JIRA Forge: Storing private keys securely

Hi team,

I want to allow JIRA Forge to safely store an RSA-2048 private key generated by us so that Forge can sign it as a JWT type and generate an assertion at runtime. But it seems that the forge variables are not allowing me to store something like this at the moment.

forge variables set --encrypt PRIVATE_KEY_USER_VAR "-----BEGIN RSA PRIVATE KEY...
Error: unknown option '-----BEGIN RSA PRIVATE KEY...
WrapperError: unknown option '-----BEGIN RSA PRIVATE KEY...
    at /usr/local/lib/node_modules/@forge/cli/out/command-line/command.js:124:19
    at Command._exitCallback (/usr/local/lib/node_modules/@forge/cli/out/command-line/command.js:42:44)
    at Command._exit (/usr/local/lib/node_modules/@forge/cli/node_modules/commander/index.js:888:12)
    at Command._displayError (/usr/local/lib/node_modules/@forge/cli/node_modules/commander/index.js:1729:10)
    at Command.unknownOption (/usr/local/lib/node_modules/@forge/cli/node_modules/commander/index.js:1778:10)
    at checkForUnknownOptions (/usr/local/lib/node_modules/@forge/cli/node_modules/commander/index.js:1482:16)
    at Command._parseCommand (/usr/local/lib/node_modules/@forge/cli/node_modules/commander/index.js:1488:9)
    at Command._dispatchSubcommand (/usr/local/lib/node_modules/@forge/cli/node_modules/commander/index.js:1443:18)
    at Command._parseCommand (/usr/local/lib/node_modules/@forge/cli/node_modules/commander/index.js:1460:12)
    at Command._dispatchSubcommand (/usr/local/lib/node_modules/@forge/cli/node_modules/commander/index.js:1443:18)
    at Command._parseCommand (/usr/local/lib/node_modules/@forge/cli/node_modules/commander/index.js:1460:12)
    at Command.parse (/usr/local/lib/node_modules/@forge/cli/node_modules/commander/index.js:1292:10)
    at Command.parse (/usr/local/lib/node_modules/@forge/cli/out/command-line/command.js:182:22)
    at Object.exports.main (/usr/local/lib/node_modules/@forge/cli/out/command-line/index.js:64:20)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)

What recommendations would you have? Thank you in advance.

Hi @DJO ,

Can you try calling forge variables set instead? This will prompt you to input values via CLI (if the value should be encrypted, what the variable key is, and what is the intended value). This should help you address the leading hyphens causing the command to treat the variable value as an option.

Cheers,
Ian

2 Likes

That worked, thanks @ianRagudo !

1 Like

@ianRagudo I have one more question while we are at this.

When we deploy this app to production, do we have to manually perform forge variables...? In the case we want to rotate keys, will we need to re-deploy the app?

Hi @DJO ,

I confirmed with the Forge team and here are the answers to your query:

Yes, since you are promoting the app to a different environment (production), you have to do this step.

There’s no need to re-deploy the app.

Hope this helps.

Ian

2 Likes

@ianRagudo When I do forge variables set, there is no prompt that asks me which workspace to install these environment variables to. How do I ensure I target the right workspace, e.g. myworkspace.atlassian.net?

Hi, @DJO . If you’re asking how to select a specific site for an environment variable being set, then that is not possible. An environment variable is tied to the app and not to the site it is installed in, which means the value is consistent across all sites.

Cheers,
Ian

Environment variables are tied to the app, gotcha.

Thank you for clarifying!
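
The runtime half of what this thread sets up, as an added example that is not part of the original posts and not Atlassian's code: load the PEM stored in the encrypted variable, fail closed if it is not a usable RSA key, and sign a short-lived RS256 JWT assertion with Node's built-in crypto module. Assumptions: the value is exposed to the app as process.env.PRIVATE_KEY_USER_VAR, it may have been stored on one line with literal "\n" sequences, and the claim values and 300-second lifetime are constructed for the demo.

```javascript
// Added example; not code from the thread or from Atlassian.
const crypto = require("node:crypto");

const b64url = (value) => Buffer.from(value).toString("base64url");

// A PEM pasted into a variable can arrive on one line with literal "\n";
// restore real newlines and fail closed on anything that is not an RSA private key.
function loadPrivateKey(raw) {
  if (!raw) throw new Error("private key variable is not set");
  const pem = raw.replace(/\\n/g, "\n").trim();
  const key = crypto.createPrivateKey(pem); // accepts PKCS#1 and PKCS#8 PEM
  if (key.asymmetricKeyType !== "rsa") throw new Error("expected an RSA key");
  return key;
}

// RS256 JWT in compact form; the 300-second lifetime is an assumed policy.
function signAssertion(key, claims, now = Math.floor(Date.now() / 1000)) {
  const header = b64url(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  const body = b64url(JSON.stringify({ ...claims, iat: now, exp: now + 300, jti: crypto.randomUUID() }));
  const signature = crypto.sign("sha256", Buffer.from(`${header}.${body}`), key);
  return `${header}.${body}.${signature.toString("base64url")}`;
}

// What the receiving side does: check the signature before trusting any claim.
function verifyAssertion(token, publicKey) {
  const [header, body, signature] = token.split(".");
  const ok = crypto.verify("sha256", Buffer.from(`${header}.${body}`), publicKey,
    Buffer.from(signature, "base64url"));
  return ok ? JSON.parse(Buffer.from(body, "base64url").toString("utf8")) : null;
}

// Constructed demo: a throwaway key pair stands in for the stored secret.
// In the app the call would be loadPrivateKey(process.env.PRIVATE_KEY_USER_VAR).
function demo() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const oneLine = privateKey.export({ type: "pkcs1", format: "pem" }).trim().replace(/\n/g, "\\n");
  const token = signAssertion(loadPrivateKey(oneLine), { iss: "constructed-client-id", aud: "https://idp.example/token" });
  const [header, , signature] = token.split(".");
  const forged = `${header}.${b64url(JSON.stringify({ iss: "someone-else" }))}.${signature}`;
  return { token, claims: verifyAssertion(token, publicKey), forged: verifyAssertion(forged, publicKey) };
}

console.log(demo().claims);
```

Keep the key object and the signed token out of logs; only the verified claims are printed here.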