I've added my Vendor ID to the appropriate entitlement files but my binary fails validation when trying to upload it to the store for distribution. The embedded.mobileprovision file in the generated archive shows an asterisk instead of my approved Vendor ID. How can I make sure the embedded provisioning file has my Vendor ID?
A bit of a late reply on this, but I have a few things to share:
- As far as I can tell Xcode 16 has fixed all of these issues. Set codesigning to "automatic", configure your capabilities in Xcode, and it signs everything exactly the way it should. I haven't specifically tested enterprise distribution (I don't have an account of that type "at hand"), but the automatic flows have worked perfectly for Developer ID and Mac App Store TestFlight. If it's at all possible, I think building and signing with Xcode 16 is the easiest solution to all this.
- If you must use Xcode 15.4, then you need to be very careful about the exact flow involved.
You're right that this is the underlying issue:
I'm assuming this has to do with the fact that the entitlements plist is using the wildcard "*" instead of a proper vendor id.
The wildcard value is why the development profiles can work with "everything", which is also what breaks distribution signing. Here is what you can try to resolve this:
- I'm not sure how this stands in Xcode 15.4 (I don't have a machine at hand to test this), but Xcode has allowed you to specify a specific entitlement value in your Info.plist while still using the development profiles. However, it's also had a tendency to switch the entitlement value back to *, breaking things again. The last time I specifically tested this, I was able to archive a build in that state (exact plist, wildcard dev profile), which then allowed me to use that manual export flow.
- If that doesn't work, then you can try switching your Developer and Release signing configurations to "Manual" and then specifying specific provisioning profiles for them. In theory, that should let you archive the build and then export using the "Custom" signing flow above.
- If THAT doesn't work, then the final option is to bypass the archive process and generate the build yourself. If you manually set the release configuration of all components to the correct provisioning profile, then the final output should be a properly signed Enterprise build. Archiving exists so that you can export multiple signing variations of EXACTLY the same build object and to simplify the "back end" process (submitting builds, etc). It doesn't actually sign things "differently", so it's not actually required to generate any specific build variation.
__
Kevin Elliott
DTS Engineer, CoreOS/Hardware
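
A pre-upload check for the symptom discussed in this thread, as an added example that is not part of the original posts: it reads the plist out of an embedded.mobileprovision and lists every entitlement value that is still the bare wildcard "*". The function names and the entitlement key used in the constructed sample (com.apple.developer.driverkit.transport.usb with idVendor) are assumptions, since the thread does not name the entitlement.

```python
import plistlib

def profile_plist(blob: bytes) -> dict:
    """Return the plist carried inside a CMS-signed provisioning profile.

    Assumption: the payload sits inside the CMS wrapper as cleartext XML.
    The CMS signature is NOT verified here; this only reads the payload.
    """
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no XML plist found in profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def wildcard_paths(value, path=""):
    """Paths of every value that is exactly "*" (prefixes like TEAMID.* are ignored)."""
    if value == "*":
        return [path]
    found = []
    if isinstance(value, dict):
        for key, item in value.items():
            found += wildcard_paths(item, f"{path}/{key}")
    elif isinstance(value, list):
        for index, item in enumerate(value):
            found += wildcard_paths(item, f"{path}[{index}]")
    return found

def check_profile(blob: bytes) -> list:
    """Wildcard entitlement paths in a profile; an empty list means none remain."""
    return wildcard_paths(profile_plist(blob).get("Entitlements", {}))

def sample_profile(id_vendor) -> bytes:
    """Constructed sample: a plist wrapped in placeholder bytes standing in for CMS."""
    payload = plistlib.dumps({
        "Name": "Constructed profile",
        "Entitlements": {
            # Assumed key; the thread only says "Vendor ID".
            "com.apple.developer.driverkit.transport.usb": [{"idVendor": id_vendor}],
            "keychain-access-groups": ["TEAMID.*"],
        },
    })
    return b"\x30\x82\x04\x00" + payload + b"\x00\x00"

if __name__ == "__main__":
    for label, vendor in (("development-style", "*"), ("distribution-style", 1234)):
        hits = check_profile(sample_profile(vendor))
        print(label, "->", hits or "no wildcard entitlements")
```

To run it against a real build, pass the bytes of the embedded.mobileprovision from the exported archive to `check_profile`.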