Lately I've been having issues deploying my applications in-house
(enterprise developer program) with reports that some entitlement
values were not the ones specified in the provisioning profile.
I started looking into the issue, and found that, of course, the
values weren't a match:
Contents of the .mobileprovision file:
(as extracted by running security cms -D -i <mobileprovision file>)
<key>application-identifier</key>
<string>M7X5D8MA6U.some.masked.Identifier</string>
<key>com.apple.developer.ubiquity-container-identifiers</key>
<array>
<string>KNHHJPPHR7.*</string>
</array>
<key>com.apple.developer.ubiquity-kvstore-identifier</key>
<string>KNHHJPPHR7.*</string>
<key>get-task-allow</key>
<false/>
<key>keychain-access-groups</key>
<array>
<string>M7X5D8MA6U.*</string>
</array>
And the entitlements are (as extracted running: codesign -d --entitlements - <app bundle>)
<key>application-identifier</key>
<string>5R678HMG35.some.masked.Identifier</string>
<key>get-task-allow</key>
<false/>
<key>keychain-access-groups</key>
<array>
<string>5R678HMG35.some.masked.Identifier</string>
</array>
I'm not specifying any entitlements file in my project, and the
mobileprovision file was downloaded fresh from the Portal.
Should I create an Entitlements.plist with those values just to make
the installer happy or is there a less hackish way of solving this?
And more importantly, why is this happening only with some builds of
my app? (Some other builds are fine)
Any other tips on how to solve and/or avoid this problem?
I have already tried the usual suspects: deleting all profiles, recreating profiles, re-downloading the certificate, etc...
Thanks!
What I noted was that I wasn't using a development provisioning profile for that specific app, I was using the team profile generated by Xcode. I took a shot at creating the development profile, and then it fixed itself.
Make sure, if you're not using iCloud, that your Provisioning Profile on the Apple Developer Page doesn't have iCloud enabled.
If so, disable iCloud and download the new generated profile and try again.
Had a pretty similar problem a few weeks back.
This can happen if, while doing a Release build, Xcode decides to use a wildcard provisioning profile.
Even though you go on to choose the correct provisioning profile in Xcode Organizer, when you hit the Distribute… button Xcode invokes xcrun PackageApplication which embeds the provisioning profile in your app and then resigns it. It also very carefully copies the original incorrect entitlements, like App ID Prefix, APN entitlement, gleaned from the wrong provisioning profile, into your new IPA. This will likely fail to install.
I'm not sure why it does this, maybe because not all entitlements come from provisioning profiles.
Related
I'm working on app which is distributed with Cydia. So it is installed in /Applications folder, not /var/mobile/Applications/ as usual AppStore apps. And I assume that installation give me some huge problems.
At first, keychain read & write with famous Apple's KeychainItemWrapper doesn't work at all.
Also, my settings.bundle doesn't work too. App settings don't displayed in Settings.app.
When I test application in Simulator or even deploy it from Xcode to device directly (it is deployed to /var/mobile/Applications/) everything works like a charm.
I tried moving installed .app to var/mobile/Applications/XXXXXX/myapp.app with making mobile:mobile as it's owner. It didn't help.
Any solution for making this work?
Settings Bundle
Settings work a little differently for jailbreak apps. You need to do something similar to the normal Settings.bundle, but there are differences.
See here for some information on that.
And here
And here
You should make your app depend on the preferenceloader package, which helps jailbreak apps manage Settings. So, you'll have something like this in your DEBIAN/control file:
package: com.mycompany.MyApp
Name: MyApp
Version: 2.2-2
Architecture: iphoneos-arm
Depends: preferenceloader
Description: Do something for jailbreak iPhones
...
