From 03f6c269404a9cbd73a5d1b7987bec489a5b6229 Mon Sep 17 00:00:00 2001 From: root Date: Thu, 4 Jun 2026 00:51:25 -0400 Subject: [PATCH] fix ssh key parsing 3 --- .gitlab-ci.yml | 14 ++++++++++---- docs/DOCKER.md | 1 + 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index fc3b56f..d2e4b80 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -191,9 +191,10 @@ deploy_to_vps: - | key_file="$(mktemp)" decoded_key_file="$(mktemp)" + escaped_key_file="$(mktemp)" cleanup_key_files() { - rm -f "$key_file" "$decoded_key_file" + rm -f "$key_file" "$decoded_key_file" "$escaped_key_file" } trap cleanup_key_files EXIT @@ -206,14 +207,19 @@ deploy_to_vps: chmod 600 "$key_file" if ! ssh-keygen -y -f "$key_file" >/dev/null 2>&1; then - if [ ! -f "${SSH_PRIVATE_KEY:-}" ] && printf '%s' "$SSH_PRIVATE_KEY" | tr -d '\r\n\t ' | base64 -d > "$decoded_key_file" 2>/dev/null; then - tr -d '\r' < "$decoded_key_file" > "$key_file" + if [ ! -f "${SSH_PRIVATE_KEY:-}" ]; then + printf '%b' "$SSH_PRIVATE_KEY" | tr -d '\r' > "$escaped_key_file" + if ssh-keygen -y -f "$escaped_key_file" >/dev/null 2>&1; then + cp "$escaped_key_file" "$key_file" + elif printf '%s' "$SSH_PRIVATE_KEY" | tr -d '\r\n\t ' | base64 -d > "$decoded_key_file" 2>/dev/null; then + tr -d '\r' < "$decoded_key_file" > "$key_file" + fi chmod 600 "$key_file" fi fi ssh-keygen -y -f "$key_file" >/dev/null 2>&1 || { - echo "SSH_PRIVATE_KEY must be an unencrypted OpenSSH private key. GitLab file variables, raw multiline keys, and base64-encoded keys are supported." >&2 + echo "SSH_PRIVATE_KEY must be an unencrypted OpenSSH private key. Supported formats: GitLab file variable, raw multiline key, single-line key with literal \\n escapes, or base64-encoded key." >&2 exit 1 } diff --git a/docs/DOCKER.md b/docs/DOCKER.md index dacce9f..e8f033c 100644 --- a/docs/DOCKER.md +++ b/docs/DOCKER.md @@ -212,6 +212,7 @@ SSH_PRIVATE_KEY= - GitLab `File` variable containing the private key - Standard multiline key pasted directly into the variable value +- Single-line key with literal `\n` newline escapes - Base64-encoded private key stored as a single line If your key is passphrase-protected, generate a dedicated deploy key without a passphrase for CI instead of reusing an interactive workstation key.