"Asset validation failed Invalid Provisioning Profile" error while validating a .pkg file

I am creating a macOS application to be distributed to Mac App Store. I am getting an error when I try to validate my .pkg file with the "altool". This is the error I am getting:

2023-06-28 22:15:18.389 *** Error: Asset validation failed Invalid Provisioning Profile. The provisioning profile included in the bundle com.***.safari.web.Extension [com.***.safari.web.Extension.pkg/Payload/XXXX.app] is invalid. [Missing code-signing certificate.] For more information, visit the macOS Developer Portal. (ID: cef119d1-f045-4e50-94f7-22ee94877fad) (90283) { NSLocalizedDescription = "Asset validation failed"; NSLocalizedFailureReason = "Invalid Provisioning Profile. The provisioning profile included in the bundle com.***.safari.web.Extension [com.***.safari.web.Extension.pkg/Payload/XXXXXXX.app] is invalid. [Missing code-signing certificate.] For more information, visit the macOS Developer Portal. (ID: cef119d1-f045-4e50-94f7-22ee94877fad)"; NSUnderlyingError = "Error Domain=IrisAPI Code=-19241 "Asset validation failed" UserInfo={status=409, detail=Invalid Provisioning Profile. The provisioning profile included in the bundle com.***.safari.web.Extension [com.***.safari.web.Extension.pkg/Payload/XXXXXX.app] is invalid. [Missing code-signing certificate.] For more information, visit the macOS Developer Portal., id=cef119d1-f045-4e50-94f7-22ee94877fad, code=STATE_ERROR.VALIDATION_ERROR.90283 "iris-code" = "STATE_ERROR.VALIDATION_ERROR.90283"; }

Exited with code exit status 1 CircleCI received exit code 1

The steps I am following, are as follows:

Command to generate the archive:

xcodebuild -workspace ${WORKSPACE}/XXXXXX.xcodeproj/project.xcworkspace -scheme XXXXXX -sdk macosx -destination 'generic/platform=macOS' -archivePath ${WORKSPACE}/XXXXXXExt.xcarchive DEVELOPMENT_TEAM=XXXXXXXXXXXX PROVISIONING_PROFILE_SPECIFIER="match Development com.***.safari.web.Extension mac" PRODUCT_BUNDLE_IDENTIFIER=com.***.safari.web.Extension CODE_SIGN_STYLE=Manual CODE_SIGN_IDENTITY="Apple Development" archive

**The command to generate the .app file (export archive step): ** xcodebuild -exportArchive -exportOptionsPlist ${WORKSPACE}/Config/Prod-MacAppStore-exportOptions.plist -archivePath ${WORKSPACE}/XXXXXX.xcarchive -exportPath ${WORKSPACE}/mac/packages

I am using AppStore Distribution certificate for this step.

**The Command for generating .pkg file: ** productbuild --component ${WORKSPACE}/mac/packages/XXXXXX.app /Applications/ ${WORKSPACE}/mac/packages/XXXXX-${app_build_number}.unsigned.pkg

The Command for signing the .pkg file:

productsign --sign "3rd Party Mac Developer Installer: XXXXX Inc. (XXXXXXXXXX)" ${WORKSPACE}/mac/packages/XXXXX-${app_build_number}.unsigned.pkg ${WORKSPACE}/mac/packages/XXXXX-${app_build_number}.pkg

I am using Mac Developer Installer certificate for this step.

The Command for validating the .pkg file:

xcrun altool --validate-app -f ${WORKSPACE}/mac/packages/signed/XXXXX-${app_build_number}.pkg -t macos --apiKey "${APP_STORE_API_KEY}" --apiIssuer ${APP_STORE_API_ISSUER} --show-progress

The last command is failing. Could someone please let me know what I am missing? And what does it mean by "Missing code-signing certificate"?

Post not yet marked as solved Up vote post of sywappledev Down vote post of sywappledev
2.1k views
Posted by
sywappledev
Reply
Add a Comment

Replies

It seems like there’s a mismatch between your provisioning profile and your signing identity. The purpose of a provisioning profile is to authorise code execution. A profile contains, amongst other things, a list of certificates that it authorises. The certificate from the signing identity you use to sign your code must be listed in your profile.

For a lot more background on this, see TN3125 Inside Code Signing: Provisioning Profiles.

I recommend that you pull apart your .pkg [1] and look at the certificates authorised by that profile. TN3125 has the commands to do the latter.

Then extract the certificate embedded in your code signature and make sure it’s in that list. The Check the Signing Certificate section of Resolving Code Signing Crashes on Launch explains how to extract certificates.

Hopefully that’ll confirm that this error is what I suspect it is. Once you do that, you can then start investigating how this mismatch happened.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] I generally unpack an installer using Pacifist, but you can use Apple tools if you want. See Unpacking Apple Archives.

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment

Thank you for your response! The profiles I am using are correct, as I am able to generate the build and upload to App Store, using the same certificates and profiles in XCode. It's just not working on Circleci. However, thank you very much for the insight into how to unpack the installer and the links! That will be very helpful. I will try that. Thanks again!

Posted by
sywappledev
Up vote reply of sywappledev Down vote reply of sywappledev
Add a Comment

The issue has been resolved. The issue was that I need to build an Extension app, which is inside a parent app. So I needed two bundle identifiers (instead of one, which I was using earlier) and also needed to define the variables for the value of bundle identifiers and profiles in pbxproj file. After that, changing the archive step to specify the values for those bundle identifiers and profiles, the validation step started working. The following link helped a lot in figuring out the 2nd part:

[https://stackoverflow.com/questions/27973011/xcodebuild-different-provisioning-profile-for-target-dependency/29605731#29605731]

I only wish that this had been documented somewhere. I just wanted to post this so that someone else, who has been struggling with the same issue, can benefit from this.

Thanks.

Posted by
sywappledev
Up vote reply of sywappledev Down vote reply of sywappledev
Add a Comment