fix: pin SSH host key via known_hosts instead of StrictHostKeyChecking=no (#161)

- Add knownHosts *dagger.Secret parameter to Deployer(), DeployLinux(),
  DeployApk(), PublishWebsite(), BuildWebsite(), GenerateBuildHistory()
- Mount SSH_KNOWN_HOSTS secret at /root/.ssh/known_hosts (mode 0644) in
  both the Deployer container and the GenerateBuildHistory container
- Remove all -o StrictHostKeyChecking=no flags from ssh/scp/rsync calls
  in ci/main.go and scripts/generate_build_history.py
- Update Taskfile dagger tasks (deploy-linux, deploy-apk, publish-website)
  to require SSH_KNOWN_HOSTS and pass --known-hosts env:SSH_KNOWN_HOSTS
- Fix non-Dagger Taskfile tasks to write SSH_KNOWN_HOSTS to ~/.ssh/known_hosts
- Fix .forgejo/workflows/deploy.yml to pass SSH_KNOWN_HOSTS secret
- Fix .github/workflows/ci.yml SSH setup step to write known_hosts file

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.forgejo/workflows/deploy.yml

@@ -156,6 +156,7 @@ jobs:
         if: ${{ secrets.SSH_PRIVATE_KEY != '' }}
         env:
           SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
+          SSH_KNOWN_HOSTS: ${{ secrets.SSH_KNOWN_HOSTS }}
           SSH_USER: ${{ secrets.SSH_USER }}
           SSH_HOST: ${{ secrets.SSH_HOST }}
           ANDROID_KEYSTORE_BASE64: ${{ secrets.ANDROID_KEYSTORE_BASE64 }}
@@ -197,6 +198,7 @@ jobs:
         if: ${{ secrets.SSH_PRIVATE_KEY != '' }}
         env:
           SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
+          SSH_KNOWN_HOSTS: ${{ secrets.SSH_KNOWN_HOSTS }}
           SSH_USER: ${{ secrets.SSH_USER }}
           SSH_HOST: ${{ secrets.SSH_HOST }}
           DAGGER_NO_NAG: "1"
@@ -238,6 +240,7 @@ jobs:
         if: ${{ secrets.SSH_PRIVATE_KEY != '' }}
         env:
           SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
+          SSH_KNOWN_HOSTS: ${{ secrets.SSH_KNOWN_HOSTS }}
           SSH_USER: ${{ secrets.SSH_USER }}
           SSH_HOST: ${{ secrets.SSH_HOST }}
           DAGGER_NO_NAG: "1"

.github/workflows/ci.yml

@@ -202,6 +202,8 @@ jobs:
           mkdir -p ~/.ssh
           printf '%s\n' "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_ed25519
           chmod 600 ~/.ssh/id_ed25519
+          printf '%s\n' "${{ secrets.SSH_KNOWN_HOSTS }}" >> ~/.ssh/known_hosts
+          chmod 644 ~/.ssh/known_hosts
 
       - name: Build Linux release
         run: |
@@ -215,20 +217,20 @@ jobs:
           REMOTE_DIR="public_html/builds/$DATE_PATH"
           TARBALL="sharedinbox-linux-amd64-$HASH.tar.gz"
           tar -czf /tmp/$TARBALL -C build/linux/x64/release bundle
-          ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "mkdir -p $REMOTE_DIR"
+          ssh "$SSH_USER@$SSH_HOST" "mkdir -p $REMOTE_DIR"
-          scp -o StrictHostKeyChecking=no /tmp/$TARBALL "$SSH_USER@$SSH_HOST:$REMOTE_DIR/$TARBALL"
+          scp /tmp/$TARBALL "$SSH_USER@$SSH_HOST:$REMOTE_DIR/$TARBALL"
           DOWNLOAD_URL="https://sharedinbox.de/builds/$DATE_PATH/$TARBALL"
-          EXISTING=$(ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" \
+          EXISTING=$(ssh "$SSH_USER@$SSH_HOST" \
             "cat public_html/latest.json 2>/dev/null || echo '{}'")
           WINDOWS_URL=$(echo "$EXISTING" | \
             python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('windows',''))" \
             2>/dev/null || true)
           if [ -n "$WINDOWS_URL" ]; then
             echo "{\"version\":\"$HASH\",\"linux\":\"$DOWNLOAD_URL\",\"windows\":\"$WINDOWS_URL\"}" | \
-              ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
+              ssh "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
           else
             echo "{\"version\":\"$HASH\",\"linux\":\"$DOWNLOAD_URL\"}" | \
-              ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
+              ssh "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
           fi
 
