Could not disable Game Center in my App ID for macOS

App Review looks at the entitlements in your app, not the entitlements in your provisioning profile. Do this:

1. In the Organizer, click Distribute App.

2. Select App Store Connect and click Next.

3. Select Export and click Next.

4. Continue the export process.

5. Unpack the resulting product.

6. In Terminal, run the following command to dump your entitlements:

Code Block  
		 % codesign -d --entitlements :- /path/to/your.app
		

What do you see?

Repeat step 6 for every code item in your app.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

@eskimo thanks a million for the reply!

You're right, it contains the Game Center item:

Code Block 
com.apple.developer.game-center
true

But I'm curious since I'm pretty sure my App.entitlements does not contains Game Center lines. Could you please show me a clear path how to solve this glitch?

Kindly Regards,

Yang.Y

Are you using Xcode? If so, what version?

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

Yes, I'm using Xcode version 11.6 (11E708) and macOS version 10.15.6 (19G73) for building, archiving, and distributing.

Here is the content of App.entitlements file:

Code Block 
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.developer.icloud-container-identifiers</key>
	<array>
		<string>iCloud.$(CFBundleIdentifier)</string>
	</array>
	<key>com.apple.developer.icloud-services</key>
	<array>
		<string>CloudDocuments</string>
	</array>
	<key>com.apple.developer.ubiquity-container-identifiers</key>
	<array>
		<string>iCloud.$(CFBundleIdentifier)</string>
	</array>
	<key>com.apple.security.app-sandbox</key>
	<true/>
	<key>com.apple.security.application-groups</key>
	<array>
		<string>$(TeamIdentifierPrefix)xx.yy.zz</string>
		<string>$(TeamIdentifierPrefix)xx.yy</string>
	</array>
	<key>com.apple.security.files.downloads.read-write</key>
	<true/>
	<key>com.apple.security.files.user-selected.read-write</key>
	<true/>
	<key>com.apple.security.network.client</key>
	<true/>
	<key>keychain-access-groups</key>
	<array>
		<string>$(AppIdentifierPrefix)xx.yy.zz</string>
	</array>
</dict>
</plist>

The same results when I repeat above 6 steps for elder archives which approved by App Review weeks or months ago, no entitlements changes, only code changes.

@eskimo thanks for pay attention to this problem, let know if you need further information or testing.

Kindly Regards,

Yang

Yes, I'm using Xcode version 11.6

Cool. Older versions of Xcode would try to merge the entitlements in your profile with the entitlements in your .entitlements file, which could cause problems like this, but that’s definitely not the case with Xcode 11.

Does the problem reproduce with a development build of your app? That is, if you do a standard build (choose Product > Build) and then dump the entitlements of the resulting app (using the codesign command from above), does it have com.apple.developer.game-center set?

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

@eskimo, here is the result of the development build:

Code Block 
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
				<key>com.apple.application-identifier</key>
				<string>EEEEE.x.y.z</string>
				<key>com.apple.developer.game-center</key>
				<true/>
				<key>com.apple.developer.icloud-container-identifiers</key>
				<array>
								<string>iCloud.x.y.z</string>
				</array>
				<key>com.apple.developer.icloud-services</key>
				<array>
								<string>CloudDocuments</string>
				</array>
				<key>com.apple.developer.team-identifier</key>
				<string>EEEEEEEEEE</string>
				<key>com.apple.developer.ubiquity-container-identifiers</key>
				<array>
								<string>iCloud.***.yyy</string>
				</array>
				<key>com.apple.security.app-sandbox</key>
				<true/>
				<key>com.apple.security.application-groups</key>
				<array>
								<string>***.yyy.zzz</string>
								<string>***.yyy</string>
				</array>
				<key>com.apple.security.files.downloads.read-write</key>
				<true/>
				<key>com.apple.security.files.user-selected.read-write</key>
				<true/>
				<key>com.apple.security.get-task-allow</key>
				<true/>
				<key>com.apple.security.network.client</key>
				<true/>
				<key>keychain-access-groups</key>
				<array>
								<string>***.yyy.zzz</string>
				</array>
</dict>
</plist>

It has com.apple.developer.game-center set.

Older versions of Xcode would try to merge the entitlements…

How older? I always trying to keep my Xcode up to date, but this problem seems exist for a long time.

