This repository has been archived by the owner on Dec 4, 2023. It is now read-only.

ssh-key-algo says "you're all set" but ssh fingerprinting still failing #12

Closed
ChristopherDrum opened this issue Nov 29, 2021 · 2 comments


@ChristopherDrum

I have two systems each running Xcode Server. Since around the 16th, both are unable to sense commits to repos and therefore do not trigger builds. When I investigate the server bot settings, I see the message that "SSH fingerprint could not be verified". I told both systems to trust the fingerprint, and all was good for one week. Then it happened again yesterday, and a colleague pointed me to the GitHub blog post: https://github.blog/2021-09-01-improving-git-protocol-security-github/

I rotated one system to ecdsa, and this morning I realized this ssh-key-algo script exists.
So I ran ssh-key-algo on the server that is yet to update and I'm told "You're using an RSA key with SHA-2 (algorithm rsa-sha2-512). You're all set!"
That is the same key type that was failing on both of my servers. The ecdsa system also tells me "You're all set!" but this morning I see that server encountered a fingerprint problem again after updating in accordance with the blog post.

I can't tell if this means that this script is giving me a false positive, or if there is something deeper wrong.

@tgummerer
Contributor

There are two things going on here. New host keys were added, which is where your "SSH fingerprint could not be verified" is most likely coming from. Because the host key changed, your ssh library is no longer happy with the fingerprint of the server key, and is thus erroring out.

This script on the other hand is about checking whether the key on your local system will still be accepted by the server, which seems to be the case.

I'm not sure which library you are using that is telling you "SSH fingerprint could not be verified" (a quick search for that exact error message didn't seem to turn up anything, so I'm not quite sure which one it is and it's hard to give specific advice), but you probably need to make sure that this library is accepting the new host keys.
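
A minimal model of the host-key check described in the reply above, as an added example that is not part of the original thread and not the logic of Xcode or any particular SSH library. It shows why a client that pinned only one host key type cannot verify a newly added one, independent of whether the user's own key is accepted. The host name and key blobs are constructed placeholders, and only plain (unhashed) `known_hosts` entries are handled.

```python
import base64
import hashlib
import struct

def make_blob(key_type, material):
    # Constructed stand-in for a public key blob: SSH wire string + filler bytes.
    name = key_type.encode()
    return base64.b64encode(struct.pack(">I", len(name)) + name + material).decode()

def fingerprint(blob):
    # Same form ssh-keygen -l prints: SHA-256 of the raw blob, unpadded base64.
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def pinned_keys(known_hosts, host):
    # Collect {key_type: blob} from plain (unhashed, unmarked) entries for host.
    pinned = {}
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue
        if host in fields[0].split(","):
            pinned[fields[1]] = fields[2]
    return pinned

def check_host_key(known_hosts, host, offered_type, offered_blob):
    # Classify the host key a server offers against what the client has pinned.
    pinned = pinned_keys(known_hosts, host)
    if not pinned:
        return "unknown-host"
    if offered_type not in pinned:
        return "new-key-type"      # server added a key the client never pinned
    if pinned[offered_type] == offered_blob:
        return "verified"
    return "mismatch"              # same type, different key: do not auto-trust

HOST = "git.example.test"  # hypothetical host name
OLD_RSA = make_blob("ssh-rsa", b"\x01" * 32)          # constructed, not a real key
NEW_ED25519 = make_blob("ssh-ed25519", b"\x02" * 32)  # constructed, not a real key
KNOWN_HOSTS = f"# constructed sample\n{HOST} ssh-rsa {OLD_RSA}\n"

if __name__ == "__main__":
    for ktype, blob in (("ssh-rsa", OLD_RSA), ("ssh-ed25519", NEW_ED25519)):
        print(ktype, fingerprint(blob), check_host_key(KNOWN_HOSTS, HOST, ktype, blob))
```

For a "new-key-type" or "mismatch" result, compare the printed fingerprint with the one the service publishes through a separate channel before pinning it.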

@ChristopherDrum
Author

@tgummerer Thank you for the information. The error is coming from within Xcode's GUI interface to the Xcode Server component. Presumably it is using whichever SSH comes with installing Xcode tools. Previously, I never had to think about this aspect of the process; it was just something Xcode Server handled automatically. I'm unclear why Xcode is unable to adapt to these new keys as gracefully as it did in the past. I'll push forward with this information, thank you.
