Fastlane match cannot connect over SSH

Question

Existing solutions

I've searched SO and Github extensively before asking my question. None of the existing topics present any working solutions for our setup.

Configuration

We've got Jenkins + Fastlane configured on a remote macOS machine. Fastlane match is supposed to get the signing credentials (certificate + provisioning profile) from a dedicated repository over SSH.

Issue

The SSH connection fails (it hangs). Jenkins console output:

INFO [2019-04-09 14:09:29.05]: Cloning remote git repo...
INFO [2019-04-09 14:09:29.05]: If cloning the repo takes too long, you can use the `clone_branch_directly` option in match.
INFO [2019-04-09 14:09:29.05]: [36m$ git clone ssh://git@xxx.xx.x.xxx:xxxx/cert/ios-certificates-profiles.git /var/folders/_redacted_[0m
INFO [2019-04-09 14:09:29.07]: ▸ [35mCloning into '/var/folders/_redacted_'...[0m
INFO [2019-04-09 14:09:29.19]: ▸ [35mThe authenticity of host '[xxx.xx.x.xxx:xxxx]:xxxx ([xxx.xx.x.xxx:xxxx]:xxxx)' can't be established.[0m
INFO [2019-04-09 14:09:29.19]: ▸ [35mRSA key fingerprint is _REDACTED_.

Running the "git clone ssh://git@xxx.xx.x.xxx:xxxx/..." command from the terminal on the same machine:

• clones the repository successfully
• adds the host to the known_hosts file

Still Jenkins keeps hanging on the fastlane match command. Any ideas why Jenkins cannot connect over SSH to the repository? What am I missing?

Edit

Adding the clone_branch_directly option to the match command has no effect, the command still hangs.

Answer 1

Try first the same operation with Jenkins launched in an environment where the variable GIT_SSH_COMMAND is set to "ssh -vvv": that will give you full traces when Git tries and clone with SSH URL.

The OP mmvie confirms in the comments:

Adding verbose logging to SSH revealed Jenkins was ran as sudo.
Running Jenkins not as sudo and pointing to the correct SSH keys resolved the issue.

---

Other possibilities:

fastlane issue 5473 mentions the known_hosts issue, but if the remote server fingerprint is already added (assuming your Jenkins is running with the same account as your own shell session), then check if your private key is passphrase-protected:

FWIW, when I ssh-add -D and then run fastlane certs (which runs match), I get the exact same behavior. It hangs on "Cloning remote git repo..." That's expected behavior. 'ssh-add' fixes things.

Same in fastlane issue 7482:

Figured it out...was on a new box and hadn't added my key to ssh-agent.

ssh-add -K ~/.ssh/id_rsa

Other possibility: fastlane issue 11732:

I'm running into this on CircleCi 2.0 as well

Setting this in my environment configuration on Circle 2.0 helps

environment:
  TERM: xterm-256color

So check your $TERM environment variable value.

Answer 2

I solved a similar issue with

ssh-keyscan myserver.com >> ~/.ssh/known_hosts

Answer 3

I have frozen task on Circle CI on fastlane match step. The reason was I ran 'checkout' step on linux and get it throw workspace to macos vm. So the 'checkout' command was newer setted up on macos machine and ssh didn't know a bitbucket host name.

It was solved by adding extra 'checkout' command to macos env job. It take a little time because everything is synced by workspace.

Answer 4

I had a similar issue. And had a similar resolution as @VonC , I hadn't added my passphrase to .ssh/config file. Every time I would clone a repo using SSH I would enter a passphrase manually. This made my fastlane hang . It would make the fastlane hang because it would essentially need the passphrase, but it didn't have the manner of prompting me for it.

The GitHub document for resolving this is here https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent#adding-your-ssh-key-to-the-ssh-agent

I hope this helps someone at least approach their problem from a fresh angle.