Automate the retrieval of an SSH certificate from GitHub using a GitHub Actions workflow and a GitHub CLI extension. With a single command, the user requests a certificate for a public SSH key. The certificate is signed by the organization's SSH certificate authority, downloaded, and copied into the same folder as the original public key.

See this article for more information on SSH certificates.

## Configure

Create a new repository in the organization that will host the signing workflow below. At the moment the workflow name is hardcoded in the extension, so copy the code below into a file named `.github/workflows/cert.yml`.

```yaml
name: Generate Cert

on:
  workflow_dispatch:
    inputs:
      key:
        description: 'The SSH key to be signed with the certificate'
        required: true
        type: string
      email:
        description: 'The certificate identity'
        required: true
        type: string

jobs:
  build:
    runs-on: ubuntu-latest
    # The inputs are caller-controlled: expose them as environment variables and
    # quote them in the shell instead of interpolating ${{ }} straight into `run:`.
    env:
      PUBKEY: ${{ inputs.key }}
      IDENTITY: ${{ inputs.email }}
      ACTOR: ${{ github.actor }}
      OWNER: ${{ github.repository_owner }}

    steps:
      - name: Logging
        run: echo "Generating certificate for ${ACTOR} (identity ${IDENTITY})"
      - name: Flush signing key to disk
        env:
          SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
        run: |
          printf '%s\n' "$SIGNING_KEY" > ca
          chmod 600 ca
      - name: Flush the public key to disk
        run: printf '%s\n' "$PUBKEY" > "${ACTOR}-${OWNER}.pub"
      - name: Sign the key
        # One-day validity. The principal and the login@github.com extension are
        # taken from the login that dispatched the workflow, not from the inputs.
        run: |
          ssh-keygen -s ca -V '+1d' -I "$IDENTITY" -n "$ACTOR" \
            -O "extension:login@github.com=${ACTOR}" "${ACTOR}-${OWNER}.pub"
      - name: Checking
        run: |
          ls -l
          more "${ACTOR}-${OWNER}-cert.pub"
      - name: Save the key as an artifact
        uses: actions/upload-artifact@v4
        with:
          name: ${{ github.actor }}-${{ github.repository_owner }}-cert.pub
          path: ${{ github.actor }}-${{ github.repository_owner }}-cert.pub
          retention-days: 1
          overwrite: true
```

## Create the signing certificate

```shell
$ ssh-keygen -t ed25519 -C [email protected] -f ca
```

Use the public key generated by the command above (the content of the file `ca.pub`) to create a new certificate authority in the GitHub organization settings under Authentication security. Store the private key generated by the command above (the content of the file `ca`) in a repository secret named `SIGNING_KEY`.

## Usage

Install the local repo as a gh cli extension:

```shell
gh extension install helaili/gh-ssh-cert-please
```

Run the command:

```shell
gh ssh-cert-please --org <your org> --repo <the repo containing the workflow> --pubKey /path/to/your/public/ssh/key/sshkey.pub --email <your email>
```
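Once the command has written the `-cert.pub` file next to your key, it is worth confirming that it carries exactly what the workflow is meant to issue: your GitHub login as the only principal, the same login in the `login@github.com` extension, and a lifetime of at most one day. The script below is an added example, not part of the gh-ssh-cert-please extension; it decodes the fields of an ed25519 user certificate (the key type assumed here, matching the CA above) and reports any mismatch, but does not verify the CA signature, which `ssh-keygen -L` and the server do. The sample certificate it builds is constructed and unsigned.

```python
import base64
import struct
CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
LOGIN_EXT = "login@github.com"   # extension GitHub matches against the user's login

def _s(data):  # SSH 'string' wire encoding: 4-byte big-endian length, then the bytes
    return struct.pack(">I", len(data)) + data
def _rd(buf, off):  # read one SSH string at offset; return (value, offset after it)
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n
def _strings(blob):  # split a blob of concatenated SSH strings into a list
    out, off = [], 0
    while off < len(blob):
        value, off = _rd(blob, off)
        out.append(value)
    return out

def build_cert(key_id, principal, login, valid_after, valid_before):
    """Constructed, UNSIGNED ed25519 user certificate: sample input for the parser."""
    ext = _s(LOGIN_EXT.encode()) + _s(_s(login.encode()))  # name, then data = string(value)
    body = (_s(CERT_TYPE) + _s(b"\x00" * 32) + _s(b"\x00" * 32)  # nonce, dummy 32-byte key
            + struct.pack(">QI", 0, 1) + _s(key_id.encode()) + _s(_s(principal.encode()))
            + struct.pack(">QQ", valid_after, valid_before)  # serial 0, type 1 = user cert
            + _s(b"") + _s(ext) + _s(b"") + _s(b"") + _s(b""))  # crit opts, exts, reserved, sig key, sig
    return CERT_TYPE.decode() + " " + base64.b64encode(body).decode()

def parse_cert(line):
    """Decode the fields of a one-line *-cert.pub; the signature is NOT verified here."""
    raw, off = base64.b64decode(line.split()[1]), 0
    for _ in range(3):  # skip key type, nonce and the raw 32-byte ed25519 public key
        off = _rd(raw, off)[1]
    _serial, type_num = struct.unpack_from(">QI", raw, off)
    key_id, off = _rd(raw, off + 12)
    princ_blob, off = _rd(raw, off)
    valid_after, valid_before = struct.unpack_from(">QQ", raw, off)
    _crit, off = _rd(raw, off + 16)
    items = _strings(_rd(raw, off)[0])  # extensions: alternating name, data (string(value) or empty)
    exts = {items[i].decode(): (_rd(items[i + 1], 0)[0].decode() if items[i + 1] else "")
            for i in range(0, len(items), 2)}
    return {"user": type_num == 1, "key_id": key_id.decode(), "extensions": exts,
            "principals": [p.decode() for p in _strings(princ_blob)],
            "valid_after": valid_after, "valid_before": valid_before}

def check_cert(f, login, now):  # list what does not match the cert the workflow should issue
    checks = [(not f["user"], "not a user certificate"),
              (login not in f["principals"], "principal mismatch"),
              (f["extensions"].get(LOGIN_EXT) != login, "login extension mismatch"),
              (not f["valid_after"] <= now < f["valid_before"], "outside validity window"),
              (f["valid_before"] - f["valid_after"] > 86400, "lifetime longer than 1 day")]
    return [msg for bad, msg in checks if bad]
```

To check a real file, pass the single line of `sshkey-cert.pub` to `parse_cert` and your login to `check_cert`; an empty list means every field matches.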

## Build

```shell
go build
```