Version:
All versions
Issue:
You are using a Git-based project or a DFS project with an attached Git repo and encounter this error on startup of a workspace or job:
ERROR: You're using an RSA key with SHA-1, which is no longer allowed. Please use a newer client or a different key type.
Please see <github-blog>/2021-09-01-improving-git-protocol-security-github/ for more information.
Invalid remote: origin
Root Cause:
This error indicates you are using an RSA SSH key with SHA-1 against a Git host that no longer supports SHA-1. SHA-1 has been widely deprecated as it can be subject to brute-force attacks.
Note that Domino is not part of this authentication handshake. We simply pass on the private key entered by the user in their Domino "Account Settings > Git Credentials".
Resolution:
In brief, the resolution is to create a new SSH key of a supported type. Your internal process should describe how to create a key, but if you have run into this error, those instructions are possibly out of date and you need to create a new SSH key. Read below for more details.
Creating A New SSH Key
SSH keys can be created with the ssh-keygen utility. Note that the installed version of this utility determines what kinds of keys are created: an rsa key from an older version of ssh-keygen could be a SHA-1 key that will not help in this case, while in newer versions of ssh-keygen the rsa key type will generate a SHA-2 key.
A generic example of how to run this command on MS Windows, macOS, and Linux is:
ssh-keygen -t ed25519 -C "your_email@your_domain.com"
Note that the key type specified here, ed25519, is the type that GitHub notes should be used for their public servers and it will likely work for you with other Git servers as well if you have received the error above.
Your business may require other flags to be used, such as -b 4096.
There is no one-size-fits-all answer for exactly how to create an SSH key, as your internal Enterprise Git server and all the major Git providers have different requirements. Inquire internally with your IT staff for a definitive answer for your environment. Pointers to the docs for the major Git providers are below:
The end result of the ssh-keygen command will be two files. You can use any name; it is not important from a technical standpoint, as long as it means something to you and works for your internal process. The private key file, if you choose the default, might be id_ed25519 or perhaps id_rsa. The public key file will then be id_ed25519.pub or id_rsa.pub.
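To confirm which kind of key a .pub file holds before uploading it, the following added example (not part of the original article or of Domino) parses one OpenSSH public key line and reports the key type, its size, and whether it is an RSA key, the only type the error above applies to. The function names are hypothetical and the two sample lines are constructed placeholders, not real keys.

```python
import base64
import struct


def _read_field(blob, offset):
    """Read one length-prefixed field: uint32 big-endian length, then the bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def inspect_public_key(line):
    """Return (key_type, bits, is_rsa) for one line of an OpenSSH .pub file."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    name, offset = _read_field(blob, 0)
    key_type = name.decode("ascii")
    if key_type != fields[0]:
        raise ValueError("key type label does not match the encoded key")
    if key_type == "ssh-rsa":
        _exponent, offset = _read_field(blob, offset)
        modulus, _ = _read_field(blob, offset)
        return key_type, int.from_bytes(modulus, "big").bit_length(), True
    if key_type == "ssh-ed25519":
        public, _ = _read_field(blob, offset)
        return key_type, len(public) * 8, False
    return key_type, None, False  # other key types: size not decoded here


def _pack(*parts):
    """Build a base64 key blob from raw fields (used only for the samples)."""
    return base64.b64encode(b"".join(struct.pack(">I", len(p)) + p for p in parts)).decode()


# Constructed sample lines: placeholder modulus and public point, not real keys.
SAMPLE_RSA = "ssh-rsa " + _pack(b"ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xc3" * 256) + " old@example.com"
SAMPLE_ED25519 = "ssh-ed25519 " + _pack(b"ssh-ed25519", bytes(range(32))) + " new@example.com"

if __name__ == "__main__":
    for sample in (SAMPLE_RSA, SAMPLE_ED25519):
        key_type, bits, is_rsa = inspect_public_key(sample)
        note = "RSA key, the type named in the SHA-1 error" if is_rsa else "not an RSA key"
        print(f"{key_type} {bits} bits: {note}")
```

To check your own key, pass the single line from your .pub file (for example id_rsa.pub) to inspect_public_key.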
Ok Now What?
Generically, the next steps are to add the contents of the public key to your Git server and the contents of the private key to Domino. You will find this process in the docs listed above for the Git server side. Every flavor of Git is a little different, but the location to add this public key will typically be under the Account Settings.
The private side of the key then needs to be added to Domino. The process for doing this is thoroughly documented in the Domino documentation that is located here:
Notes/Information:
If you are not seeing the same SHA-1 error in your execution logging but still see "Invalid remote: origin", be aware that a new key is often a good step to take regardless, even though you may not have hit this exact issue. Keys can get out of sync, and a new one often resolves these problems. You may also have a typo in the repo or server name, so be sure to copy the URI directly from the Git server. You might also have a connectivity issue, so if a new key doesn't help, reach out to your local administrator or Domino Support.