CircleCI User Key uses RSA with SHA1, which GitHub has deprecated

We use a user key (from a machine user) to check out PRs. However, it looks like CircleCI generates an RSA key that uses SHA1, which GitHub is going to start rejecting in March (see Improving Git protocol security on GitHub | The GitHub Blog). We caught this today because GitHub did a scheduled brownout.

CircleCI generated this key for us (under Project Settings->SSH Keys->User key) and automatically added it to GitHub. There doesn’t seem to be a way for us to manually generate a key that GitHub is happy with, and use it here (the only way to do that is to add one under “Additional SSH Keys”, but that is quite a bit of friction as we will have to manually add the fingerprints with add_ssh_keys in all our config.ymls). Is this something that is being tracked internally?

We are facing the same issue. It would be nice to get an update on this.

This issue causes my pipelines to fail. Are there any update as for why it happened tonight, and how can it be mitigated?

Hi all,

Thank you all for letting us know about the problem. We are tracking this internally and will provide an update when we have new information.

A current workaround we have is switching to a docker image that has a newer version of OpenSSH installed or using the latest version of our machine image.
We have confirmed that this resolve the issue for several users.

I hope that this helps, and please wait for further updates.

If you need further assistance please send us a ticket.

some quote from ssh-troubleshooting: Improving Git protocol security on GitHub - The GitHub Blog

Clients relying on older SSH implementations will need to be updated. (The standard Git client uses your operating system’s SSH implementation on Linux and macOS.) Common examples include:

  • OpenSSH before version 7.2
  • PuTTY before 0.75

FYI: Rust users might run into SSH key priority / failover on CircleCI+GitHub · Issue #10280 · rust-lang/cargo · GitHub

Hi All!

To keep the discussion on this situation in a single place I created a new Discuss post that has some additional details and possible resolutions to the error:

If you have any questions or encounter any issues resolving this, please reply in the above thread, as we will be monitoring it and assisting as issues arise.

Thanks!
-Nick