Xcode 14.3 doesn't use credentials (from netrc or keychain) for auth to a package registry

[FirstAM]

Description

I'd tried to use this solution (self hosted spm registry )
The main thing is - after success auth, utility append new credentials to ~/.netrc file or mac os keychain
In my case all credential was appended, but credential getting from netrc or keychain only when i use command line utility
If i try to use Xcode, i got auth error status response that means credentials didn't send.
I've checked request headers, and exactly as i thought, credential didn't send

In my case file content seems like that:

.swiftpm/configuration/registries.json

{
  "authentication": {
    "spm-registry.net": {
      "type": "token"
    },
  },
  "registries" : {
    "scope" : {
      "url" : "https://spm-registry.net/api/spm-registry/"
    }
  },
  "version" : 1
}

~/.netrc

machine spm-registry.net 
login token 
password <TOKEN>

Expected behavior

Xcode use credentials from netrc or keychain

Actual behavior

Credential was used only when i run cmd utility

Steps to reproduce

1. Install Xcode 14.3
2. Setup registries url by command line
3. Setup registries auth by command line
4. Run your self-hosted spm registry
5. Try to resolve dependencies by Xcode application

Swift Package Manager version/commit hash

No response

Swift & OS version (output of swift --version && uname -a)

###############################

$ swift --version
swift-driver version: 1.75.2 Apple Swift version 5.8 (swiftlang-5.8.0.124.2 clang-1403.0.22.11.100)
Target: arm64-apple-macosx13.0

###############################

$ swift package  --version
Swift Package Manager - Swift 5.8.0

###############################

$ system_profiler SPSoftwareDataType
Software:

    System Software Overview:

      System Version: macOS 13.1 (22C65)
      Kernel Version: Darwin 22.2.0
      ...

###############################

$ system_profiler SPDeveloperToolsDataType
Developer:

    Developer Tools:

      Version: 14.3 (14E222b)
      Location: /Applications/Xcode.app
      Applications:
          Xcode: 14.3 (21812)
          Instruments: 14.3 (64559.163)
      ...

[yim-lee]

rdar://107679395

[tomerd]

cc @abertelrud

[FirstAM]

Hi @yim-lee, @abertelrud
Do you have any updates?

[yim-lee]

@FirstAM The fix is in Xcode. We will post back here when it becomes available.

[lukepistrol]

@yim-lee Can you confirm this will be available in a Xcode 14.x.x update or is it more likely this will be available only in the upcoming Xcode 15 beta?

[yim-lee]

@lukepistrol We will let you know the version when it's available.

[lukepistrol]

Seems to be included in the Xcode 15 Beta!

[yim-lee]

@lukepistrol Yep!

[felipeska]

Hello, I'm using XCode Version 15.0 beta 4 (15A5195m)

Xcode can't accept the credentials but in the server the authentication is valid.

[yim-lee]

@felipeska That's for npm?

[felipeska]

Hello @yim-lee, No. I'm using https://jfrog.com/help/r/jfrog-artifactory-documentation/swift-registry.
Swift registry works fine using CLI, but when I add a dependency from Xcode (File -> Add package dependency) the error mentioned error is what I get.

It's possible to use private and authenticated repository from XCode?
It's possible to use authentication similar to the one used via .netrc? basic token.
I am aware that XCode offers some authentication for most used platforms (Github, GitLab. Sourcetree), but it seems that handling Swift packages from JFrog is not possible.

Thanks!

[yim-lee]

@felipeska Xcode only supports registry credentials saved in Keychain. Is there an internet password entry for the registry you use in Keychain?

https://github.com/apple/swift-evolution/blob/main/proposals/0378-package-registry-auth.md#macos-keychain

[yim-lee]

Xcode15 should make use of registry credentials from keychain, so closing this. Please create new issue if you still experience problem.

