Host key verification failed (bitbucket)

I get “Host key verification failed” when trying to install a npm private package from bitbucket.

What I have done is:

• Copied the Deploy key from Deploy settings of my site.
• Pasted in Bibucket account under /account/settings/ssh-keys/

Reading the doc i see that the npm package should be in the format

"package-name": "git+https://<user>:<app-password>@bitbucket.org/<user>/<repo>.git"

Isn’t unsecure to put the app-passoword in my public package.json?

Shouldn’t be enough to set the SSH key? I usually use only that key and I get access of evrything on the Bitbucket account.

What I am not seeing?

Thank you

Here the full build log

7:58:19 PM: Build ready to start
7:58:21 PM: build-image version: be42e453d6c8f171cc2f654acc29c0a8b60e6d93
7:58:21 PM: build-image tag: v3.7.1
7:58:21 PM: buildbot version: b47b671c7e5601877c51968241eb899bf590a815
7:58:21 PM: Fetching cached dependencies
7:58:21 PM: Starting to download cache of 113.3MB
7:58:23 PM: Finished downloading cache in 2.162767087s
7:58:23 PM: Starting to extract cache
7:58:28 PM: Finished extracting cache in 4.414767916s
7:58:28 PM: Finished fetching cache in 6.62534392s
7:58:28 PM: Starting to prepare the repo for build
7:58:28 PM: Preparing Git Reference refs/heads/urn
7:58:32 PM: Different functions path detected, going to use the one specified in the Netlify configuration file: 'dist/.uranio/repo/functions' versus 'api' in the Netlify UI
7:58:32 PM: Starting build script
7:58:32 PM: Installing dependencies
7:58:32 PM: Python version set to 2.7
7:58:33 PM: Started restoring cached node version
7:58:36 PM: Finished restoring cached node version
7:58:36 PM: v12.18.0 is already installed.
7:58:37 PM: Now using node v12.18.0 (npm v6.14.4)
7:58:37 PM: Started restoring cached build plugins
7:58:37 PM: Finished restoring cached build plugins
7:58:37 PM: Attempting ruby version 2.7.1, read from environment
7:58:39 PM: Using ruby version 2.7.1
7:58:39 PM: Using PHP version 5.6
7:58:39 PM: Started restoring cached node modules
7:58:39 PM: Finished restoring cached node modules
7:58:39 PM: Installing NPM modules using NPM version 6.14.4
7:58:42 PM: npm WARN read-shrinkwrap This version of npm is compatible with lockfileVersion@1, but package-lock.json was generated for lockfileVersion@2. I'll try to do my best with it!npm WARN tar ENOENT: no such file or directory, open '/opt/build/repo/node_modules/.staging/enquirer-eb384812/lib/prompts/index.js'
7:58:42 PM: npm WARN tar ENOENT: no such file or directory, open '/opt/build/repo/node_modules/.staging/@nodelib/fs.stat-5c4a437a/out/adapters/fs.d.ts'
7:58:42 PM: npm WARN tar ENOENT: no such file or directory, open '/opt/build/repo/node_modules/.staging/enquirer-eb384812/lib/types/index.js'
7:58:42 PM: npm WARN tar ENOENT: no such file or directory, open '/opt/build/repo/node_modules/.staging/@nodelib/fs.stat-5c4a437a/out/adapters/fs.spec.d.ts'
7:58:42 PM: npm WARN tar ENOENT: no such file or directory, open '/opt/build/repo/node_modules/.staging/enquirer-eb384812/lib/prompts/input.js'
7:58:42 PM: npm WARN tar ENOENT: no such file or directory, open '/opt/build/repo/node_modules/.staging/eslint-plugin-import-ef8b0033/lib/rules/export.js'
7:58:42 PM: npm WARN tar ENOENT: no such file or directory, open '/opt/build/repo/node_modules/.staging/enquirer-eb384812/lib/interpolate.js'
7:58:42 PM: npm WARN tar ENOENT: no such file or directory, open '/opt/build/repo/node_modules/.staging/enquirer-eb384812/lib/prompts/invisible.js'
7:58:42 PM: npm WARN tar ENOENT: no such file or directory, open '/opt/build/repo/node_modules/.staging/enquirer-eb384812/lib/keypress.js'
7:58:42 PM: npm WARN tar ENOENT: no such file or directory, open '/opt/build/repo/node_modules/.staging/eslint-8e85d10d/lib/rules/array-bracket-newline.js'
7:58:42 PM: npm WARN tar ENOENT: no such file or directory, open '/opt/build/repo/node_modules/.staging/@nodelib/fs.stat-5c4a437a/out/index.d.ts'
7:58:42 PM: npm WARN tar ENOENT: no such file or directory, open '/opt/build/repo/node_modules/.staging/enquirer-eb384812/lib/prompts/list.js'
7:58:42 PM: npm WARN tar ENOENT: no such file or directory, open '/opt/build/repo/node_modules/.staging/eslint-8e85d10d/lib/rules/array-bracket-spacing.js'
7:58:42 PM: npm WARN tar ENOENT: no such file or directory, open '/opt/build/repo/node_modules/.staging/@nodelib/fs.stat-5c4a437a/out/types/index.d.ts'
7:58:42 PM: npm WARN tar ENOENT: no such file or directory, open '/opt/build/repo/node_modules/.staging/enquirer-eb384812/lib/prompts/multiselect.js'
7:58:42 PM: npm WARN tar ENOENT: no such file or directory, open '/opt/build/repo/node_modules/.staging/@nodelib/fs.stat-5c4a437a/out/index.spec.d.ts'
...
7:58:44 PM: npm WARN netlify-test@0.0.1 No description
7:58:44 PM: npm WARN netlify-test@0.0.1 No license field.
7:58:44 PM: npm ERR! Error while executing:
7:58:44 PM: npm ERR! /usr/bin/git ls-remote -h -t ssh://git@bitbucket.org/user/myrepo.git
7:58:44 PM: npm ERR!
7:58:44 PM: npm ERR! Host key verification failed.
7:58:44 PM: npm ERR! fatal: Could not read from remote repository.
7:58:44 PM: npm ERR!
7:58:44 PM: npm ERR! Please make sure you have the correct access rights
7:58:44 PM: npm ERR! and the repository exists.
7:58:44 PM: npm ERR!
7:58:44 PM: npm ERR! exited with error code: 128
7:58:44 PM: npm ERR! A complete log of this run can be found in:
7:58:44 PM: npm ERR!     /opt/buildhome/.npm/_logs/2021-04-21T17_58_44_029Z-debug.log
7:58:44 PM: Error during NPM install
7:58:44 PM: Build was terminated: Build script returned non-zero exit code: 1
7:58:44 PM: Failing build: Failed to build site
7:58:44 PM: Finished processing build request in 22.926066434s

