by nijave 1688 days ago
Why are there so many private keys in repos? It seems preferable to just generate them when needed instead of risking one being misused.
2 comments

Committing private keys is definitely the wrong thing to do. But if the system is talking to something, then generating new keys won’t help either. What you need is some kind of system to deploy or retrieve secrets. There are various different solutions that exist for this.
And the system for deploying or retrieving secrets itself needs secrets to authenticate with the secrets manager.

Or you generate them on the fly at deployment so that they only exist ephemerally outside the deployment site.

Most private keys in Git repositories seem to be test data. But why are those test private keys sometimes used for other things? Probably just people lazily copying from ~/.ssh/id_rsa or copying to ~/.ssh/id_rsa.
Private keys for tests should be generated on demand, lest you induce CI failure due to key expiration some years down the line.
Keys (at least RSA, EC, SSH ones) don’t expire - certs do. Also, you’re not required to set an expiration at all, and probably should not in tests, for the very reason you mentioned. Unless you’re testing expiration validation, of course, in which case the cert will be intentionally expired.
I'm somewhat surprised how many keygen-type tools don't support ways to do that without putting a passphrase on a command line. GPG is nice, with --passphrase-fd.
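An added example, not written by any commenter in this thread: one way to generate a passphrase-protected test key on demand with the passphrase supplied over a file descriptor rather than as a command-line argument, the same idea as the `--passphrase-fd` option mentioned above. It assumes the `openssl` CLI is installed; the function names, the P-256 curve and the `TEST_KEY` variable are choices made for this illustration.

```shell
#!/bin/sh
# Added example: ephemeral, passphrase-protected test keys via the openssl CLI.
# The passphrase is handed over on file descriptor 3, so it never shows up in
# the argument list of the openssl process.

# gen_passphrase: print 32 random bytes as 64 hex characters.
gen_passphrase() {
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# make_test_key DIR PASSPHRASE: write an encrypted P-256 key to DIR/test.key.
make_test_key() {
    (
        umask 077   # key file is created mode 0600
        openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
            -aes-256-cbc -pass fd:3 -out "$1/test.key" 3<<EOF
$2
EOF
    )
}

# check_test_key DIR PASSPHRASE: succeed only if the passphrase decrypts the key.
check_test_key() {
    openssl pkey -in "$1/test.key" -passin fd:3 -noout 2>/dev/null 3<<EOF
$2
EOF
}

# run_with_test_key CMD...: create a fresh key, run CMD with TEST_KEY set and
# the passphrase readable on fd 3, then delete the key whatever CMD returned.
run_with_test_key() {
    rwk_dir=$(mktemp -d) || return 1
    rwk_pass=$(gen_passphrase)
    rwk_rc=1
    if make_test_key "$rwk_dir" "$rwk_pass"; then
        TEST_KEY="$rwk_dir/test.key" "$@" 3<<EOF
$rwk_pass
EOF
        rwk_rc=$?
    fi
    rm -rf "$rwk_dir"
    return "$rwk_rc"
}
```

The key and its passphrase exist only for the lifetime of the wrapped command, so nothing needs to be committed to the repository.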