Montassar Bouajina

Reputation: 1652

GITLAB CI Error loading key "/dev/fd/63": invalid format ERROR: Job failed: exit code 1

Here is my code (gitlab-ci.yml):

 before_script:
  ##
  ## Install ssh-agent if not already installed, it is required by Docker.
  ## (change apt-get to yum if you use an RPM-based image)
  ##
  - 'which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )'

  ##
  ## Run ssh-agent (inside the build environment)
  ##
  - eval $(ssh-agent -s)
  ##
  ## Add the SSH key stored in SSH_PRIVATE_KEY variable to the agent store
  ## We're using tr to fix line endings which makes ed25519 keys work
  ## without extra base64 encoding.
  ## https://gitlab.com/gitlab-examples/ssh-private-key/issues/1#note_48526556
  ##
  - mkdir -p ~/.ssh
  #- echo -n "$PROJECT_SSH_KEY" | ssh-add - >/dev/null
  - echo "$PROJECT_SSH_KEY"
  - ssh-add <(echo "$PROJECT_SSH_KEY")
  - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'
  ##
  ## Create the SSH directory and give it the right permissions
  ##
  - mkdir -p ~/.ssh
  - chmod 700 ~/.ssh

  ##
  ## Optionally, if you will be using any Git commands, set the user name
  ## and email.
  ##
  #- git config --global user.email "[email protected]"
  #- git config --global user.name "User name"

I get this output:

    Running with gitlab-runner 11.8.0 (4745a6f3)
      on Allence-Tunisie-docker-runner sH47eTgb
    Using Docker executor with image ntfactory/ci-tool:0.0.2 ...
    Pulling docker image ntfactory/ci-tool:0.0.2 ...
    Using docker image sha256:7fe7b170806f6846271eec23b41c4f79202777f62c0d7a32165dc41722900979 for ntfactory/ci-tool:0.0.2 ...
    Running on runner-sH47eTgb-project-11060727-concurrent-0 via a732493b4b94...
    Cloning repository...
    Cloning into '/builds/allence-tunisie/e-formation'...
    Checking out 0a6b48ef as feat/gitlab-ci...
    Skipping Git submodules setup
    Checking cache for default...
    No URL provided, cache will not be downloaded from shared cache server. Instead a local version of cache will be extracted.
    Successfully extracted cache
    $ which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )
    /usr/bin/ssh-agent
    $ eval $(ssh-agent -s)
    Agent pid 12
    $ mkdir -p ~/.ssh
    $ echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add - > /dev/null
    Error loading key "(stdin)": invalid format
    ERROR: Job failed: exit code 1

Even though I tried - echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add - > /dev/null, I get this error:

Error loading key "(stdin)": invalid format

Upvotes: 21

Views: 28606

Answers (10)

niko peikrishvili

Reputation: 91

My case was that the key was in the variable that had a flag that it could be used only on the protected branch, but my branch was not pr

Upvotes: 1

zemil

Reputation: 5066

Step by step:

  1. Generate ssh key (info about generation)

ssh-keygen -t ed25519 -C "<comment>"

  2. Encode PRIVATE_KEY

cat /root/.ssh/id_rsa | base64 -w0
# OR
echo "-----BEGIN OPENSSH..." | base64 -w0

  3. On GitLab, go to your repository > Settings > CI/CD > Variables and add your variable with the encoded value (you can also switch the "protected variable" flag)

  4. In your .gitlab-ci.yml, add a decoding pipe

- ssh-add <(echo "$SSH_KEY" | base64 -d)

  5. That's all.

But if you get a "Permission denied, please try again." error after all, try my answer here.

Upvotes: 1

sping

Reputation: 55

I got this error from a silly mistake! In my GitLab project settings, the Type for my variable was set to File instead of Variable.

And so, changing the Type from File to Variable fixed this for me.

Upvotes: 0

Jack Liu Shurui

Reputation: 580

The error I got was similar to the ones above. However, none of the above worked in my case. After I tried several times, I noticed the file was empty when my pipeline was running. Considering that I made my secrets only exposed to protected branches or protected tags, I went to /-/settings/repository and added my target branches. Everything works now.

Upvotes: 0

X 2

Reputation: 373

The documentation says that they have fixed the error. This is the new way to do it.

  ##
  ## Add the SSH key stored in SSH_PRIVATE_KEY variable to the agent store
  ## We're using tr to fix line endings which makes ed25519 keys work
  ## without extra base64 encoding.
  ## https://gitlab.com/gitlab-examples/ssh-private-key/issues/1#note_48526556
  ##

  - echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add -

Upvotes: 0

IAM Re3v3s

Reputation: 11

For me, I protected the branch and tags, and then I finally did it without any errors.

Upvotes: 0

Louis Maddox

Reputation: 5566

As mentioned in this thread on GitLab's bug tracker, the issue can arise when carriage return characters (\r) are added to the variable (a.k.a. "secret"). This can be worked around by piping to tr -d "\r" to delete these characters, leaving the SSH key correctly formed.

An example in your CI would be:

ssh-add <(echo "${SSH_priv_key_b64}" | base64 --decode | tr -d "\r")

Note that base 64 encoding is necessary to use an SSH key with the "masked" and "protected" properties.

Upvotes: 0

Doan Thai

Reputation: 685

You must generate an RSA key, not an OPENSSH key. Use the param "-m PEM" (ssh-keygen -m PEM) to generate an RSA key, which will start with -----BEGIN RSA PRIVATE KEY----- and end with -----END RSA PRIVATE KEY-----

Upvotes: -1

Salil Dhawan

Reputation: 651

If you have protected the variable then you need to have a protected branch. As mentioned in the variables settings - "They can be protected by only exposing them to protected branches or tags."

Upvotes: 38

Brian

Reputation: 1324

This error happens when the private key in $SSH_PRIVATE_KEY is malformed; you can easily test it locally if you add some random characters to it. In particular, it happens on Travis-CI when you just copy & paste the private key into the SSH_PRIVATE_KEY variable in the online form. It has to do with the newline characters after and before the -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- blocks. For this reason, I use base64 encoding to make sure the key is formatted properly.

Try this:

  • Encode your private RSA key

    cat my_private_key | base64 -w0

  • Add the base64 string to your project variables.

  • Use it in your .gitlab-ci.yml

ssh-add <(echo "$SSH_PRIVATE_KEY" | base64 -d)

https://gitlab.com/gitlab-examples/ssh-private-key/issues/1#note_15038961

Upvotes: 40
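
The causes reported in the answers above (an empty value because a protected variable is not exposed to the branch, a File-type variable, stray carriage returns, a base64-encoded value) can be told apart before ssh-add runs, without echoing the key into the job log. The following is an added example, not code from any of the posts; the function names and the sample key are constructed for illustration, and a base64 that accepts -d is assumed.

```bash
#!/usr/bin/env bash
# Added example: classify an SSH key CI variable without printing it.
# Function names are hypothetical; SAMPLE_PEM is constructed.

# Constructed sample, not a real key: PEM armor around placeholder text.
SAMPLE_PEM='-----BEGIN OPENSSH PRIVATE KEY-----
AAAAconstructedSAMPLEnotAkey
-----END OPENSSH PRIVATE KEY-----'

# True when the text carries both armor lines of a private key.
is_pem_private_key() {
  case "$1" in
    *"-----BEGIN "*"PRIVATE KEY-----"*"-----END "*"PRIVATE KEY-----"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Prints one of: empty, pem, pem-with-cr, base64-pem, file-path, malformed.
classify_ssh_key_var() {
  _cr=$(printf '\r')
  if [ -z "$1" ]; then
    echo "empty"          # e.g. protected variable on an unprotected branch
  elif is_pem_private_key "$1"; then
    case "$1" in
      *"$_cr"*) echo "pem-with-cr" ;;
      *)        echo "pem" ;;
    esac
  elif is_pem_private_key "$(printf '%s' "$1" | base64 -d 2>/dev/null)"; then
    echo "base64-pem"
  elif [ -f "$1" ]; then
    echo "file-path"      # File-type variable: the value is a path
  else
    echo "malformed"
  fi
}

# Writes the key to stdout with CRs removed and a final newline, or fails
# with the classification on stderr (never the key material itself).
normalize_ssh_key_var() {
  case "$(classify_ssh_key_var "$1")" in
    pem|pem-with-cr) printf '%s\n' "$1" | tr -d '\r' ;;
    base64-pem)      printf '%s' "$1" | base64 -d | tr -d '\r' ;;
    file-path)       tr -d '\r' < "$1" ;;
    *) echo "SSH key variable is $(classify_ssh_key_var "$1")" >&2; return 1 ;;
  esac
}
```

In a job, normalize_ssh_key_var "$SSH_PRIVATE_KEY" | ssh-add - takes the place of the echo pipeline, and a failing job then reports which of the cases applied.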
