Comments (80)
Same issue here, running on Github Actions
from fastlane.
I had this issue months ago and then had to revert to an older version, was forced to update to 2.212.1 and now have the issue again, please can we have a fix? This has been a issue for months now and its kinda a big one
from fastlane.
Hitting this with Fastlane 2.212.1
from fastlane.
I'm struggling to reproduce it on my test repo, but I have seen this occur sporadically on Bitrise.
Some of this is speculation, but from what I can see:
- Before 2.211.0 the success check in
cert_checker
was looking at the wrong process (this is why it was changed according to the commit 4b30089#diff-605d869e313da5ef9f0c402845a4911eed5f8afc4ef45382210f237fceae498aL169), which then meant all failures incert_checker
were being ignored- Some machines have some WWDR certificates pre-installed, so even though
cert_checker
was failing to install them, other parts of Fastlane kept on going because they didn't rely upon the missing certs- The HTTP/2 error is a transient error from the server, which is why not everyone is seeing it all of the time
Using Curl through a shell call feels dirty, but I don't think replacing it with Faraday (or something else) will necessarily solve this.
Backing out the 2.211.0 change to the success check is papering over another issue, and only works by pure luck.
In the Curl command we could add
--http1.1
and/or--retry 3 --retry-all-errors
to try and alleviate it in the short term.Another solution would be to add an option to Match to skip the WWDR cert installation, but I think this will take a lot of unpicking, and possibly just creates further problems in the future when the WWDR cert is renewed again.
Without being able to reproduce it I'm hesistant to just chuck a PR in and have all the Match users alpha-test it.
Why this is only failing occasionally on CI is way beyond me right now but... I like that there are some things we can add to the curl
command --http1.1
and/or --retry 3 --retry-all-errors
that might fix this 🤷♂️ Thank you @chedabob for this! ❤️
I'm going to put these behind an environment variable since I'm not able to replicate this issue but it will allow anybody facing this issue to set an environment variable like FASTLANE_WWDR_USE_HTTP1_AND_RETRIES=true
to see if this does solve it 🤔
I'm going to create a PR for this and then get a new release out this weekend. Would appreciate any feedback when released if this works or not... but hopefully it does 🤞
from fastlane.
I'm still seeing this as well
from fastlane.
Happens to us as well every few builds (CircleCI).
from fastlane.
Will try and get a new version of fastlane out with a fix tonight if I can!
from fastlane.
Still occurs with v2.212.1 although the flag FASTLANE_WWDR_USE_HTTP1_AND_RETRIES
is set.
Occurs only sporadically and is currently bypassed by retrying pipeline job.
from fastlane.
- I can confirm that downgrading to version
2.210.1
seems to get rid of the problem.
Same here. FYI for anybody who'd like to know how, simply edit Gemfile
:
source "https://rubygems.org"
-# gem "fastlane"
+gem "fastlane", "= 2.210.1"
gem "fastlane-plugin-flutter_version", git: "https://github.com/tianhaoz95/fastlane-plugin-flutter-version"
plugins_path = File.join(File.dirname(__FILE__), '.', 'Pluginfile')
eval_gemfile(plugins_path) if File.exist?(plugins_path)
from fastlane.
Like others are saying, still an issue with latest 2.213.0 and Xcode 14.3.1 on GitHub Actions. :/
from fastlane.
@joshdholtz , @PaulTaykalo in #21442 figured out a real reason and it looks like a bug in security import.
Executing security import AppleWWDRCAG2.cerXXXXXXXXXXX-X-p8asd
will produce an error security: SecKeychainItemImport: Unknown format in import
.
The workaround is to preserve .cer file extension.
from fastlane.
@joshdholtz Unfortunately it did not fix the issue. I just got the same error in our 4th CI build after merging the bump to 2.212.0 and setting the env var :(
from fastlane.
We're also seeing this issue intermittently, why is the issue closed?
same question
from fastlane.
We also downgraded to 2.210.1
and until now this issue did not show up anymore
from fastlane.
This happens to us quite often in CI and is really annoying 😞
from fastlane.
I'm struggling to reproduce it on my test repo, but I have seen this occur sporadically on Bitrise.
Some of this is speculation, but from what I can see:
- Before 2.211.0 the success check in
cert_checker
was looking at the wrong process (this is why it was changed according to the commit 4b30089#diff-605d869e313da5ef9f0c402845a4911eed5f8afc4ef45382210f237fceae498aL169), which then meant all failures incert_checker
were being ignored - Some machines have some WWDR certificates pre-installed, so even though
cert_checker
was failing to install them, other parts of Fastlane kept on going because they didn't rely upon the missing certs - The HTTP/2 error is a transient error from the server, which is why not everyone is seeing it all of the time
Using Curl through a shell call feels dirty, but I don't think replacing it with Faraday (or something else) will necessarily solve this.
Backing out the 2.211.0 change to the success check is papering over another issue, and only works by pure luck.
In the Curl command we could add --http1.1
and/or --retry 3 --retry-all-errors
to try and alleviate it in the short term.
