I'm trying to upload my app to the App Store via Transporter App. My app is going to use iCloud to save some user data. But I'm getting this error while uploading:
ERROR ITMS-90164: "Invalid Code Signing Entitlements. The entitlements
in your app bundle signature do not match the ones that are contained
in the provisioning profile. According to the provisioning profile,
the bundle contains a key value that is not allowed:
'MY_APP_IDENTIFIRE' for the key
'com.apple.developer.ubiquity-kystore-identifier' in 'MY_APP_NAME'."
I have iCloud enabled for the appID.
I've recreated the provisioning profile.
I've rebuilt the project several times.
My Entitlements are as follows:
<key>com.apple.developer.ubiquity-container-identifiers</key>
<array>
<string>[ICLOUD_CONTAINER_IDENTIFIER]</string>
</array>
<key>com.apple.developer.ubiquity-kvstore-identifier</key>
<string>[APP_PREFIX].[BUNDLE_ID]</string>
Any help is greatly appreciated.
For anyone ending up here:
You should use TEAM_ID instead of APP_PREFIX for kvstore-identifier.
<key>com.apple.developer.ubiquity-kvstore-identifier</key>
<string>[TEAM_ID].[BUNDLE_ID]</string>
Related
I am learning to develop an Apple WatchOS App (stand alone watch app), this is my first ever app, I have written the code to access the HealthKit functionality (Read and Write, I am also able to run the app on my physical device and no errors in console when reading or writing to HealthKit).
I have created an Identifier in the Apple Developer Website and enabled HealthKit
In my app I have also enabled the HealthKit Capabilities
In my Info.plist I have added the following 2 permissions
Privacy - Health Share Usage Description
Privacy - Health Update Usage Description
However I am getting the following error when trying to publish the app to AppStore.
Please can someone guide me and tell me what I could be doing wrong here.
My Error
App Store Connect Operation Error
ERROR ITMS-90164: "Invalid Code Signing Entitlements. The entitlements in your app bundle signature do not match the ones that are contained in the provisioning profile. According to the provisioning profile, the bundle contains a key value that is not allowed: '[ ]' for the key 'com.apple.developer.healthkit.access' in 'Payload/app name.app/Watch/app name WatchKit App.app/PlugIns/app name WatchKit Extension.appex/app name WatchKit Extension'."
I have tried to run Product->Clean etc however no luck
Thank you
I have an iPhone app that uses the keychain for authentication-related storage.
I also had an expiring Provisioning Profile.
In the documentation for keychain access it states:
On iPhone, Keychain rights depend on the provisioning profile used to
sign your application. Be sure to consistently use the same
provisioning profile across different versions of your application.
Because my Provisioning Profile was expiring, I renewed it (in the provisioning portal), downloaded it, and double-clicked it which "installed" it into XCode's organizer.
After submitting an update to the app to the app store, I'm basically seeing an empty keychain (user's are being asked to log in again).
My question is: does renewing the provisioning profile used to sign an app affect keychain access when the renewed profile is used to submit an update to the app? The docs just say to use "the same provisioning profile", but is unclear about whether a renewed profile counts as a different profile (as my experience described above suggests).
What gives?
Update
Solved with help from tc's answer. Looking at the embedded.mobileprovision file in each of the .ipas submitted to apple revealed that an expiring certificate and provisioning profile were used to sign version x of the app, and a different certificate and provisioning profile was used to sign version x+1 of the app (culprit: "Automatic Profile Selector" feature of XCode for the Code Signing Identity).
The 1st certificate and profile were leftover from when a developer used a different iOS Developer Program account to develop an unrelated app (on the same machine, with the same OSX user). Provisioning profiles across multiple iOS developer program accounts are apparently all stored together in ~/Library/MobileDevice/Provisioning Profiles, so they are all candidates for XCode's automatic profile selection feature.
I changed the code signing identity by selecting a totally different distribution profile that I mistook as a renewed/valid version of the expiring distribution profile, and submitted an update. Same app, different cert, different provisioning profile == empty keychain. D'OH.
The keychains you're allowed to use is determined by keychain-access-groups in the entitlements, which is limited to a subset of the keychain-access-groups in the provisioning profile, which is determined by the "bundle seed"/"prefix"/ (ApplicationIdentifierPrefix in the provisioning profile), set in the "App ID".
Assuming you've kept the old submitted app (or have the .ipa from iTunes, which is just a zip), look at embedded.mobileprovision in both the old and new apps (less Foo.app/embedded.mobileprovision in a terminal should do the trick, or you can open it in a text editor although sometimes they'll pick the wrong line endings). You're looking for something like this (you may see extra keys for push/iCloud):
<key>Entitlements</key>
<dict>
<key>application-identifier</key>
<string>A1B2C3D4E5.com.example.MyApp</string>
<key>get-task-allow</key>
<false/>
<key>keychain-access-groups</key>
<array>
<string>A1B2C3D4E5.*</string>
</array>
</dict>
You can also view the actual entitlements your app was signed with:
codesign -d --entitlements - Foo.app/Foo | vis
IIRC the keychain access groups default to e.g. A1B2C3D4E5.com.example.MyApp, but you can set this to anything you want provided it matches A1B2C3D4E5.* (Xcode 4 even has a nice GUI entitlements editor). If the bundle prefix is different, that'll cause the problem you're seeing. I think you can change it back provided you haven't enabled push/Game Center/etc.
As long as your app's bundle id doesn't change there won't be any issue with the keychain.
