Provisioning profile entitlements

Hi,

I am developing an iOS app with a Packet Tunnel Provider Network Extension. I manage signing manually. I created a distribution provisioning profile. Then when I archive and click "validate" I get this error:

Your application bundle's signature contains code signing entitlements that are not supported on iOS. Specifically, value 'url-filter-provider' for key 'com.apple.developer.networking.networkextension'

So I run security cms -D -i profiles/vpn_distribution.mobileprovision and I see there

    <key>Entitlements</key>
    <dict>
        <key>com.apple.developer.networking.networkextension</key>
        <array>
            <string>app-proxy-provider</string>
            <string>content-filter-provider</string>
            <string>packet-tunnel-provider</string>
            <string>dns-proxy</string>
            <string>dns-settings</string>
            <string>relay</string>
            <string>url-filter-provider</string>
            <string>hotspot-provider</string>
        </array>

Where are those coming from? My entitlement file has

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.developer.networking.networkextension</key>
    <array>
        <string>packet-tunnel-provider</string>
    </array>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>group.my-app-group</string>
    </array>
</dict>
</plist>

What is happening here? How can I get a provisioning profile that only has the entitlements that I actually need?

How can I get a provisioning profile that only has the entitlements that I actually need?

You shouldn’t need to do this.

The entitlements in a provisioning profile act as an allowlist. For an in-depth explanation of that, see TN3125 Inside Code Signing: Provisioning Profiles.

When you enable the NE capability on an App ID and generate a profile for that App ID, the Developer website includes all NE types supported by the target platform. Hence the presence of the url-filter-provider value.

However, this is just an allowlist. The entitlements you claim are those in your code signature, and that’s what the Validate App should be checking.

My entitlement file has

Your .entitlements file isn’t the source of truth here. It’s source code that acts as an input to the Xcode build system. So you need to check the entitlements on your built binary.

Do this:

  1. In the Xcode organiser, select your archive.

  2. Secondary click and choose Show in Finder.

  3. Open a Terminal window and change into the Xcode archive directory and then into the directory that contains your app.

  4. Run these commands:

    % codesign -d --entitlements - MyApp.app
    % codesign -d --entitlements - MyApp.app/PlugIns/MyAppEx.appex

    where MyApp is the name of your app and MyAppEx is the name of your NE provider app extension.

What do you see?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
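The two comparisons Quinn describes, written out as an added example (this is not code from the thread or from Apple): the profile's Entitlements dict is the allowlist, the signature on the built binary is the claim, and the .entitlements file is only the intended input. The three plists below are constructed samples shaped like the output of the commands above; TEAMID.com.example.myapp is a placeholder App ID. In practice you would feed in the real output of security cms -D -i for the profile and codesign -d --entitlements - for the app and the appex (older codesign versions prefix that output with a binary blob header, which the :- form strips).

```python
"""Added example (not from the thread): check the entitlements a built binary claims against
(1) the provisioning profile's allowlist and (2) the .entitlements file the build was given."""
import plistlib
from typing import Any

NE_KEY = "com.apple.developer.networking.networkextension"
GROUPS_KEY = "com.apple.security.application-groups"
APP_ID_KEY = "application-identifier"

# Constructed: the profile plist as `security cms -D -i profile.mobileprovision` prints it,
# trimmed to the Entitlements dict. TEAMID.com.example.myapp is a placeholder App ID.
PROFILE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key><string>TEAMID.com.example.myapp</string>
    <key>com.apple.developer.networking.networkextension</key>
    <array>
      <string>app-proxy-provider</string><string>content-filter-provider</string>
      <string>packet-tunnel-provider</string><string>dns-proxy</string>
      <string>dns-settings</string><string>relay</string>
      <string>url-filter-provider</string><string>hotspot-provider</string>
    </array>
    <key>com.apple.security.application-groups</key>
    <array><string>group.my-app-group</string></array>
  </dict>
</dict></plist>
"""

# Constructed: the project's .entitlements file, i.e. what the developer intends to claim.
INTENDED_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.developer.networking.networkextension</key>
  <array><string>packet-tunnel-provider</string></array>
  <key>com.apple.security.application-groups</key>
  <array><string>group.my-app-group</string></array>
</dict></plist>
"""

# Constructed: what `codesign -d --entitlements - MyApp.app` might report after a build step
# mistakenly copied the profile's whole NE array into the signature.
SIGNATURE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>application-identifier</key><string>TEAMID.com.example.myapp</string>
  <key>com.apple.developer.networking.networkextension</key>
  <array>
    <string>app-proxy-provider</string><string>content-filter-provider</string>
    <string>packet-tunnel-provider</string><string>dns-proxy</string>
    <string>dns-settings</string><string>relay</string>
    <string>url-filter-provider</string><string>hotspot-provider</string>
  </array>
  <key>com.apple.security.application-groups</key>
  <array><string>group.my-app-group</string></array>
</dict></plist>
"""


def load_entitlements(xml: bytes) -> dict[str, Any]:
    """Parse an entitlements plist (a .entitlements file or codesign output) into a dict."""
    return plistlib.loads(xml)


def profile_allowlist(profile_xml: bytes) -> dict[str, Any]:
    """Pull the Entitlements dict out of a decoded profile; this dict is the allowlist."""
    return plistlib.loads(profile_xml)["Entitlements"]


def _values(v: Any) -> set:
    """Treat array entitlements as sets of values and scalars as one-element sets."""
    return set(v) if isinstance(v, list) else {v}


def not_allowed(claimed: dict, allowed: dict) -> dict[str, list]:
    """Entitlement values the signature claims that the profile does not grant.
    An empty result means the signature fits inside the allowlist."""
    out = {}
    for key, value in claimed.items():
        extra = _values(value) - _values(allowed.get(key, []))
        if extra:
            out[key] = sorted(extra)
    return out


def beyond_intent(claimed: dict, intended: dict) -> dict[str, list]:
    """Values in the signature that the .entitlements file never asked for (build-step drift).
    Keys absent from the .entitlements file, such as application-identifier, which Xcode
    fills in from the profile, are ignored."""
    return not_allowed({k: v for k, v in claimed.items() if k in intended}, intended)


if __name__ == "__main__":
    allowed = profile_allowlist(PROFILE_XML)
    claimed = load_entitlements(SIGNATURE_XML)
    intended = load_entitlements(INTENDED_XML)
    print("not granted by profile:", not_allowed(claimed, allowed) or "none")
    print("beyond .entitlements  :", beyond_intent(claimed, intended) or "none")
```

Run against the samples, the first check is clean: everything the drifted signature claims is inside the profile allowlist, which is exactly why an over-broad profile is not the problem. The second check is what surfaces the Validate App error: the signature carries seven NE values, url-filter-provider among them, that the .entitlements file never requested, so the build step that produced the signature is where to look.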

Okay, makes sense. Thanks for the explanation. I tweaked some of my build steps a bit and got it working. Basically I am trying to build an SDK that contains a packet tunnel provider, and the signature and bundle identifier requirements for the extension are giving me headaches, since for an SDK I cannot really know the host app bundle identifier or signing information at my build time.

Anyway, thanks a lot. This will most likely help me going forward.
