Comments (22)

rkh commented on May 24, 2024

This is a known issue. 128 characters is too long for the encryption, not for an env var.

from travis.rb.

jasnow commented on May 24, 2024

Therefore what do I do for my Rails app? What is the longest string that is supported?

sarahhodne commented on May 24, 2024

You could manually encrypt a file using the same SSH key. This guide is technically pro-specific, but you should be able to do the same thing on org.

JasonGross commented on May 24, 2024

The guide should be updated with the new way to get the public key, as per http://about.travis-ci.org/docs/user/encryption-keys/. Also, it would be nice if this were fixed.

sarahhodne commented on May 24, 2024

The reason the limit is 128 characters is because of the protocol used. RSA public key encryption really shouldn't be used to encrypt longer strings. A better way is to encrypt the file with a symmetric algorithm and then use travis encrypt to encrypt the symmetric passphrase.

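The approach described in the comment above, as an added example that is not part of the original thread or of the Travis CI code. It assumes a locally generated 1024-bit RSA key pair as a stand-in for the repository key and uses hypothetical file names; it shows RSA alone refusing a 128-character value and the hybrid scheme round-tripping it.

```shell
#!/bin/sh
# Added example, not from the thread. The key pair is a local stand-in
# (assumption: 1024-bit RSA, PKCS#1 v1.5); all file names are hypothetical.
# Needs OpenSSL 1.1.1 or newer for `enc -pbkdf2`.
hybrid_demo() {
  work=$(mktemp -d) || return 1
  key="$work/repo_key.pem"; pub="$work/repo_pub.pem"
  openssl genrsa -out "$key" 1024 2>/dev/null || return 1
  openssl rsa -in "$key" -pubout -out "$pub" 2>/dev/null || return 1

  # Constructed sample: a 128-character secret, like the Devise key in the thread.
  openssl rand -hex 64 | tr -d '\n' > "$work/secret.txt"

  # 1. RSA alone: a 128-byte modulus minus 11 bytes of padding leaves 117
  #    bytes of room, so the 128-character value is refused.
  if openssl pkeyutl -encrypt -pubin -inkey "$pub" \
       -in "$work/secret.txt" -out "$work/direct.bin" 2>/dev/null; then
    direct=accepted
  else
    direct=rejected
  fi

  # 2. Hybrid, developer side: AES-encrypt the file under a random passphrase
  #    (read from a file so it never appears in the process list), then
  #    RSA-encrypt only the 64-character passphrase. The pkeyutl call stands
  #    in for `travis encrypt secret=...`.
  openssl rand -hex 32 | tr -d '\n' > "$work/pass.txt"
  openssl enc -aes-256-cbc -pbkdf2 -salt -a -pass "file:$work/pass.txt" \
    -in "$work/secret.txt" -out "$work/secret.txt.enc" || return 1
  openssl pkeyutl -encrypt -pubin -inkey "$pub" \
    -in "$work/pass.txt" -out "$work/pass.rsa" || return 1

  # 3. CI side: recover the passphrase with the private key, then the file.
  openssl pkeyutl -decrypt -inkey "$key" \
    -in "$work/pass.rsa" -out "$work/pass.out" || return 1
  openssl enc -d -aes-256-cbc -pbkdf2 -a -pass "file:$work/pass.out" \
    -in "$work/secret.txt.enc" -out "$work/recovered.txt" || return 1

  if cmp -s "$work/secret.txt" "$work/recovered.txt"; then
    hybrid=ok
  else
    hybrid=mismatch
  fi
  rm -rf "$work"
  echo "direct_rsa=$direct hybrid=$hybrid"
}

hybrid_demo
```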

JasonGross commented on May 24, 2024

Also ssh-keygen -e -m PKCS8 -f id_travis.pub > id_travis.pub.pem tells me that -m isn't recognized. I think the option is now -t.

JasonGross commented on May 24, 2024

I was trying to encrypt a generated id_rsa file so that I could push from a travis-ci machine, but then I discovered travis pubkey, which I think gives me the contents of ~/.ssh/id_rsa.pub on the travis-ci machine, and so I think I can just add that to the github repo to give the travis-ci machine push access.

JasonGross commented on May 24, 2024

Or maybe not. Is what I said false? It doesn't seem to work.

JasonGross commented on May 24, 2024

And on echo "$password" | openssl rsautl -encrypt -pubin -inkey id_travis.pub.pem -out secret, I get unable to load Public Key

JasonGross commented on May 24, 2024

Rather, it seems that some ssh-keygens support -m, and others support neither -m nor the PKCS8 output format (perhaps only PKCS1?). And I seem to have one of the latter kind.

joshk commented on May 24, 2024

travis pubkey gives the public key of the private key we use to encrypt env vars.

We currently don't have a nice built in way to enable pushing to GitHub or other sources from Travis.

You could instead create an oauth token, encrypt it, and use that for pushing to GitHub?

On 17/08/2013, at 8:06 AM, Jason Gross wrote:

Rather, it seems that some ssh-keygens support -m, and others support neither -m nor the PKCS8 output format (perhaps only PKCS1?). And I seem to have one of the latter kind.


monfresh commented on May 24, 2024

@henrikhodne Could you please provide the exact steps necessary to do this:

A better way is to encrypt the file with a symmetric algorithm and then use travis encrypt to encrypt the symmetric passphrase.

I'm trying to encrypt the 128-character secret key used by the latest version of Devise for use with Travis CI.

Thanks!

leonelgalan commented on May 24, 2024

@henrikhodne when following the guide I get an empty JSON from Github, hence an empty id_travis.pub when executing the one-liner.

I also tried using 'travis pubkey' but I get this error:

travis pubkey > id_travis.pub
ssh-keygen -e -m PKCS8 -f id_travis.pub > id_travis.pub.pem

PEM_write_RSA_PUBKEY failed

rkh commented on May 24, 2024

The CLI can give you a pem directly: travis pubkey --pem.

leonelgalan commented on May 24, 2024

Thanks, that makes it much easier. I'm very close, I'm getting this error when the before_script executes:

$ secret=`openssl rsautl -decrypt -inkey ~/.ssh/id_rsa -in secret`
Error opening Private Key /home/travis/.ssh/id_rsa
140706337064608:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/home/travis/.ssh/id_rsa','r')
140706337064608:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load Private Key
The command "secret=`openssl rsautl -decrypt -inkey ~/.ssh/id_rsa -in secret`" failed and exited with 1 during before_script.
Your build has been stopped.

jokull commented on May 24, 2024

Also getting this error. Tried on a colleague’s computer who hadn’t upgraded to OS X Mavericks and it worked.

leonelgalan commented on May 24, 2024

I "solved" it by encrypting SECRET using travis cli, instead of using the /.ssh/id_rsa/.

travis encrypt secret=`cat /dev/urandom | head -c 10000 | openssl sha1` --add

before_script:
  - openssl aes-256-cbc -k "$secret" -in config.xml.enc -d -a -out config.xml

reubano commented on May 24, 2024

This is what worked for me

travis-enc.sh

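#!/bin/sh
# Add env vars to Travis CI. Values longer than 128 characters go into an
# AES-encrypted YAML file; only its passphrase goes through `travis encrypt`.
set -u

ENC_FILE='envs.yml'
ENVS=$1
USER=$2
PROJECT=$3

# Encrypt file $2 with passphrase $1 and commit the ciphertext.
encrypt_file () {
  secret=$1
  file=$2
  openssl aes-256-cbc -a -k "$secret" -in "$file" -out "$file.enc" || return 1
  git add "$file.enc" || return 1
  git commit -m "Add encrypted travis file" || return 1
}

# Store key $3 with value $4 in the YAML file, then re-encrypt the file.
travis_cust_enc () {
  username=$1
  project=$2
  key=$3
  value=$4
  file=$ENC_FILE

  # Drop any old entry for this key. Redirecting sed's output onto its own
  # input would truncate the file first, so go through a temporary file.
  touch "$file"
  sed "/^$key:/d" "$file" > "$file.tmp" || return 1
  mv "$file.tmp" "$file" || return 1
  echo "$key: $value" >> "$file"
  # md5 is the BSD/macOS tool; it prints only the digest when reading stdin.
  secret=$(head -c 10000 /dev/urandom | md5) || return 1
  encrypt_file "$secret" "$file" || return 1
  travis encrypt -r "$username/$project" "secret=$secret" --add
}

# Add env var $1 directly if it fits, through the encrypted file otherwise.
add_env () {
  result=$(printenv "$1")
  count=${#result}

  if [ "$result" != '' ] && [ "$count" -gt 128 ]; then
    echo "$1 > 128 chars. adding ENV via custom encryption"
    travis_cust_enc "$USER" "$PROJECT" "$1" "$result"
  elif [ "$result" != '' ]; then
    echo "adding $1 ENV via travis encrypt"
    travis encrypt -r "$USER/$PROJECT" "$1=$result" --add
  else
    echo "$1 not found!"
  fi
}

IFS=','
for ENV in $ENVS; do
  add_env "$ENV" || exit 1
done
unset IFS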

usage: travis-enc.sh 'ENV1,ENV2,ENV3' username repo

.travis.yml

before_script:
  - openssl aes-256-cbc -d -k "$secret" -in envs.yml.enc -a -out envs.yml

file.py

import yaml

def getenv_from_file(env, yml_file):
    # safe_load builds only plain YAML types, unlike yaml.load without a Loader
    with open(yml_file, 'r') as f:
        result = yaml.safe_load(f)
    return result[env]

value = getenv_from_file('MY_ENV', 'envs.yml')

jescalan commented on May 24, 2024

+1, would love to see a more straightforward solution for this!

rkh commented on May 24, 2024

see https://github.com/travis-ci/travis.rb/blob/master/examples/cli/encrypt_file.md

jescalan commented on May 24, 2024

👍 thanks for the concise guide @rkh! I'm sure this will help a lot of people

rkh commented on May 24, 2024

The next release will come with an encrypt-file command to address the issue: https://github.com/travis-ci/travis.rb#encrypt-file