Keychain
In order to make the keychain work for my app, I needed to add entitlements to my binary. The way I found out which entitlements were needed was to first build the app in the normal way (not a jailbreak app, just a normal 3rd-party app store app using Xcode). Then, I inspected the entitlements in the binary built by Xcode:
ldid -e MyApp.app/MyApp
And then spliced those entitlements into a new entitlements.xml file. See here for an example of applying entitlements. I believe the entitlements for your app should look something like this:
<key>application-identifier</key>
<string>L44W4W8ABC.com.mycompany.MyApp</string>
<key>aps-environment</key>
<string>development</string>
<key>com.apple.developer.team-identifier</key>
<string>L44W4W8ABC</string>
It's possible that this method of adding entitlements isn't necessary. See comments below your question for other options. However, I was adding other entitlements for other reasons, and could not do that through Xcode.
RemoveProfile command is not working properly for me.
I am setting the proper profile identifier with below xml
<?xml version='1.0' encoding='UTF-8'?><!DOCTYPE plist PUBLIC '-//Apple//DTD PLIST 1.0//EN' 'http://www.apple.com/DTDs/PropertyList-1.0.dtd'><plist version='1.0'>
<dict>
<key>Command</key>
<dict>
<key>RequestType</key>
<string>RemoveProfile</string>
<key>Identifier</key>
<string>com.apple.mgmt.mdmA3727E23-7914-59A6-FDCE-D79D9B42A209</string>
</dict>
<key>CommandUUID</key>
<string>B733FE25-101E-4959-4FAD-7262D7774169</string>
</dict>
</plist>
Also when I query for profiles installed on device I get this profile installed with same profile identifier.
Can someone guide me whats wrong with the command.
On IPCU, I get the following error:
The profile “com.apple.mgmt.mdmA3727E23-7914-59A6-FDCE-D79D9B42A209” is not managed by MDM.
If I performed an enterprise wipe i.e. remove the main enrollment profile via the same above command, it removes the enrollment as well as all the associated profiles, so why doesn't it allow me to remove individuals?
Two pieces of information:
1) If profile is truely not managed (wasn't installed through MDM), you can't remove it using MDM.
2) I noticed and reported to Apple a bug in which my iOS device lost association between MDM profile and profiles which were installed through MDM. So, you may have seen this bug.
I have updated and rebuilt my app with a new provision profile that was configured with "Enable for iCloud" checkbox selected in the provision portal.
Next, in XCode, for the app project, I selected the box for "Entitlements" in Targets->Summary->Entitlements as shown below to support iCloud. However, as soon as I add this, I am unable to build the application as I get the dreaded
warning: Application failed codesign verification. The signature was invalid, or it was not signed with an iPhone Distribution Certificate. (-19011)
The app builds successfully with NO codesign errors and installs onto hardware with the proper provisioning profile when the "Enable Entitlements" is unchecked. As soon as I check it, it gets the codesign error.
I also tried updating the entitlements file with ABCDEF.com.myapp (with my real iCloud ID and app id) for the com.apple.developer.ubiquity-container-identifiers value.
What am I doing wrong? Any help is greatly appreciated!
Btw, I wrote a blog post with a solution which could be helpful.
You may try to copy and paste the <dict> of key entitlements from your provisioning profile to your.entitlements (a plist) file.
iCloud Gotchas
Finally, I found the solution. It ended up being a Apple Provisioning Portal issue.
Even though I followed these steps:
1. Selected "Enable for iCloud" for the App ID
2. Created(regenerated) a new provision profile that was configured for the respective "Enable for iCloud" app
3. In XCode, for the app project, I selected the box for "Entitlements" in Targets->Summary->Entitlements as shown below to support iCloud.
The build error still persisted. So, I looked at the Prov Prof with an editor and the entitlements were NOT in there even though I just generated a new one.
What I found was after about 1 week, surprise!, if I generated the Prov. Profile now it had the entitlements in it! So, there was a delay before the generation of the PP's would pick up the iCloud entitlements. Also I filed this issue with Apple so they are aware of this strange delay.
I'm getting the following error when trying to submit my app to the app store. I went through the initial provisioning process and am able to run the app on my phone so not sure what's wrong.
Application failed codesign verification. The signature was invalid, or it was not signed with an Apple submission certificate.
EDIT: I tried downloading and installing a Distribution profile, but I'm still getting the error. Is there some way I need to link this new profile to my app in XCode? Thanks!
