-allowProvisioningUpdates doesn't work

Question

We are using Jenkins for Continiuous Integration. Everything we need to do in order to compile our app is done via commandline (bash script), because we have several machines where the build has be done without any human access to the devices.

As you can imagine I was very happy to see the new xcodebuild feature flag -allowProvisioningUpdates in XCode9.

I understand, that I need to add the credentials of our Apple ID into the XCode settings.

The credentials are adde to the XCode account tab in Preferences, but when I try to compile using "xcodebuild ... -allowProvisioningUpdates" the following error message appears:

 2017-09-19 09:47:59.692 xcodebuild[74979:3824315]  DVTAssertions: Warning in /Library/Caches/com.apple.xbs/Sources/DVTFrameworks/DVTFrameworks-13231/DVTFoundation/Portal/DVTDeveloperAccountCredentialsManager.m:38  
Details:  Unable to find default keychain.  
Object:   <DVTDeveloperAccountCredentialsManager>  
Method:   +defaultAccountCredentialsManager  
Thread:   <NSThread: 0x7fe17860aa40>{number = 4, name = (null)}  
Please file a bug at http:/  
2017-09-19 09:47:59.792 xcodebuild[74979:3824308] [MT] IDEDistribution: Step failed: <IDEDistributionSigningAssetsStep: 0x7fe17d45cf20>: Error Domain=IDEDistributionSigningAssetStepErrorDomain Code=0 "Locating signing assets failed." UserInfo={NSLocalizedDescription=Locating signing assets failed., IDEDistributionSigningAssetStepUnderlyingErrors=(  
    "Error Domain=DVTServicesSessionErrorDomain Code=0 \"Unable to log in with account 'xxx@yyy.com'.\" UserInfo={NSLocalizedFailureReason=Unable to log in with account 'xxx@yyy.com'., NSLocalizedRecoverySuggestion=The login details for account 'xxx@yyy.com' were rejected., DVTDeveloperAccountErrorAccount=<DVTAppleIDBasedDeveloperAccount 0x7fe179b016c0: username: xxx@yyy.com>, NSUnderlyingError=0x7fe179e8ee60 {Error Domain=DVTDeveloperAccountErrorDomain Code=4 \"xxx@yyy.com could not sign in.\" UserInfo={NSLocalizedRecoverySuggestion=Cannot sign in to this account. Try signing into it again in the Accounts preference pane., NSLocalizedDescription=xxx@yyy.com could not sign in., DVTDeveloperAccountErrorAccount=<DVTAppleIDBasedDeveloperAccount 0x7fe179b016c0: username: xxx@yyy.com>}}}",  
    "Error Domain=IDEProfileLocatorErrorDomain Code=1 \"No profiles for 'com.yyy.CITestProject' were found\" UserInfo={NSLocalizedDescription=No profiles for 'com.yyy.CITestProject' were found, NSLocalizedRecoverySuggestion=Xcode couldn't find any iOS App Store provisioning profiles matching 'com.yyy.CITestProject'.}"  
)}  
error: exportArchive: The operation couldn’t be completed. Unable to log in with account 'xxx@yyy.com'.

Does someone know how to fix this problem?

update: We use this plugin to start ssh sessions to our Jenkins slaves in order to do the buildjob: https://wiki.jenkins.io/display/JENKINS/SSH+Slaves+plugin

Answer 1

I have the same problem. I reported the bug to Apple, to no avail. To move forward with Xcode 9, I switched to manual signing for Jenkins only. (Developers still use automatic signing.)

/usr/bin/xcodebuild -exportArchive \
    DEVELOPMENT_TEAM=*your-dev-team-id* \
    CODE_SIGN_STYLE=Manual \
    CODE_SIGN_IDENTITY="iPhone Distribution: *your cert*" \
    PROVISION_PROFILE="*your*.mobileprovision" \
    *rest of your parameters*

Answer 2

I've fixed this. The problem was that I specified the team using team_id Fastlane command. You should use enable_automatic_code_signing instead. Also, configuration was not specified. Now I have this script:

    enable_automatic_code_signing(
        team_id: <YOUR_TEAM_ID_REQUIRED_HERE>,
    )
    gym(
        scheme: <YOUR_SCHEME_REQUIRED HERE>,
        configuration: <YOUR_CONFIGURATION_REQUIRED HERE>,
        export_method: "development",
        xcargs: "-allowProvisioningUpdates",
    )

Also, I'v found this page. I've tried it at the same time with changes above, so I don't know what helped me. But I've reverted the change from the page and it still works. So I assume the problem was with team_id and configuration.

Answer 3

This -allowProvisioningUpdates worked for me in Xcode 9 final release.

Verify You Can Build an auto-signing Xcode Project Using Xcode IDE

• 1) Open an Xcode project configured for automatically sign
  • Select target from Targets > General > Signing
  • [x] Automatically manage signing
  • Enter your team account credentials
• 2) Build the project and verify build succeeds

Close Xcode and Build project using xcodebuild with options -allowProvisioningUpdates

• 1) Add option "xcodebuild ... -allowProvisioningUpdates
• 2) When prompted, "xcode wants to access key "xcode apple id access" in your keychain"
  • Enter credentials and press button Always Allow

Now Jenkins command line builds should work.

Answer 4

Did you try using the CODE_SIGNING_ALLOWED=NO? We also struggled for days looking for a solution to build an app for E2E tests without development client and this worked for us.

So the full command would look like this:

xcodebuild build-for-testing -workspace Test.xcworkspace -scheme Test -destination generic/platform=iOS -allowProvisioningUpdates CODE_SIGNING_ALLOWED=NO

Of course it is not a publishable version.

Answer 5

I used to have the same issue after recent update from XCode 7.x to 9.3 version.

The solution for me was an parameter -allowProvisioningDeviceRegistration in addition to -allowProvisioningUpdates for xcodebuilder:

/usr/bin/xcodebuild -exportArchive \
-allowProvisioningUpdates -allowProvisioningDeviceRegistration \
...

Works perfectly with Jenkins.

Answer 6

This looks like an old issue. But I got here today because I ran into the same problem. I could not run the flutter app on the simulator due to "allowProvisioningUpdates doesn't work."

Anyways, I finally solve this issue by opening the flutter app on Xcode. Then updating my account preference on Xcode. It looks like you have to manually log into the Apple ID account from time to time.

Thanks,

Answer 7

When you're dealing with Xcode errors over SSH, it's usually best to try out the same commands using the GUI. It will often show you which keychain entries it's trying to access.

In my case, it prompted me to allow xcodebuild access to Xcode-AlternateDSID and Xcode-Token in my keychain. I granted it access with "Always Allow". You could also edit those entries in Keychain Access and allow all applications to access them, if you're not too worried about security.

I was already running security unlock-keychain -p mypassword /Users/myuser/Library/Keychains/login.keychain-db before running xcodebuild, so that's probably also necessary.

After doing that, the export worked.

Answer 8

Xcode saves the credentials in the default keychain. In order for it to access it over ssh, you first need to unlock that keychain:

/usr/bin/security unlock-keychain /Users/xxx/Library/Keychains/login.keychain-db

When using jenkins, you need to unlock the keychain either inside your build jobs or when starting the agent. You could for example add it to /Library/Application Support/Jenkins/jenkins-slave-runner.sh.

The answer from "Ed of the Montain" only works, because xcodebuild checks the /Library/MobileDevice/ProvisioningProfiles (and other) directories for valid profiles, if it finds one, then the -allowProvisioningUpdates option simply uses this profile and doesn't need the login.