Another solution would be to add an option to Match to skip the WWDR cert installation, but I think this will take a lot of unpicking, and possibly just creates further problems in the future when the WWDR cert is renewed again.
Without being able to reproduce it I'm hesistant to just chuck a PR in and have all the Match users alpha-test it.
from fastlane.
I think the root cause of this issue is that fastlane is looking for the certificate in the Login Keychain and the cert is installed in the System Keychain
Failing
security find-certificate -a -c 'Apple Worldwide Developer Relations' -p /Users/vagrant/Library/Keychains/login.keychain-db
Working
security find-certificate -a -c 'Apple Worldwide Developer Relations'
When fastlane fails to find the cert it downloads it from Apple which intermittently fails
from fastlane.
The same error with 2.212.2 while using GitHub Actions.
from fastlane.
@pchelnikov, we're currently still facing this issue on 2.212.2
.
Running on GH actions, macos-13
runner.
from fastlane.
The actual workaround would be to download the 6 certs
- https://developer.apple.com/certificationauthority/AppleWWDRCA.cer
- https://www.apple.com/certificateauthority/AppleWWDRCAG2.cer
- https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer
- https://www.apple.com/certificateauthority/AppleWWDRCAG4.cer
- https://www.apple.com/certificateauthority/AppleWWDRCAG5.cer
- https://www.apple.com/certificateauthority/AppleWWDRCAG6.cer
and install them in login.keychain
from fastlane.
I was able to work around this intermittent failure by adding a bash step to our pipeline that runs before the fastlane commands:
tmpfile=$(mktemp /tmp/wwdr-cert.cer)
curl -f -o $tmpfile https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer && security import $tmpfile /Users/runner/Library/Keychains/login.keychain-db
Swap out /Users/runner/Library/Keychains/login.keychain-db
with the path to your pipeline's login.keychain-db
from fastlane.
Getting this one too on 2.212.0
.
from fastlane.
Got this today for the first time. GitHub Actions
, macos-13
runner, fastlane 2.211.0
.
UPD:
I've updated fastlane to 2.212.2
and it works.
from fastlane.
Download https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer
Then add the following lines to the Fastfile: organicmaps/organicmaps@8028798
from fastlane.
Same is happening for us.
from fastlane.
- Currently happening to me on Github Actions.
- Works fine if I run it locally.
- I'm using fastlane version
2.211.0
. - Unlike what is said in the above comments, I am not running lanes in parallel.
- I can confirm that downgrading to version
2.210.1
seems to get rid of the problem.
full logs
[06:56:26]: Sending anonymous analytics information
[06:56:26]: Learn more at https://docs.fastlane.tools/#metrics
[06:56:26]: No personal or sensitive data is sent.
[06:56:26]: You can disable this by adding `opt_out_usage` at the top of your Fastfile
[06:56:26]: ------------------------------
[06:56:26]: --- Step: default_platform ---
[06:56:26]: ------------------------------
[06:56:26]: Driving the lane 'ios productionRelease' 🚀
[06:56:26]: ----------------------
[06:56:26]: --- Step: setup_ci ---
[06:56:26]: ----------------------
[06:56:26]: Creating temporary keychain: "fastlane_tmp_keychain".
[06:56:26]: $ security list-keychains -d user
[06:56:26]: ▸ "/Users/runner/Library/Keychains/fastlane_tmp_keychain-db"
[06:56:26]: Found keychain '/Users/runner/Library/Keychains/fastlane_tmp_keychain-db' in list-keychains, adding to search list skipped
[06:56:26]: Enabling match readonly mode.
[06:56:26]: ---------------------------------------
[06:56:26]: --- Step: app_store_connect_api_key ---
[06:56:26]: ---------------------------------------
[06:56:27]: -------------------
[06:56:27]: --- Step: match ---
[06:56:27]: -------------------
[06:56:27]: Successfully loaded '/Users/runner/work/myapp-react-native/myapp-react-native/ios/fastlane/Matchfile' 📄
+----------------+----------------------------------------------------------------------------------------+
| Detected Values from './fastlane/Matchfile' |
+----------------+----------------------------------------------------------------------------------------+
| git_url | [email protected]:aprilmintacpineda/myapp-fastlane-match.git |
| storage_mode | git |
| type | appstore |
| app_identifier | ["com.aprmp.myapp", "com.aprmp.myapp.stg", "com.aprmp.myapp.dev"] |
| username | *** |
+----------------+----------------------------------------------------------------------------------------+
+----------------------------------------+----------------------------------------------------------------------------------------+
| Summary for match 2.211.0 |
+----------------------------------------+----------------------------------------------------------------------------------------+
| api_key | ******** |
| readonly | true |
| type | appstore |
| generate_apple_certs | true |
| skip_provisioning_profiles | false |
| app_identifier | ["com.aprmp.myapp", "com.aprmp.myapp.stg", "com.aprmp.myapp.dev"] |
| username | *** |
| team_id | *** |
| storage_mode | git |
| git_url | [email protected]:aprilmintacpineda/myapp-fastlane-match.git |
| git_branch | master |
| shallow_clone | false |
| clone_branch_directly | false |
| skip_google_cloud_account_confirmation | false |
| keychain_name | fastlane_tmp_keychain |
| force | false |
| force_for_new_devices | false |
| include_mac_in_profiles | false |
| include_all_certificates | false |
| force_for_new_certificates | false |
| skip_confirmation | false |
| safe_remove_certs | false |
| skip_docs | false |
| platform | ios |
| derive_catalyst_app_identifier | false |
| fail_on_name_taken | false |
| skip_certificate_matching | false |
| skip_set_partition_list | false |
| verbose | false |
+----------------------------------------+----------------------------------------------------------------------------------------+
[06:56:27]: Cloning remote git repo...
