#3106 Deploy keys can no longer push, after adding the same key on multiple projects
Opened 6 years ago by dcallagh. Modified a year ago

Something has gone wrong with the deploy keys on my projects, but I am not sure what exactly...

I have a SSH public key with comment "tomcat@linode166708.beaker-project.org" which I added as a deploy key with push access in https://pagure.io/rpmdeplint some time ago. This key is used by our team Gerrit instance to replicate commits to Pagure. This was working happily (I think) up until recently.

I wanted to add the same key as a deploy key on two other projects, https://pagure.io/beah and https://pagure.io/beaker .

When I pasted the key into the "add deploy key" form for the beah project, it accepted the key. But when I did the same thing for the beaker project it refuses and says: "Deploy key already exists."

So now the deploy key is present on two out of my three projects, but it does not have push access to any of the three repos.

Is Pagure intentionally preventing me from reusing the same deploy key on multiple projects, or is that an accident of how it is stored in the database? And do you have any idea why it would no longer have access even on the project where it was originally added?


Btw another thing I noticed. On the settings page for the rpmdeplint project, the deploy key shows as:

 2048 20:9d:70:89:f9:9d:f6:ac:81:4d:c4:0e:03:cd:8b:db tomcat@linode166708.beaker-project.org (RSA) (PUSH ACCESS)

but on the settings page for beah project, it shows as:

 2048 SHA256:lLb9CWEPSvINQcS2vvVXhwRV4xQEbEW6Ig1YQLVi8n0 tomcat@linode166708.beaker-project.org (RSA) (PUSH ACCESS)

The former is MD5 and the latter is SHA256. I guess Pagure was changed at some point to use the newer hash algo. I confirmed that both the fingerprints are indeed for the same key.

I guess this is how I was able to add the key on two of the projects even though it is a duplicate according to Pagure?

Confirming this with @puiterwijk: it is indeed by design that you cannot have the same key used on multiple projects, as it makes gitolite (underneath) unable to detect which user you are.

The default algorithm must have changed indeed (not in pagure, more likely in the system's openssh), which is why it didn't prevent you from adding the same key a second time.

If you remove one of them, we expect things will start working again.

Sorry for the troubles and thanks for letting us know!

Metadata Update from @pingou:
- Issue tagged with: bug

6 years ago

In #3107 @puiterwijk made sure we always check the md5 fingerprint, so we don't allow uploading the same key twice, as desired.
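To illustrate the two observations above (the same key rendered as an MD5 fingerprint on one project and a SHA256 fingerprint on another, and the fix of always comparing one fixed fingerprint), here is an added example that is not part of Pagure's code or of this ticket. It builds a constructed, structurally valid ssh-rsa public key line, computes both OpenSSH fingerprint styles over the decoded key blob, and shows that comparing displayed fingerprint strings misses the duplicate while comparing a fingerprint computed with one fixed algorithm catches it.

```python
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    """Encode bytes in SSH wire format: uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data

def make_rsa_line(modulus: bytes, comment: str) -> str:
    """Build a constructed ssh-rsa authorized_keys line (not a usable key)."""
    exponent = b"\x01\x00\x01"  # e = 65537 as an SSH mpint
    blob = ssh_string(b"ssh-rsa") + ssh_string(exponent) + ssh_string(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

def parse_pubkey_line(line: str) -> tuple:
    """Split a public key line into (type, decoded key blob, comment)."""
    parts = line.strip().split(None, 2)
    key_type, blob = parts[0], base64.b64decode(parts[1])
    comment = parts[2] if len(parts) > 2 else ""
    (length,) = struct.unpack(">I", blob[:4])  # first field repeats the type
    if blob[4:4 + length] != key_type.encode():
        raise ValueError("key type in blob does not match the line")
    return key_type, blob, comment

def fingerprint_md5(blob: bytes) -> str:
    """Legacy OpenSSH display: colon-separated hex MD5 of the key blob."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH 6.8+ display: 'SHA256:' + unpadded base64 of the SHA-256."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def same_key_naive(stored_fp: str, new_fp: str) -> bool:
    """Duplicate check on displayed strings: fails once the default
    fingerprint algorithm changes between the two uploads."""
    return stored_fp == new_fp

def same_key_canonical(line_a: str, line_b: str) -> bool:
    """Duplicate check that recomputes one fixed fingerprint (MD5 here, as
    in #3107) over the decoded blob, independent of how it was displayed."""
    blob_a, blob_b = parse_pubkey_line(line_a)[1], parse_pubkey_line(line_b)[1]
    return fingerprint_md5(blob_a) == fingerprint_md5(blob_b)

# Constructed sample modulus: leading 0x00 keeps the mpint positive (top bit set).
SAMPLE_LINE = make_rsa_line(b"\x00" + b"\xc1" * 64, "deploy-key@example.invalid")

def demo() -> dict:
    blob = parse_pubkey_line(SAMPLE_LINE)[1]
    old_display, new_display = fingerprint_md5(blob), fingerprint_sha256(blob)
    return {"naive": same_key_naive(old_display, new_display),   # False
            "canonical": same_key_canonical(SAMPLE_LINE, SAMPLE_LINE)}  # True
```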

Okay, thanks for the explanation and fixes.

It's quite an unfortunate limitation though (inability to re-use the same deploy key across multiple projects), since Gerrit does not have a way to use a separate SSH key for each project when it does replication.

Would you take an RFE to improve this limitation in Pagure?

Is it a fundamental limitation of gitolite or just some side-effect of how Pagure is constructing the ACLs? I have to admit I don't understand what you meant about "unable to detect which user you are"... The push is effectively coming from no user, it's from a deploy key, right? And it must know which repo I want to push to... so either the deploy key is allowed or not allowed?

Sorry for my ignorance about how the gitolite stuff works behind the scenes, maybe those are not sensible questions.

If we tag this as an RFE, I might look at implementing that at some point, but it will require changing some things around.

Metadata Update from @pingou:
- Issue untagged with: bug
- Issue status updated to: Open (was: Closed)
- Issue tagged with: RFE

6 years ago

Might be possible on our way to release 6.0 when we remove gitolite, not sure, and something that needs to be discussed at some point; going to put it on the milestones for now.

Metadata Update from @wombelix:
- Issue set to the milestone: 6.0

a year ago
