I am working on a project which uses swift packages hosted on GitHub from Xcode.
Recently when resolving packages over SSH I am running into this issue:
It took me a while to figure out what this
7B99811E4C91A50D5A2E2E80133F24CA even is. Typically, RSA fingerprints are given as base64 encoded SHA256 hashes. That thing looks like hexadecimal and does not have enough bits. I suspect it is an MD5 digest.
According to GitHub's SSH key fingerprints - GitHub Docs Github's RSA key fingerprint is:
I have since figured out that the MD5 digest is supposed to be:
MD5:16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48 as it would more typically be written by ssh tools).
As we can see, this does not match with what Xcode tells me, hence I am reluctant to click "Trust".
~/.ssh/known_hosts file has a public key associated with github.com which matches the published SHA265 fingerprint.
~/Library/Preferences/com.apple.dt.Xcode.plist (which Xcode apparently uses for storing known hosts?) contains
github.com mapped to
1627aca576282d36631b564debdfa648. This also looks correct (except for using MD5 in 2021, but that is another issue).
Interestingly, when I try to resolve these packages using the command
xcodebuild -resolvePackageDependencies things work without changing any known hosts. The same is true when I try to clone the repositories just using
ssh-keyscan github.com also returns the RSA public key, which SHA264 hashes and MD5 hashes to the expected values.
What I would ultimately like to achieve is resolving these packages from Xcode without trusting
7B99811E4C91A50D5A2E2E80133F24CA. Or at least confirming that
7B99811E4C91A50D5A2E2E80133F24CA is trustworthy before trusting it.
Any help would be appreciated, but I have two questions in particular:
A possibility is that when resolving packages from the Xcode GUI, I am really not talking to github.com, but someone/thing else. How can I debug this. Is there some verbose mode where I can get more information? Something like what
GIT_SSH_COMMAND="ssh -vvv" git clone exampleprovides on the command line.
Another possibility is that Xcode has somehow confused itself and is asking me to trust a wrongly constructed key fingerprint. Could this be the case?
Any other possible explanations?