Add (encrypted) SSH Key to Travis-CI for (Continuous) Deployment

[nelsonic]

In order to deploy "review apps" from Travis-CI we need to:

• add an encrypted SSH key to the repository
• add a line to the .travis.yml file to decrypt the key before attempting to deploy
  thankfully, I've done this before (and documented it): https://github.com/healthlocker/healthlocker/blob/a57d2741ae703b45ac8eb8465305a6e327baa152/continuous-deployment.md#encrypted-ssh-key-for-deployment
  so it should be reasonably "easy" (there are a couple more steps this time...)
• ensure that the travis user has the necessary permissions to perform the deploy.
• do a "dry run" using: https://github.com/nelsonic/hello-world-node-http-server/blob/b4b49a11cb7839af5b7449cdb425553e1b61e9f2/.bin/deploy.sh#L1-L26

[nelsonic]

Last night I spent around 4h trying to debug using an SSH Key (with a passphrase) on Travis-CI ...
https://travis-ci.org/nelsonic/hello-world-node-http-server/builds/384010921#L521

Essentially: having a passphrase on the SSH key leads to the SSH call to "hang"
because the session stays "logged-in" via SSH ...
There is no way to "exit" the session (that I can find through extensive googling)

• https://stackoverflow.com/questions/27444891/how-to-add-ssh-key-in-travis-ci
• https://stackoverflow.com/questions/19302572/how-to-put-sshpass-command-inside-a-bash-script
• https://serverfault.com/questions/146201/ssh-hangs-when-executing-command-remotely
• https://serverfault.com/questions/827362/how-to-exit-a-ssh-connection-in-a-bash-script
• etc ...

My conclusion is that I need to open a StackOverflow Question for this and move on!
(and if I get an answer to my SO Q, I can return to SSH Keys with passwords ...)

Ah... It's right there!!

This is wasting my time! 😞

[nelsonic]

Posted this question: https://stackoverflow.com/questions/50542947/how-to-run-ssh-commands-from-bash-when-rsa-key-has-a-password

Now I'm going to try this using an RSA Key without a password.
I would delighted if someone on SO can help me with my Quest,
but to avoid wasting anymore time on this "dead end",
I'm just going to crack on.

[nelsonic]

On advice from "chepner" on SO I'm trying out ssh-agent 🤞
see: https://www.ssh.com/ssh/add

[nelsonic]

obviously that errors:
https://travis-ci.org/nelsonic/hello-world-node-http-server/builds/384156902#L453

So now, after a bit more googling, I'm trying the -pass "pass:$SSH_ASKPASS" flag
in RSA key decryption stage ... 🤞

⌛️

obviously that errors too:
https://travis-ci.org/nelsonic/hello-world-node-http-server/builds/384160512#L451

A least the error message "bad magic number" is amusing (though unhelpful...)

I feel like I've looked at all the StackOverflow / SuperUser / ServerFault / Unix questions/answers on this ... 😞

• https://serverfault.com/questions/535028/adding-password-to-ssh-config/535031
• https://unix.stackexchange.com/questions/365087/running-travis-script-decypting-ssh-key-being-asked-for-passphrase-and-passwor
• https://unix.stackexchange.com/questions/12195/how-to-avoid-being-asked-passphrase-each-time-i-push-to-bitbucket
• https://askubuntu.com/questions/362280/enter-ssh-passphrase-once
• https://stackoverflow.com/questions/21375125/unable-to-run-sshpass-command-in-centos
• https://unix.stackexchange.com/questions/254063/how-can-i-avoid-always-having-to-use-eval-ssh-agent-s
• https://superuser.com/questions/988185/how-to-avoid-being-asked-enter-passphrase-for-key-when-im-doing-ssh-operatio
• https://stackoverflow.com/questions/42631711/git-keeps-prompting-me-for-passphrase-for-my-ssh-key-ubuntu-vm

Now getting:

$ ssh-add ./deploy_key
Enter passphrase for ./deploy_key: 

https://travis-ci.org/nelsonic/hello-world-node-http-server/builds/384165098#L458

• https://stackoverflow.com/questions/13033799/how-to-make-ssh-add-read-passphrase-from-a-file
• https://stackoverflow.com/questions/4780893/use-expect-in-bash-script-to-provide-password-to-ssh-command

Trying o use expect command to enter the password for me:

- expect << EOF
    expect "Enter passphrase"
    send "$SSH_ASKPASS\r"
    expect eof
  EOF

via: https://stackoverflow.com/a/13034313/1148249
Got: https://travis-ci.org/nelsonic/hello-world-node-http-server/builds/384167872#L458

"dry run" of installing expect worked:
https://travis-ci.org/nelsonic/hello-world-node-http-server/builds/384168360#L462

via: https://askubuntu.com/questions/920879/why-so-many-dependencies-for-package-expect

[nelsonic]

Ok, I've "wrestled" with this "long enough".
expect was a "dead end".
https://travis-ci.org/nelsonic/hello-world-node-http-server/builds/384178154#L479

I really wish I had someone to pair on this with ... 😞

[nelsonic]

On the advice of @pynexj I'm trying: https://github.com/clarkwang/passh

Just reading the source https://github.com/clarkwang/passh/blob/master/passh.c now ...

[nelsonic]

The script compiles: (but then Travis can't find the executable...)
https://travis-ci.org/nelsonic/hello-world-node-http-server/builds/384181218

So now I'm trying to use ./passh ...
https://travis-ci.org/nelsonic/hello-world-node-http-server/builds/384182301#L472

Enter passphrase for key './deploy_key': 

looks like I'm "back to square one" ... 😢

[nelsonic]

OK ... I've opened an issue on the passh repo: clarkwang/passh#2
Feeling like this is the "end of the line" for this Quest ... (at least for today...)

Who else is spending their ("Bank Holiday Weekend") Saturday debugging SSH deployment ...?!
What is wrong with me...?!
Surely there are "better" things to be doing ... like "Socialising" or "Sofa + Netflix"...? 🙄

[nelsonic]

Using an RSA Key without a password is easy:
https://travis-ci.org/nelsonic/hello-world-node-http-server/builds/384217141#L501

Let's crack on with this! 👍

[nelsonic]

This is totes working and PR is ready for review. 👍