Develop Reference

How to build and sign an iOS app on separate machines?

We have an iOS app which is built using a series of Bash scripts run by Jenkins. As things are today, we build an xcarchive using this command:
xcodebuild archive -workspace "..." -scheme "..." -configuration "Release" -archivePath "..."
This builds the app and signs it using the certs specified in the provisioning profile which is set using an xcconfig. Once it is complete, we then turn it into an IPA using:
xcodebuild -archivePath "..." -exportArchive -exportOptionsPlist "${export_options_plist}" -exportPath "..."
This IPA can then be uploaded to Hockey or to the App store depending on the xcconfig we use (we swap them out to create different builds).
We now want to make sure our certificates are kept safe as much as possible. This means we want to perform the build on one machine, but the signing on another. In order to do that, we need to do this:
Create an unsigned xcarchive
Transfer the xcarchive to the signing machine
Turn the xcarchive into a signed IPA
Step 2 can be ignored for now though, so lets just focus on steps #1 and #3.
Creating the unsigned xcarchive can be done by adding the arguments CODE_SIGN_IDENTITY="" CODE_SIGNING_REQUIRED=NO to the archive command.
Signing the IPA is much trickier though. We assumed we could just create the IPA again and use the codesign command to sign the binary in the IPA. This had a couple of problems though. The first is that the .entitlements file we had for the app wasn't respected. We had to pass this as a flag to the signing command. Then we realised that we had to correct all the variables in the .entitlements file since Xcode was no longer replacing them with the correct values. Then we realised that we had to do this for each extension we had.
We finally got this all working, with the correct entitlements, replacing the variables and everything was signed, but when I tried uploading the new signed IPA to Hockey it rejected it. The error message wasn't helpful either.
We diff'ed a build with the previous system with the new system and each binary was different. We're not sure if this is a codesigning issue, or just a timestamp change, but there are changes. Furthermore, we discovered that my extensions are all missing archived-expanded-entitlements.xcent files, plus possibly more issues.
It definitely seems like we are going about this the wrong way. We clearly shouldn't have to re-do everything just to sign on a different machine, so where are we going wrong? How are we supposed to build on one machine and sign on another?
P.S. Our current tools use xcodebuild directly, but we have support for fastlane for other parts of our build process, so we are happy to use it if needed.
Update: We have a "solution" to this which is to sign the Release builds with a dev cert, then resign them using the distribution one. This solves all the problems with entitlements being populated etc. but still requires each binary to be resigned and entitlements combined, etc. so I'm curious if there is a better solution.

Please follow the steps to create an unsigned xcarchive
Set ‘Code Signing Identity’ = ‘Don’t Code Sign’
• Select Targets (‘’) -> Build Settings and find the ‘Signing’ section.
• Set ‘Code Signing Identity’ = ‘Don’t Code Sign’
Set Bundle Identifier = ‘’
Set Version = 1.0 //That you need to send
Set Build = 5 //That you need to send
Remove ‘Automatically manage singing’ flag.
Open the terminal and go to the project root folder. Then run the following command.
xcodebuild -workspace <ProjectName>.xcworkspace -scheme <ProjectName> -configuration Release clean archive -archivePath buildArchive/<ProjectName>.xcarchive CODE_SIGN_IDENTITY="" CODE_SIGNING_REQUIRED=NO
After successfully completing, it will create a new ‘buildArchive’ folder and inside that a ‘.xcarchive’ file.
You can Zip that ‘.xcarchive’ file and transfer the xcarchive to the signing machine.

We worked on this for several weeks along with other teams in the company. All of us came to the same conclusion, there is no better option than signing with a dev cert and then re-signing each and every binary with the prod cert afterwards. It's not a straight forward process, but that's what we have been left with.

This might work for you I think
Create an unsigned IPA on your build machine.
Have a script in the build machine that transfers the IPA to your
signing machine.
Use the FloatSign script on the signing machine to resign the
IPA.

Manual signing fails for xcode test with embedded library. Can it be decomposed?

