Can you share data across provisioning profiles using the keychain? - ios

I want to share application data between two developer profiles. Is this possible to do with keychain access?
From reading the documentation it sounds like you are restricted to the identifier preceding the application ID. E.g. GUS8339.com.company.app would restrict you to applications signed with a GUS8339 profile.

You're correct, but it's slightly more complicated:
The provisioning profiles must have the same bundle seed. This is set when you create the corresponding "app ID". An app can change app ID after you've submitted it to the App Store, but note non-wildcard app IDs must have unique bundle IDs (that is, if you've already set up a non-wildcard app ID for the app, you can only change it to use a wildcard app ID).
You have to give both apps access to the same "keychain access group". This is set in the app entitlements. I think Xcode has a working UI for editing these now. You can use a wildcard access group, but I don't think this is recommended.
The relevant portion of the provisioning profile looks something like this (open one in your favourite text editor):
<key>Entitlements</key>
<dict>
    <key>application-identifier</key>
    <string>A1B2C3D4E5.com.example.myapp</string>
    <key>aps-environment</key>
    <string>production</string>
    <key>get-task-allow</key>
    <false/>
    <key>keychain-access-groups</key>
    <array>
        <string>A1B2C3D4E5.*</string>
    </array>
</dict>
This restricts what you can put in the entitlements, but you should be able to specify something like
<key>keychain-access-groups</key>
<array>
    <string>A1B2C3D4E5.com.example.myappsuite</string>
</array>
Note that you may need to specify this to the keychain API!

Keychain access groups depend on the bundle seed ID - the value "GUS8339" that is unique to your provisioning profile. So to answer more directly, no, you can't use access groups across different provisioning profiles, as the seed ID is basically the provisioning profile ID in your example.

Related

Invalid Entitlements Xcode

I'm trying to run an app on my iPhone. I started by using "Automatic Signing", but whenever I try to run it I get the following message:
The entitlements specified in your application’s Code Signing
Entitlements file are invalid, not permitted, or do not match those
specified in your provisioning profile. (0xE8008016).
This seems weird, because Xcode should be creating the provisioning profile for me, so I don't know how I could screw up Entitlements, especially when the app doesn't need any.
I read through a couple other threads with the same issue, but none of the answers seemed to solve my problem. I also read an article from Apple about them, so I decided to do it the old fashioned way and manually create a provisioning profile. Inside the profile itself it lists the entitlements attached to that profile. I'm getting the exact same error.
<key>Entitlements</key>
<dict>
<key>keychain-access-groups</key>
<array>
<string>XXXXXXXX.*</string>
</array>
<key>get-task-allow</key>
<true/>
<key>application-identifier</key>
<string>XXXXXXXX.*</string>
<key>com.apple.developer.team-identifier</key>
<string>XXXXXXXX</string>
</dict>
I also looked at the entitlements file within the app, it's just the default with no entitlements.
Has anyone encountered this or have an idea of what might be happening?
Perhaps this can help. My problem was because I recently switched teams, and this file:
/ios/Encargo.xcodeproj/project.pbxproj
had a conflict with different DevelopmentTeam id. I fixed it by updating them manually to the current team. Hope it helps.
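The two threads above turn on the same mechanical check: the entitlements an app is signed with must be covered by the entitlements in its provisioning profile, and the keychain-access-groups entry is prefixed by the bundle seed (Team ID), so two profiles from different teams can never share a group. The script below is an added example, not code from either question or answer. It pulls the Entitlements dictionary out of a .mobileprovision blob, validates a set of app entitlements against it the way the signing step does (the failure mode behind 0xE8008016), and answers the first question directly: whether two profiles can share a given keychain access group. The sample profile bytes, team ID A1B2C3D4E5 and bundle IDs are constructed for the example; the wildcard rules implemented are the simple prefix match the profiles on this page use.

```python
import plistlib
from typing import Dict, List

# Constructed sample. A real .mobileprovision is a DER-encoded CMS signature
# whose signed payload is this XML plist; the filler bytes below stand in for
# the CMS framing. The XML is embedded verbatim in the real file as well, so
# slicing from "<?xml" to "</plist>" works there too (on macOS,
# `security cms -D -i profile.mobileprovision` does the same job properly).
_PROFILE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Name</key><string>Example Development Profile</string>
    <key>TeamIdentifier</key><array><string>A1B2C3D4E5</string></array>
    <key>Entitlements</key>
    <dict>
        <key>application-identifier</key><string>A1B2C3D4E5.com.example.*</string>
        <key>com.apple.developer.team-identifier</key><string>A1B2C3D4E5</string>
        <key>get-task-allow</key><true/>
        <key>keychain-access-groups</key>
        <array><string>A1B2C3D4E5.*</string></array>
    </dict>
</dict>
</plist>
"""
SAMPLE_PROFILE = b"0\x82\x0c\x00-fake-cms-header-" + _PROFILE_XML + b"-fake-cms-signature-"


def profile_entitlements(blob: bytes) -> Dict:
    """Return the Entitlements dict embedded in a .mobileprovision blob."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no embedded XML plist found in profile")
    profile = plistlib.loads(blob[start:end + len(b"</plist>")])
    return profile["Entitlements"]


def bundle_seed(entitlements: Dict) -> str:
    """The bundle seed (Team ID prefix) is everything before the first dot."""
    return entitlements["application-identifier"].split(".", 1)[0]


def matches(pattern: str, value: str) -> bool:
    """Profile wildcard match: a trailing '*' matches any remainder, otherwise exact."""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def validate_app_entitlements(app: Dict, profile: Dict) -> List[str]:
    """List the mismatches that would make signing fail with 0xE8008016.

    Covers the keys that appear on this page; keys the app does not
    request are not compared.
    """
    problems: List[str] = []
    prof_app_id = profile["application-identifier"]
    app_id = app.get("application-identifier")
    if app_id is None or not matches(prof_app_id, app_id):
        problems.append(f"application-identifier {app_id!r} not covered by {prof_app_id!r}")
    team = app.get("com.apple.developer.team-identifier")
    if team is not None and team != profile.get("com.apple.developer.team-identifier"):
        problems.append(f"team-identifier {team!r} differs from the profile's team")
    allowed_groups = profile.get("keychain-access-groups", [])
    for group in app.get("keychain-access-groups", []):
        if not any(matches(p, group) for p in allowed_groups):
            problems.append(f"keychain-access-group {group!r} not permitted by profile")
    for key in ("get-task-allow", "aps-environment"):
        if key in app and app[key] != profile.get(key):
            problems.append(f"{key}: app has {app[key]!r}, profile has {profile.get(key)!r}")
    return problems


def can_share_keychain(profile_a: Dict, profile_b: Dict, group: str) -> bool:
    """Two apps can share `group` only if both profiles carry the same bundle
    seed and both profiles permit that group."""
    if bundle_seed(profile_a) != bundle_seed(profile_b):
        return False
    return all(any(matches(p, group) for p in prof.get("keychain-access-groups", []))
               for prof in (profile_a, profile_b))


if __name__ == "__main__":
    ents = profile_entitlements(SAMPLE_PROFILE)
    print("bundle seed:", bundle_seed(ents))
    app = {"application-identifier": "A1B2C3D4E5.com.example.myapp",
           "keychain-access-groups": ["F6G7H8I9J0.com.example.suite"]}
    for p in validate_app_entitlements(app, ents):
        print("mismatch:", p)
```

Point it at a real profile by reading the file into `profile_entitlements`; the app side of the comparison is what `codesign -d --entitlements :- MyApp.app` prints on macOS.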

iOS install in-house app wirelessly

Need some help to understand terminology and the process correctly.
I have an iOS app that I want to install on my devices for testing. So far I was able to install the app on my devices only through iTunes (with an archived .ipa file), plugging the device into my Mac.
My iOS developer program is not Enterprise, it's the regular Developer Program (the $99 one).
Can I use over-the-air installation in my case? http://help.apple.com/deployment/ios/#/apda0e3426d7
My app is built with a "Development" provisioning profile and not an "In House" provisioning profile. The documentation says it must be built with an in-house provisioning profile. I don't have an in-house option in my Developer Program interface.
What other wireless, web based installation options can i provide my users?
The difference between signing with an Enterprise account in-house distribution profile and one from a regular account is that the former allows any iOS device to install the .ipa, and the latter one allows only devices listed in the profile to install it.
Without an enterprise account, this means that you need to obtain the deviceID from the devices first, create a provisioning profile that contains all those IDs and use that profile for an OTA-build (OTA = over the air).
But before you do, just try out the next steps with your own device (which for sure is listed, as you use it to build on from Xcode). The next steps are error-prone enough even without trying multiple devices:
To create an OTA-build you need to do the following:
create a .ipa for in-house distribution (this will make sure the profile is included into the package, which allows listed devices to actually install it)
create a .plist file with information about the app and a URL to the .ipa file (see below). The link to the .ipa contained in it needs to be HTTPS.
create an .html file with a specially formatted link (also needs to be HTTPS) to that .plist file:
<a href="itms-services://?action=download-manifest&url=https://linkToyour/plistFile.plist">Download My App</a>
If you browse on your iOS device to that webpage, you should be able to install the .ipa file. Make sure that you have your device connected to your machine with Xcode's devices pane open. This will allow you to look at the system output in the console when things don't work (the alerts on your iOS device usually are not helpful).
Note that another, way more convenient way is to setup an Xcode bot. Maybe you can do this from one machine, but I did this using an old MacBook I still had. Download Xcode Server (for free) by using the redemption code from the developer portal. Enable Xcode server, then setup a bot from your local machine. This is by far the most convenient way.
Here is a template of the .plist file that you need to make:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>items</key>
    <array>
        <dict>
            <key>assets</key>
            <array>
                <dict>
                    <key>kind</key>
                    <string>software-package</string>
                    <key>url</key>
                    <string>https://yourWebSite.com/youripaFileName.ipa</string> <!-- change this; must be HTTPS -->
                </dict>
            </array>
            <key>metadata</key>
            <dict>
                <key>bundle-identifier</key>
                <string>yourBundleID</string> <!-- change this -->
                <key>bundle-version</key>
                <string>yourApplicationVersion</string> <!-- change this -->
                <key>kind</key>
                <string>software</string>
                <key>title</key>
                <string>yourAlertTitle</string> <!-- change this -->
            </dict>
        </dict>
    </array>
</dict>
</plist>
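The answer above describes three artefacts (the .ipa, the manifest .plist and the itms-services link) and one hard requirement, that both URLs be HTTPS. The script below is an added example, not code from the answer, that produces the manifest from plistlib instead of hand-editing the template, percent-encodes the manifest URL into the itms-services link, and re-checks a manifest for the omissions that otherwise surface only as an unhelpful "cannot download" alert on the device. The hostnames, bundle ID and version are placeholders constructed for the example.

```python
import plistlib
from html import escape
from typing import List
from urllib.parse import quote, urlparse


def _is_https(url: str) -> bool:
    return urlparse(url).scheme == "https"


def build_manifest(ipa_url: str, bundle_id: str, version: str, title: str,
                   strict: bool = True) -> bytes:
    """Serialise the manifest plist iOS fetches from an itms-services link.

    With strict=True a non-HTTPS package URL is rejected here rather than
    by the device, which reports the failure far less clearly.
    """
    if strict and not _is_https(ipa_url):
        raise ValueError(f"software-package URL must use https: {ipa_url}")
    manifest = {"items": [{
        "assets": [{"kind": "software-package", "url": ipa_url}],
        "metadata": {
            "bundle-identifier": bundle_id,  # must match CFBundleIdentifier in the .ipa
            "bundle-version": version,       # the app's version string
            "kind": "software",
            "title": title,                  # shown in the install prompt
        },
    }]}
    return plistlib.dumps(manifest, fmt=plistlib.FMT_XML)


def itms_services_link(manifest_url: str) -> str:
    """Build the href for the install page. The manifest URL travels inside a
    query parameter, so it is percent-encoded in full."""
    if not _is_https(manifest_url):
        raise ValueError(f"manifest URL must use https: {manifest_url}")
    return "itms-services://?action=download-manifest&url=" + quote(manifest_url, safe="")


def install_page_html(manifest_url: str, label: str = "Download My App") -> str:
    """The minimal anchor the answer describes, with the href HTML-escaped."""
    href = itms_services_link(manifest_url)
    return f'<a href="{escape(href, quote=True)}">{escape(label)}</a>'


def check_manifest(blob: bytes) -> List[str]:
    """Re-parse a manifest and report what would make the install fail."""
    problems: List[str] = []
    try:
        doc = plistlib.loads(blob)
    except Exception as exc:  # malformed XML, not a plist at all, ...
        return [f"not a valid plist: {exc}"]
    items = doc.get("items") if isinstance(doc, dict) else None
    if not items:
        return ["manifest has no items"]
    for i, item in enumerate(items):
        meta = item.get("metadata", {})
        for key in ("bundle-identifier", "bundle-version", "kind", "title"):
            if not meta.get(key):
                problems.append(f"item {i}: metadata.{key} is missing")
        if meta.get("kind") not in (None, "software"):
            problems.append(f"item {i}: metadata.kind should be 'software'")
        packages = [a for a in item.get("assets", []) if a.get("kind") == "software-package"]
        if len(packages) != 1:
            problems.append(f"item {i}: expected exactly one software-package asset")
        for asset in packages:
            if not _is_https(asset.get("url", "")):
                problems.append(f"item {i}: software-package url is not https")
    return problems


if __name__ == "__main__":
    manifest = build_manifest("https://example.com/ota/MyApp.ipa",
                              "com.example.myapp", "1.0.3", "My App")
    print(manifest.decode())
    print(install_page_html("https://example.com/ota/manifest.plist"))
    print("problems:", check_manifest(manifest))
```

Write the bytes from `build_manifest` to the manifest.plist on the HTTPS host, put `install_page_html` output in the page, and run `check_manifest` over whatever is actually served before testing on a device.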
Clean the build folder. Go to the Product menu and select Archive from the submenu. Let the archiving process complete. Once it has completed, select the Export option from the screen menu.
Select the "Save for Development Deployment" method to export the .ipa file.
Choose your provisioning profile and the account that was used when you created the provisioning profile.
Choose the "Export one app for all compatible devices" option.
In the summary screen verify that the correct provisioning profile and entitlements have been added to the archived file. Click Next.
Finally save the .ipa file to the desktop or any other folder where you need it.
Upload the .ipa file to https://www.diawi.com/ and get the installation link

Keychain access and wildcard signing between developer accounts

I have a bit of an unusual problem. I have a client who is using keychain access to store login credentials for their iOS apps. When I re-sign one of their apps to my provisioning profile (on my own developer account) it breaks keychain access, which is what I'd expect.
I was wondering if there is a way for me to re-sign their app with my own wildcard provisioning profile and still allow keychain access. I get that it would be easier to just have them add a few of my devices to their portal, so I wouldn't need to re-sign, but they have already used all 100 slots.
I assume that I'll need a custom entitlements file, but I'm not totally sure what changes to make.
Thanks for any help you can give me!
-Jason
Access to keychain elements is restricted by the Team ID. This is a 10-character string that can be found on the Member Center here https://developer.apple.com/membercenter/index.action#accountSummary. If you look at the provisioning profile in a text editor you will see an element like this
<key>keychain-access-groups</key>
<array>
<string>XXXXXXXXXX.*</string>
</array>
The XXXXXXXXXX corresponds to your Team ID. If the app is trying to store anything into the keychain with a different prefix, it will not work.

iOS Keychain disable sharing data

It seems to be a big feature to share data between different apps through the iOS Keychain, but how can I avoid the sharing between apps? I can't find anything for that case in the Apple documentation.
I know that the access-group and therefore the access of the keychain for an app is defined through the provisioning profile with the parameter keychain-access-groups.
<key>Entitlements</key>
<dict>
<key>application-identifier</key>
...
<key>keychain-access-groups</key>
<array>
<string>XXXXXXXXXX.*</string>
</array>
</dict>
After Apple redesigned their developer page it is no longer possible to create different App Prefix IDs, which define the keychain-access-groups. I hope someone can give me a hint on how to prevent the sharing of the keychain for different apps with the same code base.
Additional Note:
It is not possible to save the data with different keys.
Update:
I found an attribute that sets the keychain-access-group at runtime, kSecAttrAccessGroup; I think this should help to fix the problem.
You misunderstood what share means here, which is you can opt to share with different apps produced by you and accepted by Apple. Arbitrary apps cannot access your app's keychain data.

How can I code sign an iOS .xarchive so a client can resign properly? (using push notifications)

I need to create an iOS .xarchive file using a developer profile, that a client can resign using their distribution profile(s).
(I have read this but it didn't have any real solutions: How can I send iOS app to client, for them to code-sign)
The client doesn't want to share their private keys, nor give me access above 'Developer' in the member center. And we don't want to share our source code.
We need to support push notifications, so this means we need a fully qualified app id.
I cannot figure out a way that allows me to build and export an .xarchive signed with 'aps production', 'get-task-allow' as false, BUT ALSO using the certificate that matches the clients distribution certificate.
This feels like a bug in Xcode, shouldn't the changes to 'aps production' and 'get-task-allow' be tied to the configuration, not the type of provisioning profile? I am using 'Release', but with my developer profile.
Am I missing something, or is this just not possible?
I figured out the answer to this question through trial and error. Even though tech notes and most web resources say you don't need an entitlements.plist if you are using Xcode 4+, there are certain cases where you do. Two cases are represented by my question above:
building Release configuration (i.e.: Archive), but signing with a Developer provisioning profile
using push notifications
My final custom entitlements.plist has 3 values:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>get-task-allow</key>
<false/>
<key>aps-environment</key>
<string>production</string>
<key>keychain-access-groups</key>
<array>
<string>L23874DF.com.your.appid</string>
</array>
</dict>
</plist>
Once I had that in my entitlements.plist, I built with the developer provisioning profile for this app id. Then I archived it, and exported the archive from the organizer. Once exported, I sent it to my client. The client was able to resign the archive with an ad hoc profile, and send me back an IPA file, which I loaded onto my device. I also successfully received a push notification from Urban Airship to this IPA!