fastlane: iTunes account blocked/corrupted by fastlane sigh download
New Issue Checklist
- Updated fastlane to the latest version
- I read the Contribution Guidelines
- I read docs.fastlane.tools
- I searched for existing GitHub issues
Issue Description
After using fastlane sigh download to manually download provisioning profiles, the itunes account that was used gets somehow blocked. When signing in to appleid.apple.com I get the error “Failed to verify your identity. Try again” and the page stays with the loading indicator forever.
With the same account I can log in to developer.apple.com but not to itunesconnect.apple.com
After some time or some action that I cannot pinpoint, the account works again (asks for the security questions every time you log in but it works). Then fastlane sigh download works a couple of times and right after that the accounts gets blocked again.
I tried with a complete new apple id, registered everything in the development portal, etc. Then I used fastlane sigh download couple of times, it worked and then the new account also got blocked.
Needless to say, I tried resetting the password (successfully), different computers, etc. Didn’t help.
When the account is in this blocked state, when using fastlane sigh download I get the following error:
[18:28:16]: ▸ [18:28:16]: Get started using a Gemfile for fastlane https://docs.fastlane.tools/getting-started/ios/setup/#use-a-gemfile
[18:28:18]: ▸ +-------------------------------------+-------------------------------------------+
[18:28:18]: ▸ | Summary for sigh 2.63.0 |
[18:28:18]: ▸ +-------------------------------------+-------------------------------------------+
[18:28:18]: ▸ | development | true |
[18:28:18]: ▸ | provisioning_name | <Redacted>
[18:28:18]: ▸ | username | <Redacted>
[18:28:18]: ▸ | app_identifier | <Redacted>
[18:28:18]: ▸ | skip_certificate_verification | true |
[18:28:18]: ▸ | team_id | <Redacted> |
[18:28:18]: ▸ | adhoc | false |
[18:28:18]: ▸ | skip_install | false |
[18:28:18]: ▸ | force | false |
[18:28:18]: ▸ | ignore_profiles_with_different_name | false |
[18:28:18]: ▸ | skip_fetch_profiles | false |
[18:28:18]: ▸ | platform | ios |
[18:28:18]: ▸ | readonly | false |
[18:28:18]: ▸ +-------------------------------------+-------------------------------------------+
[18:28:18]: ▸ [18:28:18]: Starting login with user '<Redacted>'
[18:28:20]: ▸ Looking for related GitHub issues on fastlane/fastlane...
[18:28:20]: ▸
[18:28:20]: ▸ [!] The request could not be completed because:
[18:28:20]: ▸ <html>
[18:28:20]: ▸ <head><title>503 Service Temporarily Unavailable</title></head>
[18:28:20]: ▸ <body bgcolor="white">
[18:28:20]: ▸ <center><h1>503 Service Temporarily Unavailable</h1></center>
[18:28:20]: ▸ <hr><center>Shield</center>
[18:28:20]: ▸ </body>
[18:28:20]: ▸ </html>
[18:28:20]: ▸
I would really appreciate any suggestions here even though it looks like a problem on apple’s side, something very specific to my accounts or something temporary…
Environment
✅ fastlane environment ✅
Stack
| Key | Value |
|---|---|
| OS | 10.12.6 |
| Ruby | 2.2.2 |
| Bundler? | false |
| Git | git version 2.9.2 |
| Installation Source | ~/.rbenv/versions/2.2.2/bin/fastlane |
| Host | Mac OS X 10.12.6 (16G29) |
| Ruby Lib Dir | ~/.rbenv/versions/2.2.2/lib |
| OpenSSL Version | OpenSSL 1.0.2j 26 Sep 2016 |
| Is contained | false |
| Is homebrew | false |
