How does "travis encrypt" work? #2982

Closed · jameshfisher opened this issue Nov 23, 2014 · 14 comments · Label: docs

@jameshfisher commented Nov 23, 2014
I can't work this out from the documentation or the travis help encrypt docs. What does travis encrypt ... actually do? Obviously, it takes some plaintext and "encrypts" it to produce some kind of cyphertext. But what kind of encryption is this? Public-key? Whose public key? Who can decrypt the value, and what do they require in order to decrypt it?

@BanzaiMan (Member) commented Nov 24, 2014

This is documented in http://docs.travis-ci.com/user/encryption-keys/. How can we improve it?

@BanzaiMan BanzaiMan added the docs label Nov 24, 2014
@jameshfisher (Author) commented Nov 25, 2014

Hi @BanzaiMan! Ah, I had not fully read that page. So every repository that's registered on travis-ci.org has its own keypair, where the private key is only known to travis-ci.org and the public key is available to everyone. So for example for my repo tla-plus/tlaplus, the public key is available at https://api.travis-ci.org/repos/tla-plus/tlaplus/key. And encrypted values in a .travis.yml in that repository foo/bar are encrypted using that public key, meaning those values can only be decrypted by something running on travis-ci.org. And meaning that there's no private key in my possession which I have to keep secret. Do I have that right?

(I want to be sure I understand the crypto protocol before I go throwing around encrypted strings in public repositories.)

@BanzaiMan (Member) commented Nov 25, 2014

Yes, your summary is correct.

@erikdw commented Apr 6, 2016

@BanzaiMan : it would be awesome if some of @jameshfisher 's wording could be added into the docs.

@mark-jay commented Dec 27, 2016

Thank you. This is something important for me that I could not be sure about from the docs.

@dlenski commented Jan 19, 2018

Is it possible to replicate the behavior of travis encrypt using the openssl CLI?

I tried this…

echo -n 'MYPASSWORD' | openssl rsautl -encrypt -inkey MYTRAVISPUBKEY.PEM -pubin | base64 -w0

… and then I put the base64-encrypted output into my .travis.yml (as deploy.password.secure)

… but it just doesn't work :-(

UPDATE: actually, the above does work perfectly… I managed to encrypt my password correctly on the first try, but put in the wrong username. Fail by me 👎.

jameshfisher added a commit to jameshfisher/docs-travis-ci-com that referenced this issue Jan 19, 2018
@jameshfisher (Author) commented Jan 19, 2018

Three years later, added my notes to a PR travis-ci/docs-travis-ci-com#1669

@dlenski commented Jan 20, 2018

Having to download 14 bajillion Ruby things in order to encrypt a frickin' password = Frustrating

So I created a bash-script version of travis-encrypt: dlenski/travis-encrypt-sh

$ travis-encrypt user repo 'value'
Fetched key...
Encrypting with openssl rsautl...
Success.

@saiduttphenom commented Jul 28, 2018

@jameshfisher I am working on secure code review of a project. While going through the code I have observed that in the travis.yml file there is api secure key in the file like below:

api_key:
  secure: c5qZod9MXoBTGMe2sztpvXjzgamgJi4Vm7BJSNzHcWJkG87DPgtVD

(I didn't put the actual key here. It's a little long.)

So my question is, is it fine to publicly display this secure key in the source code? As per my assumption, it is a security concern to display this key, but I am not able to prove how this secure key can help the hackers in real time. To summarize, the following are my questions:

  1. Is it OK to display the API secure key in the travis.yml publicly?
  2. If it should not be displayed publicly, why shouldn't it be displayed?
@dlenski commented Jul 28, 2018

@saiduttphenom: the "API key" is encrypted with the travis-encrypt RSA public key for the project. Only Travis-CI itself has the corresponding RSA private key.

As long as Travis-CI doesn't mishandle/leak the private key, and the RSA cryptosystem is secure… the actual plaintext value is only accessible by Travis-CI itself.

@saiduttphenom commented Jul 28, 2018

@dlenski : I got that. Thank you.

So the secure key displayed in the image below is a public key??? Please refer to the image:

[screenshot: key]

Sorry if I am asking anything wrong, but I want to clear it out.

@dlenski commented Jul 28, 2018

@saiduttphenom:

"So the secure key displayed in the image below is a public key???"

No it is not. As I wrote in my previous comment, it is a value that has been encrypted with an RSA public key, and it can only be decrypted with the corresponding private key, which only Travis-CI itself has.
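
The protocol jameshfisher summarised earlier (one RSA keypair per repository, public half published, private half held only by the service) and the openssl pipeline dlenski posted can be exercised end to end with a locally generated keypair standing in for Travis. The script below is an added example, not code from Travis CI or from anyone in this thread; the key file names, the 2048-bit size and the sample secret are constructed for illustration, and it assumes only that openssl is on PATH. Beyond the thread's own case it also shows what a reader of a public .travis.yml can do with the `secure:` value and the public key (nothing), and that the same secret never produces the same ciphertext twice.

```shell
#!/bin/sh
# Added example (not Travis CI's or any commenter's code): a local stand-in for
# the `travis encrypt` protocol described in this thread, using only openssl.
# Assumptions: openssl is on PATH; the key file names and the 2048-bit size are
# illustrative choices, not something the thread states about Travis's keys.
set -eu

WORK="${TMPDIR:-/tmp}/travis-encrypt-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Stand in for the service: one RSA keypair per repository. Travis keeps the
# private half; only the public half is served at /repos/<owner>/<repo>/key.
make_repo_keypair() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/travis_private.pem" 2>/dev/null
  openssl pkey -in "$WORK/travis_private.pem" -pubout -out "$WORK/travis_public.pem"
}

# What `travis encrypt` produces: RSA PKCS#1 v1.5 encryption under the repo's
# public key, base64-encoded on one line. Same operation as the
# `openssl rsautl -encrypt ... | base64 -w0` pipeline posted above; pkeyutl is
# the non-deprecated spelling and `openssl base64 -A` avoids GNU-only flags.
travis_encrypt() {
  printf '%s' "$1" \
    | openssl pkeyutl -encrypt -pubin -inkey "$WORK/travis_public.pem" \
        -pkeyopt rsa_padding_mode:pkcs1 \
    | openssl base64 -A
}

# What only the holder of the private key (the CI service) can do.
travis_decrypt() {
  printf '%s' "$1" \
    | openssl base64 -d -A \
    | openssl pkeyutl -decrypt -inkey "$WORK/travis_private.pem" \
        -pkeyopt rsa_padding_mode:pkcs1
}

# What someone holding only the public repo contents (the `secure:` value plus
# the published public key) can do with it: nothing. Returns 0 when the
# attempted decryption fails, which is the expected outcome.
public_key_cannot_decrypt() {
  if printf '%s' "$1" | openssl base64 -d -A \
       | openssl pkeyutl -decrypt -pubin -inkey "$WORK/travis_public.pem" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# PKCS#1 v1.5 padding is randomised, so the same secret encrypts to a different
# `secure:` string each time; two .travis.yml files holding the same plaintext
# do not reveal that fact through their ciphertexts.
ciphertexts_differ() {
  [ "$(travis_encrypt "$1")" != "$(travis_encrypt "$1")" ]
}

# Demo run, kept at top level so the script does something when executed.
make_repo_keypair
SECURE=$(travis_encrypt 'example-deploy-password')   # constructed sample secret
echo "secure: $SECURE"
echo "service decrypts to: $(travis_decrypt "$SECURE")"
public_key_cannot_decrypt "$SECURE" && echo "public key alone cannot decrypt: OK"
ciphertexts_differ 'example-deploy-password' && echo "ciphertexts are randomised: OK"
```

With a 2048-bit key, PKCS#1 v1.5 caps the plaintext at 245 bytes (modulus length minus 11 bytes of padding); a longer value fails at encrypt time rather than being truncated, which is why multi-line files are handled by a separate mechanism rather than by `travis encrypt` directly.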

@saiduttphenom commented Jul 29, 2018

@dlenski Thanks for the response. I understood it now.

And I got another new question about "DANGER_GITHUB_API_TOKEN".

As mentioned earlier, I am working on a secure code review of a project. While going through the Travis CI logs I am able to see the "DANGER_GITHUB_API_TOKEN" in the logs publicly.

But I am not able to come to a conclusion if it is a security bug because I am not sure what an external attacker can do with that token.

To summarize, the following are my questions:

  1. Is it OK from a security perspective to display this Danger GitHub API token publicly in the Travis logs?
  2. If it is a security bug to display it, how can an external person use the token to exploit that?

Screenshot for reference:

[screenshot: p3]

Please see the highlighted part.

@dlenski commented Jul 29, 2018

@saiduttphenom, I have no idea what DANGER_GITHUB_API_TOKEN is, or where it came from.

Presumably it's embedded in the travis.yml or some other config script?
