Did Apple break SPACESHIP_SKIP_2FA_UPGRADE=1?

[Westacular]

New Issue Checklist

• Updated fastlane to the latest version
• I read the Contribution Guidelines
• I read docs.fastlane.tools
• I searched for existing GitHub issues

Issue Description

When using match in a CI provisioning update process (that hasn't changed in a while), we're suddenly getting Unauthorized Access when spaceship tries to sign into Apple using a non-2FA Apple ID with SPACESHIP_SKIP_2FA_UPGRADE=1 set. It was working two days ago.

Issue occurs with 2.212.1, 2.212.2, and 2.213.0.

The credentials haven't changed, and I've confirmed I can manually login to the portal with the same Apple ID and everything appears to work and it has access to certs/provisioning.

The end of the spaceship logs:

INFO  [18:40:42]: >> GET https://appleid.apple.com/account/manage/repair/options: [undefined body] 
DEBUG [18:40:43]: << GET https://appleid.apple.com/account/manage/repair/options: 200 {"type"=>"sa", "repairAttribute"=>"hsa2_enrollment", "requiredSteps"=>["hsa2_enrollment"], "allowiCloudAccount"=>false, "phoneNumberRequirementGracePeriodEnded"=>false}
INFO  [18:40:43]: >> GET https://appleid.apple.com/account/security/upgrade/setuplater: [undefined body] 
DEBUG [18:40:43]: << GET https://appleid.apple.com/account/security/upgrade/setuplater: 200 {"success"=>0, "requiresTerms"=>false, "localLoginUsesAnAppleID"=>false, "clientShouldSetPasscode"=>false, "wasMacTrustedDeviceConverted"=>false, "autoEnrollFailed"=>false, "mandatory"=>false, "notEligibileToJoinFamily"=>false, "requiresiCloudAccount"=>false, "requiresEmailRepair"=>false, "nonFTEUEnabled"=>false, "displayNonUpgradeableDeviceWarning"=>false, "displayIncompatibleDeviceWarning"=>false, "displayInvalidCreditCardWarning"=>false, "accountAlreadyEnrolled"=>false, "displayEligibilityWarnings"=>false, "displayVerificationRequiredWarning"=>false, "incompatibleDeviceWarningAccepted"=>false, "invalidCreditCardWarningAccepted"=>false, "otherOptionsWarningAccepted"=>false, "nonUpgradeableDeviceWarningAccepted"=>false, "verificationRequiredWarningAccepted"=>false, "shouldSuppressDevicePhoneNumbersOffer"=>false, "actionValidationSuccessful"=>false, "successful"=>false}
INFO  [18:40:43]: >> POST https://idmsa.apple.com/appleauth/auth/repair/complete: [non JSON body] 
DEBUG [18:40:43]: << POST https://idmsa.apple.com/appleauth/auth/repair/complete: 204 
INFO  [18:40:43]: >> GET https://appstoreconnect.apple.com/olympus/v1/session: [undefined body] 
DEBUG [18:40:43]: << GET https://appstoreconnect.apple.com/olympus/v1/session: 401 {"errors"=>[{"id"=>"<masked>", "status"=>"401", "code"=>"NOT_AUTHORIZED.2FA_REQUIRED", "title"=>"An account supporting 2-Factor Authentication is required to log in.", "detail"=>"Your Apple ID needs to be upgraded. Apple requires two-factor authentication to help ensure you're the only person who can sign in to your Apple ID. See: https://appleid.apple.com/manage/security/2sv/enrollment", "links"=>{"see"=>"/login?errorKey=ITC.signin.error.invalidLogin.require2sv"}}]}
WARN  [18:40:43]: Auth lost

I'm not sure what a successful log for this used to look like, so it's hard to guess at what changed / why things have broken, but perhaps some implementation detail that the SPACESHIP_SKIP_2FA_UPGRADE workaround depends on has changed?

[fastlane-bot]

It seems like you have not included the output of fastlane env
To make it easier for us help you resolve this issue, please update the issue to include the output of fastlane env 👍

[mdubs]

We are seeing the same outcome; was working less than 12 hours ago not working now

[SaeedRahmatolahiAmity]

is it possible to login on Terminal and store the session to bypass this ? does anybody know its possible or not ?