[saschpe]

Hello, I'm using XCode Version 15.0 beta 4 (15A5195m)
...
Xcode can't accept the credentials but in the server the authentication is valid.

Same issue, doesn't work with Xcode 15.0.1

[jeremybarr]

@saschpe I'm also having a hard time getting this working in Xcode. Have you gotten anywhere with this since?

[yim-lee]

Package registry credentials need to be added to Keychain via the swift package-registry login command or manually (by creating an item under "Internet Passwords").

At the end you should have an entry like this in Keychain:

Note that this is different from source control account. Registry operations do not use source control credentials.

If it still doesn't work after ensuring the registry credentials are in Keychain, one thing you might check is if there is more than one entry for the same registry in Keychain. In this case, delete all the entries for the registry and create a new entry again. We don't know what causes multiple entries to be saved for the same registry, for we can't reproduce it consistently, so it would be great to get more information if that's what's happening for you.

[justin-doordash]

@yim-lee How can this work in a CI environment? The proposal included using netrc, which would work for a CI environment, but that doesn't seem to work anymore. How are we supposed to allow remote machines to auth private repos such as Artifactory?

[yim-lee]

The proposal included using netrc, which would work for a CI environment, but that doesn't seem to work anymore.

@justin-doordash What problem do you run into with netrc? netrc should still work, it's just that it's no longer the default if Keychain is available, but one can override that using the --netrc option:

  --netrc                 Use netrc file even in cases where other credential stores are preferred

[justin-doordash]

@yim-lee Yes the command correctly adds the credentials to netrc, however xcodebuild refuses to utilize them. xcodebuild fails on Resolve Package Graph saying missing or invalid authentication credential. xcodebuild doesn't seem to utilize netrc as a valid source of credentials for package auth. If we instead authorize without --netrc, xcodebuild prompts the user for access to keychain and correctly resolves the package, but we can't do that on CI

[yim-lee]

xcodebuild doesn't seem to utilize netrc as a valid source of credentials for package auth. If we instead authorize without --netrc, xcodebuild prompts the user for access to keychain and correctly resolves the package, but we can't do that on CI

@justin-doordash I see. I will check with the team to see if we can fix/workaround this. In the meantime maybe there is some way to disable the Keychain prompt in CI?

[justin-doordash]

@yim-lee There doesn't seem to be a way to disable the keychain prompt, but even if we did the package resolution would still fail because it's not using the netrc for auth. Should I open a new issue and describe the issue in depth?

[yim-lee]

but even if we did the package resolution would still fail because it's not using the netrc for auth

I was thinking you could use Keychain to store credentials if that's available in your CI environment.

Should I open a new issue and describe the issue in depth?

Yes, that would be great. Thanks @justin-doordash.

[jeremybarr]

Package registry credentials need to be added to Keychain via the swift package-registry login command or manually (by creating an item under "Internet Passwords").

At the end you should have an entry like this in Keychain:

Note that this is different from source control account. Registry operations do not use source control credentials.

If it still doesn't work after ensuring the registry credentials are in Keychain, one thing you might check is if there is more than one entry for the same registry in Keychain. In this case, delete all the entries for the registry and create a new entry again. We don't know what causes multiple entries to be saved for the same registry, for we can't reproduce it consistently, so it would be great to get more information if that's what's happening for you.

@yim-lee The multiple credentials issue repeatedly happened to me. I also was unable to connect to an authenticated repo with Xcode 15. I've found that this problem seems to be due to upgrading from Xcode 14 to Xcode 15. I've installed Xcode through the App Store and was constantly having these problems. Once I deleted Xcode, and also deleted Xcode settings files like com.apple.dt.Xcode in locations like ~/Library/Application Scripts , ~/Library/Preferences , ~/Library/Containers, ~/Library/Developer, and ~/Library/Saved Application State followed by a reinstall of Xcode directly from the App Store, both of my problems disappeared and I stopped getting duplicate credentials in keychain and was able to connect to the authenticated repo.

