(maint) Update GitHubSig to current GitHub RSA host key#277

Merged
Magisus merged 1 commit into main from maint/main/update-github-rsa-host-key
Jun 4, 2026
@Magisus Magisus commented Jun 4, 2026

Summary

GitHubSig still held GitHub's retired RSA SSH host key. GitHub rotated its RSA host key on 2023-03-24 (after the prior private key was briefly exposed), so appending the old GitHubSig to a host's known_hosts now collides with the key GitHub actually presents. SSH then refuses the connection with:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

which breaks ssh-based git clones in pre-suites that rely on enable_git_https_access / GitHubSig (e.g. cloning private repos).

Change

  • Replace GitHubSig with GitHub's current RSA host key. Fingerprint SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s, verified against GitHub's published SSH key fingerprints.
  • Drop the pinned IP 207.97.227.239 from the entry. GitHub serves SSH from many rotating addresses, so pinning a single IP provides no security benefit and risks further stale-entry mismatches.

Verification

$ ssh-keyscan -t rsa github.com | ssh-keygen -lf -
3072 SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s github.com (RSA)

🤖 Generated with Claude Code

@Magisus Magisus requested a review from a team as a code owner June 4, 2026 20:41
GitHub rotated its RSA SSH host key on 2023-03-24 after the prior private
key was briefly exposed. The hard-coded GitHubSig still held the retired
key, so appending it to a host's known_hosts collides with the key GitHub
now presents, producing "REMOTE HOST IDENTIFICATION HAS CHANGED" and
aborting ssh-based git clones (e.g. of private repos in pre-suites).

Replace it with the current RSA host key (fingerprint
SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s, verified against
GitHub's published value). Also drop the pinned IP 207.97.227.239 from the
entry: GitHub serves SSH from many rotating addresses, so pinning one IP
adds no security and risks further stale-entry mismatches.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@Magisus Magisus force-pushed the maint/main/update-github-rsa-host-key branch from 56065fe to 6da2e8e Compare June 4, 2026 21:00
Magisus commented Jun 4, 2026

Confirmed this avoids the ugly warning:

* Clone bolt

      * Clone git@github.com:puppetlabs/bolt-private.git if needed

    lop-millinery.delivery.puppetlabs.net (redhat9-64-1) 15:26:18$ test -d /opt/puppet-repos || mkdir -p /opt/puppet-repos

    lop-millinery.delivery.puppetlabs.net (redhat9-64-1) executed in 0.11 seconds

    lop-millinery.delivery.puppetlabs.net (redhat9-64-1) 15:26:18$ test -d /opt/puppet-repos/bolt || git clone git@github.com:puppetlabs/bolt-private.git /opt/puppet-repos/bolt
      Cloning into '/opt/puppet-repos/bolt'...

    lop-millinery.delivery.puppetlabs.net (redhat9-64-1) executed in 3.23 seconds

@Magisus Magisus merged commit 8bbf079 into main Jun 4, 2026
8 checks passed
@Magisus Magisus deleted the maint/main/update-github-rsa-host-key branch June 4, 2026 22:29
@mhashizume mhashizume added the bug label Jun 5, 2026
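
The stale-entry collision and the pinned-IP concern discussed in this pull request can be checked offline against a known_hosts file. The following is an added example, not code from this pull request or the project: it computes the same SHA256 fingerprint `ssh-keygen -lf` prints and flags `github.com` RSA entries that differ from the expected one or carry a pinned IP. The function names, the sample file and the key blobs are constructed for illustration (the blobs are not real host keys), so the demo passes the constructed "current" key's fingerprint as the expected value.

```python
import base64
import hashlib
import ipaddress

# Fingerprint the pull request quotes for GitHub's current RSA host key.
EXPECTED_FP = "SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s"

def fingerprint(key_b64):
    """OpenSSH SHA256 fingerprint: unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def is_ip(pattern):
    try:
        ipaddress.ip_address(pattern)
        return True
    except ValueError:
        return False

def audit_known_hosts(text, host="github.com", expected=EXPECTED_FP):
    """Return (line_no, problem) pairs for plain-text ssh-rsa entries naming `host`."""
    # Hashed (|1|...) names, [host]:port patterns and @markers are skipped.
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue
        patterns, keytype, blob = fields[0].split(","), fields[1], fields[2]
        if host not in patterns or keytype != "ssh-rsa":
            continue
        if (got := fingerprint(blob)) != expected:
            findings.append((n, f"stale key: {got}"))
        findings += [(n, f"pinned IP: {p}") for p in patterns if is_ip(p)]
    return findings

def sample_blob(seed):
    """Constructed ssh-rsa-shaped blob for the demo; not a real host key."""
    parts = [b"ssh-rsa", b"\x01\x00\x01", b"\x00" + hashlib.sha256(seed).digest() * 4]
    return base64.b64encode(b"".join(len(p).to_bytes(4, "big") + p for p in parts)).decode()

OLD, NEW = sample_blob(b"retired"), sample_blob(b"current")
SAMPLE = f"""# constructed known_hosts
github.com,207.97.227.239 ssh-rsa {OLD}
github.com ssh-rsa {NEW}
example.org ssh-rsa {OLD}
"""

if __name__ == "__main__":
    for n, problem in audit_known_hosts(SAMPLE, expected=fingerprint(NEW)):
        print(f"line {n}: {problem}")
```

Against a real file, call `audit_known_hosts(open(path).read())` and leave `expected` at its default, which is the fingerprint stated in this pull request.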