Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Repo info
Activity
    Harshit Chopra
    @arpoch

    I don't understand the problem of the decrypted key not matching with the public key

    I think my poor choice of words might have caused some confusion, what I meant was when converting an openssh formatted private key to PEM or Base64 PKCS#8 encoded format, the private key generated when used to connect to the server(github.com) returns git@github.com: Permission denied (publickey). which I think is caused due the rejection of this key because the key generated is not a valid or is being altered in the process of decryption or altered in the process while converting into a new File Format (PEM)[Higly likely] thus not forming an invalid keypair with the public key on the server.

    Mark Waite
    @MarkEWaite
    I'll need to check with others to see if we're allowed to use an LGPL 3 library in a Jenkins plugin. Jenkins plugin code is generally licensed with the less restrictive MIT license rather than the more restrictive LGPL license.
    Mark Waite
    @MarkEWaite
    I'll miss the Friday morning mentoring session due to a conflicting meeting. I plan to attend the Tuesday morning mentoring session. My interactive testing indicates that we are ready to merge the username / password credential binding and release it. Would love to have further code review and discussion ready for the Tuesday morning session.
    4 replies
    Rishabh Budhouliya
    @rishabhBudhouliya
    I was surprised to see the GSoC midterm evaluation meetup is today! @arpoch since Mark and Justin will not be available during IST daytime, let me know if you want to have a zoom call for your demo preparation and review once.
    If you have any doubts or concerns regarding the presentation, we can set up a call. Otherwise all the very best for today! See you there at 6.30PM.
    Harshit Chopra
    @arpoch
    @rishabhBudhouliya can we have a zoom call at 4:00 PM IST today, to have a discussion on the demo I am presenting in the meetup, thinking of using push command on private repo . Also could have some discussion over SSH binding as well if time allows.
    2 replies
    @MarkEWaite the getSSHExecutable method 's scope is limited/package-private need to make it pulblic, specific to windows usecase.
    Rishabh Budhouliya
    @rishabhBudhouliya
    Great presentation @arpoch ! Enjoyed the progress made so far.
    Mark Waite
    @MarkEWaite
    I agree with @rishabhBudhouliya . Great presentation @arpoch! I propose one of the topics for the mentoring meeting is to confirm that we're ready to release git plugin 4.8.0 with git credentials binding for HTTP/HTTPS repositories.
    Rishabh Budhouliya
    @rishabhBudhouliya
    @MarkEWaite +1 on the git plugin release with Harshit's work.
    Mark Waite
    @MarkEWaite
    Git plugin latest incremental build from master branch has passed my smoke tests. I'm too tired to release tonight. Will release it tomorrow and send the social media announcement.
    Mark Waite
    @MarkEWaite
    The mvn release:prepare release:perform step is running now for git plugin 4.8.0 with the git credentials binding for username and password. Thanks @arpoch, @rishabhBudhouliya , and @justinharringa:matrix.org for great work on phase 1.
    Rishabh Budhouliya
    @rishabhBudhouliya
    wohoo! Congratulations everyone!
    Mark Waite
    @MarkEWaite
    Documentation for the 4.8.0 release is already visible at https://plugins.jenkins.io/git/#credential-binding . Release should be visible in update centers very soon.
    Harshit Chopra
    @arpoch
    @MarkEWaite, @rishabhBudhouliya , @justinharringa , great news I figured out what was causing the error with PEM file format, now we can again move on with sshj library, so I will make a PR with those change, although I was ready to make a PR with maverick-synenry but since everything seems to sorted out I will make the change.
    Justin Harringa
    @justinharringa:matrix.org
    [m]
    Awesome! Nice work!
    Harshit Chopra
    @arpoch
    Thank for pointing me I in the right direction @justinharringa:matrix.org
    Mark Waite
    @MarkEWaite
    @rishabhBudhouliya I used Google Summer of Code office hours today to create a first draft blog post for git credentials binding. Would you be willing to pull my first draft from https://github.com/MarkEWaite/jenkins.io/commits/announce-git-credentials-username-password-binding into your jenkins.io clone, make the changes that you feel should be made, then submit it as a pull request to the jenkins.io repository from your account? That makes it clear that we are both authors and allows you to make changes as needed.
    2 replies
    Harshit Chopra
    @arpoch
    The SSH binding branch is ready https://github.com/arpoch/git-plugin/tree/gitSSHPrivateKey, will make a PR tomorrow, needs some testing from my side.
    Harshit Chopra
    @arpoch
    @MarkEWaite , I cloned the jenkins-git-plugin repo to test the new binding but I am getting this message java.lang.NoSuchMethodError: No such DSL method 'GitUsernamePassword' found among steps it seems like the binding is not present, I encountered similar issue with the forked git-plugin as well, I have been working on this the whole day, I couldn't figure it out it, although when I checkout out to revision 2b5cfd1d0939a97f20c248d096f5ceeb7f76512f in my forked-git-plugin the binding is working.
    Is this something only I am encountering? I am extremelly nervous about this now.
    Mark Waite
    @MarkEWaite
    As far as I know, it is something that only you are encountering. You may need to merge the upstream master branch into your local master branch and then push your local branch to your origin repository. Steps that I usually take include:
    $ git checkout master
$ git pull --all
$ git merge upstream/master
$ git push origin
    I just ran the following command at commit a707434c10bdfedcd87e7c9ca2341f1182709de1 (upstream/master in my repository)
    $ mvn clean -Dtest=GitUsernamePasswordBindingTest test
    Harshit Chopra
    @arpoch
    Well if I am encountering this then I am totally fine, will figure out this no issue then, thanks alot Mark for such a quick response, saved my day, will report back here once the issue is solved from my side.
    Mark Waite
    @MarkEWaite
    I prefer to keep origin/master and upstream/master in sync so that I can refer to 'master' in diff and have it match the upstream repository. I know others who are more rigorous and they don't bother keeping origin/master in sync with upstream/master, they just remember to diff against upstream/master
    @arpoch we have some good feedback from Tim Jacomb at https://community.jenkins.io/t/git-username-password-credentials-binding-has-released/263 . He notes that the other symbols in the Jenkins Pipeline domain specific language almost all start with a lower case letter. I think we should change the default symbol from GitUsernamePassword to gitUsernamePassword with an extra symbol at the same location for GitUsernamePassword. However, I haven't done the experiments to see the impact of changing from @Symbol("GitUsernamePassword") to @Symbol(["gitUsernamePassword", "GitUsernamePassword"])
    Harshit Chopra
    @arpoch
    It has my attention now.
    Rishabh Budhouliya
    @rishabhBudhouliya
    I will not be attending the office hours today, have to be somewhere else early in the morning. I will be working on the draft created by @MarkEWaite and make sure that I create a pull request.
    Harshit Chopra
    @arpoch
    I will be late by few minutes today for the meeting.
    Harshit Chopra
    @arpoch