Do you have any method to eliminate com.apple.developer.game-center from exported app? App Review Board rejected my appeal with a templated email, now I'm stuck 😭

Kindly Regards,

Yang

How older?

I think we fixed this in Xcode 9. It’s definitely fixed in Xcode 10.

here is the result of the development build:

…

It has com.apple.developer.game-center set.

That’s actually good news because the build process for a developer build is much more transparent. Do a clean build and then export the full build transcript (go to the Report navigator, select your build on the left, and then click the Export button in the editor). You’ll find a Sign (code signing) step towards the end. This takes an entitlement file as an input (not the .entitlements file your source code, but an .xcent file that Xcode has built from that). You can look at that file to see whether the entitlement is present (I expect it will be). You can trace back through the build process to find the steps that created the .xcent file, and examine each of their inputs.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

I did a clean build, in the exported build transcript, there are two commands contain the relevant xcent file:

Code Block 
Entitlements:
{
    "com.apple.application-identifier" = "EEEEE.x.y.z";
    "com.apple.developer.game-center" = 1;
    "com.apple.developer.icloud-container-identifiers" =     (
        "iCloud.xx.yy.zz"
    );
    "com.apple.developer.icloud-services" =     (
        CloudDocuments
    );
    "com.apple.developer.team-identifier" = EEEEEEEEEE;
    "com.apple.developer.ubiquity-container-identifiers" =     (
        "iCloud.xx.yy.zz"
    );
    "com.apple.security.app-sandbox" = 1;
    "com.apple.security.application-groups" =     (
        "EEEEEEE.***.yyy.zzz",
        "EEEEEEE.***.yyy"
    );
    "com.apple.security.files.downloads.read-write" = 1;
    "com.apple.security.files.user-selected.read-write" = 1;
    "com.apple.security.get-task-allow" = 1;
    "com.apple.security.network.client" = 1;
    "keychain-access-groups" =     (
        "EEEEEEE.xx.yy.zz"
    );
}
    builtin-productPackagingUtility -entitlements -format xml -o [USERHOME]/Library/Developer/Xcode/DerivedData/[APPWORKSPACE]-ftmmaepwxuqgfmgphytjtotwjrsu/Build/Intermediates.noindex/[APPNAME].build/Debug/[APPNAME].build/[APPNAME].app.xcent

and:

Code Block 
    cd [USERHOME]/[APPWORKSPACE]
    export CODESIGN_ALLOCATE=/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate
    
Signing Identity:     "Apple Development: Yang (XXXXXXXXXX)"
Provisioning Profile: "Mac Team Provisioning Profile: [APP ID]]"
                      (xxxxx-yyyyy-zzzzz-wwwww)
    /usr/bin/codesign --force --sign EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE -o runtime --entitlements [USERHOME]/Library/Developer/Xcode/DerivedData/[APPWORKSPACE]-ftmmaepwxuqgfmgphytjtotwjrsu/Build/Intermediates.noindex/[APPNAME].build/Debug/[APPNAME].build/[APPNAME].app.xcent --timestamp=none /[USERHOME]/Library/Developer/Xcode/DerivedData/[APPWORKSPACE]-ftmmaepwxuqgfmgphytjtotwjrsu/Build/Products/Debug/[APPNAME].app

Both Entitlements: section and [APPNAME].app.xcent have com.apple.developer.game-center set. No idea what builtin-productPackagingUtility exactly do, and seems the first command has no input, maybe Entitlements: section is the input?

Kindly Regards,

Yang

@eskimo I notice Entitlements.plist file in following command also have com.apple.developer.game-center set to true:

Code Block 
WriteAuxiliaryFile [USERHOME]/Library/Developer/Xcode/DerivedData/[APPWORKSPACENAME]-ftmmaepwxuqgfmgphytjtotwjrsu/Build/Intermediates.noindex/[APPNAME].build/Debug/[APPNAME].build/DerivedSources/Entitlements.plist (in target '[APPNAME]' from project '[APPNAME]')
    cd [APPWORKSPACE]
    write-file [USERHOME]/Library/Developer/Xcode/DerivedData/[APPWORKSPACENAME]-ftmmaepwxuqgfmgphytjtotwjrsu/Build/Intermediates.noindex/[APPNAME].build/Debug/[APPNAME].build/DerivedSources/Entitlements.plist

That WriteAuxiliaryFile step is effectively copying the .entitlements file from your target to the DerivedSources sources directory. If the destination file has com.apple.developer.game-center, it’s almost certain that the source file has that set too.

