Encrypting Variables for Travis CI
So currently there’s a bug with the Travis gem on Windows so I figured I’d write my own encryption script in Python to avoid having to remote into a Linux machine to do the encryption.
EDIT: I’ve also produced a static website that performs the same task in your browser.
I found very few details on how Travis performs their encryption in their documentation so I thought I’d outline a few of the details I discovered along the way.
Travis mentions in a throwaway line that they use RSA to perform their encryption. The public key associated with each repository is publicly available through their API at https://api.travis-ci.org/repos/:org/:repo/key. For example:
GET /repos/BricksandMortar/IdealPostcodes/key HTTP/1.1
Host: api.travis-ci.org
content-type: application/json
Accept: application/json
This returns a JSON payload with a key and a fingerprint to verify it with.
{
"key": "-----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEApqBhYh+dvJ30yHh36q5e\nDdE5m6t8oOgY7C4uLCsfeoTMDC0Cz+wq3+xKELRap0BRFVwvpwTvrJdhRA+HUz/5\ncxcv1mHPdG3p2WXyAMngUxd6p1fwx585jxkTmtOuI5oef87aGUcEboaH329luYvV\neoXo57JQdb0Zkg2vBPxEg6Q6wqv+3fvtBTu63IXMHyQ1+NrCi59IuQ3zlVM+ZMj3\nb1/tw3ABD5Q/cDS5gUJrwWfMiRbi66UoLNHnev3XRAAD1R2YgYXVQjghsh757NDU\nI0rlawOq4+khCyshT4JZeM6r5jIGdDdGJxrHuashf2KI21kxJChHCp6b9Dk09aGG\nPPgH2XRIsJo040O8oN2lkUWZBTo1j0QCEtYHmq9MLcQ1aqgGiG0ynDQ7EOYbM8zD\nAlnTIJUIePpZEehvySzRzznm0JdqUvwxgAgEMeSFtxU8DTlg7/i/kCxCBe6xnX/o\nFO+qxr87wKtUCA+2YHp+e+FSKqchCbEm/TFHqGzo/nHnBEXqi96dWbhtGIgm/ZBg\nYoWHzu3ysJSApRB+Sa0C7bSdvUlKbwugJbly5JANIe5L3XmdR9t2GNVyyYejrd9j\nzpbwD7jQwKwFY7JmLV3GHjZoGC27l58SovI5YG3vIoWAFsccGPDxf3pBonYo+e/d\nriLgUP9115woqkOvdLpgxv8CAwEAAQ==\n-----END PUBLIC KEY-----\n",
"fingerprint": "82:b3:02:5f:80:f2:70:4f:6e:7a:83:bf:66:fa:5e:73"
}
They (thank God) don’t use textbook (unpadded) RSA for encrypting variables; instead they use PKCS#1 v1.5 (or v1 if you’re lazy). PKCS#1 v1.5 is a padding scheme, but by no means the only one, or even the most secure. This Crypto Stack Exchange post does a good job of explaining why padding is important in RSA, the simplest reason being that the algorithm without padding is deterministic: the same plaintext always produces the same ciphertext.
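The determinism point above, as an added example that is not part of the original post or the author's script: it builds PKCS#1 v1.5 encryption padding by hand and compares it with unpadded RSA. The key is a constructed toy key made from two Mersenne primes (not a Travis key), and the function names and sample variable are assumptions of this example.

```python
import secrets

# Constructed toy key (NOT a Travis key): two Mersenne primes, so the example
# is stdlib-only and can decrypt its own output. Never use such a key for real.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, only used to check results
K = (N.bit_length() + 7) // 8      # modulus length in bytes


def textbook_encrypt(msg: bytes) -> bytes:
    """Unpadded RSA: the same plaintext always gives the same ciphertext."""
    m = int.from_bytes(msg, "big")
    if m >= N:
        raise ValueError("message too long")
    return pow(m, E, N).to_bytes(K, "big")


def pkcs1_v15_pad(msg: bytes) -> bytes:
    """Encryption padding: 0x00 0x02 <random nonzero bytes> 0x00 <msg>."""
    if len(msg) > K - 11:
        raise ValueError("message too long for this modulus")
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(K - 3 - len(msg)))
    return b"\x00\x02" + ps + b"\x00" + msg


def pkcs1_v15_encrypt(msg: bytes) -> bytes:
    """Pad with fresh randomness, then apply the RSA public operation."""
    em = pkcs1_v15_pad(msg)
    return pow(int.from_bytes(em, "big"), E, N).to_bytes(K, "big")


def pkcs1_v15_decrypt(ct: bytes) -> bytes:
    """Apply the private operation, then strip and check the padding."""
    em = pow(int.from_bytes(ct, "big"), D, N).to_bytes(K, "big")
    sep = em.index(b"\x00", 2)     # first zero byte after the 0x00 0x02 header
    if em[:2] != b"\x00\x02" or sep < 10:  # padding string must be >= 8 bytes
        raise ValueError("bad padding")
    return em[sep + 1:]


if __name__ == "__main__":
    secret = b"API_TOKEN=hunter2"  # constructed sample variable
    print(textbook_encrypt(secret) == textbook_encrypt(secret))    # True
    print(pkcs1_v15_encrypt(secret) == pkcs1_v15_encrypt(secret))  # False
```

For real Travis variables, encrypt with the repository's own key using a maintained RSA library rather than hand-built padding.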