Could not install WWDR certificate about fastlane HOT 80 CLOSED

Same issue here, running on Github Actions

from fastlane.

I had this issue months ago and then had to revert to an older version, was forced to update to 2.212.1 and now have the issue again, please can we have a fix? This has been a issue for months now and its kinda a big one

from fastlane.

Hitting this with Fastlane 2.212.1

from fastlane.

I'm struggling to reproduce it on my test repo, but I have seen this occur sporadically on Bitrise.

Some of this is speculation, but from what I can see:

• Before 2.211.0 the success check in cert_checker was looking at the wrong process (this is why it was changed according to the commit 4b30089#diff-605d869e313da5ef9f0c402845a4911eed5f8afc4ef45382210f237fceae498aL169), which then meant all failures in cert_checker were being ignored
• Some machines have some WWDR certificates pre-installed, so even though cert_checker was failing to install them, other parts of Fastlane kept on going because they didn't rely upon the missing certs
• The HTTP/2 error is a transient error from the server, which is why not everyone is seeing it all of the time

Using Curl through a shell call feels dirty, but I don't think replacing it with Faraday (or something else) will necessarily solve this.

Backing out the 2.211.0 change to the success check is papering over another issue, and only works by pure luck.

In the Curl command we could add --http1.1 and/or --retry 3 --retry-all-errors to try and alleviate it in the short term.

Another solution would be to add an option to Match to skip the WWDR cert installation, but I think this will take a lot of unpicking, and possibly just creates further problems in the future when the WWDR cert is renewed again.

Without being able to reproduce it I'm hesistant to just chuck a PR in and have all the Match users alpha-test it.

Why this is only failing occasionally on CI is way beyond me right now but... I like that there are some things we can add to the curl command --http1.1 and/or --retry 3 --retry-all-errors that might fix this 🤷‍♂️ Thank you @chedabob for this! ❤️

I'm going to put these behind an environment variable since I'm not able to replicate this issue but it will allow anybody facing this issue to set an environment variable like FASTLANE_WWDR_USE_HTTP1_AND_RETRIES=true to see if this does solve it 🤔

I'm going to create a PR for this and then get a new release out this weekend. Would appreciate any feedback when released if this works or not... but hopefully it does 🤞

from fastlane.

I'm still seeing this as well

from fastlane.

Happens to us as well every few builds (CircleCI).

from fastlane.

Will try and get a new version of fastlane out with a fix tonight if I can!

from fastlane.

Still occurs with v2.212.1 although the flag FASTLANE_WWDR_USE_HTTP1_AND_RETRIES is set.

Occurs only sporadically and is currently bypassed by retrying pipeline job.

from fastlane.

• I can confirm that downgrading to version 2.210.1 seems to get rid of the problem.

Same here. FYI for anybody who'd like to know how, simply edit Gemfile:

source "https://rubygems.org"

-# gem "fastlane"
+gem "fastlane", "= 2.210.1"
gem "fastlane-plugin-flutter_version", git: "https://github.com/tianhaoz95/fastlane-plugin-flutter-version"
plugins_path = File.join(File.dirname(__FILE__), '.', 'Pluginfile')
eval_gemfile(plugins_path) if File.exist?(plugins_path)

from fastlane.

Like others are saying, still an issue with latest 2.213.0 and Xcode 14.3.1 on GitHub Actions. :/

from fastlane.

@joshdholtz , @PaulTaykalo in #21442 figured out a real reason and it looks like a bug in security import.
Executing security import AppleWWDRCAG2.cerXXXXXXXXXXX-X-p8asd will produce an error security: SecKeychainItemImport: Unknown format in import.

The workaround is to preserve .cer file extension.

from fastlane.

@joshdholtz Unfortunately it did not fix the issue. I just got the same error in our 4th CI build after merging the bump to 2.212.0 and setting the env var :(

from fastlane.

We're also seeing this issue intermittently, why is the issue closed?

same question

from fastlane.

We also downgraded to 2.210.1 and until now this issue did not show up anymore

from fastlane.

This happens to us quite often in CI and is really annoying 😞

from fastlane.

I'm struggling to reproduce it on my test repo, but I have seen this occur sporadically on Bitrise.

Some of this is speculation, but from what I can see:

• Before 2.211.0 the success check in cert_checker was looking at the wrong process (this is why it was changed according to the commit 4b30089#diff-605d869e313da5ef9f0c402845a4911eed5f8afc4ef45382210f237fceae498aL169), which then meant all failures in cert_checker were being ignored
• Some machines have some WWDR certificates pre-installed, so even though cert_checker was failing to install them, other parts of Fastlane kept on going because they didn't rely upon the missing certs
• The HTTP/2 error is a transient error from the server, which is why not everyone is seeing it all of the time

Using Curl through a shell call feels dirty, but I don't think replacing it with Faraday (or something else) will necessarily solve this.

