Hi everyone,
We are trying to move from using saved login sessions on our CI systems to the fancy API Key methods. Once we finally convinced our security folks to allow us to try using an admin-level key, we were still disappointed to find that not everything is working...
For a little setup we are building on:
macOS 12.1
Xcode 13.2.1
What we are building:
a developer-id signed Mac app
It does not have an App Store version
The bundle IDs are registered in the developer page and have been for years.
It's a regular app with some subprojects bundled inside it. (It's in production on a very wide scale and has been for years.) We recently had to add an entitlement to one of the components and thus the build now requires a provisioning profile. It's the monkey's paw promise of automatic signing with an API Key in Xcode 13 that has let that profile bring a dark malaise to my world.
When trying to build, archive, and export the app with xcodebuild, we've managed to get the build and archive steps to work with the API Key. We can NOT authenticate, though, with the API key during the export stage. Because of this it can't find the profile for the app. If I log in to the ADC page in Xcode, then download the profile with the "Download Manual Profile" button, then remove the account from Xcode again, it will export the archive by using the local profile. It will, though, continue to flail around trying to authenticate over and over and over and over and over again using the token.
2022-03-03 08:12:49.026 xcodebuild[33107:1065902] DVTServices: Received response for 78B4588E-1CB0-4E56-86E7-4A62EB8E94A0 @ <https://appstoreconnect.apple.com/xcbuild/QH65B2/listTeams.action?clientId=XABBG36SBA>. Error = Error Domain=DVTPortalResponseErrorDomain Code=0 "Communication with Apple failed" UserInfo={NSLocalizedDescription=Communication with Apple failed, NSLocalizedRecoverySuggestion=A non-HTTP 200 response was received (401) for URL https://appstoreconnect.apple.com/xcbuild/QH65B2/listTeams.action?clientId=XABBG36SBA}
One of the goals of using an API Key on CI is that we can get away from things like needing to press manual download buttons, or try to maintain the Apple IDs that time out every 20 minutes. This is blocking us from that glorious goal and driving me to the precipice of madness.
We are going to open a DTS incident on this, but I wanted to be sure that we also posted the info here for the community.
(Note that it took us a while to realize that in order to use a token you also must remove any Apple IDs from the Xcode prefs. This would be super helpful if it was in the documentation!)
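A CI guard for the retry loop described in the post above, as an added example that is not part of the original post or of Apple's tooling: it scans captured xcodebuild output for the DVTServices 401 line quoted there so a job can stop early instead of retrying. The function names, the threshold and the sample log lines (with placeholder request, team and client IDs) are constructed for illustration.

```python
import re
from collections import Counter

# Matches the DVTServices failure line xcodebuild prints when an App Store
# Connect request is rejected; captures request ID, URL and HTTP status.
DVT_FAILURE = re.compile(
    r"DVTServices: Received response for (?P<req>[0-9A-Fa-f-]+) @ "
    r"<(?P<url>https://[^>]+)>\. Error = .*?"
    r"non-HTTP 200 response was received \((?P<status>\d{3})\)"
)

def scan_auth_failures(log_text):
    """Count rejected portal requests, keyed by (endpoint, HTTP status)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = DVT_FAILURE.search(line)
        if m:
            # Drop the query string and team path; keep only the action name.
            endpoint = m.group("url").split("?", 1)[0].rsplit("/", 1)[-1]
            hits[(endpoint, int(m.group("status")))] += 1
    return hits

def should_abort(hits, max_401=3):
    """True once any endpoint has answered 401 at least max_401 times."""
    return any(status == 401 and n >= max_401 for (_, status), n in hits.items())

# Constructed sample modelled on the log line in the post; all IDs are placeholders.
_LINE = (
    '2022-03-03 08:12:49.026 xcodebuild[1:2] DVTServices: Received response for '
    '00000000-0000-0000-0000-00000000000%d @ '
    '<https://appstoreconnect.apple.com/xcbuild/TEAMID/listTeams.action?clientId=CLIENTID>. '
    'Error = Error Domain=DVTPortalResponseErrorDomain Code=0 '
    '"Communication with Apple failed" UserInfo={NSLocalizedRecoverySuggestion='
    'A non-HTTP 200 response was received (401) for URL (same URL)}'
)
SAMPLE_LOG = "\n".join([_LINE % n for n in (1, 2, 3)] + ["unrelated build output"])

if __name__ == "__main__":
    found = scan_auth_failures(SAMPLE_LOG)
    for (endpoint, status), count in found.items():
        print(f"{endpoint}: HTTP {status} x{count}")
    if should_abort(found):
        raise SystemExit("API key rejected repeatedly; stopping the export job")
```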
Hi All,
We use a small group of Mac mini units running VMs for our Apple CI system. Since you can't log in to an Apple ID on an Apple Silicon VM, we wanted to use an App Store Connect API token to handle all the authentication for us. In the past this has not worked, but I wanted to see if it could now. The answer is no, you cannot use an API token with Developer ID Cloud certificates.
The reason is that, even on an Admin role token, the DevID certificates are not enabled by default. When you are using an Apple ID this is no big deal as you can check the box to allow access, but with tokens they are minted with only the default settings for the role. This means that the option for Access to Cloud Managed Developer ID Certificates is always disabled and you can't enable it.
If we could continue logging in with an Apple ID we could stumble along with that still, but even this ability is gone on AS VMs. Right now this pretty much means that we either give up on using stateless VMs to build or we go back to manually managing all of our code signing materials. The longer term solution would be to move to Xcode Cloud, but that will take us quite some time.
I filed FB13687073 to see if there is any way to create a token that can use this checkbox.