With GitLab, getting "fatal: mismatched algorithms: client sha1; server sha256" error when running pipeline on fork

I have a CI pipeline which runs a basic Python unit test command. It uses the python:3.11 Docker base image.

When the pipeline runs in the main repo, everything works fine. However, when running the pipeline in a fork, I get the following error message.

Preparing environment
Running on runner-xxx-concurrent-0 via runner-xxx...
Getting source from Git repository
Fetching changes with git depth set to 20...
Initialized empty Git repository in /builds/<username>/<project_name>/.git
Created fresh repository.
fatal: mismatched algorithms: client sha1; server sha256
Cleaning up project directory and file based variables
ERROR: Job failed: exit code 1

I’ve confirmed that my repo, my local git, and all commits in the repo, are using SHA256 (in both the main repo and the fork).

The error indicates that the Git client and server are using mismatched hash algorithms for communication. Specifically, the client (your CI pipeline environment) uses SHA-1, while the server requires SHA-256. This issue is often related to differences in Git versions or configurations between environments. Here’s how to troubleshoot and resolve it:


Steps to Resolve

  1. Ensure Both Git Client and Server Use SHA-256
  • Verify that the Git version in the CI runner environment (within the python:3.11 Docker image) supports SHA-256:
git --version

Git versions 2.29 and newer support SHA-256 repositories. If the version is outdated, consider updating the Git client by modifying the Docker image or base environment.
2. Update the Docker Image

  • By default, the python:3.11 image may not include the latest Git version. Update Git in the Docker image used in your CI pipeline:
FROM python:3.11
RUN apt-get update && apt-get install -y git
  • Rebuild your Docker image with this updated configuration.
  1. Explicitly Set Hash Algorithm
  • Ensure the hash algorithm is set to SHA-256 in your Git configuration. Add this step to your CI pipeline:
git config --global protocol.version 2

This forces Git to negotiate capabilities with the latest protocol version.
4. Check CI Runner Configuration

  • If you are using a shared runner, confirm its Git configuration supports SHA-256 repositories. You might need to configure a dedicated runner with the appropriate environment.
  1. Debug Environment Mismatch
  • Add debugging steps in your CI pipeline to check the environment and Git settings:
git config --list
git config --global --list
  1. Force SHA-1 Compatibility
  • As a temporary workaround (if you cannot update Git), you can allow SHA-1 in your repository:
git config --global transfer.fsckObjects false
git config --global fetch.fsckObjects false
git config --global receive.fsckObjects false

Further Troubleshooting

If the issue persists, investigate:

  • Fork-Specific Configurations: Compare .git configuration files between the main repository and the fork.
  • GitLab Runner Logs: Examine the runner’s logs for additional details.
  • SSH/HTTP Differences: Ensure both repositories use the same protocol (e.g., SSH or HTTPS).

Would you like help with adding these changes to your CI configuration?