Local Registry RSA key Problem

Hello,

I have set up a private local registry with which to share packages with some collaborators. When I set the registry up I had to create and add a new SSH key to my github account because according to the local registry documentation you have to use one with the PEM format. I created the SSH key using the command (given from the docs)

ssh-keygen -t rsa -b 4096 -m PEM

I just tried to test my package (e.g. using MyPackage in a script) and I got the following error (note my local registry has already been added on this PC, I can see it when I looked in .julia/registries/)

ERROR: failed to clone from git@github.com:MyUserName/MyPackage.jl.git, error: GitError(Code:EEOF, Class:SSH, ERROR: You're using an RSA key with SHA-1, which is no longer allowed. Please use a newer client or a different key type.
Please see https://github.blog/2021-09-01-improving-git-protocol-security-github/ for more information.

Should I:

  • try to reformat an existing key that is in the ed25519 format into PEM? The ssh-keygen manual entry mentions this
  • Create a new key in the ed25519 format somewhere other than .ssh/ (to avoid overwriting existing keys) and add that to my github account? Something like ssh-keygen -t ed25519 -b 4096 -m PEM

There is an issue with some suggestions on what you could do Cannot dev private repos: libgit2 uses protocol phased out by Github today? (SHA-1) · Issue #3030 · JuliaLang/Pkg.jl · GitHub

export JULIA_PKG_USE_CLI_GIT=true appears to have fixed it for me. Thanks for pointing that out!

I can expand on this.

  1. JULIA_PKG_USE_CLI_GIT is the preferred solution and documented in LocalRegistry.jl/ssh_keys.md at master · GunnarFarneback/LocalRegistry.jl · GitHub. The main limitation is that it’s only available from Julia 1.7 and, obviously, requires an external git installation.
  2. ssh-keygen -t rsa -b 4096 -m PEM still generates a key which Julia Pkg can use with libgit2/libssh2. However, GitHub will not accept the key, but if you’re using it with other git services they may be more accepting.
  3. There is no other key type that can be used with existing Julia binary downloads through libgit2/libssh2. Although version 1.9.0 of libssh2 does support ECDSA keys, that requires a specific crypto backend, which is not the one Julia is built with.
  4. If you build Julia yourself, it should be possible to configure it so that libssh2 understands ECDSA keys.
  5. libssh2 master 1.10.0 contains support for ECDSA keys with the mbedtls backend, which Julia uses, assuming everything is built with the appropriate feature enabled. This may eventually make its way into Julia’s binary downloads. This will be available for Julia 1.8 and later (and is already available in Julia 1.8-beta1). You may want to set the environment variable SSH_KEY_PATH to point to your ECDSA key.
  6. If you do try to use a non-RSA key with Julia you will get repeatedly prompted for the key location. The first time this is because it indeed doesn’t know where the key is (unless you have told it with SSH_KEY_PATH and SSH_PUB_KEY_PATH) but all the following times it is because libssh2 hasn’t been built with support for reading the key. Yes, this is a very unhelpful behavior and you can only find out what’s going on by patching libssh2.
  7. See item 1. There’s a possibility that this option could be backported to a future 1.6.x release. This has been backported and will be available in Julia 1.6.6.
3 Likes