Backing out the 2.211.0 change to the success check is papering over another issue, and only works by pure luck.

In the Curl command we could add --http1.1 and/or --retry 3 --retry-all-errors to try and alleviate it in the short term.

Another solution would be to add an option to Match to skip the WWDR cert installation, but I think this will take a lot of unpicking, and possibly just creates further problems in the future when the WWDR cert is renewed again.

Without being able to reproduce it I'm hesistant to just chuck a PR in and have all the Match users alpha-test it.

from fastlane.

I think the root cause of this issue is that fastlane is looking for the certificate in the Login Keychain and the cert is installed in the System Keychain

Failing
security find-certificate -a -c 'Apple Worldwide Developer Relations' -p /Users/vagrant/Library/Keychains/login.keychain-db

Working
security find-certificate -a -c 'Apple Worldwide Developer Relations'

When fastlane fails to find the cert it downloads it from Apple which intermittently fails

from fastlane.

The same error with 2.212.2 while using GitHub Actions.

from fastlane.

@pchelnikov, we're currently still facing this issue on 2.212.2.

Running on GH actions, macos-13 runner.

from fastlane.

The actual workaround would be to download the 6 certs

• https://developer.apple.com/certificationauthority/AppleWWDRCA.cer
• https://www.apple.com/certificateauthority/AppleWWDRCAG2.cer
• https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer
• https://www.apple.com/certificateauthority/AppleWWDRCAG4.cer
• https://www.apple.com/certificateauthority/AppleWWDRCAG5.cer
• https://www.apple.com/certificateauthority/AppleWWDRCAG6.cer

and install them in login.keychain

ref: https://github.com/fastlane/fastlane/blob/4b3008914ff809850d7b8bf772e1a3363213ed18/fastlane_core/spec/cert_checker_spec.rb

from fastlane.

I was able to work around this intermittent failure by adding a bash step to our pipeline that runs before the fastlane commands:

tmpfile=$(mktemp /tmp/wwdr-cert.cer)
curl -f -o $tmpfile https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer && security import $tmpfile /Users/runner/Library/Keychains/login.keychain-db

Swap out /Users/runner/Library/Keychains/login.keychain-db with the path to your pipeline's login.keychain-db

from fastlane.

Getting this one too on 2.212.0.

from fastlane.

Got this today for the first time. GitHub Actions, macos-13 runner, fastlane 2.211.0.

UPD:
I've updated fastlane to 2.212.2 and it works.

from fastlane.

Download https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer

Then add the following lines to the Fastfile: organicmaps/organicmaps@8028798

from fastlane.

Same is happening for us.

from fastlane.

• Currently happening to me on Github Actions.
• Works fine if I run it locally.
• I'm using fastlane version 2.211.0.
• Unlike what is said in the above comments, I am not running lanes in parallel.
• I can confirm that downgrading to version 2.210.1 seems to get rid of the problem.

[06:56:26]: Sending anonymous analytics information
[06:56:26]: Learn more at https://docs.fastlane.tools/#metrics
[06:56:26]: No personal or sensitive data is sent.
[06:56:26]: You can disable this by adding `opt_out_usage` at the top of your Fastfile
[06:56:26]: ------------------------------
[06:56:26]: --- Step: default_platform ---
[06:56:26]: ------------------------------
[06:56:26]: Driving the lane 'ios productionRelease' 🚀
[06:56:26]: ----------------------
[06:56:26]: --- Step: setup_ci ---
[06:56:26]: ----------------------
[06:56:26]: Creating temporary keychain: "fastlane_tmp_keychain".
[06:56:26]: $ security list-keychains -d user
[06:56:26]: ▸ "/Users/runner/Library/Keychains/fastlane_tmp_keychain-db"
[06:56:26]: Found keychain '/Users/runner/Library/Keychains/fastlane_tmp_keychain-db' in list-keychains, adding to search list skipped
[06:56:26]: Enabling match readonly mode.
[06:56:26]: ---------------------------------------
[06:56:26]: --- Step: app_store_connect_api_key ---
[06:56:26]: ---------------------------------------
[06:56:27]: -------------------
[06:56:27]: --- Step: match ---
[06:56:27]: -------------------
[06:56:27]: Successfully loaded '/Users/runner/work/myapp-react-native/myapp-react-native/ios/fastlane/Matchfile' 📄

+----------------+----------------------------------------------------------------------------------------+
|                               Detected Values from './fastlane/Matchfile'                               |
+----------------+----------------------------------------------------------------------------------------+
| git_url        | [email protected]:aprilmintacpineda/myapp-fastlane-match.git                              |
| storage_mode   | git                                                                                    |
| type           | appstore                                                                               |
| app_identifier | ["com.aprmp.myapp", "com.aprmp.myapp.stg", "com.aprmp.myapp.dev"]                      |
| username       | ***                                                                                    |
+----------------+----------------------------------------------------------------------------------------+


