When using pkgs.fetchgit with an SSH URL: "error: cannot run ssh: No such file or directory"

[pikajude]

Describe the bug

See title.

Steps To Reproduce

$ nix-build -E 'with import <nixpkgs> {}; pkgs.fetchgit { url = "git@github.com:nixos/nix.git"; }'       
these derivations will be built:
  /nix/store/z5bp1jslnim2a54hhixw5fdy86wkc745-nix.drv
building '/nix/store/z5bp1jslnim2a54hhixw5fdy86wkc745-nix.drv'...
exporting git@github.com:nixos/nix.git (rev HEAD) into /nix/store/4i4cgg10d8g6nfvm56j7av37g8363k4b-nix
Initialized empty Git repository in /nix/store/4i4cgg10d8g6nfvm56j7av37g8363k4b-nix/.git/
error: cannot run ssh: No such file or directory
fatal: unable to fork
error: cannot run ssh: No such file or directory
fatal: unable to fork
error: cannot run ssh: No such file or directory
fatal: unable to fork
error: cannot run ssh: No such file or directory
fatal: unable to fork
Unable to checkout HEAD from git@github.com:nixos/nix.git.
builder for '/nix/store/z5bp1jslnim2a54hhixw5fdy86wkc745-nix.drv' failed with exit code 1
error: build of '/nix/store/z5bp1jslnim2a54hhixw5fdy86wkc745-nix.drv' failed

Expected behavior

Nix should be able to fetch the repo.

Additional context

I'm using an SSH url because the repo I'm trying to fetch is private, but this error appears to be reproducible with any SSH url pointing anywhere.

Metadata

 - system: `"x86_64-linux"`
 - host os: `Linux 5.15.0-47-generic, Ubuntu, 22.04.1 LTS (Jammy Jellyfish), nobuild`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.3.15`
 - channels(root): `"nixpkgs-22.11pre415372.7b06206fa24"`
 - channels(jude): `"home-manager"`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixpkgs`

[tie]

FWIW GitHub and GitLab require SSH public key to be associated with an account, yikes. I’d assume that other Git hosts have the same behavior, so that’s likely the reason why clone over SSH is not supported out-of-the-box.

As a workaround, it’s possible to instruct Git to rewrite SSH clone URLs to HTTPS.

(fetchFromGitHub {
  owner = "…";
  repo = "…";
  rev = "…";
  hash = "…";
  fetchSubmodules = true;
}).overrideAttrs (_: {
  GIT_CONFIG_COUNT = 1;
  GIT_CONFIG_KEY_0 = "url.https://github.com/.insteadOf";
  GIT_CONFIG_VALUE_0 = "git@github.com:";
})

cc @gou4shi1 as you’ve also stumbled on this issue recently 🥲

Edit: as mentioned below, this workaround is for Git repositories with submodules that use SSH instead of HTTPS on GitHub/GitLab. It will not work for private repositories.

[gangaram-tii]

@tie It doesn't work for private repository.

[gangaram-tii]

I am able to fetch private repository using ssh:

fetchGit {
    url = "ssh://git@github.com/user/example.git";
    rev = "?";
    ref = "?";  #Branch name
  };

Preconditions: 1) Your ssh keys to access the repository are available in ~/.ssh 2) ssh://git@github.com/user/example.git must be there in your known hosts ~/.ssh/known_hosts

[the-argus]

Just had exactly the same issue as OP. Using builtins.fetchGit instead of pkgs.fetchgit fixed it for me.

[pluiedev]

Encountered the same error while trying to package a Flutter project with pub2nix. If builtins.fetchGit works, then should we try to change all instances of fetchgit to that?

[c0sco]

I think I'm also hitting the same issue when attempting to package a Rust-based tool that has an ssh://git@github.com URL in its Cargo.lock. Switch to https seems to have solved this for me for now.

[nixos-discourse]

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/derivations-that-depend-on-git-submodules/48872/2

[jonboh]

For those hitting this issue using rustPlatform.buildRustPackage. Using cargoLock.allowBuiltinFetchGit = true; allows you to still use ssh and keep the repo private (the https solution won't work for private repos) https://nixos.org/manual/nixpkgs/stable/#importing-a-cargo.lock-file

rustPlatform.buildRustPackage {
  cargoLock = {
    lockFile = ./Cargo.lock;
    allowBuiltinFetchGit = true;
  };
}