The embedded profile in my IPA's payload contains the beta-reports-active key with a following true value. When those builds are uploaded, and later listed within itunesconnect pre-release tab they are flagged as NOT having that entitlement. I am inspecting the embedded.profile with this command
security cms -D -i
In the p-list that is returned I see the Entitlements dict and within that <key>beta-reports-active</key> followed by <true/>.
Has anyone encountered this? Could there be some other source of entitlements?
EDIT:
I should add the profile is being embedded by jenkins via it's XCODE plugin.
Okay, got it:
Problem was that xcodebuild run by Jenkins could not find my correct mobileprovision during build, only during resining. Moving the certificate into ~/Library/MobileDevices/Provisioning Profiles solved it.
Look for this line
Provisioning Profile: "XYZ"
in the build output, that's what being used to build (not to resign for the packaged IPA) and it has to be the right file.
I will probably switch to a more modern tool like fastlane to avoid stuff like this from now on...
Related
I've got a command line script I use to compile, archive and submit my ios builds to ITC for TestFlight deployment. They work great, but I recently ran into an issue when trying to use an embedded framework within my otherwise working project. My script compiles and archives the project successfully but is getting ITC signing errors because of the embedded binary conflict.
xctool -workspace $BASE_DIR/$PROJECT_NAME -scheme $SCHEME -configuration $CONFIG clean archive -archivePath ./$PRODUCT_NAME.xcarchive
xcodebuild -exportArchive -archivePath ./$PRODUCT_NAME.xcarchive -exportPath $PRODUCT_NAME -exportFormat ipa -exportProvisioningProfile "$DIST_PROVISIONING_PROFILE_NAME"
# result is successful, with .ipa file generated
After a successful compilation my script tries to upload to ITC, and fails with the below msg. I get the same message if I try to upload the generated IPA file to ITC myself using Application Loader tool.
ERROR ITMS-90046: "Invalid Code Signing Entitlements. Your application
bundle's signature contains code signing entitlements that are not
supported on iOS. Specifically, value 'XXXXXXXXX.com.domain.Product'
for key 'application-identifier' in
'Payload/Product.app/Frameworks/Charts.framework/Charts' is not
supported. This value should be a string starting with your TEAMID,
followed by a dot '.', followed by the bundle identifier.
There is no application-identifier string used in my project or settings that I can find with a global search.
Extra Info
com.domain.Product would be my project's main bundleIdentifier, which has a distribution certificate and provisioning profile generated for it. Without the embedded binary that works just fine. The "Charts" embedded project has a bundleIdentifier but the team is set to "None" in the Info tab, and signing is set to Automatic. Since it is an embedded binary/framework, I'm assuming it doesn't independently sign it. When using Xcode's Archive, it is listed as a subset of the main Project with no independent identifier or entitlements.
I have also tried creating an independent appId and distribution provisioning profile for the embedded binary called "com.domain.ProductCharts" and setup the project correctly. This does not change the error.
I have further tried setting the embedded binary's project to use the same bundleIdentier and settings as the parent Project, but this does not change the error.
Why is xctool/xcodebuild unable to properly compile and sign this to get through to ITC, while the native Archiver can?
Currently, I encountered what I think is a bug in xcodebuild command similar to this, way I fixed it for me was to setup provisioning profile in the project settings. Try updating your project and run build again.
The investigation into the issue was here: https://forums.developer.apple.com/thread/14378
But others reported problem with associated domains:
SO question: Apple Store submit fails with Error ITMS-90046, but Associated Domains is not among entitlements
What is your OS, XCode ... etc?
Just a guess: Maybe you need to specify an application-identifier in your Entitlements.plist if you use the command line. Here https://developer.apple.com/library/ios/qa/qa1710/_index.html it is stated that in "In modern versions of Xcode.."
You said:
They work great, but I recently ran into an issue...
Have you created a new profile meanwhile and now there are two? Or two certificates? Here is a description on how to check your entitlements. Maybe this helps.
Creating .entitlements for the embedded framework will solve the issue only in Xcode 7.x. In the version 8.x the issue still exists.
I got an issue with Xcode's Bot. It always returns the "User canceled the operation. Command /usr/bin/codesign failed with exit code 1" error string after running the command below:
/usr/bin/codesign --force --sign <MY_PRIVATE_KEY> --entitlements /Library/Developer/XcodeServer/Integrations/Caches/2cdd321641e8c114e4eba9819b017479/DerivedData/Build/Intermediates/MyApp.build/Debug-iphoneos/MyApp.build/MyApp.app.xcent /Library/Developer/XcodeServer/Integrations/Caches/2cdd321641e8c114e4eba9819b017479/DerivedData/Build/Products/Debug-iphoneos/MyApp.app
I can run this command in Terminal with sudo. I'm using Xcode 6.3.1 and OS X Server 4.1.53 in my Mac 10.10.4.
Thank for your help.
This looks like a code signing error. There are a few different reasons for this to happen so you will need to do some troubleshooting. Can other bots build on your server? If so then its probably a build settings issue in this specific project.