+----------------------------------------+----------------------------------------------------------------------------------------+
|                                                    Summary for match 2.211.0                                                    |
+----------------------------------------+----------------------------------------------------------------------------------------+
| api_key                                | ********                                                                               |
| readonly                               | true                                                                                   |
| type                                   | appstore                                                                               |
| generate_apple_certs                   | true                                                                                   |
| skip_provisioning_profiles             | false                                                                                  |
| app_identifier                         | ["com.aprmp.myapp", "com.aprmp.myapp.stg", "com.aprmp.myapp.dev"]                      |
| username                               | ***                                                                                    |
| team_id                                | ***                                                                                    |
| storage_mode                           | git                                                                                    |
| git_url                                | [email protected]:aprilmintacpineda/myapp-fastlane-match.git                              |
| git_branch                             | master                                                                                 |
| shallow_clone                          | false                                                                                  |
| clone_branch_directly                  | false                                                                                  |
| skip_google_cloud_account_confirmation | false                                                                                  |
| keychain_name                          | fastlane_tmp_keychain                                                                  |
| force                                  | false                                                                                  |
| force_for_new_devices                  | false                                                                                  |
| include_mac_in_profiles                | false                                                                                  |
| include_all_certificates               | false                                                                                  |
| force_for_new_certificates             | false                                                                                  |
| skip_confirmation                      | false                                                                                  |
| safe_remove_certs                      | false                                                                                  |
| skip_docs                              | false                                                                                  |
| platform                               | ios                                                                                    |
| derive_catalyst_app_identifier         | false                                                                                  |
| fail_on_name_taken                     | false                                                                                  |
| skip_certificate_matching              | false                                                                                  |
| skip_set_partition_list                | false                                                                                  |
| verbose                                | false                                                                                  |
+----------------------------------------+----------------------------------------------------------------------------------------+

[06:56:27]: Cloning remote git repo...
[06:56:27]: If cloning the repo takes too long, you can use the `clone_branch_directly` option in match.
[06:56:29]: Checking out branch master...
[06:56:29]: 🔓  Successfully decrypted certificates repo
[06:56:29]: Installing certificate...
[06:56:29]: $ security find-certificate -a -c 'Apple Worldwide Developer Relations' -p /Users/runner/Library/Keychains/fastlane_tmp_keychain-db
+---------------------------+-----------------------------------------------------+
|                                  Lane Context                                   |
+---------------------------+-----------------------------------------------------+
| DEFAULT_PLATFORM          | ios                                                 |
| PLATFORM_NAME             | ios                                                 |
| LANE_NAME                 | ios productionRelease                               |
| KEYCHAIN_PATH             | ~/Library/Keychains/fastlane_tmp_keychain           |
| ORIGINAL_DEFAULT_KEYCHAIN | "/Users/runner/Library/Keychains/login.keychain-db" |
+---------------------------+-----------------------------------------------------+
[06:56:30]: Could not install WWDR certificate


[!] Could not install WWDR certificate
+------+---------------------------+-------------+
|                fastlane summary                |
+------+---------------------------+-------------+
| Step | Action                    | Time (in s) |
+------+---------------------------+-------------+
| 1    | default_platform          | 0           |
| 2    | setup_ci                  | 0           |
| 3    | app_store_connect_api_key | 0           |
| 💥   | match                     | 3           |
+------+---------------------------+-------------+

[06:56:30]: fastlane finished with errors
Error: Process completed with exit code 1.

from fastlane.

This is still happening intermittently for me even on fastlane-2.213.0 version in Bitrise.

from fastlane.

I've gotten this issue today as well, here's my log:

