Git Client on Android

While doing some research for a git client for Android, I came across some issues. This post is not an app review, nor is it about what I eventually settled on. Rather, it is something that I hope will help someone else.

Issue History

The first issue is that I wanted to create my own SSH key to access the various git remotes. I had some proprietary and some personal, all of which were on various remote git servers. Some were GitLab, others GitHub, still some Bitbucket, and several newer ones on Codeberg or somewhere else. This is not a debate about which place is better, as each one also had a different purpose and for most of them I did not have a choice in the matter. For basic usage, all of them worked great.
Wanting to create your own SSH key was a different issue that I was not expecting. I am used to making my own SSH keys, and I am very rigid about it, as I make a different key per computer, per general usage, per site. Everyone is different when it comes to SSH keys, and these are my preferences. What this means is that if I have a professional client on GitHub, my personal project on GitHub, and my primary job on GitHub, I will have 3 SSH keys on my main machine to access those 3 different usages from that main computer.
When I make my own SSH keys, I do have a naming convention to help keep organized with which key goes to what and where. Lastly, I usually make my SSH keys using the ED25519 algorithm. That security algorithm is the most secure at the time of writing this while also being accepted on all major platforms. There are other more secure algorithms, but they are not accepted on all platforms. There are other algorithms that are allowed on all platforms, but they are not as secure. This is where my issue came about.
NOTE: Trying to use that algorithm may be your issue as well, OR it may be similar and have the same root cause. Continue reading below.

Issue

Not all Android git clients produced an error, at least nothing consistent. Eventually, I was able to find and capture a pop-up of an error. Generally, the error read as below…

invalid privatekey [B@4e2fd

I had a few other issues pop up. Most of them were surrounding the same general message, “invalid private key”. Logically, one would say that I did not add the SSH key to the repo or settings on the remote server. That was not the case. A few times I did get messages saying that it could not read the private key, which was also not true.
At this point, I had used Termux to generate my SSH keys. I also downloaded a few different SSH keygen specific apps. I tried to generate the SSH key on the git server, on a Windows machine, a macOS machine, and several different Linux servers. None of those worked and still generally gave me the same error. I did even try the built-in SSH keygen for the git clients. Those seemed to work for the most part. However, I was a bit of a control freak and would not let it just be like that. I wanted to know why those worked and not my SSH keys, what I was doing wrong, plus I wanted the ability to rename them (for organizational purposes briefly explained above), and also store the files in a location of my choosing.
Digging into things, I found that these git clients use a specific Java library. It is a great library; it is a bit old, though it doesn’t need to be updated.
I ended up finding this little snippet below.

ssh-keygen -p -f file -m pem -P passphrase -N passphrase

A few things to go over with this.
First is to make sure to have the -m pem in there. I tried a few different things and this was one of the main things that I needed.
Second, if you don’t want a passphrase, the options still need to be there and they need to be a blank string. Do this by passing the following… -P '' -N '' .
Lastly, use the RSA key type with a key size of 4096 bits. Don’t use DSA, and do not use a smaller key size. Try not to use a larger key size either, as that might not be supported on some remotes.
The complete string to generate a new key should look something like this (without -p, which only rewrites an existing key file and ignores -t and -b)…

ssh-keygen -t rsa -b 4096 -f ~/.ssh/keys/<my-new-key> -m pem -P '' -N ''

I tried a few different combinations: with passwords, without passwords, with blank passwords, using the -m flag, and with various types and bytes. This works for me; it also passes my security thoughts currently (that may soon change, though).
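
To check which keys need this treatment before loading them into a client, the following added example (not from the original post or from any of the git clients) reads a private key's first line to identify its format and writes a PEM copy with the same ssh-keygen -p -m pem call shown above. The function names key_format and pem_copy are made up for this example, and it assumes the client's library reads only the PEM layout, as the -m pem fix suggests.

```shell
#!/bin/sh
# Added example: identify a private key's container format and, if needed,
# write a PEM copy for a client that only reads that layout.

# key_format FILE -> openssh | pem-rsa | pem-ec | pem-dsa | pkcs8 | unknown
key_format() {
    # The first line of a private key file names its container format.
    case "$(head -n 1 "$1" 2>/dev/null | tr -d '\r')" in
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh ;;
        "-----BEGIN RSA PRIVATE KEY-----")     echo pem-rsa ;;
        "-----BEGIN EC PRIVATE KEY-----")      echo pem-ec ;;
        "-----BEGIN DSA PRIVATE KEY-----")     echo pem-dsa ;;
        "-----BEGIN PRIVATE KEY-----")         echo pkcs8 ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo pkcs8 ;;
        *) echo unknown ;;
    esac
}

# pem_copy SRC DST -> leaves SRC untouched and writes a PEM copy to DST.
# Returns 0 when DST ends up in PEM form, 1 otherwise.
pem_copy() {
    src=$1
    dst=$2
    if [ ! -f "$src" ]; then echo "no such key: $src" >&2; return 1; fi
    if [ -e "$dst" ]; then echo "refusing to overwrite $dst" >&2; return 1; fi
    # Owner-only permissions on the copy: it is still a private key.
    ( umask 077 && cp "$src" "$dst" ) || return 1
    case "$(key_format "$dst")" in
        pem-*) return 0 ;;   # already PEM, nothing to convert
    esac
    # -p rewrites the file in place, so it runs on the copy only.
    # Blank -P/-N as in the post; for a passphrase-protected key drop both
    # so ssh-keygen prompts and the passphrase stays out of the process list.
    if ! ssh-keygen -p -m pem -P '' -N '' -f "$dst" >/dev/null; then
        rm -f "$dst"; return 1
    fi
    case "$(key_format "$dst")" in
        pem-*) return 0 ;;
    esac
    echo "ssh-keygen left $dst in $(key_format "$dst") format" >&2
    rm -f "$dst"
    return 1
}
```

OpenSSH 7.8 and later write new private keys in the OpenSSH format by default, which is the header key_format reports as openssh. ssh-keygen does not write ED25519 keys in PEM form even with -m pem, so pem_copy reports those as a failure instead of handing back a file the client will reject.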

Hopefully this helps someone out there.