Deployment Keys Support

Mike-EEE's Avatar

Mike-EEE

18 Nov, 2019 09:21 PM

Since it's closed. :P

Reading this question:
https://help.appveyor.com/discussions/questions/374-deployment-keys-support#comment_38553692

States "You can see public key on General tab of project settings."

And:

"Just open main repo's "Deployment keys" settings on GitHub, remove project public key from there, grab public key on General tab of project settings"

I looked in the General tab of our project, and I do not see anything under there that states "key"... has this changed to another location? I do not see anything obvious.

Thank you for any assistance!

  1. Support Staff 1 Posted by Feodor Fitsner on 18 Nov, 2019 11:53 PM

    Feodor Fitsner's Avatar

    Hi Mike,

    What kind of project (GitHub, GitLab, generic git, etc.) is that?

  2. 2 Posted by Mike-EEE on 19 Nov, 2019 06:24 AM

    Mike-EEE's Avatar

    Ah, details! Using the GitHub app via AppVeyor here. From what I understand, it sounds like the public key should be on the General settings tab in AppVeyor, but I do not see it.

  3. 3 Posted by Mike-EEE on 19 Nov, 2019 10:11 AM

    Mike-EEE's Avatar

    Are Deployment Keys a supported scenario?

    I have configured a deployment key in the target repository, and have configured the appveyor.yml file with the necessary scripting. However, on push I am getting a hang as discussed in this article:

    https://help.appveyor.com/discussions/problems/14881-build-hanging-in-on_success-during-git-push

    So it would seem that the username prompt is being displayed as referenced in this article:

    https://help.appveyor.com/discussions/problems/123-pushing-local-git-tag-to-remote-sever

    I am aware of personal access token, but am trying to keep this from getting personal. xD

    Bad joke, but consider that with a personal access token, the repo permission is for ALL repositories that the account (mine, in this case) has access to -- read AND write. That seems like a gigantic security risk. It seems wrong to give access to one application/service that can have access to everything that I own. That's basically admin privileges.

    I hope I am misunderstanding something, but I am failing to see why PATs are prevalent and recommended throughout the documentation and Deployment Keys are not.

  4. Support Staff 4 Posted by Feodor Fitsner on 19 Nov, 2019 07:07 PM

    Feodor Fitsner's Avatar

    AppVeyor GitHub App is used to give AppVeyor access to specific repositories only: https://www.appveyor.com/blog/2018/10/02/github-apps-integration/

  5. 5 Posted by Mike-EEE on 19 Nov, 2019 08:26 PM

    Mike-EEE's Avatar

    Correct... for receiving webhook/messages for starting new builds. I dig that but unfortunately that is not what I am talking about.

    In this case, we are taking the results of a successful build and sending them to another repo with its Deployment Keys configured. This repo is not in our list of accepted repositories configured with the AppVeyor GitHub application, and is currently using a PAT, which verifies this service now has full read/write access to any repository which I am an owner.

    As mentioned, this is obviously and terribly excessive. That means any compromise of this account on the server can essentially act as me on any repository of which I am a member.

    FWIW here is our script:

    https://github.com/ExtendedXmlSerializer/ExtendedXmlSerializer/blob/master/.build/Success.ps1#L15-L32

    You can see the attempt at using Deployment Keys is commented out (as I couldn't make it work) and is using the far more vulnerable and exposed PAT ATM. Any troubleshooting efforts you can provide to assist us in getting on Deployment Keys would be much preferred and greatly appreciated.

  6. Support Staff 6 Posted by Feodor Fitsner on 20 Nov, 2019 12:20 AM

    Feodor Fitsner's Avatar

    You still can use Deployment Keys - but the their management is on you. Look at this article: https://www.appveyor.com/docs/how-to/private-git-sub-modules/#gener...

  7. 7 Posted by Mike-EEE on 20 Nov, 2019 07:07 AM

    Mike-EEE's Avatar

    Yes indeed! That is the resource that I used as the guidance for the RSA key code in the above file that is currently commented out as it doesn't work.

    Which is why I asked: is this an actually supported scenario? When git push is performed the build locks, with what I am assuming is a user prompt based on the articles above.

  8. 8 Posted by Mike-EEE on 20 Nov, 2019 08:17 AM

    Mike-EEE's Avatar

    OK! Found the issue. :)

    An important detail:

    https://gist.github.com/zhujunsan/a0becf82ade50ed06115

    ```
    Attention: make sure your repo url use git protocl not http, which means use

    git@github.com:{user}/{repo}.git
    not

    https://github.com/{user}/{repo}.git
    ```

    BOOM. Fixed and deployed SO AMAZINGYAYAYAYA :) :) :)

    On that note, so much serious respect and recognition on your RDP access, and really the quality of this service all around -- it's a joy to work with!

  9. Support Staff 9 Posted by Feodor Fitsner on 20 Nov, 2019 10:06 PM

    Feodor Fitsner's Avatar

    Thank you!

  10. Mike-EEE closed this discussion on 20 Nov, 2019 10:23 PM.

Comments are currently closed for this discussion. You can start a new one.

Keyboard shortcuts

Generic

? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac

Recent Discussions

05 Dec, 2019 09:12 PM
04 Dec, 2019 07:46 PM
04 Dec, 2019 12:01 AM
04 Dec, 2019 12:00 AM
03 Dec, 2019 11:00 PM