I have an app that I want to profile it using Instruments. I can use the Instrument with the App in the simulator but I can't do it with my device, although the device is registered for Ad-Hoc and development in the provisional profile and I can install the app using Hockey-App so I am sure there is no problem with the device and the code signing part. However I can profile it when the build configuration is Debug, only Release doesn't work.
I get the following error.
The executable was signed with invalid entitlements.
The entitlements specified in your application’s Code Signing Entitlements file are invalid, not permitted, or do not match those specified in your provisioning profile.
none of the following links could help me:
Entitlements file do not match those specified in your provisioning profile.(0xE8008016)
Entitlements don't match Provisioning Profile (0xE8008016)
the result of codesign -d --entitlements - release-app-path
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>application-identifier</key>
<string>TEAM_ID.BUNDLE_IDENTIFIER</string>
<key>aps-environment</key>
<string>production</string>
<key>beta-reports-active</key>
<true/>
<key>com.apple.developer.associated-domains</key>
<array>
<string>applinks:SOME_URL</string>
</array>
<key>com.apple.developer.team-identifier</key>
<string>TEAM_ID</string>
<key>get-task-allow</key>
<false/>
</dict>
</plist>
As the original TestFlight app will be retired in a month, I am trying to get to grips with the iTunes Connect Beta system, which looks like a significant improvement. As directed, I regenerated my provisioning profiles and redownloaded them on my build server.
I then performed the build with the "AppStore|Release" profile and I saw this message in the log:
codesign -v -f -s "XXXXXX" "--resource-rules=/.../MyApp.app/ResourceRules.plist" --entitlements "/../iSnagMobileiOS.xcent" "/../iSnagMobileiOS.app"
The file specified in the entitlements parameter contained the beta-reports-active key as expected:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>get-task-allow</key>
<false/>
<key>application-identifier</key>
<string>XXXXXXX.com.mycompany.myapp</string>
<key>com.apple.developer.team-identifier</key>
<string>XXXXXXXX</string>
<key>beta-reports-active</key>
<true/>
<key>keychain-access-groups</key>
<array>
<string>XXXXX.com.mycompany.myapp</string>
</array>
</dict>
</plist>
I then retrieved the generated IPA, which was signed with my distribution certificate. In order to check that the correct entitlement had been applied, I executed this command to check the provisioning profile:
unzip -p MyApp.ipa Payload/MyApp.app/embedded.mobileprovision | security cms -D
Within the XML fragment I could see the entitlements dictionary which contained the flag as expected:
<key>Entitlements</key>
<dict>
<key>keychain-access-groups</key>
<array>
<string>XXXXXXXX.*</string>
</array>
<key>get-task-allow</key>
<false/>
<key>application-identifier</key>
<string>XXXXXXXX.com.mycompany.myapp</string>
<key>com.apple.developer.team-identifier</key>
<string>XXXXXXXXX</string>
<key>beta-reports-active</key>
<true/>
</dict>
There is also no extra Entitlements.plist file in the IPA that might be throwing this off.
I uploaded the IPA with Application Loader 3.0, but I then received this error message:
WARNING: ITMS-90191: "Missing beta entitlement. Your app does not include the beta-reports-active entitlement. If you intend to distribute this build via TestFlight for beta testing, please re-build this app with a newly generated provisioning profile."
I have found numerous hits while searching for this message but none seemed to describe the above the problem; all those users found that regenerating the profile and downloading it again was all that was required.
I wondered if I was perhaps experiencing an issue caused by an older version of XCode or MonoTouch but after I updated both, I still experienced the same problem. I'm going to guess that this issue is not caused by Xamarin but is perhaps caused by a setting I have overlooked in my build configuration, but I could be wrong there.
After updating iOS 8.1.3, I tried to download, but getting error "Unable to download app" and "could not be installed at this time" messages appears.
What are changes between 8.1.2 and 8.1.3 which i have to take into consideration?
Download mode: < a
href="itms-services://?action=download-manifest&url=https://****.plist">
Thanks!
After a few hours wracking braincells, here's how I did it:
NOTE: I haven't currently tested this against iOS 8.1.2 or lower (proceed with caution!)