INFO [2023-05-30 13:56:53.72]: Installing certificate...
INFO [2023-05-30 13:56:53.72]: $ security default-keychain -d user
INFO [2023-05-30 13:56:53.73]: ▸     "/Users/distiller/Library/Keychains/fastlane_tmp_keychain-db"
INFO [2023-05-30 13:56:53.73]: $ security find-certificate -a -c 'Apple Worldwide Developer Relations' -p /Users/distiller/Library/Keychains/fastlane_tmp_keychain-db
INFO [2023-05-30 13:56:53.75]: $ security default-keychain -d user
INFO [2023-05-30 13:56:53.76]: ▸     "/Users/distiller/Library/Keychains/fastlane_tmp_keychain-db"
DEBUG [2023-05-30 13:56:53.76]: Installing WWDR Cert: curl -f -o /var/folders/bl/wbxjgtzx7j5_mjsmfr3ynlc00000gp/T/AppleWWDRCAG2.cer20230530-4903-xtweu1 https://www.apple.com/certificateauthority/AppleWWDRCAG2.cer && security import /var/folders/bl/wbxjgtzx7j5_mjsmfr3ynlc00000gp/T/AppleWWDRCAG2.cer20230530-4903-xtweu1 -k /Users/distiller/Library/Keychains/fastlane_tmp_keychain-db
INFO [2023-05-30 13:56:53.82]: ▸ 1 certificate imported.
INFO [2023-05-30 13:56:53.82]: ▸ 100   763  100   763    0     0  31488      0 --:--:-- --:--:-- --:--:-- 38150
INFO [2023-05-30 13:56:53.82]: $ security default-keychain -d user
INFO [2023-05-30 13:56:53.83]: ▸     "/Users/distiller/Library/Keychains/fastlane_tmp_keychain-db"
DEBUG [2023-05-30 13:56:53.83]: Installing WWDR Cert: curl -f -o /var/folders/bl/wbxjgtzx7j5_mjsmfr3ynlc00000gp/T/AppleWWDRCAG3.cer20230530-4903-1qw8jke https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer && security import /var/folders/bl/wbxjgtzx7j5_mjsmfr3ynlc00000gp/T/AppleWWDRCAG3.cer20230530-4903-1qw8jke -k /Users/distiller/Library/Keychains/fastlane_tmp_keychain-db
INFO [2023-05-30 13:56:53.89]: ▸ 1 certificate imported.
INFO [2023-05-30 13:56:53.89]: ▸ 100  1109  100  1109    0     0  44407      0 --:--:-- --:--:-- --:--:-- 52809
INFO [2023-05-30 13:56:53.89]: $ security default-keychain -d user
INFO [2023-05-30 13:56:53.90]: ▸     "/Users/distiller/Library/Keychains/fastlane_tmp_keychain-db"
DEBUG [2023-05-30 13:56:53.90]: Installing WWDR Cert: curl -f -o /var/folders/bl/wbxjgtzx7j5_mjsmfr3ynlc00000gp/T/AppleWWDRCAG4.cer20230530-4903-nioy06 https://www.apple.com/certificateauthority/AppleWWDRCAG4.cer && security import /var/folders/bl/wbxjgtzx7j5_mjsmfr3ynlc00000gp/T/AppleWWDRCAG4.cer20230530-4903-nioy06 -k /Users/distiller/Library/Keychains/fastlane_tmp_keychain-db
INFO [2023-05-30 13:56:53.95]: ▸ 1 certificate imported.
INFO [2023-05-30 13:56:53.95]: ▸ 100  1113  100  1113    0     0  46892      0 --:--:-- --:--:-- --:--:-- 58578
INFO [2023-05-30 13:56:53.95]: $ security default-keychain -d user
INFO [2023-05-30 13:56:53.96]: ▸     "/Users/distiller/Library/Keychains/fastlane_tmp_keychain-db"
DEBUG [2023-05-30 13:56:54.14]: Installing WWDR Cert: curl -f -o /var/folders/bl/wbxjgtzx7j5_mjsmfr3ynlc00000gp/T/AppleWWDRCAG5.cer20230530-4903-luzp8t https://www.apple.com/certificateauthority/AppleWWDRCAG5.cer && security import /var/folders/bl/wbxjgtzx7j5_mjsmfr3ynlc00000gp/T/AppleWWDRCAG5.cer20230530-4903-luzp8t -k /Users/distiller/Library/Keychains/fastlane_tmp_keychain-db
INFO [2023-05-30 13:56:54.20]: ▸ 100  1113  100  1113    0     0  38039      0 --:--:-- --:--:-- --:--:-- 44520
INFO [2023-05-30 13:56:54.20]: ▸ security: SecKeychainItemImport: Unknown format in import.
DEBUG [2023-05-30 13:56:54.20]: Failed to install WWDR Certificate, checking output to see why
WARN [2023-05-30 13:56:54.21]: Lane Context:
INFO [2023-05-30 13:56:54.21]: {:PLATFORM_NAME=>:ios, :LANE_NAME=>"ios upload_development_to_firebase", :KEYCHAIN_PATH=>"~/Library/Keychains/fastlane_tmp_keychain", :ORIGINAL_DEFAULT_KEYCHAIN=>"\"/Users/distiller/Library/Keychains/login.keychain-db\""}
ERROR [2023-05-30 13:56:54.21]: Could not install WWDR certificate

This is running on CircleCI platform, using macos: xcode: 14.3.0, ruby version 2.7.5

I tried fixing this by creating my own keychain for fastlane to use with the following:

- run:
          name: Fix WWDR certificate
          command: |
            security create-keychain -p "$TMP_KEYCHAIN_PASSWORD" build.keychain
            security default-keychain -s build.keychain
            security unlock-keychain -p "$TMP_KEYCHAIN_PASSWORD" build.keychain

            tmpfile=$(mktemp /tmp/wwdr-cert.cer)
            curl -f -o $tmpfile https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer
            security import $tmpfile -k /Users/distiller/Library/Keychains/build.keychain -A -P "$TMP_KEYCHAIN_PASSWORD"

            security set-key-partition-list -S apple-tool:,apple: -s -k "$TMP_KEYCHAIN_PASSWORD" /Users/distiller/Library/Keychains/build.keychain

But this also gave me the error: security: SecItemCopyMatching: The specified item could not be found in the keychain.