I'm trying to run Facebook's WebDriverAgent, for testing on real devices: https://github.com/facebook/WebDriverAgent.
Our admin isn't a fan of Apple's automatic signing, so we're trying manual. When I put
xcodebuild -project WebDriverAgent.xcodeproj -scheme WebDriverAgentRunner -destination id='4xxx9' test DEVELOPMENT_TEAM=xxxx PROVISIONING_PROFILE=xxxxx
it says
Testing failed:
WebDriverAgentLib has conflicting provisioning settings. WebDriverAgentLib is automatically signed, but provisioning profile xxxx has been manually specified. Set the provisioning profile value to "Automatic" in the build settings editor, or switch to manual signing in the project editor.
I set manual signing on everything (in xcode), and try again:
xcodebuild -project WebDriverAgent.xcodeproj -scheme WebDriverAgentRunner -destination id='4xxx9' test DEVELOPMENT_TEAM=xxxx PROVISIONING_PROFILE=xxxxx
Testing failed:
WebDriverAgentLib does not support provisioning profiles. WebDriverAgentLib does not support provisioning profiles, but provisioning profile xxxx has been manually specified. Set the provisioning profile value to "Automatic" in the build settings editor.
It seems I need to decompose the 'test' action to build the library without the profile, but everything else with the profile, and then trigger testing.
Can this 'xcodebuild test' command be rewritten as several commands to effect such a build/test? I need a command-line solution because this is part of a continuous integration.
Thanks in advance!

This happened to me using manual signing and including Cocoapods dependencies. This is possibly a known issue with Cocoapods (https://github.com/CocoaPods/CocoaPods/pull/6964). Their workaround is to specify setting PROVISIONING_PROFILE_SPECIFIER to '' in the Podfile's post_install hook, but this didn't work for us because we commit our Pods, so the post_install hook doesn't run when we build.
However, in addition to passing the option PROVISIONING_PROFILE_SPECIFIER=xxxxx to xcodebuild, we were able to build by setting the following options in Pods.xcodeproj/project.pbxproj for each target/build configuration:
CODE_SIGNING_ALLOWED = NO;
CODE_SIGNING_REQUIRED = NO;
PROVISIONING_PROFILE = '';
PROVISIONING_PROFILE_SPECIFIER = '';
I am not primarily an iOS developer by trade, but from my understanding, PROVISIONING_PROFILE is deprecated and specifying both CODE_SIGNING_ALLOWED and CODE_SIGNING_REQUIRED may be redundant, but we do it anyway at the moment in our project.

Try using PROVISIONING_PROFILE_SPECIFIER=xxxxx instead of setting PROVISIONING_PROFILE, which is deprecated starting with Xcode8.
If the error then still occurs, try to set neither DEVELOPMENT_TEAM nor PROVISIONING_PROFILE_SPECIFIER, as these codesigning related buildsettings are only relevant, if you are actually building an app (but you are only executing an xcodebuild test on an already build app bundle).
If you want to build and test the app with one call of xcodebuild, you are encouraged to do a xcodebuild ... clean build test
EDIT
After taking a look at the WebDriverAgent project, the problem is related to the WebDriverAgentLib being a Dynamic Framework and a Target-Dependency of the WebDriverAgentRunner-Bundle. Dynamic Frameworks don't like codesigning during the build phase in Xcode8 at all (they now should be codesigned on the fly when being copied into the build product). With specifying code signing related build settings on the command line (DEVELOPMENT_TEAM etc.), Xcode8 will complain about this for Dynamic Framework targets and fail the build.
Solution 1: remove all codesigning related build settings from your xcodebuild call (PROVISIONING_PROFILE_SPECIFIER, PROVISIONING_PROFILE, DEVELOPMENT_TEAM, CODE_SIGN_IDENTITY) and just set these for the WebDriverAgentRunner-Target (either in the Xcode UI or via Command-Line with plistbuddy on the project.pbxproj).
Solution 2: don't test on a real device and instead just on the Simulator. As there is no need to codesign an Executable and/or Test-Bundle for Simulators, you can safely omit any codesigning related parameters from your xcodebuild call.
Solution 3: just stick with Automatic CodeSigning and assure that there a is valid login for the proper Developer Account in the build machine's Xcode.

