Cannot sign app with xcodebuild and authenticationKey

I'm trying the automated signing suggested in the WWDC21 session with xcodebuild and authenticationKey. I have an unsigned xcarchive and a .p8 key generated on the portal as suggested in the WWDC session, and I'm trying to sign it with:

xcodebuild -exportArchive -archivePath ./myapp.xcarchive -exportPath ./1 -exportOptionsPlist exportoptions.plist -authenticationKeyIssuerID <removed> -authenticationKeyID <removed> -authenticationKeyPath <full path to p8> -allowProvisioningUpdates

However, it fails, and I can see in IDEDistributionProvisioning.log the following response from Apple:

Payload:
{"urlEncodedQueryParams":"teamId=<removed>&filter%5BcertificateType%5D=DISTRIBUTION_MANAGED&limit=200"}

2021-09-23 10:19:23 +0000  2021-09-23 10:19:23 +0000 IDEProvisioningRepair(<removed>): 2021-09-23 10:19:23 +0000 IDEProvisioningRepair(<removed>): Received response for B50672C5-10E6-40CF-996A-097BADBD0EEF @ <https://appstoreconnect.apple.com/xcbuild/v1/certificates>. Code = 0

2021-09-23 10:19:23 +0000  2021-09-23 10:19:23 +0000 IDEProvisioningRepair(<removed>): 2021-09-23 10:19:23 +0000 IDEProvisioningRepair(<removed>): Response payload: {
  "errors" : [ {
    "id" : "8f50dfff-8ca6-442b-aa64-92f0a91730ec",
    "status" : "403",
    "code" : "FORBIDDEN_ERROR",
    "title" : "This request is forbidden for security reasons",
    "detail" : "You are not allowed to perform this operation.  Please check with one of your Team Admins, or, if you need further assistance, please contact Apple Developer Program Support. https://developer.apple.com/support"
  } ]
}


If I try to sign with my Dev account logged in to Xcode, xcodebuild uses it instead and signing completes with no issues.

Did I miss something?

Accepted Reply

I found that it's necessary to have the Admin role for the p8 key to succeed with this. I'm wondering why it should have the Admin role, if my regular Xcode account with the AppManager role works as well?

  • I also have the same issue but using an Admin role for the p8 doesn't work now.

Replies

@Artem_XZ can you describe how you managed to get Cloud-managed distribution certificates working, please? Even using the Admin API key, I get the following error:

Error Domain=IDEDistributionErrorDomain Code=10 "Failed to log in." UserInfo={IDEDistributionErrorsAccountIssues=(
), NSLocalizedDescription=Failed to log in., NSLocalizedRecoverySuggestion=App Store Connect access for “$TEAM_ID” is required. Ensure that your Apple ID account usernames and passwords are correct in the Accounts preference pane.}

Does the API key-based distribution still work for you?

  • Could you find a solution to this? I also have the same problem now.

  • We have had an automated build using the command line I put above working for 2 years already, and I have never seen this error, even using different teams. The only requirement is that a .p8 with the Admin role is needed; otherwise it fails.

I ran into the same issue and also updated the rights but didn't get it to work. I fixed it by exporting it locally first and then using altool to upload it.

For xcodebuild -exportArchive you'd need to do the following:

  • Set the export option plist destination to export
  • Add -exportPath <your preferred ipa folder> to the command

Validate or Upload

 xcrun altool --validate-app -f <ipa-folder/ipa-file.ipa> -t iOS --apiIssuer ... --apiKey ...
 xcrun altool --upload-app -f <ipa-folder/ipa-file.ipa> -t iOS --apiIssuer ... --apiKey ...

altool wants a key file stored in the folder where it's executed from: private_keys/AuthKey_<keyid>.p8

If you use GitHub Actions and secrets, setting up the key could look like this:

echo "${{ secrets.<idToYourStoredKeyContent> }}" > ${{ format('private_keys/AuthKey_{0}.p8', secrets.<idToYourStoredKeyId>) }}
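The key setup from the last reply, written as an added example that is not part of the original thread: it takes the key from environment variables instead of pasting the secret into the command text, checks it, and writes it with owner-only permissions. `ASC_KEY_ID`, `ASC_KEY_P8` and the function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example. ASC_KEY_ID / ASC_KEY_P8 are assumed variable names that the
# CI job fills from its secret store; they are not defined by Xcode or altool.

# stage_api_key KEY_ID KEY_PEM [BASE_DIR]
# Writes the key to BASE_DIR/private_keys/AuthKey_<KEY_ID>.p8 and prints the path.
stage_api_key() {
    key_id=$1; key_pem=$2; base_dir=${3:-.}

    # The key ID becomes part of a file name, so accept only letters and digits
    # (assumption: App Store Connect key IDs are alphanumeric).
    case $key_id in
        ''|*[!A-Za-z0-9]*) echo "invalid key id" >&2; return 1 ;;
    esac

    # An unset or mistyped secret expands to an empty string; fail early
    # instead of handing altool an empty key file.
    case $key_pem in
        "-----BEGIN PRIVATE KEY-----"*"-----END PRIVATE KEY-----"*) ;;
        *) echo "secret is not a PEM private key" >&2; return 1 ;;
    esac

    key_dir=$base_dir/private_keys
    key_file=$key_dir/AuthKey_$key_id.p8
    (
        umask 077                      # new files are owner-only from creation
        mkdir -p "$key_dir" || exit 1
        rm -f -- "$key_file"           # drop any older copy with wider modes
        printf '%s\n' "$key_pem" > "$key_file"
    ) || return 1
    chmod 700 "$key_dir" && chmod 600 "$key_file" || return 1
    printf '%s\n' "$key_file"
}

# remove_api_key PATH: delete the staged key once the upload step is done.
remove_api_key() {
    rm -f -- "$1"
}

# Runs only when both variables are present in the environment.
if [ -n "${ASC_KEY_ID:-}" ] && [ -n "${ASC_KEY_P8:-}" ]; then
    staged=$(stage_api_key "$ASC_KEY_ID" "$ASC_KEY_P8") || exit 1
    trap 'remove_api_key "$staged"' EXIT
    # Run the altool command from the reply here, from this same directory.
fi
```

The trap removes the key file when the script exits, so the private key does not stay in the workspace for later steps or cached artifacts.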