Connecting to an Apple Service with Step inputs

[sapsley]

Troubleshooting

• I've searched discuss.bitrise.io for possible solutions.
• Which version of the step is effected? 4.2.7
• Is the issue reproducible with the latest version? YES
• Does the issue happen sporadically, or every time? EVERY TIME
• Is the issue reproducible locally by following our local debug guide? NOT APPLICABLE

Useful information

• FAQ
• devcenter.bitrise.io

Issue description

The now deprecated "iOS Auto Provision with App Store Connect API" allowed us to specify an API key and issuer ID to use when auto provisioning the app instead of using the Apple Service Connection specified in the Teams tab

The "Xcode Archive & Export for iOS" does not allow for specifying an API Key and Issuer ID which we need to build and deploy different version of our app to different app stores.

The docs here say this should be possible, but I don't see anywhere in this step to specify the inputs
https://devcenter.bitrise.io/en/accounts/connecting-to-services/connecting-to-an-apple-service-with-step-inputs.html#ot-lst-cnt

[draskovits]

We have the same issue, have you found a solution for that?

[mrahn24]

As long this issue is not addressed, we'll use the deprecated step. I've contacted the Bitrise support, which also suggested to use the deprecated step again.

[pwadowski]

We have the same issue in our company and still have to use deprecated steps. It would be great to see the option for specifying API key and issuer ID in future step releases 🙏🏼

[pwadowski]

I have also created feature request on discuss.bitrise.io
https://discuss.bitrise.io/t/xcode-archive-specify-api-key-and-issuer-id/19953

[mbuchetics]

I would also need that.

[SidiBecker]

We have the same issue, any of you found a way to work with multiple api keys?

[aminy]

Definitely need this as well before the iOS Auto Provision step is removed on July 15th (which is just 3 weeks from now)

[traceycraverapp]

Just started looking into switching us over a few weeks ago, and have been trying to find an alternative... this step is going to be removed in just a few weeks... I can't imagine having to switch the chosen api key / issuer id every time that we need to do a build... that becomes a lot of extra management that bitrise has been doing a wonderful job of automating for us until now.

[iulianaCraver]

We need this too! 👀

[ZSeba]

I'd love to see this too 👍

[derek-s-leung]

This would definitely bring us to a grinding halt too over a lot of moments that used to be smooth sailing because of the automation. Would really appreciate this 🙏 🙏

[mbuchetics]

I recently wrote a support ticket and that's the answer I got:

This is unfortunately correct, the new steps are indeed missing this functionality. We're in the process of collecting feedback and assessing the impact radius of this, since the new step is supporting both Xcode and Bitrise managed signing, the implementation isn't trivial in these new methods.

As other people mentioned on the thread, the deprecated options are still available at this time being. It's also worth mentioning that if you use Fastlane for instance, that step still allows for the option to configure step inputs.

I would suggest contacting Bitrise support so they really see the need in supporting this feature.

[traceycraverapp]

thanks @mbuchetics I will do that, We definitely need - at the very least, for them to not deprecate the existing steps so that we are covered until they can work with these requirements. I had been looking into creating my own step, but it seems they have a lot of internal things happening... unfortunately we don't use fastlane...

[ofalvai]

Hello everyone!

I'm happy to announce that the latest step version adds the ability to override the App Store Connect connection: https://github.com/bitrise-steplib/steps-xcode-archive/releases/tag/4.6.0

Thank you for your patience and let us know how it's working for your use case!

[SidiBecker]

Thanks a lot @ofalvai!!
One question: Which path we have to set in api_key_path?

I set $TMPDIR/AuthKey_$KEY_ID.p8, where $KEY_ID variable is correct, the name of API Key and the name of .p8 file that I upload in profile settings is correct, as is api_key_id, api_key_issuer_id, but I have the follow error:

Fetching Apple Service connection
Overriding Bitrise Apple Service connection with Step-provided credentials (api_key_path, api_key_id, api_key_issuer_id)
private key does not exist at /var/folders/11/nh0v1jld7zd7b9zqm1774gtm0000gn/T//AuthKey_44XG*****M.p8

[ofalvai]

Are you sure the private key is downloaded previously into the temp directory? We recommend uploading the private key to Bitrise's Code Signing tab, then adding a File Downloader step to the workflow that downloads the file at runtime. Note that $TMPDIR

Note that you no longer need to include the key ID in the filename, now there is a separate step input for that.

[SidiBecker]

Oh, I was uploading in profile settings -> Integrations, my mistake.

[mrahn24]

works like a charm! 🎉

[traceycraverapp]

@ofalvai Hey, thanks so much for the changes you added! We could use a little help…
Can the removal of the iOS Auto Provision with Apple ID Step be delayed for 2 weeks or so?
We’re still testing making Xcode Archive & Export 4.6.0 work for us - in my team I was working on this, but I got hit with covid, and someone else is trying to help now but there’s ramp-up time...
I can see how the option will work for some of our projects, but for one of them, we have multiple smaller workflows that point into two main ones, (passing in params and such) that will need to be reworked. I don’t quite have the energy to keep on top of this now, so we have someone else taking it on. A tiny extra grace period would be greatly appreciated 🙏

[derek-s-leung]

Reposting something I originally wrote in the related Bitrise feature request forum:
In the new Xcode Archive & Export Step 4.6.0, what's the right way to fix the archive portion choosing to:

1. Use the Xcode Managed Profile,
2. Use the development export method,
3. And use an “iOS Team Provisioning Profile” like what Xcode managed profiles are named,

even though we set as a Step Input variable Distribution method: app-store?

