New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
match
behaves differently in v2.220.0: wrong final block length
#21973
Comments
We're facing the same issue on another project |
+1 |
match
behaves differently in v2.220.0match
behaves differently in v2.220.0: wrong final block length
+1 |
+1 We have the same problem. |
This happens for me when I use 220 to write with Match. Rolling back to 219 and regenerating isn't enough, as that has the same issue - I need to roll the signing repo back to a known good state too. |
+1 |
2 similar comments
+1 |
+1 |
I sloved the issue.
|
Same thing happened for us. Pretty sure this isn't intentional, maybe related to #21790? |
Just ran into this same issue. Had previously updated a project to 2.220.0 without issue and imported a new match certificate for an AppStore build. But now when I tried to build another project, I got this error. I tried updating to 2.220.0 which got rid of that error, but now it incorrectly selects the wrong certificate! It always choses the AppStore certificate for the first project even if I re-imported the certificate for this project (Adhoc). I had to roll back the match git repo to before any commits made by 2.220.0 and roll the project back to 2.219.0 for it to work properly again. Seems match in 2.220.0 is completely broken. |
I have the same issue as above. If locally somebody is encrypting a profile or a certificate using 2.220, and the CI is decrypting it with 2.219, it will fail. So it's on a file-by-file basis. This must be mentioned as a breaking change in the release notes at least. |
Does match process all provisioning profiles in a remote match repo? Seems odd that only a couple of our provisioning profiles have been replaced but causes this issue for apps which haven't had an updated profile |
Also noticed that. The process of decryption could benefit from an optimisation |
Rolling back to latest 2.219 commit solves the problem but what is correct way to use fastlane 2.220? |
Until 2.219.0 version, fastlane was using 'aes-256-cbc' algorithm to encrypt / decrypt files and repo. From 2.220.0 fastlane started using 'aes-256-gcm' algorithm. (repo encrypted with 2.220.0 version, can't be decrypted with 2.219.0. So everyone in the team and dependent system needs to move to 2.220.0). In 2.220.0 fastlane provided a companion script named 'match_file' for manual encryption and decryption. If you installed fastlane using homebrew, 'match_file' have issues with execution as it is not finding dependent gems properly. But if you install fastlane using ruby gem, 'match_file' script works fine. MacOS have system default ruby (2.* version). Make sure you are not using system default old ruby version and install latest ruby version separately using homebrew / rbenv and set path like below.
and now you can encrypt/decrypt files manually using
|
Thx for the info about the updated encryption algorithm. We also faced this issue and had to rollback to 2.219.0 and also rollback out repo commit like @sweepty mentioned above. ✅ But on another side note:
I would advice against installing Ruby using Homebrew but instead install Ruby using one of many Ruby version managers out there. It will be a much safer and easier way to maintain your Ruby installations. It will safe you a lot of Ruby installation and Gems issues in the long run. There are multiple version managers for Ruby out there:
|
The fix is to use the same version on CI, local development, and everywhere else in the team. It's better to use the 2.220. |
Is there a good place to watch for known(?) breaking changes like this? At least for me, it really was not obvious that my builds started failing just due to the fastlane update. |
I don't fully understand the scope yet to the point if I fully understand this, but I thought updating all ci machines, project gemlock files, etc to latest fastlane would solve it - it did for most. However, some projects still failed despite being on latest. I attributed this to the encrypted blobs in match encrypted in the older method. I found running That of course hard-broke projects (since a shared match repo) that were not yet on v220. However - since this appears the way forward - I guess that was my best option. All projects seem to be green now, but this was for sure the most confusing complex build failures that were difficult to track down. Some errors I got between builds for context.
|
TLDR; Try to reproduce the error locally. For me, it's quite obvious. We have a lane for setting up a new local development for a new joiner, including setting up the certificates, adding a new testing device, etc. After someone pushed to the keychain repo with the Then, I locked down the |
New Regression Checklist
Regression Information
Regression Description
We have a new colleague who accidentally updated his Fastlane version to 2.220.0 and runs our match action, breaking all our workflows that need the certificates. We fixed the issue by bumping our Fastlane to match the one used to update our certificates. Shouldn't this be marked as a breaking change?
Probably related:
Environment
✅ fastlane environment ✅
Stack
System Locale
fastlane files:
`./fastlane/Fastfile`
No Appfile found
fastlane gems
Loaded fastlane plugins:
Loaded gems
generated on: 2024-04-16
The text was updated successfully, but these errors were encountered: