fastlane: Doesn't ask for verification code, access forbidden and Apple account blocked

Issue Description

When I try to log in to the Apple account, it asks me for the username and password but not the verification code. The code arrives at the authorized Apple devices but the fastlane application does not ask me for it and returns access forbidden.

Command executed
Complete output when running fastlane, including the stack trace and command used
 
   Please enter your Apple ID developer credentials
[11:54:57]: Apple ID Username:
apple@....
[11:56:15]: Logging in...
Password (for apple@...): **************
[11:56:45]: --------------------
[11:56:45]: fastlane init failed
[11:56:45]: --------------------
[11:56:45]: ["The request could not be completed because:", "Access forbidden"] 

Environment

 
✅ fastlane environment ✅

Stack

Key Value
OS 13.1
Ruby 3.1.3
Bundler? false
Git git version 2.34.1
Installation Source /opt/homebrew/Cellar/fastlane/2.212.0/libexec/bin/fastlane
Host macOS 13.1 (22C65)
Ruby Lib Dir /opt/homebrew/Cellar/ruby@3.1/3.1.3_1/lib
OpenSSL Version OpenSSL 3.0.7 1 Nov 2022
Is contained false
Is homebrew true
Is installed via Fabric.app false
Xcode Path /Applications/Xcode.app/Contents/Developer/
Xcode Version 14.2
Swift Version 5.7.2

System Locale

Variable Value
LANG en_US.UTF-8
LC_ALL
LANGUAGE

fastlane files:

No Fastfile found

No Appfile found

fastlane gems

Gem Version Update-Status
fastlane 2.212.0 ✅ Up-To-Date

Loaded fastlane plugins:

No plugins Loaded

generated on: 2023-02-23

About this issue

  • State: closed
  • Created a year ago
  • Reactions: 87
  • Comments: 202 (22 by maintainers)

Most upvoted comments

✨ Official Update 10

Okay! So 2.212.1 is out on RubyGems and is waiting for approval on Homebrew (probably out sometime today)

Release 👉 https://github.com/fastlane/fastlane/releases/tag/2.212.1

Hope this all works for everyone now! And… it’s been a pleasure talking to you all but let’s not meet like this again 😉

✨ Official Update 7

So based on this feedback, some new headers I discovered earlier, and talking with people over at Appfigures… it looks like Apple implemented Hashcash in the API and that is what is causing this

I’m going to be looking into this further and should have a fix out for this… hopefully 🤞

I don’t have an ETA but I will dedicate this evening and I should be able to block off a lot of time tomorrow for this.

This Hashcash looks like it is there to help them determine denial of service stuff / too many signins from new devices

So…

Stay tuned and thank you all for your patience 🚀

✨ Official Update 1

It looks like this is happening to everybody. I was able to reproduce it on one of my accounts 😬

It appears that Apple might have added some new “federated” login thing. I got a weird prompt but my screenshot didn’t save. But I do see in my proxy logs that there are some new endpoints so I’m trying to figure out exactly what we need to change to make things start working again.

Huge favor

🙏 If we could pause any “+1” or “this is happening to me too” that would be greatly appreciated!

I want to keep the comments for any updates from the fastlane team or if anybody has done anything to fix this on their own ❤️

Thank you!

✨ Official Update 9 (I lost count)

Will be merging the PR and preparing a new version! New version should be out within an hour or so if nothing breaks during the release process 🙈

Thank you to everyone who participated in the conversation to help us diagnose the problem and thank you all for your patience ❤️

Hey, everyone!

I’ve reached out to an Apple contact to see if I can get any insight into what’s causing this.

Hopefully I’ll be able to give an update soon 🤞

But also… if you are able to use the App Store Connect API Key auth for any of your fastlane flows, that would probably get around this issue 🤷‍♂️

Side note: I have my two kids for the next few hours so this is not great timing 🙈 but… I’ll try to do as much as I can!

✨ Official Update 2

I got it working with SMS verification 🥳 There was a change in the API used for sending up the 2FA answers

Now testing with the other forms while my 2 year old is crawling all over me 🤷

✨ Official Update 8

I have a PR #21073 ready for review and some testers 😇

Summary: It adds a new X-APPLE-HC header to the auth flow that is simple to generate but not documented.

We got some awesome help by our friends at Appfigures who were also working on solving this issue today ❤️

Testing Steps

Update Gemfile and run bundle install, bundle update fastlane, or bundle update

gem "fastlane", :git => "https://github.com/fastlane/fastlane.git", :branch => "joshdholtz-implement-hashcash"

🙏 Please leave any question or issues about the PR on the PR and not on this thread

But… you can 👍 this comment and comment if PR worked for you in this thread

Just trying to make sure that this thread doesn’t become a huge conversation about the PR 😇


I need to sleep now so hoping to wake up to a bunch of “This works for me!” in the morning so I can push out a new release with this fix 😊

This seems to be due to Apple being careless somehow. You can fix it by manually changing your password and unlock your account.

It’s not a fix in my case. After unlock it and change the password, the “Access forbidden” error persists.

Looks like you already figured out that Hashcash was added, but figured I’d post my notes anyway


I can’t answer why this seems conditionally broken for people, but I think I’ve found a way to fix this.

Doing some testing by logging into https://developer.apple.com/download/all/?q=Safari through a browser and messing with the headers, it looks like Apple introduced the X-APPLE-HC header. Googling shows this seems to be a form of Hashcash, except without ext or rand part and with the date format changed.

More (Apple) hashcash details

The hashcash is in the format ver:bits:date:res::counter (ie. 1:12:20230223210829:6645198e569a298d0cb630f6341e6ef3::679), where:

  • ver: 1
  • bits: minimum number of leading zero bits in the hashcash (see below on how it is determined)
  • date: current UTC time: YYYYMMDDHHMMSS
  • res: resource string (see below on how it is determined)
  • counter: just a counter of how many iterations were required (doesn’t really matter)

At a high level, to “mint” a hashcash, construct the string ver:bits:date:res:ext::counter, hash it (SHA1), and check if it has enough zero bits at the start (our sample hashcash starts with 13 zero bits). Otherwise, increment counter and try again. Once you get a hash that has enough zero bits, you have your hashcash.

Now, in order to get the minimum bit count (it seems to vary) and the resource string, you have two options:

  • Make a normal GET request to https://idmsa.apple.com/appleauth/auth/signin (the website uses the values from this request)
  • Make a POST request to federate (I have no clue what this is for, but the website does it when you enter your email): https://idmsa.apple.com/appleauth/auth/federate. Payload is JSON, {"accountName": "EMAIL", "rememberMe": true/false}

In both cases, you’ll get X-Apple-HC-Challenge (res) and X-Apple-HC-Bits (bits) in the response headers. Use these to generate the hashcash, pass it as X-APPLE-HC and you should be set.

I got my (personal) Apple ID locked by my own code (had it running in a loop, after getting this error 3 times in a very short period it got locked) and had to change my password to unlock it. I still get -36607 from https://github.com/RobotsAndPencils/XcodesApp and from my own code without adding this, but as soon as I add this it works again.

Hope this helps
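
Added example, not part of the comment above and not fastlane's or Apple's code: the minting loop from those notes in Ruby, next to a verifier that shows what the stamp binds (challenge, timestamp, bit count). The challenge value, the `max_age` window and the function names are assumptions made for illustration; Apple's server-side checks are not documented.

```ruby
require "digest"

# Constructed sample challenge; a real one arrives in X-Apple-HC-Challenge.
SAMPLE_CHALLENGE = "0123456789abcdef0123456789abcdef"

# Number of leading zero bits in the SHA-1 digest of a stamp.
def leading_zero_bits(stamp)
  bits = Digest::SHA1.digest(stamp).unpack1("B*")
  bits.index("1") || bits.length
end

# Mint a stamp in the ver:bits:date:res::counter layout described above.
# bits and challenge come from X-Apple-HC-Bits and X-Apple-HC-Challenge.
def mint_hashcash(bits:, challenge:, now: Time.now.utc)
  date = now.getutc.strftime("%Y%m%d%H%M%S")
  counter = 0
  loop do
    stamp = "1:#{bits}:#{date}:#{challenge}::#{counter}"
    return stamp if leading_zero_bits(stamp) >= bits
    counter += 1
  end
end

# Verifier side (assumed behaviour): the stamp must name the challenge that
# was issued, be recent, claim at least min_bits and actually meet that claim.
def valid_hashcash?(stamp, challenge:, min_bits:, now: Time.now.utc, max_age: 300)
  ver, bits, date, res, ext, counter, *rest = stamp.split(":", -1)
  return false unless rest.empty? && ver == "1" && ext == "" && res == challenge
  return false unless [bits, counter].all? { |f| f.to_s.match?(/\A\d+\z/) }
  return false unless date.to_s.match?(/\A\d{14}\z/) && bits.to_i >= min_bits
  issued = Time.utc(*date.unpack("a4a2a2a2a2a2").map(&:to_i))
  return false if (now - issued).abs > max_age # max_age is an assumption
  leading_zero_bits(stamp) >= bits.to_i
rescue ArgumentError
  false # timestamp fields out of range
end

if __FILE__ == $PROGRAM_NAME
  stamp = mint_hashcash(bits: 10, challenge: SAMPLE_CHALLENGE)
  puts "X-APPLE-HC: #{stamp}"
  puts "verifies:   #{valid_hashcash?(stamp, challenge: SAMPLE_CHALLENGE, min_bits: 10)}"
end
```

Mint one stamp per sign-in attempt from a freshly fetched challenge; the comment above reports an account lock after three failed attempts made in a loop.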

This seems to be due to Apple being careless somehow. You can fix it by manually changing your password and unlock your account.

We have unlocked the account and changed the account password but the issue persists. Every time we try we receive the 2FA code in the trusted device but fastlane is unable to present the form to type it, instead presents the error we are all seeing. I am in Spain.

@aebischers But the account we use that is affected by this issue, does have 2FA enabled.

This seems to be due to Apple being careless somehow. You can fix it by manually changing your password and unlock your account.

✨ Official Update 5

I was able to replicate the issue again by VPN-ing into Luxembourg

This is super weird! I have no idea why it’s not failing for me anymore 😱 😱 😱

Okay, I got it working for me again now… I followed the following steps:

  1. Removing credentials from Fastlane via: fastlane fastlane-credentials remove --username APPLEUSERNAME

  2. Change password on Apple

  3. Adding credentials again fastlane fastlane-credentials add --username APPLEUSERNAME

In the last step, it asked me to authenticate again, filling in the new password and 2FA - after that, my normal flows started working again.

I deleted ~/.fastlane/spaceship/<email> and tried again, but still got the same error Access forbidden.

As I said, Xcode archiving and sending also fails. The official process is failing…

Same. No time to enter the 6-digits code and Access forbidden

Same symptoms here:

  • Access Forbidden error seen in match and spaceauth processes.
  • Happens in 2.209.1, 2.210.1 and 2.212.0 versions.
  • Yesterday it worked fine.
  • The account was blocked by Apple. After I unlocked it on Apple portal, the issue persists.
  • I have been able to create a cookie session (spaceauth) on a machine in Dublin. The error persists in Spain (where I am). Regional error? I don’t think that it’s a permanent solution since the cookie created in different regions expires soon.

Does anyone know a possible fix?

Thanks!

I had this issue about an hour ago. My account was blocked. I unblocked / changed the password and it worked on second try.

  1. fastlane fastlane-credentials remove --username APPLEUSERNAME

This has not worked for me. I keep getting the login to the authorized phone twice with its verification code but fastlane does not ask me for it.

Works perfectly with the joshdholtz branch, tried several methods and everything works fine. Great job.

Mine has magically started working with no changes.

❓ Where is everybody located that is seeing these issues?

Another fastlane user shared a test Apple ID account with me and… ✅ worked fine for me in the United States ❌ did not work for them in Europe

It seems like this could be a location based bug and we are hitting different Apple auth servers???

I am in Brazil

Tried deleting the ~/.fastlane/spaceship/<email>, still seeing the same issue where fastlane spaceauth -u email will hang while trying to login. I will get a couple of 2FA in my trusted device and then the command fails saying forbidden access

Have the same exact issue, getting access forbidden in terminal but my account was not blocked when I try to login dev portal. (2 hours ago everything was working)

Getting same issue, be careful as it completely locked my Apple account

Changing to use api_key did the trick. Also api_key seems to be supporting most of the features now and we don’t have to rotate the session every 30 days.

Just curious where did you use api_key?

Instructions on how to generate the API key: https://docs.fastlane.tools/app-store-connect-api/ and then put it as a JSON file inside the fastlane folder

Here is my fastfile

default_platform(:ios)

platform :ios do
  desc "Push a new beta build to TestFlight"
  lane :beta do
    upload_to_testflight(
      api_key_path: "fastlane/somefile.json",
      distribute_external: true,
      changelog: "02-27-2023 09:45:10"
    )
  end
end

contents of somefile.json placed inside fastlane folder

{
  "key_id": "your key id",
  "issuer_id": "your issuer id ",
  "key": "-----BEGIN PRIVATE KEY-----\nMIGTAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBHknlhdlYdLu\n-----END PRIVATE KEY-----",
  "duration": 1200,
  "in_house": false
}

Thank you @joshdholtz !

fastlane update_fastlane updated the version but still not working

@joshdholtz amazing work! When is version 2.212.1 going to be available via rubygems?

Once I figure out why my local release process is failing 🙈 But sooooooooooon

@ChristineWasike In my case, when apple blocked the account it also deleted app-specific password and I have had to create it again, is it possible that this is the case?

“bundle exec fastlane spaceauth -u <APPLE_ID>” is working perfectly now using the new branch from Spain! Good job!

@joshdholtz Your fix seems to fix the login issue to App Store Connect, but now I got a new error when upload a build

[!] Error uploading ipa file: [Application Loader Error Output]: Error uploading ‘/var/folders/8_/2vd36wqn2sq5y9skr7gwjcyw0000gn/T/458535fe-4479-498b-b245-138bb5384ec6.ipa’. [Application Loader Error Output]: Unable to upload archive. Failed to get authorization for username ‘<MY USERNAME>’ and password. ( [Application Loader Error Output]: The call to the altool completed with a non-zero exit status: 1. This indicates a failure.

Ha! I thought it said “try these”… They really need to change that messaging

São Paulo, Brazil, not working

@joshdholtz please have a look at your mailbox.

To add to the cases, I’m getting the 2FA code sent to my devices, but am never prompted to enter the code. It prompts a second time for the 2FA on my devices, then fails with Access Forbidden errors.

I’ve tried deleting the credentials and deleting the referenced folder in the .fastlane folder and still see the same behavior. My Apple account did get blocked once, but hasn’t been blocked again since.

It’s not just Fastlane having issues with Authentication. https://github.com/RobotsAndPencils/XcodesApp is having the same issue so Apple changed something around how it is checking Apple ID’s and is now setting those as locked.

We had the same problem and changed to using an API key that you can create with this documentation https://docs.fastlane.tools/app-store-connect-api/

same here, all of our mobile CI is down due to this

I am in Kenya and my account was also locked. After changing the password the issue persists. It is not a geo-locked issue.

fastlane --version
fastlane 2.212.0

@conradpronto

Do you know where we can see the scope of actions that are supported by the AppStore Connect API key? For example, can we use it to create Apple Pass Type Identifiers and create NFC Certificates?

Here is the scope of supported Fastlane actions/tools with API Key: https://docs.fastlane.tools/app-store-connect-api/

@superandrew213 I logged into appleid and it notified me there. Had to jump through a few screens to unlock it.

NFC Certificates

Check out Apple’s API here: https://developer.apple.com/documentation/appstoreconnectapi/certificatetype

These are the certificates you can generate with ASC API.

it worked now, thanks

@StringKaori Actually can you try again? I just tried it again 10 minutes ago and brew was able to install it finally

I can’t update it. When I run fastlane update_fastlane it says Updating fastlane from 2.212.0 to 2.212.1... 🚀, but when I run fastlane --version it says I’m still on 2.212.0

My archive uploads worked doing the following

  1. Switched the gemfile to branch => "joshdholtz-implement-hashcash"
  2. Re-created app-specific password and updated it in the environment
  3. Deleted the file at .fastlane/spaceship
  4. Ran my lane as usual

First I deleted the cookie in .fastlane/spaceship and then I got the new one by running bundle exec fastlane spaceauth -u your_email Then I tried uploading to testflight and apple store and everything is fine.

@ChristineWasike Previous app specific passwords are now invalid, generate a new one from https://appleid.apple.com/

@WJacobsNL In case you are/were using an app-specific-password somewhere for Fastlane, due to the issue yesterday my CI account’s app-specific-passwords were all wiped and I had to create a new one. This may explain your issue (I had it too because I forgot to update the app-specific-password) in our service connection for Azure Devops that uses fastlane.

@joshdholtz Your fix seems to fix the login issue to App Store Connect, but now I got a new error when upload a build

[!] Error uploading ipa file: [Application Loader Error Output]: Error uploading ‘/var/folders/8_/2vd36wqn2sq5y9skr7gwjcyw0000gn/T/458535fe-4479-498b-b245-138bb5384ec6.ipa’. [Application Loader Error Output]: Unable to upload archive. Failed to get authorization for username ‘’ and password. ( [Application Loader Error Output]: The call to the altool completed with a non-zero exit status: 1. This indicates a failure.

You probably need to generate a new app specific password, these get wiped when your account gets locked (at least that was the case on my end)

For me it started working again on 2.212.0. No idea…

While this gets fixed, we have been getting by setting MATCH_READONLY=true when using match. This will force it to only grab the profiles/certs that already exist in the associated git repo rather than trying to check if it needs to create new ones by reaching out to Apple.

I use account for fastlane only. It suddenly started today.

New York here with Spaceship::AccessForbiddenError. I did clear out the session folder in .fastlane/ (and this is after I’ve already re-enabled the account when it was locked this morning).

I could be wrong, but I just want to note that this doesn’t seem to have anything to do with Fastlane’s 2FA flow, since the login is failing, which happens before we even know we need 2FA in the first place. Please correct me if I’m mistaken.

I had this issue about an hour ago. My account was blocked. I unblocked / changed the password and it worked on second try.

Worked for me the second time as well! (London, UK)

Portugal – Access forbidden

The fix on the joshdholtz-fix-apple-id-2fa branch doesn’t work for me. I am not getting my account blocked but I am still receiving the Access forbidden error. So is the thinking that Apple has to fix this??

Suddenly fastlane worked well with 2fa after some trials. I have no idea why error disappeared…

Strangely, I’m getting sent two 2FA notifications every time I run fastlane spaceauth, but I’m never actually being prompted to type it in, so the command just times out & I’m left with Access forbidden.

I’ve tried the solutions above but, alas…

✨ Official Update 3

It looks like that trusted device still works without code changes but… having an existing session was causing to 💥 and lock out my account

Once I deleted the session from ~/.fastlane/spaceship/<email> it worked for me 🤷‍♂️

So… it seems like trusted device might work with current fastlane releases but it requires deleting that session.

Big Ask

Could somebody risk getting locked out again but try deleting your fastlane session first? (And this will only work with trusted device and not SMS)

We had an account used by CI which we normally use to fetch provisioning profiles from ADC as part of our process for performing release builds, which last night unexpectedly needed a password reset. After performing the password reset, it began working again.

I would love if we could use the App Store Connect API instead of needing to depend on an ADC login flow, but we use both a regular Apple ADC account as well as an Enterprise team account, and the Enterprise team account has no support at all for the App Store Connect API. Filed FB9161884, June 2021.

The login/password flow has always felt fragile and has broken unexpectedly at various times when Apple makes backend changes, it has no SLA and mandates 2FA on new accounts. We have to treat it as a brittle part of our CI infrastructure despite it being an important part of outputting release builds for both external use and internally among hundreds of developers as well as a dedicated QA team.

Same issues, account blocked and 2FA not working.

Exception type: Spaceship::AccessForbiddenError

Fastlane version 2.210.1

Having same issue since morning

Could not login to App Store Connect Please check your credentials and try again. This could be an issue with App Store Connect, Please try unsetting the FASTLANE_SESSION environment variable by calling ‘unset FASTLANE_SESSION’ (if it is set) and re-run fastlane spaceauth

Exception type: Spaceship::AccessForbiddenError

No workaround (:

Having the same issue here. Haven’t found a work-around.

We had the same problem and changed to using an API key that you can create with this documentation https://docs.fastlane.tools/app-store-connect-api/

Using an AppStoreConnect API key is something we are not willing to do, as there is no way to control which apps these keys can be used for and offers anonymous access to your Developer Account’s AppStoreConnect.

It seems like some sort of security policy change, for me this worked (on our CI):

  • unlock the account on Apple website
  • run unset FASTLANE_SESSION (if you are using it, might be optional) in CI
  • run bundle exec fastlane spaceauth -u APPLE_ID in CI to generate a new session
  • store the new FASTLANE_SESSION env var

I have this too. Tried to remove credentials and it didn’t help