Admin role in the Developer Portal not enough to do automatic provisioning on Apple Developer Program #145

Open
jandigital opened this issue Jan 13, 2022 · 7 comments

@jandigital

jandigital commented Jan 13, 2022

Problem

We are trying to build the automation pipeline for iOS on an organisation Apple account.
So there are different roles for the different users, and we are using the Admin role.
Following the steps you describe in your post "Managing iOS code signing files - automatic provisioning", we see that you specify the need for at least an Admin role, which is not correct.

An Admin has permissions to Digitally sign with Apple Distribution certificate, and only an Account Owner has permissions to Digitally sign with Developer ID certificate.

And the Codesigndoc that you use tries to digitally sign with Developer ID certificate, which is not allowed for the Admin role - as you can see at the very bottom of the xcode-output.log file.

Solution

Make your Codesigndoc only do Distribution, or at least do it as an option for non-Account Holder roles (Admin, App Managers, Developers).

@ofalvai
Contributor

ofalvai commented Jan 17, 2022

Hello @jandigital 👋

I'm not sure that the root cause is the account permission. First, the logs show that the archive failed because of a custom shell script:

Looking at the attached logs, this part offers a bit more detail about the failure: https://gist.github.com/jandigital/e23f6d0276c52ebea4a1e2d33e4ad888#file-xcode-output-log-L150

The codesigndoc tool assumes that your local environment is set up and you can export an IPA in Xcode, so I would try to debug that first.

Second, the permission Digitally sign with Developer ID certificate is a bit confusing, but it's not the regular Development type certificate signing you think it is. It's for distributing a macOS app outside of the Mac App Store:

According to Apple's own permission matrix, the Admin role should be able to create and list development certificates (except for Developer ID certificates).

I hope this helps, let us know if you have further questions.

@jandigital
Author

Hello @ofalvai
Sorry I didn't clarify that, but basically my local environment is set up and I can export an IPA in Xcode.

Then regarding the certificates, I tried them all. They all work locally, and I'm able to use that IPA on different devices, and I'm also able to push to the play store via Xcode.

Then regarding the line you point out, that's not an issue locally. But let's assume that's an issue on Bitrise, why would the script keep on going for a long while without erroring out there and then? It might be a silly question, but I see 1691 more lines after that one.

@ofalvai
Contributor

ofalvai commented Jan 17, 2022

There are two instances of this "No such file or directory" in the logs. I linked to the first occurrence, which was part of the clean action, but there is another error towards the end of the file in the archive action (note that codesigndoc executes "xcodebuild ... clean archive ..." as shown at the beginning of the log file).

@jandigital
Author

jandigital commented Jan 20, 2022

@ofalvai thanks for your advice, you were right: even though the clean step wouldn't impede us from building an IPA and submitting it to the store, it was failing. Fixing that fail got us sorted.

@jandigital
Author

@ofalvai sorry to reopen again. After we made that script work, Bitrise now would not build due to the error I described to you earlier. Only Account Holders have the right to full API access. I'm an admin and I still get this,

which means that the iOS build doesn't go through on Bitrise.

@bilaldurnagolmomentup

I have the same error. There are 10 environments in the application. I have successfully signed 8 of them, but 2 of them give the same error as the top one.
