How to use an ECDSA SSH key to connect to a GitHub private repo?


I used to use a private GitHub repo as my personal registry.
I followed the instructions in https://github.com/GunnarFarneback/LocalRegistry.jl/blob/master/docs/ssh_keys.md#3-generating-a-compatible-key to generate an RSA key stored in PEM format and set up the environment variables SSH_PUB_KEY_PATH and SSH_KEY_PATH.

It worked fine for months. However, it started to break today because of GitHub's SSH key policy upgrade.

It says that

If you’re using libgit2 or another piece of code using libssh2, we recommend you use libssh2 1.9.0 or newer and an ECDSA key, since it does not yet support RSA with SHA-2. Similarly, the Go SSH client also doesn’t yet support RSA with SHA-2, so we recommend using an Ed25519 key there

I generated a new ECDSA key with ssh-keygen:

ssh-keygen -m PEM -t ECDSA

The generated key starts with -----BEGIN EC PRIVATE KEY-----

Then I changed the environment variables SSH_PUB_KEY_PATH and SSH_KEY_PATH to point at the new ECDSA key pair.

It seems that Julia cannot recognize the ECDSA key, but its libssh version is 1.9.0.

The platform I use is Windows 10 and the Julia version is

julia> versioninfo()
Julia Version 1.7.1
Commit ac5cc99908 (2021-12-22 19:35 UTC)
Platform Info:
  OS: Windows (x86_64-w64-mingw32)
  CPU: AMD Ryzen 7 5800H with Radeon Graphics
  WORD_SIZE: 64
  LIBM: libopenlibm
  LLVM: libLLVM-12.0.1 (ORCJIT, znver3)
Environment:
  JULIA_NUM_THREADS = 16

I have no insights about ECDSA keys but if you cannot get it to work, Julia 1.7 provides the new option of using an external git executable to bypass libgit2 and libssh2 entirely. This is the relevant release notes item:

It is now possible to use an external git executable instead of the default libgit2 library for the downloads that happen via the Git protocol by setting the environment variable JULIA_PKG_USE_CLI_GIT=true.


Thanks!
I use this option and it works seamlessly.

By the way, there were many “Unlink file … failed” warnings during the first run after switching to system git. I solved this problem by running set GIT_ASK_YESNO=false in the command line before starting Julia.

As a side note, I find that ECDSA support for mbedTLS is introduced in libssh2 1.10.0 but Julia currently uses 1.9.0.
This issue discusses the same problem.
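
An added diagnostic, not part of the thread or of any project mentioned in it: it reports the container format of the private key and the algorithm of the public key that SSH_KEY_PATH and SSH_PUB_KEY_PATH point at, which is the first thing to confirm when the library rejects a key. The function names are hypothetical and the sample key material is constructed.

```julia
# Added diagnostic, not code from the thread. It reports what the files named
# by SSH_KEY_PATH and SSH_PUB_KEY_PATH (the variables used above) contain.
using Base64

# First PEM line of a private key => container format.
const PRIVATE_HEADERS = Dict(
    "-----BEGIN RSA PRIVATE KEY-----"     => "RSA key, traditional PEM",
    "-----BEGIN EC PRIVATE KEY-----"      => "ECDSA key, traditional PEM",
    "-----BEGIN OPENSSH PRIVATE KEY-----" => "OpenSSH native format",
)

function private_key_format(text::AbstractString)
    lines = strip.(split(strip(text), '\n'))
    fmt = get(PRIVATE_HEADERS, String(lines[1]), "unrecognized header")
    # Traditional PEM marks passphrase protection in a header line.
    any(startswith("Proc-Type: 4,ENCRYPTED"), lines) && (fmt *= ", passphrase-protected")
    return fmt
end

# An OpenSSH public key line is "<algorithm> <base64 blob> [comment]"; the blob
# begins with a 4-byte big-endian length followed by the same algorithm name.
function public_key_algorithm(line::AbstractString)
    fields = split(strip(line))
    length(fields) >= 2 || return nothing
    blob = try base64decode(String(fields[2])) catch; return nothing end
    length(blob) >= 4 || return nothing
    n = Int(ntoh(reinterpret(UInt32, blob[1:4])[1]))
    length(blob) >= 4 + n || return nothing
    inner = String(blob[5:4+n])
    return inner == fields[1] ? inner : nothing   # nothing: label and blob disagree
end

function report(env = ENV)
    for (var, classify) in ("SSH_KEY_PATH" => private_key_format,
                            "SSH_PUB_KEY_PATH" => public_key_algorithm)
        path = get(env, var, "")
        isfile(path) || (println(var, ": not set or not a file"); continue)
        println(var, " -> ", classify(read(path, String)))
    end
end

# Constructed samples: the header quoted in the thread with a placeholder body,
# and a public key blob holding only the algorithm name plus padding bytes.
sample_priv = "-----BEGIN EC PRIVATE KEY-----\n(placeholder)\n-----END EC PRIVATE KEY-----\n"
name = "ecdsa-sha2-nistp256"
blob = vcat(reinterpret(UInt8, [hton(UInt32(length(name)))]), codeunits(name), zeros(UInt8, 8))
sample_pub = name * " " * base64encode(blob) * " constructed@example"
println(private_key_format(sample_priv), " / ", public_key_algorithm(sample_pub))
report()
```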