Describe the bug
Hi
Although the documentation recommends generating a key such as ssh-keygen -m PEM -t rsa -b 4096 -f ~/config_server_deploy_key.rsa, this is no longer compatible with Github as of https://github.blog/2021-09-01-improving-git-protocol-security-github/.
Github's recommended algorithm ed25519 doesn't seem to be supported by Spring Cloud.
Is there a viable alternative?
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'defaultEnvironmentRepository' defined in class path resource [org/springframework/cloud/config/server/config/DefaultRepositoryConfiguration.class]: Invocation of init method failed; nested exception is org.eclipse.jgit.api.errors.InvalidRemoteException: Invalid remote: origin
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1804) ~[spring-beans-5.3.16.jar:5.3.16]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:620) ~[spring-beans-5.3.16.jar:5.3.16]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:542) ~[spring-beans-5.3.16.jar:5.3.16]
at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:335) ~[spring-beans-5.3.16.jar:5.3.16]
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:234) ~[spring-beans-5.3.16.jar:5.3.16]
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:333) ~[spring-beans-5.3.16.jar:5.3.16]
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:208) ~[spring-beans-5.3.16.jar:5.3.16]
at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:953) ~[spring-beans-5.3.16.jar:5.3.16]
at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:918) ~[spring-context-5.3.16.jar:5.3.16]
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:583) ~[spring-context-5.3.16.jar:5.3.16]
at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:145) ~[spring-boot-2.6.4.jar:2.6.4]
at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:740) ~[spring-boot-2.6.4.jar:2.6.4]
at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:415) ~[spring-boot-2.6.4.jar:2.6.4]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:303) ~[spring-boot-2.6.4.jar:2.6.4]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1312) ~[spring-boot-2.6.4.jar:2.6.4]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1301) ~[spring-boot-2.6.4.jar:2.6.4]
at com.vw.odp.cte.config_service.ConfigServiceApplication.main(ConfigServiceApplication.java:15) ~[classes/:na]
Caused by: org.eclipse.jgit.api.errors.InvalidRemoteException: Invalid remote: origin
at org.eclipse.jgit.api.FetchCommand.call(FetchCommand.java:221) ~[org.eclipse.jgit-5.12.0.202106070339-r.jar:5.12.0.202106070339-r]
at org.eclipse.jgit.api.CloneCommand.fetch(CloneCommand.java:303) ~[org.eclipse.jgit-5.12.0.202106070339-r.jar:5.12.0.202106070339-r]
at org.eclipse.jgit.api.CloneCommand.call(CloneCommand.java:178) ~[org.eclipse.jgit-5.12.0.202106070339-r.jar:5.12.0.202106070339-r]
at org.springframework.cloud.config.server.environment.JGitEnvironmentRepository.cloneToBasedir(JGitEnvironmentRepository.java:658) ~[spring-cloud-config-server-3.1.1.jar:3.1.1]
at org.springframework.cloud.config.server.environment.JGitEnvironmentRepository.initClonedRepository(JGitEnvironmentRepository.java:363) ~[spring-cloud-config-server-3.1.1.jar:3.1.1]
at org.springframework.cloud.config.server.environment.JGitEnvironmentRepository.afterPropertiesSet(JGitEnvironmentRepository.java:284) ~[spring-cloud-config-server-3.1.1.jar:3.1.1]
at org.springframework.cloud.config.server.environment.MultipleJGitEnvironmentRepository.afterPropertiesSet(MultipleJGitEnvironmentRepository.java:66) ~[spring-cloud-config-server-3.1.1.jar:3.1.1]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1863) ~[spring-beans-5.3.16.jar:5.3.16]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1800) ~[spring-beans-5.3.16.jar:5.3.16]
... 16 common frames omitted
Caused by: org.eclipse.jgit.errors.NoRemoteRepositoryException: git@github.com:pintomau/fluffy-octo-meme.git: ERROR: You're using an RSA key with SHA-1, which is no longer allowed. Please use a newer client or a different key type.
Please see https://github.blog/2021-09-01-improving-git-protocol-security-github/ for more information.
at org.eclipse.jgit.transport.TransportGitSsh.cleanNotFound(TransportGitSsh.java:201) ~[org.eclipse.jgit-5.12.0.202106070339-r.jar:5.12.0.202106070339-r]
at org.eclipse.jgit.transport.TransportGitSsh$SshFetchConnection.<init>(TransportGitSsh.java:325) ~[org.eclipse.jgit-5.12.0.202106070339-r.jar:5.12.0.202106070339-r]
at org.eclipse.jgit.transport.TransportGitSsh.openFetch(TransportGitSsh.java:153) ~[org.eclipse.jgit-5.12.0.202106070339-r.jar:5.12.0.202106070339-r]
at org.eclipse.jgit.transport.FetchProcess.executeImp(FetchProcess.java:142) ~[org.eclipse.jgit-5.12.0.202106070339-r.jar:5.12.0.202106070339-r]
at org.eclipse.jgit.transport.FetchProcess.execute(FetchProcess.java:94) ~[org.eclipse.jgit-5.12.0.202106070339-r.jar:5.12.0.202106070339-r]
at org.eclipse.jgit.transport.Transport.fetch(Transport.java:1309) ~[org.eclipse.jgit-5.12.0.202106070339-r.jar:5.12.0.202106070339-r]
at org.eclipse.jgit.api.FetchCommand.call(FetchCommand.java:213) ~[org.eclipse.jgit-5.12.0.202106070339-r.jar:5.12.0.202106070339-r]
... 24 common frames omitted
Tried with both Cloud Hoxton.SR12 and 2021.0.1.
Comment From: iolo
I have the same problem. See also https://stackoverflow.com/questions/71489256/spring-cloud-config-server-github-sha-1-error
For right now, I have a dirty workaround: use https uri, username and password (github personal secret token).
Comment From: daviddob
I believe this is due to the dependency on com.jcraft.jsch.JSch (link) which does not support the new signing algorithms and has not been updated since 2018. It should support rsa-sha2-256 or rsa-sha2-512 but instead only supports ssh-rsa
Comment From: surajkarkera
I am also facing the same issue, so there is no solution to it than using the username/token with https url which is not the recommended approach for production?
Comment From: jovica-krstevski
If you previously used ssh from the local host, then the RSA key should be changed to ecdsa.
command : ssh-keygen -m PEM -t ecdsa -b 256
and your config file in the ./ssh folder should look like

    Host github.com
      User git
      Hostname github.com
      IdentityFile ~/.ssh/id_ecdsa

If you override the local ssh in property files :

    spring:
      cloud:
        config:
          server:
            git:
              # host-key can be found in known hosts, example:
              host-key: AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIb...........
              host-key-algorithm: ecdsa-sha2-nistp256
              ignore-local-ssh-settings: false
              private-key: |
                -----BEGIN EC PRIVATE KEY-----
                .................
                .................
                .........................
                -----END EC PRIVATE KEY-----
Comment From: pintomau
The above also works without local settings (ignore-local-ssh-settings: true, remove host-key-algorithm)
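A pre-flight check for the three git SSH values discussed in the two comments above (private-key, host-key, host-key-algorithm), added here as an example and not part of the thread or of Spring Cloud Config. The function names and sample values are assumptions made for illustration; the samples are constructed and contain no real key material.

```python
import base64
import struct

def _pack(*parts):
    # SSH wire "string": 4-byte big-endian length, then the bytes (RFC 4251).
    return b"".join(struct.pack(">I", len(p)) + p for p in parts)

# Constructed samples: an all-zero curve point and header-only PEM text, not real keys.
SAMPLE_HOST_KEY = base64.b64encode(
    _pack(b"ecdsa-sha2-nistp256", b"nistp256", b"\x04" + bytes(64))).decode()
SAMPLE_EC_PEM = "-----BEGIN EC PRIVATE KEY-----\n(placeholder)\n-----END EC PRIVATE KEY-----\n"
SAMPLE_RSA_PEM = "-----BEGIN RSA PRIVATE KEY-----\n(placeholder)\n-----END RSA PRIVATE KEY-----\n"
PEM_KEY_TYPES = {"RSA PRIVATE KEY": "rsa", "EC PRIVATE KEY": "ecdsa"}

def host_key_algorithm(host_key_b64):
    """Return the algorithm name stored as the first string of a known_hosts key field."""
    blob = base64.b64decode(host_key_b64, validate=True)
    if len(blob) < 4:
        raise ValueError("host key too short to hold a length field")
    (n,) = struct.unpack(">I", blob[:4])
    if n == 0 or 4 + n > len(blob):
        raise ValueError("host key is truncated or not an SSH public key blob")
    return blob[4:4 + n].decode("ascii")

def private_key_type(pem):
    """Classify a PEM private key by its BEGIN line (as written by ssh-keygen -m PEM)."""
    first = (pem.strip().splitlines() or [""])[0]
    label = first.strip("-").strip()
    return PEM_KEY_TYPES.get(label[6:] if label.startswith("BEGIN ") else "", "unknown")

def check_git_ssh_settings(private_key, host_key, host_key_algorithm_setting=None):
    """Return a list of problems found in the spring.cloud.config.server.git SSH values."""
    problems = []
    ktype = private_key_type(private_key)
    if ktype == "rsa":
        problems.append("private-key is RSA: an SSH client limited to ssh-rsa signs it "
                        "with SHA-1, the case GitHub rejects in the error above")
    elif ktype == "unknown":
        problems.append("private-key has no RSA/EC PEM header; key type not determined")
    embedded = host_key_algorithm(host_key)
    if host_key_algorithm_setting and host_key_algorithm_setting != embedded:
        problems.append("host-key-algorithm is %r but host-key holds a %r key"
                        % (host_key_algorithm_setting, embedded))
    return problems
```

An empty list means the key type and the host-key fields are consistent; it does not prove the key is authorised on the repository.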
Comment From: abarring-pinc
I have the same problem. See also https://stackoverflow.com/questions/71489256/spring-cloud-config-server-github-sha-1-error
For right now, I have a dirty workaround: use https uri, username and password (github personal secret token).
I have added my findings & solution to the SO question (handle abh) to get ssh key based git operations working, always appreciate an upvote if it helps you out.
I am not certain of the path forward for the ultimate fix in this project, but the workaround I put in place was to switch out the com.jcraft.jsch library with a fork, com.github.mwiede:jsch:0.2.0. It needed an additional small shim to handle how the JGit project configured JSch, as I could not override that class due to jar signing. I did this with an @Configuration class to add an entry to the JSch configuration HashTable before any clone calls were made.
Comment From: ryanjbaxter
This was resolved with https://github.com/spring-cloud/spring-cloud-config/pull/2113