Use openssl in a github action


I want to release the artifact of a github action to a specific update repo, so that my software can use it to update itself. To verify the update in the local update process I want to sign this artifact. I chose to store the update itself and signature in separate files for now.

My github action would take the zipped artifact and should sign it with the given RSA4096 Private Key and should use SHA512 as a digest.

My github action for that looks as follows:

- name: Sign release
  run: |
    echo $PRIVATE_KEY > privatekey.pem
    openssl dgst -sha512 -sign privatekey.pem -out latest.sig latest.zip
  env:
    PRIVATE_KEY: ${{ secrets.PRIVATE_KEY }}

This GitHub action should take my private key from the repository's secrets, put it in an environment variable, and then put it in a local file so the following openssl command can take this private key to sign it. I went this way to hinder the private key itself being echoed to the log.

The private key value is as follows: (This is of course not the actual private key but one I created solely for testing purposes until this GitHub action works properly. This private key is only 1024 bits instead of the above mentioned 4096 bits. I will not use this private key afterwards anymore.)

-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----

The problem is the following log output of the github action when executing this step:

unable to load key file
6196:error:0909006C:PEM routines:get_name:no start line:crypto\pem\pem_lib.c:745:Expecting: ANY PRIVATE KEY

Which means that whatever was echoed to privatekey.pem is not the actual private key secret value, but something else. I couldn't get the content of the file printed in subsequent tests, not with an echo or cat command or anything similar, so I actually have no knowledge of what is written to the file, which makes it impossible for me to get any deeper into my analysis.

Is anyone here able to deduce some helpful tips or a solution to this problem?


Solution

  • It's likely that part of your problem is the lack of quoting. When you don't quote a variable in shell, it is split on whitespace (space, tab, and newline), so what you're passing to echo is several different arguments which, instead of being separated by newlines, are separated by spaces via echo.

    You'd probably want to write this (note the quotation marks around $PRIVATE_KEY):

    - name: Sign release
      run: |
        echo "$PRIVATE_KEY" > privatekey.pem
        openssl dgst -sha512 -sign privatekey.pem -out latest.sig latest.zip
      env:
        PRIVATE_KEY: ${{ secrets.PRIVATE_KEY }}


    In general, it's a good practice to place all variables in double quotes when using them unless you're certain that you want the shell to expand them.

    Of course, all of this applies only if you're using a POSIX shell, which means that you need to be using Unix or bash on Windows, since the syntax you're using is POSIX shell syntax.

    GitHub Actions, like most CI systems, tries to sanitize its output to prevent disclosing secrets that are accidentally printed to logs, which is why you were unable to print the value.
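
The following script is an added example, not part of the question or the answer above. It makes the word-splitting visible on a constructed, PEM-shaped placeholder value (not a real key): the unquoted echo collapses it to a single line, so openssl finds no "-----BEGIN" start line, while the quoted form keeps every line. It then runs the sign/verify round trip that the self-updater would need, using a throwaway RSA key generated on the spot (2048 bits here only to keep the demo fast; the payload and all file names are constructed). The helper names and the SOURCED-style layout are this example's own choices.

```shell
#!/usr/bin/env sh
# Added example: quoting a multi-line secret, then signing and verifying.
# FAKE_KEY is a CONSTRUCTED placeholder shaped like a PEM block; it is not a key.
FAKE_KEY='-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAKplaceholder0000000000000000000000000000000000000000
AAAAplaceholder11111111111111111111111111111111111111111111111111
-----END RSA PRIVATE KEY-----'

# The question's form: unquoted, so the shell splits the value on IFS
# (space, tab, newline) and echo re-joins the words with single spaces.
# The file ends up as one line and openssl reports "no start line".
write_unquoted() {
    echo $FAKE_KEY > "$1"
}

# The answer's form: double quotes keep the value intact. printf '%s\n' is
# used instead of echo "$VAR" because some /bin/sh echo implementations
# interpret backslashes; for this input the two behave the same.
write_quoted() {
    printf '%s\n' "$FAKE_KEY" > "$1"
}

# Number of lines in a file, with the leading spaces some wc versions print removed.
count_lines() {
    wc -l < "$1" | tr -d ' '
}

# Generate a throwaway key, sign a constructed payload with SHA-512 the way
# the workflow step does, and verify it with the matching public key, which
# is what the local update process would ship. Prints "verified", "failed",
# or "skipped" when openssl is not installed.
sign_and_verify() {
    command -v openssl >/dev/null 2>&1 || { echo skipped; return 0; }
    dir=$(mktemp -d)
    (
        umask 077   # the key file should be readable by this user only, even on a runner
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out "$dir/privatekey.pem" 2>/dev/null
    )
    openssl pkey -in "$dir/privatekey.pem" -pubout -out "$dir/publickey.pem" 2>/dev/null
    printf 'constructed release payload\n' > "$dir/latest.zip"
    openssl dgst -sha512 -sign "$dir/privatekey.pem" -out "$dir/latest.sig" "$dir/latest.zip" 2>/dev/null
    if openssl dgst -sha512 -verify "$dir/publickey.pem" \
            -signature "$dir/latest.sig" "$dir/latest.zip" >/dev/null 2>&1; then
        result=verified
    else
        result=failed
    fi
    rm -rf "$dir"   # never leave the private key behind on the runner
    echo "$result"
}

# Demonstration when run directly.
demo_dir=$(mktemp -d)
write_unquoted "$demo_dir/bad.pem"
write_quoted "$demo_dir/good.pem"
echo "unquoted echo produced $(count_lines "$demo_dir/bad.pem") line(s)"
echo "quoted write produced  $(count_lines "$demo_dir/good.pem") line(s)"
echo "sign/verify round trip: $(sign_and_verify)"
rm -rf "$demo_dir"
```

In the workflow itself this translates to the quoted write from the answer (or printf '%s\n' "$PRIVATE_KEY"), preceded by umask 077 and followed by rm -f privatekey.pem once latest.sig exists; the public key, not the private one, is what gets embedded in the software that checks the update.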