Use FIPS compliant SSH keys

Replace `CI_PRIV_SSH_KEY` with `CI_PRIV_SSH_KEY_2` to use a FIPS compliant SSH key. Generate FIPS compliant SSH keys when `CI_PRIV_SSH_KEY_2` env var is not defined. Signed-off-by: Miguel Martín <[email protected]>
osbuild · Nov 21, 2023 · 65c03a0 · 65c03a0
1 parent 19ae19b
commit 65c03a0
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/test/scripts/boot-image b/test/scripts/boot-image
@@ -31,7 +31,7 @@ def get_aws_config():
 def create_ssh_key():
     with TemporaryDirectory() as tmpdir:
         keypath = os.path.join(tmpdir, "testkey")
-        if ci_priv_key := os.environ.get("CI_PRIV_SSH_KEY"):
+        if ci_priv_key := os.environ.get("CI_PRIV_SSH_KEY_2"):
             # running in CI: use key from env
             with open(keypath, "w") as keyfile:
                 keyfile.write(ci_priv_key + "\n")
@@ -45,7 +45,7 @@ def create_ssh_key():
                 pubkeyfile.write(pubkey)
         else:
             # create an ssh key pair with empty password
-            cmd = ["ssh-keygen", "-N", "", "-f", keypath]
+            cmd = ["ssh-keygen", "-t", "ecdsa", "-b", "256", "-m", "pem", "-N", "", "-f", keypath]
             runcmd(cmd)
 
         yield keypath, keypath + ".pub"