redmine gitolite admin key

[tomhub]

I'm trying to get rid of an old rsa key which was replaced with ed25519 key. I made updates in redmine git hosting plugin to poing to 'redmine_gitolite_admin_ed25519' and 'redmine_gitolite_admin_ed25519.pub' keys. gitolite-admin repository is already updated, contains ed25519 pub key, old rsa key removed, and gitolite.conf updated use ed25519 keys.

In redmine, I clicked git hosting plugin settings, rescue tab (all 3 ticked) and applied. However, in git_hosting.log I see:

[INFO] Enable RW access on all Gitolite repositories
[INFO] enable_rw_access : '@all' repository already configured, check for RedmineGitHosting key presence
[INFO] enable_rw_access : RedmineGitHosting key is not present, add it !
[INFO] enable_rw_access : commiting to Gitolite...

And if look at gitolite.conf, I see '@all' got back 'redmine_gitolite_admin_id_rsa'. I think it shouldn't have: could it be that admin key name is hardcoded and configuration is ignored?

[pkoevesdi]

I just stumbled upon exact the same problem: Want to switch over to ed25519 key type. I can confirm the problem and I can answer the question: The key name is hardcoded all over the place and redmine-git-hosting is at least in parts ignoring the setting on the SSH page.

redmine@redmine redmine$ grep -rnw ".*redmine_gitolite_admin_id_rsa.*" plugins/redmine_git_hosting
plugins/redmine_git_hosting/.github/workflows/test.yml:117:          ssh-keygen -N '' -f plugins/redmine_git_hosting/ssh_keys/redmine_gitolite_admin_id_rsa
plugins/redmine_git_hosting/.github/workflows/test.yml:125:          sudo cp plugins/redmine_git_hosting/ssh_keys/redmine_gitolite_admin_id_rsa.pub /home/git/
plugins/redmine_git_hosting/.github/workflows/test.yml:126:          sudo chown git.git /home/git/redmine_gitolite_admin_id_rsa.pub
plugins/redmine_git_hosting/.github/workflows/test.yml:127:          sudo -n -u git -i bin/gitolite setup -pk redmine_gitolite_admin_id_rsa.pub
plugins/redmine_git_hosting/db/migrate/20130807223227_migrate_parameters.rb:10:      gitolite_ssh_private_key: Rails.root.join('plugins/redmine_git_hosting/ssh_keys/redmine_gitolite_admin_id_rsa').to_s,
plugins/redmine_git_hosting/db/migrate/20130807223227_migrate_parameters.rb:11:      gitolite_ssh_public_key: Rails.root.join('plugins/redmine_git_hosting/ssh_keys/redmine_gitolite_admin_id_rsa.pub').to_s,
plugins/redmine_git_hosting/CHANGELOG.md:349:    └── redmine_gitolite_admin_id_rsa.pub
plugins/redmine_git_hosting/lib/default_settings.yml:6:gitolite_ssh_private_key:       <%= Rails.root.join('plugins', 'redmine_git_hosting', 'ssh_keys', 'redmine_gitolite_admin_id_rsa') %>
plugins/redmine_git_hosting/lib/default_settings.yml:7:gitolite_ssh_public_key:        <%= Rails.root.join('plugins', 'redmine_git_hosting', 'ssh_keys', 'redmine_gitolite_admin_id_rsa.pub') %>
plugins/redmine_git_hosting/lib/redmine_git_hosting/mirror_keys_installer.rb:7:    GITOLITE_MIRRORING_KEYS_NAME = 'redmine_gitolite_admin_id_rsa_mirroring'
plugins/redmine_git_hosting/lib/redmine_git_hosting/gitolite_wrappers/global/common.rb:8:          'redmine_gitolite_admin_id_rsa'
plugins/redmine_git_hosting/.gitignore:9:/ssh_keys/redmine_gitolite_admin_id_rsa*
plugins/redmine_git_hosting/app/models/gitolite_public_key.rb:75:  #   redmine_gitolite_admin_id_rsa.pub
plugins/redmine_git_hosting/spec/lib/redmine_git_hosting/config_spec.rb:7:    'hello redmine_gitolite_admin_id_rsa, this is gitolite v2.3.1-0-g912a8bd-dt running on git 1.7.2.5',
plugins/redmine_git_hosting/spec/lib/redmine_git_hosting/config_spec.rb:14:    'hello redmine_gitolite_admin_id_rsa, this is git@dev running gitolite3 v3.3-11-ga1aba93 on git 1.7.2.5'

I'd really like to see this fixed, it is an unnecessary and undocumented restriction in the naming convention of the local SSH keys. Took me hours to figure out the problem with my new keys.

[pkoevesdi]

In the following spots I replaced each string redmine_gitolite_admin_id_rsa with redmine_gitolite_admin_id_ed25519:

plugins/redmine_git_hosting/lib/redmine_git_hosting/gitolite_wrappers/global/common.rb:8:          'redmine_gitolite_admin_id_rsa'
plugins/redmine_git_hosting/lib/default_settings.yml:6:gitolite_ssh_private_key:       <%= Rails.root.join('plugins', 'redmine_git_hosting', 'ssh_keys', 'redmine_gitolite_admin_id_rsa') %>
plugins/redmine_git_hosting/lib/default_settings.yml:7:gitolite_ssh_public_key:        <%= Rails.root.join('plugins', 'redmine_git_hosting', 'ssh_keys', 'redmine_gitolite_admin_id_rsa.pub') %>
plugins/redmine_git_hosting/lib/redmine_git_hosting/mirror_keys_installer.rb:7:    GITOLITE_MIRRORING_KEYS_NAME = 'redmine_gitolite_admin_id_rsa_mirroring'

At least it isn't overwriting redmine_gitolite_admin_id_ed25519's access to gitolite-admin any more (only due to the change in plugins/redmine_git_hosting/lib/redmine_git_hosting/gitolite_wrappers/global/common.rb). But the rest of the problem persists. It writes now

repo    @all
  RW+                            = redmine_gitolite_admin_id_rsa redmine_gitolite_admin_id_ed25519

repo    gitolite-admin
  RW+                            = redmine_gitolite_admin_id_ed25519

into conf/gitolite.conf. Which at least doesn't lock himself out any more, but still there's some persintent existence of the string redmine_gitolite_admin_id_rsa.
I'll give up for now and name my ed25519 key back to "redmine_gitolite_admin_id_rsa", and make a note somewhere for future admins, that this is no RSA key, despite it's name.
Did I say, I'd really like to see this fixed? ;-) I'd be glad to help, if I can.

[pkoevesdi]

Now I still have one problem, I'm not sure if I overread it in the docu: redmine-git-hositng ist constantly overwriting my entries in gitolite.conf with

repo    gitolite-admin
  RW+                            = redmine_gitolite_admin_id_rsa

So, I'm not able to add admins there. Is there any "official" redmine-git-hosting-way of adding admins to gitolite-admin.git or is this part of this hard-coded-bug?

[pavelsky75]

I keep other admins added by hand and not existing in Redmine and one other from Redmine, nothing is being overwritten here. Maybe you should use sync (Rescue tab->Resync) before you do anything else.