[06:56:27]: If cloning the repo takes too long, you can use the `clone_branch_directly` option in match.
[06:56:29]: Checking out branch master...
[06:56:29]: 🔓 Successfully decrypted certificates repo
[06:56:29]: Installing certificate...
[06:56:29]: $ security find-certificate -a -c 'Apple Worldwide Developer Relations' -p /Users/runner/Library/Keychains/fastlane_tmp_keychain-db
+---------------------------+-----------------------------------------------------+
| Lane Context |
+---------------------------+-----------------------------------------------------+
| DEFAULT_PLATFORM | ios |
| PLATFORM_NAME | ios |
| LANE_NAME | ios productionRelease |
| KEYCHAIN_PATH | ~/Library/Keychains/fastlane_tmp_keychain |
| ORIGINAL_DEFAULT_KEYCHAIN | "/Users/runner/Library/Keychains/login.keychain-db" |
+---------------------------+-----------------------------------------------------+
[06:56:30]: Could not install WWDR certificate
[!] Could not install WWDR certificate
+------+---------------------------+-------------+
| fastlane summary |
+------+---------------------------+-------------+
| Step | Action | Time (in s) |
+------+---------------------------+-------------+
| 1 | default_platform | 0 |
| 2 | setup_ci | 0 |
| 3 | app_store_connect_api_key | 0 |
| 💥 | match | 3 |
+------+---------------------------+-------------+
[06:56:30]: fastlane finished with errors
Error: Process completed with exit code 1.
from fastlane.
This is still happening intermittently for me even on fastlane-2.213.0 version in Bitrise.
from fastlane.
I've gotten this issue today as well, here's my log:
INFO [2023-05-30 13:56:53.72]: Installing certificate...
INFO [2023-05-30 13:56:53.72]: $ security default-keychain -d user
INFO [2023-05-30 13:56:53.73]: ▸ "/Users/distiller/Library/Keychains/fastlane_tmp_keychain-db"
INFO [2023-05-30 13:56:53.73]: $ security find-certificate -a -c 'Apple Worldwide Developer Relations' -p /Users/distiller/Library/Keychains/fastlane_tmp_keychain-db
INFO [2023-05-30 13:56:53.75]: $ security default-keychain -d user
INFO [2023-05-30 13:56:53.76]: ▸ "/Users/distiller/Library/Keychains/fastlane_tmp_keychain-db"
DEBUG [2023-05-30 13:56:53.76]: Installing WWDR Cert: curl -f -o /var/folders/bl/wbxjgtzx7j5_mjsmfr3ynlc00000gp/T/AppleWWDRCAG2.cer20230530-4903-xtweu1 https://www.apple.com/certificateauthority/AppleWWDRCAG2.cer && security import /var/folders/bl/wbxjgtzx7j5_mjsmfr3ynlc00000gp/T/AppleWWDRCAG2.cer20230530-4903-xtweu1 -k /Users/distiller/Library/Keychains/fastlane_tmp_keychain-db
INFO [2023-05-30 13:56:53.82]: ▸ 1 certificate imported.
INFO [2023-05-30 13:56:53.82]: ▸ 100 763 100 763 0 0 31488 0 --:--:-- --:--:-- --:--:-- 38150
INFO [2023-05-30 13:56:53.82]: $ security default-keychain -d user
INFO [2023-05-30 13:56:53.83]: ▸ "/Users/distiller/Library/Keychains/fastlane_tmp_keychain-db"
DEBUG [2023-05-30 13:56:53.83]: Installing WWDR Cert: curl -f -o /var/folders/bl/wbxjgtzx7j5_mjsmfr3ynlc00000gp/T/AppleWWDRCAG3.cer20230530-4903-1qw8jke https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer && security import /var/folders/bl/wbxjgtzx7j5_mjsmfr3ynlc00000gp/T/AppleWWDRCAG3.cer20230530-4903-1qw8jke -k /Users/distiller/Library/Keychains/fastlane_tmp_keychain-db
INFO [2023-05-30 13:56:53.89]: ▸ 1 certificate imported.
