Reputation: 2195
iOS deployment fails with invalid entitlements - but entitlements are valid?
My colleague has made some changes recently to our app, and enabled Data Protection.
However, ever since, we're unable to deploy the app to any real device. The error happens at application verification with this error:
ApplicationVerificationFailed: Failed to verify code signature of /private/var/installd/Library/Caches/com.apple.mobile.installd.staging/temp.YDQn6e/extracted/[appname].app : 0xe8008016 (The executable was signed with invalid entitlements.)
(Due to NDA requirements I have to hide any identifying information from any logs, and such, I replaced them with static labels in [] brackets).
I've checked the entitlements using Apple's own guide, using the security and codesign tools.
codesign output the following information:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>get-task-allow</key>
<false/>
<key>application-identifier</key>
<string>[teamId].[appname]</string>
<key>com.apple.developer.team-identifier</key>
<string>[teamId]</string>
<key>aps-environment</key>
<string>production</string>
<key>keychain-access-groups</key>
<array>
<string>[teamId].[appname]</string>
</array>
</dict>
</plist>
And here is the output of the security command:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AppIDName</key>
<string>[appPublicName]</string>
<key>ApplicationIdentifierPrefix</key>
<array>
<string>[teamId]</string>
</array>
<key>CreationDate</key>
<date>2017-07-06T11:55:52Z</date>
<key>Platform</key>
<array>
<string>iOS</string>
</array>
<key>DeveloperCertificates</key>
<array>
<data>[devCert]</data>
</array>
<key>Entitlements</key>
<dict>
<key>keychain-access-groups</key>
<array>
<string>[teamId].*</string>
</array>
<key>get-task-allow</key>
<false/>
<key>application-identifier</key>
<string>[teamId].[appname]</string>
<key>com.apple.developer.associated-domains</key>
<string>*</string>
<key>com.apple.developer.team-identifier</key>
<string>[teamId]</string>
<key>aps-environment</key>
<string>production</string>
</dict>
<key>ExpirationDate</key>
<date>2018-04-25T13:18:41Z</date>
<key>Name</key>
<string>[appPublicName]</string>
<key>ProvisionedDevices</key>
<array>
[provisioned devices]
[The device I'm trying to deploy to is listed here]
</array>
<key>TeamIdentifier</key>
<array>
<string>[teamId]</string>
</array>
<key>TeamName</key>
<string>[teamName]</string>
<key>TimeToLive</key>
<integer>293</integer>
<key>UUID</key>
<string>[id]</string>
<key>Version</key>
<integer>1</integer>
</dict>
</plist>
What on earth is going wrong here?
Upvotes: 0
Views: 1430
Answers (1)
Reputation: 13619
Updating entitlements in an iOS app requires a couple of steps if you are not using automatic code signing. You need to update both the application's project and the provisioning profile used to build the app. If the two are out of sync (or more precisely, if your app is trying to use an entitlement not allowed by the provisioning profile's allowed entitlements, you will get this error.
When changing entitlements, you need to update the entitlements in the project itself (as documented here) as well as in the provisioning profile. I suspect this is all you have done so far.
To update the entitlements in your provisioning profile, log into the Apple developer site and go to the "Certificates, Identifiers & Profiles" section. Select Application IDs on the left, and find the app ID for the app you are trying to build. Click the edit button and turn on the entitlement for Data Protection. Once you have done this, click "Done". The App ID is now configured, but you'll need to regenerate your provisioning profile to pick up the changes to your app ID. Go to the Provisioning Profiles link on the left, find your profile for the app ID, click Edit, then click the Generate button at the bottom. Once done, click the download button to get the new profile that has the new entitlements for the App ID.
Also, just to be safe, I would delete all your old provisioning profiles from the Mac before downloading and installing the new one. That way you can be sure it is picking up the correct provisioning profile. You can find the location of the provisioning profiles here.
Upvotes: 2
Related Questions
- Entitlements don't match Provisioning Profile (0xE8008016)
- Entitlements file do not match those specified in your provisioning profile.(0xE8008016)
- In-house provisioning not working
- Code Signing Entitlements file do not match those specified in your provisioning profile.
- xcode the signature was invalid contains disallowed entitlements Error in ios
- Entitlements Do Not Match: Provisioning Profile Issue
- entitlement 'application-identifier' has value not permitted by a provisioning profile
- Entitlement has value not permitted by a provisioning profile error
- "Entitlement has value not permitted by a provisioning profile", but it does not
- Entilements not matching provisioning