adding Launchpad public key to machines

Asked by Johann Wolf

For our CI and deployed application we require the public key of Launchpad for git push/pull. We hardcoded the public key (or rather made it configurable), which is safer than retrieving it on demand with ssh-keyscan.
When the Launchpad public key is renewed we'll also have to renew it on our infrastructure. Has this been a topic for other projects as well? Is there any automated solution to doing this?

Question information

Language: English
Status: Solved
For: Launchpad itself
Assignee: No assignee
Solved by: Johann Wolf

Tushar Gupta (tushar5526) said :
#1

I can't picture the CI flow entirely. What do you mean by public key of Launchpad (or is it a Launchpad account)? Is the project private?

For now, I am assuming you intend to get and set SSH keys of accounts via API so that they can be used in your CI flows.

You can use `ssh-import-id lp:<username>` to import SSH keys for a user.

For setting up new SSH keys, I don't think there is a user-facing API. There are APIs to set SSH keys but they are only meant to be used via Ubuntu SSO service.

You can check out addSSHKeyFromSSO in https://api.launchpad.net/devel.html#people

It would be helpful if you can share more details either here or on MM if it's private.

Johann Wolf (johannwolf) said :
#3

My question is about the public SSH host key of Launchpad, so not related to user authentication.
An entry in known_hosts with the public host key is required so that the "The authenticity of host '...' can't be established." prompt doesn't block git operations.

Clinton Fung (clinton-fung) said :
#4

I'm not aware of any specific cases in Launchpad where a scheme has been designed and implemented to solve this particular problem.

I think that the simplest and most obvious solution is to do what you've already done: provide a well-known fingerprint through a secure out-of-band mechanism, that your application can trust.

Johann Wolf (johannwolf) said :
#5

OK, thanks for the confirmation!
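
One way to automate renewal without trusting ssh-keyscan blindly, as an added example that is not part of the original posts and not Launchpad code: treat the scan output as untrusted and keep a known_hosts line only when its SHA256 fingerprint matches one delivered out of band. The function names, the host name git.launchpad.net and the sample keys are assumptions constructed for illustration; pinning the old and the new fingerprint together covers a renewal window.

```python
import base64
import hashlib


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64-encoded public key blob."""
    blob = base64.b64decode(key_b64, validate=True)
    digest = hashlib.sha256(blob).digest()
    # OpenSSH prints the digest as base64 without '=' padding.
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def trusted_known_hosts(scan_output: str, host: str, pinned: set[str]) -> list[str]:
    """Filter untrusted (unhashed) ssh-keyscan output down to the lines for
    `host` whose fingerprint is pinned. Raises ValueError if none match."""
    accepted = []
    for line in scan_output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # ssh-keyscan emits '# host:22 SSH-2.0-...' banner lines
        fields = line.split()
        if len(fields) < 3 or host not in fields[0].split(","):
            continue
        try:
            fp = fingerprint(fields[2])
        except ValueError:  # malformed base64 (binascii.Error is a ValueError)
            continue
        if fp in pinned:
            accepted.append(f"{host} {fields[1]} {fields[2]}")
    if not accepted:
        raise ValueError(f"no offered key for {host} matches a pinned fingerprint")
    return accepted


def sample_key(fill: int) -> str:
    """Constructed ssh-ed25519-shaped blob for the demo; not a real host key."""
    blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes([fill]) * 32
    return base64.b64encode(blob).decode()


if __name__ == "__main__":
    host = "git.launchpad.net"  # assumed host name
    good, rogue = sample_key(1), sample_key(2)
    # Constructed scan output: one unexpected key, one matching the pin.
    scan = f"# constructed\n{host} ssh-ed25519 {rogue}\n{host} ssh-ed25519 {good}\n"
    pinned = {fingerprint(good)}  # in practice: values obtained out of band
    print("\n".join(trusted_known_hosts(scan, host, pinned)))
```

Append the returned lines to the known_hosts file used by CI and run git over ssh with StrictHostKeyChecking=yes, so an unexpected key fails the job instead of prompting.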