[CommandBox 6.3.3 + GitHub] Should HTTPS + PAT/Netrc Be Preferred Over SSH?

I ran into an issue trying to install a private GitHub repo as a CommandBox dependency using git+ssh.

This works fine from my terminal:

ssh -T git@github.com

GitHub authenticates me successfully.

But CommandBox fails when installing:

box install git+ssh://git@github.com:{username}/{repo}.git#master

The first error was:

com.jcraft.jsch.JSchException: Auth fail

I found the CommandBox docs suggesting an RSA PEM key as a workaround, so I generated one using:

ssh-keygen -t rsa -b 4096 -m PEM -f ~/.ssh/id_rsa_commandbox

After adding that key to GitHub, CommandBox got further, but GitHub rejected it with:

ERROR: You're using an RSA key with SHA-1, which is no longer allowed.
Please use a newer client or a different key type.

So my question is: does CommandBox 6.3.3 currently support modern GitHub SSH authentication for private repos, such as RSA SHA-2 signatures? Or is the recommended approach now to use HTTPS with a GitHub PAT and _netrc?

We support whatever the jGit library supports, which has always seemed a little behind. I would recommend moving to private packages stored with ForgeBox S3 storage if you need an alternative. I’m not familiar with any recent changes in GitHub’s requirements; I don’t personally use any private GitHub packages with CommandBox myself.

1 Like

Thanks, Brad.

I will eventually use ForgeBox, but since this module is a greenfield app currently in development, I thought using GitHub to test would be easier, at least for now.

I got it working by creating a GitHub personal access token:
Profile photo → Settings → Developer settings → Personal access tokens → Tokens (classic)

Then, as the CommandBox docs instruct, I created a new file:
C:\Users\{windows_username}\_netrc

With the contents:

machine github.com
login {github_username}
password {github_token}

Then, in CommandBox:
install git+https://github.com/{user}/{repo}.git#master

1 Like
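
As an added example (not part of the thread and not CommandBox's own code), this Python script audits a `_netrc` file like the one in the post above: it flags a file mode that lets other users read the token (POSIX only), a catch-all `default` entry, and whether the `github.com` password is a classic (`ghp_`) or fine-grained (`github_pat_`) token. The function names, the login `octo-dev` and the token values are constructed for illustration.

```python
import netrc
import os
import stat
import tempfile

POSIX = os.name == "posix"

def audit_netrc(path, host="github.com"):
    """Return findings for a netrc/_netrc file used for Git over HTTPS."""
    findings = []
    # The file stores a reusable credential in clear text (owner-only on POSIX).
    if POSIX and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        findings.append("file readable by group/other (chmod 600)")
    try:
        hosts = netrc.netrc(path).hosts
    except netrc.NetrcParseError as exc:
        return findings + [f"parse error: {exc}"]
    if "default" in hosts:
        # netrc uses `default` for any host without its own `machine` line.
        findings.append("default entry present: credentials not tied to one host")
    if host not in hosts:
        return findings + [f"no machine entry for {host}"]
    password = hosts[host][2] or ""
    if password.startswith("ghp_"):
        findings.append("classic token (ghp_): scopes are account-wide")
    elif not password.startswith("github_pat_"):
        findings.append("password has no GitHub token prefix")
    return findings

def _write(text, mode):
    fd, path = tempfile.mkstemp(suffix="_netrc")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path

def demo():
    """Audit two constructed files; the login and tokens are fake."""
    loose = _write("machine github.com\nlogin octo-dev\npassword ghp_" + "X" * 36
                   + "\ndefault login octo-dev password hunter2\n", 0o644)
    tight = _write("machine github.com\nlogin octo-dev\npassword github_pat_"
                   + "X" * 40 + "\n", 0o600)
    try:
        return {"loose": audit_netrc(loose), "tight": audit_netrc(tight)}
    finally:
        os.remove(loose)
        os.remove(tight)

if __name__ == "__main__":
    print(demo())
```

On Windows the mode check is skipped, so access to `C:\Users\{windows_username}\_netrc` has to be reviewed through the file's ACL instead.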