Deployment key mapping: Key comments not written for some key types/formats? #93

pmeth opened this issue Aug 25, 2021 · 14 comments

@pmeth

pmeth commented Aug 25, 2021

I tried this action and in the output for the adding ssh-agent step, I see the following message for each key I added:

Comment for key 'ssh-rsa blablamykey= (stdin)' does not match GitHub URL pattern. Not treating it as a GitHub deploy key.

My comments are in the format git@github.com:Myorg/myrepo.git. I tried it with and without quotes.

Why doesn't it work?

@cosminionut1996

cosminionut1996 commented Aug 27, 2021

Similar issue here. I'm using the same format for the comment, the command is something like ssh-keygen -C "git@github.com:org/repo.git".
Not sure what's going on and can't find alternatives.

@mpdude
Member

mpdude commented Aug 27, 2021

I am also not sure where this is coming from, but others reported similar issues before… the key comment seems to be (stdin) (sic!) only.

Can you load your keys into a ssh-agent running locally and then list keys with ssh-add -l? Does that show the same comment?

With which command did you create keys, and which tool/platform/SSH implementation did you use?

@mpdude
Member

mpdude commented Aug 27, 2021

#76 and #88 are similar, but were closed before we could find the root issue and/or document what to watch out for.

@pmeth
Author

pmeth commented Aug 27, 2021

@mpdude

The command I used was

ssh-keygen -t rsa -m PEM -C git@github.com:Myorg/myrepo.git

ssh-add -l does not show the comment, but should it? The comment is on the public key. I wasn't aware that private keys could have comments.

By the way, I was following another similar issue, where the poster said he switched from a PEM to an OpenSSH key which got him further, so I tried to convert the PEM key to OpenSSH and it seemed to work:

Adding private key(s) to agent
Identity added: (stdin) (git@github.com:Myorg/myrepo.git)
Key(s) added:
3072 SHA256:yadayadasomekey git@github.com:Myorg/myrepo.git (RSA)
Configuring deployment key(s)
Added deploy-key mapping: Use identity '/home/runner/.ssh/key-wakawakesomerandomstring' for GitHub repository Myorg/myrepo

I had tried it previously but it didn't authenticate, but I think that might have been because I forgot to update the pub key after switching to OpenSSH. With GitHub this is several steps to test different options and very easy to make a mistake :(

So maybe this problem can be solved by updating the documentation, removing the PEM mention and switching to OpenSSH?

@mpdude
Member

mpdude commented Aug 28, 2021

$ ssh -V
OpenSSH_7.6p1 Ubuntu-4ubuntu0.5, OpenSSL 1.0.2n  7 Dec 2017
# Start a new ssh-agent instance
$ eval `ssh-agent -s`
Agent pid 28881
# Create a key
$ ssh-keygen -t rsa -m PEM -C git@github.com:Myorg/myrepo.git -f ./key
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ./key.
Your public key has been saved in ./key.pub.
The key fingerprint is:
SHA256:mzloewDGtOIcqtyjYVsRLy7GboKp9fECMOxO6GRNbJU git@github.com:Myorg/myrepo.git
The key's randomart image is:
[...]
# Load the key
$ ssh-add ./key
Identity added: ./key (./key)
# Show loaded identities
$ ssh-add -L
ssh-rsa AAAAB3NzaC1yc2EAA[...clipped...]a5tHjyBx ./key

Seems to be not what we're expecting 🤔.

@mpdude
Member

mpdude commented Aug 28, 2021

From man ssh-keygen:

For keys stored in the newer OpenSSH format, there is also a comment field in the key file that is only for convenience to the user to help identify the key. The comment can tell what the key is for, or whatever is useful. The comment is initialized to “user@host” when the key is created, but can be changed using the -c option.

ED25519-type keys seem to use this format by default:

$ ssh-keygen -t ed25519 -C 'key comment' -f ./key-ed25519
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ./key-ed25519.
Your public key has been saved in ./key-ed25519.pub.
The key fingerprint is:
SHA256:0vHOan+MaueZCljLFCmCR23kHY8/ceYiVdaEKcA/tKI key comment
[...]
$ ssh-add ./key-ed25519
Identity added: ./key-ed25519 (key comment)
$ ssh-add -L
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF4kGq2pddWKmnr0QYEjmiEaextL3ELK0FK7o93iRvpy key comment
$ head key-ed25519
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACBeJBqtqXXVipp69EGBI5ohGnsbS9xCytBSu6Pd4kb6cgAAAJCzK/qdsyv6
nQAAAAtzc2gtZWQyNTUxOQAAACBeJBqtqXXVipp69EGBI5ohGnsbS9xCytBSu6Pd4kb6cg
AAAEC38Ssa6uZqwX4i74LDrHG97tJfPIQ6P2Ow3ViLfJB+QV4kGq2pddWKmnr0QYEjmiEa
extL3ELK0FK7o93iRvpyAAAAC2tleSBjb21tZW50AQI=
-----END OPENSSH PRIVATE KEY-----

Some (newer?) SSH suites support -o for ssh-keygen to use this new format. I don't know if that is a contradiction to what the README says with regard to having to use the PEM key format.
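
An added example, not part of the thread or of the action's code: a minimal parser for the `openssh-key-v1` container shown above that reads the comment out of a private key file and returns `None` for PEM files, which have no comment field. The sample key is constructed (zero bytes instead of key material), and only unencrypted ed25519 and RSA keys are handled.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"
FIELDS = {b"ssh-ed25519": 2, b"ssh-rsa": 6}  # fields between key type and comment

def _s(data):
    """Encode one SSH wire string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def _read(buf, off):
    """Decode one SSH wire string at off; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:off + 4 + n], off + 4 + n

def private_key_comment(key_text):
    """Comment stored in a private key file; None if the format has no
    comment field (PEM) or the private section is encrypted."""
    lines = [l.strip() for l in key_text.strip().splitlines()]
    if not lines or lines[0] != "-----BEGIN OPENSSH PRIVATE KEY-----":
        return None                      # e.g. "BEGIN RSA PRIVATE KEY" from -m PEM
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    cipher, off = _read(blob, len(MAGIC))
    for _ in range(2):                   # kdfname, kdfoptions
        _, off = _read(blob, off)
    _, off = _read(blob, off + 4)        # skip key count, read public key blob
    priv, _ = _read(blob, off)
    if cipher != b"none":
        return None                      # comment sits inside the ciphertext
    keytype, off = _read(priv, 8)        # skip the two check integers
    if keytype not in FIELDS:
        raise ValueError("unsupported key type")
    for _ in range(FIELDS[keytype]):
        _, off = _read(priv, off)
    comment, _ = _read(priv, off)
    return comment.decode()

def make_sample(comment):
    """Constructed sample: zero bytes stand in for real ed25519 key material."""
    pub = _s(b"ssh-ed25519") + _s(bytes(32))
    priv = bytes(8) + pub + _s(bytes(64)) + _s(comment.encode())
    priv += bytes(range(1, 1 + (-len(priv)) % 8))   # pad to a multiple of 8
    blob = MAGIC + _s(b"none") * 2 + _s(b"") + struct.pack(">I", 1) + _s(pub) + _s(priv)
    body = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"
```

A `None` result corresponds to the case in this thread where `ssh-add` reports the file name or `(stdin)` instead of the comment.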

mpdude added the help wanted label Aug 28, 2021
@cosminionut1996

cosminionut1996 commented Aug 30, 2021

@mpdude Hello. I did try using the example you provided (ssh-keygen -t ed25519 -C 'key comment' -f ./key-ed25519), but this didn't work either. I'm still getting the same error. Here's a complete output:

Run webfactory/[email protected]
  with:
    ssh-private-key: ***
  env:
    DOCKER_PASS: ***
    DOCKER_USER: <company>
    pythonLocation: /opt/hostedtoolcache/Python/3.9.0/x64
    LD_LIBRARY_PATH: /opt/hostedtoolcache/Python/3.9.0/x64/lib
Identity added: (stdin) (git@github.com:<company>/<repo>.git)
Adding GitHub.com keys to /home/runner/.ssh/known_hosts
Starting ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-2aKj2C0YRq55/agent.1876
SSH_AGENT_PID=1877
Adding private key(s) to agent
Key(s) added:
256 SHA256:<somekeydatahere> git@github.com:<company>/<repo>.git (ED25519)
Configuring deployment key(s)
Added deploy-key mapping: Use identity '/home/runner/.ssh/key-<someotherkeydatahere>' for GitHub repository <company>/<repo>
Comment for key '' does not match GitHub URL pattern. Not treating it as a GitHub deploy key.

@mpdude
Member

mpdude commented Aug 30, 2021

@cosminionut1996 it worked, see the second last line. (There must be a glitch causing the last line, ignore it.)

@wblessen

wblessen commented Sep 1, 2021

I'm using an existing private key to access another library via Composer:

      - uses: webfactory/[email protected]
        with:
           ssh-private-key: ${{ secrets.MY_PRIVATE_KEY }} -C "git@github.com:owner/repository"

Question: Can I also use -C with existing keys? Is this what you are talking about with KNOWN_HOSTS?

My Output fails with:

Adding GitHub.com keys to /home/runner/.ssh/known_hosts
Starting ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-UuY1zWt2wlA6/agent.2139
SSH_AGENT_PID=2140
Adding private key(s) to agent
Error loading key "(stdin)": invalid format
Error: Command failed: ssh-add -
Error loading key "(stdin)": invalid format

It would be very nice if you extended your documentation with working examples on known hosts with GitHub.

Thank you !!!

mpdude changed the title from "Does not recognize my comment as a github repo" to "Deployment key mapping: Key comments not written for some key types/formats?" Nov 18, 2021
@mindflayer

mindflayer commented Nov 30, 2021

Not using PEM format worked for me. So, basically:

ssh-keygen -t rsa -b 4096 -C git@github.com:foo/bar.git

@dmoored4

Thanks for all the work on this! New to GitHub CI but I think my CI failing is related to this. I'm using ed25519 keys and for one repo which is referencing one other private repo it works. When I have a repo that has to access 2+ repos it fails. I saw the README about adding comments to the keys to direct which URL that key should be used for. Here's the overall setup for where the CI is failing for the third repo.

GitHub Enterprise ([email protected]:my-enterprise)

Private Repos

FirstRepo ([email protected]:my-enterprise/FirstRepo.git)

  • Deploy Key: FirstRepo_Pub

SecondRepo ([email protected]:my-enterprise/SecondRepo.git)

  • Deploy Key: SeoncdRepo_Pub

ThirdRepo ([email protected]:my-enterprise/ThirdRepo.git)

  • Secrets/Actions/Repository Secrets:
    • FirstRepo_Priv:

      -----BEGIN OPENSSH PRIVATE KEY-----
      <redacted>= [email protected]:my-enterprise/FirstRepo.git
      -----END OPENSSH PRIVATE KEY-----
      
    • SecondRepo_Priv

      -----BEGIN OPENSSH PRIVATE KEY-----
      <redacted>= [email protected]:my-enterprise/SecondRepo.git
      -----END OPENSSH PRIVATE KEY-----
      

in my CI.yml

- uses: webfactory/[email protected]
   with:
       ssh-private-key: |
                  ${{ secrets.FirstRepo_Priv}}
                  ${{ secrets.SecondRepo_Priv}}

Is the issue with how I've set up the keys or how I've added the comments to my private keys? If I run ssh-keygen -t ed22519 -C " [email protected]:my-enterprise/FirstRepo.git" the URL is only added to the public key. From reading other posts it seemed that the url hint would just be able to be added as a plaintext comment to the end of the SSH key. Is this wrong in general or just not working for ed25519 or something else altogether? Thanks!

@lexun

lexun commented Jul 24, 2023

Just a note for anyone using tools like 1Password - it seems that sometimes they'll strip the comment out when you import your private key. In my case, I was generating the key locally, then updating a 1Password entry before using 1Password to autofill the keys in GitHub. It turns out that upon being imported to 1Password, the private key was modified and shortened, removing the comment from the public key later generated from the private key.

@eppisapiafsl

I'm facing this issue with both keys 👀

ssh-keygen -t ed25519 -C git@github.com:foo/bar.git

ssh-keygen -t rsa -b 4096 -C git@github.com:foo/bar.git

@rupurt

rupurt commented Dec 3, 2024

@eppisapiafsl it seems like GitHub is now stripping the comment from the key #228
