gitPrivateKey from Environment Variable is Missing Newline

[philipp-holler]

How are you running Renovate?

Self-hosted Renovate

If you're self-hosting Renovate, tell us which platform (GitHub, GitLab, etc) and which version of Renovate.

GitLab, 39.170.1

Please tell us more about your question or problem

I am trying to use gitPrivateKey to configure commit signing in Renovate.
In my config.js file, I have configured it via the line gitPrivateKey: process.env.COMMIT_SIGNING_KEY, loading the signing key via an environment variable (I also tried it via a secret loaded from the environment variable and {{ secrets.COMMIT_SIGNING_KEY }} as the value for gitPrivateKey, but this led to Renovate not recognizing the key as SSH anymore, because, I assume, the secret wasn't resolved to its actual value).

During the Renovate run, the key is correctly written to the file /tmp/git-private-ssh.key. However the file does not contain a trailing newline, even when there was one in the environment variable, and therefore the workaround ssh-keygen call fails with an error in libcrypto message. Everything works fine when I put my private key directly into the RENOVATE_GIT_PRIVATE_KEY variable (i.e. the same environment variable contents, just not passed through the file config).

I assume my trailing newline is trimmed out somewhere, but I'm not sure where and I don't quite understand how I am supposed to configure the key correctly through the configuration file without this happening.

I did find this existing, related discussion, not the answers in there are mostly about the need for the trailing newline, not about how to preserve it through the loading via configuration.

Logs (if relevant)

Logs

WARN: gitPrivateKey: error importing (repository=<repo>, branch=<branch>)
       "err": {
         "cmd": "/bin/sh -c ssh-keygen -y -P \"\" -f /tmp/git-private-ssh.key",
         "stderr": "Load key \"/tmp/git-private-ssh.key\": error in libcrypto\r\n",
         "stdout": "",
         "options": {
           "cwd": "<path>",
           "encoding": "utf-8",
           "env": {
             "HOME": "/home/ubuntu",
             "PATH": "/home/ubuntu/.local/bin:/home/ubuntu/bin:/home/ubuntu/.local/bin:/home/ubuntu/bin:/home/ubuntu/.local/bin:/home/ubuntu/bin:/home/ubuntu/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
             "LC_ALL": "C.UTF-8",
             "LANG": "C.UTF-8",
             "CI_PROJECT_DIR": "<path>",
             "LOG_LEVEL": "debug",
             "CONTAINERBASE_CACHE_DIR": "<path>"
           },
           "maxBuffer": 10485760,
           "timeout": 900000
         },
         "exitCode": 255,
         "name": "ExecError",
         "message": "Command failed: ssh-keygen -y -P \"\" -f /tmp/git-private-ssh.key\nLoad key \"/tmp/git-private-ssh.key\": error in libcrypto\r\n",
         "stack": "ExecError: Command failed: ssh-keygen -y -P \"\" -f /tmp/git-private-ssh.key\nLoad key \"/tmp/git-private-ssh.key\": error in libcrypto\r\n\n    at ChildProcess.<anonymous> (/usr/local/renovate/lib/util/exec/common.ts:119:11)\n    at ChildProcess.emit (node:events:536:35)\n    at ChildProcess.emit (node:domain:489:12)\n    at Process.ChildProcess._handle.onexit (node:internal/child_process:293:12)"
       }

[rarkins]

You're welcome to submit a PR which ensures a new line is present at the end of the string before writing it out to disk

[hkraal]

@philipp-holler are you certain that setting RENOVATE_GIT_PRIVATE_KEY directly solves your problem? I'm running into a similar problem when adding an private SSH key as a single line string with \n's but the error only surfaces when an actual commit needs to be made.

If Renovate is just running without any changes to make no errors occur.

Edit: Sorry rarkins, should have opened a seperated reply

[philipp-holler]

@hkraal It does indeed work for me, including getting correctly signed and platform-verified commits.
One possibly relevant detail that I didn't write in the initial context is that I am supplying the private key as a base64-encoded string with real line breaks and exporting it in the before_script of the pipeline job (export RENOVATE_GIT_PRIVATE_KEY="$(echo $COMMIT_SIGNING_KEY_B64 | base64 -d)").

[hkraal]

Not sure how you solved the issue but I only got it to work after the newline fix. PR is opened; #34674

[hkraal]

@philipp-holler this should now be fixed as #34674 is released in https://github.com/renovatebot/renovate/releases/tag/39.192.0.

Got working verified commits now on my end anyways!

[philipp-holler]

Thank you very much for contributing the fix 🙂
While it wasn't as critical for me, I appreciate the ability to configure the key "the sane way" in the future.