pariyatti / mobile-app

The Pariyatti mobile app
https://pariyatti.app/
GNU Affero General Public License v3.0

Apple App Store Connect API #77

Closed deobald closed 2 years ago

deobald commented 2 years ago

Unfortunately, although we can now create API keys, only the Account Holder can request access to the Connect API, as per the attached screenshot.


brihas commented 2 years ago

Please try now. When I requested access I agreed to the policies below. Please confirm that we are abiding by these policies:

[Screenshot of the policies, 2022-06-06]

deobald commented 2 years ago

I received this reply from a helpful Codemagic engineer (who said it was okay to repost this). His explanation makes a lot of sense:

Hi @Steven Deobald, let me try to shed some light on the way that Codemagic handles user secrets as I believe this will help to dispel your concerns.

In order to use App Store (or any other) credentials, you have to store them somewhere on the machine that is doing the app building and signing. Since these secrets are necessary and need to be used for the build process to succeed, you necessarily need to make them available. When using Codemagic, the only difference is that you do not own the machine where the app is being built but you lease it for a limited time.

What is important to note is that configuring sensitive values in the Codemagic UI (as explained here: https://docs.codemagic.io/variables/environment-variable-groups/#storing-sensitive-valuesfiles) does not give us access to them. When you check the 'Secure' option while storing the environment variables, they are immediately encrypted and Codemagic does not have access to them. They are transferred encrypted to the build VM during the build process, decrypted and made available there during the build, and then the whole VM gets destroyed afterwards.

Since the API key is being used to build your own app, in your own development workflow and you are not using it to provide build services for other people/companies, you are not in violation of Apple's policy.

Here is the original Slack thread: https://codemagicio.slack.com/archives/CEKE2KZ37/p1654645429330889

I'm satisfied with this explanation, but I will wait for @brihas and @balwa to close this issue.
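The consuming side of what the Codemagic engineer describes, as an added example that is not code from this thread, from Codemagic or from the Pariyatti project: once the secure variables have been decrypted into the build VM, the job parses the .p8 private key from App Store Connect and mints the short-lived bearer token the Connect API requires (an ES256 JWT carrying the key ID in its header and issuer, issued-at, expiry and the `appstoreconnect-v1` audience in its payload; Apple rejects tokens valid for longer than 20 minutes). The environment variable names, the base64 wrapping of the .p8, and the helper names `ParseP8`, `MintToken`, `VerifySignature` and `NewTestKeyPEM` are assumptions made for this example; with no variables set it falls back to a freshly generated throwaway key so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"strings"
	"time"
)

// ParseP8 parses the PKCS#8 PEM file App Store Connect issues (the .p8 the CI
// secret store holds) and checks it is the P-256 key that ES256 requires.
func ParseP8(pemData []byte) (*ecdsa.PrivateKey, error) {
	block, _ := pem.Decode(pemData)
	if block == nil {
		return nil, errors.New("no PEM block in key material")
	}
	k, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	if ec, ok := k.(*ecdsa.PrivateKey); ok && ec.Curve == elliptic.P256() {
		return ec, nil
	}
	return nil, errors.New("expected a P-256 EC private key")
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// MintToken builds the bearer token the Connect API accepts: a compact JWS signed
// with ES256, "kid" in the header and iss/iat/exp/aud in the payload. Apple rejects
// tokens valid for more than 20 minutes, so the TTL is capped here.
func MintToken(key *ecdsa.PrivateKey, keyID, issuerID string, now time.Time, ttl time.Duration) (string, error) {
	if ttl > 20*time.Minute {
		ttl = 20 * time.Minute
	}
	h, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": keyID, "typ": "JWT"})
	p, _ := json.Marshal(map[string]interface{}{"iss": issuerID, "iat": now.Unix(),
		"exp": now.Add(ttl).Unix(), "aud": "appstoreconnect-v1"})
	signingInput := b64(h) + "." + b64(p)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	// JWS carries r||s as two fixed 32-byte integers, not the ASN.1 DER that most
	// ECDSA tooling emits; a DER-encoded signature is answered with a 401.
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64(sig), nil
}

// VerifySignature does what Apple's side does with the public half of the key:
// recompute the digest over header.payload and check the raw r||s against it.
func VerifySignature(tok string, pub *ecdsa.PublicKey) bool {
	parts := strings.Split(tok, ".")
	sig, err := base64.RawURLEncoding.DecodeString(parts[len(parts)-1])
	if len(parts) != 3 || err != nil || len(sig) != 64 {
		return false
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	return ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:]))
}

// NewTestKeyPEM generates a throwaway P-256 key in the same PKCS#8 PEM shape as a
// real .p8 (constructed test material), so the example runs without any Apple credential.
func NewTestKeyPEM() []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	der, _ := x509.MarshalPKCS8PrivateKey(key)
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})
}

func main() {
	// CI supplies the base64 .p8 and both IDs as decrypted env vars (names assumed); otherwise use a throwaway key.
	pemData, err := base64.StdEncoding.DecodeString(os.Getenv("APP_STORE_CONNECT_PRIVATE_KEY"))
	if err != nil || len(pemData) == 0 {
		pemData = NewTestKeyPEM()
	}
	key, err := ParseP8(pemData)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	tok, err := MintToken(key, os.Getenv("APP_STORE_CONNECT_KEY_IDENTIFIER"), os.Getenv("APP_STORE_CONNECT_ISSUER_ID"), time.Now(), time.Hour)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("minted token, header segment only:", strings.SplitN(tok, ".", 2)[0]) // never log the full bearer token
}
```

Two points follow from the code rather than from the thread. The token itself is worth at most 20 minutes to anyone who captures it, so the long-lived secret that the encrypted variable store and the VM teardown actually protect is the .p8; the token is minted fresh inside each build and should never be echoed into build output, which is why `main` prints only its header segment. And the signature has to be the raw 64-byte r||s form, because a DER-encoded ECDSA signature is the single most common reason a hand-rolled Connect API client gets a 401.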

brihas commented 2 years ago

Thanks, Steven! I am also satisfied with this explanation.

Best, Brihas


deobald commented 2 years ago

@balwa is busy this week helping his Mom recover from surgery. Since I doubt he'll have any disagreements with the way we're using the Connect API, I'm going to close this issue. If we need to, we can always re-open it.

I've tested the API Key creation and it works.

balwa commented 2 years ago

Yes, would be a little occupied this week🙂

The fact that there is at-rest and in-transit encryption and the machine is also recycled after the build gets done are acceptable measures to ensure that our API key remains private to the team. Also, our automation workflows will be publishing the app to TestFlight for our internal users of the app to test. So, we should be good.