CL upload fails with "The push has been rejected because we detect that it contains a private key"

[Danail Kirov]

I am trying to upload a minor change to a fix I successfully uploaded and created 6 months ago, but today "git cl upload" is failing with "The push has been rejected because we detect that it contains a private key". 

The files I've modified have no security keys in them and the rejection is because of security keys present in completely unrelated code in 

src/rtc_base/sslidentity_unitest.cc 

src/rtc_base/sslstreamadapter_unitest.cc 

as indicated by remote response

remote:     git show e1dbe05858db5dbc3425c1effac232cc71083b1f

remote:     git show ce962746009feb41bda6a178dec0a5d1a4877a22

The remote also hints to "To push these files, please run `git push -o nokeycheck`", but I am using git-cl tool for uploads and there is no "nokeycheck" option for "git cl upload".

I would assume the check for security keys was introduced sometime after 4/6/2018 and that would affect anybody contributing code and any new fix for webrtc with "git cl upload". How do you guys do it then?

If I have to use "git push -o nokeycheck", what is the complete command I should use, because just "git push -o nokeycheck" does not work on the CL branch I've created?

Here is the complete console output:

C:\w\webrtc\master\src>git cl upload

Running presubmit upload checks ...

Done processing C:\w\webrtc\master\src\video\video_quality_test.cc

Presubmit checks took 4.2s to calculate.

Presubmit checks passed.

 AUTHORS                     |  1 +

 test/run_loop.cc            |  2 +-

 test/run_loop.h             |  4 +++-

 test/win/run_loop_win.cc    | 17 ++++++++++-------

 video/video_quality_test.cc |  2 +-

 5 files changed, 16 insertions(+), 10 deletions(-)

Title for patchset [Added myself to AUTHORS as per review]:

remote: The push has been rejected because we detect that it contains a private

remote: key. Please check the following commands and confirm that it's

remote: intentional:

remote:

remote:     git show e1dbe05858db5dbc3425c1effac232cc71083b1f

remote:     git show ce962746009feb41bda6a178dec0a5d1a4877a22

remote:

remote: You can use `git rev-list --objects --all` to find the files.

remote:

remote: To push these files, please run `git push -o nokeycheck`.

remote:

To https://webrtc.googlesource.com/src.git

 ! [remote rejected]     a973f6ca77b3e21209d8bc9f18bd5a58e4300170 -> refs/for/refs/heads/master%notify=NONE,m=Added_myself_to_AUTHORS_as_per_review (found a private key)

error: failed to push some refs to 'https://webrtc.googlesource.com/src.git'

Error after CL description prompt -- saving description to C:\Users\Danail Kirov/.git_cl_description_backup

Failed to create a change. Please examine output above for the reason of the failure.

Hint: run command below to diagnose common Git/Gerrit credential problems:

  git cl creds-check

C:\w\webrtc\master\src>git cl creds-check

git is already configured to use your .gitcookies from C:\Users\Danail Kirov\.gitcookies

Your .netrc and .gitcookies have credentials for these hosts:

                          Host                           User    Which file

==============================  =============================   ===========

webrtc-review.googlesource.com  git-dkirovbroadsoft.gmail.com   .gitcookies

       webrtc.googlesource.com  git-dkirovbroadsoft.gmail.com   .gitcookies

No problems detected in your .gitcookies file.

//

// The following command shows one of the security keys is 

// src/rtc_base/sslidentity_unitest.cc 

//

C:\w\webrtc\master\src>git show e1dbe05858db5dbc3425c1effac232cc71083b1f

/*

 *  Copyright 2011 The WebRTC Project Authors. All rights reserved.

 *

 *  Use of this source code is governed by a BSD-style license

 *  that can be found in the LICENSE file in the root of the source

 *  tree. An additional intellectual property rights grant can be found

 *  in the file PATENTS.  All contributing project authors may

 *  be found in the AUTHORS file in the root of the source tree.

 */

#include <memory>

#include <string>

#include "rtc_base/fakesslidentity.h"

#include "rtc_base/gunit.h"

#include "rtc_base/helpers.h"

#include "rtc_base/ssladapter.h"

#include "rtc_base/sslfingerprint.h"

#include "rtc_base/sslidentity.h"

#include "rtc_base/stringutils.h"

using rtc::SSLIdentity;

const char kTestCertificate[] = "-----BEGIN CERTIFICATE-----\n"

    "MIIB6TCCAVICAQYwDQYJKoZIhvcNAQEEBQAwWzELMAkGA1UEBhMCQVUxEzARBgNV\n"

    "BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRswGQYD\n"

    "VQQDExJUZXN0IENBICgxMDI0IGJpdCkwHhcNMDAxMDE2MjIzMTAzWhcNMDMwMTE0\n"

[Patrik Höglund]

Hi!

Yes, that error is annoying but well-meaning. It sounds like a bug since your CL (this one right?) doesn't touch anything that looks like a key. Not sure what's going on here.