Also tried downgrading to version 2.210.1, which worked but it would be great if we could solve this without it

from fastlane.

I started having this issue on GitHub Actions. The runner has fastlane 2.213.0 installed.
I am using Xcode 14.3.1.

The issue goes away once I rerun the workflow.

from fastlane.

Nope, still an issue for us (2.213.0), so we use the workaround.

from fastlane.

@fruitcoder Get Apple certificates and install them in Fastfile, for example, like that: https://github.com/organicmaps/organicmaps/blob/master/xcode/fastlane/Fastfile#L13

from fastlane.

Same for me: random errors when downloading WWDR certs, but I don't believe it's an Apple issue. I have another CI server with another version of fastlane and the errors there are way less frequent (or almost nonexistent).

Fortunately I have debug enabled.

The most common error message I get is the following one:

curl: (92) HTTP/2 stream 1 was not closed cleanly before end of the underlying stream

However, sometimes I get the following one:

Installing WWDR Cert: curl -f -o /var/folders/gh/5h9l2j0n4klg38n4bhn256yc0333gm/T/AppleWWDRCAG3.cer20230109-941-zd7vp7 https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer && security import /var/folders/gh/5h9l2j0n4klg38n4bhn256yc0333gm/T/AppleWWDRCAG3.cer20230109-941-zd7vp7 -k /Users/myuser/Library/Keychains/login.keychain-db

INFO [2023-01-09 18:28:34.08]: ▸ 100  1109  100  1109    0     0   7648      0 --:--:-- --:--:-- --:--:--  7809
INFO [2023-01-09 18:28:34.08]: ▸ security: SecKeychainItemImport: Unknown format in import.

from fastlane.

@chedabob maybe the installed Curl version is a factor here, or even the way Fastlane was installed (Ruby [Bundler] vs. Brew). If the previous way of checking Curl results was not properly checking them, perhaps/probably Curl was already failing before without noticing. If so, stopping to rely on a system binary which is not under Fastlane's control (which could also be at different versions for each user) by replacing it with Faraday (or something else) could actually solve it. At least it will provide a homogeneous scenario for everybody. Additionally, removing the dependency on a system package which ―as I said― is not under Fastlane's control looks like something that should be addressed ASAP.

Either way, right now adding those flags will probably mitigate this issue as a quick workaround. On top it will help to test if the HTTP/2 protocol was the real problem or if it's somewhere else.

from fastlane.

Comparing 2.210.1 and 2.211.0 shows a likely relevant change¹. Finding² the relevant commit, it seems³ that there had been a bug (from 6 years ago)⁴ that would ignore the result of the fetch (via curl) of the certificates. It seems this bug was possibly/probably benign.

from fastlane.

I hit it as well using Github actions

from fastlane.

We still have this issue. fastlane 2.213.0 installed.
We are using Xcode 14.1

from fastlane.

❯ security import /tmp/AppleWWDRCAG6.cer20230720-19211-1xp81x  -k test5-db
security: SecKeychainItemImport: Unknown format in import.

 mv /tmp/AppleWWDRCAG6.cer20230720-19211-1xp81x /tmp/AppleWWDRCAG6.cer20230720-19211-1xp81x.cer

security import /tmp/AppleWWDRCAG6.cer20230720-19211-1xp81x.cer  -k test6-db
1 certificate imported.

or with format

❯ security import /tmp/AppleWWDRCAG6.cer20230720-19211-1xp81x -f pkcs7 -k test5-db
1 certificate imported.

I think problem near

      file = Tempfile.new(File.basename(url))

need save extension for temfile.

Something like this

base = File.basename(url)
file = Tempfile.new([base, File.extname(base)])

from fastlane.

It seems like you have not included the output of fastlane env
To make it easier for us help you resolve this issue, please update the issue to include the output of fastlane env 👍

from fastlane.

