We use a user key (from a machine user) to check out PRs. However, it looks like CircleCI generates an RSA key that uses SHA1, which GitHub is going to start rejecting in March (see Improving Git protocol security on GitHub | The GitHub Blog). We caught this today because GitHub did a scheduled brownout.
CircleCI generated this key for us (under Project Settings->SSH Keys->User key) and automatically added it to GitHub. There doesn’t seem to be a way for us to manually generate a key that GitHub is happy with, and use it here (the only way to do that is to add one under “Additional SSH Keys”, but that is quite a bit of friction as we will have to manually add the fingerprints with add_ssh_keys in all our config.ymls). Is this something that is being tracked internally?
Thank you all for letting us know about the problem. We are tracking this internally and will provide an update when we have new information.
A current workaround we have is switching to a Docker image that has a newer version of OpenSSH installed or using the latest version of our machine image.
We have confirmed that this resolves the issue for several users.
I hope that this helps, and please wait for further updates.
If you need further assistance, please send us a ticket.
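An added example, not part of the thread and not CircleCI's code: a preflight check for a job's image that reads the `ssh -V` banner and reports whether the client is new enough to sign with `rsa-sha2-256`/`rsa-sha2-512` instead of SHA-1 `ssh-rsa`. The 7.2 threshold is taken from the OpenSSH release notes rather than from this thread, and the function name is hypothetical.

```shell
#!/bin/sh
# Added example: decide from an `ssh -V` banner whether the OpenSSH client
# supports RSA signatures with SHA-2 (introduced in OpenSSH 7.2).

# supports_rsa_sha2 BANNER
#   returns 0 if the banner reports OpenSSH >= 7.2
#   returns 1 if it reports an older OpenSSH
#   returns 2 if no "OpenSSH_<major>.<minor>" version can be parsed
supports_rsa_sha2() {
    # Pull "MAJOR MINOR" out of e.g. "OpenSSH_7.4p1 Debian-10, OpenSSL 1.0.2u"
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/p' |
        head -n 1)
    [ -n "$ver" ] || return 2
    major=${ver% *}
    minor=${ver#* }
    if [ "$major" -gt 7 ]; then
        return 0
    fi
    if [ "$major" -eq 7 ] && [ "$minor" -ge 2 ]; then
        return 0
    fi
    return 1
}

# Report on the client in the current image, if one is installed.
# `ssh -V` writes its banner to stderr, hence the redirect.
if command -v ssh >/dev/null 2>&1; then
    banner=$(ssh -V 2>&1)
    if supports_rsa_sha2 "$banner"; then
        echo "OK: $banner can use rsa-sha2 signatures"
    else
        echo "WARN: $banner is too old or unrecognised; RSA keys will be signed with SHA-1"
    fi
fi
```

Run it as an early step in the job, before checkout, to see which images need to be replaced.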