Considering that we all have to renew our certificates and distribution profiles every year, it would be chaos if doing so broke the keychain access for our apps.
I have one app that's been in the App Store for over 4 years. It uses the keychain. It has been updated several times over the years, many times with an updated provisioning profile. There have been no keychain issues.
For anyone else searching, I had a different issue. The manual steps I followed to resign the ipa resulted in it having no entitlements, which means no keychain access. So I created a script to resign the ipa but keeping the entitlements from the original. I posted it at http://baltaks.com/2013/08/resigning-enterprise-ios-apps and will keep that updated if required.
I archived my app and then put it through validation. a window came up titled "Choose an application record and an Identity to sign with" and then a yellow triangle and the message "No identities are available for signing" was displayed and options for Downloading Identities and Import Developer Profile.
I chose Download Identities and received the message after it logged into my IOS Dev Center account "An administrator must request identities before they can be Downloaded".
codesigning error warnig http://imageshack.us/a/img824/4080/validate2.gif
I then chose the "Import Developer Profile" and it and was also unsuccessful.
I checked the code signing and got noticed the error warning no profiles currently match and that and that the application identifier com.jarrahbridges...... profile doesnt match application identifier com.jarrahBridges........
In organiser my provisioning profiles state they are Valid Profiles all my certificates in my key chain (numbering 6) are all valid.
Any direction on this would be most appreciated
I was having the same problem and the problem was my Distribution Certificate was created it on another Mac. Here are more details:
http://spacetech.dk/ios-development-error-no-identities-are-available-for-signing.html
Create AppStore provision profile at the Developer Portal, then update xCode profiles (xCode -> Preferences... -> Accounts).
Create an achieve and press "Validate"
You now are able to validate the archive agains you Distribution Certificate and AppStore Provision profile
Don't know is it a bug or feature, though.
Try following these instructions. Basically there are multiple places where you have to tell Xcode what your bundle identifier is and what the provisioning profile is. I can't believe this stuff is totally overlooked in the iOS Developer Distribution Guide by Apple.
http://anthonytietjen.blogspot.com/2012/08/overcoming-trouble-validating-your.html
Also, go into Build Settings for your project and go to Code Signing. Make sure the Code Signing Identities are all set to the iDevice Distribution App ID you created in iTunes Connect as well as the Provisioning Profile set to the Provisioning Profile you painstakingly created in the iOS Development Center as well (that Ad Hoc provisioning profile file you created and downloaded into Xcode.)
Apple was great at walking you through creating the Distribution Certificate and Ad Hoc Provisioning Profile, but when it comes down to getting things bundled up in Xcode, they left a lot out.
https://developer.apple.com/library/IOs/documentation/IDEs/Conceptual/AppDistributionGuide/Introduction/Introduction.html#//apple_ref/doc/uid/TP40012582-CH1-SW1
I would say that if you still can't get it working with an Ad Hoc provisioning profile, try generating an App Store Distribution Provisioning Profile within the "Certificates, Identifiers, and Profiles" portion of the Development center , import it into Xcode (by refreshing the provisioning profile list under Xcode->preferences->accounts->details->refresh button) and go through the validation process of your archive again. I'm not sure if it's because Xcode can't validate an Archive with an Ad Hoc profile or what, but it seems to pick up the Distribution Provisioning Profile just fine and allows you to validate. Don't worry, even if you don't validate the archive with the Ad Hoc provisioning profile, you can still create the .ipa for your archive by hitting the Distribute button in Organizer->Archives and choosing the Ad Hoc profile so that you can beta test it.
I'm getting this message when I try to run on my device:
A valid provisioning profile matching the application's Identifier 'my app bundle ' could not be found
I am able to run the app on iPhone Simulator without problem.
I was able to connect to the device before, I don't know what is going on...
I already deleted everything and tried again, even with a new App ID created on the portal but it didn't work either.
I just don't know what to do to run the app on my device?
A valid provisioning profile matching the application's Identifier 'my app bundle ' could not be found
Please ensure that the identifer is consistent with the App ID you created for the provisioning profiles on developer portal.
For example, if you created App ID "A1B2C3D4E5.com.yourdomain.*" and assigned it to your provisioning profile, your app must have a bundle identifer like "com.yourdomain.someapp" so that it can be correctly signed.
Also I don't think space character is allowed in the identifier. See Information Property List Key Reference:
The bundle ID string must be a uniform type identifier (UTI) that contains only alphanumeric (A-Z,a-z,0-9), hyphen (-), and period (.) characters.
You may refer to:
"Creating and Configuring App IDs" in iOS Team Administration Guide.
Bundle Identifier and Provisioning Profile
Running an app on simulator doesn't require code signing and hence no provisioning profile. As it was working earlier and you've tried deleting and reinstalling everything, see whether your code signing certificate has been revoked or expired.
My app's provision profile expired 2 days back, i created a new one and now it gives me the error:
Code Signing Entitlements Do Not Match Provisioning Profile
EveryThing is same,jus the profile name is changed..
Anyone here knws wat's the problem??
It can happen that you have not created your provisioning profile for the same application id.
The easiest is to create a provisioning profile for the app id "*" (in case you are not using special things, like push) - and you can use this provisioning profile for every application of yours.
Also - you can delete your provisioning profile from the apple developer website and your xcode organizer, and you click on the refresh button in organizer then xcode will talk to the apple dev website and download a new one for you.
Hope this helps, Moszi