Apple’s 2FA announcement will break all Your iOS CI/CD Pipelines. How to Prepare For It
Everyone who has Apple ID might have received an email that Apple will enforce Two-Factor Authentication (2FA) starting from 27th Feb 2019. The purpose of 2FA is to add an extra layer of security. Everyone needs to enable 2FA in order to use Certificates, Provisioning profiles and Identifiers from the Apple developer porter or App Store Connect. Before we jump into the post, it’s important to understand that Two-factor authentication(2FA) is different from the Two-Step Verification(2SV). Please read this guide to understand the difference. In this post, we will explore how 2FA will affect your CI/CD pipelines if you have one in place, what to expect and how to prepare for this change.
Current State of iOS CI/CD Pipelines
Most of the iOS Continuous Delivery pipelines has been set up using Fastlane tools which might be the right choice at one time. There might be some teams automating the iOS deployment workflow using custom scripting or some teams completely outsource it to the third-party CI/CD services like TravisCI, CircleCI, Nevercode, Bitrise etc. Most of the time, we didn’t have to worry about the 2FA for the CI server user, who downloads certificates profiles etc. We used to create a separate account for this purpose and things would have worked well. However, this approach completely bypasses the 2FA process on the CI server. Fastlane tools documented best CI practices here which tells us to create a separate user who doesn’t have 2FA and bypass trusted devices and SMS verification. This approach also uses some crazy tools and cookies to keep the session alive. In my opinion, Fastlane’s approach to deal with iOS CI/CD solution is not that secure and reliable. What will happen if Apple enforces the 2FA? Will Fastlane handle the 2FA? Do we need to set the pipelines again or we need to go with manual release approach again? Let’s try to find answers to all these questions in this post.
Potential Fastlane Workarounds
At the moment, Fastlane suggests to create a user which doesn’t have 2FA on CI server. Fastlane uses Spaceship tool to log in to Apple developer portal create sessions, cookies and use them as ENV variables. When Apple announced 2FA for every Apple ID, Fastlane users gets crazy and proposing some strange workaround to solve this problem. You can read some crazy and super crazy idea on this Github issue here or search some tweets about it. Some of the crazy proposals that I read online are
- Using third-party services like Twilio for the SMS verification, store in the database and use REST API to get the codes.
- Breaking down the spaceauth authentication process in the Two steps and create cookies and session on a regular basis
- Reverse engineer 2FA API calls and automate the process in the Fastlane builds.
- Write custom TOTP client to deal with 2FA
So the question is, do Fastlane has a solution if the 2FA become mandatory for all Apple ID users?
Answer: There is no clean solution at the moment to solve this problem but there might be some temporary hacks works in the future
Stored Certificate and Profiles + iTMSTransporter
Another potential approach to solving the code signing problem would be to store all the Certificates, provisioning profiles in the source code repository with strong encryption. While performing the build we can decrypt the code signing assets and sign our builds to create an IPA file. However, the next challenge is to upload the binary to App Store where 2FA will come in the picture. We can still use the tools like iTMSTransporter or altool with the private API key.
App Store Connect API is Future
Apple announced an App Store API which is a RESTful interface to deal with all the App Store Connect directly to automate the tasks. With App Store Connect API, we can automate almost everything related to App Store including
- Managing certificates, provisioning profiles, managing device ID and bundle ID
- Managing users, roles and App access of App Store Connect
- Managing TestFlight and Beta Testers and Public Links
- Downloading financial reports and Sales reports
In order to use App Store Connect API, we need to create JWT tokens after regular intervals so that our session stays alive Apple is still rolling out some of the App Store Connect endpoints gradually but hopefully. All endpoints will be available soon. You can read more about the App Store Connect API documentation here Or I have explained the detailed process with the example in this blog posts in details.
Admin users Vs Account Holder
Apple’s announcement to enable the 2FA turned out to be confusing as some of the people contacted the Apple Developer Relationship team and confirmed the following things.
- 2FA will be only applicable if you are the account holder role (not admin) in the App Store Connect.
- If you are an admin user then you don’t need to enable the 2FA
There are a couple of things posted online e.g Tweet from Christopher Pickslay here
Apple Dev Relations told me you don’t have to use 2FA on your developer account unless it’s the Account Holder role. If you have the Admin role, you can still manage certificates, profiles etc without 2FA.
Too bad the announcement has none of that info https://t.co/r603xeYoj2
— Christopher Pickslay (@cpickslay) February 15, 2019
There is also discussed here on the Github, where the user posted the response from the Apple Developer Relation team
After reviewing your Apple ID, it appears as though you are not currently listed as an account holder for an Apple Developer team. This new requirement will not currently affect you or your account access. If in the future you decide you would like to be an account holder of an Apple Developer Program membership, you will then need to enable two-factor authentication.
If you are in doubt too, contact them directly.
How to Prepare for 2FA for your iOS Pipelines
Fastlane users don’t have to CI flow at the moment as these changes will be for account holders for now. Although, you might need to update your CI user with Admin account. Not sure how safe that will be but you don’t have another option at the moment.
Stop patching Fastlane as sooner or later, Fastlane has to retire from all these things. Start looking at the new ways of automating your workflow with App Store Connect API.
If Apple announced 2FA on admin accounts that will really break all the existing solutions, announcements are still confusing so we will come to know what will happen after 27th Feb 2019. Be prepared for that!
Rolling out the 2FA might be the initial step for Apple+BuddyBuild thingy for official CI/CD solution. Let’s wait till WWDC if that’s the case.
If the 2FA rules are only applicable for the Account holder roles then there is no big deal for iOS CI/CD pipelines. However, if it applies for all users including Admin roles then it would be a problem and you need to pull your socks up for the new way of automating your CI/CD workflow. What are your opinions about 2FA and CI/CD. Stay tuned with XCBlog and XCTEQ for more updated and potential solutions for your Mobile DevOps workflow.