EDIT 2: I've now gotten a distribution provisioning profile from Apple and tried compiling with this. Getting the error "A valid provisioning profile for this executable was not found."
Verify the following:
When creating the distibution profile, make sure that Distribution Method is "App Store".
In project settings, go to Build tab and make sure Code Signing Identity is the distribution profile you created for the App Store
In Target settings (double-click on Target in your project), go to Build tab and make sure Code Signing Identity is the distribution profile you created for the App Store
It's recommended that you have a configuration in your project settings for AdHoc and App Store builds. I've found it makes life easier when it comes time to deploy.
For the Xcode build warning or Archive Validation error "Application failed codesign verification", see Apple's complete list of potential causes for this problem at "How do I resolve the error: Application failed codesign verification?".
For the error "A valid provisioning profile for this executable was not found", typically this error occurs while attempting to run your app on device thru Xcode yet you mentioned that you're uploading the app to the store? Ensure that you're following the recommended steps for uploading your iOS app to the store using
"Steps to submit your app to the App Store".
For others receiving the error "A valid provisioning profile for this executable was not found" check that you're following Apple's recommended steps for running on device thru Xcode at "Steps to run your app on device thru Xcode".
You can either double click a .mobileprovision file, or manually copy it to ~/Library/MobileDevice/Provisioning Profiles. Then it will show up inside the provisioning popup in your Target settings.
Set the provisioning profile for both Project and Active Target.
Click Project -> Edit Project Settings change the code signing entity
Click Project ->Edit Active Target and change the same code signing entity here as well.
You should be good to go.!
Are you sure you provisioning profile is a distribution profile for app store and not a development/ad-hoc one??
This error can also be caused if you incorrectly configured your application's "entitlements". A good place to check is for a warning in Xcode's Log Navigator (last page in left tab) and ensure that there is a green tick next to both the CodeSign and Validate steps in the build log when you Archive your project.
I had the same issue and this is what I did to get it to work:
It turned out my Entitlements file was misformed.
Through much trial and error I have figured out the issue. For others' sanity, here is the proper configuration:
application-identifier $(AppIdentifierPrefix)$(CFBundleIdentifier)
com.apple.developer.ubiquity-container-identifiers
Item 0 $(TeamIdentifierPrefix)$(CFBundleIdentifier)
This got it to validate successfully. I couldn't find this documented anywhere so hopefully it helps someone else.
Here is one solution not listed that turned out to be my problem (and took me 3 days to find!). Set your Archive Build Configuration to Release. You can do this by going into PRODUCT -> EDIT SCHEME -> ARCHIVE -> BUILD CONFIGURATION -> SET TO RELEASE.
Good Luck!
I'm facing the same issue having iCloud KVStore as Capability active:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.developer.icloud-container-identifiers</key>
<array/>
<key>com.apple.developer.ubiquity-kvstore-identifier</key>
<string>$(TeamIdentifierPrefix)$(CFBundleIdentifier)</string>
</dict>
</plist>
Xcode fails to sign to binary when I try to change the 'com.apple.developer.ubiquity-kvstore-identifier identifier to the main app KVStore Identifier as described in
Configuring Common Key-Value Storage for Multiple Apps
Codesign warning: provisioning is not applicable for product type 'Application' in SDK Device - iPhone OS3.1'; ignoring..
Redownloaded my developer certificate, made a new provisioning profile, still getting this error. Searched the Xcode project and removed all lines referencing a Provisioning Profile, but that didn't seem to remove it from the project settings (went to show package contents, then opened the project file).
Was originally on a different machine then transferred over, if that makes a difference?
Thanks
Check the file
/Developer/Platforms/iPhoneOS.platform/Info.plist
and make sure the following keys are set to YES
<key>PROVISIONING_PROFILE_ALLOWED</key>
<string>YES</string>
<key>PROVISIONING_PROFILE_REQUIRED</key>
<string>YES</string>
When developing for a jailbroken devices, these should normally be set to NO, so you can self sign and copy the file over, etc, but it's not necessary to skip this when you actually have a proper certificate and provisioning for your device.