Xcodebuild and SPM dependency SSH fingerprint failed to verify


Hello everyone. I added a dependency to my Xcode project using Swift Package Manager. The dependency is a private repo on Bitbucket. No problem building locally, but on Bitrise I get:

Could not resolve package dependencies:
  The server SSH fingerprint failed to verify.

I found this discussion from last year. It suggests to add an activate SSH key step (I already had one) and add a script step to add Bitbucket to the known_hosts file (based on Xcode 11 release notes even though I’m using Xcode 12.2).

I did that but my build still fails with the same error message so I’m wondering if that workaround no longer applies. Has anybody else run into this?


SPM + GitLab: The server SSH fingerprint failed to verify

The solution you refer to still works. The SSH key step you likely have is a deployment key Bitrise adds to clone the project repository, This will not have access to any private dependencies in other repositories. You can use this key to clone the project then add the ‘known_hosts’ and ‘ssh’. If you have a single private dependency you can use a deployment key from that repository, if there are multiple ones you will likely need a key from a user who has access to each of these.

YAML (put between clone and build steps with SSH key as a secret):

    - script@1.1:
    title: Add 'github' to known_hosts
    - content: |-
        #!/usr/bin/env bash
        for ip in $(dig @ github.com +short); do ssh-keyscan github.com,$ip; ssh-keyscan $ip; done 2>/dev/null >> ~/.ssh/known_hosts
- activate-ssh-key@4.0:
    title: Activate SSH key
    - ssh_rsa_private_key: "$GITHUB_SSH_KEY"


Thanks John but still no luck. Following your advice I created another SSH key pair, added the public one to the private dependency repo in Bitbucket, then added the private one to a secret in Bitrise. But I’m still getting the fingerprint failed to verify. I also tried other options in case that made any difference.

- script@1:
    - content: |
        for ip in $(dig @ bitbucket.com +short); do ssh-keyscan bitbucket.com,$ip; ssh-keyscan $ip; done 2>/dev/null >> ~/.ssh/known_hosts
    title: Add Bitbucket to known hosts
- activate-ssh-key@4:
    - ssh_rsa_private_key: "$PRIVATE_DEP_SSH_KEY"
    - ssh_key_save_path: "$HOME/.ssh/bitrise_step_activate_ssh_key_private_dep"
    - is_remove_other_identities: 'false'


Got it.

The problem was that I had bitbucket.COM in the add to known_hosts step, but it really should have been bitbucket.ORG.

Well, it’s the little things right. :roll_eyes:


closed #5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.