[tychop]

Same Issue over here... Using Enterprise account...

[lundn]

Same here when using an Enterprise account!

[julientini]

same, with Enterprise account

[aebischers]

yes same here. It looks like Apple replaced Hashcash with SRP-6a (Secure Remote Password protocol). Thanks Apple for breaking our Enterprise CI builds! Apple should rather focus on App Store Connect APIs for Enterprise Developer Programs!

[lemonjuicer]

Any by-when on this update? is this being actively worked on? Looking forward to updates :) thanks!

[robokeo]

Same issue here with Enterprise account. We need a fix for this. is there any update?

[lundn]

We temporarily circumvent this login issue with spaceship (for Enterprise), by running match in read-only mode. Don't know if that's applicable for other setups though.

[swamatt10]

Same issue here with our Enterprise account. We really need a fix.

[lemonjuicer]

Hello!? Is anyone paying attention to this? Looking for a ❤️ beat...

[itaischuftan]

EDIT: This does not solve for enterprise!

This the 2nd time this thing has broken our CI in the past couple of months, so we've decided to use the better option provided here:
https://docs.fastlane.tools/app-store-connect-api/

Create a JSON file with the following keys and set its location in $API_KEY_PATH:

{
    "issuer_id": "12345678-abcd-1234-4321-abdefg123456",
    "key": "-----BEGIN PRIVATE KEY-----\nMIGTA...\n-----END PRIVATE KEY-----",
    "key_id": "123ABC456D",
  }

you need to get the private key by creating an API key in appstoreconnect.com and then use your command as follows:

$ fastlane pilot distribute --api_key_path $API_KEY_PATH

It won't take you a lot of time to implement it, and you won't be facing this 2FA issues anymore <3

[tychop]

This the 2nd time this thing has broken our CI in the past couple of months, so we've decided to use the better option provided here: https://docs.fastlane.tools/app-store-connect-api/

Create a JSON file with the following keys and set its location in $API_KEY_PATH:

{
    "issuer_id": "12345678-abcd-1234-4321-abdefg123456",
    "key": "-----BEGIN PRIVATE KEY-----\nMIGTA...\n-----END PRIVATE KEY-----",
    "key_id": "123ABC456D",
  }

you need to get the private key by creating an API key in appstoreconnect.com and then use your command as follows:

$ fastlane pilot distribute --api_key_path $API_KEY_PATH

It won't take you a lot of time to implement it, and you won't be facing this 2FA issues anymore <3

Does this work for Enterprise users?

[itaischuftan]

This the 2nd time this thing has broken our CI in the past couple of months, so we've decided to use the better option provided here: https://docs.fastlane.tools/app-store-connect-api/
Create a JSON file with the following keys and set its location in $API_KEY_PATH:

{
    "issuer_id": "12345678-abcd-1234-4321-abdefg123456",
    "key": "-----BEGIN PRIVATE KEY-----\nMIGTA...\n-----END PRIVATE KEY-----",
    "key_id": "123ABC456D",
  }

you need to get the private key by creating an API key in appstoreconnect.com and then use your command as follows:

$ fastlane pilot distribute --api_key_path $API_KEY_PATH

It won't take you a lot of time to implement it, and you won't be facing this 2FA issues anymore <3

Does this work for Enterprise users?

Just tested for enterprise, it does not work :(

[rajpratim123]

Any update on this? Unable to login and fetch required certs for our CI pipelines. Was working a week back. Any solution?

[SaeedRahmatolahiAmity]

Any update on this? Unable to login and fetch required certs for our CI pipelines. Was working a week back. Any solution?
try this way It's working even on Enterprise accounts

We temporarily circumvent this login issue with spaceship (for Enterprise), by running match in read-only mode. Don't know if that's applicable for other setups though.

[rajpratim123]

Any update on this? Unable to login and fetch required certs for our CI pipelines. Was working a week back. Any solution?
try this way It's working even on Enterprise accounts

We temporarily circumvent this login issue with spaceship (for Enterprise), by running match in read-only mode. Don't know if that's applicable for other setups though.

Can you please elaborate a bit? Do we replace the login commands with this(in that case please specify the command)? Any help is appreciated!

