Missing Push Notification Entitlement after building in command line

Firstly, I'm building my app through the command line. Unfortunately, this is necessary since I'm using Azure DevOps to do the build.

Since the app has an extension I created two provisioning profiles (the app's has Push Notifications capability) and build and sign the ipa via a plist file (multi-provisioning-profiles.plist) as follows:

xcodebuild -sdk iphoneos -configuration Release -project myapp.xcodeproj -scheme MyApp archive -archivePath myapp.xcarchive CODE_SIGNING_ALLOWED=NO

xcodebuild -sdk iphoneos -configuration $(Configuration) -project myapp.xcodeproj build -exportArchive -archivePath myapp.xcarchive -exportOptionsPlist multi-provisioning-profiles.plist -exportPath /ipa

The ipa then successfully uploads and a short while later I get the error email (ITMS-90078: Missing Push Notification Entitlement) from Apple regarding push notification entitlements.

Any idea what I might be missing here?

For completeness, here's the multi-provisioning-profiles.plist file also:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>provisioningProfiles</key>
    <dict>
        <key>[My app key]</key>
        <string>[UUID of app's prov profile]</string>
        <key>[My extension key]</key>
        <string>[UUID of extension's prov profile]</string>
    </dict>
    <key>signingCertificate</key>
    <string>iOS Distribution</string>
    <key>signingStyle</key>
    <string>manual</string>
    <key>method</key>
    <string>app-store</string>
    <key>teamID</key>
    <string>[My team ID]</string>
</dict>
</plist>


Answered by benjfromlondon in 658472022
The problem seemed to stem from not signing the archive (CODE_SIGNING_ALLOWED=NO is bad in this case). Once the xcarchive was signed with the provisioning profiles, I no longer received the email from Apple after uploading.

I'd originally avoided signing the archive because I'd struggled to get it working with more than one provisioning profile but eventually found the following solution: https://stackoverflow.com/a/29605731/2520623

For reference, this is what my final archive command looked like:

xcodebuild -sdk iphoneos -configuration Release -project myapp.xcodeproj -scheme MyApp archive -archivePath myapp.xcarchive -allowProvisioningUpdates OTHER_CODE_SIGN_FLAGS="--keychain tempkeychain.keychain" APP_PROFILE="[UUID of app's prov profile]" EXTENSION_PROFILE="[UUID of extension's prov profile]"

I have the same issue, but in my case there is one extra prov profile: 1 app profile and 2 extension profiles. How can I deal with it? Could you share your Azure pipeline YAML if you do not mind? Should I insert the xcodebuild command manually into the YAML, or can I use the Xcode build task from the Azure DevOps modules?

Thank you @benjfromlondon for showing me the way! I had the same issue while building using the Xcode@5 task in Azure Pipelines, although the project was otherwise configured as it should be and as many StackOverflow threads indicated it should.

I will add below more information about how I fixed the issue and troubleshooting.

The fix

The Xcode@5 Azure Pipelines task does not sign the archive by default:

    # Signing & provisioning
    #signingOption: 'nosign' # 'nosign' | 'default' | 'manual' | 'auto'. Signing style. Default: nosign.
    #signingIdentity: # string. Optional. Use when signingOption = manual. Signing identity.

So I added the following to my YAML pipeline (signingOption, signingIdentity and provisioningProfileName):

  - task: Xcode@5
    displayName: 'Build IPA'
    inputs:
      actions: 'clean build'
      configuration: 'Release'
      sdk: 'iphoneos'
      xcWorkspacePath: 'ios/MyApp.xcworkspace'
      workingDirectory: '$(Build.SourcesDirectory)'
      scheme: 'MyApp'
      packageApp: true
      signingOption: 'manual'
      signingIdentity: 'iPhone Distribution'
      provisioningProfileName: '${{ parameters.provisioningProfileName }}'

Troubleshooting and checking the fix

According to this Q/A there are a couple of ways to check that the entitlement is present in the ipa. Unzip the .ipa first, then you can run the following commands:

security cms -D -i "Payload/MyApp.app/embedded.mobileprovision"
codesign -d --entitlements :- "Payload/MyApp.app"

The first command checks the entitlements in the provisioning profile used for code signing when exporting the ipa. It did include the aps-environment entitlement both before and after the fix.

The second command checks the entitlements in the app bundle (unsure exactly where). It did not output the aps-environment before adding the code signing identity to the archive build, but did after I specified the code signing identity (and I could check in the build logs that the Xcode@5 task did pass the code signing identity parameters to xcodebuild during archiving).

I then uploaded the .ipa to the App Store and the warning was gone.

I have found that you can also check whether your app "executable" contains the aps-environment string.

For example:

grep -n -a "aps-environment" Payload/MyApp.app/MyApp

It did not contain the string before the fix and it did after. This is probably similar to codesign -d --entitlements :- "Payload/MyApp.app"
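
The two checks described in the post above can be turned into a pipeline gate. The following is an added example, not code from any poster in this thread: it compares the entitlements the provisioning profile grants with those carried in the code signature and reports required keys (here aps-environment) that the signature lost, which is the state described before the fix. The function names are hypothetical and the sample plists are constructed.

```python
import plistlib
import subprocess
import sys

REQUIRED = ("aps-environment",)  # the entitlement ITMS-90078 reports as missing

def profile_entitlements(decoded_profile: bytes) -> dict:
    """Entitlements dict from a decoded profile (output of `security cms -D`)."""
    return plistlib.loads(decoded_profile).get("Entitlements", {})

def signed_entitlements(codesign_xml: bytes) -> dict:
    """Entitlements from `codesign -d --entitlements :-`; empty output means none."""
    return plistlib.loads(codesign_xml) if codesign_xml.strip() else {}

def dropped_entitlements(profile: dict, signed: dict, required=REQUIRED) -> list:
    """Required keys the profile grants but the code signature does not carry."""
    return [k for k in required if k in profile and k not in signed]

def check_app(app_dir: str) -> list:
    """Run the thread's two commands (macOS only) on an unzipped Payload/*.app."""
    prof = subprocess.run(
        ["security", "cms", "-D", "-i", f"{app_dir}/embedded.mobileprovision"],
        check=True, capture_output=True).stdout
    sig = subprocess.run(
        ["codesign", "-d", "--entitlements", ":-", app_dir],
        check=True, capture_output=True).stdout
    return dropped_entitlements(profile_entitlements(prof), signed_entitlements(sig))

# Constructed sample data (not taken from a real app or profile).
SAMPLE_PROFILE = plistlib.dumps({"Entitlements": {
    "application-identifier": "TEAMID.com.example.myapp",
    "aps-environment": "production"}})
SAMPLE_SIGNED_BEFORE = plistlib.dumps(
    {"application-identifier": "TEAMID.com.example.myapp"})
SAMPLE_SIGNED_AFTER = plistlib.dumps({
    "application-identifier": "TEAMID.com.example.myapp",
    "aps-environment": "production"})

if __name__ == "__main__":
    if len(sys.argv) > 1:
        dropped = check_app(sys.argv[1])
    else:  # no path given: demonstrate on the constructed samples
        dropped = dropped_entitlements(profile_entitlements(SAMPLE_PROFILE),
                                       signed_entitlements(SAMPLE_SIGNED_BEFORE))
    print("missing from signature:", dropped or "none")
    sys.exit(1 if dropped else 0)
```

Run on a macOS build agent after unzipping the .ipa, passing Payload/MyApp.app as the argument; a non-zero exit fails the step before the upload.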
