How to rotate GitHub Checkout Keys via the API


You can delete and rotate your Deploy and User keys fairly easily using the CircleCI and GitHub APIs. Because each step is an API call, the rotation can be scripted and run automatically.

 

How to view the keys from the API

The User Key and Deploy Key can be viewed via the API using the Get All Checkout Keys endpoint. The v2 endpoint can currently return an MD5 signature (the fingerprint field). An example response is as follows:

{
  "next_page_token" : null,
  "items" : [ {
    "type" : "deploy-key",
    "preferred" : true,
    "created_at" : "...",
    "public_key" : "ssh-ed25519 ...",
    "fingerprint" : "c5:35:95:6d:a7:28:7d:47:67:6a:a0:30:a1:29:74:72"
  }, {
    "type" : "github-user-key",
    "preferred" : false,
    "created_at" : "...",
    "public_key" : "ssh-ed25519 ...",
    "fingerprint" : "50:49:fb:ba:1f:43:eb:8d:a6:91:5c:08:3e:aa:e5:59"
  } ]
}

 

How to delete the Checkout Keys 

To delete these keys, use the Delete Checkout Key endpoint, which can delete both the User and Deploy keys from CircleCI. Use the fingerprint found in the response above to delete the key in CircleCI. You can confirm the key has been deleted by checking for the example response below:

{
  "message" : "Checkout key deleted."
}

 

Creating a new Checkout Key on CircleCI

Once the checkout key has been deleted, you can use the Create Checkout Key endpoint to create a new Deploy Key in your project. You can confirm the deploy key has been created by checking for the example response below:

{
  "type" : "deploy-key",
  "preferred" : true,
  "created_at" : "...",
  "public_key" : "ssh-ed25519 ...",
  "fingerprint" : "..."
}

 

Delete the Deploy Key from your GitHub

To delete the key from GitHub, you can use the v1.1 API endpoint List Checkout Keys, which will return a SHA256 signature. This can then be matched to the GitHub Deploy Key found via the GitHub List Deploy Keys endpoint.

With the KEY_ID found and the SHA256 signatures matching, you can then delete the key via the Delete a Deploy Key API endpoint.
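The matching step above, as an added example (not CircleCI's or GitHub's own code): it derives both fingerprint forms from each GitHub deploy key's public key text and returns the KEY_ID whose fingerprint equals the one CircleCI reported. It assumes the GitHub list entries carry `id` and `key` fields and that the v1.1 SHA256 value uses the OpenSSH `SHA256:<base64>` form; the function names and the sample keys are constructed for illustration.

```python
import base64
import hashlib
import struct

def key_blob(public_key_line):
    """Decode the binary blob from an OpenSSH 'type base64 [comment]' line."""
    parts = public_key_line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(parts[1], validate=True)
    # The blob begins with a length-prefixed copy of the key type; a mismatch
    # means the line is corrupt or is not a public key at all.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != parts[0].encode():
        raise ValueError("key type does not match blob")
    return blob

def md5_fingerprint(public_key_line):
    """Colon-separated MD5 hex, the form shown in the v2 response above."""
    digest = hashlib.md5(key_blob(public_key_line)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def sha256_fingerprint(public_key_line):
    """OpenSSH-style 'SHA256:' + unpadded base64 (assumed v1.1 format)."""
    digest = hashlib.sha256(key_blob(public_key_line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def find_github_key_id(circleci_fingerprint, github_keys):
    """Return the id of the GitHub deploy key matching the fingerprint, else None."""
    wanted = circleci_fingerprint.strip()
    if not wanted.startswith("SHA256:"):
        wanted = wanted.lower()  # MD5 hex is case-insensitive
    for entry in github_keys:
        line = entry["key"]
        if wanted in (md5_fingerprint(line), sha256_fingerprint(line)):
            return entry["id"]
    return None

def sample_key(seed):
    """Constructed ed25519-shaped public key line; not a real key."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes([seed]) * 32
    return "ssh-ed25519 " + base64.b64encode(blob).decode()

if __name__ == "__main__":
    github_keys = [{"id": 101, "key": sample_key(1)}, {"id": 202, "key": sample_key(2)}]
    print(find_github_key_id(md5_fingerprint(sample_key(2)), github_keys))
```

A result of None means no deploy key on the repository matches the fingerprint, so no key should be deleted on that lookup.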

 

 
