Technical Q&A QA1798

Checking Distribution Entitlements

Q:  How can I verify that my submission to the App Store was code signed and entitled correctly?

A: During the app distribution process through the Xcode Organizer > Archives tab, entitlements are set onto the app by way of the provisioning profile used for code signing. Because entitlements are re-applied at this phase, the distribution build's entitlements can unintentionally differ from those of any development builds you tested earlier. The primary purpose of this document is to help you verify that the entitlements are correct on the distribution builds you use for beta testing and App Store submission.

Inspecting distribution build entitlements while submitting an app in Xcode

Xcode shows the distribution build's entitlements in the Summary pane during the submission workflow. This is the last opportunity you have to visually ensure that your app contains the expected entitlements before submitting your app for review.

Figure 1  Distribution build entitlements preview in Xcode.

Creating an .ipa file to check the entitlements of an iOS app store submission

As an alternative to Xcode's entitlements preview, you can check the entitlements of an iOS App Store submission by first creating and inspecting an .ipa file. The following steps outline the process.

Making an Inspectable .ipa file

  1. In the Xcode Organizer, instead of Submit to the iOS App Store, choose Save for Enterprise or Ad-Hoc Deployment. This will create a local copy of the .ipa file that would be submitted to the App Store.

  2. When asked to choose the provisioning profile to sign with, select the same distribution profile you use when submitting to the App Store. Take a screenshot of your choice (command-shift-3) so you can verify this step later. During submission, this screenshot will be the only record you have identifying which profile was used to sign the app.

  3. When asked to save the package, uncheck Save for Enterprise Distribution, then save the .ipa file.

Checking the Entitlements of an .ipa file

  1. Find the .ipa file and change its extension to .zip.

  2. Expand the .zip file. This will produce a Payload folder containing your .app bundle.

  3. Use the codesign tool to check the entitlements on the .app bundle like this:

    $ codesign -d --entitlements :- "Payload/YourApp.app"

    where YourApp.app is the actual name of your .app bundle.

  4. Use the security tool to check the entitlements of the app's embedded provisioning profile:

    $ security cms -D -i "Payload/YourApp.app/embedded.mobileprovision"

    where YourApp.app is the actual name of your .app bundle.

Checking the Entitlements of an OS X app Submission to the Mac App Store

As an alternative to Xcode's entitlements preview, you can check the entitlements of an OS X App Store submission by first exporting and inspecting a .pkg file. The following steps outline the process.

Making an Inspectable .app bundle

  1. In the Xcode Organizer, instead of Submit to the Mac App Store, choose Export as Mac Installer Package. That will create a local copy of the .pkg file that would be submitted to the Mac App Store.

  2. When asked to choose a provisioning profile to sign with, select the same distribution profile you use when submitting to the Mac App Store. Take a screenshot of your choice (command-shift-3) so you can verify this step later. During submission, this screenshot is the only record you'll have that identifies which profile was used to sign the app.

  3. Save the .pkg file when prompted.

  4. Use the pkgutil tool to expand the package into its components:

    $ pkgutil --expand "YourApp.pkg" Expanded_pkg

    where YourApp.pkg is the actual name of the package you created in the previous step.

  5. Expand the compressed payload inside the package using the open tool or by double-clicking it:

    $ open Expanded_pkg/com.yourcompany.yourapp/Payload

    where com.yourcompany.yourapp is the actual bundle ID of your app.

Checking the Entitlements of an .app bundle

Use the codesign tool to check the entitlements on the .app bundle like this:

$ codesign -d --entitlements - "Expanded_pkg/com.yourcompany.yourapp/YourApp.app"

where YourApp.app is the actual name of your .app bundle.

Use the security tool to check the entitlements of the app's embedded provisioning profile:

$ security cms -D -i "Expanded_pkg/com.yourcompany.yourapp/YourApp.app/embedded.provisionprofile"

where YourApp.app is the actual name of your .app bundle.
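
The two outputs gathered above (from codesign and from security cms, in either the iOS .ipa or the OS X .pkg procedure) can be compared mechanically rather than by eye. The following Python code is an added example, not part of the original Q&A or of Apple's tooling; its function names and sample values are constructed for illustration. It assumes each output was saved as XML property list text, that every signed entitlement should be covered by the profile's Entitlements dictionary, and that a trailing * in a profile value acts as a prefix wildcard.

```python
import plistlib

def load_plist(raw: bytes) -> dict:
    # Skip any bytes before the XML declaration or after </plist> in saved output.
    start, end = raw.find(b"<?xml"), raw.rfind(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no XML property list found")
    return plistlib.loads(raw[start:end + len(b"</plist>")])

def allowed(signed, granted) -> bool:
    """True if a signed entitlement value is covered by the profile's value."""
    if isinstance(granted, str) and granted.endswith("*"):
        # Assumption of this example: a trailing "*" is a prefix wildcard.
        items = signed if isinstance(signed, list) else [signed]
        return all(isinstance(s, str) and s.startswith(granted[:-1]) for s in items)
    if isinstance(granted, list):
        items = signed if isinstance(signed, list) else [signed]
        return all(any(allowed(s, g) for g in granted) for s in items)
    return type(signed) is type(granted) and signed == granted

def compare(signed_xml: bytes, profile_xml: bytes) -> list:
    """Return (key, problem) pairs for signed entitlements the profile does not cover."""
    signed = load_plist(signed_xml)
    profile = load_plist(profile_xml)["Entitlements"]
    problems = []
    for key, value in sorted(signed.items()):
        if key not in profile:
            problems.append((key, "not in profile"))
        elif not allowed(value, profile[key]):
            problems.append((key, "value not covered by profile"))
    return problems

# Constructed sample data standing in for the two saved command outputs.
SIGNED = plistlib.dumps({
    "application-identifier": "ABCDE12345.com.example.yourapp",
    "aps-environment": "development",
    "com.apple.security.application-groups": ["group.com.example.yourapp"],
    "get-task-allow": False,
    "keychain-access-groups": ["ABCDE12345.com.example.yourapp"],
})
PROFILE = plistlib.dumps({"Name": "Constructed profile", "Entitlements": {
    "application-identifier": "ABCDE12345.com.example.yourapp",
    "aps-environment": "production",
    "get-task-allow": False,
    "keychain-access-groups": ["ABCDE12345.*"],
}})

if __name__ == "__main__":
    for key, problem in compare(SIGNED, PROFILE):
        print(f"{key}: {problem}")
```

To use it on a real build, redirect the output of each command to a file and pass the file contents to compare().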

Troubleshooting Entitlement Mismatches

Follow these steps if an entitlement is not set as expected.

1. Log into Certificates, Identifiers & Profiles > (iOS or OS X) > Provisioning Profiles > Distribution.

2. Follow the steps in Refreshing Provisioning Profiles in Xcode to ensure that Xcode's provisioning profile library is up to date.

3. Click "Distribute..." on the Xcode > Organizer > Archives tab and choose the distribution profile within the Provisioning Profile selection menu. Take a screenshot of your choice (command-shift-3) so you can verify this step later. During submission, this screenshot will be the only record you have that identifies which profile was used to sign the app.

Related Material

For troubleshooting general entitlement problems, see TN2415 - Entitlements Troubleshooting.



Document Revision History


Date        Notes
2015-10-08  Cover Xcode's new entitlements preview. Fix error in profile entitlements command.
2014-09-10  Add requirement to check app's embedded provisioning profile.
2014-05-06  Additional troubleshooting.
2014-02-24  New document that describes how to check entitlements on development or distribution builds for accuracy before installation or submission.