INFO [2023-05-30 13:56:53.89]: ▸ 100 1109 100 1109 0 0 44407 0 --:--:-- --:--:-- --:--:-- 52809
INFO [2023-05-30 13:56:53.89]: $ security default-keychain -d user
INFO [2023-05-30 13:56:53.90]: ▸ "/Users/distiller/Library/Keychains/fastlane_tmp_keychain-db"
DEBUG [2023-05-30 13:56:53.90]: Installing WWDR Cert: curl -f -o /var/folders/bl/wbxjgtzx7j5_mjsmfr3ynlc00000gp/T/AppleWWDRCAG4.cer20230530-4903-nioy06 https://www.apple.com/certificateauthority/AppleWWDRCAG4.cer && security import /var/folders/bl/wbxjgtzx7j5_mjsmfr3ynlc00000gp/T/AppleWWDRCAG4.cer20230530-4903-nioy06 -k /Users/distiller/Library/Keychains/fastlane_tmp_keychain-db
INFO [2023-05-30 13:56:53.95]: ▸ 1 certificate imported.
INFO [2023-05-30 13:56:53.95]: ▸ 100 1113 100 1113 0 0 46892 0 --:--:-- --:--:-- --:--:-- 58578
INFO [2023-05-30 13:56:53.95]: $ security default-keychain -d user
INFO [2023-05-30 13:56:53.96]: ▸ "/Users/distiller/Library/Keychains/fastlane_tmp_keychain-db"
DEBUG [2023-05-30 13:56:54.14]: Installing WWDR Cert: curl -f -o /var/folders/bl/wbxjgtzx7j5_mjsmfr3ynlc00000gp/T/AppleWWDRCAG5.cer20230530-4903-luzp8t https://www.apple.com/certificateauthority/AppleWWDRCAG5.cer && security import /var/folders/bl/wbxjgtzx7j5_mjsmfr3ynlc00000gp/T/AppleWWDRCAG5.cer20230530-4903-luzp8t -k /Users/distiller/Library/Keychains/fastlane_tmp_keychain-db
INFO [2023-05-30 13:56:54.20]: ▸ 100 1113 100 1113 0 0 38039 0 --:--:-- --:--:-- --:--:-- 44520
INFO [2023-05-30 13:56:54.20]: ▸ security: SecKeychainItemImport: Unknown format in import.
DEBUG [2023-05-30 13:56:54.20]: Failed to install WWDR Certificate, checking output to see why
WARN [2023-05-30 13:56:54.21]: Lane Context:
INFO [2023-05-30 13:56:54.21]: {:PLATFORM_NAME=>:ios, :LANE_NAME=>"ios upload_development_to_firebase", :KEYCHAIN_PATH=>"~/Library/Keychains/fastlane_tmp_keychain", :ORIGINAL_DEFAULT_KEYCHAIN=>"\"/Users/distiller/Library/Keychains/login.keychain-db\""}
ERROR [2023-05-30 13:56:54.21]: Could not install WWDR certificate
This is running on CircleCI platform, using macos: xcode: 14.3.0, ruby version 2.7.5
I tried fixing this by creating my own keychain for fastlane to use with the following:
- run:
name: Fix WWDR certificate
command: |
security create-keychain -p "$TMP_KEYCHAIN_PASSWORD" build.keychain
security default-keychain -s build.keychain
security unlock-keychain -p "$TMP_KEYCHAIN_PASSWORD" build.keychain
tmpfile=$(mktemp /tmp/wwdr-cert.cer)
curl -f -o $tmpfile https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer
security import $tmpfile -k /Users/distiller/Library/Keychains/build.keychain -A -P "$TMP_KEYCHAIN_PASSWORD"
security set-key-partition-list -S apple-tool:,apple: -s -k "$TMP_KEYCHAIN_PASSWORD" /Users/distiller/Library/Keychains/build.keychain
But this also gave me the error: security: SecItemCopyMatching: The specified item could not be found in the keychain.
Also tried downgrading to version 2.210.1
, which worked but it would be great if we could solve this without it
from fastlane.
I started having this issue on GitHub Actions. The runner has fastlane 2.213.0
installed.
I am using Xcode 14.3.1.
The issue goes away once I rerun the workflow.
from fastlane.
Nope, still an issue for us (2.213.0), so we use the workaround.
from fastlane.
@fruitcoder Get Apple certificates and install them in Fastfile, for example, like that: https://github.com/organicmaps/organicmaps/blob/master/xcode/fastlane/Fastfile#L13
from fastlane.
Same for me: random errors when downloading WWDR certs, but I don't believe it's an Apple issue. I have another CI server with another version of fastlane and the errors there are way less frequent (or almost nonexistent).
Fortunately I have debug enabled.
The most common error message I get is the following one:
curl: (92) HTTP/2 stream 1 was not closed cleanly before end of the underlying stream
However, sometimes I get the following one:
Installing WWDR Cert: curl -f -o /var/folders/gh/5h9l2j0n4klg38n4bhn256yc0333gm/T/AppleWWDRCAG3.cer20230109-941-zd7vp7 https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer && security import /var/folders/gh/5h9l2j0n4klg38n4bhn256yc0333gm/T/AppleWWDRCAG3.cer20230109-941-zd7vp7 -k /Users/myuser/Library/Keychains/login.keychain-db
INFO [2023-01-09 18:28:34.08]: ▸ 100 1109 100 1109 0 0 7648 0 --:--:-- --:--:-- --:--:-- 7809
INFO [2023-01-09 18:28:34.08]: ▸ security: SecKeychainItemImport: Unknown format in import.
from fastlane.
