ERROR ITMS-90164 Invalid Code Signing Entitlements with com.apple.token

Hey guys.

We're attempting to submit an update for our app, and the TestFlight scan of our IPA returns a rejection with the message:

ERROR ITMS-90164 Invalid Code Signing Entitlements. The entitlements in your app bundle signature do not match the ones that are contained in the provisioning profile. According to the provisioning profile, the bundle contains a key value that is not allowed: ["OurTeamID", "com.apple.token"] for the key 'keychain-access-groups' in 'Payload/ourApp.app/ourApp'
This is only happening now with the introduction of 'com.apple.token' since we're introducing biometrics support to our App. Our previous release had no issues.

Our app's entitlements are:

<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>OurTeamID.our.bundle.id</string>
    <key>com.apple.developer.default-data-protection</key>
    <string>NSFileProtectionComplete</string>
    <key>com.apple.developer.team-identifier</key>
    <string>OurTeamID</string>
    <key>get-task-allow</key>
    <true/>
    <key>keychain-access-groups</key>
    <array>
        <string>OurTeamID.*</string>
        <string>com.apple.token</string>
    </array>
</dict>
</plist>

and our provisioning profile entitlements are:

<key>Entitlements</key>
<dict>
    <key>com.apple.developer.default-data-protection</key>
    <string>NSFileProtectionComplete</string>
    <key>application-identifier</key>
    <string>ourTeamID.our.bundle.id</string>
    <key>keychain-access-groups</key>
    <array>
        <string>OurTeamID.*</string>
        <string>com.apple.token</string>
    </array>
    <key>get-task-allow</key>
    <true/>
    <key>com.apple.developer.team-identifier</key>
    <string>OurTeamID</string>
</dict>

So everything looks correct to me. Does anyone have any idea why the scan would think the entitlements don't match when they do?

Thanks in advance.
I see a similar issue. When building the binary, xcodebuild fails with a signature error. I had to remove com.apple.token completely, although Apple's docs say it's allowed by default.

Perhaps you need to use OurTeamId.com.apple.token.

richard-a wrote:

Our app's entitlements are:

<string>OurTeamID.*</string>

This doesn’t make sense. A keychain access group should be an explicit value. Wildcard values like this only make sense in the profile’s allowlist.
Robert_Developer wrote:

Perhaps you need to use OurTeamId.com.apple.token.

No, that would also not make sense. The goal of the com.apple.token keychain access group (aka kSecAttrAccessGroupToken) is to grant your app access to credentials that are stored on a hardware token. Adding your Team ID would turn it into a normal keychain access group, which only your apps have access to.

Note that the docs say:

Access to this group is granted by default and does not require an
explicit entry in your app's [keychain-access-groups] entitlement.

If you do what this suggests — that is, don’t list com.apple.token in keychain-access-groups but instead just use com.apple.token as necessary — does that work?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
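The two points raised in the replies above (an explicit group rather than a wildcard in the app's entitlement, and no entry for the default-granted com.apple.token group) can be checked offline before uploading. This is an added example, not code from the thread or from Apple; the plist inputs are constructed to mirror the original post, and the assumption that the profile's allowlist uses shell-style wildcards (OurTeamID.*) is mine.

```python
import fnmatch
import plistlib

# Groups the docs quoted above describe as granted without an entitlement entry.
DEFAULT_GROUPS = {"com.apple.token"}


def entitlements_plist(groups: list[str]) -> bytes:
    """Build a minimal entitlements plist (constructed; mirrors the thread's layout)."""
    return plistlib.dumps({"application-identifier": "OurTeamID.our.bundle.id",
                           "keychain-access-groups": groups})


def check_keychain_groups(app_plist: bytes, profile_plist: bytes) -> list[str]:
    """Compare the app's keychain-access-groups with the profile's allowlist.

    Returns a list of findings; an empty list means nothing to fix.
    """
    app = plistlib.loads(app_plist).get("keychain-access-groups", [])
    allowed = plistlib.loads(profile_plist).get("keychain-access-groups", [])
    findings = []
    for group in app:
        if group in DEFAULT_GROUPS:
            findings.append(f"{group}: granted by default, remove it from keychain-access-groups")
            continue
        if "*" in group:
            findings.append(f"{group}: wildcard belongs in the profile allowlist, not the app entitlement")
            continue
        # Assumption: profile allowlist entries are shell-style patterns such as OurTeamID.*
        if not any(fnmatch.fnmatchcase(group, pattern) for pattern in allowed):
            findings.append(f"{group}: not allowed by the provisioning profile")
    return findings


# Constructed inputs: the app entitlement and profile allowlist as posted, plus a fixed variant.
APP_AS_POSTED = entitlements_plist(["OurTeamID.*", "com.apple.token"])
PROFILE_ALLOWLIST = entitlements_plist(["OurTeamID.*", "com.apple.token"])
APP_FIXED = entitlements_plist(["OurTeamID.our.bundle.id"])

if __name__ == "__main__":
    for finding in check_keychain_groups(APP_AS_POSTED, PROFILE_ALLOWLIST):
        print(finding)
    print("fixed entitlement findings:", check_keychain_groups(APP_FIXED, PROFILE_ALLOWLIST))
```

The real inputs come from `codesign -d --entitlements :- Payload/ourApp.app/ourApp` and the Entitlements dict of the embedded provisioning profile; the function only looks at the keychain-access-groups key of each.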