For apps that have ALREADY been signed with your OWN enterprise certificate, all you have to do (as mentioned by RAStudios in his edit) is to edit the manifest.plist:
Before:
<key>bundle-identifier</key>
<string>uk.co.acme.AcmeApp</string>
After:
<key>bundle-identifier</key>
<string>S836XXACME.uk.co.acme.AcmeApp</string>
For apps that have been signed by a third party that you're resigning with your enterprise certificate (this walkthrough is assuming the ipa file is AcmeApp.ipa, your entitlements file is entitlements.plist and your provisioning profile is provProvile.mobileprovision; all files are in the Desktop folder (Mac OSX), and S836XXACME is your team identifier):
Create a new entitlements.plist file:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>application-identifier</key>
<string>S836XXACME.uk.co.acme.AcmeApp</string>
<key>get-task-allow</key>
<false/>
</dict>
</plist>
Unzip the ipa:
cd ~/Desktop
unzip AcmeApp.ipa
Remove the Code Signature:
rm -r Payload/AcmeApp.app/_CodeSignature/
Copy in the mobileprovision file:
cp provProfile.mobileprovision Payload/AcmeApp.app/embedded.mobileprovision
Codesign:
codesign -f -s "iPhone Distribution: ACME Corporation Limited" --entitlements entitlements.plist Payload/AcmeApp.app
Zip it up as the resigned ipa:
zip -qr AcmeApp_resigned.ipa Payload/
You also need to amend the manifest.plist file as per the 'ALREADY' signed part earlier:
<key>bundle-identifier</key>
<string>S836XXACME.uk.co.acme.AcmeApp</string>
After investigating..
Edit: After further testing, I found that simply matching the bundle ID in the Info.plist and the bundle ID in the manifest.plist worked for installing apps over-the-air on iOS 8.1.3. If this solution does not work, try the solution below.
Original Solution
Fix to the problem:
Your application must have a valid entitlements.plist, which includes correct the valid bundle identifier of an application.
If you are distributing an application signed with a iOS development certificate, here is an example of a entitlements.plist you should include with your app.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>application-identifier</key>
<string>com.yourbundleidhere.mycoolapp</string>
<key>com.apple.developer.team-identifier</key>
<string>com.yourbundleidhere.mycoolapp</string>
<key>get-task-allow</key>
<true/>
<key>keychain-access-groups</key>
<array>
<string>com.yourbundleidhere.mycoolapp</string>
</array>
</dict>
</plist>
If you are using a wildcard profile, replace com.yourbundleidhere.mycoolapp with yourwildcardappid.*. In both instances, you can use iResign to properly resign applications and include the now required, entitlements.plist.
Explanation of the problem
Due to security patches (see here under CVE-2014-4493), without the entitlements.plist, the application will not install. The security patch keeps applications from overriding existing apps and installing over the top of them/replacing them.
I've done quite a few experiments with this. In my experience the bundle identifier in the manifest.plist file isn't actually that critical. The most important thing to do is to get the entitlements.plist correct.
Rather than creating this manually I would recommend generating it from the provisioning profile using the following script (credit):
# Create an entitlements file
# parse provision profile
security cms -D -i "provProfile.mobileprovision" > ProvisionProfile.plist 2>&1
# generate entitilements.plist
/usr/libexec/PlistBuddy -x -c "Print Entitlements" ProvisionProfile.plist > Entitlements.plist 2>&1
You can then use this entitlements file with the --entitlements option on the codesign utility.
I have the same issue and this happens for the applications that doesn't have any entitlements.
Re-signing the app with entitlement solved the issue for me, but this is going to be pain as all the applications that are already deployed need to be re-signed and deployed.
This is a weird issue because these apps which failed for me doesn't use anything like keychain sharing or push notifications and hence doesn't need an entitlement at all (as per my understanding). Now when I just add an entitlement with keychain-sharing it starts working.
I have answered this here, this worked for me without having to do anything else
In addition to #Mark's and #RaStudio's answers, I have seen two more causes for the 'Unable to download application' message; one of which is new to iOS 8.1.3.
New failure cause on iOS 8.1.3
This error occurs when trying to install an application that has an expired provisioning profile. When signing an application, both the certificate and the provisioning profile must be valid and not expired. It seems as though an application with an expired provisioning profile and non-expired certificate can be installed on iOS 8.1.2 in some circumstances. Ensure that the provisining profile is not expired by going to Apple's developer center.