In the Xcode Project go to the Project Target that your trying to build, and then Build Settings, and Code Signing. Under the Provisioning Profile you can either choose Automatic or explicitly choose the correct provision, and then under the Code Signing Identity choose iOS Developer. This is probably where your issue is if its related to the project. Do you have a proper provision setup for the project on the Apple Developer Portal?
If you can't get any bots to run on your server then the issue could be with how you set up Xcode Server. Have you added the server to your team? Here is the blog post that I used to get mine up and running, although you don't need to do all of those steps in the post. Focus specifically on the Setup Certificates section and Setup Provisioning Profiles section.
I fixed the issue by copying the missing provisioning file from my local directory "/Users/phuongle/Library/MobileDevice/Provisioning Profiles" to "/Library/Developer/XcodeServer/ProvisioningProfiles". Do not use the downloaded provisioning file from developer.apple.com directly.
I just want to note here for everyone having the same issue with me.
I am trying to upload an app to Testflight using XCode 6.3. However, on trying to validate the app, it is giving me the error message below:
I have tried regenerating the certificates and provisioning profiles without having any success.
ERROR: ERROR ITMS-90035: "Invalid Signature. Code object is not signed
at all. The binary at path [VirtualMechanic.app/dsym_upload.sh]
contains an invalid signature. Make sure you have signed your
application with a distribution certificate, not an ad hoc certificate
or a development certificate. Verify that the code signing settings in
Xcode are correct at the target level (which override any values at
the project level). Additionally, make sure the bundle you are
uploading was built using a Release target in Xcode, not a Simulator
target. If you are certain your code signing settings are correct,
choose "Clean All" in Xcode, delete the "build" directory in the
Finder, and rebuild your release target. For more information, please
consult
https://developer.apple.com/library/ios/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html"
That dsym_upload.sh script does not belong in the app bundle as it's the script that is run as part of a Build Phase that is used to upload the debug symbols to Crittercism.
Find the Build Phase that is copying it into the app bundle and remove it, however please note that it will still need to be run within a Build Phase.
Here's the official Crittercism Support Article related to the issue which recommends upgrading the pod to version 5.2.0.
I have a problem with creating IPA files and TestFlight is showing me this reason.
http://help.testflightapp.com/customer/portal/articles/402843-mismatched-keychain-access-groups
I get a mismatch with keychain access groups but it takes a while to upload the IPA file to TestFlight before it can tell me the file is not valid. I'd like to test the file before I even upload it. I would also like to know how to get information abou the IPA file so that I can diagnose and fix the problem. I have no idea how it is failing since I am using the same Code Signing Identity in the Debug/Release builds as well as signing the IPA from the Archive. I have no idea what is wrong or how to fix it.
Any help is appreciated.
If your Distribution Provisioning profile bundle identifier matches your App's bundle identifier (eg your bundle id is com.mycompany.appname and your App's bundle id has at least com.mycompany.* then you shouldn't run into this error.
Another way to check validity feedback in Xcode 4.3 is to archive the app, and hit the Validate button in the Archives section of your Organizer. (Note that it won't allow you to to validate and gives a 'No application records found' error until you've created an App ID in your iTunes Connect account, and followed the steps until you've set it to "Waiting for Upload ". Don't worry if you're not ready to upload to the store yet, you can still validate without uploading anything.)
Go to terminal and use it like below
/Applications/Xcode.app/Contents/Applications/Application\ Loader.app/Contents/Frameworks/ITunesSoftwareService.framework/Support/altool -v -f APP.ipa -u itunesconnect#user.com -p password
You can use the altool that comes with Xcode
cd /Applications/Xcode.app/Contents/Applications/Application\ Loader.app/Contents/Frameworks/ITunesSoftwareService.framework/Versions/A/Support/
./altool --validate-app -f <'ipaFile'>
You can use the command to extract entitlements info from the signed application:
codesign -d --entitlements
Then try to compare it with the Entitlements part of provision profile. If they dont match there must be some problem with your signing process.
I would like to use terminal to automatic my application build working flow, how can I change the cert and build the application from terminal only? Thanks.
Yes, you may use terminal to build the app.
There is an xcodebuild tool which allows to do that ($ man xcodebuild would explain a lot).
As for your question – as I understand you're trying to make a build with a different mobileprovision profile. It's possible by adding PROVISIONING_PROFILE parameter to xcodebuild command. And you need to provide profile's UUID.
In two words, each mobileprovision profile has an identifier and it should be "installed" (installation via Xcode is OK). So, you should follow these steps to make a build from the terminal:
Check if the mobileprovision profile is installed (it could be done from Xcode).
Get the mobileprovisioning UUID. The simplest way to do that is the next:
Find the profile in Xcode's organizer
Reveal it in Finder (profile's file name differs from the profile name)
Open the profile in vim or any other editor (it's a signed plist so don't be afraid of the binary part)
Find the <key>UUID</key> string and the corresponding identifier (it should look like AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE), BTW this UUID is used by Xcode as a file name.
Go to your project's folder in terminal (this one which contains .xcodeproj) and run the next command:
xcodebuild PROVISIONING_PROFILE=<YOUR-PROFILE-IDENTIFIER>
That would make a build and store its results in build directory.
You may also specify configuration which should be used, base sdk, target and a lot of different parameters.