Push notifications not working after switching to Enterprise distribution - ios

I had push notifications working on an app that was using an ad hoc distribution. My client then bought an Enterprise license, and I generated new certificates/profiles, archived the app, and now we are distributing via Enterprise, but push notifications are no longer working. What steps would I have to take in order to get them working on the Enterprise version? Thanks!

Based on your description it sounds as though you did your original implementation on an AppId registered under one developer account, and then attempted to migrate the build to a second developer account.
In APNS parlance, the server that generates the push notification payload objects is called the provider and must register an APNS certificate keypair to be able to establish a secure connection between your server and the relevant Apple Push Notification gateway (Sandbox or Production). This keypair is exclusive to the AppId for which it was registered, and AppIds are exclusive to the Developer Account under which they were registered -- even with a precisely matching AppId, certificates registered under one account cannot be transferred to a second account. If that were possible, I could look at your app's AppId, register that AppId in my own account and start sending spammy pushes to your app. Thankfully, the Bundle Seed ID is a silent element of all AppIDs and prevents that situation from occurring!
I've answered a similar question about APNS Provisioning that might help further clarify what is going on behind the scenes, so you might give Why I can't add APNs Development iOS typed certificate to provisioning profile a read.
If you want to see that your AppIDs are actually different you can use a couple of Terminal commands to export information from the original Provisioning Profile (where things were working) and from the Enterprise Provisioning Profile (where things aren't working) to see the differences:
Copy and paste the following, taking care to update the path to your specific .mobileprovision:
/usr/libexec/PlistBuddy -c 'Print :Entitlements' /dev/stdin <<< $(security cms -D -i /path/to/your/original.mobileprovision)
Then run this command a second time updating the path to your Enterprise provisioning profile.
The output of this command will be a dictionary of key value pairs:
Dict {
    get-task-allow = true
    aps-environment = development
    com.apple.developer.team-identifier = ABC1DEF2G3
    application-identifier = XYZW1ABC2D.com.mycompany.niftyapp
    keychain-access-groups = Array {
        XYZW1ABC2D.*
    }
}
You'll notice that the output of these two commands is different -- the application-identifier section and keychain-access-groups section will have different bundle seed IDs.
So how do I fix it?
The fix is quite simple and requires no additional development work in-app! You will, however, likely need to recompile with a new provisioning profile:
1. Because you've set things up already, you just need to log in to the Enterprise Account and enable Push Notifications in your Enterprise account's AppId.
2. While in that AppID's configuration, you will need to generate a new SSL keypair and submit it to Apple just as you did for the original account.
3. Install the new certificate and private key on your Push Server.
4. Edit your Enterprise Distribution provisioning profile, and install it in Xcode, taking care to remove the old Enterprise Distribution provisioning profile.
5. Rebuild your application using the new Provisioning Profile.
The rebuild may be necessary because if the Enterprise AppID didn't have Push Notifications enabled, the Enterprise Distribution Provisioning Profile's Entitlements block would not contain the aps-environment key and thus be prohibited from connecting with the APNS Gateways.
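Added example, not part of the original answer: a Python version of the profile comparison described above, which reads the Entitlements block out of two .mobileprovision files and reports a changed bundle seed ID or a missing aps-environment key. The function names and the second profile's seed ID (ENT0000000) are assumptions made for illustration, and the sample profiles are constructed so the code runs without real files.

```python
import plistlib

def profile_entitlements(blob):
    """Return the Entitlements dict from raw .mobileprovision bytes.

    The profile is a CMS envelope around an XML plist. This slices the plist
    out without verifying the signature, so it is for inspection only.
    """
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no embedded XML plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])["Entitlements"]

def compare_profiles(old_blob, new_blob):
    """List the entitlement differences that matter for APNs delivery."""
    old, new = profile_entitlements(old_blob), profile_entitlements(new_blob)
    # application-identifier is "<bundle seed ID>.<bundle identifier>"
    old_seed, _, old_bundle = old["application-identifier"].partition(".")
    new_seed, _, new_bundle = new["application-identifier"].partition(".")
    findings = []
    if old_seed != new_seed:
        findings.append(f"bundle seed ID changed: {old_seed} -> {new_seed}")
    if old_bundle != new_bundle:
        findings.append(f"bundle identifier changed: {old_bundle} -> {new_bundle}")
    if "aps-environment" not in new:
        findings.append("new profile has no aps-environment entitlement")
    elif new["aps-environment"] != old.get("aps-environment"):
        findings.append("aps-environment changed: "
                        f"{old.get('aps-environment')} -> {new['aps-environment']}")
    return findings

def fake_profile(entitlements):
    # Constructed sample: arbitrary bytes stand in for the CMS envelope.
    body = plistlib.dumps({"Entitlements": entitlements})
    return b"\x30\x82\x0f\x00" + body + b"\x00\x01signature-bytes"

# Constructed profiles: the first uses the values from the sample output in the
# answer; the second seed ID is a made-up placeholder.
ADHOC = fake_profile({"application-identifier": "XYZW1ABC2D.com.mycompany.niftyapp",
                      "aps-environment": "development", "get-task-allow": True})
ENTERPRISE = fake_profile({"application-identifier": "ENT0000000.com.mycompany.niftyapp",
                           "get-task-allow": False})

if __name__ == "__main__":
    for line in compare_profiles(ADHOC, ENTERPRISE):
        print(line)
```

For real profiles, pass the bytes of each file (read in binary mode) to compare_profiles in place of the constructed samples.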

Related

How can we test ios release app. in device with wildcard provisioning profile

Currently, I have the following config in my Xcode. I am trying to test the app directly on a device with notifications enabled, i.e. APNS:
i) Code Signing Identity as "iPhone Distribution"
ii) Provisioning profile as Wildcard
Question 1: Can I install through iTunes directly on my device after archiving?
Question 2: Will a wildcard provisioning profile create a release/debug build? Does this wildcard concept have anything to do with release/debug?
Question 3: Without TestFlight, is there any way I can test my app in release mode directly on a device?
Help is appreciated !
I am stuck here.
A provisioning profile for a wildcard App-ID does not give the Apple Push Notification entitlement.
You need:
An app with the aps-environment entitlement set to production. If you want to test with the APNS sandbox environment this should be set to development.
A provisioning profile for your App-ID that includes the permission to install apps with the aps-environment entitlement set.
A code signing certificate and private key that is included in the provisioning profile.
To check an app's entitlements you can run the following command:
$ codesign -d --entitlements :- path/to/Payload/MyApp.app/MyApp
....
<key>aps-environment</key>
<string>production</string>
....
To check the entitlements in a provisioning profile I find it easiest to open the profile in TextEdit.app (drag the file to the dock icon) and search for “Entitlements”.
The setting for the code signing certificate can be checked at the Apple developer member center.
The answer is pretty simple:
Whenever you export/release your app with the Distribution profile, it will count as "Distribution", thus, it will match the production APNS certificate in your sender, regardless of how you install or download the ipa.
e.g. TestFlight.
Otherwise, if you export/release/share your App using the Developer profile, it will count as "Developer" so you may use the Sandbox Developer APNS certificate in your sender.
e.g. You install the app on your phone through Xcode.
You should not use a Wildcard provisioning/certificate.
So pay attention to the signing of the App, that will give you the clue about which certificate you need to pair with.
I do this frequently and I switch my certificate in the Push Notifications sender (the one that should match the APNS certificate) back and forth.
Let me know if you need further clarification.
Question 3. You can test Push Notifications in all possible scenarios: Ad-Hoc, iTunes, TestFlight, direct install. You just need to pay attention to the certificate used for exporting/installing the app and sign it properly (as I just said).
Happy coding!

Trying to create Apple provisioning profile with push notifications

My apologies for any confusion or misunderstandings, this is my first phone app so I'm still getting the hang of things.
I've been getting this error when I try to enable push notifications:
no valid 'aps-environment' entitlement string found for application
And my understanding of the issue (from reading other posts and Googling) is that this is most likely due to an incorrectly set up provisioning profile.
I currently have two certificates created, one created about 6 months ago strictly for development:
FirstName LastName iOS Development Mar 22, 2017
com.namehere.tasks APNs Development iOS Sep 18, 2017
Now I've heard that you might have to remake the provisioning profile after creating the APN, however when I try to recreate it to include the APN cert, it only lists the first cert.
I do notice that my current provisioning profile says invalid, which it didn't before, if this is at all relevant:
Name and OtherName 2016 iOS Development Invalid
So my question essentially is - do I need to create a new provisioning profile now that I've created a push certificate? And why can't I add it to my provisioning profile?
do I need to create a new provisioning profile now that I've created a
push certificate?
Yes, you will need to regenerate the provisioning profile. You can think of the provisioning profile as the single source of truth for all your certificates and bundled app services (e.g. Push Notification).
however when I try to recreate it to include the APN cert, it only lists the first cert.
That is correct. Just go ahead with it. The provisioning process will obtain the push cert information automatically. When you view your App ID in the developer website, you should be able to see that Push Notification is enabled.
And why can't I add it to my provisioning profile?
If you are looking for an automatic way to regenerate these provisioning profiles, you could let Xcode manage the provisioning for you using a Team Provisioning Profile.
If you enter information about your app and assign a team to your app,
Xcode creates the necessary signing identities and provisioning
profiles for you. Specifically, Xcode creates a team provisioning
profile that allows your app to run on all your devices and use app
services.
See link for more info

Unable to test Production Push Notifications through AdHoc

I'm following Parse's Push Notification Tutorial for setting up my Parse app to now be able to send Production push notifications, rather than Development ones, so I can get it ready for the app store. This is covered in section 7.1 in the tutorial.
When I attempt to create an AdHoc provisioning profile, it only works if I create an iOS distribution certificate, when I create an APN production certificate, which is the correct one for this purpose, it shows me this:
If I decide to go ahead and use the iOS distribution certificate from this list instead:
The provisioning profile is successfully created, but again, it's not using the correct certificate for push notifications. Likewise, because I had to use the distribution one to create the profile, I therefore would have to use the certificates .p12 file when connecting my Parse Notification settings to this profile. When I attempt to do this, I unsurprisingly receive the following error:
because I'm uploading the .p12 of an iOS Distribution certificate, and not the APN Production iOS certificate. When I try uploading the .p12 of the APN Production iOS certificate to Parse, it works, but my test iOS device doesn't receive push notifications, because the provisioning profile doesn't use that certificate, as I mentioned earlier.
Am I following the directions incorrectly? Why can't I make a provisioning profile using a Production APN certificate, so that it can work with Parse Push Notifications?
I have never used Parse, but you have two exact production certificates.
This is an issue; revoking one of them and trying again should work!
the provisioning profile doesn't use that certificate
I think you are misunderstanding what you need to do:
delete the app from your device
Build your app signed with distribution certificate
Install the ad-hoc version of the app on your device
Here is an image to illustrate how the provision profile works:
It's a good idea to check the Apple docs out.
Also very important to check which provisioning profile you have used to sign and build the app.
Turns out my error was forgetting to set the code signing settings in both Project AND Targets.

confused with certificates and profiles adhoc distribution

I have a number of apps already uploaded on the Apple Store. I now want to use adhoc distribution for some of them, and in some of them also include push notifications.
I already have a production certificate, since these apps are already installed.
My questions are:
In order to add adhoc distribution, I need to create a new adhoc provisioning profile that needs to be matched with one certificate. Should this be my production certificate, or should I request a new certificate, then create a new SSL certificate and so on, and match this one with the adhoc provisioning profile?
The same question applies for the push notification. A different profile will be created, but how about the certificate?
So, in general my question is: Do I have only one active production certificate which matches with the unique profiles or not?
So far, where I hadn't included any adhoc or APNS service, I had only one, and I do not know how this changes right now.
It's all the same certificate (the one you already have).

New iOS team member: no valid signing identity

This is getting frustrating. I have two identities, one old, one new, and the latter should be used to deploy iOS apps to the App Store.
I've created the new user, granted him admin access, then I created the app name and provisioning profiles. However, in the Organizer I see that the Dev provision works flawlessly, while the Deploy profile shows me the dreaded error:
Valid signing identity not found.
How can it be?
Well, I see that in the Certificates section in the iOS Provisioning Portal, there is only one distribution certificate, the one belonging to my company.
Is there a way to enable the new user to create apps without accessing the uberadmin's Xcode?
Thanks & Cheers!
You need the key that was used to create the Distribution Certificate for your company.
Remember when you created your developer certificate? Then you went to keychain -> certificate assistant -> Request a certificate from ...
When you did this, your Mac paired your certificate request to a key in your keychain. Once your developer certificate was processed and you downloaded it to your computer, it could be accessed by your computer through that key.
But if you did not create the Distribution Certificate that your company has, you don't have the key on your computer.
Take a look at your certificates in keychain:
Go to 'Certificates' and expand your developer certificate - it will have a little key with your name.
Now try to expand your distribution certificate - it will not have a key, right?
If this is the case, you have two options:
Ask the person who created the Distribution Certificate to export it from his keychain. This will create a file that includes both certificate and key.
Delete the current Distribution Certificate, and create a new Certificate Signing Request from your computer, which will connect it to a key that you have.
The first method requires access to the "Uberadmin's" computer. The second requires admin access to your team's Apple account. There is usually no downside in using method 2, because creating a new certificate is necessary from time to time anyway. It will not affect already published apps; just coming releases and updates need to use the latest certificate.
Once all this is done, you need to create a distribution provisioning profile for App Store and connect to the Distribution Certificate that you are going to use. (if you went with option 1, you might already have done this).
Download the profile to your computer, install it, and then in your app, select to build with this profile for distribution builds.
According to Apple's documentation:
A team’s distribution certificate allows a developer to build an app for distribution. If your team wants to use another Mac to create a distribution build, you need to transfer a copy of the distribution certificate as described in, “Safeguarding and Transferring Your Signing and Provisioning Assets” in Tools Workflow Guide for iOS. (from Managing a Distribution Certificate)
So, in order to have multiple users able to create & submit App Store builds, you must share a private key between them.
Create a new private key for the team, and then send that private key to everyone who needs it. Follow the instructions under Generating a Certificate Signing Request with Keychain Access.
See also: Any concern to share private key for distribution certificate among different group under a team account in itune provisioning portal
