Repository.Push fails with You're using an RSA key with SHA-1 even if ssh key works ok from CLI #516

Closed
shaftoe opened this issue Apr 13, 2022 · 10 comments

@shaftoe

shaftoe commented Apr 13, 2022

We recently migrated all our codebase from GitLab to GitHub and one of our internal tools (go v1.18) suddenly stopped working.

This example should help to better describe and reproduce the issue: https://github.com/plato-app/alex-test-gitpush/blob/master/main.go

This is the output running go run main.go on my Macbook Air M1:

FATA[2022-04-13T09:02:51-04:00] unknown error: ERROR: You're using an RSA key with SHA-1, which is no longer allowed. Please use a newer client or a different key type.

The commit gets created correctly, only the push fails, but pushing the very same commit from Git CLI (git version 2.32.0 (Apple Git-132)) it works correctly:

Enumerating objects: 4, done.
Counting objects: 100% (4/4), done.
Delta compression using up to 8 threads
Compressing objects: 100% (2/2), done.
Writing objects: 100% (3/3), 279 bytes | 279.00 KiB/s, done.
Total 3 (delta 1), reused 0 (delta 0), pack-reused 0
remote: Resolving deltas: 100% (1/1), completed with 1 local object.
To github.com:plato-app/alex-test-gitpush.git
   b7ab13c..3045da8  master -> master

SSH key loaded via SSH agent, ssh-key -l shows 4092 SHA256:PZfI8AJp6diTWnUZ1jh[cut...] (RSA)

@shaftoe
Author

shaftoe commented Apr 13, 2022

I'm gathering feedback from other colleagues and this seems to be another error:

FATA[2022-04-13T17:11:30+04:00] ssh: handshake failed: knownhosts: key mismatch

Please note that the ssh key is properly loaded in the ssh agent and Git CLI works correctly

@smveloso

> I'm gathering feedback from other colleagues and this seems to be another error:
>
> FATA[2022-04-13T17:11:30+04:00] ssh: handshake failed: knownhosts: key mismatch
>
> Please note that the ssh key is properly loaded in the ssh agent and Git CLI works correctly

Maybe you are facing this issue: #411

Hope it helps.

@shaftoe
Author

shaftoe commented Apr 19, 2022

@smveloso thanks a lot, it appears to help indeed. For the record, this seems to be the actual magic trick:

ssh-keyscan -t rsa github.com >> ~/.ssh/known_hosts
ssh-keyscan -t ecdsa github.com >> ~/.ssh/known_hosts

@robnester-rh

I'm running into the same issue, but trying the suggested fixes of:

ssh-keyscan -t rsa github.com >> ~/.ssh/known_hosts
ssh-keyscan -t ecdsa github.com >> ~/.ssh/known_hosts

doesn't seem to work for me. Is anyone else seeing this and, if so, have you found a workaround?

@manno

manno commented Aug 5, 2022

Since go-git is using x/crypto/ssh via github.com/gliderlabs/ssh, I think it is affected by golang/go#49952
Which means it doesn't use the strongest possible cipher with older keys.
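
The distinction behind the error message and the comment above, as an added example that is not part of the thread and is not go-git or x/crypto code: one RSA key can produce an `ssh-rsa` (SHA-1) signature or an `rsa-sha2-256`/`rsa-sha2-512` (SHA-2) signature, and a server can refuse the first while accepting the others. It uses only the Go standard library and models the signature step rather than a full SSH handshake; `formats`, `demoKey`, `Signature`, `Sign` and `Verify` are hypothetical names, and the key and data are constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	_ "crypto/sha1" // link in the hash implementations used through crypto.Hash
	_ "crypto/sha256"
	_ "crypto/sha512"
	"errors"
	"fmt"
)

// Signature formats available to one and the same RSA key (RFC 4253, RFC 8332).
var formats = map[string]crypto.Hash{"ssh-rsa": crypto.SHA1, "rsa-sha2-256": crypto.SHA256, "rsa-sha2-512": crypto.SHA512}
var demoKey, _ = rsa.GenerateKey(rand.Reader, 2048) // constructed throwaway key

type Signature struct{ Format string; Blob []byte } // format name on the wire + raw RSA signature

func digest(h crypto.Hash, data []byte) []byte {
	d := h.New()
	d.Write(data)
	return d.Sum(nil)
}

// Sign is the client side: the caller picks the format, the key never changes.
func Sign(key *rsa.PrivateKey, format string, data []byte) (Signature, error) {
	h, ok := formats[format]
	if !ok {
		return Signature{}, errors.New("unknown signature format " + format)
	}
	blob, err := rsa.SignPKCS1v15(rand.Reader, key, h, digest(h, data))
	return Signature{Format: format, Blob: blob}, err
}

// Verify is a constructed server policy: SHA-1 signatures are refused outright.
func Verify(pub *rsa.PublicKey, data []byte, sig Signature) error {
	h, ok := formats[sig.Format]
	if !ok || h == crypto.SHA1 {
		return errors.New("signature format not allowed: " + sig.Format)
	}
	return rsa.VerifyPKCS1v15(pub, h, digest(h, data), sig.Blob)
}

func main() {
	for _, f := range []string{"ssh-rsa", "rsa-sha2-256", "rsa-sha2-512"} {
		sig, _ := Sign(demoKey, f, []byte("constructed session data"))
		fmt.Println(f, "->", Verify(&demoKey.PublicKey, []byte("constructed session data"), sig))
	}
}
```

Only the `ssh-rsa` line reports an error; the key is identical in all three cases, which is why regenerating an RSA key does not change the outcome while a client that selects a SHA-2 format does.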

@juicemia

Hello everybody,

I'm seeing this happen on clones as well.

Just doing a plain clone like this:

_, err := git.PlainClone(cloneDir, false, &git.CloneOptions{
	URL: repo.URL,
})

Results in this error:

unknown error: ERROR: You're using an RSA key with SHA-1, which is no longer allowed. Please use a newer client or a different key type.

This SSH key was created using this command:

ssh-keygen -t rsa -b 2048 -f ~/.ssh/github

@juicemia

juicemia commented Aug 12, 2022

Just got the following working as a workaround.

# Generate an ECDSA key since it doesn't seem to be affected by this SHA-1 RSA thing.
ssh-keygen -t ecdsa -f /path/to/github/ecdsa/key

Then in my code:

auth, err := ssh.NewPublicKeysFromFile("git", "/path/to/github/ecdsa/key", "")
if err != nil {
	// handle it
}

_, err = git.PlainClone(cloneDir, false, &git.CloneOptions{
	Auth: auth,
	URL:  repo.URL,
})

@bk2204

bk2204 commented Nov 29, 2022

I believe this will be fixed if you upgrade golang.org/x/crypto to v0.3.0. I've just tested a test program with that version against GitHub with an RSA key and it appears to work correctly.

If folks want, I can even send a PR with that change.

@pjbgf
Member

pjbgf commented Nov 30, 2022

#620 already updates golang.org/x/crypto to v0.3.0, once that gets merged folks could try again using the version from master. Alternatively, the replace directive can be used on your go.mod to force the use of golang.org/x/crypto@v0.3.0.

@pjbgf
Member

pjbgf commented Mar 5, 2023

Fixed as per #620 merge.
