From 938365913b3a691afe0ffc463588a79402332deb Mon Sep 17 00:00:00 2001
From: ywcheong
Date: Wed, 1 Apr 2026 10:19:54 +0900
Subject: [PATCH] =?UTF-8?q?fix:=20MITM=20=EC=98=88=EB=B0=A9=EC=9D=84=20?=
 =?UTF-8?q?=EC=9C=84=ED=95=B4=20SSH=20keyscan=20=EB=8C=80=EC=8B=A0=20?=
 =?UTF-8?q?=EC=82=AC=EC=A0=84=20=ED=82=A4=20=EC=A3=BC=EC=9E=85=EC=9C=BC?=
 =?UTF-8?q?=EB=A1=9C=20=EB=B3=80=EA=B2=BD?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .github/actions/deploy-to-ec2/action.yml | 7 +++++--
 .github/workflows/cd.yml | 1 +
 .github/workflows/init.yml | 1 +
 deploy/init.sh | 7 +++++++
 gradle.properties | 2 +-
 5 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/.github/actions/deploy-to-ec2/action.yml b/.github/actions/deploy-to-ec2/action.yml
index 16def30..f82ad30 100644
--- a/.github/actions/deploy-to-ec2/action.yml
+++ b/.github/actions/deploy-to-ec2/action.yml
@@ -8,6 +8,9 @@ inputs:
 host:
 required: true
 description: SSH host
+ ssh-host-key:
+ required: true
+ description: SSH host public key for strict host verification
 username:
 required: true
 description: SSH username
@@ -30,7 +33,7 @@ runs:
 _REMOTE_COMMAND: ${{ inputs.remote-command }}
 run: |
 missing=()
- for var in _SSH_PRIVATE_KEY _HOST _USERNAME _REMOTE_COMMAND; do
+ for var in _SSH_PRIVATE_KEY _HOST _SSH_HOST_KEY _USERNAME _REMOTE_COMMAND; do
 if [ -z "${!var}" ]; then
 missing+=("${var#_}")
 fi
@@ -47,7 +50,7 @@ runs:
 mkdir -p ~/.ssh
 echo "${{ inputs.ssh-private-key }}" > ~/.ssh/deploy_key
 chmod 600 ~/.ssh/deploy_key
- ssh-keyscan -H "${{ inputs.host }}" >> ~/.ssh/known_hosts 2>/dev/null
+ echo "${{ inputs.host }} ${{ inputs.ssh-host-key }}" >> ~/.ssh/known_hosts

 - name: 파일 업로드
 if: ${{ inputs.files != '' }}
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index c37b627..8147a00 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
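Review bot: The new `ssh-host-key` input does not document the format its value must take, and the format matters because the action later writes the value directly after `inputs.host` into known_hosts, so a value that already carries a hostname (the way `ssh-keyscan` prints it) yields an entry ssh will not match. I would make the description explicit, e.g. `description: SSH host public key for strict host verification, as "<keytype> <base64-key>" (e.g. "ssh-ed25519 AAAA...") with no leading hostname`. The `inputs:` mapping this hunk is part of starts outside the hunk.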
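Review bot: The loop now requires `_SSH_HOST_KEY` to be non-empty, but this commit adds no `_SSH_HOST_KEY` entry to the step's `env:` block — the five insertions the diffstat reports for action.yml are all accounted for by the three visible hunks — so unless that variable was already mapped above this hunk (which it cannot have been to an input that is new here), the check will report `SSH_HOST_KEY` as missing on every run. Add `_SSH_HOST_KEY: ${{ inputs.ssh-host-key }}` next to the `_REMOTE_COMMAND` mapping shown as context. The step's `env:` block and the code after the loop that acts on `missing` both lie outside the hunk.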
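Review bot: The new line still splices `${{ inputs.host }}` and `${{ inputs.ssh-host-key }}` into the script text before bash runs it, which is the GitHub Actions expression-injection pattern; the validation loop in the previous hunk already addresses these inputs as `_HOST`/`_SSH_HOST_KEY` environment variables, and reading them the same way here keeps a stray quote or `$(...)` in an input from becoming code. I would write `printf '%s %s\n' "$_HOST" "$_SSH_HOST_KEY" >> ~/.ssh/known_hosts`, with both names mapped in this step's `env:`. Whether the pinned key is actually enforced depends on the ssh/scp invocations after this hunk, which I cannot see: they should pass `-o StrictHostKeyChecking=yes`, since a `StrictHostKeyChecking=no` there would silently undo this change, whereas a missing or malformed known_hosts entry at least fails noisily in a non-interactive job. The step body continues outside the hunk.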
@@ -59,6 +59,7 @@ jobs:
 with:
 ssh-private-key: ${{ secrets.EC2_SSH_PRIVATE_KEY }}
 host: ${{ vars.EC2_HOST }}
+ ssh-host-key: ${{ vars.EC2_HOST_KEY }}
 username: ${{ vars.EC2_USERNAME }}
 files: deploy/deploy.sh deploy/secrets.env build/libs/sofia-${{ steps.version.outputs.version }}.jar
 remote-command: "/app/deploy.sh '/app/sofia-${{ steps.version.outputs.version }}.jar'"
diff --git a/.github/workflows/init.yml b/.github/workflows/init.yml
index d5b8739..587bbb5 100644
--- a/.github/workflows/init.yml
+++ b/.github/workflows/init.yml
@@ -31,6 +31,7 @@ jobs:
 with:
 ssh-private-key: ${{ secrets.EC2_SSH_PRIVATE_KEY }}
 host: ${{ vars.EC2_HOST }}
+ ssh-host-key: ${{ vars.EC2_HOST_KEY }}
 username: ${{ vars.EC2_USERNAME }}
 files: deploy/init.sh deploy/nginx-sofia.conf deploy/cert.pem deploy/key.pem
 remote-command: "bash /app/init.sh"
diff --git a/deploy/init.sh b/deploy/init.sh
index c4f2b9f..c238394 100755
--- a/deploy/init.sh
+++ b/deploy/init.sh
@@ -24,7 +24,14 @@ install_and_configure_nginx() {
 sudo systemctl enable --now nginx
 }

+save_host_key() { echo "Saving host key..." ssh-keyscan -t ed25519 localhost > /app/host_key 2>/dev/null echo "Host key saved to /app/host_key"
+}
+
 # --- Main ---
 install_jdk
 install_and_configure_nginx
+save_host_key
 echo "Done."
diff --git a/gradle.properties b/gradle.properties
index 1fda163..6600801 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -1,5 +1,5 @@
 org.gradle.console=plain
 org.gradle.logging.level=quiet
 org.gradle.warning.mode=summary
-ywcheong.sofia.version=26b.04.01.2
+ywcheong.sofia.version=26b.04.01.3
 ywcheong.sofia.jdk_version=21
\ No newline at end of file
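Review bot: `init.yml` now needs `vars.EC2_HOST_KEY` to be set before it can connect, but the only place this commit produces a host key is `save_host_key` in `deploy/init.sh`, which runs over that same SSH connection — so the first bootstrap of an instance cannot be fed by it and the key has to be captured out-of-band beforehand. That procedure (for example reading `/etc/ssh/ssh_host_ed25519_key.pub` through the EC2 console or SSM, and checking it against the host-key fingerprints cloud-init typically prints to the instance's console output) is worth documenting next to the variable, otherwise the likely shortcut is to run `ssh-keyscan` from a laptop, which reintroduces the trust-on-first-use this commit is removing. The `with:` block belongs to a step whose start is outside the hunk.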
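Review bot: `ssh-keyscan -t ed25519 localhost` writes `localhost ssh-ed25519 AAAA...` to `/app/host_key`, hostname included, while the action in this same commit appends the `EC2_HOST_KEY` value after `${{ inputs.host }}`, so pasting this file verbatim into the variable produces a known_hosts line with a second host field where the key type belongs, which ssh will not match; the `2>/dev/null` plus unconditional redirect also means a failed scan leaves an empty file while the function still prints "Host key saved". I would strip the hostname and fail loudly: `key=$(ssh-keyscan -t ed25519 localhost 2>/dev/null | cut -d' ' -f2-)`, `[ -n "$key" ] || { echo "Failed to read host key" >&2; return 1; }`, `printf '%s\n' "$key" > /app/host_key` — or read `/etc/ssh/ssh_host_ed25519_key.pub` directly, which needs no round-trip through the daemon. Printing `ssh-keygen -lf /app/host_key` afterwards gives the operator a fingerprint to compare against the instance's console output before trusting the value.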