From 483f357f2b7659f647134d5f1ed5b3a2cb548d11 Mon Sep 17 00:00:00 2001
From: "Joshua M. Boniface"
Date: Sun, 31 Oct 2021 02:24:28 -0400
Subject: [PATCH] Improve handling of SSH host keys
1. Use StrictHostKeyChecking=accept-new to implicitly accept new SSH host keys, preventing us from having to do this manually.
2. Use VerifyHostKeyDNS=yes to allow verification of DNSSEC-signed SSHFP records, if available.
---
 bbuilder/lib/worker.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bbuilder/lib/worker.py b/bbuilder/lib/worker.py
index 9f1dac9..bd8d775 100644
--- a/bbuilder/lib/worker.py
+++ b/bbuilder/lib/worker.py
@@ -99,7 +99,7 @@ def clone_repository(clone_url, config):
 print(f"Cloning repository...")
 if config['ssh_key'] is not None:
 ssh_key_file = config['ssh_key']
- os.environ['GIT_SSH_COMMAND'] = f'ssh -i {ssh_key_file} -o IdentitiesOnly=yes'
+ os.environ['GIT_SSH_COMMAND'] = f'ssh -i {ssh_key_file} -o IdentitiesOnly=yes -o StrictHostKeyChecking=accept-new -o VerifyHostKeyDNS=yes'
 os.system(f'git clone {clone_url} repo')
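Review bot: On the added `GIT_SSH_COMMAND` line, `StrictHostKeyChecking=accept-new` is trust-on-first-use, so a worker that starts with an empty `known_hosts` (a fresh container or build host) accepts whatever key the first connection presents, and `VerifyHostKeyDNS=yes` only adds assurance when SSHFP records exist and the resolver's DNSSEC validation can be trusted. If the builders are ephemeral, consider shipping a pre-seeded known-hosts file and pointing ssh at it, e.g. `-o UserKnownHostsFile=<provisioned known_hosts path>` (placeholder path), so that first contact is verified as well. Separately, the line still interpolates `ssh_key_file` unquoted into a string that git hands to the shell; `shlex.quote(ssh_key_file)` would keep a path containing spaces or shell metacharacters from altering the command, and the same applies to `clone_url` in the `os.system` context line if that value can originate outside the builder. The body of `clone_repository` starts before this hunk, so how `config` and `clone_url` are populated is not visible here.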