SSH host-key fingerprint pinning for well-known Git hosting services (FR-6, FR-7).
Gitway embeds the published SHA-256 fingerprints for GitHub, GitLab, and Codeberg. On every connection the server’s presented key is hashed and the resulting fingerprint is compared against the embedded list for that host. Any mismatch aborts the connection immediately.
§Custom / self-hosted instances
Fingerprints for any host not listed below can be added via a known_hosts-style file at ~/.config/gitway/known_hosts (FR-7).
Each non-comment line must follow the format:
hostname SHA256:<base64-encoded-fingerprint>
§Fingerprint sources
- GitHub: https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints
- GitLab: https://docs.gitlab.com/ee/user/gitlab_com/index.html#ssh-host-keys-fingerprints
- Codeberg: https://docs.codeberg.org/security/ssh-fingerprint/
Last verified: 2026-04-11
Structs§
- HostKeyTrust - Combined view of every known_hosts entry that bears on the connection target.
Enums§
- HashMode - Per-file format detected by detect_hash_mode. Drives whether gitway hosts add should emit a hashed or plaintext entry by default.
Constants§
- CODEBERG_FINGERPRINTS - Codeberg.org’s published SSH host-key fingerprints (SHA-256).
- DEFAULT_CODEBERG_HOST - Primary Codeberg SSH host.
- DEFAULT_GITHUB_HOST - Primary GitHub SSH host (FR-1).
- DEFAULT_GITLAB_HOST - Primary GitLab SSH host.
- DEFAULT_PORT - Default SSH port used by all providers.
- FALLBACK_HOST (Deprecated) - Alias for GITHUB_FALLBACK_HOST; retained so existing callers that reference the old name continue to compile.
- FALLBACK_PORT - HTTPS-port fallback for providers that support it (GitHub, GitLab).
- GITHUB_FALLBACK_HOST - Fallback GitHub SSH host when port 22 is unavailable (FR-1).
- GITHUB_FINGERPRINTS - GitHub’s published SSH host-key fingerprints (SHA-256, FR-6).
- GITLAB_FALLBACK_HOST - Fallback GitLab SSH host when port 22 is unavailable.
- GITLAB_FINGERPRINTS - GitLab.com’s published SSH host-key fingerprints (SHA-256).
Functions§
- all_embedded - Returns the embedded fingerprint catalogue as (host, fingerprint, algorithm) triples for surfacing in gitway hosts list.
- append_known_host - Appends host SHA256:<fingerprint> as a new plaintext line to the known_hosts file at path, creating the file (and any missing parent directories) if needed.
- append_known_host_hashed - Appends |1|<base64-salt>|<base64-hmac-sha1> SHA256:<fingerprint> to the known_hosts file at path, generating a fresh 20-byte random salt for this entry.
- default_known_hosts_path - Returns the default known-hosts path: ~/.config/gitway/known_hosts (or the platform-equivalent dirs::config_dir() location).
- detect_hash_mode - Inspects the existing known_hosts file at path and decides whether new entries should be hashed (matches OpenSSH’s HashKnownHosts yes behaviour) or plaintext.
- fingerprints_for_host - Collects all expected fingerprints for host.
- host_key_trust - Returns the HostKeyTrust for host, combining the embedded fingerprint set, any direct pins / @cert-authority / @revoked lines from the user-supplied or default known_hosts file, and pattern-matching for the cert-authority + revoked classes.
- prepend_revoked - Prepends @revoked <host_pattern> <fingerprint> to the known_hosts file at path, atomically via a sibling tempfile + rename. Creates the file (and missing parents) if it does not yet exist.
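
The plaintext hostname SHA256:<fingerprint> lines and the @revoked entries described above can be evaluated together as in the following added example, which is not Gitway's own code. All names are hypothetical. Assumptions: a host pattern is either an exact name or "*", a revoked fingerprint overrides any pin (modelled on OpenSSH), and hashed or @cert-authority lines are skipped.

```rust
// Added illustration, not Gitway's code; every name below is hypothetical.
#[derive(Debug, PartialEq)]
enum Verdict { Trusted, Mismatch, Revoked, Unknown }

// Assumption: a host pattern is an exact hostname or the wildcard "*".
fn pattern_matches(pattern: &str, host: &str) -> bool {
    pattern == "*" || pattern.eq_ignore_ascii_case(host)
}

/// Parses known_hosts-style text; returns (pins, revoked) that apply to `host`.
fn parse_known_hosts(text: &str, host: &str) -> (Vec<String>, Vec<String>) {
    let (mut pins, mut revoked) = (Vec::new(), Vec::new());
    for line in text.lines().map(str::trim) {
        if line.is_empty() || line.starts_with('#') { continue; }
        let fields: Vec<&str> = line.split_whitespace().collect();
        match fields.as_slice() {
            ["@revoked", pat, fp] if fp.starts_with("SHA256:") => {
                if pattern_matches(pat, host) { revoked.push(fp.to_string()); }
            }
            // Other markers and hashed "|1|..." names are skipped here:
            // matching a hashed name needs HMAC-SHA1, which std lacks.
            [name, fp] if !name.starts_with('@') && !name.starts_with('|')
                && fp.starts_with("SHA256:") => {
                if name.eq_ignore_ascii_case(host) { pins.push(fp.to_string()); }
            }
            _ => {} // malformed line: ignored, never counted as a pin
        }
    }
    (pins, revoked)
}

/// `embedded` stands in for a built-in (host, fingerprint) list.
fn decide(embedded: &[(&str, &str)], file: &str, host: &str, presented: &str) -> Verdict {
    let (mut pins, revoked) = parse_known_hosts(file, host);
    pins.extend(embedded.iter().filter(|(h, _)| *h == host).map(|(_, fp)| fp.to_string()));
    // Assumption: revocation beats any pin, as in OpenSSH.
    if revoked.iter().any(|fp| fp == presented) { return Verdict::Revoked; }
    // No pin at all: the caller should refuse to connect.
    if pins.is_empty() { return Verdict::Unknown; }
    if pins.iter().any(|fp| fp == presented) { Verdict::Trusted } else { Verdict::Mismatch }
}

// Constructed sample data; the fingerprints are placeholders, not real keys.
const EMBEDDED: &[(&str, &str)] = &[("forge.example", "SHA256:EMBEDDED-PLACEHOLDER")];
const FILE: &str = "# comment\ngit.internal.example SHA256:PIN-PLACEHOLDER\n@revoked * SHA256:OLD-PLACEHOLDER\ngit.internal.example SHA256:OLD-PLACEHOLDER\nbroken-line\n";

fn main() {
    println!("{:?}", decide(EMBEDDED, FILE, "git.internal.example", "SHA256:PIN-PLACEHOLDER"));
}
```

The sample file pins SHA256:OLD-PLACEHOLDER and also revokes it, so presenting that fingerprint yields Revoked rather than Trusted.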