fastlane: "Need to acknowledge to Apple's Apple ID and Privacy statement" error when using fastlane with non-2FA account (yeah, I know...)
New Issue Checklist
- Updated fastlane to the latest version
- I read the Contribution Guidelines
- I read docs.fastlane.tools
- I searched for existing GitHub issues
Issue Description
This is very likely not a bug at all, but a case of Apple throwing an inaccurate error message, but I wanted to log it to a) confirm that others had the same experience, and b) just in case something is lost in translation from Apple to fastlane, c) I’m afraid to convert my account to 2FA just to confirm what I suspect (that Apple is just giving the wrong error message when blocking accounts without 2FA).
I have a build agent/ continuous integration Apple developer account that I was using for building apps, that does not have the upgraded two factor security required for all accounts by Apple starting in February. Even as of right now, despite Apple’s message that I would be “required” to upgrade security, I can still log into App Store Connect, developer.apple.com, appleid.apple.com, etc without actually upgrading any security (it bugs me to, makes me answer questions, but doesn’t force an upgrade). This had me hopeful that stuff still worked!
When using any command on fastlane that logs into Apple with this account, however, I get the following error:
Need to acknowledge to Apple's Apple ID and Privacy statement. Please manually log into https://appleid.apple.com (or https://appstoreconnect.apple.com) to acknowledge the statement.
I tried following the steps, but I never saw any new privacy statement.
However, when I try using fastlane with another account that does have 2FA, everything works just fine.
Command executed
register_devices (what happened to be first in my lane), pilot (another one I tried)
Complete output when running fastlane, including the stack trace and command used
[00:28:43]: [32mLoading from './fastlane/.env.autogenerated'[0m [00:28:44]: [32m------------------------------[0m [00:28:44]: [32m--- Step: default_platform ---[0m [00:28:44]: [32m------------------------------[0m [00:28:44]: [32mDriving the lane 'ios beta' 🚀[0m [00:28:44]: [32m------------------------------[0m [00:28:44]: [32m--- Step: register_devices ---[0m [00:28:44]: [32m------------------------------[0m [00:28:44]: Login to App Store Connect (buildagent@nudgecoach.com) Available session is not valid any more. Continuing with normal login. +------------------+---------------+ | [33mLane Context[0m | +------------------+---------------+ | ENVIRONMENT | autogenerated | | DEFAULT_PLATFORM | ios | | PLATFORM_NAME | ios | | LANE_NAME | ios beta | +------------------+---------------+ [00:28:45]: [31mNeed to acknowledge to Apple's Apple ID and Privacy statement. Please manually log into https://appleid.apple.com (or https://appstoreconnect.apple.com) to acknowledge the statement.[0m±-----±-----------------±------------+ | [32mfastlane summary[0m | ±-----±-----------------±------------+ | Step | Action | Time (in s) | ±-----±-----------------±------------+ | 1 | default_platform | 0 | | 💥 | [31mregister_devices[0m | 1 | ±-----±-----------------±------------+
[00:28:45]: [31mfastlane finished with errors[0m
Environment
✅ fastlane environment ✅
Stack
Key Value OS 11.1 Ruby 2.7.1 Bundler? true Git git version 2.29.2 Installation Source ~/.rbenv/versions/2.7.1/bin/fastlane Host macOS 11.1 (20C69) Ruby Lib Dir ~/.rbenv/versions/2.7.1/lib OpenSSL Version OpenSSL 1.1.1i 8 Dec 2020 Is contained false Is homebrew false Is installed via Fabric.app false Xcode Path /Applications/Xcode.app/Contents/Developer/ Xcode Version 12.3 System Locale
Variable Value LANG en_US.UTF-8 ✅ LC_ALL LANGUAGE fastlane files:
`./fastlane/Fastfile`
require "spaceship" default_platform :ios platform :android do lane :beta do gradle(task: "clean", project_dir: 'android') gradle( task: 'assembleRelease', project_dir: 'android' ) end lane :uploadToPlayStore do upload_to_play_store( track:"beta", skip_upload_metadata: false, skip_upload_images: true, skip_upload_screenshots: true, skip_upload_apk: false, apk: "android/app/build/outputs/apk/release/app-release.apk" ) end end platform :ios do lane :labels do echo(message: 'APP_NAME:') echo(message: ENV['APP_NAME']) echo(message: 'APP_IDENTIFIER:') echo(message: ENV['APP_IDENTIFIER']) echo(message: 'SKU:') echo(message: ENV['SKU']) echo(message: 'TEAM_ID:') echo(message: ENV['TEAM_ID']) echo(message: 'TEAM_NAME:') echo(message: ENV['TEAM_NAME']) echo(message: 'ITC_TEAM_ID:') echo(message: ENV['ITC_TEAM_ID']) echo(message: 'ITC_TEAM_NAME:') echo(message: ENV['ITC_TEAM_NAME']) end # just some command that allows us to enter the second factor auth lane :entersecondfactor do Spaceship::Tunes.login Spaceship::Tunes.select_team end # trying out portal add user stuff lane :teststuff do Spaceship::Tunes.login Spaceship::Tunes.client.team_id = ENV['ITC_TEAM_ID'] begin Spaceship::Tunes::Members.create!( firstname: "Russ", lastname: "Campbell", email_address: "russ@nudgecoach.com", roles: ["developer"], apps: [] ) rescue end p Spaceship::Tunes::Members.all end lane :update_bundle_id do update_app_identifier( xcodeproj: "ios/nudgev4.xcodeproj", # Optional path to xcodeproj, will use the first .xcodeproj if not set plist_path: "nudgev4/Info.plist", # Path to info plist file, relative to xcodeproj app_identifier: ENV["APP_IDENTIFIER"] # The App Identifier ) end # future command for conditionally deleting keychain # delete_keychain(name: "fastlane_keychain") if File.exist?(File.expand_path("~/Library/Keychains/fastlane_keychain-db")) lane :beta do register_devices( # Just one device so we can get a provisioning profile devices: { "Keith's iPhone SE" => "6c0961d7ffcae05321e636f8172c327ffa1e2c7e", } ) update_app_identifier( xcodeproj: "ios/nudgev4.xcodeproj", # Optional path to xcodeproj, will use the first .xcodeproj if not set plist_path: "nudgev4/Info.plist", # Path to info plist file, relative to xcodeproj app_identifier: ENV["APP_IDENTIFIER"] # The App Identifier ) delete_keychain(name: "nudge-v4") if File.exist?(File.expand_path("~/Library/Keychains/nudge-v4-db")) create_keychain( name: 'nudge-v4', password: 'nudge123', default_keychain: false, unlock: true, timeout: false, lock_when_sleeps: false, lock_after_timeout: false, ) cert( team_id: ENV['TEAM_ID'], team_name: ENV['TEAM_NAME'], output_path: 'current-config/certs', keychain_path: '~/Library/Keychains/nudge-v4-db', keychain_password: 'nudge123', ) sigh( team_id: ENV['TEAM_ID'], team_name: ENV['TEAM_NAME'], output_path: 'current-config/provisioning-profiles', force: true, ) automatic_code_signing( use_automatic_signing: true, team_id: ENV['TEAM_ID'], path: 'ios/nudgev4.xcodeproj' ) gym( scheme: 'nudgev4', workspace: 'ios/nudgev4.xcworkspace', export_method: 'app-store', output_directory: 'output/ios', xcargs: "-allowProvisioningUpdates" ) pilot( team_id: ENV['ITC_TEAM_ID'], team_name: ENV['ITC_TEAM_NAME'], skip_waiting_for_build_processing: true, testers_file_path: 'fastlane/testflight_testers.csv' ) #slack( # slack_url: 'https://hooks.slack.com/services/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', # channel: '#dev-feed', # message: 'Successfully distributed a new beta build' #) delete_keychain( name: 'nudge-v4', ) end lane :upload do pilot( team_id: ENV['ITC_TEAM_ID'], team_name: ENV['ITC_TEAM_NAME'], skip_waiting_for_build_processing: true, ipa: 'output/ios/nudge.ipa' ) #slack( # slack_url: 'https://hooks.slack.com/services/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', # channel: '#dev-feed', # message: 'Successfully distributed a new beta build' #) end error do |lane, exception| # This block is called, if there was an error running a specific lane. end end
`./fastlane/Appfile`
app_identifier ENV['APP_IDENTIFIER'] # The bundle identifier of your app itc_team_id ENV['ITC_TEAM_ID'] itc_team_name ENV['ITC_TEAM_NAME'] team_id ENV['TEAM_ID'] # Developer Portal Team ID json_key_file ENV["JSON_KEY_FILE"] package_name ENV["APP_IDENTIFIER"] # you can even provide different app identifiers, Apple IDs and team names per lane: # More information: https://github.com/fastlane/fastlane/blob/master/fastlane/docs/Appfile.md ENV["FASTLANE_APPLE_APPLICATION_SPECIFIC_PASSWORD"] = ENV["ADMIN_FASTLANE_APPLE_APPLICATION_SPECIFIC_PASSWORD"];
fastlane gems
Gem Version Update-Status fastlane 2.172.0 ✅ Up-To-Date Loaded fastlane plugins:
No plugins Loaded
Loaded gems
Gem Version did_you_mean 1.4.0 bundler 2.1.4 uri 0.10.0 rake 13.0.3 CFPropertyList 3.0.3 ZenTest 4.12.0 RubyInline 3.12.5 concurrent-ruby 1.1.7 i18n 0.9.5 minitest 5.14.2 thread_safe 0.3.6 tzinfo 1.2.7 activesupport 4.2.11.3 public_suffix 4.0.6 addressable 2.7.0 httpclient 2.8.3 json 2.5.1 algoliasearch 1.27.3 artifactory 3.0.15 atomos 0.1.3 aws-eventstream 1.1.0 aws-partitions 1.420.0 aws-sigv4 1.2.2 jmespath 1.4.0 aws-sdk-core 3.111.2 aws-sdk-kms 1.41.0 aws-sdk-s3 1.87.0 babosa 1.0.4 claide 1.0.3 fuzzy_match 2.0.4 nap 1.1.0 netrc 0.11.0 ffi 1.13.1 ethon 0.12.0 typhoeus 1.4.0 cocoapods-core 1.9.3 cocoapods-deintegrate 1.0.4 cocoapods-downloader 1.4.0 cocoapods-plugins 1.0.0 cocoapods-search 1.0.0 cocoapods-stats 1.1.0 cocoapods-trunk 1.5.0 cocoapods-try 1.2.0 colored2 3.1.2 escape 0.0.4 fourflusher 2.3.1 gh_inspector 1.1.3 molinillo 0.6.6 ruby-macho 1.4.0 nanaimo 0.3.0 xcodeproj 1.19.0 cocoapods 1.9.3 dotenv 2.7.6 osx_keychain 1.0.2 cocoapods-keys 2.2.1 colored 1.2 highline 1.7.10 commander-fastlane 4.4.6 declarative 0.0.20 declarative-option 0.1.0 digest-crc 0.6.3 unf_ext 0.0.7.7 unf 0.1.4 domain_name 0.5.20190701 emoji_regex 3.2.1 excon 0.78.1 faraday-net_http 1.0.1 multipart-post 2.0.0 ruby2_keywords 0.0.4 faraday 1.3.0 http-cookie 1.0.3 faraday-cookie_jar 0.0.7 faraday_middleware 1.0.0 fastimage 2.2.1 jwt 2.2.2 memoist 0.16.2 multi_json 1.15.0 os 1.1.1 signet 0.14.0 googleauth 0.15.0 mini_mime 1.0.2 uber 0.1.0 representable 3.0.4 retriable 3.1.2 google-api-client 0.38.0 rexml 3.2.4 webrick 1.7.0 google-apis-core 0.2.1 google-apis-iamcredentials_v1 0.1.0 google-apis-storage_v1 0.1.0 google-cloud-env 1.4.0 google-cloud-errors 1.0.1 google-cloud-core 1.5.0 google-cloud-storage 1.30.0 mini_magick 4.11.0 plist 3.6.0 rubyzip 2.3.0 security 0.1.3 naturally 2.2.1 simctl 1.6.8 slack-notifier 2.3.2 terminal-notifier 2.0.0 unicode-display_width 1.7.0 terminal-table 1.8.0 tty-screen 0.8.1 tty-cursor 0.7.1 tty-spinner 0.9.3 word_wrap 1.0.0 rouge 2.0.7 xcpretty 0.3.0 xcpretty-travis-formatter 1.0.1 generated on: 2021-02-03
About this issue
- Original URL
- State: closed
- Created 3 years ago
- Reactions: 112
- Comments: 127 (54 by maintainers)
Links to this issue
Commits related to this issue
- fastlane: use Apple Store Connect API for CI builds Because our CI Apple account still has 2FA disabled in order for it to be usable in Jenkin it is now failing with an error that seems unrelated to ... — committed to status-im/status-mobile by jakubgs 3 years ago
- fastlane: use Apple Store Connect API for CI builds Because our CI Apple account still has 2FA disabled in order for it to be usable in Jenkin it is now failing with an error that seems unrelated to ... — committed to status-im/status-mobile by jakubgs 3 years ago
- fastlane: use Apple Store Connect API for CI builds Because our CI Apple account still has 2FA disabled in order for it to be usable in Jenkin it is now failing with an error that seems unrelated to ... — committed to status-im/status-mobile by jakubgs 3 years ago
- fastlane: use Apple Store Connect API for CI builds Because our CI Apple account still has 2FA disabled in order for it to be usable in Jenkin it is now failing with an error that seems unrelated to ... — committed to status-im/status-mobile by jakubgs 3 years ago
Hey all! I got a fix for this finally 💪 It was a wild goose chase 😇
Cleaning up the code and making a PR!
@alittletf No need to feel embarrassed! You have a few options…
In your
Fastfile
In a
fastlane/.env
fileIn your CircleCI environment variables for you project
Key: SPACESHIP_SKIP_2FA_UPGRADE Value: 1
Ok, as far as I understand we basically have to switch to App Store Connect API Key now.
However, there are still open questions.
produce
yet, hence,produce
doesn’t work with API key?Howdy! So my team and I just ran into this same issue and were able to resolve it. Despite the somewhat cryptic error from Apple, it looks like this error message is related to the recent 2FA changes that Apple is enforcing as of February 2021. Chances are if you’re using a non-2FA account for your automation you’re hitting this error when trying to do stuff in fastlane with ye’ old username/password combo.
We were able to “resolve” this issue by switching our fastlane calls to authenticate via an AppStoreConnect API Key rather than a non-2FA account. The fastlane docs have some good instructions on how to do this here: https://docs.fastlane.tools/app-store-connect-api/
One thing to note is ruby is super picky about the format of the private key. Need to make sure it has no white-spaces and that new-line characters are
\n
(these can easily be accidentally double escaped depending on how you’re populating the key). The way the key is structured in the example is a good example of how your key should look.If your key is malformed then you’ll see an error that looks like this:
[!] invalid curve name (OpenSSL::PKey::ECError)
.Hey, fam! 👋 I got a PR up for the fix. Below is what you can put in your
Gemfile
to test it. It would be ❤️ if a few of you could! It does require an opt-in to bypass by setting theSPACESHIP_SKIP_2FA_UPGRADE=1
environment variable.I’m waiting on some approvals and finishing up some test additions but hopefully this works (for now) 😬
🙏 Please put any questions or issues in the PR if you have any!
Testing Steps
Update
Gemfile
and runbundle install
,bundle update fastlane
, orbundle update
Hey all! I got access to my 2FA account and I’m able to reproduce. I’m going to see if I can get a hot fix thing out for the “Not now” thing. It will be opt-in only and I don’t know how long it will work but YOLO
@max-ott I’ve observed the same thing as you. Logging in to appleid.apple.com and appstoreconnect.apple.com give a prompt to enable 2FA, which you can sidestep by hitting “don’t upgrade”, but the Spaceship login error persists after doing so. No other messages/agreements/disclosures appear on either of those pages.