       - name: Generate build history pages
@@ -244,6 +246,5 @@ jobs:
           rsync -avz --delete \
             --exclude='*.apk' \
             --exclude='*.tar.gz' \
-            -e "ssh -o StrictHostKeyChecking=no" \
             website/public/ \
             "$SSH_USER@$SSH_HOST:public_html/"

Taskfile.yml

@@ -215,8 +215,10 @@ tasks:
     preconditions:
       - sh: test -n "$SSH_PRIVATE_KEY"
         msg: "SSH_PRIVATE_KEY is not set"
+      - sh: test -n "$SSH_KNOWN_HOSTS"
+        msg: "SSH_KNOWN_HOSTS is not set"
     cmds:
-      - HASH=$(git rev-parse --short HEAD) && dagger call --progress=plain -q -m ci --source=. deploy-linux --ssh-key env:SSH_PRIVATE_KEY --ssh-user "$SSH_USER" --ssh-host "$SSH_HOST" --commit-hash "$HASH"
+      - HASH=$(git rev-parse --short HEAD) && dagger call --progress=plain -q -m ci --source=. deploy-linux --ssh-key env:SSH_PRIVATE_KEY --known-hosts env:SSH_KNOWN_HOSTS --ssh-user "$SSH_USER" --ssh-host "$SSH_HOST" --commit-hash "$HASH"
 
   build-android-bundle:
     desc: Build AAB via Dagger (cached, versionCode=1 placeholder) and export locally
@@ -251,17 +253,24 @@ tasks:
     preconditions:
       - sh: test -n "$SSH_PRIVATE_KEY"
         msg: "SSH_PRIVATE_KEY is not set"
+      - sh: test -n "$SSH_KNOWN_HOSTS"
+        msg: "SSH_KNOWN_HOSTS is not set"
       - sh: test -n "$ANDROID_KEYSTORE_BASE64"
         msg: "ANDROID_KEYSTORE_BASE64 is not set"
       - sh: test -n "$ANDROID_KEYSTORE_PASSWORD"
         msg: "ANDROID_KEYSTORE_PASSWORD is not set"
     cmds:
-      - HASH=$(git rev-parse --short HEAD) && dagger call --progress=plain -q -m ci --source=. deploy-apk --ssh-key env:SSH_PRIVATE_KEY --ssh-user "$SSH_USER" --ssh-host "$SSH_HOST" --commit-hash "$HASH" --keystore-base64 env:ANDROID_KEYSTORE_BASE64 --keystore-password env:ANDROID_KEYSTORE_PASSWORD --build-number "$(git log -1 --format=%ct HEAD)"
+      - HASH=$(git rev-parse --short HEAD) && dagger call --progress=plain -q -m ci --source=. deploy-apk --ssh-key env:SSH_PRIVATE_KEY --known-hosts env:SSH_KNOWN_HOSTS --ssh-user "$SSH_USER" --ssh-host "$SSH_HOST" --commit-hash "$HASH" --keystore-base64 env:ANDROID_KEYSTORE_BASE64 --keystore-password env:ANDROID_KEYSTORE_PASSWORD --build-number "$(git log -1 --format=%ct HEAD)"
 
