Ned Batchelder: Secure maintainer workflow, continued

Picking up from Secure maintainer workflow, especially the comments there (thanks!), here are some more things I’m doing to keep my maintainer workflow safe.

1Password ssh: I’m using 1Password as my SSH agent. It works really well, and uses the Mac Touch ID for authorization. Now I have no private keys in my ~/.ssh directory. I’ve been very impressed with 1Password’s helpful and comprehensive approach to configuration and settings.

Improved environment variables: I’ve updated my opvars and unopvars shell functions that set environment variables from 1Password. Now I can name sets of credentials (defaulting to the current directory name), and apply multiple sets. Then unopvars knows all that have been set, and clears all of them.

Public/private GitHub hosts: There’s a problem with using a fingerprint-gated SSH agent: some common operations want an SSH key but aren’t actually security sensitive. When pulling from a public repo, you don’t want to be interrupted to touch the sensor. Reading public information doesn’t need authentication, and you don’t want to become desensitized to the importance of the sensor. Pulling changes from a git repo with a “git@” address always requires SSH, even if the repo is public. It shouldn’t require an alarming interruption.

Git lets you define “insteadOf” aliases so that you can pull using “https:” and push using “git@”. The syntax seems odd and backwards to me, partly because I can define pushInsteadOf, but there’s no pullInsteadOf:

[url "git@github.com:"]
    # Git remotes of "git@github.com:" should really be pushed using ssh.
    pushInsteadOf = git@github.com:

[url "https://github.com/"]
    # Git remotes of "git@github.com:" should be pulled over https.
    insteadOf = git@github.com:

This works great, except that private repos still need to be pulled using SSH. To deal with this, I have a baroque arrangement using a fake URL scheme “github_private:” like this:

[url "git@github.com:"]
    pushInsteadOf = git@github.com:
    # Private repos need ssh in both directions.
    insteadOf = github_private:

[url "https://github.com/"]
    insteadOf = git@github.com:

Now if I set the remote URL to “github_private:nedbat/secret.git”, then activity will use “git@github.com:nedbat/secret.git” instead, for both pushing and pulling. (BTW: if you start fiddling with this, “git remote -v” will show you the URLs after these remappings, and “git config --get-regexp 'remote.*.url'” will show you the actual settings before remapping.)

But how to set the remote to “github_private:nedbat/secret.git”? I can set it manually for specific repos with “git remote”, but I also clone entire organizations and don’t want to have to know which repos are private. I automate the remote-setting with an aliased git command I can run in a repo directory that sets the remote correctly if the repo is private:

[alias]

    # If this is a private repo, change the remote from "git@github.com:" to
    # "github_private:". You can remap "github_private:" to "git@" like this:
    #
    # [url "git@github.com:"]
    # insteadOf = github_private:
    #
    # This requires the gh command: https://cli.github.com/
    # The template prints the repo's "visibility" field: "public" or "private".
    #
    fix-private-remotes = "!f() { \
        vis=$(gh api 'repos/{owner}/{repo}' --template '{{.visibility}}'); \
        if [ \"$vis\" = private ]; then \
            for rem in $(git remote); do \
                echo \"Updating remote $rem\"; \
                git config remote.$rem.url \"$(git config remote.$rem.url | \
                    sed -e 's/git@github.com:/github_private:/')\"; \
            done; \
        fi; \
    }; f"

This uses GitHub’s gh command-line tool, which is quite powerful. I’m using it more and more.
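To see the two halves of this arrangement working together without touching a real ~/.gitconfig, here is an added example (my own script, not code from Ned's post). It writes the second config block above into a throwaway HOME, checks what git actually resolves for fetch and push on each kind of remote, and then runs the same sed rewrite as the fix-private-remotes alias. Since the gh API call needs network access, the repo visibility is passed in as an argument instead; the function names (new_repo, raw_url, effective_urls, fix_private_remotes) and the sandbox layout are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Exercises the insteadOf /
# pushInsteadOf / "github_private:" remapping in a throwaway HOME, then applies
# the private-repo rewrite with the repository visibility passed in as an
# argument (a stand-in for `gh api 'repos/{owner}/{repo}' --template
# '{{.visibility}}'`, which needs network access). Function names are assumed.
set -eu

SANDBOX=$(mktemp -d)
trap 'rm -rf "$SANDBOX"' EXIT
export HOME="$SANDBOX"                          # git looks for ~/.gitconfig here
export GIT_CONFIG_GLOBAL="$SANDBOX/.gitconfig"  # same file, honoured by git >= 2.32
export XDG_CONFIG_HOME="$SANDBOX/xdg"           # hide any real XDG git config
export GIT_CONFIG_NOSYSTEM=1                    # and /etc/gitconfig

# The same remapping rules as the post's second config block.
cat > "$SANDBOX/.gitconfig" <<'EOF'
[url "git@github.com:"]
    pushInsteadOf = git@github.com:
    # Private repos need ssh in both directions.
    insteadOf = github_private:
[url "https://github.com/"]
    insteadOf = git@github.com:
EOF

# new_repo <remote-url>: create an empty repo whose "origin" is <remote-url>
# and print its path.
new_repo() {
    repo=$(mktemp -d "$SANDBOX/repo.XXXXXX")
    git -C "$repo" init -q
    git -C "$repo" remote add origin "$1"
    printf '%s\n' "$repo"
}

# raw_url <repo>: the origin URL as stored in .git/config, before remapping
# (what `git config --get-regexp 'remote.*.url'` shows).
raw_url() {
    git -C "$1" config remote.origin.url
}

# effective_urls <repo>: fetch and push URLs after insteadOf/pushInsteadOf
# have been applied (what `git remote -v` shows).
effective_urls() {
    printf 'fetch=%s push=%s\n' \
        "$(git -C "$1" remote get-url origin)" \
        "$(git -C "$1" remote get-url --push origin)"
}

# fix_private_remotes <repo> <visibility>: the alias from the post with the gh
# call replaced by the <visibility> argument ("private" or "public"). Rewrites
# every remote from "git@github.com:" to "github_private:" when private, then
# prints the raw origin URL.
fix_private_remotes() {
    repo=$1
    vis=$2
    if [ "$vis" = private ]; then
        for rem in $(git -C "$repo" remote); do
            old=$(git -C "$repo" config "remote.$rem.url")
            new=$(printf '%s\n' "$old" | sed -e 's/^git@github\.com:/github_private:/')
            git -C "$repo" config "remote.$rem.url" "$new"
        done
    fi
    raw_url "$repo"
}

# Walk through the cases from the post (constructed repo names).
public=$(new_repo git@github.com:nedbat/coveragepy.git)
echo "public git@ remote:    $(effective_urls "$public")"
# pulls over https, pushes over ssh

secret=$(new_repo git@github.com:nedbat/secret.git)
fix_private_remotes "$secret" private >/dev/null
echo "private, raw setting:  $(raw_url "$secret")"
echo "private, effective:    $(effective_urls "$secret")"
# both directions now use git@github.com:, so the sensor is touched for a pull too
```

Run it with any POSIX sh; it only needs git on PATH. The sandboxed HOME is the important design choice: insteadOf rules are global state, and trying them against your real config while a long-running SSH agent is active is exactly the situation in which a mistyped rule silently turns a pull into a key-gated operation.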

This is getting kind of complex, and is still a work in progress, but it’s working. I’m always interested in ideas for improvements.


December 22, 2022 at 05:33PM