hey there, can you point us to the doc that you are trying to use to follow along with this? thanks.

Absolutely, sorry I didn’t post it.

Here is the link:

hi there, it does indeed say that! i am not sure, exactly, but I am going to pass this on to someone else who might know more.

There are two different approaches, depending on whether you are working with the private repo strickly via Git itself or accessing it via npm.

As the logs show you using npm, I believe these are the correct instructions for you:

If you were getting the error as party of a submodule clone or a Git command run in the build command itself, then this would be the support guide to follow (but again, I do think the guide above is the right one for the issue in logs you posted):

If the solution in the top support guide above doesn’t work for you, please reply here to let us know what steps you tried and what the results were. Similarly, if there are questions about any of this, please let us know.

Unfortunately, even though I am using a private repo with npm, the first article doesn’t cover my situation.
The article is explaining what to do with a private NPM module hosted on NPM, while my dependecies are hosted on Bitbucket.

I’ve made the cleanest possible set up in order to debug better.

package.json

{
  "name": "netlify-site",
  "version": "0.0.1",
  "repository": {
    "type": "git",
    "url": "https://github.com/ndr4/netlify-site.git"
  },
  "dependencies": {
    "my-dep": "git+ssh://git@bitbucket.org/ndr4/my-dep.git"
  }
}

Even if I set the Deploy key from Netlify to my Bitbucket account, this fails.

However if I set my dependency, in the package.json above, with an App Password, like this:

"my-dep": "https://ndr4:{MYAPPPASSWORD}@bitbucket.org/ndr4/my-dep.git"

it will install the dependecy but this will show the password in my public github repo “netlify-site”.

Plus this is a very simple situation. In reality this private dependecy has other private dependencies and as you can imagine I cannot use the APP-PASSWORD method for all my dependencies since they are also used in other cases other than Netlify.

It seems the build is not using the Deploy key and I am wondering why.

Hey there, @ndr4

Thanks for your patience here! I want to assure you that we haven’t forgotten about this thread, we have just been a bit underwater this past week.

Are you still encountering issues? If so, let me know and I will bump this back up to our Support Engineers. If this has resolved, please let us know what steps you took

Hello Hilary,
thanks for getting back to me.

Actually nothing has changed. I still face the same issue and I cannot find any solutions.

Thank you

Can’t you make use of env vars which you can store in our UI, away from your public repo?

Repository_permissions_and_linking___Netlify_Docs697×357 31 KB

I’ve tried creating app passwords in Bitbucket and using them in the package location but this doesn’t solve the issue.

interesting - I couldn’t get this to work but agree this info being visible is not great!