@chedabob maybe the installed Curl version is a factor here, or even the way Fastlane was installed (Ruby [Bundler] vs. Brew). If the previous way of checking Curl results was not properly checking them, perhaps/probably Curl was already failing before without noticing. If so, stopping to rely on a system binary which is not under Fastlane's control (which could also be at different versions for each user) by replacing it with Faraday (or something else) could actually solve it. At least it will provide a homogeneous scenario for everybody. Additionally, removing the dependency on a system package which ―as I said― is not under Fastlane's control looks like something that should be addressed ASAP.
Either way, right now adding those flags will probably mitigate this issue as a quick workaround. On top it will help to test if the HTTP/2 protocol was the real problem or if it's somewhere else.
from fastlane.
Comparing 2.210.1
and 2.211.0
shows a likely relevant change1. Finding2 the relevant commit, it seems3 that there had been a bug (from 6 years ago)4 that would ignore the result of the fetch (via curl
) of the certificates. It seems this bug was possibly/probably benign.
Footnotes
-
https://github.com/fastlane/fastlane/compare/2.210.1...2.211.0#diff-605d869e313da5ef9f0c402845a4911eed5f8afc4ef45382210f237fceae498aR169 ↩
-
https://github.com/fastlane/fastlane/blame/2.211.0/fastlane_core/lib/fastlane_core/cert_checker.rb#L169 ↩
-
https://github.com/fastlane/fastlane/commit/4b3008914ff809850d7b8bf772e1a3363213ed18#:~:text=concatenation%0A%0A*%20Fix%20some-,WWDR%20certificates,-test%20failure%0A%0AThis ↩
-
https://github.com/fastlane/fastlane/blame/7de28ca20ebbee386728ea8eb35838a67375a9ca/fastlane_core/lib/fastlane_core/cert_checker.rb#L169 ↩
from fastlane.
I hit it as well using Github actions
from fastlane.
We still have this issue. fastlane 2.213.0
installed.
We are using Xcode 14.1
from fastlane.
❯ security import /tmp/AppleWWDRCAG6.cer20230720-19211-1xp81x -k test5-db
security: SecKeychainItemImport: Unknown format in import.
mv /tmp/AppleWWDRCAG6.cer20230720-19211-1xp81x /tmp/AppleWWDRCAG6.cer20230720-19211-1xp81x.cer
security import /tmp/AppleWWDRCAG6.cer20230720-19211-1xp81x.cer -k test6-db
1 certificate imported.
or with format
❯ security import /tmp/AppleWWDRCAG6.cer20230720-19211-1xp81x -f pkcs7 -k test5-db
1 certificate imported.
I think problem near
file = Tempfile.new(File.basename(url))
need save extension for temfile.
Something like this
base = File.basename(url)
file = Tempfile.new([base, File.extname(base)])
from fastlane.
It seems like you have not included the output of fastlane env
To make it easier for us help you resolve this issue, please update the issue to include the output of fastlane env
👍
from fastlane.
Hey Fastlane team,
I use the verbose: true
arg on match
command and it seems it fails on the G6 certificate import
DEBUG [2023-01-03 17:28:18.95]: Installing WWDR Cert: curl -f -o /var/folders/bl/wbxjgtzx7j5_mjsmfr3ynlc00000gp/T/AppleWWDRCAG6.cer20230103-4270-11yw6p8 https://www.apple.com/certificateauthority/AppleWWDRCAG6.cer && security import /var/folders/bl/wbxjgtzx7j5_mjsmfr3ynlc00000gp/T/AppleWWDRCAG6.cer20230103-4270-11yw6p8 -k /Users/distiller/Library/Keychains/fastlane_tmp_keychain-db INFO [2023-01-03 17:28:19.00]: ▸ 100 794 100 794 0 0 30909 0 --:--:-- --:--:-- --:--:-- 39700 INFO [2023-01-03 17:28:19.00]: ▸ security: SecKeychainItemImport: Unknown format in import. DEBUG [2023-01-03 17:28:19.00]: Failed to install WWDR Certificate, checking output to see why
DEBUG [2023-01-03 17:26:49.76]: Installing WWDR Cert: curl -f -o /var/folders/bl/wbxjgtzx7j5_mjsmfr3ynlc00000gp/T/AppleWWDRCAG6.cer20230103-4271-3gxe8q https://www.apple.com/certificateauthority/AppleWWDRCAG6.cer && security import /var/folders/bl/wbxjgtzx7j5_mjsmfr3ynlc00000gp/T/AppleWWDRCAG6.cer20230103-4271-3gxe8q -k /Users/distiller/Library/Keychains/fastlane_tmp_keychain-db INFO [2023-01-03 17:26:49.81]: ▸ 1 certificate imported. INFO [2023-01-03 17:26:49.81]: ▸ 100 794 100 794 0 0 30197 0 --:--:-- --:--:-- --:--:-- 37809
And it looks like it the result of this line
from fastlane.
facing the same issue on GitHub Actions
from fastlane.