[yim-lee]

@jeremybarr Yeah we were unable to reproduce the multiple credentials issue ourselves, so we didn't know what caused it or how to fix/workaround it. I am sorry for not able to offer solutions or alternatives when you ran into that problem. Glad to hear you figured that out and I am sure your notes will help others as well!

[Baza207]

I see there's been a variety of questions here regarding authentication, but I still can't get past the adding the package as a local repository to an Xcode Project. We're trying it similar to @felipeska with Atrifactory, but can't get past the File -> Add package dependency step. Am I missing something?

We have .netrc file with the token credentials at the user level, there's a keychain (internet password type) item looking the same as @yim-lee posted above, but I still constantly get a dialog saying "authentication failed". 😞

Any help or pointers appreciated.

[ncharniauski]

I see there's been a variety of questions here regarding authentication, but I still can't get past the adding the package as a local repository to an Xcode Project. We're trying it similar to @felipeska with Atrifactory, but can't get past the File -> Add package dependency step. Am I missing something?

We have .netrc file with the token credentials at the user level, there's a keychain (internet password type) item looking the same as @yim-lee posted above, but I still constantly get a dialog saying "authentication failed". 😞

Any help or pointers appreciated.

Yes, I am experiencing the same issue. Trying to add package dependency from the protected Artifactory Swift registry and failing at the Xcode Authentication screen. Keychain has credentials to connect to Artifactory. When I open "Add Package Dependency" window - Xcode prompts me to get access to keychain, which I grant. Then when I enter Artifactory URL to locate the package, Xcode displays Authentication window with error: "Authentication failed because the credentials were rejected". Once I manually enter User name/password - authentication still fails.
Registry URL and credentials are correct, I can confirm via running "swift package-registry login" and then "swift package resolve". I tried both types of authentication - basic and token -- both fail.
What am I missing? Why I cannot simply add protected Artifactory package dependency to Xcode app project via keychain creds or via manually entering credentials? Any missing steps here?

[yim-lee]

Registry package dependency is specified with package id in Package.swift rather than a URL. For example:

dependencies: [
    .package(id: "mona.LinkedList", .upToNextMajor(from: "1.0.0")),
],

I suggest that you try editing Package.swift to use id for packages that are supposed to be downloaded from Artifactory Swift registry, make sure the credentials are in Keychain, then see if Xcode and/or swift package resolve works.

Note that the corresponding Artifactory repo must have the "Swift" package type.

[ncharniauski]

Registry package dependency is specified with package id in Package.swift rather than a URL. For example:

dependencies: [
    .package(id: "mona.LinkedList", .upToNextMajor(from: "1.0.0")),
],

I suggest that you try editing Package.swift to use id for packages that are supposed to be downloaded from Artifactory Swift registry, make sure the credentials are in Keychain, then see if Xcode and/or swift package resolve works.

Note that the corresponding Artifactory repo must have the "Swift" package type.

Xcode resolves private Artifactory dependencies listed in Package.swift just fine. This is not the issues.
The issue is only with adding private packages to application xcproject directly from the Xcode UI:

Application project does not contain Package.swift. It is not a package, it is a simple application project.

[yim-lee]

Xcode resolves private Artifactory dependencies listed in Package.swift just fine. This is not the issues.
The issue is only with adding private packages to application xcproject directly from the Xcode UI:

@ncharniauski Can you create a new issue detailing the steps it takes to reproduce the issue? Please include example of values you enter in the UI. e.g., do you type in Artifactory URL or package identifier?

[ncharniauski]

Xcode resolves private Artifactory dependencies listed in Package.swift just fine. This is not the issues.
The issue is only with adding private packages to application xcproject directly from the Xcode UI:

@ncharniauski Can you create a new issue detailing the steps it takes to reproduce the issue? Please include example of values you enter in the UI. e.g., do you type in Artifactory URL or package identifier?

new issue is created: #7237