   publish-website:
     desc: Build and publish website via Dagger
+    preconditions:
+      - sh: test -n "$SSH_PRIVATE_KEY"
+        msg: "SSH_PRIVATE_KEY is not set"
+      - sh: test -n "$SSH_KNOWN_HOSTS"
+        msg: "SSH_KNOWN_HOSTS is not set"
     cmds:
-      - dagger call --progress=plain -q -m ci --source=. publish-website --ssh-key file:$HOME/.ssh/id_ed25519 --ssh-user "$SSH_USER" --ssh-host "$SSH_HOST"
+      - dagger call --progress=plain -q -m ci --source=. publish-website --ssh-key env:SSH_PRIVATE_KEY --known-hosts env:SSH_KNOWN_HOSTS --ssh-user "$SSH_USER" --ssh-host "$SSH_HOST"
 
   check-dagger:
     desc: Run full check suite via Dagger (with OTEL timing report if python3 is available)
@@ -373,25 +382,29 @@ tasks:
         msg: "SSH_USER is not set"
       - sh: test -n "$SSH_HOST"
         msg: "SSH_HOST is not set"
+      - sh: test -n "$SSH_KNOWN_HOSTS"
+        msg: "SSH_KNOWN_HOSTS is not set"
     cmds:
       - |
+        mkdir -p ~/.ssh
+        printf '%s\n' "$SSH_KNOWN_HOSTS" >> ~/.ssh/known_hosts
         HASH=$(git rev-parse --short HEAD)
         DATE_PATH=$(date -u +%Y/%m/%d)
         REMOTE_DIR="public_html/builds/$DATE_PATH"
         TARBALL="sharedinbox-linux-amd64-$HASH.tar.gz"
         tar -czf /tmp/$TARBALL -C build/linux/x64/release bundle
-        ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "mkdir -p $REMOTE_DIR"
+        ssh "$SSH_USER@$SSH_HOST" "mkdir -p $REMOTE_DIR"
-        scp -o StrictHostKeyChecking=no /tmp/$TARBALL "$SSH_USER@$SSH_HOST:$REMOTE_DIR/$TARBALL"
+        scp /tmp/$TARBALL "$SSH_USER@$SSH_HOST:$REMOTE_DIR/$TARBALL"
         DOWNLOAD_URL="https://sharedinbox.de/builds/$DATE_PATH/$TARBALL"
         # Merge with any existing latest.json so we don't overwrite the windows key
-        EXISTING=$(ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "cat public_html/latest.json 2>/dev/null || echo '{}'")
+        EXISTING=$(ssh "$SSH_USER@$SSH_HOST" "cat public_html/latest.json 2>/dev/null || echo '{}'")
         WINDOWS_URL=$(echo "$EXISTING" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('windows',''))" 2>/dev/null || true)
         if [ -n "$WINDOWS_URL" ]; then
           echo "{\"version\":\"$HASH\",\"linux\":\"$DOWNLOAD_URL\",\"windows\":\"$WINDOWS_URL\"}" | \
-            ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
+            ssh "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
         else
           echo "{\"version\":\"$HASH\",\"linux\":\"$DOWNLOAD_URL\"}" | \
-            ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
+            ssh "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
         fi
         echo "Uploaded $TARBALL and updated latest.json"
 