Hey Fastlane team,
I use the verbose: true arg on match command and it seems it fails on the G6 certificate import

DEBUG [2023-01-03 17:28:18.95]: Installing WWDR Cert: curl -f -o /var/folders/bl/wbxjgtzx7j5_mjsmfr3ynlc00000gp/T/AppleWWDRCAG6.cer20230103-4270-11yw6p8 https://www.apple.com/certificateauthority/AppleWWDRCAG6.cer && security import /var/folders/bl/wbxjgtzx7j5_mjsmfr3ynlc00000gp/T/AppleWWDRCAG6.cer20230103-4270-11yw6p8 -k /Users/distiller/Library/Keychains/fastlane_tmp_keychain-db
INFO [2023-01-03 17:28:19.00]: ▸ 100   794  100   794    0     0  30909      0 --:--:-- --:--:-- --:--:-- 39700
INFO [2023-01-03 17:28:19.00]: ▸ security: SecKeychainItemImport: Unknown format in import.
DEBUG [2023-01-03 17:28:19.00]: Failed to install WWDR Certificate, checking output to see why 

DEBUG [2023-01-03 17:26:49.76]: Installing WWDR Cert: curl -f -o /var/folders/bl/wbxjgtzx7j5_mjsmfr3ynlc00000gp/T/AppleWWDRCAG6.cer20230103-4271-3gxe8q https://www.apple.com/certificateauthority/AppleWWDRCAG6.cer && security import /var/folders/bl/wbxjgtzx7j5_mjsmfr3ynlc00000gp/T/AppleWWDRCAG6.cer20230103-4271-3gxe8q -k /Users/distiller/Library/Keychains/fastlane_tmp_keychain-db
INFO [2023-01-03 17:26:49.81]: ▸ 1 certificate imported.
INFO [2023-01-03 17:26:49.81]: ▸ 100   794  100   794    0     0  30197      0 --:--:-- --:--:-- --:--:-- 37809

And it looks like it the result of this line

from fastlane.

facing the same issue on GitHub Actions

from fastlane.

Our issue has been resolved by itself, seems like it is an Apple problem?

from fastlane.

Some intermittent issue, resolved itself on next build

from fastlane.

Same issue here. Any workaround available? We will try to downgrade fastlane to 210 or to install the mentioned certificates.

from fastlane.

After several tests I can conclude downgrading to 2.210.1 solves the issue. Additionally I have discovered that both versions work fine when only one lane is run. When two or more lanes are run in parallel is when 2.211.0 fails (at least in my case).

I've then checked all commits between both versions and the only one related to this topic is 4b30089. The issue must be there.

from fastlane.

I'm struggling to reproduce it on my test repo, but I have seen this occur sporadically on Bitrise.

Some of this is speculation, but from what I can see:

• Before 2.211.0 the success check in cert_checker was looking at the wrong process (this is why it was changed according to the commit 4b30089#diff-605d869e313da5ef9f0c402845a4911eed5f8afc4ef45382210f237fceae498aL169), which then meant all failures in cert_checker were being ignored
• Some machines have some WWDR certificates pre-installed, so even though cert_checker was failing to install them, other parts of Fastlane kept on going because they didn't rely upon the missing certs
• The HTTP/2 error is a transient error from the server, which is why not everyone is seeing it all of the time

Using Curl through a shell call feels dirty, but I don't think replacing it with Faraday (or something else) will necessarily solve this.

Backing out the 2.211.0 change to the success check is papering over another issue, and only works by pure luck.

In the Curl command we could add --http1.1 and/or --retry 3 --retry-all-errors to try and alleviate it in the short term.

Another solution would be to add an option to Match to skip the WWDR cert installation, but I think this will take a lot of unpicking, and possibly just creates further problems in the future when the WWDR cert is renewed again.

Without being able to reproduce it I'm hesistant to just chuck a PR in and have all the Match users alpha-test it.

Actually I also can't reproduce the error on my machine, it happens to Github Actions consistently though, maybe you can try there?

from fastlane.

If anyone would like to test, I've put a branch up that migrates from Curl to Faraday

Replace the fastlane line in your Gemfile with this

gem 'fastlane', git: 'https://github.com/chedabob/fastlane', branch: 'CertCheckerFaraday'

One of my colleagues was also seeing this error so I will get them to verify this week.

from fastlane.

I tried but still get Could not install WWDR certificate

[10:50:39 ] Using fastlane 2.211.0 from https://github.com/chedabob/fastlane (at CertCheckerFaraday@061da97)
[10:50:43]: Installing certificate...
[10:50:43]: $ security find-certificate -a -c 'Apple Worldwide Developer Relations' -p /Library/Keychains/System.keychain

[10:50:43 ]
[10:50:43]: ▸ -----BEGIN CERTIFICATE-----
<certificate here>
[10:50:43]: ▸ -----END CERTIFICATE-----
[!] Could not install WWDR certificate

from fastlane.

I tried but still get Could not install WWDR certificate

[10:50:39 ] Using fastlane 2.211.0 from https://github.com/chedabob/fastlane (at CertCheckerFaraday@061da97)
[10:50:43]: Installing certificate...
[10:50:43]: $ security find-certificate -a -c 'Apple Worldwide Developer Relations' -p /Library/Keychains/System.keychain

[10:50:43 ]
[10:50:43]: ▸ -----BEGIN CERTIFICATE-----
<certificate here>
[10:50:43]: ▸ -----END CERTIFICATE-----
[!] Could not install WWDR certificate

@ptmt Can you run with --verbose and paste the whole log?

from fastlane.

