |
https is very painful as it requires user and password before every clone/update of private repos |
So I just tried |
Two issues
|
Apparently you need to run So, to recap, the workaround is either:
I'll close this now, but if there's any way to get that env flag into the next release of v1.6, that would be way better. I would argue it's a bugfix. |
Backporting the pkg manager would be amazing in a julia 1.6 patch, since it is LTS. |
@grahamas I could do option 2 in windows, but not in linux. |
Oh no, I use both but I only tested it on Windows; my Linux system is the one that I can't control the Julia version on, too :/ I'll poke around a bit more and report back here if I find anything. If we can't find a way to cache username and password on Linux, I'll re-open, because re-entering tokens/passwords for every pull or update is unfeasible. |
It worked on linux by fixing my .giconfig that was pointing to a netrc file. Now it is back to default and points to .git-credentials. |
Lost several hours with this... But found a surspising third solution, as they wrote in a blog-post:
So, look for an old ssh key (maybe on some other machine?), that was generated before November 2021 (If you're lucky enough). I think github wanted to make a smoooth transition, which instead resulted in a kind of a time bomb, when keys generated after November 2021 - suddenly stopped working at March 2022. |
I strongly suspect that there was a deprecation warning that libgit2 didn't propagate... |
For those coming here later looking for information:
The ECDSA support is conditional on using Also see https://discourse.julialang.org/t/local-registry-rsa-key-problem/78188/4 for more information. |
Also, I just want to say that we backported the |
I think we can keep this open for some extra visibility. |
Looking into this a bit, without any changes to Julia, you can fix the issue by using a different SSH key: you can just generate a new ECDSA key (e.g. those generated by To get RSA keys working again, we need libssh2 to implement SHA-256 signing of RSA keys with MbedTLS as the backing crypto library. I opened an issue to ask them to fix it for us, but if they dawdle, it's likely something someone with some C experience can hack together in an afternoon. It's basically hooking up the pipes from libssh2 to MbedTLS, and ensuring that you don't break SHA-1 while you're at it. |
That's great. Where is it implemented? |
It's inside of libssh2 ever since version 1.10.0; it's not in Julia code, it's just the native libgit2->libssh2->mbedtls stack. |
I guess I was confused when I thought the mbedtls support for ECDSA keys entered libssh2 after the 1.10.0 release and only was available in master. Now it would be nice if the ECDSA key could be found automatically without needing an |
So, since JuliaLang/julia#44767 is merged, why do I keep running into this and manually provide id_ecdsa path? Updating registry at `C:\Users\sairu\.julia\registries\JuliaRegistry`
Updating git-repo `[email protected]:MyPrivateOrg/JuliaRegistry.git`
Private key location for '[email protected]' [C:\Users\sairu\.ssh\id_rsa]: C:\Users\sairu\.ssh\id_ecdsa
Updating registry at `C:\Users\sairu\.julia\registries\General.toml` |
Dev'ing my private repos is failing today, where it worked yesterday.
git pull
works fine. I'm on julia v1.6.2 Ubuntu and v1.6.5 Windows.As the final phase in updating their SSH security protocols, today GitHub stopped accepting RSA keys with SHA-1.
Per GitHub:
It seems that libgit2 uses SHA-1, so I think it's libgit2's fault. At least, yesterday dev'ing worked, and today git pull still works. I'm a little confused because my RSA key was uploaded before today, but I can't argue with the error:
In theory, you could use a new key type, but libgit2 only notices RSA or something weird like that (see #911, I think).
Where does the recent PR JuliaLang/julia#43250 stand julia release-wise? Is there likely a workaround for older julia versions? (I'm on a cluster and beholden to admins for updating).
Related to #2679
The text was updated successfully, but these errors were encountered: