xcodes icon indicating copy to clipboard operation
xcodes copied to clipboard

Published 20 hours ago verified publisher icon XcodesOrg

Allow for automated use in CI for 2FA accounts

Open tahirmt opened this issue 4 years ago • 6 comments

We can use other things using fastlane and FASTLANE_SESSION to authenticate for CI. Is there a way to do that through environment variables?

tahirmt avatar Mar 26 '21 03:03 tahirmt

Thanks for opening this issue, @tahirmt! There are likely things from Fastlane we can leverage to automate this, but to fully understand the motivation behind this, can you describe how xcodes plays in your CI environment? Is this lack of support for 2FA currently blocking you right now?

senmu avatar Mar 30 '21 16:03 senmu

@senmu I'm using fastlane's xcode_install lane currently but xcodes is faster in terms of setting up an Xcode. We are managing our CI ourselves and I want to use xcodes in place of fastlane for the Xcode setup on the machine. No it is not a current blocker since there is an alternative we can use.

tahirmt avatar Mar 30 '21 17:03 tahirmt

Thanks for the insight, @tahirmt. At the moment our focus at Robots & Pencils is to ensure that the experience around manual use is taken care of first, so we won't have time to look into this in the near future. However if someone were to issue a PR for this, it would be welcomed.

In the meantime, we'll keep it in the back of our minds and continue to think about how it can be integrated in such a way that it's done in a secure manner for when that time comes.

senmu avatar Mar 30 '21 18:03 senmu

I think a viable workaround for the issue can be #145. One can manually put an Xcode XIP in the same network as CI nodes and install it from there.

FYI it seems it's now not possible to download Xcode without 2FA and xcode-install has the same issue. It might be a good opportunity for xcodes to be the only tool that can be used in CIs.

fkorotkov avatar Apr 27 '21 16:04 fkorotkov

would also love to see an option for an install that requires no manual input (ie by using environment variables to represent the developer email, password, and session)

tejassharma96 avatar Dec 13 '21 22:12 tejassharma96

I found a way to do this by making xcodes use the cookie generated by fastlane spaceauth. This allows for one login per 30 days. Which is how I'm managing our CI right now.

  1. Use fastlane spaceauth -u 'email' to generate a fastlane cookie
  2. If cookie isn't expired, run fastlane spaceauth -u 'email' again when reading cookies. (This is crucial because while the main cookie is valid, another cookie is only valid for 24 hours but running this doesn't require 2FA code. This bumps up the cookie time from 24 hours to 30 days.
  3. Using a ruby script to load the cookies from the file stored by spaceauth into a json file that swift can read.
  4. Load up the cookies into HTTPCookieStorage for URLSession to use.
  5. xcodes now uses the cookies that were originally generated by spaceauth.

I'm sure there is a way to optimize some of this and maybe even make xcodes handle most of these things internally but for my use case I wanted to read the cookie already generated by fastlane.

tahirmt avatar Jan 30 '22 04:01 tahirmt

With #215 in, I don't think this is needed anymore

tahirmt avatar Sep 21 '22 13:09 tahirmt

I think this issue should be reopened now that Apple blocked the non-authenticated download workaround 😢 If possible @tahirmt could you share the code snippet to load the cookie into HTTPCookieStorage?

omarzl avatar Jan 09 '23 23:01 omarzl

Opened https://github.com/RobotsAndPencils/xcodes/pull/265 with a modified version of @tahirmt solution, hope you can give it a review, thanks!

omarzl avatar Jan 10 '23 02:01 omarzl

I had opened this new issue #248 to track it. Thanks for the PR. When I worked on it originally I didn't know what fastlane used internally so I ended up using ruby but your solution is much cleaner!

tahirmt avatar Jan 10 '23 02:01 tahirmt