Invalid Code Signing Entitlements on ITC after code signing with xctool and xcodebuild in build scripts


I'm writing some build scripts for a continuous-integration situation where the code will be deployed on another machine, and needs to be able to build and correctly sign an Xcode Project, followed by a scripted upload to ITC. So far I was able to work out the build and archive to .ipa, verify the code signing, but ITC is failing with the following error. Why would this error be occurring and what can I add to fix this situation?

Error on ITC after upload of .ipa:

Invalid Code Signing Entitlements. The entitlements in your app bundle signature do not match the ones that are contained in the provisioning profile. According to the provisioning profile, the bundle contains a key value that is not allowed: '[ "AAAAAAAA.com.domain.Product" ]' for the key 'keychain-access-groups' in 'Payload/Product.app/Product'

Note that on the target build machine I install the .mobileprovision file in "$HOME/Library/Provisioning Profiles", and create a custom keychain that has the relevant .cert and .p12 private key, such that the build can sign the file. This took quite a bit of finagling until xctool finally recognized the key and profile.

I'm using the same Distribution App Store certificate and provisioning profile that I can use on Xcode on my machine, where this works fine.

Here is how I'm building the code and archiving the ipa.

xctool -project ./$PROJECT_NAME.xcodeproj \
       -scheme $SCHEME \
       -configuration Release \
       CODE_SIGN_IDENTITY="${IDENTITY}" \
       PROVISIONING_PROFILE="${PROVISIONING_PROFILE_UUID}" \
       OTHER_CODE_SIGN_FLAGS="--keychain $HOME/Library/Keychains/$KEYCHAIN" \
       clean archive \
       -archivePath ./$PROJECT_NAME.xcarchive

xcodebuild -exportArchive -archivePath ./$PROJECT_NAME.xcarchive \
           -exportPath $PROJECT_NAME \
           -exportFormat ipa \
           -exportProvisioningProfile "$PROVISIONING_PROFILE_NAME"

I'm also able to verify the unzipped ipa app is signed, if that means anything. It certainly fails if the signing doesn't occur as above.

$ codesign --verify -vvvv Payload/Product.app
Payload/Product.app: valid on disk
Payload/Product.app: satisfies its Designated Requirement

EDIT:

I did a build/archive/export using Xcode, which is accepted by ITC, and compared the result to the build generated by the scripts.

The scripted ipa is missing a file, archived-expanded-entitlements.xcent. This seems to be the root of the problem.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>AAAAAAA.com.domain.Product</string>
    <key>keychain-access-groups</key>
    <array>
            <string>AAAAAAA.com.domain.Product</string>
    </array>
</dict>
</plist>

There is 1 best solution below


Here is the fix I found that has worked.

Original .ipa creation line

xcodebuild -exportArchive -archivePath ./$PROJECT_NAME.xcarchive -exportPath $PROJECT_NAME -exportFormat ipa -exportProvisioningProfile "$PROVISIONING_PROFILE_NAME"

Replaced with this line:

xcrun -sdk iphoneos PackageApplication ./$PROJECT_NAME.xcarchive/Products/Applications/$PROJECT_NAME.app \
     -o "$(pwd)/$PROJECT_NAME.ipa" \
     --sign "$IDENTITY" \
     --embed "$PROVISIONING_PROFILE_FILE"

This also required setting the "Code Signing Resource Rules Path" setting in Xcode to have a value of "$(SDKROOT)/ResourceRules.plist", since it throws an error about this otherwise. Not happy with needing to do this for every project, but it's a one time thing and solved the problem.
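A pre-flight version of the check that produced the ITC rejection above, added here as an example and not part of the poster's scripts: every key in the app's signed entitlements must also appear in the profile's Entitlements dict, and each value must equal the profile's value or match its TEAMID.* wildcard. On macOS the two plists would normally come from `codesign -d --entitlements :- Payload/Product.app` and `security cms -D -i Product.mobileprovision` (assumed workflow; the exact output framing of `codesign --entitlements` varies between macOS releases, so strip any non-XML header before parsing). The plists embedded below are constructed samples with a made-up team prefix, and the profile generator is a stand-in for a real decoded profile, not something Xcode produces.

```python
"""Pre-upload check: are the entitlements in a signed app allowed by its provisioning profile?

Added example, not the poster's script. Inputs are constructed so the check runs offline;
on a Mac they would be the output of `codesign -d --entitlements :- <app>` and
`security cms -D -i <profile>` (assumed workflow).
"""
import fnmatch
import plistlib

# Constructed: entitlements as embedded in the signed binary (same shape as the
# archived-expanded-entitlements.xcent in the question; AAAAAAA is a made-up team prefix).
APP_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>AAAAAAA.com.domain.Product</string>
    <key>keychain-access-groups</key>
    <array>
        <string>AAAAAAA.com.domain.Product</string>
    </array>
</dict>
</plist>
"""


def _profile(team: str) -> bytes:
    """Constructed stand-in for a decoded App Store profile issued to team `team`."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Name</key>
    <string>Product App Store</string>
    <key>Entitlements</key>
    <dict>
        <key>application-identifier</key>
        <string>{team}.*</string>
        <key>keychain-access-groups</key>
        <array>
            <string>{team}.*</string>
        </array>
        <key>get-task-allow</key>
        <false/>
        <key>com.apple.developer.team-identifier</key>
        <string>{team}</string>
    </dict>
</dict>
</plist>
""".encode()


MATCHING_PROFILE = _profile("AAAAAAA")    # same team as the app: should pass
OTHER_TEAM_PROFILE = _profile("BBBBBBB")  # another team's profile: should be rejected

# Constructed: the same app as a development build would sign it (get-task-allow = true),
# which an App Store profile must refuse.
DEV_APP_ENTITLEMENTS = dict(plistlib.loads(APP_ENTITLEMENTS), **{"get-task-allow": True})


def profile_entitlements(profile_plist: bytes) -> dict:
    """Return the Entitlements dict of a decoded .mobileprovision."""
    return plistlib.loads(profile_plist)["Entitlements"]


def _allowed(value, pattern) -> bool:
    """One app value is allowed if it matches the profile's value or TEAMID.* wildcard."""
    if isinstance(value, str) and isinstance(pattern, str):
        return fnmatch.fnmatchcase(value, pattern)  # '*' matches across dots, as profiles expect
    return value == pattern                          # booleans and other scalars must be identical


def entitlement_mismatches(app_ents: dict, profile_ents: dict) -> list:
    """Return human-readable problems; an empty list means every app entitlement is permitted."""
    problems = []
    for key, value in app_ents.items():
        if key not in profile_ents:
            problems.append(f"key '{key}' is not in the provisioning profile")
            continue
        granted = profile_ents[key]
        patterns = granted if isinstance(granted, list) else [granted]
        values = value if isinstance(value, list) else [value]
        for item in values:
            if not any(_allowed(item, p) for p in patterns):
                problems.append(f"value {item!r} is not allowed for key '{key}'")
    return problems


def check(app_plist: bytes, profile_plist: bytes) -> list:
    """Parse both plists and compare the app's entitlements against the profile's."""
    return entitlement_mismatches(plistlib.loads(app_plist), profile_entitlements(profile_plist))


if __name__ == "__main__":
    for label, profile in (("matching team", MATCHING_PROFILE), ("other team", OTHER_TEAM_PROFILE)):
        found = check(APP_ENTITLEMENTS, profile)
        print(f"{label}: {'OK' if not found else found}")
```

Run it as a script to see the matching profile pass and the other-team profile report both `application-identifier` and `keychain-access-groups` as not allowed, which is the same class of mismatch the ITC error message describes. In a CI pipeline the natural place for this is between the PackageApplication step and the upload, with the real plists fed in from the signed `Payload/Product.app` and the profile that was embedded.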