We use a user key (from a machine user) to check out PRs. However, it looks like CircleCI generates an RSA key that uses SHA1, which GitHub is going to start rejecting in March (see Improving Git protocol security on GitHub | The GitHub Blog). We caught this today because GitHub did a scheduled brownout.
CircleCI generated this key for us (under Project Settings->SSH Keys->User key) and automatically added it to GitHub. There doesn’t seem to be a way for us to manually generate a key that GitHub is happy with, and use it here (the only way to do that is to add one under “Additional SSH Keys”, but that is quite a bit of friction as we will have to manually add the fingerprints with add_ssh_keys in all our config.ymls). Is this something that is being tracked internally?