helaili/gh-ssh-cert-please

Automate the retrieval of an SSH certificate from GitHub using a GitHub Actions workflow and a GitHub CLI extension. With a single command, the user can request a certificate for a public SSH key. The certificate is then signed by a certificate authority, downloaded, and copied into the same folder as the original public key.

See this article for more information on SSH certificates.

Configure

Create a new repository in the organization to host the signing workflow below. At the moment, the name of the workflow is hardcoded, so copy the code below into a file named .github/workflows/cert.yml.

name: Generate Cert

on:
  workflow_dispatch:
    inputs:
      key:
        description: 'The SSH key to be signed with the certificate'
        required: true
        type: string
      email:
        description: 'The certificate identity'
        required: true
        type: string

jobs:
  build:
    runs-on: ubuntu-latest

    # User-supplied inputs reach the shell as environment variables, so they are
    # handled as data rather than expanded into the script text.
    env:
      PUB_KEY: ${{ inputs.key }}
      EMAIL: ${{ inputs.email }}
      ACTOR: ${{ github.actor }}
      KEY_FILE: ${{ github.actor }}-${{ github.repository_owner }}.pub
      CERT_FILE: ${{ github.actor }}-${{ github.repository_owner }}-cert.pub

    steps:
      - name: Logging
        run: echo "Generating certificate for ${ACTOR}'s key named ${PUB_KEY}"
      - name: Flush signing key to disk
        env:
          SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
        run: |
          printf '%s\n' "$SIGNING_KEY" > ca
          chmod 600 ca
      - name: Flush the public key to disk
        run: printf '%s\n' "$PUB_KEY" > "$KEY_FILE"
      - name: Sign the key
        # Valid for one day; the GitHub login is both the principal and the login@github.com extension
        run: |
          ssh-keygen -s ca -V '+1d' -I "$EMAIL" -n "$ACTOR" -O "extension:login@github.com=$ACTOR" "$KEY_FILE"
      - name: Checking
        run: |
          ls -l
          more "$CERT_FILE"
      - name: Save the key as an artifact
        uses: actions/upload-artifact@v4.3.1
        with:
          name: ${{github.actor}}-${{github.repository_owner}}-cert.pub
          path: ${{github.actor}}-${{github.repository_owner}}-cert.pub
          retention-days: 1
          overwrite: true
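
As an added example (not part of the gh-ssh-cert-please repository), the shell functions below check the key and email inputs of the workflow above and could run in a step before "Sign the key". The function names, the allowed key types and the email pattern are assumptions to adapt to local policy.

```shell
#!/bin/sh
# Added example, not part of gh-ssh-cert-please. Function names, the allowed
# key types and the email pattern are assumptions to adapt to local policy.
NL='
'

# Succeeds only if $1 is one line "<type> <base64> [comment]" with an allowed
# type whose name is also the first string inside the decoded key blob.
valid_pubkey() {
  key=$1
  case $key in *"$NL"*) return 1 ;; esac        # one key per request
  set -f; set -- $key; set +f                   # split on blanks, no globbing
  type=${1-} blob=${2-}
  case $type in
    ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256) ;;
    *) return 1 ;;
  esac
  case $blob in ''|*[!A-Za-z0-9+/=]*) return 1 ;; esac
  # SSH wire format: 4-byte length, then the key type name.
  inner=$(printf '%s' "$blob" | base64 -d 2>/dev/null |
          tail -c +5 | head -c "${#type}" | tr -d '\000')
  [ "$inner" = "$type" ]
}

# Succeeds only if $1 is a single-line, conservative email-shaped key ID.
valid_identity() {
  case $1 in *"$NL"*) return 1 ;; esac
  printf '%s\n' "$1" |
    grep -Eq '^[A-Za-z0-9][A-Za-z0-9._%+-]*@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$'
}

# Gate to run before the signing step; prints the reason on rejection.
check_request() {
  valid_pubkey "$1"   || { echo "rejected: public key" >&2; return 1; }
  valid_identity "$2" || { echo "rejected: identity" >&2; return 1; }
}

# Constructed sample: an all-zero ed25519 key, not a real credential.
SAMPLE_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAA$(printf '%040d' 0 | tr 0 A) dev@laptop"
check_request "$SAMPLE_KEY" "dev@example.com" && echo "request accepted"
```

ssh-keygen still parses the key in full when signing; this gate only narrows what reaches it.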

Create the signing certificate

$ ssh-keygen -t ed25519 -C ca@github.com -f ca

Use the public key generated by the command above (the content of the file ca.pub) to create a new certificate authority in the GitHub organization settings under Authentication security. Store the private key generated by the command above (the content of the file ca) in a repository secret named SIGNING_KEY.

Usage

Install the local repo as a gh cli extension:

gh extension install helaili/gh-ssh-cert-please

Run the command:

gh ssh-cert-please --org <your org> --repo <the repo containing the workflow> --pubKey /path/to/your/public/ssh/key/sshkey.pub --email <your email>

Build

go build
