Apple Push Notification key could not be loaded

Hi, I’m getting this response from the Expo notification service for all notifications sent to iOS. This is a managed app and notifications had been working fine for some time already, but now all fail with this error:

{
    "data": {
        "c29fb48e-95ac-42b3-8f47-266adfe49e88": {
            "status": "error",
            "message": "The Apple Push Notification service key for your account could not be loaded, likely due to a malformed p8 file. Expo needs a valid PEM key in order to deliver notifications to APNs.",
            "details": {
                "error": "InvalidCredentials",
                "sentAt": 1593078129
            },
            "__debug": {
                "internalError": "Failed to generate token: error:0909006C:PEM routines:get_name:no start line"
            }
        }
    }
}

Apparently there is a problem with the p8 certificate, so I tried to create a new build with a new certificate and published it in the App Store, but got the same result. The p8 file was downloaded straight from the Apple developer console and the build didn’t complain.
I’ve looked at the expo cli commands, but haven’t found anything related to uploading a new certificate to the expo servers, so I’m kinda out of ideas. Can you help?

This is using SDK37.

Thanks!

Could you or anyone on your team (if you are using teams) have run a build with clear credentials?

If you used a p12 certificate for push notifications, it could have expired and the error message is just confusing. Push certificates are deprecated; we still support them if someone already set them up, but there is no way to add them.

It’s unlikely, but it might be an issue with our cache, so you can try running expo fetch:ios:certs, and if the push key and password look reasonable (something like the example below) you can try to specify them again in the build command expo build:ios --clear-push-key

-----BEGIN PRIVATE KEY-----
MwefwAMBMGByqGSM49weAwCfSwM49AwEHBHkwdwIweQQgJKZmSHV5vPCieqsO
J1twfewfwenWdxkQJ5mgCgYIKoZIzj0DAQehRANCAAREbvN0hePWfrYD
f68RDG70BQR3gtrcfjP4AbzBOD7vwlei3XuVJZtw/cwefwefwe+liV8ck121e
xBzjSz23
-----END PRIVATE KEY-----

If the above doesn’t help, run expo build:ios --clear-push-key and let Expo generate a new push key.

Thanks for your reply, we moved to p8 push keys some time ago.

I ran that command, and it generated 3 files:

myapp.mobileprovision
myapp_apns_key.p8
myapp_dist.p12

The p8 file contains a string of chars that could be an encoded key, but it doesn’t have the PEM header/footer (-----BEGIN PRIVATE KEY-----…-----END PRIVATE KEY----- ), could that be the problem?

It’s hard to say based only on that. I’m not sure if p8 supports other formats, but if it did, I would assume that it would be just raw binary, and based on what you said it’s some sort of alphanumeric/ASCII text.

The easiest fix for you would be to follow my last instruction and generate a new push key with expo build:ios --clear-push-key. There is no way to download a push key from the Apple developer portal.

string of chars that could be an encoded key

Can you try decoding it, e.g. with base64?

Ok, now I see, the downloaded p8 file is the base64 encoded version of the p8 file I have, and it has the PEM envelope mentioned in the first post.

I’m using expo-cli version 3.18.0. Is it possible that there has been a change in the p8 encoding when uploading during build (maybe a mismatch between what the server expects and what the client uploads)?

This is the command I use to build

EXPO_APPLE_PASSWORD=xxxxxxxxxxxx \
EXPO_IOS_DIST_P12_PASSWORD=yyyyyyyyyyy \
expo build:ios \
  --release-channel production \
  --apple-id xxxx@xxxx.com \
  --team-id XXXXXXXXX \
  --no-wait \
  --dist-p12-path …/app-secrets/ios/app-prod-distribution.p12 \
  --push-id ZZZZZZZZ \
  --push-p8-path …/app-secrets/ios/Push20200623.p8 \
  --provisioning-profile-path …/app-secrets/ios/app-STORE.mobileprovision \
  --no-publish

So you specify all the credentials every time you build?

3.18 is a rather old version. I’m not aware of any format change, but there might be some breaking changes.

Providing credentials for every build is very insecure; this command basically disables push notifications for a few seconds every time you run a build. In this case (if something goes wrong), for longer. After specifying those credentials once, everything is already on the Expo server, so you don’t need to specify them again.

I’ll review the entire build process then, thanks so much for your help @wkozyra!
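
An added example, not part of the original thread and not Expo's code: a small check that classifies the text of a .p8 file as a PEM key, a PEM file that was base64-encoded a second time (the case diagnosed in this thread), or a bare base64 body with no BEGIN/END lines, which is the condition OpenSSL reports as "no start line". The function names and sample data are constructed for illustration, and the sample is not a real key.

```python
import base64
import binascii
import re

PEM_RE = re.compile(
    r"-----BEGIN PRIVATE KEY-----\s+([A-Za-z0-9+/=\s]+?)-----END PRIVATE KEY-----"
)

def b64_or_none(text):
    """Strictly decode base64 (whitespace ignored); None if it is not base64."""
    try:
        return base64.b64decode("".join(text.split()), validate=True)
    except (binascii.Error, ValueError):
        return None

def classify_p8(content):
    """Classify the text of a .p8 file by the envelope it carries."""
    match = PEM_RE.search(content)
    if match:
        der = b64_or_none(match.group(1))
        # PKCS#8 DER is an ASN.1 SEQUENCE, so its first byte is 0x30.
        return "pem" if der and der[0] == 0x30 else "pem-bad-body"
    decoded = b64_or_none(content)
    if decoded is None:
        return "unknown"
    # Case from this thread: the whole PEM file was base64-encoded again.
    try:
        inner = decoded.decode("ascii")
    except UnicodeDecodeError:
        inner = ""
    if PEM_RE.search(inner):
        return "base64-wrapped-pem"
    # Key body present but BEGIN/END lines missing: "no start line" for a PEM parser.
    if decoded[:1] == b"\x30":
        return "bare-base64-der"
    return "unknown"

# Constructed sample: DER-like bytes (0x30 SEQUENCE tag plus filler), not a real key.
SAMPLE_BODY = base64.b64encode(b"\x30\x81\x87" + bytes(range(64))).decode()
SAMPLE_PEM = f"-----BEGIN PRIVATE KEY-----\n{SAMPLE_BODY}\n-----END PRIVATE KEY-----\n"
SAMPLE_WRAPPED = base64.b64encode(SAMPLE_PEM.encode()).decode()

if __name__ == "__main__":
    for name, text in [("pem", SAMPLE_PEM), ("wrapped", SAMPLE_WRAPPED),
                       ("bare", SAMPLE_BODY)]:
        print(name, "->", classify_p8(text))
```

Running a check like this on the file passed to --push-p8-path before a build shows whether the key needs one round of base64 decoding to recover its PEM envelope.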