Apple broke the internet.
Shipping this in an hour or so!
Released 👆👆👆👆👆
Turn on 2FA will resolve the issue
@EmDee Uhhhh… you are correct 🤔 Maybe I shouldn’t answer GitHub notifications during baby’s mid-night feed 😅
I’d still like to see a console output but…
@oingbong - is your account already 2FA enabled?
@Gunavel This makes no sense. The fix is for standard Apple ID usage without 2FA/2SV enabled. Please don’t clutter the thread with not relevant information.
Re-cap:
The only quick solution our team has found so far for our Enterprise builds is to:
FASTLANE_SESSION
usingfastlane spaceauth -u user@email.com
and use that env var in our CI builds.Obviously this isn’t ideal, since
FASTLANE_SESSION
is only valid for 30 days. We’ve submitted feedback to Apple requesting that App Store Connect API keys be supported for Enterprise accounts, and I’m not sure what else we can do for now. Hopefully somebody here figures out a different workaround for Enterprise accounts.🙌 Homebrew please 🙂
@sukhrobkhakimov I mean
download_dsyms
does not use Appstore API Key, this lane use email + password. (More: https://github.com/fastlane/fastlane/discussions/17485)I have the same issue 😦 non-2FA account can login in web
If you are using Azure DevOps as your CD and is using their custom task named
ms-vsclient.app-store.app-store-release.AppStoreRelease@1
, make sure you setSPACESHIP_SKIP_2FA_UPGRADE=1
in your Variables tab, then under Advanced options in your task, make sure you mark theInstall Fastlane
option, chose theSpecific Version
under thefastlane Version
field and put2.173.0
as your Fastlane version.Thanks, this answered my question above as well.
There is no option to define AppStoreConnect API Key for the enterprise account that needs to access developer portal only to create/update app or push certificates using
produce
,pem
,get_push_certificate
I am getting the same issue with non-2FA account on these actionsproduce request having following params:
skip_itc: true, skip_devcenter: false
Setting the environment SPACESHIP_SKIP_2FA_UPGRADE worked for me
The pull request #18116 that closed this issue was merged and released as part of fastlane 2.173.0 🚀 Please let us know if the functionality works as expected as a reply here. If it does not, please open a new issue. Thanks!
FYI FASTLANE_SESSION only lasts for 8 hours
I wrote a summary here https://stackoverflow.com/questions/66024297/getting-error-need-to-acknowledge-to-apples-apple-id-and-privacy-statement/66042832#66042832
@konkab Dope! Thanks for testing ❤️ Will ship in early in the AM
This is exactly what we have been seeing also. Our CI servers are also running on AWS.
Hi! Found new problem. Now when running script on some VM Apple return 403 status, and happens next exception:
Anyone have ideas?)
I just made it work. I had to change
fastlane ios release
tobundle exec fastlane ios release
.I did not see
This account is being prompted to upgrade to 2FA
. Now I do. Thanks a lot guys!You can’t download dSYM with the API key. There is no endpoint for it.
@EmDee I am not sure on that. In our workflow, we only use
upload
, so I can’t speak to any other commands.FULL DISCLOSURE: We also do not use fastlane directly. We use it through an Azure DevOps pipeline extension task here
I found that the problem reported by @AlexTheLost (where Apple returns a 403 when requesting https://appleid.apple.com/account/manage/repair/options) seems to happen for certain IP addresses (in my case all the failing requests originated from AWS). I tested this using VPN so it isn’t an OS or container issue. I am not sure if this is the same issue as @justindhill as I haven’t seen any problems with cookies, but the thing we have in common is that the same code works on some machines and not others.
I am seeing some strange behavior with this workaround that I can’t quite explain. Some of my CI executors are working just fine and others are throwing up after receiving a response from the first call where the workaround makes a repair request. @joshdholtz any idea what might be going on here? I’m not super familiar with ruby, but it seems like the cookie store doesn’t like something about the content of the cookie Apple’s setting.