@chedabob thanks for the tip, I see now the reason:

Installing WWDR Cert: security import /Users/admin/buildAgent/temp/buildTmp/AppleWWDRCAG2.cer20230209-4500-q5k519 -k /Library/Keychains/System.keychain

NFO [2023-02-09 11:26:07.81]: ▸ security: SecKeychainItemImport: Write permissions error.

from fastlane.

@ptmt

I think this might be an issue unrelated to the OP. It looks like you've only got the System keychain, which I suspect isn't writable by the fastlane process without first elevating its privilege (like a user would by entering their password/fingerprint in Keychain Access).

from fastlane.

Looks like on M1 related issue with not finding the created beforehand keychain. So I'll step up from this issue, but just for future google results (and future chat bot or whatnot), probably more relevant this answer #20559 (comment)

from fastlane.

@joshdholtz have you tried the Faraday workaround by @chedabob

If anyone would like to test, I've put a branch up that migrates from Curl to Faraday

Replace the fastlane line in your Gemfile with this

gem 'fastlane', git: 'https://github.com/chedabob/fastlane', branch: 'CertCheckerFaraday'

One of my colleagues was also seeing this error so I will get them to verify this week.

If not, could you please try? I've not been able to reproduce the error lately so I was unable to check it.

from fastlane.

@joshdholtz similar with us, I updated to 2.212.0 and set the env variable and hit the issue on a run today.

from fastlane.

@combinatorial @dcacenabes @juan-vg Are you building on Apple Silicon? Could it be you're seeing the missing keychain issue that @ptmt mentioned?

from fastlane.

@chedabob Yep, I'm building on Apple M1. However I can't remember the keychain was an issue. The issue happened randomly and the keychains were also in the same state for each execution (using Apple VMs freshly deployed from the same golden image each time). What I mean is that if it was a keychain issue, it should have happened every time instead of just some random times.

As you could check on mi first comment (#20960 (comment)) the issue looks different.

Same for me: random errors when downloading WWDR certs, but I don't believe it's an Apple issue. I have another CI server with another version of fastlane and the errors there are way less frequent (or almost nonexistent).

Fortunately I have debug enabled.

The most common error message I get is the following one:

curl: (92) HTTP/2 stream 1 was not closed cleanly before end of the underlying stream

However, sometimes I get the following one:

Installing WWDR Cert: curl -f -o /var/folders/gh/5h9l2j0n4klg38n4bhn256yc0333gm/T/AppleWWDRCAG3.cer20230109-941-zd7vp7 https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer && security import /var/folders/gh/5h9l2j0n4klg38n4bhn256yc0333gm/T/AppleWWDRCAG3.cer20230109-941-zd7vp7 -k /Users/myuser/Library/Keychains/login.keychain-db

INFO [2023-01-09 18:28:34.08]: ▸ 100  1109  100  1109    0     0   7648      0 --:--:-- --:--:-- --:--:--  7809
INFO [2023-01-09 18:28:34.08]: ▸ security: SecKeychainItemImport: Unknown format in import.

Note the first assumption was wrong because the new Fastlane version just showed a problem that was already happening but not properly addressed (something I've discovered later across this issue). Also, the other CI server is not ephemeral and it has the certs installed in the keychain, so it's not a good example to compare.

from fastlane.

We still see this happening in the https://github.com/getsentry/sentry-cocoa repo: Could not install WWDR certificate Rerunning the GH action solves the problem. We didn't see this error when using Fastlane 2.210.1.

from fastlane.

I think the root cause of this issue is that fastlane is looking for the certificate in the Login Keychain and the cert is installed in the System Keychain

Failing security find-certificate -a -c 'Apple Worldwide Developer Relations' -p /Users/vagrant/Library/Keychains/login.keychain-db

Working security find-certificate -a -c 'Apple Worldwide Developer Relations'

When fastlane fails to find the cert it downloads it from Apple which intermittently fails

Same for us using it on CircleCI. The cert is stored in the system keychain.

from fastlane.

Is there any update on this?! not fixed yet.

from fastlane.

We're also seeing this issue intermittently, why is the issue closed?

from fastlane.

@joshdholtz can the ticket be opened again? Or does it have to be a new issue?

Since many are reporting downgrading to 2.210.1 fixes the issue it might be interesting what changed since then.

from fastlane.

Hello ! I opened this issue 3 months ago and I noticed it is closed but people are still facing the issue intermittently.
Do you have any updates about it?

from fastlane.

Just got this error today.

from fastlane.

same

from fastlane.

The same error with 2.212.2 while using GitHub Actions.

same here

from fastlane.

bitrise, same issue

from fastlane.

Getting this issue too on 2.211.0.

from fastlane.

