We use a user key (from a machine user) to check out PRs. However, it looks like CircleCI generates an RSA key that uses SHA1, which GitHub is going to start rejecting in March (see Improving Git protocol security on GitHub | The GitHub Blog). We caught this today because GitHub did a scheduled brownout.
CircleCI generated this key for us (under Project Settings->SSH Keys->User key) and automatically added it to GitHub. There doesn’t seem to be a way for us to manually generate a key that GitHub is happy with, and use it here (the only way to do that is to add one under “Additional SSH Keys”, but that is quite a bit of friction as we will have to manually add the fingerprints with add_ssh_keys in all our config.ymls). Is this something that is being tracked internally?
Thank you all for letting us know about the problem. We are tracking this internally and will provide an update when we have new information.
A current workaround we have is switching to a docker image that has a newer version of OpenSSH installed or using the latest version of our machine image.
We have confirmed that this resolves the issue for several users.
I hope that this helps, and please wait for further updates.
If you need further assistance please send us a ticket.
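The workaround above works because an RSA key is not itself "SHA-1": the hash is chosen by the SSH client's signature algorithm. OpenSSH 7.2 and later can sign with the same RSA key using rsa-sha2-256/rsa-sha2-512, which GitHub keeps accepting, while older clients only offer ssh-rsa (SHA-1). The following is an added check, not code from CircleCI or from this thread, for confirming that the Docker or machine image you switch to ships a client that is new enough; it assumes the 7.2 cutoff stated above and that `ssh -Q sig` is available (it is on recent OpenSSH; the script tolerates its absence).

```shell
#!/bin/sh
# Added example: verify that the SSH client in a CI image can sign with an RSA
# key using SHA-2 (rsa-sha2-256 / rsa-sha2-512) rather than only ssh-rsa (SHA-1).
# Assumption: OpenSSH 7.2 is the first release that offers rsa-sha2-* signatures.

# Extract "major.minor" from an `ssh -V` banner such as
# "OpenSSH_8.9p1 Ubuntu-3ubuntu0.6, OpenSSL 3.0.2 15 Mar 2022".
parse_openssh_version() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# True (exit 0) when the given "major.minor" is 7.2 or newer.
openssh_supports_rsa_sha2() {
    [ -n "$1" ] || return 1
    major=${1%%.*}
    minor=${1#*.}
    [ "$major" -gt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -ge 2 ]; }
}

# Given the output of `ssh -Q sig` (one algorithm per line), true when a
# SHA-2 RSA signature algorithm is offered.
sig_list_has_rsa_sha2() {
    printf '%s\n' "$1" | grep -qx -e 'rsa-sha2-256' -e 'rsa-sha2-512'
}

# Live check against the client installed in the image. Returns 0 when the
# client can produce rsa-sha2-* signatures, 1 when it cannot, 2 when no ssh.
check_local_ssh() {
    if ! command -v ssh >/dev/null 2>&1; then
        echo "ssh not found in PATH"
        return 2
    fi
    banner=$(ssh -V 2>&1)
    ver=$(parse_openssh_version "$banner")
    if openssh_supports_rsa_sha2 "$ver"; then
        echo "OpenSSH $ver: can sign with rsa-sha2-256/512, an RSA key is fine"
    else
        echo "OpenSSH $ver: only ssh-rsa (SHA-1) available, switch to a newer image"
        return 1
    fi
    # `ssh -Q sig` is missing on some older builds; an empty list is not an error.
    sigs=$(ssh -Q sig 2>/dev/null || true)
    if [ -n "$sigs" ] && ! sig_list_has_rsa_sha2 "$sigs"; then
        echo "warning: rsa-sha2-* not listed by 'ssh -Q sig'"
        return 1
    fi
    echo "End-to-end check once the key is loaded:"
    echo "  ssh -T -o PubkeyAcceptedAlgorithms=rsa-sha2-512,rsa-sha2-256 git@github.com"
}
```

Run `check_local_ssh` as an early step in the job that checks out the repository; a non-zero status tells you the image is the problem before the clone fails. On clients older than OpenSSH 8.5 the end-to-end option is spelled `PubkeyAcceptedKeyTypes` instead of `PubkeyAcceptedAlgorithms`.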
Clients relying on older SSH implementations will need to be updated. (The standard Git client uses your operating system’s SSH implementation on Linux and macOS.) Common examples include:
To keep the discussion on this situation in a single place I created a new Discuss post that has some additional details and possible resolutions to the error:
If you have any questions or encounter any issues resolving this, please reply in the above thread, as we will be monitoring it and assisting as issues arise.