@reubits
Done: https://github.com/Homebrew/homebrew-core/pull/70498 Anybody can update using the
brew bump-formula-pr
command, as long as there is a release with a source code asset linked.@alittletf That and set the
SPACESHIP_SKIP_2FA_UPGRADE=1
environment variable 😊 But you will want to look at doing what you can to either change over to App Store Connect API Keys since 2FA will mostly likely be fully required at some pointMy apple id hasn’t enabled 2FA, and followed @joshdholtz 's branch here: https://github.com/fastlane/fastlane/issues/18098#issuecomment-772970322
Works!
I got it working by, using the appstore connect api key and setting this env var while running the fastlane.
SPACESHIP_SKIP_2FA_UPGRADE=1 bundle exec fastlane <lanename>
@tedgonzalez Thanks for pointing that out. I was already wondering why the session I generated yesterday was already invalid. This explains it.
@oingbong Then this won’t have any effect on you sadly 😔 This PR will probably only buy time for a few weeks for most people at best anyway before 2FA is fully forced 😬
@EmDee Thanks for pointing that out!
switched to use the appstore connect api key, and it works like a charm.
I am using spaceship directly, can get the auth to work. Added details here - https://github.com/fastlane/fastlane/issues/18098#issuecomment-772626250. Hope it helps
@justindhill Thanks for checking! I’m trying to find one of my non-2FA accounts to test this out so I can fully understand what’s going on 🤷♂️
For those who use fastlane via shell,
did trick for me (subcommand is
sigh
in my case).After trying a million things, snooping around rb files, and having this work from home but not the office (I thought due to jenkins user being part of multiple teams), I tracked down the blockage to https access to api.appstoreconnect.apple.com being stuck at ssl handshake hello. quick search pointed me in the derction of a too large MTU (1500). Reduction to 1453 and I’m back in business 😃 So this issue was nothing to do with any fastlane threads, and I’m now using API key, so all good. Kudos to @joshdholtz for the quickfix efforts nonetheless. Thanks fastlane team! 😃
@joshdholtz I was the one pushing the version 😉 it’s a small effort to help you/fastlane out. As I personally prefer brew over gems.
Thank you for providing this update, our team was suffering from the 2FA changes as well. Keep up the good work 🙇♂️
@Basca Sorry about that! Looks like that part of my release script didn’t run properly 😱 It looks like somebody else release it ❤️
Will fix my script so this doesn’t happen again!
Hey, in my instructions you’ll notice that you need to set a variable environment under the
Variables
tab on top, and not a Fastlane argument (as you’re doing). There’s no argument for that (even though it would be a nice idea right @joshdholtz ?), so you can remove that argument and just set the variable.@nasaleanhorea You have to put SPACESHIP_SKIP_2FA_UPGRADE=1 into the Variables tab of the release. Then it works like a charm.
@jrowinski3d Everything that talks to the App Store when using Apple ID auth. So… produce, pem, match, sigh, cert, deliver, pilot, and some other actions 🙂
In Bitrise, the best approach is using app_store_connect_api_key before your action. http://docs.fastlane.tools/actions/app_store_connect_api_key/
So just to confirm with this release with the 2FA workaround, is this an environment variable that goes into the fastfile, or where specifically does this new SPACESHIP_SKIP_2FA_UPGRADE=1 go? We’re using Bitrise with Fastlane.
@joshdholtz , to continue @al-cheb question: Is there any other way to auth in Apple if we need downloading Xcode only (access to https://developer.apple.com/services-account/QH65B2/downloadws/listDownloads.action and https://developer.apple.com/services-account/download?
Your PR with SPACESHIP_SKIP_2FA_UPGRADE looks really great and unblock us but we are thinking about about longer term approach. There is no guarantee that Apple doesn’t start to force 2FA later and will stop to work. We hoped
App Store Connect API Key
will save us but it doesn’t work for this purpose.@joshdholtz It works for me, thanks!
@EmDee Yes, I am using the fastlane spaceauth -u user@email.com command to generate the value for FASTLANE_SESSION
You can’t 😄 Maybe we should move your question into the Discussions? https://github.com/fastlane/fastlane/discussions/new
produce
does not work with app specific password. Only iTMSTransport does that.