fastlane: [Regression] Breaking change when importing a new cert in 2.113.0, worked in 2.112.0
New Issue Checklist
- Updated fastlane to the latest version
- I read the Contribution Guidelines
- I read docs.fastlane.tools
- I searched for existing GitHub issues
Issue Description
There is an error message when importing a new certificate:
```
Could not configure imported keychain item (certificate) to prevent UI permission popup when code signing
Check if you supplied the correct `keychain_password` for keychain: `/Users/dmitry/Library/Keychains/fastlane.keychain-db`
[17:59:19]:
[17:59:19]: Please look at the following docs to see how to set a keychain password:
[17:59:19]: - https://docs.fastlane.tools/actions/sync_code_signing
[17:59:19]: - https://docs.fastlane.tools/actions/get_certificates
```
This leads to build failures in CI because of the UI permission popup. Keychain password is supplied in the Match file, as per details below.
Command executed
fastlane certificates
^ this installs certificates for various build types
Complete output when running fastlane, including the stack trace and command used
```
:fastlane dmitry$ fastlane certificates
[09:51:41]: Get started using a Gemfile for fastlane https://docs.fastlane.tools/getting-started/ios/setup/#use-a-gemfile
[09:51:43]: ----------------------------------------
[09:51:43]: --- Step: Verifying fastlane version ---
[09:51:43]: ----------------------------------------
[09:51:43]: Your fastlane version 2.113.0 matches the minimum requirement of 2.44.1 ✅
[09:51:43]: ------------------------------
[09:51:43]: --- Step: default_platform ---
[09:51:43]: ------------------------------
[09:51:43]: Driving the lane 'certificates' 🚀
[09:51:43]: -----------------------------
[09:51:43]: --- Step: delete_keychain ---
[09:51:43]: -----------------------------
[09:51:43]: -----------------------------
[09:51:43]: --- Step: create_keychain ---
[09:51:43]: -----------------------------
[09:51:43]: $ security list-keychains -d user
[09:51:43]: ▸ "/Users/dmitry/Library/Keychains/login.keychain-db"
[09:51:43]: -------------------
[09:51:43]: --- Step: match ---
[09:51:43]: -------------------
WARNING: You are running Ruby 2.2.4, which has reached end-of-life and is no longer supported by Ruby Core.
The Google Cloud API clients work best on supported versions of Ruby. It is strongly recommended that you upgrade to Ruby 2.4 or later.
See https://www.ruby-lang.org/en/downloads/branches/ for more info on the Ruby maintenance schedule.
To suppress this message, set the GOOGLE_CLOUD_SUPPRESS_RUBY_WARNINGS environment variable.
[09:51:43]: Successfully loaded '/Users/dmitry/Documents/development/fastlane/fastlane/Matchfile' 📄

+-------------------+-------------------------+
| Detected Values from './fastlane/Matchfile' |
+-------------------+-------------------------+
| git_url           | REDUCTED                |
| type              | development             |
| readonly          | true                    |
| keychain_name     | fastlane.keychain       |
| keychain_password | temppassword            |
+-------------------+-------------------------+

+-----------------------+-------------------+
| Summary for match 2.113.0                 |
+-----------------------+-------------------+
| type                  | development       |
| readonly              | true              |
| app_identifier        | ["REDUCTED"]      |
| username              | REDUCTED          |
| storage_mode          | git               |
| git_url               | REDUCTED          |
| git_branch            | master            |
| shallow_clone         | false             |
| clone_branch_directly | false             |
| keychain_name         | fastlane.keychain |
| keychain_password     | ********          |
| force                 | false             |
| force_for_new_devices | false             |
| skip_confirmation     | false             |
| skip_docs             | false             |
| platform              | ios               |
| verbose               | false             |
+-----------------------+-------------------+

[09:51:43]: Cloning remote git repo...
[09:51:43]: If cloning the repo takes too long, you can use the `clone_branch_directly` option in match.
[09:51:44]: 🔓 Successfully decrypted certificates repo
[09:51:44]: Installing certificate...
[09:51:44]: There are no local code signing identities found.
You can run `security find-identity -v -p codesigning fastlane.keychain` to get this output.
This Stack Overflow thread has more information: https://stackoverflow.com/q/35390072/774.
(Check in Keychain Access for an expired WWDR certificate: https://stackoverflow.com/a/35409835/774 has more info.)
[09:51:45]:
[09:51:45]: Could not configure imported keychain item (certificate) to prevent UI permission popup when code signing
Check if you supplied the correct `keychain_password` for keychain: `/Users/dmitry/Library/Keychains/fastlane.keychain-db`
[09:51:45]:
[09:51:45]: Please look at the following docs to see how to set a keychain password:
[09:51:45]: - https://docs.fastlane.tools/actions/sync_code_signing
[09:51:45]: - https://docs.fastlane.tools/actions/get_certificates

+-------------------+-------------------------------------------+
| Installed Certificate                                         |
+-------------------+-------------------------------------------+
| User ID           | H78U838C7X                                |
| Common Name       | iPhone Developer: Jenkins CI (H24NQR3297) |
| Organisation Unit | REDUCTED                                  |
| Organisation      | REDUCTED                                  |
| Country           | US                                        |
| Start Datetime    | 2018-07-24 08:13:16 UTC                   |
| End Datetime      | 2019-07-24 08:13:16 UTC                   |
+-------------------+-------------------------------------------+

[09:51:45]: Installing provisioning profile...

+---------------------+----------------------+-----------------------+
| Installed Provisioning Profile                                     |
+---------------------+----------------------+-----------------------+
| Parameter           | Environment Variable | Value                 |
+---------------------+----------------------+-----------------------+
| App Identifier      |                      | REDUCTED              |
| Type                |                      | development           |
| Platform            |                      | ios                   |
| Profile UUID        | sigh_ REDUCTED       | edae9a4e-d550-492a-9b |
|                     | development          | d5-1ff7d94b39cf       |
| Profile Name        | sigh REDUCTED        | match Development     |
|                     | development_profile- | REDUCTED              |
|                     | name                 | 1532420603            |
| Profile Path        | sigh REDUCTED        | /Users/dmitry/Library |
|                     | development_profile- | /MobileDevice/Provisi |
|                     | path                 | oning                 |
|                     |                      | Profiles/edae9a4e-d55 |
|                     |                      | 0-492a-9bd5-1ff7d94b3 |
|                     |                      | 9cf.mobileprovision   |
| Development Team ID | sigh REDUCTED        | 8P6Q66W4FV            |
|                     | _development_team-id |                       |
+---------------------+----------------------+-----------------------+

[09:51:45]: All required keys, certificates and provisioning profiles are installed 🙌
```
Environment
✅ fastlane environment ✅
Stack
| Key | Value |
| --- | --- |
| OS | 10.14.2 |
| Ruby | 2.2.4 |
| Bundler? | false |
| Git | git version 2.18.0 |
| Installation Source | ~/.fastlane/bin/bundle/bin/fastlane |
| Host | Mac OS X 10.14.2 (18C54) |
| Ruby Lib Dir | ~/.fastlane/bin/bundle/lib |
| OpenSSL Version | OpenSSL 1.0.2g 1 Mar 2016 |
| Is contained | false |
| Is homebrew | true |
| Is installed via Fabric.app | false |
| Xcode Path | /Applications/Xcode.app/Contents/Developer/ |
| Xcode Version | 10.1 |

System Locale

| Variable | Value | |
| --- | --- | --- |
| LANG | en_US.UTF-8 | ✅ |
| LC_ALL | en_US.UTF-8 | ✅ |
| LANGUAGE | en_US.UTF-8 | ✅ |

fastlane files:

`./fastlane/Fastfile`

```ruby
fastlane_version "2.44.1"

before_all do
  update_fastlane
  ENV["keychain"] = "fastlane.keychain"
end

default_platform :ios

def ensure_temp_keychain(name)
  delete_keychain(
    name: name
  ) if File.exist? File.expand_path("~/Library/Keychains/#{name}-db")
  create_keychain(
    name: name,
    password: 'temppassword',
    unlock: true,
    timeout: false
  )
end

lane :certificates do
  ensure_temp_keychain(ENV["keychain"])
  match
  match(type: "appstore")
  match(app_identifier: "REDUCTED.*", type: "enterprise", git_branch: "PAW5F92N29")
  match(type: "adhoc")
end
```

`./fastlane/Appfile`

```ruby
app_identifier "REDUCTED" # the bundle identifier of your app
package_name "REDUCTED" # the bundle identifier of your app
apple_id "REDUCTED" # Your Apple ID
json_key_file "REDUCTED.json"
```

fastlane gems

| Gem | Version | Update-Status |
| --- | --- | --- |
| fastlane | 2.113.0 | ✅ Up-To-Date |

Loaded fastlane plugins:

No plugins Loaded

Loaded gems

| Gem | Version |
| --- | --- |
| slack-notifier | 2.3.2 |
| atomos | 0.1.3 |
| CFPropertyList | 2.3.5 |
| claide | 1.0.2 |
| colored2 | 3.1.2 |
| nanaimo | 0.2.6 |
| xcodeproj | 1.7.0 |
| rouge | 2.0.7 |
| xcpretty | 0.3.0 |
| terminal-notifier | 1.7.1 |
| unicode-display_width | 1.1.3 |
| terminal-table | 1.7.3 |
| plist | 3.2.0 |
| public_suffix | 2.0.5 |
| addressable | 2.5.1 |
| multipart-post | 2.0.0 |
| word_wrap | 1.0.0 |
| tty-screen | 0.6.5 |
| tty-cursor | 0.6.0 |
| tty-spinner | 0.8.0 |
| babosa | 1.0.2 |
| colored | 1.2 |
| highline | 1.7.8 |
| commander-fastlane | 4.4.6 |
| excon | 0.55.0 |
| faraday | 0.12.1 |
| unf_ext | 0.0.7.4 |
| unf | 0.1.4 |
| domain_name | 0.5.20170404 |
| http-cookie | 1.0.3 |
| faraday-cookie_jar | 0.0.6 |
| fastimage | 2.1.0 |
| gh_inspector | 1.1.3 |
| json | 1.8.1 |
| mini_magick | 4.5.1 |
| multi_json | 1.12.1 |
| multi_xml | 0.6.0 |
| rubyzip | 1.2.2 |
| security | 0.1.3 |
| xcpretty-travis-formatter | 0.0.4 |
| dotenv | 2.2.0 |
| bundler | 1.14.6 |
| faraday_middleware | 0.11.0.1 |
| naturally | 2.2.0 |
| simctl | 1.6.5 |
| uber | 0.0.15 |
| declarative | 0.0.10 |
| declarative-option | 0.1.0 |
| representable | 3.0.4 |
| retriable | 2.1.0 |
| mime-types-data | 3.2016.0521 |
| mime-types | 3.1 |
| jwt | 1.5.6 |
| signet | 0.11.0 |
| memoist | 0.16.0 |
| os | 0.9.6 |
| googleauth | 0.6.7 |
| httpclient | 2.8.3 |
| google-api-client | 0.23.9 |
| google-cloud-env | 1.0.5 |
| google-cloud-core | 1.2.7 |
| digest-crc | 0.4.1 |
| google-cloud-storage | 1.15.0 |
| emoji_regex | 0.1.1 |
| libxml-ruby | 3.0.0 |
| psych | 2.0.8 |

generated on: 2019-01-09
Match file
```
git_url("REDUCTED")
type("development")
readonly("true")
keychain_name(ENV["keychain"])
keychain_password("temppassword")
```
About this issue
- State: closed
- Created 5 years ago
- Reactions: 25
- Comments: 72 (27 by maintainers)
@Deub27 @DTown @romk1n Question about what not working is here 🙃
- `gym`/`build_ios_app`?
- `security: SecKeychainItemSetAccessWithPassword: The user name or passphrase you entered is not correct.`?

History
- `2.112.0` and earlier, this error was still happening but the message was just not being captured.
- `2.113.0` introduced a change to show this to the user because this happens if `MATCH_KEYCHAIN_PASSWORD` is not set.
- `match` needs `MATCH_KEYCHAIN_PASSWORD` to call `security set-key-partition-list` to prevent the UI popup when signing
- `2.113.0` was a bit too aggressive/open with when it showed this error so it would sometimes show this error when another error was actually happening
- `2.113.0` may have not been calling `security set-key-partition-list` properly which is why some users experience the UI popup which blocked signing the first time using a certificate while signing with `gym`
- `2.114.0`, we will only show the message you have seen above when we receive an error of `SecKeychainItemSetAccessWithPassword` which means that `MATCH_KEYCHAIN_PASSWORD` is probably not being set.

Summary
- `MATCH_KEYCHAIN_PASSWORD` to be what the password of your keychain is (which is your login credentials for the login keychain), this error should no longer happen

still having this issue in version 2.114.0
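The 2.114.0 behaviour described in the maintainer's History list above (call `security set-key-partition-list` with the keychain password, and point at the password only when the error is `SecKeychainItemSetAccessWithPassword`) can be sketched as follows. This is an added example, not fastlane's code and not part of the thread; the method names, the injectable `runner` and the `apple-tool:,apple:` partition list are assumptions.

```ruby
require "open3"

# Added example, not fastlane's own code; method and constant names are hypothetical.
PARTITION_IDS = "apple-tool:,apple:".freeze
WRONG_PASSWORD_MARKER = "SecKeychainItemSetAccessWithPassword".freeze

# argv for `security set-key-partition-list`. Passing an array to Open3 avoids a
# shell, so the password is never interpolated into a command string.
def partition_list_argv(keychain_path, password)
  ["security", "set-key-partition-list", "-S", PARTITION_IDS,
   "-s", "-k", password, keychain_path]
end

# Blame the keychain password only when `security` itself reports it.
def classify(success, stderr)
  return :ok if success
  stderr.include?(WRONG_PASSWORD_MARKER) ? :wrong_keychain_password : :other_error
end

# Returns [outcome, message]. `runner` is injectable so the logic can be
# exercised without a macOS keychain; the default shells out to `security`.
def configure_partition_list(keychain_path, env: ENV, runner: nil)
  password = env["MATCH_KEYCHAIN_PASSWORD"]
  return [:password_not_set, "MATCH_KEYCHAIN_PASSWORD is not set"] if password.nil?

  runner ||= lambda do |argv|
    _out, err, status = Open3.capture3(*argv)
    [status.success?, err]
  end
  success, stderr = runner.call(partition_list_argv(keychain_path, password))
  # Mask the password in anything echoed back before it reaches the CI log.
  stderr = stderr.gsub(password, "********") unless password.empty?
  [classify(success, stderr), stderr.strip]
end

# Constructed sample: the stderr line quoted in this thread, replayed by a fake runner.
SAMPLE_STDERR = "security: SecKeychainItemSetAccessWithPassword: " \
                "The user name or passphrase you entered is not correct.\n"
fake = ->(_argv) { [false, SAMPLE_STDERR] }
p configure_partition_list("fastlane.keychain-db",
                           env: { "MATCH_KEYCHAIN_PASSWORD" => "temppassword" },
                           runner: fake)
```

On a CI host, a `:password_not_set` or `:wrong_keychain_password` outcome is worth failing the job on before the build step, since the signing prompt it predicts cannot be answered on a headless machine.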
@joshdholtz just tested on ‘2.114.0’ but the issue is still there
Running ‘match’ readonly from the fastfile gives the same error plus a new info:
```
[10:32:34]: Could not configure imported keychain item (certificate) to prevent UI permission popup when code signing
Check if you supplied the correct `keychain_password` for keychain: `/Users/x/Library/Keychains/login.keychain-db`
security: SecKeychainItemSetAccessWithPassword: The user name or passphrase you entered is not correct.
[10:32:34]:
[10:32:34]: Please look at the following docs to see how to set a keychain password:
[10:32:34]: - https://docs.fastlane.tools/actions/sync_code_signing
[10:32:34]: - https://docs.fastlane.tools/actions/get_certificates
```
I can also confirm the issue still persists running locally on my machine
Popping a new release this morning which should have a fix for these!
@joshdholtz I have reverted to `2.112.0` for now, it works fine 👍
In my case the problem was caused by new Mac OS feature called Full Disk Access. I use iTerm in everyday work, but I didn’t grant Full Disk Access for it. In Mac Os Terminal `fastlane certificates` works as expected and when I’ve granted Full Disk Access for iTerm then it also starts working. 🎉
I’m going to reopen this because even though `2.114.0` shouldn’t cause anybody failures now (that weren’t there before because `security` commands that we are executing are the same as we were back in `2.112.0`), the errors that are showing might be showing up falsely or showing too strongly still - the points that were pointed out here https://github.com/fastlane/fastlane/issues/14039#issuecomment-456842291
If anybody is having further issues, I would appreciate an explanation of what the issue actually is that you are experiencing since there are multiple things that have happened here 🙃
- `MATCH_KEYCHAIN_PASSWORD` not preventing the error from showing?
- `setup_circle_ci` and `setup_travis_ci`?

Thanks! 🚀
Hmm, updated to 2.114.0 , still having the problem
I’m getting the same on a Bitrise project
I’m gunna see if I can get a branch out there for anybody to test in a few hours if anybody is willing to 😬 I’d like to get this fixed today if possible and working for as many people here as possible 💪
We have also experienced this issue. We are building using Bitrise and it works very well for 2.112 but every build that was run on 2.113 was broken because of that Keychain issue.
@nemui Looking into right now for you!
@joshdholtz Hello, is this pull request going to release on 2.116.0? By the way, this issue occurs on development only.
I am using the 2.115.0. I wonder whether I am the only one who shows this issue.
@racer1988 After @joshdholtz re-opened it and posted https://github.com/fastlane/fastlane/issues/14039#issuecomment-455159133, there was no activity for 5 days. This and the fact that the fix did work for me.
Hi, I have got still the issue with 2.114 version
@joshdholtz, I think that @nemui is right in some way. match produces an error in logs only and lane successfully completes. On my mac certificate and private key are already in the Keychain, so maybe that’s why match doesn’t throw (but only shows) an error.
UPD. Works 👍, but shows an error in the log.
@joshdholtz Yes, using CircleCI. I’m able to get my builds to work for now by using 2.112.0