xcpretty / xcode-install

🔽 Install and update your Xcodes
https://fastlane.tools
MIT License

Support FASTLANE_SESSION #395

Closed jviotti closed 2 years ago

jviotti commented 4 years ago

This environment variable can be used instead of the username & password combination for CI use on accounts with 2FA enabled. See https://github.com/fastlane/fastlane/tree/master/spaceship#2-step-verification

GhostLyrics commented 4 years ago

This will become increasingly important in 2021, according to a mail sent by Apple.

Starting February 2021, additional authentication will be required for all users to sign in to App Store Connect. This extra layer of security for your Apple ID helps ensure that you’re the only person who can access your account. You can enable two-step verification or two-factor authentication now in the Security section of your Apple ID account or in the Apple ID section of Settings on your device.

veronica-ovando-etermax commented 3 years ago

Hi, any updates on this? From now on, all users will have 2FA or 2SV enabled by default. Supporting FASTLANE_SESSION will be useful for CI. Thanks!

daniel-beard commented 3 years ago

Currently broken

cltnschlosser commented 3 years ago

I found a workaround for this:

XCODE_INSTALL_USER="User" XCODE_INSTALL_PASSWORD="Password" FASTLANE_SESSION='<redacted>' xcversion <command>

As long as you provide non-empty values for the environment variables, it will use the session instead. I recommend using fake values, like in my example; that way you get an Access forbidden (Spaceship::AccessForbiddenError) error and you don't have CI hanging waiting for a 2FA code. This could be a bit cleaner, but would need to add some hook into Spaceship for only checking the environment variable. Currently that isn't an option; it will always try the username and password, and prompt for them if not provided. See https://github.com/fastlane/fastlane/blob/48151291f2c4949c3b1b9919ba2cc81a7cc33293/spaceship/lib/spaceship/client.rb#L405

kapfab commented 3 years ago

Just using the session cookie file created by fastlane spaceauth (~/.fastlane/spaceship/•••@•••.•••/cookie) works fine with 2FA enabled. Do you really need to specifically use this environment variable in your context?

spacesuitdiver commented 3 years ago

@kapfab what exactly are you suggesting? Dumping the session into the user folder instead of providing it as an ENV variable?

kapfab commented 3 years ago

Yes, copying the cookie file into the expected folder. A bit more complex, but at least it works.

veronica-ovando-etermax commented 3 years ago

The approach suggested by @cltnschlosser works like a charm.

jenskuhrjorgensen commented 3 years ago

Thanks for the fix/hack @cltnschlosser ! :)

Do you know if it is or will be possible soon to authenticate using the Apple API key? This session solution doesn't feel like the right solution... I'm using xcversion in an Ansible script and don't know any other way around this now that username+password doesn't work anymore.

cltnschlosser commented 3 years ago

API key isn’t an option here (unless I’m wrong and then someone please let me know!).

I’m using the fastlane session as an input to an ansible script currently. I have a fastlane_session var that gets dumped into the environment variable when running xcversion.

jenskuhrjorgensen commented 3 years ago

Yeah, I think I'm doing something similar to you. But having to commit a session cookie to the repo for our pipeline to use sucks. A lot. Hope a better solution will be possible some day :)

spacesuitdiver commented 3 years ago

Guys, I still don't know how to get this working.

My problem is that every time I restart the machine the cookie exists but it's sending me 2FA texts and stalling at xcversion install. Running spaceauth again fixes the problem until I restart. Interestingly, I don't even have to fill in the number from the SMS into the CLI, not sure how that even works. It does have the cookie in the user folder and it should be using that just fine, I'd think.

1) Should FASTLANE_USER & FASTLANE_PASSWORD be equivalent to XCODE_INSTALL_USER & XCODE_INSTALL_PASSWORD?
2) Is FASTLANE_SESSION='' the actual cookie? Our ENV variables don't have enough "length" to support an entire cookie so I'm wondering if I'm guessing I'm stuck just doing the cookie file.

Thoughts? I might try adding the spaceauth command as part of my build script.

EDIT:

Supplying XCODE_INSTALL_USER and XCODE_INSTALL_PASSWORD nets me.

bundler: failed to load command: xcversion (/Users/bamboo/.rbenv/versions/2.6.3/bin/xcversion)
error   30-Mar-2021 10:28:22    /Users/bamboo/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/xcode-install-2.6.6/lib/xcode/install.rb:349:in `rescue in spaceship': The specified Apple developer account credentials are incorrect. (RuntimeError)

ykhandelwal913 commented 3 years ago

Now even after setting FASTLANE_SESSION, it does not work and needs 2FA. Any solution for that would be a great help.

ykhandelwal913 commented 3 years ago

@cltnschlosser setting up the FASTLANE_SESSION in the env variable is no longer working as well. Any other workaround can you suggest?

cltnschlosser commented 3 years ago

Nope. I don’t know what would have changed though. When Xcode 12.5 releases I’ll have to figure out something else to update CI boxes.

cltnschlosser commented 3 years ago

Did you try the cookie file approach? https://github.com/xcpretty/xcode-install/issues/395#issuecomment-775166374

ykhandelwal913 commented 3 years ago

@cltnschlosser In CI environment how can we create and setup cookie automatically?

cltnschlosser commented 3 years ago

Same as with the environment variable you have to do it manually beforehand. In my case xcversion is just used for installing XCode and simulators. This is done with ansible. So last time I did it, I generated the session and used ansible to install Xcode 12.4 on all the nodes using the session I had created.

ykhandelwal913 commented 3 years ago

I am using Ansible as well. Seems like it failed because I created the token on my local machine and was using the same session in CI. Once I created the session in CI and used it across CI, it is working.

Important note about session duration

The session generated, stored and reused as part of a 2FA/2SV authentication, or as part of spaceauth is subject to technical limitations imposed by Apple. Namely:

  - An Apple ID session is only valid within a certain region, meaning if the region you're using your session (e.g. CI system) is different than the region where you created that session (e.g. your local machine), you might run into issues. It's advised that you create the session in the same machine that will be used to consume it, to make the session last longer.
  - The session's validity can greatly vary (anything between 1 day and 1 month, depending on factors such as geolocation of the session usage). This means you'll have to generate a new session at least once a month. Usually you'd only know about it when your build starts failing.

mattrobmattrob commented 3 years ago

The cookie workaround is working for me with CI machines in roughly the same region as the machine that created the cookie on xcversion 2.7.0.

  1. bundle exec fastlane spaceauth -u foo@bar.com
  2. Copy over the ~/.fastlane/spaceship/foo@bar.com/ directory to the CI machine.
  3. XCODE_INSTALL_USER="foo@bar.com" XCODE_INSTALL_PASSWORD="real_password_here" xcversion install 12.3

The FASTLANE_SESSION approach did not work on fastlane 2.183.2 with xcversion 2.7.0.
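
A pre-flight check for the cookie workaround described in this thread, as an added example that is not part of any comment above and is not code from xcode-install or fastlane. It lets a CI job fail before calling xcversion when the copied cookie is missing, readable by other accounts, or older than the one-month upper bound quoted above. The function name, exit codes, 30-day default and the use of file mtime as a proxy for session age are assumptions.

```shell
#!/bin/sh
# Added example: verify the spaceship cookie before running xcversion in CI.
# The path layout ~/.fastlane/spaceship/<apple-id>/cookie is the one quoted in this thread.
# Assumptions: function name, exit codes and the 30-day default are illustrative;
# the file's mtime is only a rough proxy for when the session was created.

# check_spaceship_cookie APPLE_ID [MAX_AGE_DAYS] [HOME_DIR]
# Returns 0 = usable, 1 = missing or empty, 2 = readable by group/other, 3 = too old.
check_spaceship_cookie() {
    user=$1
    max_days=${2:-30}
    home=${3:-$HOME}
    cookie="$home/.fastlane/spaceship/$user/cookie"

    # Missing or empty cookie: the thread reports CI stalling on a 2FA prompt in this case.
    if [ ! -s "$cookie" ]; then
        echo "cookie missing or empty: $cookie" >&2
        return 1
    fi

    # The cookie is a session credential for the Apple ID, so only the owner may access it.
    # Characters 5-10 of the ls mode string are the group and other permission bits.
    perms=$(ls -ld "$cookie" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "cookie is accessible to group/other ($perms); run: chmod 600 $cookie" >&2
        return 2
    fi

    # Session validity is quoted as 1 day to 1 month, so flag cookies past the limit.
    if [ -n "$(find "$cookie" -mtime +"$max_days")" ]; then
        echo "cookie older than $max_days days; regenerate with fastlane spaceauth" >&2
        return 3
    fi
    return 0
}
```

Call it in the job before step 3, for example `check_spaceship_cookie foo@bar.com 30 || exit 1`, so an expired or exposed session surfaces as a clear failure rather than a hung install.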

jviotti commented 2 years ago

Closing stale issues