-
Introduction

Greetings! In this Discussion I'd like to centralize everything that is known so far about the recent 2FA changes that Apple has been making us go through. Let's discuss below workarounds that you're using in your project, solutions you tried and didn't work, what we can expect moving forward, and post official Apple updates on this topic 🙏

Context

In the past, Apple IDs didn't have 2FA at all. The problem here is that Apple's 2FA pretty much can't be authenticated via CLI without human interaction* This means that the only 100% automatable and fully capable Apple IDs are old Apple IDs that haven't enabled 2FA yet. So I recommend to NOT add 2FA to your Apple ID that you use within your fastlane flow.

Apple 2FA State Of The Union

Pretty much everything about the current state of Apple's 2FA VS Automation can be found in this article https://drobinin.com/posts/keep-using-fastlane-with-apples-2fa-changes/ (shout out to https://twitter.com/Valzevul for the great article!), including:
Linked Issues

2 step verification session times out too fast #17027
Documentation: CI / Seperate Apple-ID for CI isn't correct anymore #16956
Spaceship login failed, when running Fastlane match #16812
2FA code still required for
Replies: 9 comments 19 replies
-
Would this be the solution of all our problems? 😁 https://developer.apple.com/documentation/appstoreconnectapi/creating_api_keys_for_app_store_connect_api @joshdholtz can you attest? Is that API Key the expected parameters e.g. here? →
-
Hi. I'm trying to upload a Mac build to App Store Connect with a 2FA account. I added FASTLANE_APPLE_APPLICATION_SPECIFIC_PASSWORD in the .env file, but deliver still requires a password. I'm using the CLI, so it is not an interactive environment. For upload_to_testflight it works, but it says no ipa file found (because it is not an ipa, because it is a Mac app). I know that I have to add apple_id and other flags for testflight to make the app specific pwd work, but for deliver I could not find any. Tried to dig through the source code, but still no luck :( In the doc it says it should work with it (If you want to upload builds to App Store Connect (actions upload_to_app_store and deliver) or TestFlight (actions upload_to_testflight, pilot or testflight) from your CI machine, you need to generate an application specific password...) but I cannot make it work. Can you help me with it?
-
@MetaImi I personally don't have experience with that since I've never needed to use the application-specific password, but at this point, I'd just wait till the Apple API Token is deployed in the next release, which should probably happen later this week. This is the PR in question: #17238 and the official docs: https://developer.apple.com/documentation/appstoreconnectapi/creating_api_keys_for_app_store_connect_api
-
I'm running app resigning and upload to App Store on a MAC agent hosted by Azure DevOps. The session token is added to an environment variable and service connection settings. Yesterday I updated the session token as it was due to expire and performed an upload of an app and it worked like a charm. Today when I tried to upload another app, I got the error message about the token being invalid. After I updated the environment variable and service connection settings with the same exact session token, I got the following output:
So, I don't believe the session ACTUALLY expires after 6-8 hours as Valzevul stated but rather your pipeline needs a "refresh" of the environment variable with a session token. All things considered, how come the session is invalid but login still completes successfully? What can be done for the pipeline not to start failing the day after updating the session token? This is quite annoying. Any ideas, @rogerluan?
-
What "token" are you referring to, @evgeniisage? Is it the new App Store Connect API token? If not, see my post below 🙏
-
Heads up guys, this issue has been resolved since the App Store Connect API and fastlane now support JWT auth. This API token replaces the need for user/pass credentials, and thus 2FA hacks and workarounds.
Please use this whenever dealing with deliver, match, or other fastlane tools. Note that fastlane doesn't have API token support in all of its tools yet, but the 2 major ones are already in place 🙌
Let us know if you have any questions, issues using it, or want to use the token with another tool that is not supported yet 🚀
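Added example, not part of the original post and not fastlane's own code: a Ruby sketch of the ES256 JWT that App Store Connect API key authentication relies on, showing the claims a CI job presents instead of an Apple ID password and 2FA session. The key ID, issuer ID and the throwaway P-256 key are constructed placeholders; a real job would load the `.p8` key downloaded from App Store Connect.

```ruby
require "openssl"
require "json"

# URL-safe base64 without padding, as JWS requires.
def b64url(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(text)
  text.tr("-_", "+/").unpack1("m")
end

# OpenSSL emits ECDSA signatures as DER; ES256 wants fixed-width r||s (32 bytes each).
def der_to_raw(der)
  OpenSSL::ASN1.decode(der).value.map { |i| i.value.to_s(2).rjust(32, "\x00") }.join
end

def raw_to_der(raw)
  ints = [raw[0, 32], raw[32, 32]].map { |v| OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(v, 2)) }
  OpenSSL::ASN1::Sequence.new(ints).to_der
end

# key_id and issuer_id are the values shown next to the API key in App Store Connect.
def asc_token(key, key_id:, issuer_id:, now: Time.now, lifetime: 600)
  raise ArgumentError, "Apple rejects tokens valid for more than 20 minutes" if lifetime > 1200
  header = { alg: "ES256", kid: key_id, typ: "JWT" }
  claims = { iss: issuer_id, iat: now.to_i, exp: now.to_i + lifetime, aud: "appstoreconnect-v1" }
  signing_input = [header, claims].map { |part| b64url(JSON.generate(part)) }.join(".")
  der = key.sign(OpenSSL::Digest.new("SHA256"), signing_input)
  "#{signing_input}.#{b64url(der_to_raw(der))}"
end

# Local check of signature and expiry; returns the claims or nil.
def verify_token(token, key, now: Time.now)
  head, body, sig = token.split(".")
  raw = b64url_decode(sig.to_s)
  return nil unless raw.bytesize == 64
  valid = key.verify(OpenSSL::Digest.new("SHA256"), raw_to_der(raw), "#{head}.#{body}")
  claims = JSON.parse(b64url_decode(body))
  valid && claims["exp"] > now.to_i ? claims : nil
end

# Constructed demo: a throwaway P-256 key stands in for the downloaded .p8 file,
# which would be loaded with OpenSSL::PKey.read(File.read(path)).
demo_key = OpenSSL::PKey::EC.generate("prime256v1")
token = asc_token(demo_key, key_id: "EXAMPLEKEY", issuer_id: "00000000-0000-0000-0000-000000000000")
puts token, verify_token(token, demo_key).inspect
```

In a Fastfile the same three inputs go to fastlane's `app_store_connect_api_key` action (`key_id`, `issuer_id`, `key_filepath`), which builds the token for you. Keep the `.p8` file in the CI secret store and give the key the narrowest App Store Connect role the lane needs.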
-
I'm trying to use Twilio (https://www.twilio.com) as a solution to receive the SMS code from Apple 2FA, but currently I cannot receive any incoming messages.
Can someone help me?
-
My approach has been running the spaceauth command and then using this Apple Script to fetch the code:
This might remove the need of having to use an SMS provider and phone number. I am currently using a self-hosted macOS agent for Azure DevOps pipelines.
-
And perhaps Google Voice is a good resolution, to fetch the 2FA code via the Gmail API.