[AbbyM]

Any update on this? Unable to login and fetch required certs for our CI pipelines. Was working a week back. Any solution?
try this way It's working even on Enterprise accounts

We temporarily circumvent this login issue with spaceship (for Enterprise), by running match in read-only mode. Don't know if that's applicable for other setups though.

Can you please elaborate a bit? Do we replace the login commands with this(in that case please specify the command)? Any help is appreciated!

I don't know how he manage to make it work with "mach" but i found a temporary workaround using FASTLANE_SESSION and FASTLANE_TEAM_ID.

For this you need an Apple-ID account with 2FA activated that is invited to the enterprise team as an admin.

Then you can login with that account in any computer :

fastlane spaceauth -u "apple id mail".

Result of that command need to be set in "FASTLANE_SESSION " environment variable in your CI.

"FASTLANE_TEAM_ID" need also to be set to your Enterprise Team ID.

FASTLANE_SESSION are valid for 1 month ( exactly 2592000 seconds) , this is not a fix but a temporary workaround, you still have to perform an action per month.

I didn't touch a thing in my lanes, just these two env vars.

I have nothing better at this time :/

[GauthierG]

@AbbyM unfortunetly the validity of the session is variable. As stated in the Fastlane's documentation https://docs.fastlane.tools/getting-started/ios/authentication/

The session's validity can greatly vary (anything between 1 day and 1 month, depending on factors such as geolocation of the session usage).

On our side, it seems that our session's validity is up to a day according to our tests ...

We hope that Fastlane's team will be able to provide a fix for enterpise account that cannot use the app store connect api 🙏

[AbbyM]

@AbbyM unfortunetly the validity of the session is variable. As stated in the Fastlane's documentation https://docs.fastlane.tools/getting-started/ios/authentication/

The session's validity can greatly vary (anything between 1 day and 1 month, depending on factors such as geolocation of the session usage).

On our side, it seems that our session's validity is up to a day according to our tests ...

We hope that Fastlane's team will be able to provide a fix for enterpise account that cannot use the app store connect api 🙏

No luck for you :/

Yes duration of the session depend on your region but you can know this duration when you generate the session, it's literaly in the token :
true\n path: "/"\n secure: true\n httponly: true\n expires: \n max_age: 2592000\n created_at: &1 2023-05-30 10:35:44.866468300 +02:00\n accessed_at: *1\n-

Max age : 2592000 seconds
2592000 / 60 / 60 / 24 = 30 days.

@GauthierG I suppose your is 86400 ?

[itaischuftan]

The max age in our token also shows 2592000 but it expires after 1 day :/
We really need someone to look at this

[GauthierG]

@AbbyM Hmmm actually we do have 2592000 as max_age for domain idmsa.apple.com. 🤔
We also have max_age 1800 for domain appstoreconnect.apple.com

Our newest token was generated 6 hours ago and is still valid for now.

We will see what happens tommorow. But maybe something else invalidate the token before its expiration ?

[AbbyM]

@AbbyM Hmmm actually we do have 2592000 as max_age for domain idmsa.apple.com. 🤔 We also have max_age 1800 for domain appstoreconnect.apple.com

Our newest token was generated 6 hours ago and is still valid for now.

We will see what happens tommorow. But maybe something else invalidate the token before its expiration ?

I'm not sure about this but i think if you login again with the same Apple Id it will generate a new session and invalidate the previous one.
Another possibility is Apple invalidate session from their side depending of your region and just leave you with a "max_age" that is never reach...

[rajpratim123]

Any update on this? Unable to login and fetch required certs for our CI pipelines. Was working a week back. Any solution?
try this way It's working even on Enterprise accounts

We temporarily circumvent this login issue with spaceship (for Enterprise), by running match in read-only mode. Don't know if that's applicable for other setups though.

Can you please elaborate a bit? Do we replace the login commands with this(in that case please specify the command)? Any help is appreciated!

I don't know how he manage to make it work with "mach" but i found a temporary workaround using FASTLANE_SESSION and FASTLANE_TEAM_ID.

For this you need an Apple-ID account with 2FA activated that is invited to the enterprise team as an admin.

Then you can login with that account in any computer :

fastlane spaceauth -u "apple id mail".

Result of that command need to be set in "FASTLANE_SESSION " environment variable in your CI.

"FASTLANE_TEAM_ID" need also to be set to your Enterprise Team ID.