@@ -416,24 +429,28 @@ tasks:
         msg: "SSH_USER is not set"
       - sh: test -n "$SSH_HOST"
         msg: "SSH_HOST is not set"
+      - sh: test -n "$SSH_KNOWN_HOSTS"
+        msg: "SSH_KNOWN_HOSTS is not set"
     cmds:
       - |
+        mkdir -p ~/.ssh
+        printf '%s\n' "$SSH_KNOWN_HOSTS" >> ~/.ssh/known_hosts
         HASH=$(git rev-parse --short HEAD)
         DATE_PATH=$(date -u +%Y/%m/%d)
         REMOTE_DIR="public_html/builds/$DATE_PATH"
         ZIPFILE="sharedinbox-windows-x64-$HASH.zip"
         cd build/windows/x64/runner && zip -r /tmp/$ZIPFILE Release/ && cd -
-        ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "mkdir -p $REMOTE_DIR"
+        ssh "$SSH_USER@$SSH_HOST" "mkdir -p $REMOTE_DIR"
-        scp -o StrictHostKeyChecking=no /tmp/$ZIPFILE "$SSH_USER@$SSH_HOST:$REMOTE_DIR/$ZIPFILE"
+        scp /tmp/$ZIPFILE "$SSH_USER@$SSH_HOST:$REMOTE_DIR/$ZIPFILE"
         DOWNLOAD_URL="https://sharedinbox.de/builds/$DATE_PATH/$ZIPFILE"
-        EXISTING=$(ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "cat public_html/latest.json 2>/dev/null || echo '{}'")
+        EXISTING=$(ssh "$SSH_USER@$SSH_HOST" "cat public_html/latest.json 2>/dev/null || echo '{}'")
         LINUX_URL=$(echo "$EXISTING" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('linux',''))" 2>/dev/null || true)
         if [ -n "$LINUX_URL" ]; then
           echo "{\"version\":\"$HASH\",\"linux\":\"$LINUX_URL\",\"windows\":\"$DOWNLOAD_URL\"}" | \
-            ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
+            ssh "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
         else
           echo "{\"version\":\"$HASH\",\"windows\":\"$DOWNLOAD_URL\"}" | \
-            ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
+            ssh "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
         fi
         echo "Uploaded $ZIPFILE and updated latest.json"
 
@@ -583,14 +600,18 @@ tasks:
         msg: "SSH_USER is not set"
       - sh: test -n "$SSH_HOST"
         msg: "SSH_HOST is not set"
+      - sh: test -n "$SSH_KNOWN_HOSTS"
+        msg: "SSH_KNOWN_HOSTS is not set"
     cmds:
       - |
+        mkdir -p ~/.ssh
+        printf '%s\n' "$SSH_KNOWN_HOSTS" >> ~/.ssh/known_hosts
         HASH=$(git rev-parse --short HEAD)
         DATE_PATH=$(date -u +%Y/%m/%d)
         REMOTE_DIR="public_html/builds/$DATE_PATH"
         APK_NAME="sharedinbox-mua-$HASH.apk"
-        ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "mkdir -p $REMOTE_DIR"
+        ssh "$SSH_USER@$SSH_HOST" "mkdir -p $REMOTE_DIR"
-        scp -o StrictHostKeyChecking=no \
+        scp \
           build/app/outputs/flutter-apk/app-release.apk \
           "$SSH_USER@$SSH_HOST:$REMOTE_DIR/$APK_NAME"
         echo "Uploaded $APK_NAME to $REMOTE_DIR"
@@ -619,12 +640,16 @@ tasks:
   website-deploy:
     desc: Deploy the website via rsync to public_html
     deps: [website-build]
+    preconditions:
+      - sh: test -n "$SSH_KNOWN_HOSTS"
+        msg: "SSH_KNOWN_HOSTS is not set"
     cmds:
       - |
+        mkdir -p ~/.ssh
+        printf '%s\n' "$SSH_KNOWN_HOSTS" >> ~/.ssh/known_hosts
         rsync -avz --delete \
           --exclude='*.apk' \
           --exclude='*.tar.gz' \
-          -e "ssh -o StrictHostKeyChecking=no" \
           website/public/ \
           ${SSH_USER}@${SSH_HOST}:public_html/
 

