Windows Shared Runner & Deploy SSH Private Key - "Could not add identity: agent refused operation"

Hello all,

I’m posting here in the hope of getting some input, unlike the issue opened directly with Gitlab many months back.

My issue relates to GitLab’s Windows Shared Runners. I am experiencing trouble adding my deploy key CI variable to the SSH client. Currently I have private repos that are installed in my Electron app codebases via Node Package Manager. Obviously without my deploy key, these wont install and therefore the build fails.

I’ve had the unfortunate experience of setting up SSH on a Windows 10 VM, when I wanted to use Parallels Executor for my CI (separate problem with that though - stale issue for it) so I remembered the frustrating process.

Below is the script I use on Unix runners (and what I’m trying to replicate on Windows) in my larger pipeline configuration:

Script Used On Unix Runners

      # install ssh-agent
      - 'which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )'
      # run ssh-agent
      - eval $(ssh-agent -s)
      # add ssh key stored in MY_PRIVATE_KEY_BASE64_VALUE variable to the agent store
      - ssh-add <(echo "$MY_PRIVATE_KEY_BASE64_VALUE" | base64 -d)
      # disable host key checking (NOTE: makes you susceptible to man-in-the-middle attacks)
      # WARNING: use only in docker container, if you use it with shell you will overwrite your user's ssh config
      - mkdir -p ~/.ssh
      - echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config
      - npm install --include-development

I “think” the script I wrote below for Windows is technically correct. Though, it fails on the very last stage where I ssh-add the private key, which results in the error Could not add identity “path/to/ssh/key: agent refused operation, causing the before_script to fail.

I am out of ideas and wonder if this is the result of an intricate restriction/permission on the runner VM itself.

My Windows Script:

      # ------------------------------------------------------------------------
      # Check if OpenSSH client running
      # ------------------------------------------------------------------------
      - Get-WindowsCapability -Online | ? Name -like 'OpenSSH*'
      - mkdir .ssh
      # ------------------------------------------------------------------------
      # Decode the Base64-Encoded CI variable and write it to the .ssh directory
      # ------------------------------------------------------------------------
      - (echo $ASSOCIATED_PRIVATE_REPOSITORY_PRIVATE_KEY) > $CI_PROJECT_DIR\.ssh\gitlab_deploy_key_base64
      - certutil -decode $CI_PROJECT_DIR\.ssh\gitlab_deploy_key_base64 $CI_PROJECT_DIR\.ssh\gitlab_deploy_key
      - Remove-Item –path $CI_PROJECT_DIR\.ssh\gitlab_deploy_key_base64
      # ------------------------------------------------------------------------
      # Set Key Permissions
      # ------------------------------------------------------------------------
      #:: # Remove Inheritance ::
      - Cmd /c Icacls $CI_PROJECT_DIR\.ssh\gitlab_deploy_key /c /t /Inheritance:d
      #:: # Set Ownership to Owner ::
      - Cmd /c Icacls $CI_PROJECT_DIR\.ssh\gitlab_deploy_key /c /t /Grant %UserName%:F
      #:: # Remove All Users, except for Owner ::
      - Cmd /c Icacls $CI_PROJECT_DIR\.ssh\gitlab_deploy_key  /c /t /Remove Administrator BUILTIN\Administrators BUILTIN Everyone System Users
      #:: # Verify ::
      - Cmd /c Icacls $CI_PROJECT_DIR\.ssh\gitlab_deploy_key
      - ls -l $CI_PROJECT_DIR\.ssh
      # ------------------------------------------------------------------------
      # Configure the SSH-Agent
      # ------------------------------------------------------------------------
      - Set-Service ssh-agent -StartupType Manual
      - Start-Service ssh-agent
      # ------------------------------------------------------------------------
      # Add SSH Key
      # ------------------------------------------------------------------------
      - ssh-add $CI_PROJECT_DIR\.ssh\gitlab_deploy_key

Has anyone been able to successfully use Deploy Keys with the Windows Shared Runners?

Facing same issue here. Anybody has tips on how to properly add ssh key in a Windows shared runner?