I am trying to add https://github.com/eclipse-platform/eclipse.platform as a remote through egit
I get the below error

org.eclipse.jgit.api.errors.InvalidRemoteException: Invalid remote: upStream
    at org.eclipse.jgit.api.FetchCommand.call(FetchCommand.java:221)
    at org.eclipse.egit.core.op.FetchOperation.run(FetchOperation.java:134)
    at org.eclipse.egit.ui.internal.fetch.FetchOperationUI.execute(FetchOperationUI.java:111)
    at org.eclipse.egit.ui.internal.fetch.FetchOperationUI$1.performJob(FetchOperationUI.java:137)
    at org.eclipse.egit.ui.internal.jobs.RepositoryJob.run(RepositoryJob.java:59)
    at org.eclipse.core.internal.jobs.Worker.run(Worker.java:63)
Caused by: org.eclipse.jgit.errors.NoRemoteRepositoryException: git@github.com:eclipse-platform/eclipse.platform.git: ERROR: You're using an RSA key with SHA-1, which is no longer allowed. Please use a newer client or a different key type.
Please see https://github.blog/2021-09-01-improving-git-protocol-security-github/ for more information.
    at org.eclipse.jgit.transport.TransportGitSsh.cleanNotFound(TransportGitSsh.java:201)
    at org.eclipse.jgit.transport.TransportGitSsh$SshFetchConnection.<init>(TransportGitSsh.java:325)
    at org.eclipse.jgit.transport.TransportGitSsh.openFetch(TransportGitSsh.java:153)
    at org.eclipse.jgit.transport.FetchProcess.executeImp(FetchProcess.java:151)
    at org.eclipse.jgit.transport.FetchProcess.execute(FetchProcess.java:103)
    at org.eclipse.jgit.transport.Transport.fetch(Transport.java:1321)
    at org.eclipse.jgit.api.FetchCommand.call(FetchCommand.java:213)
    ... 5 more

My ssh key is RSA3072 with sha256 fingerprint. I can clone the above repository using commandline. With egit I get

ERROR: You're using an RSA key with SHA-1, which is no longer allowed. Please use a newer client or a different key type.
Please see https://github.blog/2021-09-01-improving-git-protocol-security-github/ for more information.
here is the configuration

Eclipse SDK
Version: 2022-06 (4.24)
Build id: I20220601-1800
OS: Ubuntu 22.04 Linux, v.5.15.0-33-generic, x86_64 / gtk 3.24.33, WebKit 2.36.3
Java vendor: Eclipse Adoptium
Java runtime version: 17.0.3+7
Java version: 17.0.3
(In reply to Sravan Kumar Lakkimsetti from comment #1)
> here is the configuration
> Eclipse SDK
> Version: 2022-06 (4.24)
> Build id: I20220601-1800
> OS: Ubuntu 22.04 Linux, v.5.15.0-33-generic, x86_64 / gtk 3.24.33, WebKit 2.36.3
> Java vendor: Eclipse Adoptium
> Java runtime version: 17.0.3+7
> Java version: 17.0.3

Which Egit version? I can clone using latest nightly SDK / EGit on Java 11 / RHEL 7.9 without issues.
Git integration for Eclipse 6.2.0.202205251150-m3
Installed using latest 2022-06 simrel repository
Same error with latest nightly (Git integration for Eclipse 6.2.0.202205312022)
Using an ecdsa key worked. According to https://github.blog/2021-09-01-improving-git-protocol-security-github/ RSA keys with signature types rsa-sha2-256 and rsa-sha2-512 are allowed. My key has sha256 signature with 3072 bits, still egit fails.
Since I have a workaround with ecdsa key I am lowering the importance.
Sravan, whether your RSA key shows a SHA256 fingerprint has nothing to do with the signature algorithm. There are only RSA keys, not RSA-SHA1 and RSA-SHA2 keys. The interesting question here is why would JGit try to use the SHA1 ssh-rsa signature as opposed to one of the SHA2 signatures. In my experience, this is most likely some configuration error somewhere. Of course, it's also possible that Apache MINA sshd has a bug. But to track that down, I'd need the debug log output when you try to clone the repo via jgit command-line tool.
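The distinction made in the comment above, as an added example that is not part of the original thread: it builds and parses the query form of SSH_MSG_USERAUTH_REQUEST (RFC 4252, RFC 8332) and shows that the key blob type and the SHA256 fingerprint stay the same while only the offered signature algorithm name changes. The key blob is a constructed placeholder, and the helper names are chosen for this example.

```python
import base64
import hashlib
import struct

# Signature algorithm name -> hash it implies (ssh-rsa: RFC 4253, rsa-sha2-*: RFC 8332).
RSA_SIG_HASH = {"ssh-rsa": "SHA-1", "rsa-sha2-256": "SHA-256", "rsa-sha2-512": "SHA-512"}

def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def read_string(buf: bytes, pos: int):
    """Decode an SSH 'string' at pos; return (value, position after it)."""
    (n,) = struct.unpack_from(">I", buf, pos)
    end = pos + 4 + n
    if end > len(buf):
        raise ValueError("truncated SSH string")
    return buf[pos + 4:end], end

def fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style fingerprint: a hash over the public key blob, nothing else."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def build_userauth_request(user: str, sig_alg: str, key_blob: bytes) -> bytes:
    """SSH_MSG_USERAUTH_REQUEST (50), method 'publickey', query form (no signature)."""
    return (b"\x32" + ssh_string(user.encode()) + ssh_string(b"ssh-connection")
            + ssh_string(b"publickey") + b"\x00"
            + ssh_string(sig_alg.encode()) + ssh_string(key_blob))

def inspect_request(packet: bytes) -> dict:
    """Report key type, offered signature algorithm and fingerprint of a request."""
    if packet[:1] != b"\x32":
        raise ValueError("not SSH_MSG_USERAUTH_REQUEST")
    pos, fields = 1, []
    for _ in range(3):  # user name, service name, method name
        value, pos = read_string(packet, pos)
        fields.append(value)
    if fields[2] != b"publickey":
        raise ValueError("not a publickey request")
    sig_alg, pos = read_string(packet, pos + 1)  # +1 skips the has-signature boolean
    key_blob, pos = read_string(packet, pos)
    key_type, _ = read_string(key_blob, 0)  # first field inside the key blob
    alg = sig_alg.decode()
    return {"key_type": key_type.decode(), "sig_alg": alg,
            "hash": RSA_SIG_HASH.get(alg, "n/a"), "fingerprint": fingerprint(key_blob)}

# Constructed RSA public key blob (placeholder modulus, not a real key): type, e, n.
KEY_BLOB = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00" + b"\xc3" * 384)
```

Inspecting two requests built from the same `KEY_BLOB`, one offering `ssh-rsa` and one offering `rsa-sha2-512`, yields the same key type and fingerprint and differs only in the `sig_alg` and `hash` fields.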
Here is the output of jgit clone command

prompt> ./jgit clone -v git@github.com:eclipse-platform/eclipse.platform.git
Cloning into 'eclipse.platform'...
The authenticity of host 'github.com' cannot be established.
The EC key's fingerprints are:
MD5:7b:99:81:1e:4c:91:a5:0d:5a:2e:2e:80:13:3f:24:ca
SHA256:p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM
Accept and store this key, and continue connecting? [y/n]? y
fatal: git@github.com:eclipse-platform/eclipse.platform.git does not exist
That's not the debug log. Try running

    _JAVA_OPTIONS="-Dorg.slf4j.simpleLogger.log.org.apache.sshd=DEBUG" jgit clone git@github.com:eclipse-platform/eclipse.platform.git

This looks as if jgit is not using your normal ssh configuration in ~/.ssh. I mean, you did connect to GitHub before, so there should be a hostkey for github.com in ~/.ssh/known_hosts, so you shouldn't be asked about a new key at all.

What OS are you running (which Linux flavour? Version?)

Are you running an ssh-agent? Which one?

It must be some SSH configuration problem on your side; I can clone that repo without problems.
(In reply to Thomas Wolf from comment #9)
> What OS are you running (which Linux flavour? Version?)

Scratch that; you answered that already in comment 1.

> Are you running an ssh-agent? Which one?

But that one I'd still like to know.

Also: you wrote above you used Java 17. Can you please try with Java 11?
(In reply to Thomas Wolf from comment #10)
> Also: you wrote above you used Java 17. Can you please try with Java 11?

Though I don't think it's a Java version problem. I can clone fine also with temurin-17.0.3+7.
Created attachment 288592
log

Please find attached log. The clone works when I use commandline git.
The OS is Ubuntu 20.04 and java used is Java 11.
(In reply to Sravan Kumar Lakkimsetti from comment #12)
> Created attachment 288592
> log
>
> Please find attached log. The clone works when I use commandline git.
> the OS is Ubuntu 20.04 and java used is Java 11.

Now that's interesting. Relevant parts of this log:

2022-06-22 19:40:17 ... SSH_MSG_USERAUTH_SUCCESS Succeeded with publickey

OK, you could log in to GitHub

2022-06-22 19:40:17 ... Send SSH_MSG_CHANNEL_OPEN - type=session
2022-06-22 19:40:18 ... channelOpenConfirmation(ChannelExec[id=0, recipient=-1]-JGitClientSession[git@github.com/13.234.210.38:22]) SSH_MSG_CHANNEL_OPEN_CONFIRMATION sender=43, window-size=32000, packet-size=35000

JGit opened an SSH channel, which worked fine.

2022-06-22 19:40:18 ... Send SSH_MSG_CHANNEL_REQUEST env: {GIT_PROTOCOL=version=2}

JGit requests git protocol V2

2022-06-22 19:40:18 send SSH_MSG_CHANNEL_REQUEST exec command=git-upload-pack 'eclipse-platform/eclipse.platform.git'

JGit requests to fetch the repo

2022-06-22 19:40:18 ... handleExtendedData(ChannelExec[id=0, recipient=43]-JGitClientSession[git@github.com/13.234.210.38:22]) SSH_MSG_CHANNEL_EXTENDED_DATA len=227

Oops, GitHub sent an error message.

2022-06-22 19:40:18 ... handleChannelRequest(ChannelExec[id=0, recipient=43]-JGitClientSession[git@github.com/13.234.210.38:22]) SSH_MSG_CHANNEL_REQUEST exit-status wantReply=false

And GitHub closes the SSH channel. (Exit code is 1)

So: you can log in with your key, but then GitHub sends back an error and closes the connection. When I compare this with the debug log when I clone this repository, everything is the same, except that GitHub doesn't close the channel and starts sending data.

Let's run this again with log level TRACE. That will produce a lot of output, but it'll also dump that error message from the SSH_MSG_CHANNEL_EXTENDED_DATA that GitHub sent. I suspect JGit loses that somewhere along the line. Maybe that gives us a clue.
Created attachment 288594
Log with trace enable

Please find attached with log level TRACE
So the error is still the same:

ERROR: You're using an RSA key with SHA-1, which is no longer allowed. ...

But now apparently sent at time where JGit misses it and doesn't attach it to the exception. Or command-line JGit fails to write it.

So apparently GitHub first lets you log-in, but then later closes the connection with that error message.

Can we try again with some JGit logging enabled?

    _JAVA_OPTIONS="-Dorg.slf4j.simpleLogger.log.org.apache.sshd=TRACE -Dorg.slf4j.simpleLogger.log.org.eclipse.jgit.internal.transport=DEBUG" jgit clone git@github.com:eclipse-platform/eclipse.platform.git

That'll give a more complete log with some more details, such as what signature algorithm the client actually uses.

And could you show your ~/.ssh/config? (If you don't want to post it here, you could send it to me via e-mail.) Perhaps there's something there that throws JGit off.
Created attachment 288595
log with trace and debug

Please find attached log with trace and debug enabled
(In reply to Thomas Wolf from comment #15)
> And could you show your ~/.ssh/config? (If you don't want to post it here,
> you could send it to me via e-mail.) Perhaps there's something there that
> throws JGit off.

~/.ssh/config doesn't exist in my system.
Thank you. I think we've got it now:

2022-06-23 12:05:56 ... Requesting identities from SSH agent
2022-06-23 12:05:56 ... Got 1 key(s) from the SSH agent

So you have an SSH agent running, and it is being used.

2022-06-23 12:05:56 ... send SSH_MSG_USERAUTH_REQUEST request publickey type=ssh-rsa - fingerprint=SHA256:YMiV5TiFowbk3pusUGUAfebIGJ8Q4ZhPfUyQFOcPpoE

JGit asks GitHub: "would you accept a log-in with this key with an RSA-SHA1 signature?"

2022-06-23 12:05:56 ... processAuthDataRequest(JGitClientSession[git@github.com/13.234.210.38:22])[ssh-connection][publickey] SSH_MSG_USERAUTH_PK_OK type=ssh-rsa, fingerprint=SHA256:YMiV5TiFowbk3pusUGUAfebIGJ8Q4ZhPfUyQFOcPpoE

GitHub replied "yes, I would"

2022-06-23 12:05:56 ... processAuthDataRequest(JGitClientSession[git@github.com/13.234.210.38:22])[ssh-connection][publickey]: signing with algorithm ssh-rsa
2022-06-23 12:05:56 ... sign(JGitClientSession[git@github.com/13.234.210.38:22]): signing request to SSH agent for ssh-rsa key, ssh-rsa signature; flags=0
2022-06-23 12:05:56 ... sign(JGitClientSession[git@github.com/13.234.210.38:22]): signature reply from SSH agent for ssh-rsa key, ssh-rsa signature
2022-06-23 12:05:56 ... encode(JGitClientSession[git@github.com/13.234.210.38:22]) packet #6 sending command=50[SSH_MSG_USERAUTH_REQUEST] len=865

JGit goes ahead and sends an authentication request with this key and an RSA-SHA1 signature

2022-06-23 12:05:56 ... processUserAuth(JGitClientSession[git@github.com/13.234.210.38:22]) SSH_MSG_USERAUTH_SUCCESS Succeeded with publickey

GitHub did allow the log-in...

... but as we know will later close the connection.

There's two problems here:

1. GitHub: it should never have accepted this log-in! It shouldn't even have replied "yes, I would"; it should have said "no, I won't". I can see why they did it that way: if they refuse this already before or at the log-in, they have no way to send back a nice error message. They could only say "no" by answering with SSH_MSG_USERAUTH_FAILURE, but that message does not carry any reason field in the SSH protocol.

2. JGit (or Apache MINA sshd) somehow uses a ssh-rsa signature. It shouldn't, it should use a rsa-sha2-512 signature.

After digging into the code I think I see where the problem is. For RSA keys from an ssh-agent, Apache MINA sshd mistakenly always uses ssh-rsa signatures. The problem is caused ultimately by too convoluted code in Apache MINA sshd, which resulted in me overlooking a corner case.

I'll push a fix upstream for Apache MINA sshd 2.9.0, but luckily it's also fixable locally in JGit. I'll push a fix in JGit (will become available in EGit nightly then, and will be in the next 6.3 release later), and if Apache MINA sshd releases 2.9.0 in time, we'll include that one in EGit/JGit 6.3 anyway.

Work-arounds for you right now are:

1. Don't use an SSH agent. Disable it in the preferences in Eclipse. On the command line, use

    SSH_AUTH_SOCK= jgit clone git@github.com:eclipse-platform/eclipse.platform.git

or, if that doesn't work,

    unset SSH_AUTH_SOCK
    jgit clone git@github.com:eclipse-platform/eclipse.platform.git

or create a ~/.ssh/config with contents

    Host github.com
      Hostname github.com
      IdentityAgent none

2. Or modify the list of acceptable signature types for GitHub. Doing this should make JGit/Apache MINA sshd pick it up. Create a ~/.ssh/config with content

    Host github.com
      Hostname github.com
      PubkeyAcceptedKeyTypes ^rsa-sha2-512,rsa-sha2-256

3. Or modify the list of acceptable signature types globally by having the following in your ~/.ssh/config:

    PubkeyAcceptedKeyTypes ^rsa-sha2-512,rsa-sha2-256

Please try these work-arounds and tell whether they do resolve the problem.
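A way to check a client TRACE log for the condition diagnosed in the comment above, as an added example that is not part of the original thread or of JGit: it flags agent signing requests where an RSA key is paired with the SHA-1 `ssh-rsa` signature. The first two sample lines copy the excerpts quoted above; the last two are constructed, and their wording for a non-SHA-1 request is an assumption modelled on the same message shape.

```python
import re

# Message shapes taken from the Apache MINA sshd TRACE excerpts quoted above.
OFFER_RE = re.compile(
    r"SSH_MSG_USERAUTH_REQUEST request publickey type=(?P<type>\S+) - fingerprint=(?P<fp>\S+)")
SIGN_RE = re.compile(
    r"signing request to SSH agent for (?P<key>\S+) key, (?P<sig>\S+) signature")

WEAK_RSA_SIGNATURES = {"ssh-rsa"}  # RSA signature computed over a SHA-1 hash


def find_sha1_agent_signatures(lines):
    """Return one finding per agent signing request that pairs an RSA key with ssh-rsa."""
    findings = []
    last_fp = None  # fingerprint from the most recent publickey offer
    for lineno, line in enumerate(lines, 1):
        offer = OFFER_RE.search(line)
        if offer:
            last_fp = offer.group("fp")
            continue
        sign = SIGN_RE.search(line)
        if sign and sign.group("key") == "ssh-rsa" and sign.group("sig") in WEAK_RSA_SIGNATURES:
            findings.append({"line": lineno, "fingerprint": last_fp,
                             "signature": sign.group("sig")})
    return findings


SAMPLE_LOG = [
    # Lines 1-2: as quoted in the comment above (elisions kept).
    "2022-06-23 12:05:56 ... send SSH_MSG_USERAUTH_REQUEST request publickey type=ssh-rsa"
    " - fingerprint=SHA256:YMiV5TiFowbk3pusUGUAfebIGJ8Q4ZhPfUyQFOcPpoE",
    "2022-06-23 12:05:56 ... sign(JGitClientSession[git@github.com/13.234.210.38:22]):"
    " signing request to SSH agent for ssh-rsa key, ssh-rsa signature; flags=0",
    # Lines 3-4: constructed for this example; wording and values are assumptions.
    "2022-06-24 09:00:00 ... send SSH_MSG_USERAUTH_REQUEST request publickey type=rsa-sha2-512"
    " - fingerprint=SHA256:CONSTRUCTED-PLACEHOLDER",
    "2022-06-24 09:00:00 ... sign(JGitClientSession[git@github.com/13.234.210.38:22]):"
    " signing request to SSH agent for ssh-rsa key, rsa-sha2-512 signature; flags=4",
]

if __name__ == "__main__":
    for finding in find_sha1_agent_signatures(SAMPLE_LOG):
        print(finding)
```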
New Gerrit change created: https://git.eclipse.org/r/c/jgit/jgit/+/194362
All three workarounds mentioned in comment 18 work for me. Apart from that I switched to ecdsa key for my work now so not exactly blocked with this problem. Thanks for identifying the problem and fix. And sorry for not responding sooner.
Gerrit change https://git.eclipse.org/r/c/jgit/jgit/+/194362 was merged to [master]. Commit: http://git.eclipse.org/c/jgit/jgit.git/commit/?id=db4f7dffb78113a6ba7bea35f7a27b6260e31646
The fix is available via EGit nightly now; update site is https://download.eclipse.org/egit/updates-nightly/ .
Verified in Git integration for Eclipse 6.3.0.202206231853

With Eclipse version

Eclipse SDK
Version: 2022-06 (4.25)
Build id: I20220622-1800
OS: Linux, v.5.4.0-110-generic, x86_64 / gtk 3.24.20
Java vendor: Private Build
Java runtime version: 11.0.15+10-Ubuntu-0ubuntu0.20.04.1
Java version: 11.0.15
Thanks for verifying, Sravan!