Invalid Code Signing Entitlements

Hi there,


I am trying to submit an update to an existing app on the Mac App Store. The goal posts keep moving and it's already a bit of a nightmare. Now I've reached an issue which I can't seem to get beyond.


My game is developed in Unity, and I'm using the combination of codesign/productbuild in terminal to build the installer, then Application Loader to deliver it. I'm running OS X 10.11.2, Xcode 7.2 (7C68) and Application Loader 3.4 (902). Here are the two errors from Application Loader:


ERROR ITMS-90287: "Invalid Code Signing Entitlements. The entitlements in your app bundle signature do not match the ones that are contained in the provisioning profile. The bundle contains a key that is not included in the provisioning profile: 'com.apple.developer.game-center' in 'org.COMPANY.GAMENAME.pkg/Payload/GAMENAME.app/Contents/MacOS/GAMENAME'."

ERROR ITMS-90287: "Invalid Code Signing Entitlements. The entitlements in your app bundle signature do not match the ones that are contained in the provisioning profile. The bundle contains a key that is not included in the provisioning profile: 'com.apple.application-identifier' in 'org.COMPANY.GAMENAME.pkg/Payload/GAMENAME.app/Contents/MacOS/GAMENAME'."


On the Apple developer portal I can verify that my provisioning profiles do indeed have the required keys (From dev portal: "Enabled Services: Game Center, In-App Purchase"). My certificates seem to be installed correctly, and Xcode reports that it has all of the provisioning profiles downloaded. The basic setup is correct, as Apple have already approved several versions of this app and it is currently live on the Mac App Store.


Can anybody advise: is it possible to see which provisioning profile is actually being used here? I suspect that the wrong profile is being selected somehow, but I'm not sure how to tell which is actually being used. Can anybody give any suggestions on what to try next?


Thanks for your help.


Ben

Try cracking open the compiled, signed app and looking at the embedded provisioning profile. Chances are good it's missing those entitlements, in which case either a mistake was made regarding the entitlements or it was built with the wrong provisioning profile.

Hi Bob,


Thanks for the response. That was my first thought too, although I can't find an embedded provisioning profile within the app. I assumed that it was handled some other way now, but perhaps it's the case that the provisioning profile simply wasn't included in the .app. In which folder should the provisioning profile be located? /Contents/_CodeSignature/ ?


Thanks for your help.

Ben

In which folder should the provisioning profile be located?

The entitlements are baked into the code signature. You can dump them using:

$ codesign -d --entitlements :- /path/to/your.app

If the app has embedded code (like a helper tool, a framework, or an extension), you should check the entitlements of those separately.

Keep in mind that the provisioning profile is just one input into the code signing machinery, and the output of that machinery includes these entitlements. IMO it’s best to start by looking at the output and working back from there. I recently posted about this in a different context, but there’s also formal documentation on the subject in the form of Technote 2415 Entitlements Troubleshooting.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi Quinn,


Thanks for your help. Using "codesign -d --entitlements" gives the following output:


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.application-identifier</key>
  <string>[ID].org.[COMPANY].[GAMENAME]</string>
  <key>com.apple.developer.game-center</key>
  <true/>
  <key>com.apple.security.app-sandbox</key>
  <true/>
  <key>com.apple.security.network.client</key>
  <true/>
</dict>
</plist>


Which, as far as I can tell, is exactly what it should be. I've checked all the other frameworks, etc. inside the bundle and they are all giving the same output.


Thank you for posting links to the documentation. I've had a read through, but they mostly concern dealing with problems if the above output isn't correct. As far as I can tell, it is. Am I missing anything? Can you think of any other reason why this might be failing? As I say, I'm pretty much at the end of the thread on this one. I'm not sure what to do next. To my understanding everything seems a-ok, but Application Loader still fails.


Thanks again for your help.


Ben

Accepted Answer

Distribution issues aren’t really my forte but I believe that you will need an embedded.provisionprofile inside your app if the app uses entitlements that must be whitelisted by a provisioning profile. Certainly, if I create a .pkg using Xcode’s Organizer (Save for Mac App Store Deployment), it has a copy of the distribution profile embedded within it.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

DTS will close for the winter holidays at the end of business on Wed, 23 Dec 2015 and re-open on Mon, 4 Jan 2016.
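
Added example, not part of any post in this thread: a Python check that approximates the comparison the ITMS-90287 message describes, listing entitlement keys in the signature that the embedded profile does not authorize. The sample plists, the `TEAMID1234` identifier, the helper names and the treatment of `com.apple.security.*` keys as needing no profile are assumptions; `security cms -D -i` is the macOS command used here to decode the profile.

```python
import plistlib
import subprocess

# Assumption: sandbox keys need no profile; the errors quoted in this thread
# named only the two non-sandbox keys.
UNRESTRICTED_PREFIXES = ("com.apple.security.",)

def value_allowed(signed, allowed):
    """True if a profile value authorizes a signed value (trailing '*' = wildcard)."""
    if isinstance(allowed, list):
        items = signed if isinstance(signed, list) else [signed]
        return all(any(value_allowed(s, a) for a in allowed) for s in items)
    if isinstance(allowed, str) and allowed.endswith("*"):
        return isinstance(signed, str) and signed.startswith(allowed[:-1])
    return signed == allowed

def unauthorized_entitlements(signed_plist, profile_plist):
    """Sorted signed keys the profile does not authorize (profile may be None)."""
    signed = plistlib.loads(signed_plist) if signed_plist.strip() else {}
    allowed = plistlib.loads(profile_plist).get("Entitlements", {}) if profile_plist else {}
    return sorted(
        key for key, value in signed.items()
        if not key.startswith(UNRESTRICTED_PREFIXES)
        and (key not in allowed or not value_allowed(value, allowed[key]))
    )

def read_from_bundle(app_path):
    """macOS only: return (signature entitlements, decoded profile or None)."""
    signed = subprocess.run(["codesign", "-d", "--entitlements", ":-", app_path],
                            capture_output=True, check=True).stdout
    try:
        profile = subprocess.run(
            ["security", "cms", "-D", "-i",
             f"{app_path}/Contents/embedded.provisionprofile"],
            capture_output=True, check=True).stdout
    except subprocess.CalledProcessError:
        profile = None  # profile missing or unreadable
    return signed, profile

# Constructed sample data (placeholder team ID and bundle ID).
SIGNED = plistlib.dumps({
    "com.apple.application-identifier": "TEAMID1234.org.example.game",
    "com.apple.developer.game-center": True,
    "com.apple.security.app-sandbox": True,
    "com.apple.security.network.client": True,
})
PROFILE = plistlib.dumps({"Entitlements": {
    "com.apple.application-identifier": "TEAMID1234.*",
    "com.apple.developer.game-center": True,
}})
```

With no profile in the bundle, `unauthorized_entitlements(SIGNED, None)` returns the same two keys the Application Loader errors name; on a Mac, pass the pair from `read_from_bundle("/path/to/your.app")` instead of the samples.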

Hi Quinn,

Yep, adding embedded.provisionprofile into the ./Contents/ folder of my app seemed to do the trick. Thank you very much for your help.

Ben

Hi,


I had the same issue, and yes, adding the embedded.provisionprofile in the Contents folder seemed to do the trick, and the app loader allowed me to send the app to iTunes Connect. I waited for a while, and now when I try to select the build in iTunes Connect it says that the compilation is not valid. Could I see an example of your embedded.provisionprofile, or could you give me a step-by-step of how you created the embedded.provisionprofile?


AgentPhantom

Hi,


I had the same problem as Supergonk and your answer helped me to submit my app to iTunes Connect, but when I tried to select the build in iTunes Connect I get a message that says "the compilation is not valid". I currently believe it may be because the plugin I created for my game was signed with another bundle identifier. Should I sign it with the same bundle ID as the game?


AgentPhantom.

I think it's an Apple error, or Apple applied new logic and a strict validation rule for entitlements validation, because I haven't changed the entitlements for months and all of a sudden that error occurs.

A possible solution that worked for me is to remove the following line in the .entitlements file.

<key>com.apple.developer.healthkit.access</key>
<array/>

This solution worked for me, and I submitted my TestFlight successfully after removing that line.

All possible solutions are added here: exerror.com/the-entitlements-in-your-app-bundle-signature-do-not-match-the-ones-that-are-con/
