fastlane / fastlane

🚀 The easiest way to automate building and releasing your iOS and Android apps
https://fastlane.tools
MIT License
39.72k stars 5.72k forks

This operation can only be performed by the Account Holder #27149

Open justinkumpe opened 1 month ago

justinkumpe commented 1 month ago

Trying to generate new certificates through match and getting "This request is forbidden for security reasons - This operation can only be performed by the Account Holder". This has worked fine in the past but I am having issues now. I regenerated the auth certificate to have Admin Access but that does not work. The only way I can see to get Account Holder access is with an individual certificate, which fastlane does not seem to be compatible with.

+--------------------------------------------------------------------------------------+
|                              Summary for match 2.225.0                               |
+----------------------------------------+---------------------------------------------+
| generate_apple_certs                   | true                                        |
| api_key                                | ********                                    |
| type                                   | developer_id                                |
| readonly                               | false                                       |
| skip_provisioning_profiles             | false                                       |
| app_identifier                         | ["com.kumpeapps.flet.kumpe3dkiosk"]         |
| username                               | jakumpe@******                     |
| team_id                                | **********                                  |
| storage_mode                           | git                                         |
| git_url                                | git@github.com:******** |
| git_branch                             | master                                      |
| shallow_clone                          | false                                       |
| clone_branch_directly                  | false                                       |
| skip_google_cloud_account_confirmation | false                                       |
| s3_skip_encryption                     | false                                       |
| gitlab_host                            | https://gitlab.com                          |
| keychain_name                          | login.keychain                              |
| force                                  | false                                       |
| force_for_new_devices                  | true                                        |
| include_mac_in_profiles                | true                                        |
| include_all_certificates               | false                                       |
| force_for_new_certificates             | false                                       |
| skip_confirmation                      | false                                       |
| safe_remove_certs                      | false                                       |
| skip_docs                              | false                                       |
| platform                               | ios                                         |
| derive_catalyst_app_identifier         | false                                       |
| fail_on_name_taken                     | false                                       |
| skip_certificate_matching              | false                                       |
| skip_set_partition_list                | false                                       |
| force_legacy_encryption                | false                                       |
| verbose                                | false                                       |
+----------------------------------------+---------------------------------------------+

[15:30:43]: Cloning remote git repo...
[15:30:43]: If cloning the repo takes too long, you can use the `clone_branch_directly` option in match.
[15:30:45]: Checking out branch master...
[15:30:45]: 🔓  Successfully decrypted certificates repo
[15:30:45]: Verifying that the certificate and profile are still valid on the Dev Portal...
[15:30:45]: Creating authorization token for App Store Connect API
[15:30:45]: Warning: `force_for_new_devices` is set but is ignored for developer_id.
[15:30:45]: You can safely stop specifying `force_for_new_devices` when running Match for type 'developer_id'.
[15:30:46]: Couldn't find a valid code signing identity for developer_id_application... creating one for you now

+----------------------------------------------------------------------------------+
|                             Summary for cert 2.225.0                             |
+-------------------------+--------------------------------------------------------+
| platform                | ios                                                    |
| development             | false                                                  |
| type                    | developer_id_application                               |
| generate_apple_certs    | true                                                   |
| force                   | true                                                   |
| api_key                 | ********                                               |
| username                | jakumpe@******                                |
| team_id                 | ******                                             |
| keychain_path           | /Users/justinkumpe/Library/Keychains/login.keychain-db |
| skip_set_partition_list | false                                                  |
+-------------------------+--------------------------------------------------------+

[15:30:46]: Creating authorization token for App Store Connect API
+----------------------------------------------------------------------------------------------+
|                                         Lane Context                                         |
+------------------------------------+---------------------------------------------------------+
| DEFAULT_PLATFORM                   | ios                                                     |
| PLATFORM_NAME                      | ios                                                     |
| LANE_NAME                          | ios update_match                                        |
| SIGH_PROFILE_TYPE                  | development                                             |
| MATCH_PROVISIONING_PROFILE_MAPPING | {"com.kumpeapps.flet.kumpe3dkiosk"=>"match Development  |
|                                    | com.kumpeapps.flet.kumpe3dkiosk"}                       |
+------------------------------------+---------------------------------------------------------+
[15:31:00]: Called from Fastfile at line 48
[15:31:00]: ```
[15:31:00]:     46:           type: "development"
[15:31:00]:     47:         )
[15:31:00]:  => 48:         match(
[15:31:00]:     49:           generate_apple_certs: true, 
[15:31:00]:     50:           api_key: api_key,
[15:31:00]: ```
[15:31:00]: This request is forbidden for security reasons - This operation can only be performed by the Account Holder.

+------------------------------------------------+
|                fastlane summary                |
+------+---------------------------+-------------+
| Step | Action                    | Time (in s) |
+------+---------------------------+-------------+
| 1    | update_fastlane           | 7           |
| 2    | default_platform          | 0           |
| 3    | is_ci                     | 0           |
| 4    | is_ci                     | 0           |
| 5    | app_store_connect_api_key | 0           |
| 6    | match                     | 5           |
| 7    | match                     | 4           |
| 💥   | match                     | 16          |
+------+---------------------------+-------------+

[15:31:00]: fastlane finished with errors

Looking for related GitHub issues on fastlane/fastlane...

