I'm trying to run an app on my iPhone. I started by using "Automatic Signing", but whenever I try to run it I get the following message:
The entitlements specified in your application’s Code Signing
Entitlements file are invalid, not permitted, or do not match those
specified in your provisioning profile. (0xE8008016).
This seems weird, because Xcode should be creating the provisioning profile for me, so I don't know how I could screw up Entitlements, especially when the app doesn't need any.
I read through a couple other threads with the same issue, but none of the answers seemed to solve my problem. I also read an article from Apple about them, so I decided to do it the old fashioned way and manually create a provisioning profile. Inside the profile itself it lists the entitlements attached to that profile. I'm getting the exact same error.
<key>Entitlements</key>
<dict>
<key>keychain-access-groups</key>
<array>
<string>XXXXXXXX.*</string>
</array>
<key>get-task-allow</key>
<true/>
<key>application-identifier</key>
<string>XXXXXXXX.*</string>
<key>com.apple.developer.team-identifier</key>
<string>XXXXXXXX</string>
</dict>
I also looked at the entitlements file within the app, it's just the default with no entitlements.
Has anyone encountered this or have an idea of what might be happening?
Perhaps this can help. My problem was because I recently switched teams, and this file:
/ios/Encargo.xcodeproj/project.pbxproj
had a conflict with different DevelopmentTeam id. I fixed it by updating them manually to the current team. Hope it helps.
Related
First before anyone suggests this has been answered elsewhere on SO, I submit that ALL of those answers assume you are compiling with XCode, which is not the case for me. I am using Adobe Animate to compile an Adobe AIR application and deploy to an iPad.
Updated Adobe air SDK to latest 32.0 and have tried re-creating my certificates and provisioning profile from scratch.
If I try to deploy directly from Adobe AIR I get an error message
"Application verification failed"
If instead I publish an .ipa and try and deploy via XCode I get the following
If I furthermore check entitlements on my app.bundle I see
<plist version="1.0">
<dict>
<key>application-identifier</key>
<string>foo.domain.app</string>
<key>get-task-allow</key>
<true/>
<key>aps-environment</key>
<string>development</string>
</dict>
</plist>
but checking entitlements in my Provisioning profile I see
<key>get-task-allow</key><false/>
Could this be the source of my error? If so, how do I get both these values to be the same?
Any replies welcome as I need to launch this!
Here are a few ideas/things to check.
Check beta reports key is removed from the app descriptor.
When changing iOS certificates, delete the old ones via Keychain Access, then restart the computer before creating the Certificate Signing Request for the new cert.
Check that the new assets.cer has been created for the icons and it has been included in the package.
Check that all icons are present and all casing is correct in the naming on icon files as well as in xml.(e.g. icon and Icon)
Ensure path to SDK is correct. e.g. /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS11.2.sdk
If you still cannot install the app from Animate, try including the beta reports key, publish the app and upload it to TestFlight.
I'm testing my app with TestFlight but I can't upload my archives after updating to MacOS 10.12 and Xcode 8.1.
When I archive my app, click on "Upload to App Store...", select my Development, I get this error.
No matching provisioning profiles found for "Applications/app.app"
None of the valid provisioning profiles allowed the specified entitlements: application-identifier, beta-reports-active, keychain-access-groups.
What I've tried so far:
Reopening Xcode (Many times)
⌘+, > select team > remove every provisioning profile > re-download every provisioning profile (Reopening Xcode after each step)
Re-downloaded and installed my certificates and provisioning profiles
Removing every provisioning profile and building the app
I had this same error when my Xcode wildcard profile expired. Xcode didn't automatically renew it even though everything was set to automatic.
I logged in to the the portal, edited the XC: * profile, hit generate and then downloaded the resulting certificate. All good after that.
On Xcode's Capabilities screen, turning a capability On and then Off will fix the issue.
None of the other answers worked for me.
I had to delete all certificates from KeyChain, and also revoke them in Apple Developer portal. Then manually request a Distribution certificate in KeyChain. Upload it to the Developer portal.
XCode (8.3) must be stopped because it keeps creating certificates as they are being deleted from KeyChain.
Also, KeyChain burped and suddenly had a whole bunch of certificates and keys that it wasn't showing before. I don't know why that happened. Some were expired, which may have been causing the original problem. I deleted them all too.
Finally, XCode was happy to Archive, and Upload to iTunes. Only two hours wasted this time.
Use the automatic option provided in Xcode just add the relevant account team in the Xcode and let Xcode manage the signing process. Then go for Archive and select proper options while making archiving.