Earlier you wrote:

But I'm curious since I'm pretty sure my App.entitlements does not
contains Game Center lines.

The most likely explanation here is that you’re looking at the wrong .entitlements file. Check the Code Signing Entitlements build setting (CODE_SIGN_ENTITLEMENTS) to confirm that you have the right file.

---

Also, consider this:

1. Create a new project from the iOS > Single View App template.

2. Configure code signing in Signing & Capabilities.

3. Add the Game Center and Keychain Sharing capabilities (you don’t need to add any keychain access groups, just add that capability and leave it empty).

4. Build.

You’ll see that the keychain-access-groups entitlement flows through .xcent file as expected. However, there’s no mention of the com.apple.developer.game-center entitlement at all. If you dump the app’s entitlements you’ll see this:

Code Block  
% codesign -d --entitlements :- Test657552.app
…
<dict>
  <key>application-identifier</key>
  <string>SKMME9E2Y8.com.example.apple-samplecode.Test657552</string>
  <key>com.apple.developer.team-identifier</key>
  <string>SKMME9E2Y8</string>
  <key>get-task-allow</key>
  <true/>
  <key>keychain-access-groups</key>
  <array/>
</dict>
</plist>

And the profile’s entitlement allowlist shows this:

Code Block  
% security cms -D -i Test657552.app/embedded.mobileprovision 
…
<dict>
  …
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key>
    <string>SKMME9E2Y8.com.example.apple-samplecode.Test657552</string>
    <key>keychain-access-groups</key>
    <array>
    <string>SKMME9E2Y8.*</string>
      <string>com.apple.token</string>
    </array>
    <key>get-task-allow</key>
    <true/>
    <key>com.apple.developer.team-identifier</key>
    <string>SKMME9E2Y8</string>
  </dict>
  …
</dict>
</plist>

Again, no mention of com.apple.developer.game-center. This is because Game Center isn’t a real entitlement. Rather, Game Center is available to all apps use an explicit App ID provisioning profile.

You’ll see this reflected on the developer web site. If you go to create a new App ID, you have two options:

• Explicit

• Wildcard

In the former case, Game Center > iOS is always checked. In the latter, it’s always unchecked.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

@eskimo I checked the Code Signing Entitlements build setting (CODE_SIGN_ENTITLEMENTS), and I confirm that I have the right file.

Since the forum does not support attaching screenshot, I wrote a letter with screenshots to you, I hope you'll take the time to read it.

It's a macOS app, not a iOS app. Another macOS app of mine does not have the Game Center problem, it got reviewed and updated without problem. But its Game Center enabled on iOS, not macOS.

My gut is telling me that this problem is related to App Identifier or Xcode didn’t fix this thoroughly.

Thanks again for helping,

Yang

My gut is telling me that this problem is related to App Identifier or
Xcode didn’t fix this thoroughly.

Given that we’ve ruled out all the standard causes of problems like this, my advice is that you open a DTS tech support incident so that I can spend more time investigating this.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

@eskimo, I just requested a DTS as you suggested, the follow-up number is 744221113.

Kindly Regards,

Yang.Y

@eskimo, hello!

I just faced the same issue while updating my macOS game.

My entitlements are:

<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.network.client</key>
<true/>

But when I try to upload a build to AppStoreConnect, I see com.apple.developer.game-center entitlement added.

The issue only affect version with in-app purchase enabled. The version without in-app purchase is not affected.

Any news or ideas about how the case can be resolved?

Any news or ideas about how the case can be resolved?

Yeah, but it’s not exactly satisfactory:

• One bug was filed requesting that Xcode not automatically set the Game Center entitlement just because the capability is enabled in the profile (FB8596548). That was closed as “behaves correctly”, for reasons I’m not able to adequately explain.

• Another bug was filed requesting that the developer web site allow developers to disable this capability (FB8596394). I’m not able to check on its status but, based on the fact that you’ve reanimated this thread, it sounds like it hasn’t been fixed.

• yang.y was able to ship their app by convincing App Review that there’s no reasonable way for them to disable this entitlement (based on the bugs above), and at that point I stopped pushing on this )-:

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"