| Is installed via Fabric.app | false |
| Xcode Path | /Applications/Xcode.app/Contents/Developer/ |
| Xcode Version | 8.3.3 |
System Locale
| Variable | Value | |
|---|---|---|
| LANG | en_US.UTF-8 | ✅ |
| LC_ALL | en_US.UTF-8 | ✅ |
| LANGUAGE |
fastlane files:
No Fastfile found
No Appfile found
fastlane gems
| Gem | Version | Update-Status |
|---|---|---|
| fastlane | 2.63.0 | ✅ Up-To-Date |
Loaded fastlane plugins:
No plugins Loaded
Loaded gems
| Gem | Version |
|---|---|
| slack-notifier | 1.5.1 |
| CFPropertyList | 2.3.4 |
| claide | 1.0.2 |
| colored2 | 3.1.2 |
| nanaimo | 0.2.3 |
| xcodeproj | 1.5.1 |
| rouge | 1.11.1 |
| xcpretty | 0.2.4 |
| terminal-notifier | 1.7.1 |
| unicode-display_width | 1.1.2 |
| terminal-table | 1.7.3 |
| plist | 3.2.0 |
| multipart-post | 2.0.0 |
| word_wrap | 1.0.0 |
| public_suffix | 2.0.4 |
| tty-screen | 0.5.0 |
| babosa | 1.0.2 |
| colored | 1.2 |
| highline | 1.7.8 |
| commander-fastlane | 4.4.5 |
| excon | 0.54.0 |
| faraday | 0.10.0 |
| unf_ext | 0.0.7.2 |
| unf | 0.1.4 |
| domain_name | 0.5.20161129 |
| http-cookie | 1.0.3 |
| faraday-cookie_jar | 0.0.6 |
| fastimage | 2.1.0 |
| gh_inspector | 1.0.2 |
| json | 1.8.1 |
| mini_magick | 4.5.1 |
| multi_json | 1.12.1 |
| multi_xml | 0.6.0 |
| security | 0.1.3 |
| xcpretty-travis-formatter | 0.0.4 |
| dotenv | 2.1.1 |
| bundler | 1.13.6 |
| faraday_middleware | 0.10.1 |
| uber | 0.0.15 |
| declarative | 0.0.9 |
| declarative-option | 0.1.0 |
| representable | 3.0.4 |
| retriable | 2.1.0 |
| addressable | 2.5.1 |
| mime-types-data | 3.2016.0521 |
| mime-types | 3.1 |
| little-plugger | 1.1.4 |
| logging | 2.1.0 |
| jwt | 1.5.6 |
| memoist | 0.15.0 |
| os | 0.9.6 |
| signet | 0.7.3 |
| googleauth | 0.5.1 |
| httpclient | 2.8.3 |
| google-api-client | 0.13.4 |
| rubyzip | 1.2.0 |
generated on: 2017-11-03
About this issue
- Original URL
- State: closed
- Created 7 years ago
- Reactions: 11
- Comments: 108 (33 by maintainers)
I’ve exactly the same problem 😦
Ok, after some more testing of the problem, I’ve found the following workarounds
So the IP blocking portion doesn’t seem to apply to different accounts now (not sure if my tests yesterday were bad, or if Apple already made a small change)
@taquitos Yes PLEASE 💯
I can give another example of how we use it.
We have a lane that updates provision profiles and certs using match for all our identifiers. this includes our app team, enteprise team and our white labeled teams. This however is all using the same account. It also then uses the same lane to ensure all our build agents (through jenkins pipeline in parallel) have the same provision profiles and certs while using match with read only 👍
This lane even adds new devices to each team using different device pool for each team as that is defined in our ruby code. 💎
We set it up this way to make it easy for developers to sent PR to add new devices and identifiers. It can even produce newly arrived bundle identifiers 🙊
All because of 🍎 quality webpage 😭 and less process overhead for our DevOps guys and I 🙈
This is already extending to over 30 identifiers and has been working wonderfully until now 😢
I talked to the Apple engineers today at WWDC to try to get some answer to this problem. Because I suspect that even if fastlane moves to the new API, we will still get problems with one Apple ID logging in many times in a some minutes or logging in from different machines.
