GitHub Pull Request Decoration not working after upgrade to 8.1

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
    SonarQube 8.1
  • what are you trying to achieve
    GitHub pull request decoration
  • what have you tried so far to achieve this
    Generating a new key, getting rid of spaces and new lines, trying random text

When SonarQube tries to decorate a PR I get this error after upgrading to 8.1:

2019.12.18 20:33:30 ERROR ce[AW8atx4mGF0pTtm1UB-t][o.s.c.t.p.a.p.PostProjectAnalysisTasksExecutor] Execution of task class com.sonarsource.C.D.a failed
java.lang.IllegalStateException: Failed to read Github Application private key
        at com.sonarsource.C.B.B.A.D.A.B(Unknown Source)
        at com.sonarsource.C.B.B.A.D.A.A(Unknown Source)
        at com.sonarsource.C.B.B.A.A.C.A(Unknown Source)
        at com.sonarsource.C.D.E.A.C(Unknown Source)
        at com.sonarsource.C.D.E.A.A(Unknown Source)
        at com.sonarsource.C.D.E.I.A(Unknown Source)
        at com.sonarsource.C.D.a.A(Unknown Source)
        at java.base/java.util.Optional.ifPresent(
        at com.sonarsource.C.D.a.B(Unknown Source)
        at com.sonarsource.C.D.a.A(Unknown Source)
        at org.sonar.ce.async.SynchronousAsyncExecution.addToQueue(
        at com.sonarsource.C.D.a.A(Unknown Source)
        at java.base/java.util.Optional.ifPresent(
        at com.sonarsource.C.D.a.finished(Unknown Source)
        at org.sonar.ce.task.projectanalysis.api.posttask.PostProjectAnalysisTasksExecutor.executeTask(
        at org.sonar.ce.task.projectanalysis.api.posttask.PostProjectAnalysisTasksExecutor.finished(
        at org.sonar.ce.task.step.ComputationStepExecutor.executeListener(
        at org.sonar.ce.task.step.ComputationStepExecutor.execute(
        at org.sonar.ce.task.projectanalysis.taskprocessor.ReportTaskProcessor.process(
        at org.sonar.ce.taskprocessor.CeWorkerImpl$ExecuteTask.executeTask(
        at org.sonar.ce.taskprocessor.CeWorkerImpl$
        at org.sonar.ce.taskprocessor.CeWorkerImpl.findAndProcessTask(
        at org.sonar.ce.taskprocessor.CeWorkerImpl$TrackRunningState.get(
        at java.base/java.util.concurrent.Executors$
        at java.base/
        at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(
        at java.base/java.util.concurrent.ThreadPoolExecutor$
        at java.base/
Caused by: Content can't be read to a private key
        ... 34 common frames omitted

I’ve tried getting rid of the white spaces and new lines, generating a new key, generating garbage text, recreating the github app on the admin page, nothing is working. What am I missing?

Hey there!

I just tested an upgrade from 7.9 to 8.1 and my PR configuration migrated fine (decoration worked before and after).

What format is your private key in? Does it start with -----BEGIN RSA PRIVATE KEY----- and end with -----END RSA PRIVATE KEY-----?

What version did you upgrade from (and out of curiosity, what’s been the version path of your SQ instance?)


I went from 7.7 to 8.1, got an error message about needing to go to LTS first, so went to LTS then to 8.1. Is there something more I can do to troubleshoot, or clear out the settings and retry it?

The error you are encountering is happening when the private key is invalid.
Could you please check again the private key you are using is valid ? Or use a new one ?

I already tried a new one, it didn’t make a difference. I’ll just roll back for now.

Before giving up on this, do you confirm that you’re using the good format (see last Colin’s question) ?

Yes it starts and ends with that, there are no spaces or new lines. This was working on the previous version, did the way sonar parses the private key change?

In 7.7, it was needed to encode the private key in base64, and now the raw text value should be sent.

In order to be sure that SonarQube has correctly converted your key, could you please call api/alm_settings/list_definitions, and check the result contains :

  "github": [
    "privateKey": "-----BEGIN RSA PRIVATE KEY-----..."

(Obvisously, please do NOT send your private key here)

When I load the private key into puttygen it is able to successfully read it, so I believe the key itself is fine.

Well this is interesting:

The BEGIN RSA PRIVATE KEY appears to have a new line in it. When I copy and paste the key out of the website into notepad++ i don’t see any new lines though. Is it supposed to look like this?

EDIT: I think this is just the text wrapping in the browser.

When I paste the key directly into the window, complete with new lines, the decorations work. If I strip the newlines from the key then paste, it fails.

Here’s an example, there are lots of \n throughout the key of course.


Great, that’s a good news !
Thanks for explaining how you’ve fixed this.