Unable to edit problematic keychain-access-groups setting of downloaded provisioning profile for signing

In an Expo managed project which utilizes custom Expo plugins, we're having trouble getting the keychain-access-groups entitlement inserted into our provisioning profile for signing.

The provisioning profile we download from the Apple dev portal contains:

	<key>keychain-access-groups</key>
	<array>
		<string>56APMZ7FZY.*</string>
		<string>com.apple.token</string>
	</array>

and this is not recognized by Xcode for signing; an error is thrown:

Provisioning profile "ccpp" doesn't include the com.apple.developer.keychain-access-groups entitlement.

A matching error is thrown during EAS build.

So we need to find a way to modify the ccpp.mobileprovision locally and then sign the build using the modified ccpp.mobileprovision.

Or, we need guidance on the proper way to resolve this situation.

Questions:

  • Why does the downloaded mobileprovision file have the keychain-access-groups key, and not com.apple.developer.keychain-access-groups? Both Xcode and EAS appear to demand the latter key name.

  • When I use expo prebuild, I am able to see the following in the .entitlements file:

	<key>com.apple.developer.keychain-access-groups</key>
	<array>
		<string>$(AppIdentifierPrefix)com.myapp</string>
	</array>

I am adding this entitlement using a custom Expo plugin. However, the mobileprovision file downloaded from the Apple developer portal has no knowledge of this setting, which is only applied through expo prebuild.

So what I am left with at the end is an entitlements file generated by my expo prebuild which has the correct setting, and a provisioning profile downloaded from the dev portal with an incorrect setting, and I don't know how to mend the downloaded provisioning profile (incorrect setting) with my local entitlements file (correct setting).

Accepted Answer

I don’t have any experience with the third-party tools you’re using, but this:

I am able to see the following … com.apple.developer.keychain-access-groups

is just wrong. The entitlement name is keychain-access-groups, not com.apple.developer.keychain-access-groups. That’s clearly prescribed in the docs.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Solution Summary: To build using EAS build, we need an "Apple Distribution Certificate", but EAS's credentials tool creates an "iOS Distribution Certificate". Therefore, what is needed is to create the distribution cert on the Apple Dev portal, download the .cer file from there, add it to your OSX keychain, then export to .p12 with a password.

Then when using EAS build, you will choose:

> eas build --profile production --platform ios --local
...
...
Generate a new Apple Distribution Certificate? … no
Path to P12 file: … /path/to/your.p12
P12 password: … *the password you exported to .p12 with*
Would you like to reuse the original profile? … no
Generate a new Apple Provisioning Profile? … yes

During the build process, your OSX should prompt you for your OSX login chain pw (Your OSX admin pw, not the .p12 export password) multiple times.

As for the keychain-access-groups entitlement, even though Xcode complains as follows:

Provisioning profile doesn't include the com.apple.developer.keychain-access-groups entitlement.

The Xcode error is misleading, and you should assume it is adding com.apple.developer. as a prefix to what it really wants in your entitlements file.

So, set your Expo plugin as follows:

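import { ConfigPlugin } from "@expo/config-plugins";

// Config plugin that writes the keychain-access-groups entitlement during prebuild
const withKeychainSharing: ConfigPlugin = (config) => {
  // Make sure the ios.entitlements object exists before writing to it
  if (!config.ios) config.ios = {};
  if (!config.ios.entitlements) config.ios.entitlements = {};

  // Example group: using $(AppIdentifierPrefix) plus your Bundle ID
  config.ios.entitlements["keychain-access-groups"] = [
    "$(AppIdentifierPrefix)com.my.app",
  ];

  return config;
};

export default withKeychainSharing;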
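
Added example, not part of the original thread or of Expo/EAS: a Python check that reads the Entitlements dictionary out of a .mobileprovision file and reports whether the app's keychain-access-groups values are covered by the profile, and whether the entitlements file uses the mistaken com.apple.developer. key name. It assumes the plist payload sits unencrypted inside the CMS wrapper (on macOS, `security cms -D -i` is the usual decoder); the function names and the sample bytes are constructed for illustration.

```python
import plistlib

KEY = "keychain-access-groups"
WRONG_KEY = "com.apple.developer.keychain-access-groups"

def profile_entitlements(blob: bytes) -> dict:
    """Entitlements dict from .mobileprovision bytes (XML plist inside a CMS wrapper)."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    plist = plistlib.loads(blob[start:end + len(b"</plist>")])
    return plist.get("Entitlements", {})

def covers(pattern: str, group: str) -> bool:
    """Profile values may end in '*' (e.g. '56APMZ7FZY.*'); otherwise match exactly."""
    return group.startswith(pattern[:-1]) if pattern.endswith("*") else group == pattern

def check_keychain_groups(profile: dict, app: dict, prefix: str) -> list:
    """Problems found comparing the app's entitlements to the profile; [] means OK."""
    problems = []
    if WRONG_KEY in app:
        problems.append(f"entitlements use {WRONG_KEY}; the key is {KEY}")
    allowed = profile.get(KEY, [])
    for group in app.get(KEY, []):
        # $(AppIdentifierPrefix) expands to the team ID followed by a dot
        resolved = group.replace("$(AppIdentifierPrefix)", prefix)
        if not any(covers(p, resolved) for p in allowed):
            problems.append(f"{resolved} is not covered by the profile: {allowed}")
    return problems

def sample_profile() -> bytes:
    """Constructed stand-in: the question's entitlement values between dummy bytes."""
    body = plistlib.dumps({"Name": "ccpp", "Entitlements": {
        KEY: ["56APMZ7FZY.*", "com.apple.token"]}})
    return b"\x30\x82\x00\x00" + body + b"\x00\x00"

if __name__ == "__main__":
    prof = profile_entitlements(sample_profile())
    good = {KEY: ["$(AppIdentifierPrefix)com.myapp"]}
    bad = {WRONG_KEY: ["$(AppIdentifierPrefix)com.myapp"]}
    print(check_keychain_groups(prof, good, "56APMZ7FZY."))  # no problems
    print(check_keychain_groups(prof, bad, "56APMZ7FZY."))   # flags the key name
```

For a real profile, pass the file's bytes to `profile_entitlements` and the parsed .entitlements plist (for example via `plistlib.load`) as `app`.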