Eclipse Community Forums
Github.com RSA key with SHA-1 no longer allowed [message #1850814] Thu, 17 March 2022 13:22
Alexander Gherschon
Messages: 1
Registered: March 2022
Junior Member
Hello,

Since March 15th Github reinforced its ssh security, and since then I can't push into our Github remote repository (I can't link the article because I'm new here).

Now, the key we're using is RSA with SHA-256:

4096 SHA256:b5y-somestuff/blablablaRY mobile@company.com (RSA)

And the error I'm getting when trying to push something with jGit is the following:

> org.eclipse.jgit.api.errors.InvalidRemoteException: Invalid remote: origin
Cause: git@github.com:company/Project.git: ERROR: You're using an RSA key with SHA-1, which is no longer allowed. Please use a newer client or a different key type.
Please see <github-blog>/2021-09-01-improving-git-protocol-security-github/ for more information.

So why is it that jGit tries to use a SHA1 key (from where, even) when we supply a valid key?

Here is how we define SshTransportConfigCallback:
import java.io.File
import com.jcraft.jsch.JSch
import com.jcraft.jsch.Session
import org.eclipse.jgit.api.TransportConfigCallback
import org.eclipse.jgit.transport.JschConfigSessionFactory
import org.eclipse.jgit.transport.OpenSshConfig
import org.eclipse.jgit.transport.SshTransport
import org.eclipse.jgit.transport.Transport
import org.eclipse.jgit.util.FS
import org.gradle.api.Project

class SshTransportConfigCallback(val project: Project): TransportConfigCallback {

    override fun configure(transport: Transport?) {

        val sshTransport = transport as? SshTransport
        sshTransport?.sshSessionFactory = object: JschConfigSessionFactory() {

            override fun configure(hc: OpenSshConfig.Host?, session: Session?) {
                // Disables host key verification against known_hosts entirely.
                session?.setConfig("StrictHostKeyChecking", "no") // doesn't change anything
                // Selects the algorithm of the *server's* host key, not the signature
                // algorithm used with our client key.
                session?.setConfig("server_host_key","ecdsa-sha2-nistp256") // doesn't change anything
            }

            override fun createDefaultJSch(fs: FS?): JSch {
                val jSch = super.createDefaultJSch(fs)

                // On CI the key is provisioned at a fixed path; otherwise use the local one.
                val pathBitriseSshKey = "/root/.ssh/bitrise_step_activate_ssh_key"

                if (File(pathBitriseSshKey).exists()) {
                    jSch.addIdentity(pathBitriseSshKey)
                } else {
                    val userHome = System.getProperty("user.home", project.gradle.gradleUserHomeDir.parent)
                    val localPrivateKey = "${userHome}/.ssh/our_valid_rsa_sha256_key"
                    jSch.addIdentity(localPrivateKey)
                }

                // Same two-way split for known_hosts.
                val pathBitriseKnownHosts = "/root/.ssh/known_hosts"
                if (File(pathBitriseKnownHosts).exists()) {
                    jSch.setKnownHosts(pathBitriseKnownHosts)
                } else {
                    val userHome = System.getProperty("user.home", project.gradle.gradleUserHomeDir.parent)
                    val localKnownHosts = "${userHome}/.ssh/known_hosts"
                    jSch.setKnownHosts(localKnownHosts)
                }

                return jSch
            }
        }
    }
}

If we use git directly from our CI, we can push without any issue from bash, so what am I missing in the configuration of jGit?

Thank you in advance for your help!
Re: Github.com RSA key with SHA-1 no longer allowed [message #1850825 is a reply to message #1850814] Thu, 17 March 2022 15:59
Thomas Wolf
Messages: 576
Registered: August 2016
Senior Member
You're missing that JSch 0.1.55 does not support rsa-sha2-256 or rsa-sha2-512 signatures.

The JSch support in JGit (bundle org.eclipse.jgit.ssh.jsch) is basically end-of-life. It is no longer actively maintained. The JSch 0.1.55 it was originally done for is unmaintained, old, and buggy. You may try to use org.eclipse.jgit.ssh.jsch together with the JSch fork from https://github.com/mwiede/jsch , which should be a drop-in replacement for JSch 0.1.55, but the JGit team is not going to fix any bugs you might encounter.

The supported SSH support in JGit is based on Apache MINA sshd and can be found in bundle org.eclipse.jgit.ssh.apache.

(BTW: RSA keys are still RSA keys. There are no RSA-SHA1 or RSA-SHA256 keys. They're the same. The whole issue is just about a particular weak signature algorithm for RSA keys that was deprecated a while ago and finally disabled by default in OpenSSH. And obviously also on Github.)

[Updated on: Thu, 17 March 2022 16:19]

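An added example (not code from the thread, from JGit, or from Gradle) of the original callback rewritten for the supported org.eclipse.jgit.ssh.apache backend, which offers rsa-sha2-256 and rsa-sha2-512 signatures for the same RSA key. It assumes JGit 5.8 or later with the org.eclipse.jgit.ssh.apache artifact on the classpath; the key and known_hosts paths are the ones from the original post, and the class name is made up.

```kotlin
import java.io.File
import java.nio.file.Path
import org.eclipse.jgit.api.TransportConfigCallback
import org.eclipse.jgit.transport.SshTransport
import org.eclipse.jgit.transport.Transport
import org.eclipse.jgit.transport.sshd.SshdSessionFactoryBuilder
import org.gradle.api.Project

// Replacement for the JSch-based callback: JGit's Apache MINA sshd backend
// negotiates rsa-sha2-256 / rsa-sha2-512, so the existing 4096-bit RSA key keeps
// working on github.com after ssh-rsa (SHA-1) signatures were disabled there.
class ApacheSshTransportConfigCallback(private val project: Project) : TransportConfigCallback {

    // CI layout taken from the original post: key and known_hosts live under /root/.ssh.
    private val ciKey = File("/root/.ssh/bitrise_step_activate_ssh_key")

    override fun configure(transport: Transport?) {
        val sshTransport = transport as? SshTransport ?: return

        val userHome = File(System.getProperty("user.home", project.gradle.gradleUserHomeDir.parent))
        // Directory whose known_hosts (and config, if present) the MINA backend reads.
        val sshDir: File = if (ciKey.exists()) ciKey.parentFile else File(userHome, ".ssh")
        // Private key to offer; mirrors the CI / local split of the JSch version.
        val identity: Path = if (ciKey.exists()) ciKey.toPath()
                             else File(sshDir, "our_valid_rsa_sha256_key").toPath()

        sshTransport.sshSessionFactory = SshdSessionFactoryBuilder()
            .setHomeDirectory(userHome)
            .setSshDirectory(sshDir)
            // Public-key authentication only: no password or keyboard-interactive prompts on CI.
            .setPreferredAuthentications("publickey")
            // Keys tried when ~/.ssh/config names no IdentityFile for the host.
            .setDefaultIdentities { listOf(identity) }
            // null: no in-memory key cache, keys are re-read for each session.
            .build(null)
        // Host keys are checked against sshDir/known_hosts by default; unlike the
        // JSch version, nothing here turns StrictHostKeyChecking off.
    }
}
```

An unknown github.com host key still fails the connection here, so the CI image's known_hosts must carry GitHub's current host keys, as it already does for the command-line git push mentioned above.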

Re: Github.com RSA key with SHA-1 no longer allowed [message #1851603 is a reply to message #1850825] Mon, 11 April 2022 00:54
Martin Braun
Messages: 2
Registered: April 2022
Junior Member
This issue essentially broke private repositories from GitHub when using gitRepository in gradle. I am unable to add my java dependency from a private repository, because gradle uses jGit.

I also tried to bypass this issue by generating a SHA-256 RSA key by running: ssh-keygen -t rsa -b 4096 -E sha256 -m PEM

Thomas Wolf wrote on Thu, 17 March 2022 15:59
RSA keys are still RSA keys. There are no RSA-SHA1 or RSA-SHA256 keys. They're the same. The whole issue is just about a particular weak signature algorithm for RSA keys that was deprecated a while ago and finally disabled by default in OpenSSH. And obviously also on Github.


So essentially, GitHub removed RSA support altogether. The error is really misleading.

Thomas Wolf wrote on Thu, 17 March 2022 15:59
You may try to use org.eclipse.jgit.ssh.jsch together with the JSch fork from https://github.com/mwiede/jsch , which should be a drop-in replacement for JSch 0.1.55, but the JGit team is not going to fix any bugs you might encounter.


No, it would be much better if the JGit team would update their code-base with this fork or really get something else going to support new key formats. It would be a terrible decision to ignore this problem.
Re: Github.com RSA key with SHA-1 no longer allowed [message #1851614 is a reply to message #1851603] Mon, 11 April 2022 09:29
Thomas Wolf
Messages: 576
Registered: August 2016
Senior Member
Martin Braun wrote on Mon, 11 April 2022 00:54
This issue essentially broke private repositories from GitHub when using gitRepository in gradle. I am unable to add my java dependency from a private repository, because gradle uses jGit.

Report a bug against gradle. If gradle still uses JSch with JGit it is using no longer supported JGit code.

Martin Braun wrote on Mon, 11 April 2022 00:54
I also tried to bypass this issue by generating a SHA-256 RSA key by running: ssh-keygen -t rsa -b 4096 -E sha256 -m PEM

This just says that ssh-keygen should print a SHA-256 fingerprint of the key. As I wrote before, it doesn't change the key type.

Martin Braun wrote on Mon, 11 April 2022 00:54
So essentially, GitHub removed RSA support altogether. The error is really misleading.

No, they didn't. They just disabled SHA-1 signatures. Which, of course, makes Github unusable with RSA keys if you're using an SSH client that knows only this signature algorithm for RSA keys. You have two possibilities:

  1. Upgrade the SSH client. Which in your case would mean to get gradle to either use JGit with that JSch fork (and support that combination themselves), or get gradle to modernize their JGit integration to use Apache MINA sshd. Or perhaps you can make gradle use that JSch fork by overriding some dependency yourself.
  2. Don't use an RSA key. Try an ECDSA key instead. (ECDSA 256; IIRC, JSch 0.1.55 has troubles with ECDSA 384 or 521 keys.)



Re: Github.com RSA key with SHA-1 no longer allowed [message #1851701 is a reply to message #1851614] Tue, 12 April 2022 18:36
Martin Braun
Messages: 2
Registered: April 2022
Junior Member
It's already being worked on on gradle's end: https://github.com/gradle/gradle/issues/8245

It's just a matter of time until it will be fixed on gradle's end.

[Updated on: Tue, 12 April 2022 18:37]
