From 23561ad34ab5cbe4412b48ce3a9cf0c3c9f8c74c Mon Sep 17 00:00:00 2001
From: Bryson Steck
Date: Thu, 6 Mar 2025 20:35:40 -0700
Subject: [PATCH] show hash of untrusted hosts
---
 package.Dockerfile | 2 +-
 src/refractr.rs | 10 +++++++++-
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/package.Dockerfile b/package.Dockerfile
index 05ffa57..5bc1dc6 100644
--- a/package.Dockerfile
+++ b/package.Dockerfile
@@ -10,7 +10,7 @@ RUN cargo build --release
 RUN cargo install --locked --path .
 RUN groupadd -g $GID refractr
-RUN useradd -u $UID -g $GID -MN refractr
+RUN useradd -u $UID -g $GID -mN refractr
 RUN mkdir /etc/refractr && chown refractr:refractr /etc/refractr
 USER refractr
diff --git a/src/refractr.rs b/src/refractr.rs
index cf46d7b..cdf4eae 100644
--- a/src/refractr.rs
+++ b/src/refractr.rs
@@ -1,5 +1,5 @@
 use git2::build::CheckoutBuilder;
-use git2::{Cred, PushOptions, RemoteCallbacks, Repository};
+use git2::{CertificateCheckStatus, Cred, PushOptions, RemoteCallbacks, Repository};
 use sha2::{Sha256, Digest};
 use crate::common;
@@ -124,6 +124,14 @@ impl Refractr {
 common::verbose(self.verbose, 1, format!("Pushing to remote: {}", remote.url().unwrap()));
 let mut callbacks = RemoteCallbacks::new();
 callbacks.credentials(|_,_,_| Cred::ssh_key("git", None, &Path::new(&cfg.git.ssh_identity_file), None));
+callbacks.certificate_check(|cert, url| {
+ let mut sha256 = String::new();
+ for i in cert.as_hostkey().unwrap().hash_sha256().unwrap().to_vec() {
+ sha256.push_str(&hex::encode(i.to_string()));
+ }
+ eprintln!("warning: trusting unknown host {} with sha256 host key {}", url, hex::encode(cert.as_hostkey().unwrap().hash_sha256().unwrap().to_vec()));
+ Ok(CertificateCheckStatus::CertificateOk)
+ });
 let mut push_options = PushOptions::new();
 push_options.remote_callbacks(callbacks);
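Review bot: The `-M` → `-m` flip on the `useradd` line gives the refractr user a real home directory, which the subject line ("show hash of untrusted hosts") does not mention, so a later reader may treat it as accidental and revert it. If the intent is for libssh2 to find `~/.ssh/known_hosts` there alongside the new host-key callback, say so in the Dockerfile, e.g. `# -m: create /home/refractr so ~/.ssh/known_hosts can be provided to the git push`. That is my reading of the combined patch; the Dockerfile hunk itself does not show what the home directory is for.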
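Review bot: The new `certificate_check` closure returns `CertificateCheckStatus::CertificateOk` unconditionally, so every SSH host key is accepted — including one that differs from the entry in known_hosts, which is the man-in-the-middle case host-key checking exists for — whereas before this hunk no callback was installed and libgit2's own verification decided; the "trusting unknown host" warning is likewise printed for hosts that are already known. I would log the fingerprint but leave the verdict to libgit2 by returning `CertificateCheckStatus::CertificatePassthrough` (if I read git2's docs right, that defers to its default known_hosts check, so an unknown host still fails and the operator gets the printed hash to add), or compare the hash against a pinned value and return an `Err` on mismatch. The `sha256` string built in the `for` loop is never used, and `hex::encode(i.to_string())` hex-encodes the decimal text of each byte rather than the byte, so that loop can go; `as_hostkey().unwrap()` will also panic for a non-SSH remote, where `as_hostkey()` is `None`, and `hash_sha256()` is documented as optional. The hunk header counts one more old-side line than is visible here, and the enclosing method begins and ends outside the hunk.

```rust
        // … unchanged: credentials callback …
        callbacks.certificate_check(|cert, url| {
            // Only SSH remotes carry a host key; for anything else keep libgit2's own verdict.
            let hostkey = match cert.as_hostkey() {
                Some(hostkey) => hostkey,
                None => return Ok(CertificateCheckStatus::CertificatePassthrough),
            };
            match hostkey.hash_sha256() {
                Some(hash) => eprintln!("warning: host {} presented sha256 host key {}", url, hex::encode(hash)),
                None => eprintln!("warning: host {} presented a host key with no sha256 fingerprint available", url),
            }
            // Passthrough keeps libgit2's known_hosts check authoritative. Returning
            // CertificateOk here would accept any key, including a changed one.
            Ok(CertificateCheckStatus::CertificatePassthrough)
        });
        // … unchanged: push_options setup …
```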