I was running into the same issue. As our project was automatically generated by Ionic and had to be build in a CI environment, opening the project and toggle automatic signing wasn't an option. I did a diff of the entitlements file before and after the toggle and found out that the dict value was sorted differently:
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
+ <key>aps-environment</key>
+ <string>production</string>
<key>keychain-access-groups</key>
<array>
<string>$(AppIdentifierPrefix)com.microsoft.adalcache</string>
</array>
- <key>aps-environment</key>
- <string>production</string>
</dict>
</plist>
Even though from my understanding it shouldn't make a difference, the build was successfull after this change.
For everyone running into this in an Ionic project, the solution was to add this key-value pair to the config edit in the config.xml:
<config-file parent="keychain-access-groups" target="*-Release.plist">
<key>aps-environment</key>
<string>production</string>
<array>
<string>$(AppIdentifierPrefix)com.microsoft.adalcache</string>
</array>
</config-file>
Xcode 5 helped in creating plist descriptor for enterprise ipa.
Xcode 6 (6A313) creates ipa only.
Is this a bug or intentional change? If so - what would be the reason for taking a step back?
If I did not have previously generated plist using Xcode 5, I would need to crete it manually myself.
Do you know of any automatic tool which would help in the process?
I'm having the same problem. Needed to put a build out last night. I ended up just reusing an old plist and updating it. Here's a template:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>items</key>
<array>
<dict>
<key>assets</key>
<array>
<dict>
<key>kind</key>
<string>software-package</string>
<key>url</key>
<string>[INSERT URL HERE]</string>
</dict>
</array>
<key>metadata</key>
<dict>
<key>bundle-identifier</key>
<string>[INSERT BUNDLE ID HERE]</string>
<key>bundle-version</key>
<string>[INSERT VERSION HERE]</string>
<key>kind</key>
<string>software</string>
<key>title</key>
<string>[INSERT APP TITLE HERE]</string>
</dict>
</dict>
</array>
</dict>
</plist>
Couldn't find other solution than reusing an old .plist-file --- worked perfectly.
I fixed this issue in following manner(As #pir800 mentioned)-
1) Take plist file of an old project and rename it name should be same as ipa file.
2) Changed values of following keys in plist file - a) url. b) bundle-identifier. c) title.
And then put ipa and plist on server. Remaining things are same like Xcode5.
But it is very bad, apple should inform to developer and mention such type changes in document.
I do not my way is correct or wrong but my Enterprise In-house Distribution build properly downloaded and working. ....:)
I replied same on apple developer also. You can check this thread https://devforums.apple.com/message/1076995#1076995 also
If any one find better solution then please reply.
Thank you...
To extend the accepted answer, you need to be a team member of the 299$ enterprise account. Go to Project Navigator (ProjectName) -> Targets -> General tab and select the account that is assoicated with 299$ enterprise developer account. If you cannot find the account you are looking for, go to XCode -> Preferences -> accounts and check if you are the admin / agent / team member of the said account and then proceed to make the ipa and plist file.
I'm not sure about enterprise deployment, but in XCode 7.0, you can create a manifest.plist while exporting an archive for Ad Hoc deployment...
Select Product > Archive
When the build finishes, select the archive you wish to export and choose "Export..."
Choose "Save for Ad Hoc Deployment"
Select your dev team
Choose the desired option for "Device Support"
On the "Summary" page, check the box beside "Include manifest for over-the-air installation." This will add a manifest.plist to the folder where the .ipa file was saved. - Click "Next"
Insert the correct paths to the .ipa, display image, and full size image and click "Export"
Hope this helps.
I'm experiencing exactly the same thing, having to re-use a plist file generated from Xcode5. Just one other thing to add: The validate button, that we're presented with after archiving, does not validate my App correctly. It gets past "Preparing Archive" but then throws up an error, "No matching provisioning profiles found for Applications/plumbsApp.app" - None of the valid provisioning profiles allowed the specified entitlements: application identifier, beta-reports-active, keychain-access-groups.
Now, dismissing this and continuing with the "Export", creates my .ipa file and my users are able to install correctly, with the correct url, of course. So, not totally sure why this is happening. I had the beta release of Xcode running but used the final release of Xcode6. Perhaps the beta, comment, in red-herring. Has anyone else experienced this, where the validation of the archive fails in this way but the App installs ok?
I'm trying to use Testflight to upload an IPA to my app testers, but it's failing with the following error:
Invalid IPA: The keychain-access-group in in the embedded.mobileprovision and your binary don't match.
