Tags: git, github, git-authentication

Brand-new RSA key with SHA-2 signature (generated by PuTTYgen) is getting rejected by GitHub


I'm using Gitext on Windows, which in turn uses PuTTY's agent (pageant.exe, latest version, currently 0.76). I'm also using a fairly recent git (ver. 2.35.1).

I have created a brand-new RSA key with SHA-2 using puttygen.exe and added it to my GitHub account. However, when Gitext tries to push changes to the remote I get the following error:

  "C:\Program Files\Git\bin\git.exe" push --recurse-submodules=check --progress "origin" refs/heads/...:refs/heads/...
  fatal: Could not read from remote repository.

  Please make sure you have the correct access rights and the repository exists.
  ERROR: You're using an RSA key with SHA-1, which is no longer allowed. Please use a newer client or a different key type.
  Please see https://github.blog/2021-09-01-improving-git-protocol-security-github/ for more information.

  Done

  Press Enter or Esc to exit...

For the time being I converted the RSA key to OpenSSH format and loaded that into the WSL ssh-agent, and I can now 'git push' from the command line. It's weird that GitHub rejects the original RSA key, though. What am I missing?

This is how 'id_rsa.ppk' is structured:

PuTTY-User-Key-File-3: ssh-rsa
Encryption: none
Comment: rsa-key-20220316
Public-Lines: 6
AAAAB...fwAD//mG/
Private-Lines: 14
AAAB...xXgzQ=
Private-MAC: 37f...0d3

This is how 'id_rsa.pub' is structured:

---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20220316"
AAAA...AD//mG/
---- END SSH2 PUBLIC KEY ----

How can I verify that the key I generated with PuTTYgen is indeed using SHA-2?


Solution

  • For RSA keys, the signature algorithm used doesn't depend on the type of key. All RSA SSH keys have the ability to use SHA-1, SHA-256, or SHA-512.

    The ability to use SHA-2 (that is, SHA-256 or SHA-512) requires three things: support from the server (which GitHub provides), support from the client, and support from the agent (if one is being used). In this case, Pageant 0.76 should be sufficient for the agent, so the question is the SSH client that you're using in Git Extensions. If that's PuTTY, you need to be sure that the version you're using is also 0.75 or newer.

    If you were running from the command line, you could set GIT_TRACE=1 in the environment to see what SSH program is being invoked. For example, on my Linux box, you can see this output:

    14:20:33.666178 git.c:458               trace: built-in: git ls-remote git@github.com:git/git.git
    14:20:33.666370 run-command.c:654       trace: run_command: unset GIT_PREFIX; GIT_PROTOCOL=version=2 ssh -o SendEnv=GIT_PROTOCOL git@github.com 'git-upload-pack '\''git/git.git'\'''
    

    That indicates I'm using the ssh binary, and I'd then query that program for its version to make sure it's correct. If you're sure you're using PuTTY, then you can run putty --version to see the version number of the version you're running.
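The two checks the answer describes (which SSH program git will invoke, and whether that program's version can sign with rsa-sha2-256/512) can be scripted. The following POSIX shell script is an added example and is not part of the original question or answer. It resolves the SSH program in the order git itself uses (GIT_SSH_COMMAND, then core.sshCommand, then GIT_SSH, then plain ssh) and classifies the program's -V banner. The version thresholds are assumptions stated in the code: OpenSSH gained rsa-sha2-* signatures in 7.2, and the PuTTY/plink threshold of 0.75 is the one the answer gives. The banner strings used for checking it are constructed, not captured from the asker's machine.

```shell
#!/bin/sh
# Added example (not from the original question or answer): find the SSH
# program git will run and decide whether it can sign with rsa-sha2-256/512.
# Assumed thresholds: OpenSSH >= 7.2 (release that added rsa-sha2-* signatures)
# and PuTTY/plink >= 0.75 (the version the answer above names).

# Resolve the SSH program the way git does: GIT_SSH_COMMAND, then the
# core.sshCommand config value, then GIT_SSH, then "ssh" from PATH.
git_ssh_program() {
    if [ -n "$GIT_SSH_COMMAND" ]; then
        printf '%s\n' "$GIT_SSH_COMMAND"
    elif command -v git >/dev/null 2>&1 \
         && cfg=$(git config --get core.sshCommand 2>/dev/null) && [ -n "$cfg" ]; then
        printf '%s\n' "$cfg"
    elif [ -n "$GIT_SSH" ]; then
        printf '%s\n' "$GIT_SSH"
    else
        printf 'ssh\n'
    fi
}

# Print "MAJOR MINOR" from the leading digits of a version string,
# e.g. "8.9p1 Ubuntu-3ubuntu0.6" -> "8 9". Fails if no version is present.
major_minor() {
    v=${1%%[!0-9.]*}                 # keep only the leading digits and dots
    case $v in ''|.*) return 1 ;; esac
    maj=${v%%.*}
    min=${v#*.}; min=${min%%.*}
    [ "$min" = "$v" ] && min=0       # no dot at all: treat minor as 0
    printf '%s %s\n' "$maj" "${min:-0}"
}

# Return 0 when MAJOR.MINOR ($1.$2) is at least MINMAJ.MINMIN ($3.$4).
version_ge() {
    [ "$1" -gt "$3" ] || { [ "$1" -eq "$3" ] && [ "$2" -ge "$4" ]; }
}

# Classify a "-V" banner from OpenSSH ssh or PuTTY plink.
# Prints yes/no/unknown and returns 0/1/2 respectively.
rsa_sha2_capable() {
    banner=$1
    case $banner in
        OpenSSH_*)
            # "OpenSSH_8.9p1 ..." or the Win32-OpenSSH form "OpenSSH_for_Windows_8.1p1 ..."
            v=${banner#OpenSSH_}; v=${v#for_Windows_}
            need_maj=7; need_min=2 ;;
        *"Release "*)
            # PuTTY/plink: "plink: Release 0.76"
            v=${banner##*"Release "}
            need_maj=0; need_min=75 ;;
        *)
            echo unknown; return 2 ;;
    esac
    mm=$(major_minor "$v") || { echo unknown; return 2; }
    set -- $mm                        # word-split "MAJOR MINOR" into $1 and $2
    if version_ge "$1" "$2" "$need_maj" "$need_min"; then
        echo yes; return 0
    fi
    echo no; return 1
}

# Usage: report on the SSH program git on this machine will actually run.
# -V prints the version for both OpenSSH ssh and plink (OpenSSH writes it to stderr).
check_git_ssh() {
    prog=$(git_ssh_program)
    exe=${prog%% *}                   # first word of the command is the program
    banner=$("$exe" -V 2>&1)
    printf '%s: %s -> rsa-sha2 support: %s\n' "$exe" "$banner" "$(rsa_sha2_capable "$banner")"
}
check_git_ssh
```

On the asker's setup the interesting case is a Git Extensions configuration that points git at plink rather than OpenSSH: a "Release 0.74" or older banner there reproduces GitHub's SHA-1 rejection regardless of how the key was generated, because the choice of rsa-sha2 signature is negotiated by the client, not stored in the key. An "unknown" result means the banner format was not recognised and the version must be read by hand.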