Does enabling Keychain Sharing alter your AppID? - ios

I notice when I enable Keychain Sharing in Xcode for my iOS app Xcode says it will "Add the Keychain Sharing entitlement to your App ID", and it does appear to connect to my account because I get a popup asking which developer account to use. However on the dev portal there's no visible change to any of my App IDs, and my provisioning profile isn't invalidated like it sometimes is when I change an app's entitlements. Keychain Sharing isn't a visible option to enable/disable in the App ID, either.
Does anyone know what Xcode is doing under the covers here? The local change to the entitlements file is obvious, but I'd like to understand the App ID side of it.

Every keychain item in iOS contains an attribute called the keychain access group. An iOS app can only access those keychain items it has permission to. This permission comes from the code signing entitlements stamped into the app when it is signed.
By default, an app can only access keychain items with the keychain access group matching the application-identifier code signing entitlement. However, if a developer wants to share keychain items amongst their apps, they can add a custom keychain-access-groups code signing entitlement that specifies an array of keychain access groups that the app can access.
Normally one creates keychain items without setting the access group attribute kSecAttrAccessGroup. In that case, Keychain Services will automatically set that attribute to the default value. If there is no keychain-access-groups entitlement, the default is the value of the application-identifier entitlement. Otherwise the default is the value of the first array element in the keychain-access-groups entitlement.
When using the Xcode Capabilities editor on the target settings pane to turn on Keychain Sharing, Xcode will add the required App ID Prefix (Team ID) to the front of any listed Keychain Group items at build time. You can see that in the generated entitlements file represented by the build setting $(AppIdentifierPrefix).

Related

Entitlements.plist key/value pair for Xcode project

I have got the User Assigned Device Name additional entitlement approved for my bundle ID and now need to use this in an Xcode project. I have successfully configured this additional capability in my App ID in the developer portal, but I cannot find any way to import it in the Xcode project as highlighted in the portal:
Provisioning in Xcode with additional capabilities
In Xcode 13 and later, once the capability is enabled for your App ID, you can configure Xcode to support automatic signing.
In your app’s .entitlements file, add the assigned entitlement key and value pair.
Build your app on your device.
Xcode will detect the differences between your currently issued provisioning profile and the entitlements.plist, and request a new provisioning profile.
Problem is there is no entitlements.plist file for my target. And if I click on capabilities tab in Signing & Capabilities section, there is no key value pair to select for User Assigned Device Name. What am I supposed to do I wonder?

Keyboard Extension can no longer submit to iTunes after adding groups

I'm creating my second keyboard extension app. I've been submitting through iTunes TestFlight for testing for a couple months with no problems. But after making two changes, it no longer submits. I get the error "Failed to locate or generate matching signed assets and failed to do so because of the following issues.
"not matching provisioning profiles found for "Applications/spkapp.app/Plugins/spk.appex"
None of the valid provision profiles allowed the specified entitlements: beta-reports-active, com.apple.security.application-groups"
The two changes I've made were to the Bundle Display Name and adding the Groups entitlement. My app ids for the extension and app both have Groups activated and set to the same group.
I've tried
1) Restoring Bundle Display Name to previous name.
2) Rebuilding all profiles several dozen times
3) Creating new profiles from scratch.
4) Refreshing profiles in Xcode, even downloading them and installing new ones and deleting the old manually.
5) Cleaning/deleting derived data/restarting Xcode/rebooting OSX
6) Comparing it to my shipping keyboard that uses the Groups entitlement. Everything matches from the entitlement files to the project settings to the provisioning profiles to the App IDs settings.
I think the problem is something to do with the Groups obviously, since it's the new addition. But I did look at Technical Q&A QA1830, but it doesn't seem helpful because I have a Store provisioning profile and it was working, so the beta-reports-active flag seems like a spurious error.
Any other suggestions?
Turns out the problem was caused by adding the Groups entitlement. Xcode creates a custom app ID for your keyboard extension, with a name starting with "Xcode iOS App ID" followed by your bundle IDs. The App ID itself will be the combined bundle IDs of your app/extension, such as com.companyname.appBundleID.extensionBundleID. Its settings will match your other App IDs, including the App Group settings.
It will also create a distribution profile for this App ID, and you need this distribution profile in order to submit to the store with groups enabled. The distribution profile will be named something like "XC: com.companyname:appBundleID.extensionBundleID". If this isn't installed when you submit to the store, you will get the error that your plugin does not have a correct profile with the groups entitlement as described above.
Note: I could submit to the store with the group entitlements disabled, so it seems this profile is only needed when you have specific entitlements enabled.
In my case, I don't know if Xcode neglected to create the distribution profile, or I deleted it when trying to clean up. To fix it I just created my own distribution profile for the Xcode App ID and named it in the same way, and ensured it was installed in Xcode 6.1 (preferences: Apple ID view details: refresh button). And now my keyboard submits properly, with group entitlements active.

Keychain Code Signing Entitlements - Strange behavior, Keychain loss

I had distributed an application in the App Store with Keychain sharing enabled by adding the Keychain Entitlement file. Initially, I thought to have two applications sharing the same keychain but later I had only one application. Although keychain shared access is enabled in General capabilities in Xcode and the Entitlement file is added in code signing entitlements, I set a nil value for the access group in the KeychainItemWrapper class as illustrated below.
KeychainItemWrapper *keychainWrapper = [[KeychainItemWrapper alloc]initWithIdentifier:KEYCHAIN_IDENTIFIER_NAME accessGroup:nil];
In the next release, I removed the Keychain Entitlement file and code signing entitlement as I felt it was unnecessary, but now the application is not able to access the previous version's keychain item and returns a null value.
Please explain to me this strange behavior, as in both versions the access group is always set to nil.
Also explain the keychain structure when enabling and disabling Keychain sharing.
If a nil value is passed for KeychainBundleIdentifier then it will take the value of the Bundle Identifier; for a shared keychain the value would be the shared keychain identifier in the keychain entitlements.plist.
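The default-group rule from the first answer on this page (first entry of keychain-access-groups if present, otherwise application-identifier) accounts for the lost items in this question. As an added example, not code from any of the posts, this Python sketch resolves the default group from an entitlements plist and checks whether a new build can still read what an old build stored with accessGroup:nil; the team ID, bundle ID and group names are constructed placeholders.

```python
import plistlib

# Constructed sample entitlements; TEAMID1234 and all names are placeholders.
V1_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>application-identifier</key><string>TEAMID1234.com.example.app</string>
  <key>keychain-access-groups</key>
  <array><string>TEAMID1234.com.example.shared</string></array>
</dict></plist>"""

# Same app after the keychain-access-groups entitlement was removed.
V2_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>application-identifier</key><string>TEAMID1234.com.example.app</string>
</dict></plist>"""


def access_groups(entitlements_xml):
    """Return (default_group, readable_groups) for a signed app's entitlements."""
    ent = plistlib.loads(entitlements_xml)
    app_id = ent["application-identifier"]
    shared = ent.get("keychain-access-groups", [])
    # Default for items stored without kSecAttrAccessGroup: the first shared
    # group if the entitlement exists, otherwise the application-identifier.
    default = shared[0] if shared else app_id
    # Assumption: the app's own application-identifier group stays readable
    # alongside the listed groups (App Groups are not modelled here).
    readable = list(dict.fromkeys(shared + [app_id]))
    return default, readable


def can_read_after_update(old_xml, new_xml):
    """Can the new build read items the old build stored with accessGroup:nil?"""
    stored_in, _ = access_groups(old_xml)
    _, readable = access_groups(new_xml)
    return stored_in in readable, stored_in, readable


if __name__ == "__main__":
    ok, group, readable = can_read_after_update(V1_ENTITLEMENTS, V2_ENTITLEMENTS)
    print(f"v1 items live in {group}; v2 can read {readable}; reachable={ok}")
```

When the old default group is missing from the new build's readable list, keep the keychain-access-groups entitlement until the stored items have been migrated.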

Invalid Code Signing Entitlements, error while submitting app to apple

I am developing an app with iCloud enabled. While uploading the app to Apple I got the following error:
Invalid Code Signing Entitlements. Your application bundle's signature contains code signing entitlements that are not supported by iOS. Specifically, key `'com.apple.developer.icloud-container-identifiers' in Payload ------- not supported`
While surfing I also got some answers saying to disable iCloud, but I want to use the iCloud feature for my app, so is there any other way to overcome this problem? Please let me know.
Thanks in advance
It seems like your provisioning profile is not configured to allow iCloud entitlements. To do this, log into your dev account at http://developer.apple.com, go to the iOS Dev center, and click the link on the right for "Certificates, Identifiers, & Profiles" under the iOS Developer Program on the right. Find your app ID in the Identifiers section, and click the edit button. From there, make sure iCloud is enabled for both development and distribution.
Also, make sure your app id prefix is not using wildcards. You will not be able to use a wildcard prefix (com.example.*) when using any of the special entitlements, like iCloud, Push Notifications, etc. Once you are sure that is set up with iCloud enabled, you will need to regenerate your provisioning profile.
Click the Provisioning Profiles on the left, and find your app store provisioning profile. Click the Edit button on the profile, select the app ID that now has iCloud enabled, and click the "Generate" button to generate a new provisioning profile. Then download the provisioning profile and install it over top of the old profile. Then re-build and sign the app and try re-submitting.
Another solution relevant to people re-signing their app:
If you have iCloud features enabled the provisioning profile will contain keys like com.apple.developer.icloud-container-identifiers. If you don't filter these keys out before you pass them to codesign they will end up inside the binary, which causes this error.

Setting an Entitlements file - The executable was signed with invalid entitlements

As soon as I check "Use Entitlements File" in Xcode, I get the following error when I try to run my app on my phone:
The executable was signed with invalid entitlements.
The entitlements specified in your application’s Code Signing Entitlements
file do not match those specified in your provisioning profile.
I'm trying to get iCloud working, and it seems like I'm failing on step 1. I can run in the emulator, but not in the device I provisioned automatically through the organizer.
What am I doing incorrectly here?
First of all, you need to have specific provisioning for your App's ID, matching its bundle ID. Even if it's only for development, generic Team Provisioning cannot work to test iCloud.
If the App ID had been issued without iCloud enabled, and updated afterward, related Provisioning must be updated also.
Often, provisioning updating from Xcode's organizer fails to bring the right one. In this case, I suggest you try to download the updated provisioning directly from the iOS Developer Website.
In my case, I have added inter-app capability in my iOS project and Xcode automatically suggested to add this permission in the app ID (bundle ID) in the provisioning portal and I did so. After this I thought it was fixed since Xcode was showing tick marks for all under inter-app audio sections as follows
Add the "Inter-App-Audio" entitlement to your APP ID
Add the "Inter-App-Audio" entitlement to your entitlements file
Link AudioToolbox.framework.
Actually it was not fixed and I had to generate another distribution certificate with inter-app enabled and only when I signed with that distribution certificate I was able to install the app.
You need to have the developer certificate and private key in your keychain, and the provisioning profile that you have created must match this certificate.
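A check for the mismatch these answers describe, as an added example rather than code from the posts: it lists the entitlements in a signed app that the provisioning profile does not grant. The matching rule (exact value, or a trailing-`*` prefix) is a simplified assumption, and every identifier in the sample plists is a constructed placeholder.

```python
import plistlib

# Constructed inputs. In practice the app side comes from
# `codesign -d --entitlements :- MyApp.app` and the profile side from the
# Entitlements dict printed by `security cms -D -i embedded.mobileprovision`.
APP_ENTITLEMENTS = b"""<plist version="1.0"><dict>
  <key>application-identifier</key><string>TEAMID1234.com.example.app</string>
  <key>keychain-access-groups</key>
  <array><string>TEAMID1234.com.example.shared</string></array>
  <key>com.apple.security.application-groups</key>
  <array><string>group.com.example.shared</string></array>
  <key>com.apple.developer.icloud-container-identifiers</key>
  <array><string>iCloud.com.example.app</string></array>
</dict></plist>"""

# A wildcard profile: no App Groups or iCloud entitlements are granted.
PROFILE_ENTITLEMENTS = b"""<plist version="1.0"><dict>
  <key>application-identifier</key><string>TEAMID1234.*</string>
  <key>keychain-access-groups</key>
  <array><string>TEAMID1234.*</string></array>
  <key>get-task-allow</key><false/>
</dict></plist>"""


def _allowed(value, granted):
    """Simplified match: exact value, or a granted string ending in '*' as prefix."""
    if isinstance(granted, list):
        values = value if isinstance(value, list) else [value]
        return all(any(_allowed(v, g) for g in granted) for v in values)
    if isinstance(granted, str) and granted.endswith("*"):
        return isinstance(value, str) and value.startswith(granted[:-1])
    return value == granted


def unsupported_entitlements(app_xml, profile_xml):
    """Return {key: reason} for app entitlements the profile does not cover."""
    app, profile = plistlib.loads(app_xml), plistlib.loads(profile_xml)
    problems = {}
    for key, value in app.items():
        if key not in profile:
            problems[key] = "not in profile"
        elif not _allowed(value, profile[key]):
            problems[key] = "value not allowed by profile"
    return problems


if __name__ == "__main__":
    for key, reason in unsupported_entitlements(APP_ENTITLEMENTS, PROFILE_ENTITLEMENTS).items():
        print(f"{key}: {reason}")
```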