Found no similar issues. To create a new issue, please visit:
https://github.com/fastlane/fastlane/issues/new
Run `fastlane env` to append the fastlane environment to your issue

[!] The request could not be completed because:
        This request is forbidden for security reasons - This operation can only be performed by the Account Holder.
justinkumpe commented 1 month ago

✅ fastlane environment ✅

### Stack

| Key                         | Value                                       |
| --------------------------- | ------------------------------------------- |
| OS                          | 15.0.1                                      |
| Ruby                        | 3.3.5                                       |
| Bundler?                    | true                                        |
| Git                         | git version 2.46.1                          |
| Installation Source         | /usr/local/lib/ruby/gems/3.3.0/bin/fastlane |
| Host                        | macOS 15.0.1 (24A348)                       |
| Ruby Lib Dir                | /usr/local/Cellar/ruby/3.3.5/lib            |
| OpenSSL Version             | OpenSSL 3.3.1 4 Jun 2024                    |
| Is contained                | false                                       |
| Is homebrew                 | false                                       |
| Is installed via Fabric.app | false                                       |
| Xcode Path                  | /Applications/Xcode.app/Contents/Developer/ |
| Xcode Version               | 16.0                                        |
| Swift Version               | 6.0                                         |

### System Locale

| Variable | Value       |    |
| -------- | ----------- | -- |
| LANG     | en_US.UTF-8 | ✅ |
| LC_ALL   |             |    |
| LANGUAGE |             |    |

### fastlane files:

`./fastlane/Fastfile`

```ruby
# This file contains the fastlane.tools configuration
# You can find the documentation at https://docs.fastlane.tools
#
# For a list of all available actions, check out
#
#     https://docs.fastlane.tools/actions
#
# For a list of all available plugins, check out
#
#     https://docs.fastlane.tools/plugins/available-plugins
#

# Uncomment the line if you want fastlane to automatically update itself
update_fastlane

default_platform(:ios)

platform :ios do
  desc "Updates match certificates"
  lane :update_match do
    if is_ci
      setup_ci
      api_key = app_store_connect_api_key(
        "key_id": ENV['APPLE_APP_STORE_API_KEY_ID'],
        "issuer_id": ENV['APPLE_APPSTORE_API_ISSUER_ID'],
        "key_content": ENV['APPLE_APP_STORE_API_KEY']
      )
    end
    if !is_ci
      api_key = app_store_connect_api_key(
        key_id: "",
        issuer_id: "********",
        key_filepath: "/Users/justinkumpe/Documents/AuthKey_.p8",
        duration: 1200, # optional (maximum 1200)
        in_house: false # optional but may be required if using match/sigh
      )
    end
    match(
      generate_apple_certs: true,
      api_key: api_key,
      type: "appstore"
    )
    match(
      generate_apple_certs: true,
      api_key: api_key,
      type: "development"
    )
    match(
      generate_apple_certs: true,
      api_key: api_key,
      type: "developer_id"
    )
    match(
      generate_apple_certs: true,
      api_key: api_key,
      type: "developer_id_installer"
    )
    match(
      generate_apple_certs: true,
      api_key: api_key,
      type: "mac_installer_distribution"
    )
  end

  lane :matchget do
    if is_ci
      setup_ci
    end
    match(generate_apple_certs: true, type: "development", readonly: is_ci, app_identifier: "com.kumpeapps.flet.kumpe3dkiosk", git_basic_authorization: ENV['MATCH_GIT_BASIC_AUTHORIZATION'], git_url: "https://github.com/******")
    match(generate_apple_certs: true, type: "appstore", readonly: is_ci, app_identifier: "com.kumpeapps.flet.kumpe3dkiosk", git_basic_authorization: ENV['MATCH_GIT_BASIC_AUTHORIZATION'], git_url: "https://github.com/******")
  end
end
```

`./fastlane/Appfile`

```ruby
app_identifier("com.kumpeapps.flet.kumpe3dkiosk") # The bundle identifier of your app
apple_id("jakumpe@******.net") # Your Apple email address

itc_team_id("******") # App Store Connect Team ID
team_id("******") # Developer Portal Team ID

# For more information about the Appfile, see:
#     https://docs.fastlane.tools/advanced/#appfile
```

### fastlane gems

| Gem      | Version | Update-Status |
| -------- | ------- | ------------- |
| fastlane | 2.225.0 | ✅ Up-To-Date |

### Loaded fastlane plugins:

| Plugin                      | Version | Update-Status |
| --------------------------- | ------- | ------------- |
| fastlane-plugin-badge       | 1.5.0   | ✅ Up-To-Date |
| fastlane-plugin-test_center | 3.19.1  | ✅ Up-To-Date |

*generated on:* **2024-10-26**
ruby05guy commented 3 weeks ago

Hello,

I've run into similar issues in the past when migrating to newer versions of Fastlane, and I found that the API key permissions might not always be clear-cut. Even if your API key looks like it has the correct scope, it could still be tied to Admin privileges rather than the Account Holder's. Regenerating the API key with the correct permissions is usually the best bet.