Fastlane match cannot connect over SSH

Question

Existing solutions

I've searched SO and Github extensively before asking my question. None of the existing topics present any working solutions for our setup.

Configuration

We've got Jenkins + Fastlane configured on a remote macOS machine. Fastlane match is supposed to get the signing credentials (certificate + provisioning profile) from a dedicated repository over SSH.

Issue

The SSH connection fails (it hangs). Jenkins console output:

INFO [2019-04-09 14:09:29.05]: Cloning remote git repo...
INFO [2019-04-09 14:09:29.05]: If cloning the repo takes too long, you can use the `clone_branch_directly` option in match.
INFO [2019-04-09 14:09:29.05]: [36m$ git clone ssh://[email protected]:xxxx/cert/ios-certificates-profiles.git /var/folders/_redacted_[0m
INFO [2019-04-09 14:09:29.07]: ▸ [35mCloning into '/var/folders/_redacted_'...[0m
INFO [2019-04-09 14:09:29.19]: ▸ [35mThe authenticity of host '[xxx.xx.x.xxx:xxxx]:xxxx ([xxx.xx.x.xxx:xxxx]:xxxx)' can't be established.[0m
INFO [2019-04-09 14:09:29.19]: ▸ [35mRSA key fingerprint is _REDACTED_.

Running the "git clone ssh://[email protected]:xxxx/..." command from the terminal on the same machine:

• clones the repository successfully
• adds the host to the known_hosts file

Still Jenkins keeps hanging on the fastlane match command. Any ideas why Jenkins cannot connect over SSH to the repository? What am I missing?

Edit

Adding the clone_branch_directly option to the match command has no effect, the command still hangs.

Answer 1

Try first the same operation with Jenkins launched in an environment where the variable GIT_SSH_COMMAND is set to "ssh -vvv": that will give you full traces when Git tries and clone with SSH URL.

The OP mmvie confirms in the comments:

Adding verbose logging to SSH revealed Jenkins was ran as sudo.
Running Jenkins not as sudo and pointing to the correct SSH keys resolved the issue.

---

Other possibilities:

fastlane issue 5473 mentions the known_hosts issue, but if the remote server fingerprint is already added (assuming your Jenkins is running with the same account as your own shell session), then check if your private key is passphrase-protected:

FWIW, when I ssh-add -D and then run fastlane certs (which runs match), I get the exact same behavior. It hangs on "Cloning remote git repo..." That's expected behavior. 'ssh-add' fixes things.

Same in fastlane issue 7482:

Figured it out...was on a new box and hadn't added my key to ssh-agent.

ssh-add -K ~/.ssh/id_rsa

Other possibility: fastlane issue 11732:

I'm running into this on CircleCi 2.0 as well

Setting this in my environment configuration on Circle 2.0 helps

environment:
  TERM: xterm-256color

So check your $TERM environment variable value.