Anyway: to fix this, run git cl upload -vv (or is it -v -v?). You should see a "git push" command printed somewhere in the output. Take that command, add -o nokeycheck to it and run it. That should fix the problem.

/ P

--

---
You received this message because you are subscribed to the Google Groups "discuss-webrtc" group.
To unsubscribe from this group and stop receiving emails from it, send an email to discuss-webrt...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/discuss-webrtc/9880213d-8080-4b21-a0be-4a40b93f4b75%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Danail Kirov]

Hi Patrik,

The fix worked perfectly and the upload succeeded. Very useful and helpful info!

Thanks,

[Benjamin Wright]

Hi Danail,


Look for depot_tools/git_cl.py

Look for push_stdout and add '-o', 'nokeycheck' to the args.

I have filed a bug here: https://bugs.chromium.org/p/webrtc/issues/detail?id=9918 to address this going forward.

Thanks,
Ben.

[Danail Kirov]

Thanks Ben!

Are you planning to add the parameter 'nokeycheck' to git-cl, or remove the private keys from the source code with https://bugs.chromium.org/p/webrtc/issues/detail?id=9918 ?

[Niels Moller]

On Thu, Oct 25, 2018 at 10:21 AM Patrik Höglund <phog...@webrtc.org> wrote:
> Yes, that error is annoying but well-meaning. It sounds like a bug since your CL (this one right?) doesn't touch anything that looks like a key. Not sure what's going on here.
>
> Anyway: to fix this, run git cl upload -vv (or is it -v -v?). You should see a "git push" command printed somewhere in the output. Take that command, add -o nokeycheck to it and run it. That should fix the problem.

I'm now having the same problem. Tried

git cl upload -v -v

but I don't see the push command anywhere in the output. Error message

To https://webrtc.googlesource.com/src.git
! [remote rejected] a0315163687c8f5ad28f9ce2ae816c3c2c6fc4e2
-> refs/for/refs/heads/master%wip,m=Initial_upload,cc=benw...@webrtc.org,cc=kwi...@webrtc.org,cc=mbon...@webrtc.org

(found a private key)
error: failed to push some refs to 'https://webrtc.googlesource.com/src.git'

saving CL description to
/usr/local/google/home/nisse/.git_cl_description_backup

mentions a remote reference, but no command line.

So I'm a bit confused; last time I had this problem, I could find the
push command to add the -o nokeycheck option to.

[Niels Moller]

On Tue, Oct 30, 2018 at 2:54 PM Niels Moller <ni...@webrtc.org> wrote:
>
> On Thu, Oct 25, 2018 at 10:21 AM Patrik Höglund <phog...@webrtc.org> wrote:
> > Yes, that error is annoying but well-meaning. It sounds like a bug since your CL (this one right?) doesn't touch anything that looks like a key. Not sure what's going on here.
> >
> > Anyway: to fix this, run git cl upload -vv (or is it -v -v?). You should see a "git push" command printed somewhere in the output. Take that command, add -o nokeycheck to it and run it. That should fix the problem.
>
> I'm now having the same problem. Tried
>
> git cl upload -v -v
>
> but I don't see the push command anywhere in the output. Error message
>
> To https://webrtc.googlesource.com/src.git
> ! [remote rejected] a0315163687c8f5ad28f9ce2ae816c3c2c6fc4e2
> -> refs/for/refs/heads/master%wip,m=Initial_upload,cc=benw...@webrtc.org,cc=kwi...@webrtc.org,cc=mbon...@webrtc.org

Assembling a push command from these pieces seemed to work, like

git push -o nokeycheck origin 'a031[...]:refs/for/refs/heads/master%wip[...]'

Resulting cl https://webrtc-review.googlesource.com/c/src/+/108622

[Danail Kirov]

"git cl upload -vv" will trace the git push command to use directly.

On Tuesday, October 30, 2018 at 7:51:21 AM UTC-7, Niels Moller wrote:

On Tue, Oct 30, 2018 at 2:54 PM Niels Moller <ni...@webrtc.org> wrote:
>
> On Thu, Oct 25, 2018 at 10:21 AM Patrik Höglund <phog...@webrtc.org> wrote:
> > Yes, that error is annoying but well-meaning. It sounds like a bug since your CL (this one right?) doesn't touch anything that looks like a key. Not sure what's going on here.
> >
> > Anyway: to fix this, run git cl upload -vv (or is it -v -v?). You should see a "git push" command printed somewhere in the output. Take that command, add -o nokeycheck to it and run it. That should fix the problem.
>
> I'm now having the same problem. Tried
>
>   git cl upload -v  -v
>
> but I don't see the push command anywhere in the output. Error message
>
>   To https://webrtc.googlesource.com/src.git
>     ! [remote rejected]       a0315163687c8f5ad28f9ce2ae816c3c2c6fc4e2

> -> refs/for/refs/heads/master%wip,m=Initial_upload,cc=benwrig...@webrtc.org,cc=kwi...@webrtc.org,cc=mbon...@webrtc.org