ci/main.go

@@ -318,12 +318,13 @@ func (m *Ci) Hugo() *dagger.Container {
 }
 
 // Deploy container for rsync/ssh
-func (m *Ci) Deployer(sshKey *dagger.Secret) *dagger.Container {
+func (m *Ci) Deployer(sshKey *dagger.Secret, knownHosts *dagger.Secret) *dagger.Container {
 	return dag.Container().
 		From("alpine:3.21").
 		WithExec([]string{"apk", "--no-cache", "add", "rsync", "openssh-client", "python3", "tar"}).
 		WithMountedSecret("/root/.ssh/id_ed25519", sshKey, dagger.ContainerWithMountedSecretOpts{Mode: 0600}).
-		WithEnvVariable("RSYNC_RSH", "ssh -o StrictHostKeyChecking=no -i /root/.ssh/id_ed25519")
+		WithMountedSecret("/root/.ssh/known_hosts", knownHosts, dagger.ContainerWithMountedSecretOpts{Mode: 0644}).
+		WithEnvVariable("RSYNC_RSH", "ssh -i /root/.ssh/id_ed25519")
 }
 
 // Stalwart mail server service for backend and integration tests.
@@ -514,6 +515,7 @@ func (m *Ci) Check(ctx context.Context) (string, error) {
 func (m *Ci) GenerateBuildHistory(
 	ctx context.Context,
 	sshKey *dagger.Secret,
+	knownHosts *dagger.Secret,
 	sshUser string,
 	sshHost string,
 ) *dagger.Directory {
@@ -525,7 +527,7 @@ func (m *Ci) GenerateBuildHistory(
 		From("python:3.12-alpine").
 		WithExec([]string{"apk", "add", "--no-cache", "openssh-client"}).
 		WithMountedSecret("/root/.ssh/id_ed25519", sshKey, dagger.ContainerWithMountedSecretOpts{Mode: 0600}).
-		WithExec([]string{"chmod", "700", "/root/.ssh"}).
+		WithMountedSecret("/root/.ssh/known_hosts", knownHosts, dagger.ContainerWithMountedSecretOpts{Mode: 0644}).
 		WithEnvVariable("SSH_USER", sshUser).
 		WithEnvVariable("SSH_HOST", sshHost).
 		WithDirectory("/src", scriptSource).
@@ -538,10 +540,11 @@ func (m *Ci) GenerateBuildHistory(
 func (m *Ci) BuildWebsite(
 	ctx context.Context,
 	sshKey *dagger.Secret,
+	knownHosts *dagger.Secret,
 	sshUser string,
 	sshHost string,
 ) *dagger.Directory {
-	buildHistory := m.GenerateBuildHistory(ctx, sshKey, sshUser, sshHost)
+	buildHistory := m.GenerateBuildHistory(ctx, sshKey, knownHosts, sshUser, sshHost)
 
 	websiteSource := m.Source.Filter(dagger.DirectoryFilterOpts{
 		Include: []string{"website/"},
@@ -558,12 +561,13 @@ func (m *Ci) BuildWebsite(
 func (m *Ci) PublishWebsite(
 	ctx context.Context,
 	sshKey *dagger.Secret,
+	knownHosts *dagger.Secret,
 	sshUser string,
 	sshHost string,
 ) (string, error) {
-	public := m.BuildWebsite(ctx, sshKey, sshUser, sshHost)
+	public := m.BuildWebsite(ctx, sshKey, knownHosts, sshUser, sshHost)
 
-	return m.Deployer(sshKey).
+	return m.Deployer(sshKey, knownHosts).
 		WithDirectory("/public", public).
 		WithExec([]string{"rsync", "-avz", "--delete",
 			"--exclude=*.apk", "--exclude=*.tar.gz",
@@ -589,6 +593,7 @@ func (m *Ci) BuildLinuxRelease() *dagger.Directory {
 func (m *Ci) DeployLinux(
 	ctx context.Context,
 	sshKey *dagger.Secret,
+	knownHosts *dagger.Secret,
 	sshUser string,
 	sshHost string,
 	commitHash string,
@@ -599,11 +604,11 @@ func (m *Ci) DeployLinux(
 	remoteDir := fmt.Sprintf("public_html/builds/%s", datePath)
 	tarball := fmt.Sprintf("sharedinbox-linux-amd64-%s.tar.gz", commitHash)
 
