API Tokens for old repositories too long for Travis CI encrypt

[bryevdv]

Just FYI, the current form of tokens seems to be too long for travis encrypt

(base) ❯ travis encrypt PYPI_TOKEN=pypi:<token>
Detected repository as bokeh/bokeh, is this correct? |yes|
data too large - consider using travis encrypt-file or travis env set

Obviously this is not exactly "your" problem, but I contend that it will seriously hamper the utility of these tokens in a primary use-case scenario. At almost 200 characters, the PyPI tokens are considerably longer than any token I have ever personally encountered on other services. Is it possible to make them shorter?

[di]

Thanks for the report. This looks like a duplicate of #6338 and #6287. Can you try escaping the colon in the token and seeing if this problem remains? e.g.:

-travis encrypt PYPI_TOKEN=pypi:<token>
+travis encrypt PYPI_TOKEN=pypi\:<token>

[bryevdv]

Wow I totally tried to search for existing issues, sorry about that. Escaping the colon did not help, and neither did shortening by removing boilerplate "pypi:" altogether.

[bryevdv]

I should add, it does seem possible to add these as per-project hidden vars in the Travis web UI, I just checked. (I have not actually tested that a token so-added actually works yet) but all things being equal I'd prefer to have these in .travis.yml if possible.

I should add that Travis claims adding hidden env vars in repository settings is suitable for things that "contain sensitive data, such as third-party credentials." so I assume this workaround is safe

[di]

Can you add more details about your platform? Trying this myself, it looks like the total length of the variable name and value must be less than 500 characters:

$ travis encrypt FOO=`python -c "print('a'*497)"`
Please add the following to your .travis.yml file:

  secure: "<encrypted string>"

Pro Tip: You can add it automatically by running with --add.

$ travis encrypt FOO=`python -c "print('a'*498)"`
data too large - consider using travis encrypt-file or travis env set

[bryevdv]

I ran the travis encrypt command on OSX 10.14.6, with travis version 1.8.10

I will note that

travis encrypt FOO=`python -c "print('a'*497)"`

does work

Edit: I swear it did once, but it now no longer does.

[di]

Interesting, I am on a similar platform:

$ sw_vers -productVersion
10.14.5

$ travis --version
1.8.10

Can you try running the same commands I used? Can you see if your token contains any special characters besides the pypi: prefix?

[bryevdv]

There was an underscore. I tried removing it just to see if that made things work, but it did not. The result (without the underscore) appears to not have any other special characters:

>>> token.isalnum()
True

[bryevdv]

OK so this is weird, I started trying the command repeatedly, removing 10 characters from the end, until it worked. It failed until I got to exactly:

travis encrypt "PYPI_TOKEN=<106 characters>

[bryevdv]

OK literally this 107 characters fails:

(base) ❯ travis encrypt "PYPI_TOKEN=22222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222221"
data too large - consider using travis encrypt-file or travis env set

but removing the "1" at the end works.

Willing to chalk this up to a bug on Travis side at this point

[di]

What OpenSSL are you using?

$ gem list | grep openssl
openssl (default: 2.1.2)

$ openssl version
LibreSSL 2.6.5

[bryevdv]

~/work/demo.bokeh.org master*
(base) ❯ gem list | grep openssl

~/work/demo.bokeh.org master*
(base) ❯ openssl version
OpenSSL 1.1.1c  28 May 2019

[di]

Seems like this might be due to some weirdness in the underlying openssl library. I'll leave this open for now to see if we get any additional reports.

[foobarna]

Have you tried to check the length of encryption key?