SPM + GitLab: The server SSH fingerprint failed to verify


Hello, we’re consuming a private Swift package which is being consumed via ssh in Xcode.
We’re unable to resolve the dependencies because we’re unable to add GitLab as a known host.

I’ve followed the instructions in this thread to no avail:

The script we are using is:

for ip in $(dig @ gitlab.com +short); do ssh-keyscan gitlab.com,$ip; ssh-keyscan $ip; done 2>/dev/null >> ~/.ssh/known_hosts

The script is placed after the SSH key activation and git clone:

The content of our lane is:

desc "Run all tests"
lane :run_all_tests do
  xcodebuild(xcargs: '-resolvePackageDependencies')
  scan(project: 'Samples.xcodeproj', scheme: 'Sample', device: 'iPhone 12 Pro Max')

Are there any known intricacies with GitLab specifically? Any ideas on how we can make this work?



Same issue here: Cant authorize Swift package installation from Gitlab



Passing the ssh key type to the ssh-keyscan command using -t ecdsa solved the problem for us!! :raised_hands:
Gitlab is using OpenSSH as the ssh client and as it turns out OpenSSH prefers ECDSA key type if the server provides it and Gitlab server does provide this type of key along with other types. If you don’t pass the key type, all the available keys are fetched from Gitlab and written to your known_hosts file. However, I noticed that in the process of fetching these keys and writing them to the ~/.ssh/known_hosts file, sometimes the ECDSA key comes after the RSA key, and that causes the verification failure. So just kill the noise and fetch the key that the client is looking for. Long story short, here is the command that should do it for you:

for ip in $(dig @ gitlab.com +short); do ssh-keyscan -t ecdsa gitlab.com,$ip; done 2>/dev/null >> ~/.ssh/known_hosts

1 Like


Solved the problem! :raised_hands:


closed #5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.