Worker key generated on MacOS doesn't work


#1

I generated a worker key on my MacBook, but it doesn't work. When I start the concourse worker, it returns this error:

invalid argument for flag `--tsa-worker-private-key' (expected *flag.PrivateKey): asn1: structure error: tags don't match (16 vs {class:1 tag:15 length:112 isCompound:true}) {optional:false explicit:false application:false private:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} pkcs8 @2

Then I noticed that the MacOS-generated key is slightly different from a Unix-generated one:

-----BEGIN OPENSSH PRIVATE KEY-----
-----END OPENSSH PRIVATE KEY-----

Is anybody seeing this issue as well? Is it possible to generate a key from MacOS?


#2

See https://github.com/concourse/docs/pull/124.


#3

Mojave 10.14.1 bumps OpenSSH to 7.8. Looking at http://www.openssh.com/txt/release-7.8

* ssh-keygen(1): write OpenSSH format private keys by default
   instead of using OpenSSL's PEM format. The OpenSSH format,
   supported in OpenSSH releases since 2014 and described in the
   PROTOCOL.key file in the source distribution, offers substantially
   better protection against offline password guessing and supports
   key comments in private keys. If necessary, it is possible to write
   old PEM-style keys by adding "-m PEM" to ssh-keygen's arguments
   when generating or updating a key.

So if you generate your keys with -m PEM it should work as expected.

See also https://github.com/cloudfoundry/bosh-cli/issues/498
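
A preflight check for the format mismatch discussed in this thread, as an added example that is not part of any post or of Concourse itself: it reads only the first line of a key file and reports whether it carries the OpenSSH header shown in post #1 or a PEM header as written with -m PEM. The function names and exit codes are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread or from Concourse).
# Classifies a private key by its armor header; the key body is never read.

key_format() {
    # $1: path to a private key file
    [ -r "$1" ] || { echo "unreadable"; return 0; }
    header=$(head -n 1 "$1" | tr -d '\r')   # tolerate CRLF line endings
    case "$header" in
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo "openssh" ;;  # default since OpenSSH 7.8
        "-----BEGIN RSA PRIVATE KEY-----")     echo "pem-rsa" ;;  # ssh-keygen -m PEM, RSA key
        "-----BEGIN EC PRIVATE KEY-----")      echo "pem-ec"  ;;  # ssh-keygen -m PEM, ECDSA key
        "-----BEGIN PRIVATE KEY-----")         echo "pkcs8"   ;;
        *)                                     echo "unknown" ;;
    esac
}

check_worker_key() {
    # Exit codes (this example's convention):
    #   0 = PEM as written by -m PEM, 1 = OpenSSH format, 2 = anything else
    fmt=$(key_format "$1")
    case "$fmt" in
        pem-rsa|pem-ec)
            echo "$1: $fmt"
            return 0 ;;
        openssh)
            echo "$1: OpenSSH private key format (the one rejected in post #1)" >&2
            echo "  rewrite in place: ssh-keygen -p -m PEM -f $1" >&2
            echo "  or regenerate:    ssh-keygen -t rsa -m PEM -f $1" >&2
            return 1 ;;
        *)
            echo "$1: $fmt (not covered by this thread, check manually)" >&2
            return 2 ;;
    esac
}

# Stand-alone use: sh check_key.sh path/to/worker_key
if [ "$#" -gt 0 ]; then
    check_worker_key "$1"
fi
```
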