Unable to authenticate for Developer-ID app export with API Key

Hi everyone,

We are trying to move from using saved login sessions on our CI systems to the fancy API Key methods. Once we finally convinced our security folks to allow us to try using an admin-level key, we were still disappointed to find that not everything is working...

For a little setup we are building on:

  • macOS 12.1
  • Xcode 13.2.1

What we are building:

  • a developer-id signed Mac app
  • It does not have an App Store version
  • The bundle IDs are registered in the developer page and have been for years.

It's a regular app with some subprojects bundled inside it. (It's in production on a very wide scale and has been for years.) We recently had to add an entitlement to one of the components and thus the build now requires a provisioning profile. It's the monkey's paw promise of automatic signing with an API Key in Xcode 13 that has let that profile bring a dark malaise to my world.

When trying to build, archive, and export the app with xcodebuild, we've managed to get the build and archive steps to work with the API Key. We can NOT authenticate, though, with the API key during the export stage. Because of this it can't find the profile for the app. If I log in to the ADC page in Xcode, then download the profile with the "Download Manual Profile" button, then remove the account from Xcode again, it will export the archive by using the local profile. It will, though, continue to flail around trying to authenticate over and over and over and over and over again using the token.

2022-03-03 08:12:49.026 xcodebuild[33107:1065902] DVTServices: Received response for 78B4588E-1CB0-4E56-86E7-4A62EB8E94A0 @ <https://appstoreconnect.apple.com/xcbuild/QH65B2/listTeams.action?clientId=XABBG36SBA>. Error = Error Domain=DVTPortalResponseErrorDomain Code=0 "Communication with Apple failed" UserInfo={NSLocalizedDescription=Communication with Apple failed, NSLocalizedRecoverySuggestion=A non-HTTP 200 response was received (401) for URL https://appstoreconnect.apple.com/xcbuild/QH65B2/listTeams.action?clientId=XABBG36SBA}

One of the goals of using an API Key on CI is that we can get away from things like needing to press manual download buttons, or try to maintain the Apple IDs that time out every 20 minutes. This is blocking us from that glorious goal and driving me to the precipice of madness.

We are going to open a DTS incident on this, but I wanted to be sure that we also posted the info here for the community.

(Note that it took us a while to realize that in order to use a token you also must remove any Apple IDs from the Xcode prefs. This would be super helpful if it was in the documentation!)

Answered by jamfshome in 707973022

Based on feedback from DTS:

You can't use an API Key with xcodebuild when exporting a Developer ID Mac app. The recommended path for us was to go back to manual code signing.

  • You can use fastlane with the API Token; you can download the profile that you need and export using manual code signing.
  • You can use curl with the API Token; you can download the profile that you need and export using manual code signing.
  • You can sign an account into Xcode; you can use xcodebuild and export using automatic code signing.
  • You can't use an API Key with xcodebuild when exporting a Developer ID Mac app.

I filed: FB9963401
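The "download the profile with the API Token, then export with manual code signing" route from the answer above, as an added example that is not code from the thread or from Apple; it uses Python's standard library in place of curl. Assumptions: the ES256 JWT is minted elsewhere from the API key and passed in, the profile is selected by a hypothetical name ("Example DevID"), the install directory is the conventional per-user Xcode location, and the sample response is constructed.

```python
import base64, json, plistlib, urllib.request
from pathlib import Path

API = "https://api.appstoreconnect.apple.com/v1/profiles"
# Assumed install location: the per-user directory Xcode reads profiles from.
PROFILE_DIR = Path.home() / "Library/MobileDevice/Provisioning Profiles"

def fetch_profiles(jwt):
    """List Developer ID (MAC_APP_DIRECT) profiles; jwt is a short-lived bearer token."""
    req = urllib.request.Request(
        API + "?filter%5BprofileType%5D=MAC_APP_DIRECT",
        headers={"Authorization": "Bearer " + jwt})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def select_profile(response, name):
    """Return the attributes of the single ACTIVE profile called `name`."""
    hits = [p["attributes"] for p in response.get("data", [])
            if p["attributes"]["name"] == name
            and p["attributes"]["profileState"] == "ACTIVE"]
    if len(hits) != 1:
        raise LookupError(f"expected one ACTIVE profile named {name!r}, found {len(hits)}")
    return hits[0]

def install_profile(attrs, dest=PROFILE_DIR):
    """Decode profileContent and write it as <uuid>.provisionprofile."""
    uuid = attrs["uuid"]
    if not uuid.replace("-", "").isalnum():  # uuid becomes a file name: no separators or dots
        raise ValueError("unexpected characters in profile uuid")
    dest.mkdir(parents=True, exist_ok=True)
    path = dest / (uuid + ".provisionprofile")
    path.write_bytes(base64.b64decode(attrs["profileContent"], validate=True))
    return path

def export_options(team_id, bundle_id, profile_name):
    """ExportOptions.plist bytes for a manually signed Developer ID export."""
    return plistlib.dumps({
        "method": "developer-id",
        "signingStyle": "manual",
        "teamID": team_id,
        "provisioningProfiles": {bundle_id: profile_name},
    })

# Constructed sample response (placeholder values, not real profile data).
SAMPLE = {"data": [
    {"attributes": {"name": "Example DevID", "profileState": "INVALID",
                    "uuid": "00000000-0000-0000-0000-000000000001", "profileContent": "b2xk"}},
    {"attributes": {"name": "Example DevID", "profileState": "ACTIVE",
                    "uuid": "00000000-0000-0000-0000-000000000002", "profileContent": "bmV3"}},
]}
```

On a CI host the result of `export_options(...)` is written to a file and passed to `xcodebuild -exportArchive -exportOptionsPlist`; the token should come from the job's secret store and never be echoed into build logs.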

Hey @jamfshome,

I do not have much experience with Mac applications, but are you using an export options plist that has the UUID of a profile that should be found in the local store during the export process or some other method?

Is the goal to have Xcode 100% automate everything on its own, or are you able / willing to have something like a helper script running in the local environment? Using the API Key approach assumes that you have the API Key in every environment where builds would be happening, but I don't want to make any assumptions.

Thanks!

Hi @ChuckMN, I would like to avoid going down the manual signing route if possible. We had hoped that using the API Key would allow us to stop messing about with authentication session hacks. We are using Fastlane as well, but in troubleshooting this I took the approach of just using Apple's tools directly to remove any variables.