    As far as I know, it is something that only you are encountering. You may need to merge the upstream master branch into your local master branch and then push your local branch to your origin repository. Steps that I usually take include:

    $ git checkout master
$ git pull --all
$ git merge upstream/master
$ git push origin

    @MarkEWaite , After doing some investigation over this from my side, I don't think the issue that I encounter as described earlier, was related to this. The problem in my case was 

    <parent>
    <groupId>org.jenkins-ci.plugins</groupId>
    <artifactId>plugin</artifactId>
    <version>4.20</version>
    <relativePath />
  </parent>

    Changing the version to 19 solved it, now I am curious what is causing this, according to me it is just used to specify values which are not defiend in the pom.xml of the git-plugin. If so then it needs some more work on what is causing this.
    Also I am a bit confused on why only this issue is encountered by me. Do I need to install some specific dependencies or other changes in my IDE/pom.xml.

    Harshit Chopra
    @arpoch

    @MarkEWaite , @justinharringa:matrix.org , @rishabhBudhouliya , I have created a PR for the ssh binding, please note the ssh binding does not work with RSA encrypted keys in Openssh private key/RFC4716 format I outputs this error

    sign_and_send_pubkey: signing failed: error in libcrypto
git@github.com: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

    also dsa encrypted openssh formatted key is not support by sshj library, not our issue.
    I would suggest to test with encrypted RSA key openssh formatted, and let me know if you figure out something as well.

    Mark Waite
    @MarkEWaite
    I've released git client plugin 3.9.0 with the new API to report the SSHExecutable location.
    1 reply
    Justin Harringa
    @justinharringa:matrix.org
    [m]
    One option for DSA is that we could document that DSA keys aren't supported. OpenSSH disables it by default these days. http://www.openssh.com/legacy.html
    Mark Waite
    @MarkEWaite
    +1 from me to declare that we don't support DSA keys.
    Harshit Chopra
    @arpoch
    Will be late by 5 minutes
    Harshit Chopra
    @arpoch
    SSH Binding Update
    . The decrypted rsa private key in openssh format generates a fingerprint which is not matching with public key's fingerprint
    . Binary format can't be used, will cause not a valid format error( headers will be missing)
    KasperHeyndrickx
    @KasperHeyndrickx

    Hi everyone, we're using the git plugin for a multibranch pipeline on github.

