[BUG]: secretOrPrivateKey size error when size is larger enough #450

Open
1 task done
padenaa opened this issue Feb 16, 2023 · 4 comments
Labels
Status: Needs info Full requirements are not yet known, so implementation should not be started Type: Bug Something isn't working as documented, or is being fixed

Comments

@padenaa
padenaa commented Feb 16, 2023

What happened?

I'm doing some development with octokit and probot which bring jsonwebtoken as a dependency. After updating octokit/auth-app to 4.0.8 which supports jsonwebtoken 9.0.1, I'm getting this error:

"secretOrPrivateKey has a minimum key size of 2048 bits for RS256"

The private key used is definitely longer than 2048 bits, so I was not expecting to see this error.

Versions

Node version v16, octokit/auth-app 4.0.8, universal-github-app-jwt 1.1.1, octokit-auth-probot 1.2.8, probot 12.1.1

Relevant log output

Error: secretOrPrivateKey has a minimum key size of 2048 bits for RS256
    at Object.sign (/app/node_modules/jsonwebtoken/sign.js:130:22)
    at getToken (/app/node_modules/universal-github-app-jwt/dist-src/get-token.js:3:25)
    at Object.githubAppJwt (/app/node_modules/universal-github-app-jwt/dist-src/index.js:14:25)
    at getAppAuthentication (/app/node_modules/@octokit/auth-app/dist-src/get-app-authentication.js:4:41)
    at hook (/app/node_modules/@octokit/auth-app/dist-src/hook.js:18:33)

@padenaa padenaa added Status: Triage This is being looked at and prioritized Type: Bug Something isn't working as documented, or is being fixed labels Feb 16, 2023
@gr2m
Contributor

gr2m commented Feb 17, 2023

Can you generate a new private key, invalidate the current one, and share the invalid one with us so we can reproduce the problem? I'm using this library extensively in many different apps (as a sub dependency), I have not run into the problem myself yet.

@kfcampbell kfcampbell added the Status: Needs info Full requirements are not yet known, so implementation should not be started label Feb 17, 2023
@anna-safonov

anna-safonov commented Feb 21, 2023

@gr2m the application @padenaa and myself are working on is a GitHub app. The private key is generated by GitHub when the app is created/registered and is the one used to sign requests for access token by the app.
This issue is intermittent - we see it for different apps we have, it always happens when integration tests are run in docker before app deployment, and sometimes the issue goes away on re-run of the pipeline. Which seems like the issue is not with the key itself.
Hopefully, this provides a bit more context, but if you still need the key for testing, I will provide one.

@anna-safonov

@gr2m - is there any update on this issue?

@nickfloyd nickfloyd moved this from 🆕 Triage to 🏗 In progress in 🧰 Octokit Active Mar 10, 2023
@wolfy1339
Member

I've definitely seen this issue myself while working on the Octokit libraries.

It's been a while, so I can't find a commit/issue quickly.

I believe I had to regenerate the key, and it had a slightly different format, and the error went away.