They told me that because Fastlane is a third party tool, they can only look into the issue if the login problems also occur on some of their tools (e.g. Application Loader, Xcode, …). Because being able to log in with one account multiple times or across many devices is something they really want to avoid for obvious security reasons.
So I will try to reproduce this by logging in and out of Application Loader. If I reproduce the issue they will take a look.
Chill @fastlane-bot, it’s still not resolved.
Hey everyone, sorry we’re not actively working on this right now. We’ve reported the issue with Apple, but haven’t heard back.
For now as a temporary workaround, can you use
sleep(10)in-between calls to make it work? Or is that not enough?Hey everyone,
Looking at the code, it seems like there is already an environment variable option built-in you could use:
SPACESHIP_COOKIE_PATHTry setting this variable to a shared network drive every of your nodes has access to, and let me know if that works 👍
Hey everyone, thanks again for looking into this issue. Sorry it took so long, I finally found some time to look further into this issue, and was able to reproduce the issue and prepare a fix. You can check out the PR over here https://github.com/fastlane/fastlane/pull/11108
I’d love to ship this as a new release tomorrow morning 👍
Thanks for this info! This is super helpful to understand how people are running into this situation. We’re going to start exploring more aggressive session caching so if you use the same account, we don’t try to login each time. I think that should help a ton.
@KrauseFx so this is an issue. Signing into Developer portal and from there we can go to iTunesConnect. (After resetting password)
However when using Fastlane or logging in directly to iTunesConnect we get the infamous “Failed to verify your identity”
Still an issue, go away fastlane bot
Cool it @fastlane-bot, still an issue.
I did already. And I showed the radar. But they told me that the account gets blocked while using fastlane and this they don’t want to take care of. Of course once it’s blocked it will show on Application Loader (and everywhere else) but that is not enough.
I tried login-logout multiple times (more than 20 in a row) with application loader and their website and I could not reproduce the issue…
@elorz007 a quick and easy way to reproduce is to login using spaceship playgrounds multiple times in quick succession. Once you get blocked, you can attempt to login using Application Loader or any other Apple Product and it will continue to fail.
If you see them again, you can also point them to rdar://35445457 There are complete logs for requests and responses that trigger this on their own tools.
Update: I’ve updated the radar I filed with Apple last year around this (https://openradar.appspot.com/35445457), they just asked me for more information and to see if I can repro (which I can). So I updated them. 🤞 they fix it.
I sent them more information on 4/25/2018 to help them repro. Still no word.
Issue is not resolved.
Just an FYI - the
SPACESHIP_COOKIE_PATHsolution looks to be working. At least in my case. Thanks!So all that stuff happens in: https://github.com/fastlane/fastlane/blob/bc4105dbe77d244e7d6c3ba42af2d5f13146e4da/spaceship/lib/spaceship/client.rb
fetch_olympus_session,load_session_from_envare the methods involvedalso: https://github.com/fastlane/fastlane/blob/bc4105dbe77d244e7d6c3ba42af2d5f13146e4da/spaceship/lib/spaceship/two_step_client.rb#L85
where it creates a temp file:
file = Tempfile.new('cookie.yml')So I think if we made this less temporary, and provided a path, a shared storage area would be good, as long as you control for multiple readers/writers to the file.
Hmm, right as I was writing to confirm that this fix worked on the
2.68.2, I ranfastlane match nuke distributionfollowed by a lane that callsmatchthree times for an app with 7 targets… and it’s still failing with:FWIW, I was locked out of this account all morning due to the rate limit and I tried this immediately after I was able to unlock the account this afternoon. Not sure if that has anything to do with it.
@ytn3rd one theory is that Apple is trying to prevent brute-force login attacks, but they aren’t reenabling logins after a successful login.
I say it’s probably an Apple issue because you can get this to trigger even on the website. That being said, it’s probably really rare for people not using automation like fastlane.
thanks @casz, we’re checking it out 👍