match behaves differently in v2.220.0: wrong final block length #21973

Open
4 tasks done
setoelkahfi opened this issue Apr 15, 2024 · 22 comments

@setoelkahfi

setoelkahfi commented Apr 15, 2024

New Regression Checklist

Regression Information

  • Breaking version: 2.220.0
  • Last working version: 2.219.0

Regression Description

We have a new colleague who accidentally updated his Fastlane version to 2.220.0 and ran our match action, breaking all our workflows that need the certificates. We fixed the issue by bumping our Fastlane to match the one used to update our certificates. Shouldn't this be marked as a breaking change?

Probably related:

[12:35:34]: Cloning remote git repo...
[12:35:34]: If cloning the repo takes too long, you can use the `clone_branch_directly` option in match.
[12:35:36]: Checking out branch master...
[12:35:36]: wrong final block length
[12:35:36]: Couldn't decrypt the repo, please make sure you enter the right password!
+---------------------------------------------------------------------------------+
|                                  Lane Context                                   |
+---------------------------+-----------------------------------------------------+
| DEFAULT_PLATFORM          | ios                                                 |
| PLATFORM_NAME             |                                                     |
| LANE_NAME                 | signing_install_certificates                        |
| KEYCHAIN_PATH             | ~/Library/Keychains/fastlane_tmp_keychain           |
| ORIGINAL_DEFAULT_KEYCHAIN | "/Users/runner/Library/Keychains/login.keychain-db" |
+---------------------------+-----------------------------------------------------+
[12:35:37]: Invalid password passed via 'MATCH_PASSWORD'

+------+----------------------------+-------------+
|                fastlane summary                 |
+------+----------------------------+-------------+
| Step | Action                     | Time (in s) |
+------+----------------------------+-------------+
| 1    | Verifying fastlane version | 0           |
| 2    | default_platform           | 0           |
| 3    | bundle_install             | 0           |
| 4    | ensure_xcode_version       | 3           |
| 5    | Verifying Ruby version     | 0           |
| 6    | ruby --version             | 0           |
| 7    | setup_ci                   | 0           |
| 8    | app_store_connect_api_key  | 0           |
| 💥   | match                      | 2           |
+------+----------------------------+-------------+

Environment

✅ fastlane environment ✅

Stack

| Key | Value |
| --- | --- |
| OS | 14.3 |
| Ruby | 3.2.2 |
| Bundler? | true |
| Git | git version 2.39.3 (Apple Git-146) |
| Installation Source | ~/.rbenv/versions/3.2.2/bin/fastlane |
| Host | macOS 14.3 (23D56) |
| Ruby Lib Dir | ~/.rbenv/versions/3.2.2/lib |
| OpenSSL Version | OpenSSL 1.1.1w 11 Sep 2023 |
| Is contained | false |
| Is homebrew | false |
| Is installed via Fabric.app | false |
| Xcode Path | /Applications/Xcode-15.3.0.app/Contents/Developer/ |
| Xcode Version | 15.3 |
| Swift Version | 5.10 |

System Locale

| Variable | Value |
| --- | --- |
| LANG | en_US.UTF-8 |
| LC_ALL | en_US.UTF-8 |
| LANGUAGE | |

fastlane files:

`./fastlane/Fastfile`
# Customise this file, documentation can be found here:
# https://github.com/fastlane/fastlane/tree/master/docs
# All available actions: https://docs.fastlane.tools/actions/
# can also be listed using the `fastlane actions` command

fastlane_version '1.80.0'
default_platform :ios

import 'fastfiles/Helper'
import 'fastfiles/Code'
import 'fastfiles/Metadata'
import 'fastfiles/Repo'
import 'fastfiles/Setup'
import 'fastfiles/Signing'
import 'fastfiles/Tests'
import 'fastfiles/Release'
import 'fastfiles/Source-control'
import 'fastfiles/Code-freeze'

before_all do |lane, options|
  next unless options[:skip_preflight].nil?

  # Install gems
  bundle_install

  accepted_xcode_version = '15.3'
  target_ruby_version = '3.2.2'

  # Ensure we're using the correct Xcode version
  ensure_xcode_version(
    version: accepted_xcode_version,
    strict: false
  )

  ruby_version(target_ruby_version)

  sh('ruby --version')
end

No Appfile found

fastlane gems

| Gem | Version | Update-Status |
| --- | --- | --- |
| fastlane | 2.220.0 | ✅ Up-To-Date |

Loaded fastlane plugins:

| Plugin | Version | Update-Status |
| --- | --- | --- |
| fastlane-plugin-xcov_report | 1.1.3 | ✅ Up-To-Date |
| fastlane-plugin-sentry | 1.22.0 | ✅ Up-To-Date |

Loaded gems

Gem Version
error_highlight 0.5.1
did_you_mean 1.6.3
syntax_suggest 1.0.2
bundler 2.4.20
pathname 0.2.1
rake 13.2.1
base64 0.1.1
nkf 0.2.0
rexml 3.2.6
CFPropertyList 3.0.7
concurrent-ruby 1.2.2
i18n 1.13.0
minitest 5.18.0
tzinfo 2.0.6
activesupport 7.0.8
public_suffix 4.0.7
addressable 2.8.6
httpclient 2.8.3
json 2.7.2
algoliasearch 1.27.5
artifactory 3.0.17
ast 2.4.2
atomos 0.1.3
aws-eventstream 1.3.0
aws-partitions 1.913.0
aws-sigv4 1.8.0
jmespath 1.6.2
aws-sdk-core 3.191.6
aws-sdk-kms 1.79.0
aws-sdk-s3 1.146.1
babosa 1.0.4
claide 1.0.3
fuzzy_match 2.0.4
nap 1.1.0
netrc 0.11.0
ffi 1.15.5
ethon 0.16.0
typhoeus 1.4.0
cocoapods-core 1.12.1
cocoapods-deintegrate 1.0.5
cocoapods-downloader 1.6.3
cocoapods-plugins 1.0.0
cocoapods-search 1.0.1
cocoapods-trunk 1.6.0
cocoapods-try 1.2.0
colored2 3.1.2
escape 0.0.4
fourflusher 2.3.1
gh_inspector 1.1.3
molinillo 0.8.0
ruby-macho 2.5.1
nanaimo 0.3.0
xcodeproj 1.24.0
cocoapods 1.12.1
colored 1.2
highline 2.0.3
commander 4.6.0
declarative 0.0.20
digest-crc 0.6.5
domain_name 0.6.20240107
dotenv 2.8.1
emoji_regex 3.2.3
excon 0.110.0
faraday-em_http 1.0.0
faraday-em_synchrony 1.0.0
faraday-excon 1.1.0
faraday-httpclient 1.0.1
multipart-post 2.4.0
faraday-multipart 1.0.4
faraday-net_http 1.0.1
faraday-net_http_persistent 1.2.0
faraday-patron 1.0.0
faraday-rack 1.0.0
faraday-retry 1.0.3
ruby2_keywords 0.0.5
faraday 1.10.3
http-cookie 1.0.5
faraday-cookie_jar 0.0.7
faraday_middleware 1.2.0
fastimage 2.3.1
jwt 2.8.1
multi_json 1.15.0
os 1.1.4
signet 0.19.0
googleauth 1.8.1
mini_mime 1.1.5
trailblazer-option 0.1.2
uber 0.1.0
representable 3.2.0
retriable 3.1.2
google-apis-core 0.11.3
google-apis-androidpublisher_v3 0.54.0
google-apis-playcustomapp_v1 0.13.0
google-cloud-env 1.6.0
google-apis-iamcredentials_v1 0.17.0
google-apis-storage_v1 0.31.0
google-cloud-errors 1.4.0
google-cloud-core 1.7.0
google-cloud-storage 1.47.0
mini_magick 4.12.0
naturally 2.2.1
optparse 0.5.0
plist 3.7.1
rubyzip 2.3.2
security 0.1.5
simctl 1.6.10
terminal-notifier 2.0.0
unicode-display_width 2.5.0
terminal-table 3.0.2
tty-screen 0.8.2
tty-cursor 0.7.1
tty-spinner 0.9.3
word_wrap 1.0.0
rouge 2.0.7
xcpretty 0.3.0
xcpretty-travis-formatter 1.0.1
fastlane-plugin-sentry 1.22.0
fastlane-plugin-xcov_report 1.1.3
language_server-protocol 3.17.0.3
sawyer 0.8.2
octokit 4.21.0
parallel 1.23.0
racc 1.7.1
parser 3.2.2.4
rainbow 3.1.1
regexp_parser 2.8.1
rubocop-ast 1.29.0
ruby-progressbar 1.13.0
rubocop 1.56.4
xcode-install 2.7.0

generated on: 2024-04-16

@danielmayor

We're facing the same issue on another project

@andre-alves

+1

@setoelkahfi setoelkahfi changed the title match behaves differently in v2.220.0 match behaves differently in v2.220.0: wrong final block length Apr 16, 2024
@bartlomiejswierad-vodeno

+1

@okankocyigit

okankocyigit commented Apr 17, 2024

+1

We have the same problem.

@colejd

colejd commented Apr 17, 2024

This happens for me when I use 220 to write with Match. Rolling back to 219 and regenerating isn't enough, as that has the same issue - I need to roll the signing repo back to a known good state too.

@alpha-moisol

+1

@StephenMcMillan

+1

@Brahma-Github

+1

@sweepty

sweepty commented Apr 18, 2024

I solved the issue.

  1. Downgrade fastlane version to 2.219.0
  2. Go to your match git repository and revert the commit created by fastlane 2.22.0
  3. Run fastlane and check it is working.

@kahest

kahest commented Apr 19, 2024

Same thing happened for us. Pretty sure this isn't intentional, maybe related to #21790?

@bitwolfe

Just ran into this same issue. Had previously updated a project to 2.220.0 without issue and imported a new match certificate for an AppStore build. But now when I tried to build another project, I got this error. I tried updating to 2.220.0 which got rid of that error, but now it incorrectly selects the wrong certificate! It always chooses the AppStore certificate for the first project even if I re-imported the certificate for this project (Adhoc).

I had to roll back the match git repo to before any commits made by 2.220.0 and roll the project back to 2.219.0 for it to work properly again.

Seems match in 2.220.0 is completely broken.

@stodirascu

I have the same issue as above. If locally somebody is encrypting a profile or a certificate using 2.220, and the CI is decrypting it with 2.219, it will fail. So it's on a file-by-file basis.

This must be mentioned as a breaking change in the release notes at least.

@markst

markst commented May 3, 2024

Does match process all provisioning profiles in a remote match repo? Seems odd that only a couple of our provisioning profiles have been replaced but causes this issue for apps which haven't had an updated profile

@stodirascu

Also noticed that. The process of decryption could benefit from an optimisation

@okankocyigit

Rolling back to latest 2.219 commit solves the problem but what is correct way to use fastlane 2.220?

@Brahma-Github

Brahma-Github commented May 6, 2024

Until 2.219.0 version, fastlane was using 'aes-256-cbc' algorithm to encrypt / decrypt files and repo. From 2.220.0 fastlane started using 'aes-256-gcm' algorithm. (repo encrypted with 2.220.0 version, can't be decrypted with 2.219.0. So everyone in the team and dependent system needs to move to 2.220.0).

In 2.220.0 fastlane provided a companion script named 'match_file' for manual encryption and decryption. If you installed fastlane using homebrew, 'match_file' has issues with execution as it is not finding dependent gems properly. But if you install fastlane using ruby gem, the 'match_file' script works fine.

macOS has a system default ruby (2.* version). Make sure you are not using the system default old ruby version and install the latest ruby version separately using homebrew / rbenv and set path like below.

brew install ruby

if [ -d "/opt/homebrew/opt/ruby/bin" ]; then
  export PATH=/opt/homebrew/opt/ruby/bin:$PATH
  export PATH=`gem environment gemdir`/bin:$PATH
fi

gem install fastlane

and now you can encrypt/decrypt files manually using match_file script.

match_file encrypt "<fileYouWantToEncryptPath>" ["<encryptedFilePath>"]

match_file decrypt "<fileYouWantToDecryptPath>" ["<decryptedFilePath>"]
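
Added example (not part of the thread and not fastlane's code): the Ruby sketch below writes the same bytes with AES-256-CBC and with AES-256-GCM and reads each result back with both modes, which shows why the mismatch described above breaks on a file-by-file basis. The password, salt, PBKDF2 key derivation, blob layout and the names `write_as`, `read_as` and `compat_matrix` are assumptions for illustration; match's real file format is not reproduced.

```ruby
require "openssl"

# Constructed sample input standing in for a signing file. 27 bytes on purpose:
# not a multiple of the 16-byte AES block size.
SAMPLE = "constructed signing profile".b
# Hypothetical password and salt; PBKDF2 is used here only to get a 32-byte key.
KEY = OpenSSL::PKCS5.pbkdf2_hmac("example-password", "constructed-salt",
                                 10_000, 32, OpenSSL::Digest.new("SHA256"))

# Writer for either mode. CBC pads to whole blocks; GCM keeps the plaintext
# length and produces a separate 16-byte authentication tag.
def write_as(mode, plaintext, key)
  c = OpenSSL::Cipher.new("aes-256-#{mode}").encrypt
  c.key = key
  blob = { iv: c.random_iv }
  c.auth_data = "" if mode == "gcm"
  blob[:ciphertext] = c.update(plaintext) + c.final
  blob[:tag] = c.auth_tag if mode == "gcm"
  blob
end

# Reader that assumes one mode regardless of how the blob was written.
# Returns [:ok, plaintext] or [:error, message].
def read_as(mode, blob, key)
  c = OpenSSL::Cipher.new("aes-256-#{mode}").decrypt
  c.key = key
  if mode == "gcm"
    c.iv = blob[:iv][0, 12]
    # A GCM reader needs a tag; a CBC blob has none, so its tail is misread as one.
    c.auth_tag = blob[:tag] || blob[:ciphertext][-16, 16]
    c.auth_data = ""
  else
    c.iv = blob[:iv].ljust(16, "\0") # a CBC reader expects a 16-byte IV
  end
  [:ok, c.update(blob[:ciphertext]) + c.final]
rescue OpenSSL::Cipher::CipherError => e
  [:error, e.message]
end

# Every writer/reader pairing, keyed as "writer->reader".
def compat_matrix(plaintext = SAMPLE, key = KEY)
  %w[cbc gcm].product(%w[cbc gcm]).to_h do |writer, reader|
    ["#{writer}->#{reader}", read_as(reader, write_as(writer, plaintext, key), key)]
  end
end

compat_matrix.each { |pair, (status, detail)| puts "#{pair}: #{status} #{detail.inspect}" }
```

The password is correct in all four pairings; only the matched ones decrypt. GCM output is not padded to a whole number of 16-byte blocks, so a CBC reader rejects it at the final block, which is why the failure surfaces as a decryption or password error rather than a version error.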

@Buju77
Contributor

Buju77 commented May 6, 2024

Thx for the info about the updated encryption algorithm. We also faced this issue and had to roll back to 2.219.0 and also roll back our repo commit like @sweepty mentioned above. ✅

But on another side note:

> macOS has a system default ruby (2.* version). Make sure you are not using the system default old ruby version and install the latest ruby version separately using homebrew and set path like below.

I would advise against installing Ruby using Homebrew but instead install Ruby using one of many Ruby version managers out there. It will be a much safer and easier way to maintain your Ruby installations. It will save you a lot of Ruby installation and Gems issues in the long run.

There are multiple version managers for Ruby out there:

  • RBENV (my recommendation, it's super small, lightweight and very fast)
  • RVM (works perfectly, but a bit bloated and slower than RBENV. I used this for a while, but then switched over to RBENV)
  • asdf (this version manager has a bunch of plugins to install and manage a lot of dev tools including Ruby)
  • mise (looks like another new version manager attempt "Version Manager to rule them all"; better, more powerful and faster than ASDF)

@pranjali420

I am also facing the same issue regarding this, if you please help me. I am just from 2 days.
Screenshot 2024-05-07 at 11 08 21 AM

@setoelkahfi
Author

> Rolling back to latest 2.219 commit solves the problem but what is correct way to use fastlane 2.220?

The fix is to use the same version on CI, local development, and everywhere else in the team. It's better to use the 2.220.

@cruinh

cruinh commented May 10, 2024

Is there a good place to watch for known(?) breaking changes like this? At least for me, it really was not obvious that my builds started failing just due to the fastlane update.

@iBotPeaches

I don't fully understand the scope yet to the point if I fully understand this, but I thought updating all ci machines, project gemlock files, etc to latest fastlane would solve it - it did for most.

However, some projects still failed despite being on latest. I attributed this to the encrypted blobs in match encrypted in the older method. I found running fastlane match change_password and just giving it the same password upgraded my encryption format to the new standard used in v220 and fixed those build pipelines.

That of course hard-broke projects (since a shared match repo) that were not yet on v220. However - since this appears the way forward - I guess that was my best option. All projects seem to be green now, but this was for sure the most confusing complex build failures that were difficult to track down.

Some errors I got between builds for context.

  • [11:42:32]: couldn't set additional authenticated data
  • [14:21:12]: wrong final block length

@setoelkahfi
Author

setoelkahfi commented May 11, 2024

> I don't fully understand the scope yet to the point if I fully understand this, but I thought updating all ci machines, project gemlock files, etc to latest fastlane would solve it - it did for most.
>
> However, some projects still failed despite being on latest. I attributed this to the encrypted blobs in match encrypted in the older method. I found running fastlane match change_password and just giving it the same password upgraded my encryption format to the new standard used in v220 and fixed those build pipelines.
>
> That of course hard-broke projects (since a shared match repo) that were not yet on v220. However - since this appears the way forward - I guess that was my best option. All projects seem to be green now, but this was for sure the most confusing complex build failures that were difficult to track down.
>
> Some errors I got between builds for context.
>
>   • [11:42:32]: couldn't set additional authenticated data
>   • [14:21:12]: wrong final block length

TLDR; Try to reproduce the error locally.

For me, it's quite obvious. We have a lane for setting up a new local development for a new joiner, including setting up the certificates, adding a new testing device, etc. After someone pushed to the keychain repo with the fastlane v220 because somehow he couldn't set up the local with the v219, which was our current version, I could reproduce the error locally. So I just bumped the fastlane version to match the one he used, and it worked.

Then, I locked down the fastlane version in the Gemfile to avoid having different versions between different development environments.
