XcodesOrg / xcodes

The best command-line tool to install and switch between multiple versions of Xcode.
MIT License

Support for app-specific password in env variables #174

Closed apps4everyone closed 1 year ago

apps4everyone commented 2 years ago

Is there any way to use an app-specific password instead of:

XCODES_PASSWORD XCODES_USERNAME

in env variables?

fishcharlie commented 2 years ago

I'm not using environment variables. But it gives me a password error when trying to enter my app-specific password until the normal prompt when running xcodes update.

I'd really love this feature as well. Every so often my automated server that checks for Xcode updates sends 2FA prompts to my phone. I think using an app-specific password should fix that.

@MattKiazyk do you have any thoughts on this? I'd be happy to take a look at possibly improving this, but you might have more context that might be useful here.

michalszelagsonos commented 2 years ago

This seems like a very useful feature in CI environments since it would allow for fully automated installs and do it by assigning an auth password that is scoped to a certain environment and can be revoked. I would love to see this implemented.

MattKiazyk commented 2 years ago

I would love to support app-specific passwords to download Xcode, but as far as I'm aware, there is no way to do that. If anybody has done that, please let me know and I'll gladly add that to Xcodes. It for sure would be better security-wise than having a username/password sent up.

michalszelagsonos commented 2 years ago

Fastlane has a fairly lengthy write-up on various ways of managing authentication, and their docs mention that actions other than uploading artifacts will not work with app-specific passwords. Here is the page where they outline more details:

https://docs.fastlane.tools/getting-started/ios/authentication/

Fastlane does appear to be able to cache the session info and reuse it for some time, which may be better, but that has limitations as well. Not sure if it is better to unexpectedly require human input or just build a workflow that is annoying but predictable 🤔. To be clear, I like the idea of the app-specific password for these reasons: security, and ease of automation. From their docs, it sounds like there are limitations on the API as far as what can be done with these passwords? Is that the issue?

For some more context, I am interested in this as I'd like to be able to manage a fleet of Mac nodes where we can auto-deploy new Xcode versions via CI, install it, bake an image like an AMI and roll it out. It would be awesome to just define the config, have CI do all the heavy lifting and roll out the new version, and not resort to click-ops for all of this.

MattKiazyk commented 2 years ago

The difference between fastlane and Xcodes is fastlane mostly deals with the AppStoreConnect portion of Apple's services. Xcodes and similar tools use the developer side. The main issue is I cannot take that app-specific password, log in, and then use that token to be able to plug that in to download an Xcode version. Perhaps there is an API somewhere out there to do that? I haven't found it yet.

As an example for Xcodes UI app, I would absolutely love to have the Sign In with Apple mechanism so an app-specific password isn't even needed.

MattKiazyk commented 1 year ago

Closing this as Xcodes 1.0 now requires no username+password 🥳

michalszelagsonos commented 1 year ago

Great work! FYI, the top-level readme needs an update as it still references username and password requirements.

samwyndham commented 1 year ago

Should this ticket be re-opened now that username+password is required?

robertoandrade commented 6 months ago

Anything new on this?