Our issue has been resolved by itself, seems like it is an Apple problem?
from fastlane.
Some intermittent issue, resolved itself on next build
from fastlane.
Same issue here. Any workaround available? We will try to downgrade fastlane to 210 or to install the mentioned certificates.
from fastlane.
After several tests I can conclude downgrading to 2.210.1
solves the issue. Additionally I have discovered that both versions work fine when only one lane is run. When two or more lanes are run in parallel is when 2.211.0
fails (at least in my case).
I've then checked all commits between both versions and the only one related to this topic is 4b30089. The issue must be there.
from fastlane.
I'm struggling to reproduce it on my test repo, but I have seen this occur sporadically on Bitrise.
Some of this is speculation, but from what I can see:
- Before 2.211.0 the success check in
cert_checker
was looking at the wrong process (this is why it was changed according to the commit 4b30089#diff-605d869e313da5ef9f0c402845a4911eed5f8afc4ef45382210f237fceae498aL169), which then meant all failures incert_checker
were being ignored- Some machines have some WWDR certificates pre-installed, so even though
cert_checker
was failing to install them, other parts of Fastlane kept on going because they didn't rely upon the missing certs- The HTTP/2 error is a transient error from the server, which is why not everyone is seeing it all of the time
Using Curl through a shell call feels dirty, but I don't think replacing it with Faraday (or something else) will necessarily solve this.
Backing out the 2.211.0 change to the success check is papering over another issue, and only works by pure luck.
In the Curl command we could add
--http1.1
and/or--retry 3 --retry-all-errors
to try and alleviate it in the short term.Another solution would be to add an option to Match to skip the WWDR cert installation, but I think this will take a lot of unpicking, and possibly just creates further problems in the future when the WWDR cert is renewed again.
Without being able to reproduce it I'm hesistant to just chuck a PR in and have all the Match users alpha-test it.
Actually I also can't reproduce the error on my machine, it happens to Github Actions consistently though, maybe you can try there?
from fastlane.
If anyone would like to test, I've put a branch up that migrates from Curl to Faraday
Replace the fastlane
line in your Gemfile with this
gem 'fastlane', git: 'https://github.com/chedabob/fastlane', branch: 'CertCheckerFaraday'
One of my colleagues was also seeing this error so I will get them to verify this week.
from fastlane.
I tried but still get Could not install WWDR certificate
[10:50:39 ] Using fastlane 2.211.0 from https://github.com/chedabob/fastlane (at CertCheckerFaraday@061da97)
[10:50:43]: Installing certificate...
[10:50:43]: $ security find-certificate -a -c 'Apple Worldwide Developer Relations' -p /Library/Keychains/System.keychain
[10:50:43 ]
[10:50:43]: ▸ -----BEGIN CERTIFICATE-----
<certificate here>
[10:50:43]: ▸ -----END CERTIFICATE-----
[!] Could not install WWDR certificate
from fastlane.
I tried but still get
Could not install WWDR certificate
[10:50:39 ] Using fastlane 2.211.0 from https://github.com/chedabob/fastlane (at CertCheckerFaraday@061da97) [10:50:43]: Installing certificate... [10:50:43]: $ security find-certificate -a -c 'Apple Worldwide Developer Relations' -p /Library/Keychains/System.keychain [10:50:43 ] [10:50:43]: ▸ -----BEGIN CERTIFICATE----- <certificate here> [10:50:43]: ▸ -----END CERTIFICATE----- [!] Could not install WWDR certificate
@ptmt Can you run with --verbose
and paste the whole log?
from fastlane.
@chedabob thanks for the tip, I see now the reason:
Installing WWDR Cert: security import /Users/admin/buildAgent/temp/buildTmp/AppleWWDRCAG2.cer20230209-4500-q5k519 -k /Library/Keychains/System.keychain
NFO [2023-02-09 11:26:07.81]: ▸ security: SecKeychainItemImport: Write permissions error.
from fastlane.
I think this might be an issue unrelated to the OP. It looks like you've only got the System keychain, which I suspect isn't writable by the fastlane process without first elevating its privilege (like a user would by entering their password/fingerprint in Keychain Access).
from fastlane.
Looks like on M1 related issue with not finding the created beforehand keychain. So I'll step up from this issue, but just for future google results (and future chat bot or whatnot), probably more relevant this answer #20559 (comment)
from fastlane.
@joshdholtz have you tried the Faraday workaround by @chedabob
If anyone would like to test, I've put a branch up that migrates from Curl to Faraday
Replace the
fastlane
line in your Gemfile with this
gem 'fastlane', git: 'https://github.com/chedabob/fastlane', branch: 'CertCheckerFaraday'
One of my colleagues was also seeing this error so I will get them to verify this week.
If not, could you please try? I've not been able to reproduce the error lately so I was unable to check it.
from fastlane.