I'm confused, because I think my settings are pretty standard and I have another app that I can build and distribute just fine (note: with a second developer account but in the same instance of Xcode).
Here are my settings:
My app id that I created in the Provisioning Portal is com.bubblefoundry.Clear. Naturally it's then prefixed with the numeric identifier Apple assigns.
I created an ad-hoc distribution provisioning profile with the app id and the desired devices. I downloaded it into Xcode.
The product name is Clear in Xcode.
The bundle name under the target's 'Summary' tab is com.bubblefoundry.Clear, where Clear is in light grey and filled-in automatically by Xcode. While I can add text before or after Clear, I can't delete it. The name under the 'Info' tab is com.bubblefoundry.${PRODUCT_NAME:rfc1034identifier}.
In the code signing build settings for both the project and the target, both Debug and Release are set to the iPhone Developer under the Automatic Profile Selector. I thought I might need to set Release to my distribution profile, but I didn't do this in the other, working project.
I can Archive my app just fine. Then in the organizer I can tell it to distribute it for ad-hoc development and then choose to re-sign it with the distribution provisioning profile I created earlier. No errors are reported. Likewise I can connect my iPhone and Run the app on the phone without problems. It only when I try to upload the IPA using Testflight.app that I'm told that the file is invalid.
Because it mentions embedded.mobileprovision, I figured I'd poke into the IPA and examine the file. Here's the relevant data (minus unique info):
<plist version="1.0">
<dict>
<key>AppIDName</key>
<string>Project Clear</string>
<key>ApplicationIdentifierPrefix</key>
<array>
<string>app-id</string>
</array>
<key>CreationDate</key>
<date>2013-01-11T17:44:51Z</date>
<key>DeveloperCertificates</key>
<array>
<data>
my-certificate
</data>
</array>
<key>Entitlements</key>
<dict>
<key>application-identifier</key>
<string>app-id.com.bubblefoundry.Clear</string>
<key>get-task-allow</key>
<false/>
<key>keychain-access-groups</key>
<array>
<string>app-id.*</string>
</array>
</dict>
<key>ExpirationDate</key>
<date>2013-10-07T17:44:51Z</date>
<key>Name</key>
<string>Project Clear Testers</string>
<key>ProvisionedDevices</key>
<array>
<string>device1</string>
<string>device2</string>
<string>device3</string>
<string>device4</string>
<string>device5</string>
</array>
<key>TeamIdentifier</key>
<array>
<string>app-id</string>
</array>
<key>TeamName</key>
<string>Bubble Foundry</string>
<key>TimeToLive</key>
<integer>269</integer>
<key>UUID</key>
<string>uuid</string>
<key>Version</key>
<integer>1</integer>
</dict>
</plist>
Looking at this, just about everything looks consistent with what I've set earlier. The only thought is that the AppIDName is Project Clear, not Clear. Is this the source of the problem? Or maybe keychain-access-groups should be app-id.com.bubblefoundry.Clear, not app-id.*?
In this case your app id should be com.bubblefoundry.Clear.
If you created your provisioning profile like:
com.bubblefoundry.*
You can use this provisioning profile with various Id's like.
com.bubblefoundry.Clear
com.bubblefoundry.my
com.bubblefoundry.Clear.newApp
com.bubblefoundry.testApp
com.bubblefoundry.yoyo
You can change the app Id in indo.plist
replace com.bubblefoundry.${PRODUCT_NAME:rfc1034identifier}. with required Id like: com.bubblefoundry.myTestApp.
I created an iOS app and want to distribute it Over-The-Air. I followed this guide:
http://help.apple.com/iosdeployment-apps/mac/1.1/?lang=en-us#app43ad77ea
The App is signed with the enterprise certificate and contains the distribution provisioning profile.
When I try to download the App onto the ipad (using the technique described in this guide), a square icon with my download icon appears on the screen with the name "Waiting...", then a second later the name changes to my actual application name and then again a second later i receive the error message:
Unable to Download Application
"Your Application" could not be downloaded at this time.
in the guide, there are three troubleshooting tips:
if wireless app distribution fails with an “unable to download”
message, check the following:
Make sure the app is signed correctly. Test it by installing it on a
device using iPhone Configuration Utility or Apple Configurator, and
see if any errors occur.
Make sure the link to the manifest file is correct and the manifest
file is accessible to web users.
Make sure the URL to the .ipa file (in the manifest file) is correct
and the .ipa file is accessible to web users.
I checked all three things and they are fine.
What else could cause my download problems?
