GitLab CI Windows Shared Runners & Deploy Keys

Hi all,

I opened issues on the respective GitLab repositories, but no response has been received. This is my last hope!

Having trouble with GitLab’s Shared Windows Runner (Windows 10 1809) and the OpenSSH client. I cannot ssh-add without receiving the error:

Could not add identity “path/to/ssh/key”: agent refused operation.

More specifically, the problem arose whilst using GitLab’s Windows Shared Runner in my development Continuous Integration pipeline. I’m basically trying to add a private key so the VM can access some private Git repositories.

This is the SSH-key adding process I use on Unix runners for the above functionality (and what I’m trying to replicate on Windows):

Script Used On Unix Runners

      # install ssh-agent
      - 'which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )'
      # run ssh-agent
      - eval $(ssh-agent -s)
      # add ssh key stored in MY_PRIVATE_KEY_BASE64_VALUE variable to the agent store
      - ssh-add <(echo "$MY_PRIVATE_KEY_BASE64_VALUE" | base64 -d)
      # disable host key checking (NOTE: makes you susceptible to man-in-the-middle attacks)
      # WARNING: use only in docker container, if you use it with shell you will overwrite your user's ssh config
      - mkdir -p ~/.ssh
      - echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config
      - npm install --include-development

I “think” the script I wrote below for Windows is technically correct, though it fails at the very last stage, where I ssh-add the private key. That results in the error Could not add identity “path/to/ssh/key”: agent refused operation, causing the before_script to fail.

My Windows Script:

      # ------------------------------------------------------------------------
      # Check that the OpenSSH client capability is installed
      # ------------------------------------------------------------------------
      - Get-WindowsCapability -Online | ? Name -like 'OpenSSH*'
      - mkdir .ssh
      # ------------------------------------------------------------------------
      # Decode the Base64-encoded CI variable and write it to the .ssh directory
      # (CI variables are environment variables, so PowerShell reads them as $env:NAME;
      # written as ASCII because PowerShell's > redirection defaults to UTF-16)
      # ------------------------------------------------------------------------
      - Set-Content -Path $env:CI_PROJECT_DIR\.ssh\gitlab_deploy_key_base64 -Value $env:MY_PRIVATE_KEY_BASE64_VALUE -Encoding ASCII
      - certutil -decode $env:CI_PROJECT_DIR\.ssh\gitlab_deploy_key_base64 $env:CI_PROJECT_DIR\.ssh\gitlab_deploy_key
      - Remove-Item -Path $env:CI_PROJECT_DIR\.ssh\gitlab_deploy_key_base64
      # ------------------------------------------------------------------------
      # Set key permissions (OpenSSH refuses a private key other accounts can read)
      # ------------------------------------------------------------------------
      #:: # Remove inheritance ::
      - Cmd /c Icacls $env:CI_PROJECT_DIR\.ssh\gitlab_deploy_key /c /t /Inheritance:d
      #:: # Grant full control to the job user (cmd expands %UserName%) ::
      - Cmd /c Icacls $env:CI_PROJECT_DIR\.ssh\gitlab_deploy_key /c /t /Grant %UserName%:F
      #:: # Remove every other principal ::
      - Cmd /c Icacls $env:CI_PROJECT_DIR\.ssh\gitlab_deploy_key /c /t /Remove BUILTIN\Administrators Everyone SYSTEM BUILTIN\Users
      #:: # Verify ::
      - Cmd /c Icacls $env:CI_PROJECT_DIR\.ssh\gitlab_deploy_key
      - Get-ChildItem $env:CI_PROJECT_DIR\.ssh
      # ------------------------------------------------------------------------
      # Configure the SSH agent service
      # ------------------------------------------------------------------------
      - Set-Service ssh-agent -StartupType Manual
      - Start-Service ssh-agent
      # ------------------------------------------------------------------------
      # Add SSH key
      # ------------------------------------------------------------------------
      - ssh-add $env:CI_PROJECT_DIR\.ssh\gitlab_deploy_key

I’m trying to determine whether this is solely a Windows and OpenSSH issue, or something more configuration-related (i.e. permissions/restrictions enforced by GitLab in their VM container). Hey, maybe it’s a problem with my code too!

Should the above function as I intend?
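An added example, not the poster's code and not a diagnosis of the error above: a hardened version of the Windows before_script as a practitioner would write it for Windows PowerShell 5.1 on the Windows 10 1809 image. It decodes the key in-process (no base64 temp file, no certutil, no UTF-16 redirection), locks the file down to the job user with icacls, pins the server host key instead of disabling StrictHostKeyChecking, records which ssh-add binary PATH resolves to, proves the key landed in the agent with ssh-add -l, and finally exercises the key through git with an agent-free fallback. Assumed, and not in the original post: a masked CI variable MY_PRIVATE_KEY_BASE64_VALUE holding the base64 private key, a CI variable SSH_KNOWN_HOSTS holding the target server's known_hosts line(s), a placeholder remote git@gitlab.com:example/private-repo.git, and a job user allowed to start the ssh-agent service.

```powershell
# Added example (not from the original post): hardened Windows before_script for Windows PowerShell 5.1.
# Assumed CI variables: MY_PRIVATE_KEY_BASE64_VALUE (base64 private key), SSH_KNOWN_HOSTS (known_hosts lines).
# Assumed remote: git@gitlab.com:example/private-repo.git (placeholder).
$ErrorActionPreference = 'Stop'

$sshDir     = Join-Path $env:CI_PROJECT_DIR '.ssh'
$keyFile    = Join-Path $sshDir 'gitlab_deploy_key'
$knownHosts = Join-Path $sshDir 'known_hosts'
New-Item -ItemType Directory -Force -Path $sshDir | Out-Null

# 1. Decode the key in PowerShell: the bytes go straight to disk, so encoding of a temp file never matters.
if (-not $env:MY_PRIVATE_KEY_BASE64_VALUE) { throw 'MY_PRIVATE_KEY_BASE64_VALUE is not set' }
$keyBytes = [Convert]::FromBase64String($env:MY_PRIVATE_KEY_BASE64_VALUE)
[IO.File]::WriteAllBytes($keyFile, $keyBytes)

# 2. Drop inherited ACEs and leave only the job user with full control.
#    Win32-OpenSSH checks the private key's ACL and rejects a key other accounts can read.
icacls $keyFile /inheritance:r /grant:r "${env:USERNAME}:F" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }
# Show the resulting ACL in the job log so a permission problem is visible at a glance.
(Get-Acl $keyFile).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# 3. Pin the server host key (assumed SSH_KNOWN_HOSTS variable) rather than StrictHostKeyChecking=no.
if (-not $env:SSH_KNOWN_HOSTS) { throw 'SSH_KNOWN_HOSTS is not set; refusing to connect without a pinned host key' }
Set-Content -Path $knownHosts -Value $env:SSH_KNOWN_HOSTS -Encoding ASCII

# 4. Record which OpenSSH binaries PATH resolves to; a Windows build box often carries more than one copy.
$sshAdd = (Get-Command ssh-add.exe).Source
$ssh    = (Get-Command ssh.exe).Source
Write-Host "ssh-add resolves to: $sshAdd"
Write-Host "ssh resolves to:     $ssh"

# 5. Start the agent service, load the key, and prove it loaded by listing the agent's identities.
Set-Service ssh-agent -StartupType Manual
Start-Service ssh-agent
& $sshAdd $keyFile
if ($LASTEXITCODE -ne 0) { throw "ssh-add failed with exit code $LASTEXITCODE" }
& $sshAdd -l
if ($LASTEXITCODE -ne 0) { throw 'ssh-add -l reports no identities; the key did not reach the agent' }

# 6. Agent-free fallback: hand git the key file directly, use only that key, and fail closed on host key mismatch.
$env:GIT_SSH_COMMAND = "ssh -i `"$keyFile`" -o IdentitiesOnly=yes -o UserKnownHostsFile=`"$knownHosts`" -o StrictHostKeyChecking=yes"
git ls-remote git@gitlab.com:example/private-repo.git HEAD
if ($LASTEXITCODE -ne 0) { throw 'git could not authenticate with the deploy key' }
```

Put the script in the job as a single multi-line before_script entry (`- |`) or as a .ps1 committed to the repository, so it runs as one PowerShell session and `$ErrorActionPreference = 'Stop'` applies to every step. Step 6 is the part worth keeping even if the agent route never works: git with GIT_SSH_COMMAND and IdentitiesOnly=yes needs no agent at all, and an explicit UserKnownHostsFile with StrictHostKeyChecking=yes removes the man-in-the-middle exposure the Unix script's `StrictHostKeyChecking no` comment warns about.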