If you are using GitKraken versions 7.6.x, 7.7.x, or 8.0.0, this article explains what steps you can take to maintain secure SSH key connections to remote repositories on GitHub, GitLab, Bitbucket, and Azure DevOps.
How to Fix the Weak SSH Key Issue
This issue only affects GitKraken users who generated SSH keys through the GitKraken interface using versions 7.6.x, 7.7.x, 8.0.0. If you are not sure what version you used to generate your SSH key, we encourage you to renew your key through the following process.
Affected users need to:
1. Remove all old GitKraken-generated SSH keys stored locally.
2. Generate new SSH keys using GitKraken 8.0.1, or later, for each of your Git service providers.
Follow these instructions to generate and connect an SSH key in GitKraken for:
If you have any questions or concerns, please contact our support team at email@example.com.
More Information About the Issue
In late September, the GitKraken team discovered a flaw in the open source SSH key generation library that was implemented in versions 7.6.x, 7.7.x, 8.0.0, released between 5/12/21 and 9/27/21. This flaw resulted in a weaker form of public SSH keys being created. Weak keys are created with low entropy, meaning there is a higher probability of key duplication.
The GitKraken engineering team has fixed this issue as of version 8.0.1 by replacing the previous SSH key generation library with a new one. Note: Users who have upgraded to version 8.0.1 or later will still need to replace their GitKraken generated keys if they were generated in the affected versions.
The team also contacted Git hosting service providers GitHub, Bitbucket, GitLab, and Azure DevOps to alert them to the issue. Working closely with all of these providers, we invalidated the weak public keys that were in use. Where possible, the affected keys are now permanently blocked by the Git hosting service providers.
We will continue to work toward the highest security standards possible for all of our users.