Issue #7983 resolved

Discrepancy between docs and live for deploy-key updates

Les Aker
created an issue

The API docs specify that a deploy key can be updated by sending a PUT to the key's URL: {user}/{repo}/deploy-keys/{keyid}

This worked as documented until a few weeks ago, when attempting to update a deploy key began returning a 400 error with the message "The content of a deploy key cannot be modified."

Is this an intentional change, and if so, can the documentation be updated to reflect it?

Comments (6)

  1. Marcus Bertrand staff

    I've removed the PUT from the documentation. We intentionally forbid editing keys for security reasons. To change a key, you'll need to delete the old one, then add a new one.

  2. Les Aker reporter

    Awesome; thanks for the clarification! I figured that was the case, as updating a key allowed a bypass of the security notice email.

  3. suwat ch

    Could you share what the security reasons are? How is the delete/add gesture more secure than editing? BTW, once someone has a valid token, updating an SSH key is the least of your problems. More harm can be done.

  4. Les Aker reporter

    suwat ch For starters, updating a key doesn't kick off a security email. So if an attacker gets your creds and replaces one of your keys with their key, you don't know until you try to use it.

  5. suwat ch

    Honestly, if I know your cred, why bother replacing the key? I can just add a new one or do something else more harmful. As far as the security mail is concerned, if one's secret got exposed, regardless of for how long, the damage is done and all bets are off. Just me.

    BTW, this change broke a certain scenario in Windows Azure (we do update the key).
