fastlane: "Need to acknowledge to Apple's Apple ID and Privacy statement" error when using fastlane with non-2FA account (yeah, I know...)

Issue Description

This is very likely not a bug at all, but a case of Apple throwing an inaccurate error message, but I wanted to log it to a) confirm that others had the same experience, and b) just in case something is lost in translation from Apple to fastlane, c) I’m afraid to convert my account to 2FA just to confirm what I suspect (that Apple is just giving the wrong error message when blocking accounts without 2FA).

I have a build agent/ continuous integration Apple developer account that I was using for building apps, that does not have the upgraded two factor security required for all accounts by Apple starting in February. Even as of right now, despite Apple’s message that I would be “required” to upgrade security, I can still log into App Store Connect, developer.apple.com, appleid.apple.com, etc without actually upgrading any security (it bugs me to, makes me answer questions, but doesn’t force an upgrade). This had me hopeful that stuff still worked!

When using any command on fastlane that logs into Apple with this account, however, I get the following error:

Need to acknowledge to Apple's Apple ID and Privacy statement. Please manually log into https://appleid.apple.com (or https://appstoreconnect.apple.com) to acknowledge the statement.

I tried following the steps, but I never saw any new privacy statement.

However, when I try using fastlane with another account that does have 2FA, everything works just fine.

Command executed

register_devices (what happened to be first in my lane), pilot (another one I tried)

Complete output when running fastlane, including the stack trace and command used
 [00:28:43]: Loading from './fastlane/.env.autogenerated'
[00:28:44]: ------------------------------
[00:28:44]: --- Step: default_platform ---
[00:28:44]: ------------------------------
[00:28:44]: Driving the lane 'ios beta' 🚀
[00:28:44]: ------------------------------
[00:28:44]: --- Step: register_devices ---
[00:28:44]: ------------------------------
[00:28:44]: Login to App Store Connect (buildagent@nudgecoach.com)
Available session is not valid any more. Continuing with normal login.
+------------------+---------------+
|           Lane Context           |
+------------------+---------------+
| ENVIRONMENT      | autogenerated |
| DEFAULT_PLATFORM | ios           |
| PLATFORM_NAME    | ios           |
| LANE_NAME        | ios beta      |
+------------------+---------------+
[00:28:45]: Need to acknowledge to Apple's Apple ID and Privacy statement. Please manually log into https://appleid.apple.com (or https://appstoreconnect.apple.com) to acknowledge the statement.

+------+------------------+-------------+
|           fastlane summary            |
+------+------------------+-------------+
| Step | Action           | Time (in s) |
+------+------------------+-------------+
| 1    | default_platform | 0           |
| 💥   | register_devices | 1           |
+------+------------------+-------------+

[00:28:45]: fastlane finished with errors

Environment

 
✅ fastlane environment ✅

Stack

Key Value
OS 11.1
Ruby 2.7.1
Bundler? true
Git git version 2.29.2
Installation Source ~/.rbenv/versions/2.7.1/bin/fastlane
Host macOS 11.1 (20C69)
Ruby Lib Dir ~/.rbenv/versions/2.7.1/lib
OpenSSL Version OpenSSL 1.1.1i 8 Dec 2020
Is contained false
Is homebrew false
Is installed via Fabric.app false
Xcode Path /Applications/Xcode.app/Contents/Developer/
Xcode Version 12.3

System Locale

Variable Value
LANG en_US.UTF-8
LC_ALL
LANGUAGE

fastlane files:

`./fastlane/Fastfile`
require "spaceship"

default_platform :ios

platform :android do
  lane :beta do
    gradle(task: "clean", project_dir: 'android')
    gradle(
      task: 'assembleRelease',
      project_dir: 'android'
    )
  end
  lane :uploadToPlayStore do
    upload_to_play_store(
      track:"beta",
        skip_upload_metadata: false,
        skip_upload_images: true,
        skip_upload_screenshots: true,
        skip_upload_apk: false,
        apk: "android/app/build/outputs/apk/release/app-release.apk"
      )
  end
end
 
platform :ios do
  lane :labels do
    echo(message: 'APP_NAME:')
    echo(message: ENV['APP_NAME'])
    echo(message: 'APP_IDENTIFIER:')
    echo(message: ENV['APP_IDENTIFIER'])
    echo(message: 'SKU:')
    echo(message: ENV['SKU'])
    echo(message: 'TEAM_ID:')
    echo(message: ENV['TEAM_ID'])
    echo(message: 'TEAM_NAME:')
    echo(message: ENV['TEAM_NAME'])
    echo(message: 'ITC_TEAM_ID:')
    echo(message: ENV['ITC_TEAM_ID'])
    echo(message: 'ITC_TEAM_NAME:')
    echo(message: ENV['ITC_TEAM_NAME'])
  end

  # just some command that allows us to enter the second factor auth
  lane :entersecondfactor do
    Spaceship::Tunes.login
    Spaceship::Tunes.select_team
  end

    #  trying out portal add user stuff
  lane :teststuff do
    Spaceship::Tunes.login
    Spaceship::Tunes.client.team_id = ENV['ITC_TEAM_ID']
    begin
      Spaceship::Tunes::Members.create!(
        firstname: "Russ",
        lastname: "Campbell",
        email_address: "russ@nudgecoach.com",
        roles: ["developer"],
        apps: []
      )
    rescue
    end
    p Spaceship::Tunes::Members.all
  end

  lane :update_bundle_id do
    update_app_identifier(
      xcodeproj: "ios/nudgev4.xcodeproj", # Optional path to xcodeproj, will use the first .xcodeproj if not set
      plist_path: "nudgev4/Info.plist", # Path to info plist file, relative to xcodeproj
      app_identifier: ENV["APP_IDENTIFIER"] # The App Identifier
    )
  end

  # future command for conditionally deleting keychain
  # delete_keychain(name: "fastlane_keychain") if File.exist?(File.expand_path("~/Library/Keychains/fastlane_keychain-db"))

  lane :beta do
    register_devices(
      # Just one device so we can get a provisioning profile
      devices: {
        "Keith's iPhone SE" => "6c0961d7ffcae05321e636f8172c327ffa1e2c7e",
      }
    )
    update_app_identifier(
      xcodeproj: "ios/nudgev4.xcodeproj", # Optional path to xcodeproj, will use the first .xcodeproj if not set
      plist_path: "nudgev4/Info.plist", # Path to info plist file, relative to xcodeproj
      app_identifier: ENV["APP_IDENTIFIER"] # The App Identifier
    )
    delete_keychain(name: "nudge-v4") if File.exist?(File.expand_path("~/Library/Keychains/nudge-v4-db"))
    create_keychain(
      name: 'nudge-v4',
      password: 'nudge123',
      default_keychain: false,
      unlock: true,
      timeout: false,
      lock_when_sleeps: false,
      lock_after_timeout: false,
    )
    cert(
      team_id: ENV['TEAM_ID'],
      team_name: ENV['TEAM_NAME'],
      output_path: 'current-config/certs',
      keychain_path: '~/Library/Keychains/nudge-v4-db',
      keychain_password: 'nudge123',
    )
    sigh(
      team_id: ENV['TEAM_ID'],
      team_name: ENV['TEAM_NAME'],
      output_path: 'current-config/provisioning-profiles',
      force: true,
    )
    automatic_code_signing(
      use_automatic_signing: true,
      team_id: ENV['TEAM_ID'],
      path: 'ios/nudgev4.xcodeproj'
    )
    gym(
      scheme: 'nudgev4',
      workspace: 'ios/nudgev4.xcworkspace',
      export_method: 'app-store',
      output_directory: 'output/ios',
      xcargs: "-allowProvisioningUpdates"
    )
    pilot(
      team_id: ENV['ITC_TEAM_ID'],
      team_name: ENV['ITC_TEAM_NAME'],
      skip_waiting_for_build_processing: true,
      testers_file_path: 'fastlane/testflight_testers.csv'
    )
    #slack(
    #  slack_url: 'https://hooks.slack.com/services/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',
    #  channel: '#dev-feed',
    #  message: 'Successfully distributed a new beta build'
    #)
    delete_keychain(
      name: 'nudge-v4',
    )
  end

  lane :upload do
    pilot(
      team_id: ENV['ITC_TEAM_ID'],
      team_name: ENV['ITC_TEAM_NAME'],
      skip_waiting_for_build_processing: true,
      ipa: 'output/ios/nudge.ipa'
    )
    #slack(
    #  slack_url: 'https://hooks.slack.com/services/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',
    #  channel: '#dev-feed',
    #  message: 'Successfully distributed a new beta build'
    #)
  end
 
  error do |lane, exception|
    # This block is called, if there was an error running a specific lane.
  end
 
end
`./fastlane/Appfile`
app_identifier ENV['APP_IDENTIFIER'] # The bundle identifier of your app
itc_team_id ENV['ITC_TEAM_ID']
itc_team_name ENV['ITC_TEAM_NAME']

team_id ENV['TEAM_ID']  # Developer Portal Team ID
json_key_file ENV["JSON_KEY_FILE"]
package_name ENV["APP_IDENTIFIER"]

# you can even provide different app identifiers, Apple IDs and team names per lane:
# More information: https://github.com/fastlane/fastlane/blob/master/fastlane/docs/Appfile.md


  ENV["FASTLANE_APPLE_APPLICATION_SPECIFIC_PASSWORD"] = ENV["ADMIN_FASTLANE_APPLE_APPLICATION_SPECIFIC_PASSWORD"];

fastlane gems

Gem Version Update-Status
fastlane 2.172.0 ✅ Up-To-Date

Loaded fastlane plugins:

No plugins Loaded

Loaded gems
Gem Version
did_you_mean 1.4.0
bundler 2.1.4
uri 0.10.0
rake 13.0.3
CFPropertyList 3.0.3
ZenTest 4.12.0
RubyInline 3.12.5
concurrent-ruby 1.1.7
i18n 0.9.5
minitest 5.14.2
thread_safe 0.3.6
tzinfo 1.2.7
activesupport 4.2.11.3
public_suffix 4.0.6
addressable 2.7.0
httpclient 2.8.3
json 2.5.1
algoliasearch 1.27.3
artifactory 3.0.15
atomos 0.1.3
aws-eventstream 1.1.0
aws-partitions 1.420.0
aws-sigv4 1.2.2
jmespath 1.4.0
aws-sdk-core 3.111.2
aws-sdk-kms 1.41.0
aws-sdk-s3 1.87.0
babosa 1.0.4
claide 1.0.3
fuzzy_match 2.0.4
nap 1.1.0
netrc 0.11.0
ffi 1.13.1
ethon 0.12.0
typhoeus 1.4.0
cocoapods-core 1.9.3
cocoapods-deintegrate 1.0.4
cocoapods-downloader 1.4.0
cocoapods-plugins 1.0.0
cocoapods-search 1.0.0
cocoapods-stats 1.1.0
cocoapods-trunk 1.5.0
cocoapods-try 1.2.0
colored2 3.1.2
escape 0.0.4
fourflusher 2.3.1
gh_inspector 1.1.3
molinillo 0.6.6
ruby-macho 1.4.0
nanaimo 0.3.0
xcodeproj 1.19.0
cocoapods 1.9.3
dotenv 2.7.6
osx_keychain 1.0.2
cocoapods-keys 2.2.1
colored 1.2
highline 1.7.10
commander-fastlane 4.4.6
declarative 0.0.20
declarative-option 0.1.0
digest-crc 0.6.3
unf_ext 0.0.7.7
unf 0.1.4
domain_name 0.5.20190701
emoji_regex 3.2.1
excon 0.78.1
faraday-net_http 1.0.1
multipart-post 2.0.0
ruby2_keywords 0.0.4
faraday 1.3.0
http-cookie 1.0.3
faraday-cookie_jar 0.0.7
faraday_middleware 1.0.0
fastimage 2.2.1
jwt 2.2.2
memoist 0.16.2
multi_json 1.15.0
os 1.1.1
signet 0.14.0
googleauth 0.15.0
mini_mime 1.0.2
uber 0.1.0
representable 3.0.4
retriable 3.1.2
google-api-client 0.38.0
rexml 3.2.4
webrick 1.7.0
google-apis-core 0.2.1
google-apis-iamcredentials_v1 0.1.0
google-apis-storage_v1 0.1.0
google-cloud-env 1.4.0
google-cloud-errors 1.0.1
google-cloud-core 1.5.0
google-cloud-storage 1.30.0
mini_magick 4.11.0
plist 3.6.0
rubyzip 2.3.0
security 0.1.3
naturally 2.2.1
simctl 1.6.8
slack-notifier 2.3.2
terminal-notifier 2.0.0
unicode-display_width 1.7.0
terminal-table 1.8.0
tty-screen 0.8.1
tty-cursor 0.7.1
tty-spinner 0.9.3
word_wrap 1.0.0
rouge 2.0.7
xcpretty 0.3.0
xcpretty-travis-formatter 1.0.1

generated on: 2021-02-03

About this issue

  • State: closed
  • Created 3 years ago
  • Reactions: 112
  • Comments: 127 (54 by maintainers)

Most upvoted comments

Hey all! I got a fix for this finally 💪 It was a wild goose chase 😇

Cleaning up the code and making a PR!

@joshdholtz I feel embarrassed asking this but where does SPACESHIP_SKIP_2FA_UPGRADE=1 get set? My Fastfile, Matchfile, or CircleCI’s config.yml? I didn’t set this pipeline up and I’m a bit over my head! 😅

@alittletf No need to feel embarrassed! You have a few options…

In your Fastfile

# at the top
ENV["SPACESHIP_SKIP_2FA_UPGRADE"] = "1"

In a fastlane/.env file

 SPACESHIP_SKIP_2FA_UPGRADE=1

In your CircleCI environment variables for your project

Key: SPACESHIP_SKIP_2FA_UPGRADE Value: 1

Ok, as far as I understand we basically have to switch to App Store Connect API Key now.

However, there are still open questions.

  1. How will this work for enterprise accounts? AFAIK Apple doesn’t allow API key generation for enterprise accounts. Are there any known workarounds?
  2. According to the docs the Connect API doesn’t have any calls for produce yet, hence, produce doesn’t work with API key?
  3. Did Apple seriously just screw up a lot of CIs?

Howdy! So my team and I just ran into this same issue and were able to resolve it. Despite the somewhat cryptic error from Apple, it looks like this error message is related to the recent 2FA changes that Apple is enforcing as of February 2021. Chances are if you’re using a non-2FA account for your automation you’re hitting this error when trying to do stuff in fastlane with ye’ old username/password combo.

We were able to “resolve” this issue by switching our fastlane calls to authenticate via an AppStoreConnect API Key rather than a non-2FA account. The fastlane docs have some good instructions on how to do this here: https://docs.fastlane.tools/app-store-connect-api/

One thing to note is ruby is super picky about the format of the private key. Need to make sure it has no white-spaces and that new-line characters are \n (these can easily be accidentally double escaped depending on how you’re populating the key). The way the key is structured in the example is a good example of how your key should look.

If your key is malformed then you’ll see an error that looks like this: [!] invalid curve name (OpenSSL::PKey::ECError).
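
As an added example (not code from fastlane or from the commenter above), here is one way to catch the malformed-key case described in the preceding comment before a CI run reaches the `invalid curve name` error. The helper names are hypothetical, and it assumes the App Store Connect key is a P-256 EC private key in PEM form; the sample key is generated locally and is not a real API key.

```ruby
require "openssl"

# Added example: names below are hypothetical, not part of fastlane.
P8_PATTERN = /-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----/m.freeze

# Rebuild a PEM whose line breaks were mangled by a CI variable store:
# literal "\n" (backslash + n) sequences, CRLF, or newlines collapsed to
# spaces. Returns a canonical PEM string or raises ArgumentError.
def normalize_p8(raw)
  match = P8_PATTERN.match(raw.to_s)
  raise ArgumentError, "no PEM BEGIN/END markers found" unless match

  label = match[1]
  # Drop escaped newlines first, then any real whitespace inside the body.
  body = match[2].gsub(/\\r|\\n/, "").gsub(/\s+/, "")
  unless body.match?(%r{\A[A-Za-z0-9+/]+={0,2}\z})
    raise ArgumentError, "PEM body contains non-base64 characters"
  end

  lines = body.scan(/.{1,64}/)
  "-----BEGIN #{label}-----\n#{lines.join("\n")}\n-----END #{label}-----\n"
end

# Parse the normalized key and check it is a P-256 private key (assumption:
# that is what the API key file contains). Errors never echo key material.
def load_asc_private_key(raw)
  key = OpenSSL::PKey::EC.new(normalize_p8(raw))
  raise ArgumentError, "key has no private component" unless key.private?

  curve = key.group.curve_name
  raise ArgumentError, "expected prime256v1, got #{curve}" unless curve == "prime256v1"

  key
rescue OpenSSL::OpenSSLError => e
  raise ArgumentError, "private key did not parse (#{e.class})"
end

# True when OpenSSL accepts the string exactly as stored, with no repair.
def parses_unmodified?(raw)
  OpenSSL::PKey::EC.new(raw).private?
rescue OpenSSL::OpenSSLError, ArgumentError, TypeError
  false
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a throwaway P-256 key, then mangled the way
  # multi-line secrets are commonly mangled on their way into CI.
  pem = OpenSSL::PKey::EC.generate("prime256v1").to_pem
  samples = {
    "intact"         => pem,
    "double-escaped" => pem.gsub("\n") { "\\n" },
    "spaces"         => pem.strip.tr("\n", " "),
    "truncated"      => pem[0, 80]
  }
  samples.each do |name, raw|
    repaired = begin
      load_asc_private_key(raw)
      "ok"
    rescue ArgumentError => e
      e.message
    end
    puts format("%-15s as-is=%-5s normalized=%s", name, parses_unmodified?(raw), repaired)
  end
end
```

Running the check as a first CI step fails fast with a message that names the formatting problem and keeps the key itself out of the build log.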

Hey, fam! 👋 I got a PR up for the fix. Below is what you can put in your Gemfile to test it. It would be ❤️ if a few of you could! It does require an opt-in to bypass by setting the SPACESHIP_SKIP_2FA_UPGRADE=1 environment variable.

I’m waiting on some approvals and finishing up some test additions but hopefully this works (for now) 😬

🙏 Please put any questions or issues in the PR if you have any!

Testing Steps

Update Gemfile and run bundle install, bundle update fastlane, or bundle update

gem "fastlane", :git => "https://github.com/fastlane/fastlane.git", :branch => "joshdholtz-skip-2fa-upgrade"

Hey all! I got access to my 2FA account and I’m able to reproduce. I’m going to see if I can get a hot fix thing out for the “Not now” thing. It will be opt-in only and I don’t know how long it will work but YOLO

@max-ott I’ve observed the same thing as you. Logging in to appleid.apple.com and appstoreconnect.apple.com give a prompt to enable 2FA, which you can sidestep by hitting “don’t upgrade”, but the Spaceship login error persists after doing so. No other messages/agreements/disclosures appear on either of those pages.

Apple broke the internet.

Shipping this in an hour or so!

Released 👆👆👆👆👆

Turning on 2FA will resolve the issue

@EmDee Uhhhh… you are correct 🤔 Maybe I shouldn’t answer GitHub notifications during baby’s mid-night feed 😅

I’d still like to see a console output but…

@oingbong - is your account already 2FA enabled?

@Gunavel This makes no sense. The fix is for standard Apple ID usage without 2FA/2SV enabled. Please don’t clutter the thread with not relevant information.

Re-cap:

  • Using the App Store Connect (ASC) API Key will always work for the correct endpoints. It won’t work for generating push certificates, downloading dsym or Apple Enterprise Accounts (and probably much more), because Apple is not exposing those endpoints with their API. --> Recommended if possible
  • Using Apple ID + Password without 2FA/2SV enabled and you get the above error message, please try out Josh’s branch --> Temporary Work Around
  • Using Apple ID + Password with 2FA/2SV enabled you can use all fastlane actions depending on your role. Reports are that sessions are only valid for 8 hours to 30 days. This is dependent on a lot of factors and seems to change every day. --> Will be the future for non-API interactions.

The only quick solution our team has found so far for our Enterprise builds is to:

  1. Enable 2FA on the account. You are only given two weeks to turn it off again, so make sure you are okay with this.
  2. Grab the FASTLANE_SESSION using fastlane spaceauth -u user@email.com and use that env var in our CI builds.

Obviously this isn’t ideal, since FASTLANE_SESSION is only valid for 30 days. We’ve submitted feedback to Apple requesting that App Store Connect API keys be supported for Enterprise accounts, and I’m not sure what else we can do for now. Hopefully somebody here figures out a different workaround for Enterprise accounts.

Released 👆👆👆👆👆

🙌 Homebrew please 🙂

@sukhrobkhakimov I mean download_dsyms does not use Appstore API Key, this lane use email + password. (More: https://github.com/fastlane/fastlane/discussions/17485)

I have the same issue 😦 non-2FA account can login in web

If you are using Azure DevOps as your CD and are using their custom task named ms-vsclient.app-store.app-store-release.AppStoreRelease@1, make sure you set SPACESHIP_SKIP_2FA_UPGRADE=1 in your Variables tab, then under Advanced options in your task, make sure you mark the Install Fastlane option, choose the Specific Version under the fastlane Version field and put 2.173.0 as your Fastlane version.

@joshdholtz I feel embarrassed asking this but where does SPACESHIP_SKIP_2FA_UPGRADE=1 get set? My Fastfile, Matchfile, or CircleCI’s config.yml? I didn’t set this pipeline up and I’m a bit over my head! 😅

@alittletf No need to feel embarrassed! You have a few options…

In your Fastfile

# at the top
ENV["SPACESHIP_SKIP_2FA_UPGRADE"] = "1"

In a fastlane/.env file

 SPACESHIP_SKIP_2FA_UPGRADE=1

In your CircleCI environment variables for your project

Key: SPACESHIP_SKIP_2FA_UPGRADE Value: 1

Thanks, this answered my question above as well.

There is no option to define an AppStoreConnect API Key for the enterprise account that needs to access the developer portal only to create/update app or push certificates using produce, pem, get_push_certificate. I am getting the same issue with a non-2FA account on these actions.

produce request having following params: skip_itc: true, skip_devcenter: false

Setting the environment SPACESHIP_SKIP_2FA_UPGRADE worked for me

The pull request #18116 that closed this issue was merged and released as part of fastlane 2.173.0 🚀 Please let us know if the functionality works as expected as a reply here. If it does not, please open a new issue. Thanks!

@konkab Dope! Thanks for testing ❤️ Will ship in early in the AM

I found that the problem reported by @AlexTheLost (where Apple returns a 403 when requesting https://appleid.apple.com/account/manage/repair/options) seems to happen for certain IP addresses (in my case all the failing requests originated from AWS). I tested this using VPN so it isn’t an OS or container issue. I am not sure if this is the same issue as @justindhill as I haven’t seen any problems with cookies, but the thing we have in common is that the same code works on some machines and not others.

This is exactly what we have been seeing also. Our CI servers are also running on AWS.

Hi! Found a new problem. Now when running the script on some VMs, Apple returns a 403 status and the following exception occurs:

+ ruby ....
/usr/local/bundle/gems/fastlane-2.173.0/spaceship/lib/spaceship/client.rb:899:in `block in send_request'
/usr/local/bundle/gems/fastlane-2.173.0/spaceship/lib/spaceship/client.rb:643:in `with_retry'
/usr/local/bundle/gems/fastlane-2.173.0/spaceship/lib/spaceship/client.rb:879:in `send_request'
/usr/local/bundle/gems/fastlane-2.173.0/spaceship/lib/spaceship/client.rb:723:in `request'
/usr/local/bundle/gems/fastlane-2.173.0/spaceship/lib/spaceship/upgrade_2fa_later_client.rb:32:in `try_upgrade_2fa_later'
/usr/local/bundle/gems/fastlane-2.173.0/spaceship/lib/spaceship/client.rb:511:in `send_shared_login_request'
/usr/local/bundle/gems/fastlane-2.173.0/spaceship/lib/spaceship/tunes/tunes_client.rb:127:in `send_login_request'
/usr/local/bundle/gems/fastlane-2.173.0/spaceship/lib/spaceship/client.rb:805:in `do_login'
/usr/local/bundle/gems/fastlane-2.173.0/spaceship/lib/spaceship/client.rb:390:in `login'
/usr/local/bundle/gems/fastlane-2.173.0/spaceship/lib/spaceship/client.rb:352:in `login'
/usr/local/bundle/gems/fastlane-2.173.0/spaceship/lib/spaceship/tunes/spaceship.rb:24:in `login'
....
Failed to bypass 2FA upgrade
To disable this from trying again, set SPACESHIP_SKIP_UPGRADE_2FA_LATER=1
/usr/local/bundle/gems/fastlane-2.173.0/spaceship/lib/spaceship/client.rb:519:in `send_shared_login_request': Need to acknowledge to Apple's Apple ID and Privacy statement. Please manually log into https://appleid.apple.com (or https://appstoreconnect.apple.com) to acknowledge the statement. Your account might also be asked to upgrade to 2FA. Set SPACESHIP_SKIP_2FA_UPGRADE=1 for fastlane to automaticaly bypass 2FA upgrade if possible. (Spaceship::AppleIDAndPrivacyAcknowledgementNeeded)
	from /usr/local/bundle/gems/fastlane-2.173.0/spaceship/lib/spaceship/tunes/tunes_client.rb:127:in `send_login_request'
	from /usr/local/bundle/gems/fastlane-2.173.0/spaceship/lib/spaceship/client.rb:805:in `do_login'
	from /usr/local/bundle/gems/fastlane-2.173.0/spaceship/lib/spaceship/client.rb:390:in `login'
	from /usr/local/bundle/gems/fastlane-2.173.0/spaceship/lib/spaceship/client.rb:352:in `login'
	from /usr/local/bundle/gems/fastlane-2.173.0/spaceship/lib/spaceship/tunes/spaceship.rb:24:in `login'
	....
This account is being prompted to upgrade to 2FA
Attempting to automatically bypass the upgrade until a later date
To disable this, remove SPACESHIP_SKIP_2FA_UPGRADE=1 environment variable

Anyone have ideas?)

Hey, fam! 👋 I got a PR up for the fix. Below is what you can put in your Gemfile to test it. It would be ❤️ if a few of you could! It does require an opt-in to bypass by setting the SPACESHIP_SKIP_2FA_UPGRADE=1 environment variable. I’m waiting on some approvals and finishing up some test additions but hopefully this works (for now) 😬 🙏 Please put any questions or issues in the PR if you have any!

Testing Steps

Update Gemfile and run bundle install, bundle update fastlane, or bundle update

gem "fastlane", :git => "https://github.com/fastlane/fastlane.git", :branch => "joshdholtz-skip-2fa-upgrade"

Just tested it with the following setting and couldn’t make it work. Still receiving: Need to acknowledge to Apple's Apple ID and Privacy statement. Please manually log into https://appleid.apple.com (or https://appstoreconnect.apple.com) to acknowledge the statement. Setting:

  • User with 2-Factor NOT activated
  • Gemfile:
gem "fastlane", :git => "https://github.com/fastlane/fastlane.git", :branch => "joshdholtz-skip-2fa-upgrade"
  • Azure Pipeline command execution:
- script: bundle update fastlane
  displayName: 'Install Fastlane'
- script: fastlane ios release
  displayName: 'Fastlane iOS Build'
  env:
    SPACESHIP_SKIP_2FA_UPGRADE: 1

@joshdholtz should this work in your eyes or am I missing something?

@kbaxx Do you see any output like This account is being prompted to upgrade to 2FA in your CI output at all?

I just made it work. I had to change fastlane ios release to bundle exec fastlane ios release.

I did not see This account is being prompted to upgrade to 2FA. Now I do. Thanks a lot guys!

@iliao58 How do you use the AppStore connect API key? I use it with fastlane sigh, which has a parameter for the api_key_path and it works perfectly. But I didn’t get how to use it with fastlane gym, fastlane download_dsyms or so?

You can’t download dSYM with the API key. There is no endpoint for it.

@EmDee I am not sure on that. In our workflow, we only use upload, so I can’t speak to any other commands.

FULL DISCLOSURE: We also do not use fastlane directly. We use it through an Azure DevOps pipeline extension task here

I am seeing some strange behavior with this workaround that I can’t quite explain. Some of my CI executors are working just fine and others are throwing up after receiving a response from the first call where the workaround makes a repair request. @joshdholtz any idea what might be going on here? I’m not super familiar with ruby, but it seems like the cookie store doesn’t like something about the content of the cookie Apple’s setting.

This account is being prompted to upgrade to 2FA
Attempting to automatically bypass the upgrade until a later date
To disable this, remove SPACESHIP_SKIP_2FA_UPGRADE=1 environment variable
/opt/cinc/embedded/lib/ruby/2.7.0/unicode_normalize/normalize.rb:141:in `normalize'
/opt/cinc/embedded/lib/ruby/gems/2.7.0/gems/domain_name-0.5.99999999/lib/domain_name.rb:291:in `unicode_normalize'
/opt/cinc/embedded/lib/ruby/gems/2.7.0/gems/domain_name-0.5.99999999/lib/domain_name.rb:291:in `normalize'
/opt/cinc/embedded/lib/ruby/gems/2.7.0/gems/domain_name-0.5.99999999/lib/domain_name.rb:99:in `initialize'
/opt/cinc/embedded/lib/ruby/gems/2.7.0/gems/http-cookie-1.0.3/lib/http/cookie_jar/hash_store.rb:70:in `new'
/opt/cinc/embedded/lib/ruby/gems/2.7.0/gems/http-cookie-1.0.3/lib/http/cookie_jar/hash_store.rb:70:in `each'
/opt/cinc/embedded/lib/ruby/gems/2.7.0/gems/http-cookie-1.0.3/lib/http/cookie_jar.rb:163:in `each'
/opt/cinc/embedded/lib/ruby/gems/2.7.0/gems/http-cookie-1.0.3/lib/http/cookie_jar.rb:131:in `each'
/opt/cinc/embedded/lib/ruby/gems/2.7.0/gems/http-cookie-1.0.3/lib/http/cookie_jar.rb:131:in `sort'
/opt/cinc/embedded/lib/ruby/gems/2.7.0/gems/http-cookie-1.0.3/lib/http/cookie_jar.rb:131:in `cookies'
/opt/cinc/embedded/lib/ruby/gems/2.7.0/gems/faraday-cookie_jar-0.0.7/lib/faraday/cookie_jar.rb:12:in `call'
/opt/cinc/embedded/lib/ruby/gems/2.7.0/gems/faraday_middleware-1.0.0/lib/faraday_middleware/response_middleware.rb:36:in `call'
/opt/cinc/embedded/lib/ruby/gems/2.7.0/gems/faraday_middleware-1.0.0/lib/faraday_middleware/response_middleware.rb:36:in `call'
/opt/cinc/embedded/lib/ruby/gems/2.7.0/gems/faraday-1.3.0/lib/faraday/rack_builder.rb:154:in `build_response'
/opt/cinc/embedded/lib/ruby/gems/2.7.0/gems/faraday-1.3.0/lib/faraday/connection.rb:492:in `run_request'
/opt/cinc/embedded/lib/ruby/gems/2.7.0/gems/faraday-1.3.0/lib/faraday/connection.rb:198:in `get'
/opt/cinc/embedded/lib/ruby/gems/2.7.0/gems/fastlane-2.173.0/spaceship/lib/spaceship/client.rb:880:in `block in send_request'
/opt/cinc/embedded/lib/ruby/gems/2.7.0/gems/fastlane-2.173.0/spaceship/lib/spaceship/client.rb:643:in `with_retry'
/opt/cinc/embedded/lib/ruby/gems/2.7.0/gems/fastlane-2.173.0/spaceship/lib/spaceship/client.rb:879:in `send_request'
/opt/cinc/embedded/lib/ruby/gems/2.7.0/gems/fastlane-2.173.0/spaceship/lib/spaceship/client.rb:723:in `request'
/opt/cinc/embedded/lib/ruby/gems/2.7.0/gems/fastlane-2.173.0/spaceship/lib/spaceship/upgrade_2fa_later_client.rb:27:in `try_upgrade_2fa_later'
/opt/cinc/embedded/lib/ruby/gems/2.7.0/gems/fastlane-2.173.0/spaceship/lib/spaceship/client.rb:511:in `send_shared_login_request'
/opt/cinc/embedded/lib/ruby/gems/2.7.0/gems/fastlane-2.173.0/spaceship/lib/spaceship/tunes/tunes_client.rb:127:in `send_login_request'
/opt/cinc/embedded/lib/ruby/gems/2.7.0/gems/fastlane-2.173.0/spaceship/lib/spaceship/client.rb:805:in `do_login'
/opt/cinc/embedded/lib/ruby/gems/2.7.0/gems/fastlane-2.173.0/spaceship/lib/spaceship/client.rb:390:in `login'
/opt/cinc/embedded/lib/ruby/gems/2.7.0/gems/fastlane-2.173.0/spaceship/lib/spaceship/client.rb:352:in `login'
/opt/cinc/embedded/lib/ruby/gems/2.7.0/gems/fastlane-2.173.0/spaceship/lib/spaceship/tunes/spaceship.rb:24:in `login'
/opt/cinc/embedded/lib/ruby/gems/2.7.0/gems/fastlane-2.173.0/spaceship/lib/spaceship/playground.rb:37:in `run'
/opt/cinc/embedded/lib/ruby/gems/2.7.0/gems/fastlane-2.173.0/spaceship/lib/spaceship/commands_generator.rb:35:in `block (2 levels) in run'
/opt/cinc/embedded/lib/ruby/gems/2.7.0/gems/commander-fastlane-4.4.6/lib/commander/command.rb:178:in `call'
/opt/cinc/embedded/lib/ruby/gems/2.7.0/gems/commander-fastlane-4.4.6/lib/commander/command.rb:153:in `run'
/opt/cinc/embedded/lib/ruby/gems/2.7.0/gems/commander-fastlane-4.4.6/lib/commander/runner.rb:476:in `run_active_command'
/opt/cinc/embedded/lib/ruby/gems/2.7.0/gems/fastlane-2.173.0/fastlane_core/lib/fastlane_core/ui/fastlane_runner.rb:76:in `run!'
/opt/cinc/embedded/lib/ruby/gems/2.7.0/gems/commander-fastlane-4.4.6/lib/commander/delegates.rb:15:in `run!'
/opt/cinc/embedded/lib/ruby/gems/2.7.0/gems/fastlane-2.173.0/spaceship/lib/spaceship/commands_generator.rb:50:in `run'
/opt/cinc/embedded/lib/ruby/gems/2.7.0/gems/fastlane-2.173.0/spaceship/lib/spaceship/commands_generator.rb:14:in `start'
/opt/cinc/embedded/lib/ruby/gems/2.7.0/gems/fastlane-2.173.0/fastlane/lib/fastlane/cli_tools_distributor.rb:114:in `take_off'
/opt/cinc/embedded/lib/ruby/gems/2.7.0/gems/fastlane-2.173.0/bin/fastlane:23:in `<top (required)>'
./fastlane:23:in `load'
./fastlane:23:in `<main>'
Failed to bypass 2FA upgrade
To disable this from trying again, set SPACESHIP_SKIP_UPGRADE_2FA_LATER=1
Could not login to App Store Connect...

@reubits

Released 👆👆👆👆👆

🙌 Homebrew please 🙂

Done: https://github.com/Homebrew/homebrew-core/pull/70498 Anybody can update using the brew bump-formula-pr command, as long as there is a release with a source code asset linked.

I am using CircleCI and getting the same Apple privacy update requirement. With your release, is all I need to do upgrade fastlane using bundle update fastlane? @joshdholtz

@alittletf That and set the SPACESHIP_SKIP_2FA_UPGRADE=1 environment variable 😊 But you will want to look at doing what you can to change over to App Store Connect API Keys since 2FA will most likely be fully required at some point

My apple id hasn’t enabled 2FA, and followed @joshdholtz 's branch here: https://github.com/fastlane/fastlane/issues/18098#issuecomment-772970322

Works!

Folks, still after requesting session, I get this error [14:30:18]: Need to acknowledge to Apple's Apple ID and Privacy statement. Please manually log into https://appleid.apple.com (or https://appstoreconnect.apple.com) to acknowledge the statement. The user email I use has 2FA enabled.

  • updated the gem file and updated fastlane
  • .env has key SPACESHIP_SKIP_2FA_UPGRADE=1
  • I am running fastlane from command line and no errors in certificates etc…

Am I missing anything?

I got it working by, using the appstore connect api key and setting this env var while running the fastlane. SPACESHIP_SKIP_2FA_UPGRADE=1 bundle exec fastlane <lanename>

@tedgonzalez Thanks for pointing that out. I was already wondering why the session I generated yesterday was already invalid. This explains it.

@oingbong Then this won’t have any effect on you sadly 😔 This PR will probably only buy time for a few weeks for most people at best anyway before 2FA is fully forced 😬

@EmDee Thanks for pointing that out!

switched to use the appstore connect api key, and it works like a charm.

We’re using the spaceship API directly, so does anyone know how this works with the App Store Connect API?

I am using spaceship directly, can get the auth to work. Added details here - https://github.com/fastlane/fastlane/issues/18098#issuecomment-772626250. Hope it helps

@justindhill Thanks for checking! I’m trying to find one of my non-2FA accounts to test this out so I can fully understand what’s going on 🤷‍♂️

For those who use fastlane via shell,

SPACESHIP_SKIP_2FA_UPGRADE=1 fastlane SUBCOMMAND ...

did the trick for me (subcommand is sigh in my case).

@joshdholtz thanks for your quick turnaround on this (hopefully long lasting) fix.

I tried to use app_store_connect_api_key though I have a feeling it was stuck with team selection (FASTLANE_ITC_TEAM_NAME).

[12:52:36]: ▸ [12:52:36]: Creating authorization token for App Store Connect API <-- gets stuck here.

I managed to create a client with spaceship Client.auth(…).select_team… though it’s not what’s used by pilot.

Any way to get app_store_connect_api_key to utilize FASTLANE_ITC_TEAM_NAME?

Thanks,

After trying a million things, snooping around rb files, and having this work from home but not the office (I thought due to jenkins user being part of multiple teams), I tracked down the blockage to https access to api.appstoreconnect.apple.com being stuck at ssl handshake hello. A quick search pointed me in the direction of a too large MTU (1500). Reduction to 1453 and I’m back in business 😃 So this issue was nothing to do with any fastlane threads, and I’m now using API key, so all good. Kudos to @joshdholtz for the quickfix efforts nonetheless. Thanks fastlane team! 😃

@joshdholtz I was the one pushing the version 😉 it’s a small effort to help you/fastlane out. As I personally prefer brew over gems.

Thank you for providing this update, our team was suffering from the 2FA changes as well. Keep up the good work 🙇‍♂️

Released 👆👆👆👆👆

🙌 Homebrew please 🙂

@Basca Sorry about that! Looks like that part of my release script didn’t run properly 😱 It looks like somebody else released it ❤️

Will fix my script so this doesn’t happen again!

If you are using Azure DevOps as your CD and are using their custom task named ms-vsclient.app-store.app-store-release.AppStoreRelease@1, make sure you set SPACESHIP_SKIP_2FA_UPGRADE=1 in your Variables tab, then under Advanced options in your task, make sure you mark the Install Fastlane option, choose the Specific Version under the fastlane Version field and put 2.173.0 as your Fastlane version.

Hi @edgarfroes When doing this: [image] I get invalid option: --spaceship_skip_2fa_upgrade. I’ve also tried with SPACESHIP_SKIP_2FA_UPGRADE=1, didn’t work either. I don’t have access to the fastfile or to the env file as Azure DevOps installs Fastlane via their extension. So I can only input into that “Additional fastlane arguments” box … Can someone please help with this? I am completely confused …

@nasaleanhorea You have to put SPACESHIP_SKIP_2FA_UPGRADE=1 into the Variables tab of the release. Then it works like a charm.

Hey, in my instructions you’ll notice that you need to set an environment variable under the Variables tab on top, and not a Fastlane argument (as you’re doing). There’s no argument for that (even though it would be a nice idea right @joshdholtz ?), so you can remove that argument and just set the variable.

Does this at all affect match or gym ? Or only spaceship ?

@jrowinski3d Everything that talks to the App Store when using Apple ID auth. So… produce, pem, match, sigh, cert, deliver, pilot, and some other actions 🙂

So just to confirm with this release with the 2FA workaround, is this an environment variable that goes into the fastfile, or where specifically does this new SPACESHIP_SKIP_2FA_UPGRADE=1 go? We’re using Bitrise with Fastlane.

@michallaskowski No problem at all! Your best bet is to set FASTLANE_SESSION with a pregenerated session and update that occasionally (if possible) - http://docs.fastlane.tools/best-practices/continuous-integration/#spaceauth

In Bitrise, the best approach is using app_store_connect_api_key before your action. http://docs.fastlane.tools/actions/app_store_connect_api_key/

@joshdholtz , to continue @al-cheb question: Is there any other way to auth in Apple if we need downloading Xcode only (access to https://developer.apple.com/services-account/QH65B2/downloadws/listDownloads.action and https://developer.apple.com/services-account/download?

Your PR with SPACESHIP_SKIP_2FA_UPGRADE looks really great and unblocks us, but we are thinking about a longer-term approach. There is no guarantee that Apple doesn’t start to force 2FA later and it will stop working. We hoped App Store Connect API Key will save us but it doesn’t work for this purpose.

@joshdholtz It works for me, thanks!

The only option I was able to use for now for enterprise account CIs is setting the FASTLANE_SESSION with 30 days valid value

@alexzchut Are you using the fastlane spaceauth -u user@email.com command to generate the value for FASTLANE_SESSION?

@EmDee Yes, I am using the fastlane spaceauth -u user@email.com command to generate the value for FASTLANE_SESSION

I use the Spaceship library directly, and was able to get the client back with Spaceship::ConnectAPI.auth(key_id: 'key_id', issuer_id: '<issuer_id>', filepath: "<auth p8 file path>"), but can’t proceed further because tunes_client is not initialized in Spaceship::ConnectAPI.auth. fastlane/spaceship/lib/spaceship/tunes/tunes_client.rb seems to accept only username/password. Not sure how to make this work with token. Any ideas?

When you use the Auth Key, you should access the client with Spaceship::ConnectAPI See examples here: https://github.com/fastlane/fastlane/blob/master/spaceship/docs/AppStoreConnect.md#applications
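
The API-key route that several comments above switch to authenticates with a short-lived ES256 JWT signed by the .p8 key instead of an Apple ID session. The following Ruby sketch is an added example, not fastlane's or spaceship's own code; it builds such a token and checks it the way a receiver would, using a throwaway generated key and constructed key and issuer IDs in place of real ones.

```ruby
require 'json'
require 'openssl'

MAX_LIFETIME = 20 * 60 # App Store Connect rejects tokens valid for more than 20 minutes

def b64url(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(text)
  (text + '=' * (-text.size % 4)).tr('-_', '+/').unpack1('m0')
end

# Build the ES256 JWT that is sent as "Authorization: Bearer <token>".
def asc_token(key, key_id:, issuer_id:, now: Time.now.to_i, lifetime: MAX_LIFETIME)
  raise ArgumentError, 'lifetime exceeds 20 minutes' if lifetime > MAX_LIFETIME
  header  = { alg: 'ES256', kid: key_id, typ: 'JWT' }
  payload = { iss: issuer_id, iat: now, exp: now + lifetime, aud: 'appstoreconnect-v1' }
  signing_input = [header, payload].map { |part| b64url(JSON.generate(part)) }.join('.')
  der = key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
  # JWS needs the raw r||s pair (32 bytes each), not the DER sequence OpenSSL returns.
  raw = OpenSSL::ASN1.decode(der).value.map { |n| n.value.to_s(2).rjust(32, "\x00") }.join
  "#{signing_input}.#{b64url(raw)}"
end

# Check signature and expiry; returns the claims hash, or nil if the token is rejected.
def asc_verify(token, key, now: Time.now.to_i)
  head, body, sig = token.split('.')
  return nil unless sig
  raw = b64url_decode(sig)
  return nil unless raw.bytesize == 64
  ints = [raw[0, 32], raw[32, 32]].map { |b| OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(b, 2)) }
  der = OpenSSL::ASN1::Sequence.new(ints).to_der
  return nil unless key.verify(OpenSSL::Digest.new('SHA256'), der, "#{head}.#{body}")
  claims = JSON.parse(b64url_decode(body))
  claims['exp'] > now ? claims : nil
end

# Constructed sample: a throwaway P-256 key stands in for the downloaded .p8 file
# (a real key would be loaded with OpenSSL::PKey.read(File.read(path))).
SAMPLE_KEY = OpenSSL::PKey::EC.generate('prime256v1')
token = asc_token(SAMPLE_KEY, key_id: 'CONSTRUCTED1', issuer_id: 'constructed-issuer-id')
puts asc_verify(token, SAMPLE_KEY).inspect
```

Because each token expires within 20 minutes, the long-lived secret on a CI machine is the .p8 key itself, so it belongs in the CI secret store rather than in the repository.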

ah yes. Using ConnectAPI directly, but got stuck with iterating thru different teams and selecting a team. Think the only way is to initialize TunesClient, but it doesn’t seem to accept token to login, and username/password combo is broken 😅

Any idea how to initialize tunesclient?

You can’t 😄 Maybe we should move your question into the Discussions? https://github.com/fastlane/fastlane/discussions/new

@ekrapfl Does the app specific password work for produce as well? According to the docs it doesn’t work for deliver/pilot.

produce does not work with app specific password. Only iTMSTransport does that.