In 2022, GitHub has discontinued DSA and RSA with old signatures.

Unfortunately, JGit uses JSch which is not getting any updates and will always offer old signatures with RSA even for "good" keys, and its implementation of ECDSA/ed25519 will fail on reconnect attempt.

Is JGit usable with GitHub at all - what kind of configuration should I use? I am talking about a combination of key type, configuration settings and code invocations that would lead to reliable work against GitHub.

CodePudding user response：

There is a fork of JSch which has support for modern algorithms and should be fairly robust. I know of at least one major organization using it against GitHub with success.

However, note that it disables RSA with SHA-1 support by default, because it's insecure (which is why GitHub is phasing it out), so if you need to work with sites that don't support anything else (e.g., Azure DevOps at the moment), you'll need to set some configuration accordingly.

You may also be able to use Apache Mina in conjunction with JGit. The 5.13 release of JGit supports Mina 2.7.0, which should support modern algorithms.

CodePudding user response：

The latest JGit supports Apache MINA which can use ECDSA keys without problems.

Be wary that JGit 6.x is build for Java 11 . Use the following Maven artifacts:

        <dependency>
            <groupId>org.eclipse.jgit</groupId>
            <artifactId>org.eclipse.jgit</artifactId>
            <version>5.13.0.202109080827-r</version>
        </dependency>

        <dependency>
            <groupId>org.eclipse.jgit</groupId>
            <artifactId>org.eclipse.jgit.ssh.apache</artifactId>
            <version>5.13.0.202109080827-r</version>
        </dependency>

No code changes were needed in my use case.