Automating 2FA using Fastlane/CircleCI

Question

What is the correct way to setup 2FA for beta uploads to iTunesConnect/TestFlight?

There are so many links and forums answers but none solve the issue.

Currently I have added the environment variables into CircleCI, including the Application Specific Password generated on the AppleID.

I have a lane in Fastlane that looks like this

desc "Alpha build"
  lane :alpha do
    match(type: "adhoc")
    gym(export_method: "ad-hoc")
    upload_to_testflight(skip_submission: true)
  end

I run the preauth command below before the alpha lane

- run:
    name: Spaceship pre-auth for 2FA
    command: bundle exec fastlane spaceauth -u [redacted].com

Fastlane seems to be failing on auth even if the password is correct

Please check your credentials and try again.
This could be an issue with App Store Connect,
Please try unsetting the FASTLANE_SESSION environment variable

If I remove the spaceauth command circleci is failing by timing out waiting for 2FA.

The Fastlane site says that there is no need to use spaceauth unless additional app store connect APIs are being used such as uploading metadata etc. It states that for uploads to testflight only the Application Specific Password should be enough, although this doesnt work either.

Has anyone solved this issue that can advise please?

Answer 1

You can authenticate with Apple through API key. You can generate the key here: https://appstoreconnect.apple.com/access/api .

Once you have the key.p8 file, you can used to auth with the fastlane command: app_store_connect_api_key as follow:

app_store_connect_api_key(
  key_id: "ABCDEFG",
  issuer_id: "Your_issuer_id",
  key_content: File.read("./key.p8").chomp,
  duration: 1200,
  in_house: false
)

After the execution of the command, the key session is store in the following env var: APP_STORE_CONNECT_API_KEY so your upload to testflight should look like this:

upload_to_testflight(
    groups: ["Friends & Family","Mytest-Group"], 
    ipa: "./build/myapp.ipa",
    api_key: Actions.lane_context[SharedValues::APP_STORE_CONNECT_API_KEY]
  )

Answer 2

Use CI server's REST API to update the value of FASTLANE_SESSION configuration parameter. In our case we have it defined in one place and it gets reused by all jobs that need to auth to Dev Center / App Store Connect. I haven't looked into details, but I'm sure there's a way to update the job/project parameter via REST call. Then again, have a scheduled job that runs spaceauth and uses REST API to set the new value.

Answer 3

The docs are wrong there - and it's my fault. I updated the docs article before the actual code enabling this is merged.

Your best best currently is to create a second account that doesn't have 2FA enabled, or using spaceauth locally and then copying the returned value into a ENV variable on your CI provider, although it probably will only work 24 hours. We are currently investigating how to improve this.