As alexey mentioned, too many reasons can cause that message. Apple use it as a "catch all errors".
You can diagnose it through the Console. Connect the device to your desktop and access it either from XCode's Organizer (mac only) or iPhone Configuration Utility (mac and windows). But...
It just ain't that simple! :-(
Console may be far from enough. Sometimes there is no relevant message there.
Then, the last resort is following a checklist. Doing all over from zero again. There are many out there... But following there's my generic and non-detailed checklist for Over The Air distribution, at the moment.
Have a Distribution build - This is the most complicated part, done always on the web, and Apple changes the steps all the time. In general, you need a certificate, an identifier and the provisioning profile. Listing devices is almost always required. My current choice is "Distribution -> In House".
P.S.: If you do want to list the devices, make sure the UDIDs are correct. Many issues reported here.
Set the profile under Project -> Build Settings - Since XCode 5, things changed. Instead of code signing with an identity you can clear all that up and set it under *Code Signing -> *Provisioning Profile. The Identity should automatically change to "Automatic". There's also no more need to manually download files from step 1 and install them. XCode manages that now.
Archive - In Xcode 5, there's no need any more to "Build for Archive". Just archive it. It should show up next on Organizer, and it will take some time if it's a big project. Many errors can come up on this step, but they're almost always related to code compilation and not to OTA.
Deploy - Now in Organizer -> Archives, select the proper archive (should be already selected as the most recent one) click on "Distribute", then Save for Enterprise or Ad Hoc Deployment. May be big wait now. When saving the file, there is an option to "Save for Enterprise Distribution". That is a completely misleading name. What it really does is create the plist file. If you have one already, it's fine. You can even manually edit it, which is generally better. The plist be needed for step (5). Here's a good one:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>items</key>
<array>
<dict>
<key>assets</key>
<array>
<dict>
<key>kind</key>
<string>software-package</string>
<key>url</key>
<string>http://example.com/app.ipa</string>
</dict>
<dict>
<key>kind</key>
<string>full-size-image</string>
<key>needs-shine</key>
<false/>
<key>url</key>
<string>http://example.com/FullSizeImage.png</string>
</dict>
<dict>
<key>kind</key>
<string>display-image</string>
<key>needs-shine</key>
<false/>
<key>url</key>
<string>http://example.com/Icon.png</string>
</dict>
</array>
<key>metadata</key>
<dict>
<key>bundle-identifier</key>
<string>com.example.app</string>
<key>kind</key>
<string>software</string>
<key>subtitle</key>
<string>for iOS</string>
<key>title</key>
<string>My App</string>
</dict>
</dict>
</array>
</dict>
</plist>
Distribute - Skip this step if you want to install it using XCode or iPhone Configuration Utility. You're done. This is putting on the file on a web site. "Simply" add a HTML page with a href link such as this:
itms-services://?action=download-manifest&url=http://example.com/app.plist
Unfortunately dealing with web servers is never simple. So also check the server mime-type! I've made a couple PHP files to deal with them, if your server supports php. Just keep your files as they are (the plist, html and ipa) and link to app.plist.php instead:
app.plist.php
$file = fopen("app.plist", "r");
while(!feof($file)){
$line = fgets($file);
print str_replace(".ipa", ".ipa.php", $line);
}
fclose($file);
?>
app.ipa.php
<?php
header('Content-type: application/octet-stream');
$file = fopen("app.ipa", "r");
while(!feof($file)){
$line = fgets($file);
print $line;
}
fclose($file);
?>
Verify - Ensure that all files listed in the assets array are available to download. If any of these files return 404 or such (including the icons) the entire install will fail. You must either (A) make those files available or (B) delete those missing entries from the plist. The icon entries are not required for the download to work.
Here is an example plist with no icons:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>items</key>
<array>
<dict>
<key>assets</key>
<array>
<dict>
<key>kind</key>
<string>software-package</string>
<key>url</key>
<string>http://example.com/app.ipa</string>
</dict>
</array>
<key>metadata</key>
<dict>
<key>bundle-identifier</key>
<string>com.example.app</string>
<key>kind</key>
<string>software</string>
<key>subtitle</key>
<string>for iOS</string>
<key>title</key>
<string>My App</string>
</dict>
</dict>
</array>
</dict>
</plist>
The file examples are a very important part of the checklist. They have to be 100% correct.
Double check the plist and html files!
P.S.: I'm writing this answer because, in my case, it was a "simple" matter of wrong link on the .plist file. And, as such, it's hard as hell to diagnose. Well, only doing this checklist could I find the error! It was pointing to "another-app.ipa" rather than "app.ipa"!
