fix ssh key parsing 3
This commit is contained in:
+10
-4
@@ -191,9 +191,10 @@ deploy_to_vps:
|
||||
- |
|
||||
key_file="$(mktemp)"
|
||||
decoded_key_file="$(mktemp)"
|
||||
escaped_key_file="$(mktemp)"
|
||||
|
||||
cleanup_key_files() {
|
||||
rm -f "$key_file" "$decoded_key_file"
|
||||
rm -f "$key_file" "$decoded_key_file" "$escaped_key_file"
|
||||
}
|
||||
trap cleanup_key_files EXIT
|
||||
|
||||
@@ -206,14 +207,19 @@ deploy_to_vps:
|
||||
chmod 600 "$key_file"
|
||||
|
||||
if ! ssh-keygen -y -f "$key_file" >/dev/null 2>&1; then
|
||||
if [ ! -f "${SSH_PRIVATE_KEY:-}" ] && printf '%s' "$SSH_PRIVATE_KEY" | tr -d '\r\n\t ' | base64 -d > "$decoded_key_file" 2>/dev/null; then
|
||||
tr -d '\r' < "$decoded_key_file" > "$key_file"
|
||||
if [ ! -f "${SSH_PRIVATE_KEY:-}" ]; then
|
||||
printf '%b' "$SSH_PRIVATE_KEY" | tr -d '\r' > "$escaped_key_file"
|
||||
if ssh-keygen -y -f "$escaped_key_file" >/dev/null 2>&1; then
|
||||
cp "$escaped_key_file" "$key_file"
|
||||
elif printf '%s' "$SSH_PRIVATE_KEY" | tr -d '\r\n\t ' | base64 -d > "$decoded_key_file" 2>/dev/null; then
|
||||
tr -d '\r' < "$decoded_key_file" > "$key_file"
|
||||
fi
|
||||
chmod 600 "$key_file"
|
||||
fi
|
||||
fi
|
||||
|
||||
ssh-keygen -y -f "$key_file" >/dev/null 2>&1 || {
|
||||
echo "SSH_PRIVATE_KEY must be an unencrypted OpenSSH private key. GitLab file variables, raw multiline keys, and base64-encoded keys are supported." >&2
|
||||
echo "SSH_PRIVATE_KEY must be an unencrypted OpenSSH private key. Supported formats: GitLab file variable, raw multiline key, single-line key with literal \\n escapes, or base64-encoded key." >&2
|
||||
exit 1
|
||||
}
|
||||
|
||||
|
||||
@@ -212,6 +212,7 @@ SSH_PRIVATE_KEY=<deployment-private-key>
|
||||
|
||||
- GitLab `File` variable containing the private key
|
||||
- Standard multiline key pasted directly into the variable value
|
||||
- Single-line key with literal `\n` newline escapes
|
||||
- Base64-encoded private key stored as a single line
|
||||
|
||||
If your key is passphrase-protected, generate a dedicated deploy key without a passphrase for CI instead of reusing an interactive workstation key.
|
||||
|
||||
Reference in New Issue
Block a user