Open
Description
If the ssh key used for signing was passphrased, the signing script has an option to pass that via an environment variable. This is not secure and there is a better way which carries less risk of exposing the passphrase. General proof of concept:
```python
import pexpect
import sys

passphrase = "Rudolf"
key_path = "id_rsa"
# -p changes the passphrase; -N '' sets the new one to empty, i.e. the key
# file on disk is rewritten without a passphrase. The old passphrase is
# supplied interactively below instead of through the environment.
cmd = f"ssh-keygen -p -f {key_path} -N ''"
# ssh-keygen reads the passphrase from the controlling tty, not stdin,
# so it must be driven through a pseudo-terminal (pexpect), not a pipe.
child = pexpect.spawn('/bin/bash', ['-c', cmd])
try:
    index = child.expect([
        "Enter old passphrase:",
        "Your identification has been saved",
        pexpect.EOF,
        pexpect.TIMEOUT
    ], timeout=5)
    if index == 0:
        # Prompt seen: answer it on the pty (no echo, never in argv or env).
        child.sendline(passphrase)
        child.expect("Your identification has been saved", timeout=5)
    child.expect(pexpect.EOF)
    print("Key conversion succeeded.")
except pexpect.exceptions.ExceptionPexpect as e:
    print("Error during key conversion:", e)
finally:
    # close() reaps the child; a timed-out child is killed and reports
    # a non-zero (or None) exit status, which the check below catches.
    child.close()
    if child.exitstatus != 0:
        print("ssh-keygen exited with error.")
```
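The same idea done with the standard library only, added here as an illustration and not taken from the issue's proof of concept or from the project's signing script: the child is driven through a pseudo-terminal (`pty` plus `select`) rather than pexpect, its environment is built without any passphrase variable, and the passphrase itself comes from a file that must be owned by the caller and mode 0600. Everything page-specific is assumed: `SIGNING_PASSPHRASE` is a placeholder for whatever variable the signing script reads, and the prompting program is a constructed stand-in for ssh-keygen (a small `getpass` script, which like ssh-keygen reads from `/dev/tty` with echo off), so the example runs where ssh-keygen is not installed. To point it at the real tool, pass the ssh-keygen argv and the prompt text it prints, for example the `Enter old passphrase:` string from the proof of concept above.

```python
import os
import pty
import select
import signal
import stat
import sys
import tempfile
import time

# Placeholder: the real name of the variable the signing script reads is not
# on the page. The child environment is built without it, because anything in
# a process's environment is readable by other processes of the same user via
# /proc and ends up in core dumps and crash reports.
PASSPHRASE_ENV_PLACEHOLDER = "SIGNING_PASSPHRASE"

# Constructed stand-in for ssh-keygen: prompts on /dev/tty with echo off and
# exits 0 only for the expected passphrase. Not part of any real tool.
STUB_PROGRAM = (
    "import getpass, sys\n"
    "p = getpass.getpass('Enter passphrase for \"id_ed25519\": ')\n"
    "sys.exit(0 if p == 'correct horse battery staple' else 1)\n"
)


def child_environment():
    """Parent's environment with the passphrase variable removed."""
    return {k: v for k, v in os.environ.items() if k != PASSPHRASE_ENV_PLACEHOLDER}


def passphrase_from_file(path):
    """Read a passphrase from a file that must be owned by us and not
    readable by group or others (mode 0600 or stricter)."""
    st = os.stat(path)
    if st.st_uid != os.getuid():
        raise PermissionError(f"{path} is not owned by the current user")
    if stat.S_IMODE(st.st_mode) & 0o077:
        raise PermissionError(f"{path} is group/world readable; chmod 600 it")
    with open(path, "rb") as f:
        return f.read().rstrip(b"\r\n").decode()


def make_temp_passphrase_file(passphrase, mode):
    """Create a temporary passphrase file with the given mode (for the demo)."""
    fd, path = tempfile.mkstemp(prefix="pp-")
    os.write(fd, passphrase.encode() + b"\n")
    os.close(fd)
    os.chmod(path, mode)
    return path


def drive_passphrase_prompt(argv, prompt, passphrase, timeout=10.0):
    """Run argv under a pseudo-terminal, answer `prompt` once with `passphrase`,
    and return (exit_code, output). The passphrase is written to the pty after
    the prompt appears, so it never shows up in argv or the environment."""
    pid, fd = pty.fork()
    if pid == 0:  # child: becomes the prompting program, env filtered
        os.execvpe(argv[0], argv, child_environment())

    prompt_bytes = prompt.encode()
    output = b""
    answered = False
    deadline = time.monotonic() + timeout
    try:
        while True:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                os.kill(pid, signal.SIGKILL)
                raise TimeoutError(f"no EOF from {argv[0]} within {timeout}s")
            ready, _, _ = select.select([fd], [], [], remaining)
            if not ready:
                continue
            try:
                chunk = os.read(fd, 4096)
            except OSError:  # Linux raises EIO once the child closes the slave
                break
            if not chunk:  # BSDs/macOS report a plain EOF instead
                break
            output += chunk
            if not answered and prompt_bytes in output:
                os.write(fd, passphrase.encode() + b"\n")
                answered = True
    finally:
        os.close(fd)
        _, status = os.waitpid(pid, 0)
    if not answered:
        raise RuntimeError(f"prompt {prompt!r} never appeared: {output!r}")
    code = os.WEXITSTATUS(status) if os.WIFEXITED(status) else -os.WTERMSIG(status)
    return code, output.decode(errors="replace")


def demo(passphrase):
    """Drive the stub with `passphrase`; returns (exit_code, captured output)."""
    argv = [sys.executable, "-c", STUB_PROGRAM]
    return drive_passphrase_prompt(argv, "Enter passphrase for", passphrase)


if __name__ == "__main__":
    path = make_temp_passphrase_file("correct horse battery staple", 0o600)
    print(demo(passphrase_from_file(path)))
```

Because the stand-in disables echo before printing its prompt (as `readpassphrase()` in ssh-keygen does), the captured output contains the prompt but not the passphrase; the `prompt never appeared` error is the case the proof of concept leaves silent when `expect` returns EOF or TIMEOUT.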