Cannot sign app with xcodebuild and authenticationKey

I'm trying automated signing suggested in WWDC21 session with xcodebuild and authenticationKey. I have unsigned xcarchive, .p8 key generated on portal as suggested in WWDC session, and trying to sign it with:

xcodebuild -exportArchive -archivePath ./myapp.xcarchive -exportPath ./1 -exportOptionsPlist exportoptions.plist -authenticationKeyIssuerID <removed> -authenticationKeyID <removed> -authenticationKeyPath <full path to p8> -allowProvisioningUpdates

However it fails, and I can see in IDEDistributionProvisioning.log the following response from Apple:

Payload:
{"urlEncodedQueryParams":"teamId=<removed>&filter%5BcertificateType%5D=DISTRIBUTION_MANAGED&limit=200"}

2021-09-23 10:19:23 +0000  2021-09-23 10:19:23 +0000 IDEProvisioningRepair(<removed>): 2021-09-23 10:19:23 +0000 IDEProvisioningRepair(<removed>): Received response for B50672C5-10E6-40CF-996A-097BADBD0EEF @ <https://appstoreconnect.apple.com/xcbuild/v1/certificates>. Code = 0

2021-09-23 10:19:23 +0000  2021-09-23 10:19:23 +0000 IDEProvisioningRepair(<removed>): 2021-09-23 10:19:23 +0000 IDEProvisioningRepair(<removed>): Response payload: {
  "errors" : [ {
    "id" : "8f50dfff-8ca6-442b-aa64-92f0a91730ec",
    "status" : "403",
    "code" : "FORBIDDEN_ERROR",
    "title" : "This request is forbidden for security reasons",
    "detail" : "You are not allowed to perform this operation.  Please check with one of your Team Admins, or, if you need further assistance, please contact Apple Developer Program Support. https://developer.apple.com/support"
  } ]
}


If I'm trying to sign with my Dev account logged in into XCode, xcodebuil uses it instead and signing completes with no issues.

Did I miss something?

Answered by Artem_XZ in 688650022

I found that it's necessary to have Admin role for the p8 key to succeed with this. Wondering why should it have Admin role, if my regular XCode account with AppManager role works as well?

Accepted Answer

I found that it's necessary to have Admin role for the p8 key to succeed with this. Wondering why should it have Admin role, if my regular XCode account with AppManager role works as well?

@Artem_XZ can you describe how did you manage to work Cloud-managed distribution certificates, please? Even using the Admin API key, I get the following error:

Error Domain=IDEDistributionErrorDomain Code=10 "Failed to log in." UserInfo={IDEDistributionErrorsAccountIssues=(
), NSLocalizedDescription=Failed to log in., NSLocalizedRecoverySuggestion=App Store Connect access for “$TEAM_ID” is required. Ensure that your Apple ID account usernames and passwords are correct in the Accounts preference pane.}

Does the API key-based distribution still work for you?

I ran into the same issue and also updated the rights but didn't get it to work. I fixed it with exporting it locally first and then using altool to upload it.

For xcodebuild -exportArchive you'd need to do the following

  • Set the export option plist destination to export
  • add -exportPath <your preferred ipa folder> to the command

Validate or Upload

 xcrun altool --validate-app/--upload-app -f <ipa-folder/ipa-file.ipa> -t iOS --apiIssuer ... --apiKey ...

altool wants a key file stored in the folder where its executed from: private_keys/AuthKey_<keyid>.p8

if you use github action and secrets, setting up the key could look like this:

echo "${{ secrets.<idToYourStoredKeyContent> }}" > ${{ format('private_keys/AuthKey_{0}.p8', secrets.<idToYourStoredKeyId>) }}
Cannot sign app with xcodebuild and authenticationKey
 
 
Q