The authenticity of host 'heroku.com (50.19.85.132)' can't be established

I had the same problem, and the answer from @musikele to remove the leading space from the documentation code helped. However, after that it still did not recognize Heroku’s host key, so my deploy stalled.

    #!/bin/bash -eo pipefail
    git push --force git@heroku.com:$HEROKU_APP_NAME.git HEAD:refs/heads/master

    The authenticity of host 'heroku.com (50.19.85.156)' can't be established.
    RSA key fingerprint is SHA256:8tF0wX2WquK45aGKs/Bh1dKmBXH08vxUe0VCJJWOA/o.
    Are you sure you want to continue connecting (yes/no)?

First I fixed it by adding a step in my deploy job to dynamically put heroku in ~/.ssh/known_hosts:

       - run:
           name: Add Heroku to known_hosts
           command: ssh-keyscan -H heroku.com >> ~/.ssh/known_hosts

This doesn’t seem ideal, because the https://linux.die.net/man/1/ssh-keyscan doc describes a security risk:

> If an ssh_known_hosts file is constructed using ssh-keyscan without verifying the keys, users will be vulnerable to man in the middle attacks.

To make it more secure, I changed the step to statically specify Heroku’s public key. This will break if Heroku changes their key, so I’ll have to see if that becomes a problem.

  - run:
      name: Add Heroku to known_hosts
      environment:
        HEROKU_PUBLIC_KEY: "|1|du6yP6VYFOQt2W1/LcEYuaPQhPg=|Db0+enWeW0eh8Fg3R93yFMZ/U/U= ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAu8erSx6jh+8ztsfHwkNeFr/SZaSOcvoa8AyMpaerGIPZDB2TKNgNkMSYTLYGDK2ivsqXopo2W7dpQRBIVF80q9mNXy5tbt1WE04gbOBB26Wn2hF4bk3Tu+BNMFbvMjPbkVlC2hcFuQJdH4T2i/dtauyTpJbD/6ExHR9XYVhdhdMs0JsjP/Q5FNoWh2ff9YbZVpDQSTPvusUp4liLjPfa/i0t+2LpNCeWy8Y+V9gUlDWiyYwrfMVI0UwNCZZKHs1Unpc11/4HLitQRtvuk0Ot5qwwBxbmtvCDKZvj1aFBid71/mYdGRPYZMIxq1zgP1acePC1zfTG/lvuQ7d0Pe0kaw=="
      command: echo "$HEROKU_PUBLIC_KEY" >> ~/.ssh/known_hosts

I’d love some guidance from CircleCI on the best practice to handle this problem.

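A middle ground between the two steps in the post above, as an added example that is not part of the original post and not CircleCI's or Heroku's code: scan the host at deploy time, but write `known_hosts` only when the scanned key is identical to a pinned key that was verified out-of-band, and fail fast otherwise. The function name `add_pinned_host`, its exit codes and the `PINNED_KEY` variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Reads `ssh-keyscan` output on
# stdin and appends the host to known_hosts only when the scanned key is
# identical to a pinned key that was verified out-of-band.
# The function name and exit codes are this example's own choices.
#
# CI usage (PINNED_KEY is "<keytype> <base64-blob>", e.g. "ssh-rsa AAAA..."):
#   ssh-keyscan -t rsa heroku.com 2>/dev/null |
#     add_pinned_host heroku.com "$PINNED_KEY" ~/.ssh/known_hosts

add_pinned_host() {
    host=$1 pin=$2 known_hosts=$3
    pin_type=${pin%% *}          # key type is the first field of the pin
    seen=0

    # ssh-keyscan (without -H) prints "<host> <keytype> <base64-key>" per line.
    while read -r scan_host scan_type scan_blob _rest; do
        [ "$scan_host" = "$host" ] || continue        # also skips '#' banner lines
        [ "$scan_type" = "$pin_type" ] || continue    # other key types are ignored
        seen=1
        if [ "$scan_type $scan_blob" != "$pin" ]; then
            echo "host key for $host does not match the pin: $scan_type $scan_blob" >&2
            return 1      # rotated key or interception: a human must decide
        fi
    done

    if [ "$seen" -eq 0 ]; then
        echo "no $pin_type key for $host in scan output" >&2
        return 2
    fi

    entry="$host $pin"
    mkdir -p "$(dirname "$known_hosts")"
    # Idempotent: do not duplicate the line on re-runs or restored caches.
    grep -qxF -- "$entry" "$known_hosts" 2>/dev/null || echo "$entry" >> "$known_hosts"
    return 0
}
```

A non-zero exit stops the job before `git push` runs, so a changed key shows up as a failed step with the offending key in the log rather than a stalled prompt. Running the push with `ssh -o StrictHostKeyChecking=yes` makes ssh itself refuse unknown or changed keys instead of asking.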