There are a plenty of reasons to cause this message.
The best way to diagnose it is to connect a device to Mac and look Console for the device in Organizer.
In my case, for example, it was:
verify_bundle_metadata: This app was not build to support this device family
Answering my own question:
The problem was that one of the thumbnails did not have the correct path set in the manifest.plist - so not only the ipa needs the correct path, but also the temporary download icons, otherwise the installation will fail with the mentioned error message.
Another Issue that it could be is that both the .plist AND the .ipa need to be hosted with HTTPS and not just regular HTTP. The software package string should look like below:
<key>kind</key>
<string>software-package</string>
<key>url</key>
<string>https://example.com/app.ipa</string>
Stupid little oversight but it was tripping me up for awhile.
We did experience the very same error message when trying to install an iOS 5+ app to an iOS4.3.5 phone.
Did you also check deployment/build targets and target architecture to match the device(s) showing that issue?
Make sure the casing is matching in all the files. They tend to be case insensitive.
In my case the issue was on my device an older version of same app was installed with same bundle identifier (downloaded from applstore) so now when I was trying to download its new version via enterprise distribution it was doing nothing, no error at all. Delete existing version from the device solved my issue.
I found in console.
installcoordinationd(MobileInstallation)[99] :
****bundleID****:5:11:1:1:Updating PlaceholderMetadata for
****bundleID**** with failure 1 _LSInstallType 1, underlyingError
(Error Domain=MIInstallerErrorDomain Code=13 "Failed to verify code
signature of
/private/var/installd/Library/Caches/com.apple.mobile.installd.staging/temp.IoCSM9/extracted/Payload/App.app
: 0xe8008016 (The executable was signed with invalid entitlements.)"
UserInfo={LibMISErrorNumber=-402620394,
LegacyErrorString=ApplicationVerificationFailed, SourceFileLine=147,
FunctionName=+[MICodeSigningVerifier
_validateSignatureAndCopyInfoForURL:withOptions:error:], NSLocalizedDescription=Failed to verify code signature of
/private/var/installd/Library/Caches/com.apple.mobile.installd.staging/temp.IoCSM9/extracted/Payload/App.app
: 0xe8008016 (The executable was signed with invalid entitlements.)}),
source 17>
Here we should look at:
Failed to verify code signature of App.app
The executable was signed with invalid entitlements.
In my case it was because i downloaded enterprise build from amazon. But the provisioning profile, which it was builded with, was expired (figured out in developer console).
Another one with the other purpose:
"This app could not be installed at this time."
UserInfo={NSLocalizedDescription=This app could not be installed at
this time., NSUnderlyingError=0x100cbd3c0 {Error
Domain=MIInstallerErrorDomain Code=64 "Upgrade's
application-identifier entitlement string (BBBUUUU.com.bundle.www)
does not match installed application's application-identifier string
(CCCEEEE.com.bundle.www); rejecting upgrade."
UserInfo={LegacyErrorString=MismatchedApplicationIdentifierEntitlement,
FunctionName=-[MIInstallableBundle
_validateApplicationIdentifierForNewBundleSigningInfo:error:], SourceFileLine=878, NSLocalizedDescription=Upgrade's
application-identifier entitlement string (BBBUUUU.com.bundle.www)
does not match installed application's application-identifier string
(CCCEEEE.com.bundle.www); rejected
Here i just removed the previous version of the app. The error was, because i changed the team for the bundle ID and it was installed the app with previous bundle ID.
Open console with:
Xcode > Window > Devices
Select the device
Expand a console with with a box with an arrow inside of it in the bottom left corner.
Try checking bundle identifier in your XCode and .plist file
In my case I did following to get rid off "cannot connect to dl.dropboxusercontent" message after providing ipa shared link.
1. Removed md5 section from plist
2. Uploaded 512*512 and 57*57 images to drop box, and provided shared link in fill_size_image and display_image in plist.
The first thing to check here is that the device you are installing on has the correct OS for the app your are installing. For instance, if the app is built for iOS 11, and your device has iOS 10 on it, then the app will install but you will see this error "Unable to Download Application".
In my case, there was a problem with incorrect file permissions of the FTP folder and the files inside (manifest, ipa, images). Check that they have 775 (rwx) and that Owner/Group is your owner.
The error in the device console was like "Cannot connect to iTunes Store" or "Failed artwork for bundleID" or "Failed to load placeholder artwork for bundleID". But it's just about the files.