@joshdholtz similar with us, I updated to 2.212.0 and set the env variable and hit the issue on a run today.
from fastlane.
@combinatorial @dcacenabes @juan-vg Are you building on Apple Silicon? Could it be you're seeing the missing keychain issue that @ptmt mentioned?
from fastlane.
@chedabob Yep, I'm building on Apple M1. However I can't remember the keychain was an issue. The issue happened randomly and the keychains were also in the same state for each execution (using Apple VMs freshly deployed from the same golden image each time). What I mean is that if it was a keychain issue, it should have happened every time instead of just some random times.
As you could check on mi first comment (#20960 (comment)) the issue looks different.
Same for me: random errors when downloading WWDR certs, but I don't believe it's an Apple issue. I have another CI server with another version of fastlane and the errors there are way less frequent (or almost nonexistent).
Fortunately I have debug enabled.
The most common error message I get is the following one:
curl: (92) HTTP/2 stream 1 was not closed cleanly before end of the underlying stream
However, sometimes I get the following one:
Installing WWDR Cert: curl -f -o /var/folders/gh/5h9l2j0n4klg38n4bhn256yc0333gm/T/AppleWWDRCAG3.cer20230109-941-zd7vp7 https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer && security import /var/folders/gh/5h9l2j0n4klg38n4bhn256yc0333gm/T/AppleWWDRCAG3.cer20230109-941-zd7vp7 -k /Users/myuser/Library/Keychains/login.keychain-db INFO [2023-01-09 18:28:34.08]: ▸ 100 1109 100 1109 0 0 7648 0 --:--:-- --:--:-- --:--:-- 7809 INFO [2023-01-09 18:28:34.08]: ▸ security: SecKeychainItemImport: Unknown format in import.
Note the first assumption was wrong because the new Fastlane version just showed a problem that was already happening but not properly addressed (something I've discovered later across this issue). Also, the other CI server is not ephemeral and it has the certs installed in the keychain, so it's not a good example to compare.
from fastlane.
We still see this happening in the https://github.com/getsentry/sentry-cocoa repo: Could not install WWDR certificate
Rerunning the GH action solves the problem. We didn't see this error when using Fastlane 2.210.1
.
from fastlane.
I think the root cause of this issue is that fastlane is looking for the certificate in the Login Keychain and the cert is installed in the System Keychain
Failing
security find-certificate -a -c 'Apple Worldwide Developer Relations' -p /Users/vagrant/Library/Keychains/login.keychain-db
Working
security find-certificate -a -c 'Apple Worldwide Developer Relations'
When fastlane fails to find the cert it downloads it from Apple which intermittently fails
Same for us using it on CircleCI
. The cert is stored in the system
keychain.
from fastlane.
Is there any update on this?! not fixed yet.
from fastlane.
We're also seeing this issue intermittently, why is the issue closed?
from fastlane.
@joshdholtz can the ticket be opened again? Or does it have to be a new issue?
Since many are reporting downgrading to 2.210.1
fixes the issue it might be interesting what changed since then.
from fastlane.
Hello ! I opened this issue 3 months ago and I noticed it is closed but people are still facing the issue intermittently.
Do you have any updates about it?
from fastlane.
Just got this error today.
from fastlane.
same
from fastlane.
The same error with 2.212.2 while using GitHub Actions.
same here
from fastlane.
bitrise, same issue
from fastlane.
Getting this issue too on 2.211.0.
from fastlane.
Just got this for the first time today. CircleCI, Match 2.211.0.
from fastlane.
We have solved it by manually importing Apple WWDR certificate during the build in the Fastline config.
from fastlane.
We have solved it by manually importing Apple WWDR certificate during the build in the Fastline config.
how do you do this? @biodranik
from fastlane.
@henderson2350 see this comment above for one possible way to do it: #20960 (comment)
from fastlane.
We are using Fastlane 2.210.1 and XCODE 14.1 but the error randomly occurs
from fastlane.
Even with one of the suggested workarounds (installing the G3 certificate manually) + the retry environment variable, we're still getting "Could not install WWDR certificate" occasionally, when Fastlane tries to download the remaining ones:
A failure example from a Bitrise job:
$ security default-keychain -d user
▸ "/Users/vagrant/Library/Keychains/login.keychain-db"
Installing WWDR Cert: curl --http1.1 --retry 3 --retry-all-errors -f -o /var/folders/69/qgnyrbkx23dbp0p6p_b6bc9m0000gn/T/AppleWWDRCAG2.cer20230705-26839-qa9p96 https://www.apple.com/certificateauthority/AppleWWDRCAG2.cer && security import /var/folders/69/qgnyrbkx23dbp0p6p_b6bc9m0000gn/T/AppleWWDRCAG2.cer20230705-26839-qa9p96 -k /Users/vagrant/Library/Keychains/login.keychain-db
▸ 1 certificate imported.
