Entitlements stripped during upload to TestFlight with altool

On our CI (GitHub Actions) we are signing our .ipa with codesign and after that upload the resulting .ipa with altool to TestFlight.

The problem is that the entitlements added by codesign no longer appear when we view the build on TestFlight.

The app requires entitlements for push notification and for associated domains.

codesign -s Distribution prod.entitlements prod.ipa

Immediately after we do a

codesign --verbose --display --entitlements -

and the entitlements show fine.

Next command is

xcrun altool --upload-app --type ios -f prod.ipa  --apiKey $api_key_id --apiIssuer $appstore_api_key_issuer

To us it seems like altool strips the entitlements from the .ipa.

What are we doing wrong?

Answered by DTS Engineer in 787228022

You’ve misunderstood how signing for distribution works. A .ipa file is basically a zip archive. Signing that makes no sense. Rather, you have to sign the binary within the zip archive.

The process I recommend is to create an Xcode archive and then export distribution stuff from that. To learn more about this, see Creating distribution-signed code for macOS. While that’s focused on the Mac, the same basic process works for iOS.

If you follow this process then you never need to re-sign a .ipa. That’s good, because doing that is a pain. You have to unpack the .ipa, re-sign the app within that, and then repack the .ipa. DTS doesn’t support this process. Indeed, we don’t support re-signing iOS apps at all. That’s why the above article is focused on the Mac. So, it’s best to avoid this tarpit by staying on the Xcode archive path.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
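A pre-upload check that follows the answer's point, as an added example (not Apple's code and not the asker's CI script): treat the .ipa as the zip it is, locate the .app under Payload/, and read the entitlements off that bundle's own code signature rather than trusting whatever was done to the archive. The two entitlement keys are assumed from the capabilities the question names (push notifications and associated domains); the `build_constructed_ipa` helper only builds a constructed fixture for offline use and carries no real signature.

```python
#!/usr/bin/env python3
"""Pre-upload check for an .ipa: find the .app inside the zip archive and read
the entitlements from the app's code signature, not from the archive itself.

Added example; not Apple's code and not the asker's CI script.
"""
import plistlib
import shutil
import subprocess
import sys
import tempfile
import zipfile
from pathlib import Path

# Assumed: the capabilities named in the question map to these entitlement keys.
REQUIRED_ENTITLEMENTS = ("aps-environment", "com.apple.developer.associated-domains")


def find_app_in_ipa(ipa_path):
    """Return the 'Payload/<Name>.app/' prefix inside the archive, or None.

    An .ipa is a plain zip; the signed artefact is the bundle under Payload/.
    """
    with zipfile.ZipFile(ipa_path) as zf:
        for name in zf.namelist():
            parts = name.split("/")
            if len(parts) >= 2 and parts[0] == "Payload" and parts[1].endswith(".app"):
                return f"Payload/{parts[1]}/"
    return None


def is_signed_bundle(ipa_path, app_prefix):
    """A sealed bundle carries _CodeSignature/CodeResources beside Info.plist.

    This only shows a seal is present; whether it verifies is codesign's job.
    """
    with zipfile.ZipFile(ipa_path) as zf:
        names = set(zf.namelist())
    return (app_prefix + "Info.plist" in names
            and app_prefix + "_CodeSignature/CodeResources" in names)


def entitlements_from_app(app_dir):
    """Ask codesign for the entitlements embedded in the app's signature.

    Returns a dict, or None when codesign is unavailable (non-macOS host).
    Raises CalledProcessError if the bundle is unsigned or the seal is broken.
    """
    if shutil.which("codesign") is None:
        return None
    out = subprocess.run(
        ["codesign", "-d", "--entitlements", ":-", str(app_dir)],
        capture_output=True, check=True).stdout
    return plistlib.loads(out)


def missing_entitlements(entitlements, required=REQUIRED_ENTITLEMENTS):
    """Required keys the signature does not carry, in a stable order."""
    return sorted(k for k in required if k not in entitlements)


def check_ipa(ipa_path, required=REQUIRED_ENTITLEMENTS):
    """Summarise what the App Store pipeline will actually see in this archive."""
    app_prefix = find_app_in_ipa(ipa_path)
    if app_prefix is None:
        return {"app": None, "signed": False, "entitlements": None, "missing": None}
    signed = is_signed_bundle(ipa_path, app_prefix)
    ents = {}
    if signed:
        with tempfile.TemporaryDirectory() as tmp:
            with zipfile.ZipFile(ipa_path) as zf:
                zf.extractall(tmp)
            try:
                ents = entitlements_from_app(Path(tmp) / app_prefix)
            except subprocess.CalledProcessError:
                signed, ents = False, {}  # seal present but does not verify
    missing = None if ents is None else missing_entitlements(ents, required)
    return {"app": app_prefix, "signed": signed, "entitlements": ents, "missing": missing}


def build_constructed_ipa(signed=True, name="Demo"):
    """Constructed fixture: a minimal .ipa layout with no real signature."""
    path = Path(tempfile.mkdtemp()) / f"{name}.ipa"
    prefix = f"Payload/{name}.app/"
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(prefix + "Info.plist", plistlib.dumps({"CFBundleExecutable": name}))
        zf.writestr(prefix + name, b"\xcf\xfa\xed\xfe")  # Mach-O magic bytes only
        if signed:
            zf.writestr(prefix + "_CodeSignature/CodeResources", b"<plist/>")
    return str(path)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_constructed_ipa()
    result = check_ipa(target)
    print(result)
    sys.exit(0 if result["signed"] and result["missing"] == [] else 1)
```

Run it against the real prod.ipa on the macOS build host before the altool step; a non-zero exit means the entitlements are not on the bundle's signature, which is exactly what TestFlight will report, so the fix belongs in the signing step (the Xcode archive and export path from the answer), not in the upload.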