Just got this for the first time today. CircleCI, Match 2.211.0.

from fastlane.

We have solved it by manually importing Apple WWDR certificate during the build in the Fastline config.

from fastlane.

We have solved it by manually importing Apple WWDR certificate during the build in the Fastline config.

how do you do this? @biodranik

from fastlane.

@henderson2350 see this comment above for one possible way to do it: #20960 (comment)

from fastlane.

We are using Fastlane 2.210.1 and XCODE 14.1 but the error randomly occurs

from fastlane.

Even with one of the suggested workarounds (installing the G3 certificate manually) + the retry environment variable, we're still getting "Could not install WWDR certificate" occasionally, when Fastlane tries to download the remaining ones:

A failure example from a Bitrise job:

$ security default-keychain -d user
▸     "/Users/vagrant/Library/Keychains/login.keychain-db"
 Installing WWDR Cert: curl --http1.1 --retry 3 --retry-all-errors -f -o /var/folders/69/qgnyrbkx23dbp0p6p_b6bc9m0000gn/T/AppleWWDRCAG2.cer20230705-26839-qa9p96 https://www.apple.com/certificateauthority/AppleWWDRCAG2.cer && security import /var/folders/69/qgnyrbkx23dbp0p6p_b6bc9m0000gn/T/AppleWWDRCAG2.cer20230705-26839-qa9p96 -k /Users/vagrant/Library/Keychains/login.keychain-db
▸ 1 certificate imported.
▸ 100   763  100   763    0     0  13287      0 --:--:-- --:--:-- --:--:-- 13625
$ security default-keychain -d user
▸     "/Users/vagrant/Library/Keychains/login.keychain-db"
 Installing WWDR Cert: curl --http1.1 --retry 3 --retry-all-errors -f -o /var/folders/69/qgnyrbkx23dbp0p6p_b6bc9m0000gn/T/AppleWWDRCAG4.cer20230705-26839-55p8ad https://www.apple.com/certificateauthority/AppleWWDRCAG4.cer && security import /var/folders/69/qgnyrbkx23dbp0p6p_b6bc9m0000gn/T/AppleWWDRCAG4.cer20230705-26839-55p8ad -k /Users/vagrant/Library/Keychains/login.keychain-db
▸ 100  1113  100  1113    0     0  23626      0 --:--:-- --:--:-- --:--:-- 24733
▸ security: SecKeychainItemImport: Unknown format in import.
 Failed to install WWDR Certificate, checking output to see why

from fastlane.

why was this issue closed? Apparently, it's still a problem. Or can anyone confirm it's resolved in the latest fastlane release?

from fastlane.

@Legoless which of the many workarounds do you mean and how do they work on a CI? Should we download and install them on every build via fastlane or download them on our machine and upload them to the CI which installs them on launch (my example is bitrise). I don't know which keychain certificates are installed into by default.

from fastlane.

Thanks for the input. I tried a manual script that downloads the certs and installs them in the keychain. Will have to find out if it works for the next build. Otherwise, I'll try your solution in fastlane directly

from fastlane.

@Legoless which of the many workarounds do you mean and how do they work on a CI? Should we download and install them on every build via fastlane or download them on our machine and upload them to the CI which installs them on launch (my example is bitrise). I don't know which keychain certificates are installed into by default.

@fruitcoder We install the certificates ourselves before in addition to our distribution certificate that we use to sign the app on CI. Similar procedure to:

import_certificate(
        certificate_path: 'fastlane/certificates/AppleWWDRCAG3.cer',
        keychain_name: ENV['MATCH_KEYCHAIN_NAME'],
        keychain_password: ENV['MATCH_KEYCHAIN_PASSWORD']
    )

from fastlane.

@biodranik I followed your example code, but on the step to import each certificate I'm getting the error

----------------------------------------
--- Step: Switch to ios prepare lane ---
----------------------------------------
Cruising over to lane 'ios prepare' 🚖
--------------------------------
--- Step: import_certificate ---
--------------------------------
Setting key partition list... (this can take a minute if there are a lot of keys installed)
security: SecItemCopyMatching: The specified item could not be found in the keychain.
--------------------------------

And I don't know what I'm doing wrong, I tried 2 options:

• Manually download the .cer files and them to the path.
• Downloaded the certificates in a previous step of my GitHub action, and install them on the Keychain.

And with both options, I'm getting the same error. How did you achieve to import them into the lane?

from fastlane.

encountered the same error in Github Actions using 2.214.0. downgrading to 2.213.0 fixed it for me, but given everyone else in this thread, I expect it will fail intermittently.

I'll probably resort to the mentioned workaround if I face any more issues.

@joshdholtz please take another look beyond adding retries.

from fastlane.

Same problem, downgrading fastlane was unsuccessful

from fastlane.

I still has this issue when using a non-default keychain, so I opened #21578 which fixes it in our CI

from fastlane.