Switch to Travis settings env var to store private key #243
Conversation
In progress.

bash "-v varname" to test whether a variable is assigned: True if the shell variable varname is set (has been assigned a value). https://stackoverflow.com/a/17538964/4651668

bash here string to input key to ssh-add https://stackoverflow.com/a/46253163/4651668

Storing private keys using environment variable in Travis settings wp-cli/wp-cli#3798 https://github.com/Automattic/vip-go-mu-plugins/blob/5f985910c849b1eb104c3b4b19776e9be0fb5b87/ci/deploy.sh#L26-L31

Assumes newline characters use \n encoding. echo: specify -e to enable interpretation of the backslash escapes.

The biggest barrier to this approach is going from the private key as text in

From Travis Docs:
From the Travis CI settings page:
Here is what a private key looks like (1024 bits, ours are longer):
So we have to massage this into something that works as a Travis settings environment variable. Two approaches were suggested in wp-cli/wp-cli#3798:
If we determine setup environments should have python, here's a cross-platform script (Python 2 & 3 compatible) to convert

```python
import base64

# Read the key as raw bytes so the encoding is byte-exact
key = open('deploy.key', 'rb').read()
base64_key = base64.standard_b64encode(key)
# standard_b64encode returns bytes on Python 3 (str on Python 2);
# .decode() yields a printable str either way
print(base64_key.decode())
```

And here's a version that uses "universal newlines" to make sure all newlines are encoded as

```python
import base64
import io

# io.open with newline=None enables universal newlines on both Python 2 and 3,
# translating \r\n and \r to \n on read (the old 'U' mode flag was removed in Python 3.11)
text_key = io.open('deploy.key', 'r', newline=None).read()
base64_key = base64.standard_b64encode(text_key.encode())
print(base64_key.decode())
```
The current machine I'm on has a somewhat old version of Git Bash for Windows. It has
It's hard to assess whether Git Bash or Python is more likely to be available on Windows machines of Manubot users. My uneducated guess is that Python is more common than Git Bash. If we (eventually) want to enable setup for non-technical users, they may not have either available.
Rootstock will no longer need these files once it switches to an environment variable for the deploy key. Hoping that this will not cause conflicts with legacy manuscripts.
@agitter can you paste the man page for base64 on Windows below? Try

base64 encoding commands

Linux and Windows with GNU coreutils version:

macOS:

Oddly, Git Bash doesn't have the
2a53b7f to 7900c05 (compare)
if [ -v MANUBOT_SSH_PRIVATE_KEY ]; then | ||
set +o xtrace # TODO: better way of temporarily disabling xtrace | ||
base64 --decode <<< "$MANUBOT_SSH_PRIVATE_KEY" | ssh-add - | ||
else |
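Review bot: `set +o xtrace` on the second line of the hunk switches tracing off for everything that follows, not only for the `base64 --decode ... | ssh-add -` line, so a script that was tracing before this block silently stops tracing afterwards; the TODO on that line admits as much. Wrapping the two commands in a subshell, `( set +o xtrace; base64 --decode <<< "$MANUBOT_SSH_PRIVATE_KEY" | ssh-add - )`, limits the change to those commands and removes the need for the TODO. Note also that `[ -v MANUBOT_SSH_PRIVATE_KEY ]` requires bash 4.2 or newer and is true for an empty value; `[ -n "${MANUBOT_SSH_PRIVATE_KEY:-}" ]` covers both points.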
Previously we didn't disable xtrace, which means we probably were leaking $encrypted_9befd6eddffe_key
to the build logs. However, if you check the build logs, I believe Travis CI was smart enough to remove that output.
Anyways we want a way to disable xtrace for specific commands. Ideally, after these commands finish, xtrace operates based on whether it was active or not before the hidden commands.
@michaelmhoffman / @dongbohu any suggestions? Would also love any feedback on the bash command changes above, since it would be great to make this as robust as possible.
Implemented xtrace disabling/re-enabling in c1abee3.
Again I don't recommend using xtrace routinely like this. If you must, then you can disable it temporarily in a subshell like this:

```sh
(
set +o xtrace
base64 --decode <<< "$MANUBOT_SSH_PRIVATE_KEY" | ssh-add -
)
```

Remember that variables changed in the subshell don't affect the parent shell. That is not a problem now here.
Here's the
In my tests, the reason I didn't use wrap=0 with the GNU version was that this suppressed a closing newline. Without the newline at the end, it is easy to copy the following command prompt as part of the previous output. However, the macOS command seems to add the final newline.

There does seem to be one possible gotcha with base64. The character set for base64 is We could use these terminal copy commands, but those add additional dependencies.
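The subshell-scoped `set +o xtrace` suggested a few comments up and the single-line base64 output with a trailing newline discussed in the last two comments, combined into one worked script. This is an added example, not rootstock's own `ci/deploy.sh`: it assumes a `base64` that accepts `--decode` (GNU coreutils; current macOS accepts it too), uses a constructed stand-in for the key file rather than a real key, and stops short of `ssh-add` so the round trip can be checked offline.

```shell
#!/usr/bin/env sh
# Added example (not rootstock's ci/deploy.sh): round-trip an SSH private key
# through a single-line base64 environment variable, with xtrace switched off
# only while the key material is being handled.

# Encode a key file to ONE line of base64 regardless of which base64 is installed:
# GNU wraps at 76 columns by default and --wrap=0 drops the final newline, while
# macOS needs --break. Stripping every newline and printing exactly one gives the
# same output everywhere and keeps the next prompt off the copied line.
encode_key_file() {
    base64 < "$1" | tr -d '\n'
    printf '\n'
}

# Decode MANUBOT_SSH_PRIVATE_KEY to stdout (where a CI script would pipe it into
# `ssh-add -`). Returns 1 if the variable is unset or empty, 2 if the value does
# not decode. ${VAR:-} is the POSIX-portable replacement for bash 4.2's [ -v VAR ]
# and, unlike -v, also rejects an empty value.
decode_key_var() {
    local value
    value="${MANUBOT_SSH_PRIVATE_KEY:-}"
    if [ -z "$value" ]; then
        echo "MANUBOT_SSH_PRIVATE_KEY is not set" >&2
        return 1
    fi
    # Subshell: `set +o xtrace` here cannot leak into the caller, so whatever
    # tracing state the script had is back in force after the closing ')'.
    (
        set +o xtrace
        printf '%s\n' "$value" | base64 --decode
    ) || return 2
}

# Self-check with a constructed, non-secret stand-in for a key file (NOT a real key).
# Returns 0 when the decoded bytes equal the original file byte for byte.
roundtrip_demo() {
    local tmp
    tmp="$(mktemp)"
    printf -- '-----BEGIN CONSTRUCTED TEST KEY-----\nline one\nline two\n-----END CONSTRUCTED TEST KEY-----\n' > "$tmp"
    MANUBOT_SSH_PRIVATE_KEY="$(encode_key_file "$tmp")"
    export MANUBOT_SSH_PRIVATE_KEY
    decode_key_var | cmp -s - "$tmp"
    local rc=$?
    rm -f "$tmp"
    return $rc
}
```

In a deploy script the decode line would read `decode_key_var | ssh-add -`; the return codes let the script fail loudly when the settings variable is missing or was pasted with stray characters, instead of handing `ssh-add` garbage. Because the variable is a single line, it can be pasted into the Travis settings field without any `\n` escaping at all.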
I left a few comments.
```sh
$ man openssl | grep -e "-A"
openssl enc -ciphername [-AadePp] [-base64] [-bufsize number] [-debug]
-A If the -a option is set, then base64 process the data on one
```
… On Jul 3, 2019, at 8:56 AM, dongbohu ***@***.***> wrote:
@dongbohu commented on this pull request.
In SETUP.md <#243 (comment)>:
>
-```sh
-# Edit ci/deploy.sh with travis secure env variables generated by travis encrypt-file
-TRAVIS_ENCRYPT_ID=`python -c "import re; \
- text = open('travis-encrypt-file.log').read(); \
- print(re.search('encrypted_([a-f0-9]+)_key', text).group(1))"`
-sed "s/9befd6eddffe/$TRAVIS_ENCRYPT_ID/g" deploy.sh > tmp && mv -f tmp deploy.sh
+# For macOS systems
+base64 --break=1000000 deploy.key
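Review bot: the replacement line relies on `--break=1000000` to keep the output on a single line, which only works because an SSH private key encodes to far fewer than a million characters; a comment stating the intent (suppress line wrapping so the value fits one Travis settings field) would make the magic number clearer. The snippet is also labelled "For macOS systems" only, while the GNU coreutils form discussed earlier in this thread (`--wrap=0`, with the caveat that it drops the trailing newline) is what Linux and Git Bash users need, so it should be documented next to it rather than leaving those users with just the macOS command.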
Hmm, I wonder whether -A is supported by openssl on macOS.
This reverts commit ecf2af9. See manubot/rootstock#243 (comment)
I'm starting with general comments before doing a full review. The great news is that I was able to set up a new manuscript with Git Bash on Windows, so we can advertise that as an option now.
I want to think more about whether we can restructure any of the instructions to minimize switching between the browser and command line.
I doubt we'll be able to eliminate the browser-based steps entirely, but it may be possible to create the new repository from the command line:
https://stackoverflow.com/questions/2423777/is-it-possible-to-create-a-remote-repo-on-github-from-the-cli-without-opening-br/10325316#10325316
This command worked for me on Linux but hung on Git Bash:

```sh
curl -u 'agitter' https://api.github.com/user/repos -d '{"name":"manubot-test"}'
```
Based on the way I have Travis CI set up, the current instructions for enabling Travis CI for the new repository weren't directly applicable for me. I had to Manage repositories on GitHub
That button let me approve the new repository for the Travis CI GitHub App through GitHub. I expect this will be the trickiest step for new users who aren't familiar with continuous integration.
When adding the deploy key to GitHub, I didn't have to click "Add deploy key". The default view for the echoed URL was:
In the Finalize step, we now will have different unstaged changes.

```sh
$ git status
On branch master
Your branch is up-to-date with 'origin/master'.
Changes to be committed:
  (use "git reset HEAD <file>..." to unstage)
        deleted:    content/02.delete-me.md
Changes not staged for commit:
  (use "git add <file>..." to update what will be committed)
  (use "git checkout -- <file>..." to discard changes in working directory)
        modified:   README.md
        modified:   ci/deploy.key.pub
```
The openssl syntax is different in Git Bash

```sh
$ openssl base64 -A -in=deploy.key
unknown option '-in=deploy.key'
options are
-in <file>     input file
```

The python and base64 versions worked.
Attempts to address: unknown option '-in=deploy.key'
Let's save this for another pull request. How did authentication work with the curl-based-repo-creation command?
I'm hopeful aa17153 will fix that error.
I ended up removing those because I think any system with
👍
I was prompted for my GitHub password.
Yes, I tested the new
PR is good to go on my end. Still haven't gotten feedback on the environment variable name (
I recommend changing line 6 of SETUP.md
now that we've confirmed Windows setup works:
Setup is supported on Linux, macOS, and Windows through Git Bash.
or
Setup is supported on Linux, macOS, and Windows. Windows setup requires Git Bash or Windows Subsystem for Linux.
We haven't tested it with Windows Subsystem for Linux, but I expect that would work.
The suggestion #243 (comment) to disable xtrace using a subshell looks like it would simplify the syntax and improve readability.
Everything else looks good to me.
Merged commit 2a5e425 had a deploy failure:
Will look into this. I did add Update: the fingerprints I'm getting locally match the public key on GitHub:
Update: I generated a new SSH key and added the public/private keys to GitHub/Travis. Deployment succeeded. Not sure what was wrong with the old key-pair. Perhaps we should add a command like the following to setup so users can test if things are configured correctly (to some degree):

```sh
>>> ssh -T -o "IdentitiesOnly=yes" -i deploy.key git@github.com
Hi manubot/rootstock! You've successfully authenticated, but GitHub does not provide shell access.
```
This build is based on 2a5e425. This commit was created by the following Travis CI build and job:
https://travis-ci.com/manubot/rootstock/builds/118484775
https://travis-ci.com/manubot/rootstock/jobs/214507138
[ci skip]
The full commit message that triggered this build is copied below:

Travis CI: use settings env var to store SSH private key

Merges #243
Closes #91
Closes #246

Switch to a Travis CI settings environment variable to store the SSH private key for GitHub deployment. Setup no longer requires the travis ruby gem, whose `travis encrypt` subcommand was incompatible with Windows. Setup is now supported on Windows systems with a Unix/Linux/POSIX-compliant shell with the proper dependencies, such as ssh-keygen & openssl.

The SSH private key is stored in MANUBOT_SSH_PRIVATE_KEY, after being base64 encoded to remove newline characters.

Remove files for the legacy encrypted file method. Deprecate the encrypted file decryption in deploy.sh. In the future, we may only support private key specification via MANUBOT_SSH_PRIVATE_KEY.
Merges manubot/rootstock#243
Closes manubot/rootstock#91
Closes manubot/rootstock#246

Switch to a Travis CI settings environment variable to store the SSH private key for GitHub deployment. Setup no longer requires the travis ruby gem, whose `travis encrypt` subcommand was incompatible with Windows. Setup is now supported on Windows systems with a Unix/Linux/POSIX-compliant shell with the proper dependencies, such as ssh-keygen & openssl.

The SSH private key is stored in MANUBOT_SSH_PRIVATE_KEY, after being base64 encoded to remove newline characters.

Remove files for the legacy encrypted file method. Deprecate the encrypted file decryption in deploy.sh. In the future, we may only support private key specification via MANUBOT_SSH_PRIVATE_KEY.
Closes #91
Closes #246
Ready for review
Using Travis environment variables set in the web settings GUI succeeded for manubot/catalog.
Removes the need for the travis ruby gem during setup, potentially allowing setup on Windows Bash.