A JSON web token could not be decoded error when running action #153
Comments
The error is not very helpful, but it usually means that the private key is somehow not formatted correctly or invalid. |
What is the correct format? I tried both with and without the |
I just tried it again with those lines removed and then the output becomes:
|
Can you please try to convert PKCS#1 (the current format that GitHub exports) to PKCS#8 and see if that helps? The PKCS8 key starts with |
I needed a quick fix so I switched to another action to generate a token. I haven't tried converting the private key yet but I'll give it a try this week. You are of course welcome to try it yourself. |
This does not work for me :-( |
The conversion didn't work for me either. Upon initial conversion, it was unhappy with line break characters, trying to strip them results in an invalid keyData error. |
Clarifying my last response now. Using the OpenSSL method of converting the key, it is now being accepted by this action. However, this feels like a bit of a poor user experience to issue the key(s) one way but have your own vendor provided action expect them in a different format. |
We have tried to reproduce this error and have not been able to so far. Can somebody experiencing this please invalidate the private key that is not working for you and then provide it to us for closer inspection? |
Found this issue because we're having the same problem. Here is an invalidated key that isn't working when set as a GitHub Actions secret and fed to this action, including the trailing newline.
Converting it to PKCS#8 with OpenSSL did not work.
|
In our case this error happened because there were repo-level GitHub Actions values that were overriding the org-level values, so rotating a private key at the org-level had no effect. The key exported directly from GitHub works with this action now. |
I think we've figured out what's going on here! We were able to reproduce this error by providing a valid app ID and a private key that do not match. Please double-check that you are using the correct app ID and a valid private key that belongs to that app. We'd like to make the error more helpful for those that encounter this error in the future. Pull requests welcome! See octokit/auth-app.js#375 for more information. |
I came here to say I ran into this myself, where I had accidentally set the "installation ID" as the "app ID", and amending that fixed it. 🙈 |
In my case I was calling the "GET /app/installations/${installation_id}" endpoint, and converting from PKCS#1 to PKCS#8 was the solution. That said... I've been successfully calling other endpoints with the PKCS#1 certificate without problem, and I find the inconsistency of this behaviour to be absolutely staggering. If GitHub wants to move to PKCS#8 as the default then might I suggest that they actually RETURN A CERTIFICATE IN THAT FORMAT when we generate one? Conversion is not always readily accessible. For example, there are "serverless" cloud hosting providers that use a JavaScript engine without access to the full Node.js crypt functionality, meaning that conversion requires a third party library that - as far as I can tell - simply doesn't exist, and of course openssl simply isn't available in that environment. If you should want to install multiple apps via manifests and don't have just the one (for which manual key conversion is less painful) then this starts to become a MAJOR issue. @gr2m listed three conversion options, none of which are suitable
GitHub needs to do better. Much Much better. |
I got this as well because I'd copied the wrong private key 🤦♂️ not sure if I'd been able to debug it without seeing this issue |
In case someone else stumbles in here due to the "Not found" error. In my case the GitHub Apps permission was not set to allow usage in all repositories, but you had to explicitly add which repositories it worked in. |
anyone able to get rid of this? |
I encountered a similar issue and resolved it by running this command: This reformatted the private key correctly. I hope this helps! |
I solved my issue by:
openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt \
-in paleriquebot.2025-01-21.private-key.pem \
-out paleriquebot.2025-01-21.private-key-pkcs8.pem
This resulted in a key using the specified format:
Then I copied everything, including the This step above is important (to copy the entire key), if you copy just what is in between it will fail! This solved my issue. |
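A preflight check for the key problems reported in this thread (PKCS#1 versus PKCS#8, missing BEGIN/END lines, mangled line breaks, the wrong key file), as an added example that is not part of the issue or of the action's code. It assumes a Node.js runtime with the built-in `crypto` module; the function names are hypothetical and the sample key is generated on the spot.

```javascript
// Added example: inspect and convert a GitHub App private key before using it as a secret.
// Function names are hypothetical; nothing here comes from the action's own code.
const crypto = require('node:crypto');

// Classify the secret's text by its PEM armor lines and flag common paste mistakes.
function diagnoseKey(text) {
  const problems = [];
  if (text.includes('\\n')) problems.push('literal "\\n" sequences instead of real line breaks');
  const m = text.match(/-----BEGIN ([A-Z ]+)-----/);
  if (!m) return { format: 'unknown', problems: [...problems, 'missing BEGIN line'] };
  if (!text.includes(`-----END ${m[1]}-----`)) problems.push('missing END line');
  const format = m[1] === 'RSA PRIVATE KEY' ? 'PKCS#1'
    : m[1] === 'PRIVATE KEY' ? 'PKCS#8'
    : `other (${m[1]})`;
  return { format, problems };
}

// Re-encode as unencrypted PKCS#8 PEM, the same result as
// `openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt`.
function toPkcs8(pem) {
  return crypto.createPrivateKey(pem).export({ type: 'pkcs8', format: 'pem' });
}

// SHA-256 over the DER-encoded public key, base64. Two files that hold the same
// key pair give the same value whichever private-key encoding they use.
function fingerprint(pem) {
  const der = crypto.createPublicKey(pem).export({ type: 'spki', format: 'der' });
  return crypto.createHash('sha256').update(der).digest('base64');
}

// Constructed sample input: a throwaway RSA key in PKCS#1 PEM.
function sampleKey() {
  return crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs1', format: 'pem' },
  }).privateKey;
}

const original = sampleKey();
const converted = toPkcs8(original);
console.log(diagnoseKey(original).format, '->', diagnoseKey(converted).format);
console.log('same key pair:', fingerprint(original) === fingerprint(converted));
// Pasting only the base64 body, without the armor lines, is reported as a problem.
const bodyOnly = original.split('\n').filter((l) => l && !l.startsWith('-----')).join('\n');
console.log(diagnoseKey(bodyOnly));
```

A key that passes these checks can still be rejected when it belongs to a different app than the configured app ID, which this check cannot see offline.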
Hi, I get this error when running the action:
In my workflow file I have
(full workflow file)
The corresponding app id and private key are set as secrets in my repository. The private key is copy-pasted directly from the .pem file that downloads when creating a private key. The app is installed
Did I do something wrong or is this a bug? Thanks.