I had this error and https://stackoverflow.com/a/39923121/713391 suggested i check "Enable Automatic Signing" then click cancel without doing anything, which did fix it. A code diff showed the change was to add
ALWAYS_EMBED_SWIFT_STANDARD_LIBRARIES = YES;
or in Xcode it's called Always Embed Swift Standard Libraries

ERROR ITMS-90046 using xctool / xcodebuild vs XCode Archive's success

I've got a command line script I use to compile, archive and submit my ios builds to ITC for TestFlight deployment. They work great, but I recently ran into an issue when trying to use an embedded framework within my otherwise working project. My script compiles and archives the project successfully but is getting ITC signing errors because of the embedded binary conflict.
xctool -workspace $BASE_DIR/$PROJECT_NAME -scheme $SCHEME -configuration $CONFIG clean archive -archivePath ./$PRODUCT_NAME.xcarchive
xcodebuild -exportArchive -archivePath ./$PRODUCT_NAME.xcarchive -exportPath $PRODUCT_NAME -exportFormat ipa -exportProvisioningProfile "$DIST_PROVISIONING_PROFILE_NAME"
# result is successful, with .ipa file generated
After a successful compilation my script tries to upload to ITC, and fails with the below msg. I get the same message if I try to upload the generated IPA file to ITC myself using Application Loader tool.
ERROR ITMS-90046: "Invalid Code Signing Entitlements. Your application
bundle's signature contains code signing entitlements that are not
supported on iOS. Specifically, value 'XXXXXXXXX.com.domain.Product'
for key 'application-identifier' in
'Payload/Product.app/Frameworks/Charts.framework/Charts' is not
supported. This value should be a string starting with your TEAMID,
followed by a dot '.', followed by the bundle identifier.
There is no application-identifier string used in my project or settings that I can find with a global search.
Extra Info
com.domain.Product would be my project's main bundleIdentifier, which has a distribution certificate and provisioning profile generated for it. Without the embedded binary that works just fine. The "Charts" embedded project has a bundleIdentifier but the team is set to "None" in the Info tab, and signing is set to Automatic. Since it is an embedded binary/framework, I'm assuming it doesn't independently sign it. When using Xcode's Archive, it is listed as a subset of the main Project with no independent identifier or entitlements.
I have also tried creating an independent appId and distribution provisioning profile for the embedded binary called "com.domain.ProductCharts" and setup the project correctly. This does not change the error.
I have further tried setting the embedded binary's project to use the same bundleIdentier and settings as the parent Project, but this does not change the error.
Why is xctool/xcodebuild unable to properly compile and sign this to get through to ITC, while the native Archiver can?

Currently, I encountered what I think is a bug in xcodebuild command similar to this, way I fixed it for me was to setup provisioning profile in the project settings. Try updating your project and run build again.
The investigation into the issue was here: https://forums.developer.apple.com/thread/14378
But others reported problem with associated domains:
SO question: Apple Store submit fails with Error ITMS-90046, but Associated Domains is not among entitlements
What is your OS, XCode ... etc?

Just a guess: Maybe you need to specify an application-identifier in your Entitlements.plist if you use the command line. Here https://developer.apple.com/library/ios/qa/qa1710/_index.html it is stated that in "In modern versions of Xcode.."
You said:
They work great, but I recently ran into an issue...
Have you created a new profile meanwhile and now there are two? Or two certificates? Here is a description on how to check your entitlements. Maybe this helps.

