Hello,
I am working on a project which uses swift packages hosted on GitHub from Xcode.
Recently when resolving packages over SSH I am running into this issue:
It took me a while to figure out what this 7B99811E4C91A50D5A2E2E80133F24CA even is. Typically, RSA fingerprints are given as base64-encoded SHA256 hashes. That thing looks like hexadecimal and does not have enough bits. I suspect it is an MD5 digest.
According to the GitHub Docs page "SSH key fingerprints", GitHub's RSA key fingerprint is:
SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8
I have since figured out that the MD5 digest is supposed to be:
1627aca576282d36631b564debdfa648
(or MD5:16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48
as it would more typically be written by ssh tools).
As we can see, this does not match what Xcode tells me, hence I am reluctant to click "Trust".
My ~/.ssh/known_hosts file has a public key associated with github.com which matches the published SHA256 fingerprint.
My ~/Library/Preferences/com.apple.dt.Xcode.plist (which Xcode apparently uses for storing known hosts?) contains github.com mapped to 1627aca576282d36631b564debdfa648. This also looks correct (except for using MD5 in 2021, but that is another issue).
Interestingly, when I try to resolve these packages using the command xcodebuild -resolvePackageDependencies, things work without changing any known hosts. The same is true when I try to clone the repositories just using git. Doing ssh-keyscan github.com also returns the RSA public key, which SHA256 hashes and MD5 hashes to the expected values.
What I would ultimately like to achieve is resolving these packages from Xcode without trusting 7B99811E4C91A50D5A2E2E80133F24CA. Or at least confirming that 7B99811E4C91A50D5A2E2E80133F24CA is trustworthy before trusting it.
Any help would be appreciated, but I have two questions in particular:
- A possibility is that when resolving packages from the Xcode GUI, I am really not talking to github.com, but someone/thing else. How can I debug this? Is there some verbose mode where I can get more information? Something like what GIT_SSH_COMMAND="ssh -vvv" git clone example provides on the command line.
- Another possibility is that Xcode has somehow confused itself and is asking me to trust a wrongly constructed key fingerprint. Could this be the case?
Any other possible explanations?
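One way to settle the "which key is this hex string?" question offline, as an added example that is not part of the original post: the script below computes both fingerprint spellings (SHA256:base64 and MD5:xx:xx:...) from a public-key line exactly as ssh-keygen -l would, normalizes whatever spelling another tool shows (bare uppercase hex, with or without colons, with or without the MD5: prefix) and reports whether it denotes the same key. It uses only the Python standard library. The key line it is fed is assumed to come from ssh-keyscan -t rsa github.com or from ~/.ssh/known_hosts; when run without input it falls back to a constructed dummy key (not a real GitHub key) so it can be exercised anywhere. The file name fp.py in the usage comment is an assumption.

```python
"""Compute and compare SSH host-key fingerprints the way ssh-keygen -l does.

Added example, not part of the original post.  Usage:
    ssh-keyscan -t rsa github.com | python3 fp.py [FINGERPRINT_SHOWN_BY_OTHER_TOOL]
"""
from __future__ import annotations

import base64
import hashlib
import re
import sys


def parse_pubkey_line(line: str) -> tuple[str, bytes]:
    """Return (key_type, raw_key_blob) from an OpenSSH public-key line.

    Handles both "ssh-rsa AAAA... comment" and the known_hosts / ssh-keyscan
    layout "github.com ssh-rsa AAAA...".
    """
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field.startswith(("ssh-", "ecdsa-", "sk-")):
            blob = base64.b64decode(fields[i + 1], validate=True)
            # The wire-format blob begins with a length-prefixed copy of the key
            # type; a mismatch means the line was mangled or the type is wrong.
            n = int.from_bytes(blob[:4], "big")
            if blob[4:4 + n] != field.encode():
                raise ValueError("key blob does not match declared key type")
            return field, blob
    raise ValueError("no OpenSSH public key found in line")


def fingerprints(blob: bytes) -> dict[str, str]:
    """SHA256 and MD5 fingerprints of a raw key blob, in OpenSSH's spellings."""
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob).hexdigest()
    return {
        "SHA256": "SHA256:" + sha,
        "MD5": "MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
    }


def normalize_md5(text: str) -> str:
    """Bring any spelling of an MD5 fingerprint (bare hex, uppercase, with or
    without colons or the MD5: prefix) to OpenSSH's MD5:xx:xx:... form."""
    body = re.sub(r"^MD5:?", "", text.strip(), flags=re.IGNORECASE)
    hexdigits = re.sub(r"[^0-9a-f]", "", body.lower())
    if len(hexdigits) != 32:
        raise ValueError(f"not a 128-bit MD5 fingerprint: {text!r}")
    return "MD5:" + ":".join(hexdigits[i:i + 2] for i in range(0, 32, 2))


def same_key(shown: str, blob: bytes) -> bool:
    """True if a fingerprint shown by some tool (SHA256:... or any MD5
    spelling) refers to the given key blob."""
    fp = fingerprints(blob)
    shown = shown.strip()
    if shown.upper().startswith("SHA256:"):
        return shown[7:].rstrip("=") == fp["SHA256"][7:]
    return normalize_md5(shown) == fp["MD5"]


def build_sample_line() -> tuple[str, bytes]:
    """A constructed key line (NOT a real GitHub key) so the script can be run
    offline; the blob is just the type prefix plus a few dummy bytes."""
    blob = len(b"ssh-rsa").to_bytes(4, "big") + b"ssh-rsa" + b"\x00\x00\x00\x01\x03"
    return "github.com ssh-rsa " + base64.b64encode(blob).decode(), blob


if __name__ == "__main__":
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    lines = [ln for ln in raw.splitlines() if ln.strip() and not ln.startswith("#")]
    if not lines:
        lines = [build_sample_line()[0]]  # constructed fallback input
    for ln in lines:
        ktype, blob = parse_pubkey_line(ln)
        fp = fingerprints(blob)
        print(f"{ktype}: {fp['SHA256']}  {fp['MD5']}")
        if len(sys.argv) > 1:
            verdict = "matches" if same_key(sys.argv[1], blob) else "DOES NOT match"
            print(f"  shown fingerprint {sys.argv[1]} {verdict} this key")
```

The useful check is two-sided: first confirm that the SHA256 line printed for the scanned key equals the fingerprint GitHub publishes (that is the trust anchor; the MD5 form is only computed so it can be compared with tools that still display it), then pass the hex string from the dialog as the argument and see whether it denotes that same key. If the scanned key matches GitHub's published fingerprint but the dialog's value does not, the dialog is not describing the key your ssh client sees, which is exactly the situation the post is trying to distinguish from a simple display quirk.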