-	return m.Deployer(sshKey).
+	return m.Deployer(sshKey, knownHosts).
 		WithDirectory("/bundle", bundle).
 		WithExec([]string{"/bin/sh", "-c", fmt.Sprintf("tar -czf /tmp/%s -C /bundle .", tarball)}).
-		WithExec([]string{"ssh", "-o", "StrictHostKeyChecking=no", "-i", "/root/.ssh/id_ed25519", fmt.Sprintf("%s@%s", sshUser, sshHost), fmt.Sprintf("mkdir -p %s", remoteDir)}).
+		WithExec([]string{"ssh", "-i", "/root/.ssh/id_ed25519", fmt.Sprintf("%s@%s", sshUser, sshHost), fmt.Sprintf("mkdir -p %s", remoteDir)}).
-		WithExec([]string{"/bin/sh", "-c", fmt.Sprintf("scp -o StrictHostKeyChecking=no -i /root/.ssh/id_ed25519 /tmp/%s %s@%s:%s/%s", tarball, sshUser, sshHost, remoteDir, tarball)}).
+		WithExec([]string{"/bin/sh", "-c", fmt.Sprintf("scp -i /root/.ssh/id_ed25519 /tmp/%s %s@%s:%s/%s", tarball, sshUser, sshHost, remoteDir, tarball)}).
 		Stdout(ctx)
 }
 
@@ -626,6 +631,7 @@ func (m *Ci) BuildAndroidApk(keystoreBase64 *dagger.Secret, keystorePassword *da
 func (m *Ci) DeployApk(
 	ctx context.Context,
 	sshKey *dagger.Secret,
+	knownHosts *dagger.Secret,
 	sshUser string,
 	sshHost string,
 	commitHash string,
@@ -639,10 +645,10 @@ func (m *Ci) DeployApk(
 	remoteDir := fmt.Sprintf("public_html/builds/%s", datePath)
 	apkName := fmt.Sprintf("sharedinbox-mua-%s.apk", commitHash)
 
-	return m.Deployer(sshKey).
+	return m.Deployer(sshKey, knownHosts).
 		WithFile("/tmp/app.apk", apk).
-		WithExec([]string{"ssh", "-o", "StrictHostKeyChecking=no", "-i", "/root/.ssh/id_ed25519", fmt.Sprintf("%s@%s", sshUser, sshHost), fmt.Sprintf("mkdir -p %s", remoteDir)}).
+		WithExec([]string{"ssh", "-i", "/root/.ssh/id_ed25519", fmt.Sprintf("%s@%s", sshUser, sshHost), fmt.Sprintf("mkdir -p %s", remoteDir)}).
-		WithExec([]string{"/bin/sh", "-c", fmt.Sprintf("scp -o StrictHostKeyChecking=no -i /root/.ssh/id_ed25519 /tmp/app.apk %s@%s:%s/%s", sshUser, sshHost, remoteDir, apkName)}).
+		WithExec([]string{"/bin/sh", "-c", fmt.Sprintf("scp -i /root/.ssh/id_ed25519 /tmp/app.apk %s@%s:%s/%s", sshUser, sshHost, remoteDir, apkName)}).
 		Stdout(ctx)
 }
 

scripts/generate_build_history.py

@@ -33,9 +33,6 @@ def list_remote_files(ssh_user: str, ssh_host: str, pattern: str) -> list[str]:
     result = subprocess.run(
         [
             "ssh",
-            "-v",
-            "-o", "StrictHostKeyChecking=no",
-            "-i", "/root/.ssh/id_ed25519",
             f"{ssh_user}@{ssh_host}",
             f"find {REMOTE_BUILDS_DIR} -name '{pattern}' -type f | sort",
         ],