When using environment variables to set up the Git authentication, the remote Git repository will automatically be accessed via https, independently of the `repositoryUrl` format configured in the semantic-release Configuration (the format will be automatically converted as needed).
Alternatively, the Git repository can be accessed via SSH by creating SSH keys, adding the public one to your Git hosted account and making the private one available in the CI environment.
In your local repository root:

```bash
$ ssh-keygen -t rsa -b 4096 -C "<your_email>" -f git_deploy_key -N "<ssh_passphrase>"
```

`your_email` must be the email associated with your Git hosted account. `ssh_passphrase` must be a long and hard to guess string. It will be used later.

This will generate a public key in `git_deploy_key.pub` and a private key in `git_deploy_key`.
Step by step instructions are provided for the following Git hosted services. For GitHub:

Open the `git_deploy_key.pub` file (public key) and copy the entire content.

In GitHub Settings, click on SSH and GPG keys in the sidebar, then on the New SSH Key button.

Paste the entire content of the `git_deploy_key.pub` file (public key) and click the Add SSH Key button.

Delete the `git_deploy_key.pub` file:

```bash
$ rm git_deploy_key.pub
```

See Adding a new SSH key to your GitHub account for more details.
In order to be available in the CI environment, the SSH private key must be encrypted, committed to the Git repository and decrypted by the CI service. Step by step instructions are provided for the following environments. For Travis CI:
Install the Travis CLI:

```bash
$ gem install travis
```

Login to Travis with the CLI:

```bash
$ travis login
```

Add the environment variable `SSH_PASSPHRASE` to Travis with the value set during the SSH keys generation step:

```bash
$ travis env set SSH_PASSPHRASE <ssh_passphrase>
```

Encrypt the `git_deploy_key` (private key) using a symmetric encryption (AES-256), and store the secret in a secure environment variable in the Travis environment:

```bash
$ travis encrypt-file git_deploy_key
```

The `travis encrypt-file` command will encrypt the private key into the `git_deploy_key.enc` file and output in the console the command to add to your `.travis.yml` file. It should look like `openssl aes-256-cbc -K $encrypted_KKKKKKKKKKKK_key -iv $encrypted_VVVVVVVVVVVV_iv -in git_deploy_key.enc -out git_deploy_key -d`.

Copy this command to your `.travis.yml` file in the `before_install` step. Change the output path to write the unencrypted key in `/tmp`: `-out git_deploy_key` => `-out /tmp/git_deploy_key`. This avoids committing, modifying or deleting the unencrypted key by mistake on the CI. Then add the commands to decrypt the ssh private key and make it available to `git`:
```yaml
before_install:
  # Decrypt the git_deploy_key.enc key into /tmp/git_deploy_key
  - openssl aes-256-cbc -K $encrypted_KKKKKKKKKKKK_key -iv $encrypted_VVVVVVVVVVVV_iv -in git_deploy_key.enc -out /tmp/git_deploy_key -d
  # Make sure only the current user can read the private key
  - chmod 600 /tmp/git_deploy_key
  # Create a script to return the passphrase environment variable to ssh-add
  - echo 'echo ${SSH_PASSPHRASE}' > /tmp/askpass && chmod +x /tmp/askpass
  # Start the authentication agent
  - eval "$(ssh-agent -s)"
  # Add the key to the authentication agent
  - DISPLAY=":0.0" SSH_ASKPASS="/tmp/askpass" setsid ssh-add /tmp/git_deploy_key </dev/null
```

See Encrypting Files for more details.
Delete the local private key as it won't be used anymore:

```bash
$ rm git_deploy_key
```

Commit the encrypted private key and the `.travis.yml` file to your repository:

```bash
$ git add git_deploy_key.enc .travis.yml
$ git commit -m "ci(travis): Add the encrypted private ssh key"
$ git push
```
For Circle CI, first encrypt the `git_deploy_key` (private key) using a symmetric encryption (AES-256). Run the following `openssl` command and make sure to note the output, which we'll need later:

```bash
$ openssl aes-256-cbc -e -p -in git_deploy_key -out git_deploy_key.enc -K `openssl rand -hex 32` -iv `openssl rand -hex 16`
salt=SSSSSSSSSSSSSSSS
key=KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK
iv =VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
```
Add the following environment variables to Circle CI:

- `SSH_PASSPHRASE` - the value set during the SSH keys generation step.
- `REPO_ENC_KEY` - the `key` (KKK) value from the `openssl` step above.
- `REPO_ENC_IV` - the `iv` (VVV) value from the `openssl` step above.
Then add to your `.circleci/config.yml` the commands to decrypt the ssh private key and make it available to `git`:

```yaml
version: 2
jobs:
  coverage_test_publish:
    # docker, working_dir, etc
    steps:
      # git_deploy_key.enc lives in the repository, so it must be checked out before it can be decrypted
      - checkout
      - run:
          name: Decrypt the deploy key and load it into ssh-agent
          command: |
            # Decrypt the git_deploy_key.enc key into /tmp/git_deploy_key
            openssl aes-256-cbc -d -K $REPO_ENC_KEY -iv $REPO_ENC_IV -in git_deploy_key.enc -out /tmp/git_deploy_key
            # Make sure only the current user can read the private key
            chmod 600 /tmp/git_deploy_key
            # Create a script to return the passphrase environment variable to ssh-add
            echo 'echo ${SSH_PASSPHRASE}' > /tmp/askpass && chmod +x /tmp/askpass
            # Start the authentication agent
            eval "$(ssh-agent -s)"
            # Add the key to the authentication agent
            DISPLAY=":0.0" SSH_ASKPASS="/tmp/askpass" setsid ssh-add /tmp/git_deploy_key </dev/null
            # Every CircleCI step runs in a new shell: persist the agent variables
            # through $BASH_ENV so the later semantic-release step can use the key
            echo "export SSH_AUTH_SOCK=$SSH_AUTH_SOCK SSH_AGENT_PID=$SSH_AGENT_PID" >> $BASH_ENV
      # restore_cache, run: yarn install, save_cache, etc.
      # Run semantic-release after all the above is set.
```
The unencrypted key is written to `/tmp` to avoid committing, modifying or deleting it by mistake in the CI environment.
Delete the local private key as it won't be used anymore:

```bash
$ rm git_deploy_key
```

Commit the encrypted private key and the `.circleci/config.yml` file to your repository:

```bash
$ git add git_deploy_key.enc .circleci/config.yml
$ git commit -m "ci(circle): Add the encrypted private ssh key"
$ git push
```
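The AES-256-CBC encrypt/decrypt round trip behind the Travis CI and Circle CI steps above, as an added example that is not code from the semantic-release docs: it generates the key and IV into variables (so they can be stored as CI secrets without reading them off the `-p` output), creates the decrypted key under `umask 077` so it is never readable by other users even briefly, and checks the result before it would be handed to `ssh-add`. It assumes only that `openssl` is on PATH; all file names and the sample key content are constructed.

```shell
#!/bin/sh
# Added example (not from the semantic-release docs). Assumes openssl on PATH;
# every path and the sample "key" below are constructed for the demo.

# Generate the 256-bit key and 128-bit IV, hex-encoded, into the variables the
# CircleCI decrypt step reads (REPO_ENC_KEY / REPO_ENC_IV).
gen_secrets() {
    REPO_ENC_KEY=$(openssl rand -hex 32)   # 32 bytes -> 64 hex characters
    REPO_ENC_IV=$(openssl rand -hex 16)    # 16 bytes -> 32 hex characters
    export REPO_ENC_KEY REPO_ENC_IV
}

# Encrypt the private key "$1" into "$1.enc", the only file that gets committed.
encrypt_key() {
    openssl aes-256-cbc -e -K "$REPO_ENC_KEY" -iv "$REPO_ENC_IV" \
        -in "$1" -out "$1.enc"
}

# Decrypt "$1" into "$2" (kept outside the checkout, e.g. /tmp). The umask in
# the subshell makes the plaintext 0600 from creation; chmod mirrors the CI step.
decrypt_key() {
    ( umask 077 && openssl aes-256-cbc -d -K "$REPO_ENC_KEY" -iv "$REPO_ENC_IV" \
        -in "$1" -out "$2" ) && chmod 600 "$2"
}

# Pre-flight check before ssh-add: the decrypted key exists and is exactly
# mode 0600 (find -perm with an exact octal mode is POSIX).
key_is_private() {
    [ -f "$1" ] && [ -n "$(find "$1" -perm 600)" ]
}

# Full round trip on a constructed sample. Returns 0 when the encrypted file
# differs from the input and decryption reproduces the input byte for byte.
roundtrip_ok() {
    rt_dir=$(mktemp -d) || return 1
    printf 'CONSTRUCTED SAMPLE, not a real private key\n' > "$rt_dir/git_deploy_key"
    gen_secrets
    encrypt_key "$rt_dir/git_deploy_key" || return 1
    decrypt_key "$rt_dir/git_deploy_key.enc" "$rt_dir/decrypted_key" || return 1
    ! cmp -s "$rt_dir/git_deploy_key" "$rt_dir/git_deploy_key.enc" || return 1
    cmp -s "$rt_dir/git_deploy_key" "$rt_dir/decrypted_key" || return 1
    key_is_private "$rt_dir/decrypted_key" || return 1
    rm -rf "$rt_dir"
}
```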