Old failure cause
This error occurs when trying to download an application signed with a development certificate and provisioning profile if the device has not been added to the development provisining profile on Apple's developer center.
I have sovled this problem.
Since Apple has changed provisioning profiles, please RENEW the provisioning profiles (File 1) and copy it into the "Payload/".
Make sure there's a Entitlements.plist (File 2) in the "Payload/", and this plist file MUST be PLAIN TEXT which is created by a text editor.
Make sure there's a Info.plist (File 3) in "Payload/", and this is created by XCode;
Copy the Entitlements.plist (File 4) anywhere else except the "Payload/".
Be sure "Bundle identifier" in File 1-4 should be the same.
Use this Entitlements.plist (File 4) to Re-Sign the IPA file.
You can resign it like this
codesign -fs "iPhone Distribution: Your Company Name" --entitlements=/Users/SenTR/Downloads/codesign/Entitlements.plist /Users/SenTR/Downloads/codesign/Payload/Your_Project_name.app
Entitlements.plist sample
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>application-identifier</key>
<string>PREFIX.yourappBundleID</string>
<key>aps-environment</key>
<string>production</string>
<key>get-task-allow</key>
<false/>
<key>keychain-access-groups</key>
<array>
<string>PREFIX.yourappBundleID</string>
</array>
</dict>
</plist>
If you know Chinese, this will be helpful.
http://hennry.com/2015/03/fail-to-resign-ipa-since-ios8/
ios 8.1.3: inhouse app need distribute with MDM.
MobileInstallation
Impact: A malicious enterprise-signed application may be able to take control of the local container for applications already on a device
Description: A vulnerability existed in the application installation process. This was addressed by preventing enterprise applications from overriding existing applications in specific scenarios.
from apple release note
I want to suppress the Photos authorization dialog when running tests in the iOS Simulator. To do so I am including an Entitlements.plist as mentioned here.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.private.tcc.allow.overridable</key>
<array>
<string>kTCCServiceAddressBook</string>
<string>kTCCServiceCalendar</string>
<string>kTCCServicePhotos</string>
</array>
</dict>
</plist>
This work fine locally when I sign the app with my developer certificate. However, I want to run these tests on CI (Travis CI, specifically) without having to upload the certificate. When I don't sign the app Xcode is nice enough to give me the following warning:
Warning: Capabilities that require entitlements from "Supporting Files/Entitlements.plist" may not function in the Simulator because the target "Test Host" doesn't have a valid Code Signing Identity for iOS.
Is it possible to use these entitlements without signing the app?
I have two applications - one has a space in the name, the other doesn't. when I try to run the application through my command line build process I have problems with the application being able to function properly - ie: bombs out with "SecItemCopyMatching: missing entitlement"
--- When I attempt to check the entitlements on the command line of the application with the space:
>machine:Release-iphoneos builder$ codesign -d --entitlements - Application\ Name.app
Executable=/Users/Shared/Jenkins/Home/jobs/My_Application_Name/workspace/build/Release-iphoneos/Application Name.app/Application Name
--- When I run this on an app without the space in the name:
machine:Release-iphoneos builder$ codesign -d --entitlements - application.app
Executable=/Users/Shared/Jenkins/Home/jobs/My_Application_Name/workspace/ios/build/Release-iphoneos/Application.app/Application
??qq?<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>application-identifier</key>
<string>ABC123456.com.company.app</string>
<key>aps-environment</key>
<string>production</string>
<key>get-task-allow</key>
<false/>
<key>keychain-access-groups</key>
<array>
<string>ABC123456.com.company.app</string>
</array>
</dict>
</plist>
So the big question here is - this application name is already being used globally and I can't change it - how can I fix this issue so that I can do these command line builds???
IMNHO: Apple has made a big mistake in it's non-posix compliance in xcode.
Any suggestions appreciated.
APPLE'S RESPONSE: "The Code Signing of iOS applications is only supported by DTS when using the Xcode app to build and sign your applications. Their isn't a supported workflow for signing iOS Applications using xcodebuild."
So they don't support their own command line tools...
It's possible that removing all provisioning profiles solved this, although I did that on a few occasions prior to the last time I did it with no luck. It resolved itself one night on an automated build much to my surprise...