I think this will lead to problems when we send builds to App Store review.

I can see in my build logs that when it exports the IPA and tries to determine the Code sign group, it “Failed to find Codesign Groups”.

• On the way there, the list of “Installed profiles” it filters through only includes those with Apple Development certificates and export_type: development, and it references only the iOS Team Provisioning Profile in bundle_id_profiles.

Previously with the iOS Auto Provision Step 2.0.3, we used the Input variable Should the step try to generate Provisioning Profiles even if Xcode managed signing is enabled in the Xcode project? yes

• Bitrise would generate Provisioning Profiles we could see in our Apple Developer account, titled things like “Bitrise ios app-store - (<bundle_id>)”

[lpusok]

@traceycraverapp The deprecated autoprov Steps will NOT be removed yet (for a few weeks at least), despite the deprecation date.

[mrahn24]

@lpusok Thank you for not removing the deprecated step until everything works as before! 🙏

We had to revert back to the deprecated step due to some unexpected issues. As I wrote earlier, on the first look it worked like a charm, but there are some strange behaviors, like the creation of a dev cert (even if a dev cert is uploaded to Bitrise) #278 and that some of our projects couldn't be built for "app-store" anymore due to "invalid signing" ("via API created" development cert was used to sign the app instead of the uploaded distribution cert).

Edit:
Thank you @derek-s-leung for this idea! 🙏

We were able to fix the "invalid signing", which had something todo with special chars / umlauts in product name and no registered devices in App Store Connect. Wasn't any problem before. 😅

The creation of development certs could also be fixed due to this hint.
But, in some of our projects, we also experienced the automatic creation of "Distribution Managed" certificates which are created by "API Key: xxxxx- ...", even with uploaded "Apple Distribution" certificates.

[SidiBecker]

@lpusok Thank you for not removing the deprecated step until everything works as before! 🙏

[...] but there are some strange behaviors, like the creation of a dev cert (even if a dev cert is uploaded to Bitrise) #278 [...]

I have the same strange behavior. Bitrise is creating a dev cert called "Created via API" each build I make.

[derek-s-leung]

I wanted to ask about a new error after adjusting some settings:

In my build logs, soon after “Starting the Archive …”, I now see

❌  error: No account for team <a_different_team_id_than_our_App_Store_Connect_override_API_key_settings_should_lead_to>. Add a new account in the Accounts preference pane or verify that your accounts have valid credentials. (in target <correct_value> from project <correct_value>)

❌  error: No profiles for <correct_bundle_id> were found: Xcode couldn't find any iOS App Development provisioning profiles matching <correct_bundle_id>. (in target <correct_value> from project <correct_value>)

Trying to interpret it:

• “No account for team <wrong_team_id>”, is weird because <wrong_team_id> is another Team ID our company uses, that the private key, key ID, and key issuer ID I've parameterized in our custom env vars should not lead to.
• “No profiles for <bundle_id> were found” - seems related to the above if it is searching the wrong Team ID.

I'm getting this even though it seems to me I’ve set up the App Store Connect connection override correctly by doing:

• Automatic code signing method: api-key
• Parameterizing the private key, key ID, and Key Issuer ID as custom environment variables that expand to the right values I’ve stored either as Secrets or in the Code Signing tab (the .p8 file’s URL)
  • In our case, we call Bitrise API with some things added to the environments key, kind of like:

"environments":[
  {"mapped_to":"API_KEY_ID","value":"$TEAM1_API_KEY_ID","is_expand":true},
  {"mapped_to":"API_KEY_ISSUER_ID","value":"$TEAM1_API_KEY_ISSUER_ID","is_expand":true}, 
  {"mapped_to":"PRIVATE_KEY_URL","value":"$BITRISEIO_TEAM1_API_KEY_URL","is_expand":true}
]

• Then I reference them like:
  

[derek-s-leung]

@mrahn24 You might be able to get distribution exports by adding the Export iOS and tvOS Xcode archive Step after the Xcode Archive & Export Step like in the Bitrise docs here:
https://devcenter.bitrise.io/en/code-signing/ios-code-signing/signing-an-ipa-with-multiple-code-signing-identities.html

During the development of your iOS app you will need multiple types of distributions for different purposes, such as internal testing or deployment to the App Store.

Add the Export iOS and tvOS Xcode archive Step to your Workflow. This Step reuses the archive generated by the Xcode Archive and Export for iOS Step and does a second export from the archive.

This is working for me. A build I made with the above passed App Store Review, and they can definitely detect if you've signed it with the development certificate or used a development provisioning profile.

Although my message above this one talks about an error I get when trying to archive using an API key from one of my company's team IDs, I didn't get that error using a different API key from a different team ID of my company's. Builds with that API key succeed.

For my company's purposes though, we need API keys from different Team IDs to all work.

[bitrise-coresteps-bot]

Hello there, I'm a bot. On behalf of the community I thank you for opening this issue.

To help our human contributors focus on the most relevant reports, I check up on old issues to see if they're still relevant.
This issue has had no activity for 90 days, so I marked it as stale.

The community would appreciate if you could check if the issue still persists. If it isn't, please close it.
If the issue persists, and you'd like to remove the stale label, you simply need to leave a comment. Your comment can be as simple as "still important to me".

If no comment left within 21 days, this issue will be closed.

[bitrise-coresteps-bot]

I'll close this issue as it doesn't seem to be relevant anymore.
We believe an old issue probably has a bunch of context that's no longer relevant, therefore, if the problem still persists, please open a new issue.