▸ 100 763 100 763 0 0 13287 0 --:--:-- --:--:-- --:--:-- 13625
$ security default-keychain -d user
▸ "/Users/vagrant/Library/Keychains/login.keychain-db"
Installing WWDR Cert: curl --http1.1 --retry 3 --retry-all-errors -f -o /var/folders/69/qgnyrbkx23dbp0p6p_b6bc9m0000gn/T/AppleWWDRCAG4.cer20230705-26839-55p8ad https://www.apple.com/certificateauthority/AppleWWDRCAG4.cer && security import /var/folders/69/qgnyrbkx23dbp0p6p_b6bc9m0000gn/T/AppleWWDRCAG4.cer20230705-26839-55p8ad -k /Users/vagrant/Library/Keychains/login.keychain-db
▸ 100 1113 100 1113 0 0 23626 0 --:--:-- --:--:-- --:--:-- 24733
▸ security: SecKeychainItemImport: Unknown format in import.
Failed to install WWDR Certificate, checking output to see why
from fastlane.
why was this issue closed? Apparently, it's still a problem. Or can anyone confirm it's resolved in the latest fastlane release?
from fastlane.
@Legoless which of the many workarounds do you mean and how do they work on a CI? Should we download and install them on every build via fastlane or download them on our machine and upload them to the CI which installs them on launch (my example is bitrise). I don't know which keychain certificates are installed into by default.
from fastlane.
Thanks for the input. I tried a manual script that downloads the certs and installs them in the keychain. Will have to find out if it works for the next build. Otherwise, I'll try your solution in fastlane directly
from fastlane.
@Legoless which of the many workarounds do you mean and how do they work on a CI? Should we download and install them on every build via fastlane or download them on our machine and upload them to the CI which installs them on launch (my example is bitrise). I don't know which keychain certificates are installed into by default.
@fruitcoder We install the certificates ourselves before in addition to our distribution certificate that we use to sign the app on CI. Similar procedure to:
import_certificate(
certificate_path: 'fastlane/certificates/AppleWWDRCAG3.cer',
keychain_name: ENV['MATCH_KEYCHAIN_NAME'],
keychain_password: ENV['MATCH_KEYCHAIN_PASSWORD']
)
from fastlane.
@biodranik I followed your example code, but on the step to import each certificate I'm getting the error
----------------------------------------
--- Step: Switch to ios prepare lane ---
----------------------------------------
Cruising over to lane 'ios prepare' 🚖
--------------------------------
--- Step: import_certificate ---
--------------------------------
Setting key partition list... (this can take a minute if there are a lot of keys installed)
security: SecItemCopyMatching: The specified item could not be found in the keychain.
--------------------------------
And I don't know what I'm doing wrong, I tried 2 options:
- Manually download the
.cer
files and them to the path. - Downloaded the certificates in a previous step of my GitHub action, and install them on the Keychain.
And with both options, I'm getting the same error. How did you achieve to import them into the lane?
from fastlane.
encountered the same error in Github Actions using 2.214.0. downgrading to 2.213.0 fixed it for me, but given everyone else in this thread, I expect it will fail intermittently.
I'll probably resort to the mentioned workaround if I face any more issues.
@joshdholtz please take another look beyond adding retries.
from fastlane.
Same problem, downgrading fastlane was unsuccessful
from fastlane.
I still has this issue when using a non-default keychain, so I opened #21578 which fixes it in our CI
from fastlane.
Related Issues (20)
- Failing run via Bundler: `ensure in take_off': uninitialized constant FastlaneCore::UpdateChecker (NameError) HOT 5
- [Regression] uninitialized constant Fastlane::OpenStruct (NameError) with release 2.220.0 HOT 9
- [match] undefined local variable or method `profile` when running match with `output_path` HOT 5
- Fastlane is not reading macros from Package.Swift (SPM)
- fastlane sigh download_all and "Error parsing provisioning profile at path..."
- fastlane match HOT 4
- bundler: command not found: fastlane
- Individual API Key not supported HOT 3
- fastlane deliver init is not working in CLI
- JEG2/highline should be updated to avoid warning of abbrev missing in standard lib for ruby 3.3.0
- How to get raw exit code from Fastlane HOT 1
- Match import to s3 Crash on encrypting. HOT 2
- Provisioning profile expiration comparison compares Time and DateTime
- AvailableTerritories is deprecated and fastlane is not upgraded to new api endpoints HOT 2
- Match managing provisioning profiles for DriverKit
- curb-1.0.0/lib/curl/easy.rb - Failed to read/open file
- `match` behaves differently in v2.220.0: `wrong final block length` HOT 10
- Can't upload build to Test Flight; [!] undefined method `refresh!' HOT 1
- A parameter has an invalid value - 'prices' is not a valid relationship name HOT 6
- I run the command 'fastlane match development'. and i got the following error: Looking for related GitHub issues on fastlane/fastlane... Found no similar issues. To create a new issue, please visit: https://github.com/fastlane/fastlane/issues/new Run fastlane env to append the fastlane environment to your issue [!] The request could not be completed because: This request is forbidden for security reasons - You currently don't have access to this membership resource. Contact your team's Account Holder, or an Admin.
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from fastlane.