Creating .entitlements for the embedded framework will solve the issue only in Xcode 7.x. In the version 8.x the issue still exists.

xcodebuild command failing on codesign but logs show incorrect profile uuid being used

I try to run this:
xcodebuild -scheme "MobileRenderStress.iOS" -destination "generic/platform=iOS" archive -archivePath /Applications/buildAgent/work/builds/MobileRenderStress-iOS.xcarchive
Which results in this:
<Many lines of irrelevant log that ends with...>
Signing Identity: "iPhone Developer: DK (RYQ82Z5555)"
Provisioning Profile: "iOSTeam Provisioning Profile: com.company.*"
(0b51596e-46c1-456a-a7bc-911858ad275a)
/usr/bin/codesign --force --sign A72FD8239B6355AE7DECC865F1A13226450F76C --entitlements /Users/builder/Library/Developer/Xcode/DerivedData/Technology-ajtzoltdytdzndgefjzzhzhiufjx/Build/Intermediates/ArchiveIntermediates/MobileRenderStress.iOS/IntermediateBuildFilesPath/MobileRenderStress.iOS.build/Debug-iphoneos/MobileRenderStress.iOS.build/MobileRenderStress.iOS.app.xcent /Users/builder/Library/Developer/Xcode/DerivedData/Technology-ajtzoltdytdzndgefjzzhzhiufjx/Build/Intermediates/ArchiveIntermediates/MobileRenderStress.iOS/InstallationBuildProductsLocation/Applications/MobileRenderStress.iOS.app
/Users/builder/Library/Developer/Xcode/DerivedData/Technology-ajtzoltdytdzndgefjzzhzhiufjx/Build/Intermediates/ArchiveIntermediates/MobileRenderStress.iOS/InstallationBuildProductsLocation/Applications/MobileRenderStress.iOS.app: User interaction is not allowed.
Command /usr/bin/codesign failed with exit code 1
** ARCHIVE FAILED **
The following build commands failed:
CodeSign /Users/builder/Library/Developer/Xcode/DerivedData/Technology-ajtzoltdytdzndgefjzzhzhiufjx/Build/Intermediates/ArchiveIntermediates/MobileRenderStress.iOS/InstallationBuildProductsLocation/Applications/MobileRenderStress.iOS.app
(1 failure)
I've been running xcodebuild commands both for building and archiving (in this example I am archiving) but I am receiving codesign errors. The confusion comes especially from the fact that the logs indicate exactly which provisioning profile ID it's trying to use (and successfully finds) but the command line for "codesign" is indicating a different ID. Even if I specify the profile in the xcodebuild command, it still ends up trying to use this different, non-existent ID in the codesign line.
Has anyone come across this before and know where that ID is even coming from? I grep'd my entire project and it's nowhere to be found. It's kinda creepy, really.
Important Notes:
When I update the provisioning profile to get the ID to change, the xcodebuild command STILL tries to use the A72 ID at the codesign line. It's really frustrating!
I do see the part of the log that indicates "User interaction is not allowed." Although this doesn't relate to the issue, do know that it's using the --force command in the line which should bypass that error and also the provisioning profile's signing keys are all fully permissive, which is the other workaround for that kind of issue.

The issue is caused by "User interaction is not allowed." this is because it needs a code signing prompt to be accepted which cannot happen from command line until the keychain has been unlocked.
security unlock-keychain -p YOUR_PASSWORD ~/Library/Keychains/login.keychain
Also you might want to do it directly in xcode and check it works on the machine.

building xcode project from jenkins fails. when building in command line runs just fine. why?

building xcode project from jenkins fails.
when building in command line runs just fine.
why?
this is is the error I get:
[BEROR]Code Sign error: No matching provisioning profile found: Your build settings specify a provisioning profile with the UUID “_UUID_”, however, no such provisioning profile was found.
[BEROR]CodeSign error: code signing is required for product type 'Application' in SDK 'iOS 7.1'
this is the command line used:
xcodebuild -project PROJECTNAME.xcodeproj/ -target TARGETNAME -configuration Release -sdk iphoneos7.1 clean build
ps: anything with OBJECT was censored so this question can appear online, there was real data there before.

Are you using the login key-chain or did you create a different key-chain for jenkins builds app signing?
If you are just using the login key-chain make sure you unlock the key-chain during the build.
If you are using a different key-chain make sure you swap key-chains and then unlock it.
Jenkins - Xcode build works codesign fails - this thread is quite informative.
Also adding these 2 commands to your build can help you debug it:
/usr/bin/security list-keychains
/usr/bin/security find-identity