    This setup uses 'mycredentials' stored in jenkins, and works fine. However, when calling gradle release, to push a new tag, we got this error:

    Exception occurred during push: [...] not authorized

    We fixed it by using a "withcredentials" block (see below), which uses the same credentials as the git-plugin. But I was wondering if the git plugin makes these variables available as environment variables by default? Or if there's another 'cleaner' way to do this? They're the same credentials, used for the same purpose, so it feels weird to define them twice.

              stage('Release') {
                withCredentials([usernamePassword(
                    credentialsId: 'mycredentials',
                    passwordVariable: 'GIT_PASSWORD',
                    usernameVariable: 'GIT_USER')]) {
                  sh './gradlew release -Prelease.customUsername=${GIT_USER} -Prelease.customPassword=${GIT_PASSWORD} -x test'
              }
          }
    Mark Waite
    @MarkEWaite
    @KasperHeyndrickx see the blog post at https://www.jenkins.io/blog/2021/07/27/git-credentials-binding-phase-1/ and the plugin docs at https://plugins.jenkins.io/git/#credential-binding.
    Mark Waite
    @MarkEWaite
    If the gradlew release command is using command line git to push, it may work using withCredentials([gitUsernamePassword(...)]) { }. If a variable needs to be passed on the command line, the names of the variables are listed in the git plugin documentation
    Harshit Chopra
    @arpoch
    @KasperHeyndrickx, you could check https://www.jenkins.io/doc/book/pipeline/jenkinsfile/#handling-credentials, I think this might help if you are not performing an git authentication operation and only wants env variables .
    Harshit Chopra
    @arpoch
    @MarkEWaite , @justinharringa:matrix.org , @justinharringa:matrix.org , my apologies for missing the meeting today, will assure next time to inform in advance.
    Mark Waite
    @MarkEWaite
    No problem @arpoch . @rishabhBudhouliya and I talked briefly, noted that we hadn't done any work on the credentials binding project since the previous meeting, then planned our next steps for testing and exploration. Rishabh plans to investigate more on RSA and sshj. I plan to test the current implementation and to generate private key file sample data and connection tests from my collection of computers. We think those plans won't disrupt your investigations and may help the project
    Harshit Chopra
    @arpoch
    @MarkEWaite could you please check the license for Apache mina project sshd https://github.com/apache/mina-sshd won't be an issue if taken as a dependency library
    Mark Waite
    @MarkEWaite
    The Apache Mina license is not a problem. Thanks for checking @arpoch !
    Rishabh Budhouliya
    @rishabhBudhouliya
    @arpoch Apache mina sshd seems like an interesting choice, have you been able to use it to decrypt an OPENSSH format private key?
    Harshit Chopra
    @arpoch
    Yes I did, but it needs alot of work right now since the code is not integrated with the git plugin. Will try to make noticeable changes this weekend.
    Mark Waite
    @MarkEWaite
    I wonder if we might be able to learn something interesting by comparing the implementation of https://github.com/jenkinsci/hashicorp-vault-plugin/blob/master/src/main/java/com/datapipe/jenkins/vault/credentials/common/VaultSSHUserPrivateKeyBinding.java . It appears to have a private key binding, though I believe it is reading from Hashicorp Vault rather than reading from the Jenkins credentials store
    Rishabh Budhouliya
    @rishabhBudhouliya
    Interesting reference Mark, I've taken a cursory look at their code and from what I can understand
    • they are using the getCredentials method to get the credentials by ID, using them as is, with no custom decryption logic
    • I am not sure if they are reading the credentials from the Vault instead of the credentials store, I mean the binding is trying to establish a ssh connection with the Vault, right?
      so the credentials to connect to Vault would not be stored in the Vault itself.
    Mark Waite
    @MarkEWaite
    I thought they were reading an SSH private key from Hashicorp Vault and placing the private key in the workspace for use by the Jenkins Pipeline. If that's not the case, then the reference is not as useful as I'd hoped
    Rishabh Budhouliya
    @rishabhBudhouliya
    Sorry, maybe I have interpreted this wrong. Can you point me to the code where they are trying to establish a Vault connection?
    I believed they are using the binding as a place to interact with the Vault to get secrets safely within the Jenkins environment.
    Harshit Chopra
    @arpoch
    I think Rishabh is right, what I could tell is that they are appending the keys taken from fie sytem without any decryption logic involved. But certain bits of code do match with the impl of bindings we have created so it could be taken as a reference to improve our code further.
    Justin Harringa
    @justinharringa:matrix.org
    [m]
    It appears that they are making a passphrase protected key and passphrase available to the environment and it appears that they're not attempting to convert it to passphraseless.