FASTLANE_SESSION are valid for 1 month ( exactly 2592000 seconds) , this is not a fix but a temporary workaround, you still have to perform an action per month.

I didn't touch a thing in my lanes, just these two env vars.

I have nothing better at this time :/

Thank you for the suggestion!! Will give it a try.

[freddi-kit]

Hello, I'm investigating and I want to fix it if can.

But FYI: #18116 As @joshdholtz said (⚠️ This may not work into the future when 2FA is hard forced on everyone) when introducing, SPACESHIP_SKIP_2FA_UPGRADE is adhoc solution of old issue so it's not unexpected we cannot use it now.

[philhinco]

We're seeing the same issue with our enterprise accounts, which haven't upgraded to API-Key yet

[ajmalbhat73]

Hello Enterprise account holders,

The fix works which is mentioned by @rajpratim123
What you need to do is:

1. Activate the MFA in your enterprise account (If not activated already)
2. login to the CI node (Jenkins) and run the below command
   $ fastlane spaceauth -u "apple mail id"
   This command will ask you for authentication and once done it will generate a session token
3. export the session token in the CI node (Jenkins)
   $ export FASTLANE_SESSION="you generated token"
   Run the pipeline and you are good to go.....

[rajpratim123]

Hello Enterprise account holders,

The fix works which is mentioned by @rajpratim123 What you need to do is:

1. Activate the MFA in your enterprise account (If not activated already)
2. login to the CI node (Jenkins) and run the below command
   $ fastlane spaceauth -u "apple mail id"
   This command will ask you for authentication and once done it will generate a session token
3. export the session token in the CI node (Jenkins)
   $ export FASTLANE_SESSION="you generated token"
   Run the pipeline and you are good to go.....

But the issue is that it will require manual intervention as we have to verify the code. The previous process was fully automated and this does break our flow in that respect.

[ajmalbhat73]

I agree but this is the only solution as of now we can have with enterprise accounts.

And what if you have multiple CI servers for building your pipelines?
FASTLANT_SESSION token is only working with one CI node after you export the variable, Are you using this Session token with multiple CI servers? Or can it be used with multiple CI servers?

[AbbyM]

Hello,

There is some good news !

I make a pull request fixing this issue #21317

After some debugging I realized that even with a UI logging / skip 2FA we are no longer able to get an olympus session :

So in case of a 2FA skip, I removed the call to https://appstoreconnect.apple.com/olympus/v1/session and everything seems to working as before in our CI .

No need to provide manually FASTLANE_SESSION ! For now ... 🍎 😨

If you can't wait the merge : https://github.com/AbbyM/fastlane-fix-2fa-olympus/tree/fix-2FA-Skip-olympus

[ajmalbhat73]

Hello,

There is some good news !

I make a pull request fixing this issue #21317

After some debugging I realized that even with a UI logging / skip 2FA we are no longer able to get an olympus session :

So in case of a 2FA skip, I removed the call to https://appstoreconnect.apple.com/olympus/v1/session and everything seems to working as before in our CI .

No need to provide manually FASTLANE_SESSION ! For now ... 🍎 😨

If you can't wait the merge : https://github.com/AbbyM/fastlane-fix-2fa-olympus/tree/fix-2FA-Skip-olympus

Hello Abby,

Is it working with enterprise accounts who have enabled the 2FA? Because 2FA cant be disabled if enabled already.

[AbbyM]

Hello,
There is some good news !
I make a pull request fixing this issue #21317
After some debugging I realized that even with a UI logging / skip 2FA we are no longer able to get an olympus session :

So in case of a 2FA skip, I removed the call to https://appstoreconnect.apple.com/olympus/v1/session and everything seems to working as before in our CI .
No need to provide manually FASTLANE_SESSION ! For now ... 🍎 😨
If you can't wait the merge : https://github.com/AbbyM/fastlane-fix-2fa-olympus/tree/fix-2FA-Skip-olympus

Hello Abby,

Is it working with enterprise accounts who have enabled the 2FA? Because 2FA cant be disabled if enabled already.

Hello,

Unfortunatly if you enabled 2FA after this apple breaking change, this fix will not help you and as you say you cant disable it :/

This issue is all about non-2FA enterprise.

Anyway you can still try to create another account without 2FA and enroll it to your enterprise.