Can't automatically create distribution signed IPAs

I'm trying to create a bot to automatically make an iOS distribution IPA as described in the "What's New in Signing for Xcode and Xcode Server" session.


According to the session, I need to configure the Archives preference to be "Use Custom Export Options plist", and the plist I supplied looks as follows:


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-/
<plist version="1.0">
<dict>
  <key>signingStyle</key>
  <string>automatic</string>
  <key>method</key>
  <string>app-store</string>
</dict>
</plist>


Then, in the signing tab I have the two "Allow Xcode Server..." boxes checked, and my Developer team configured. I added my distrubution certificate as well.


When I integrate, what I see in the reports navigator:


Assertion: Provisioning profile "iOS Team Provisioning Profile: *" doesn't support the App Groups capability.
Assertion: Provisioning profile "iOS Team Provisioning Profile: *" doesn't support the group.com.mycompany.myapp App Group.
Assertion: Provisioning profile "iOS Team Provisioning Profile: *" doesn't include the com.apple.security.application-groups entitlement.
Assertion: Code signing is required for product type 'App Extension' in SDK 'iOS 11.0'


The app contains a couple of app extensions with it.


To further diagnose, I viewed the Raw Build log in the reports navigator. What I see at the end are the above assertions, labeled as Code Signing Errors. It looks like the last thing attempted was building my Today Extension:


=== BUILD TARGET myAppTodayExtension OF PROJECT myproject WITH CONFIGURATION Release ===
Check dependencies


What I see though is that earlier, several targets are built successfully: a dynamic framework, a Notification Service Extension, a Notification Content Extension, and a 3rd party library.


Going back to the errors, I took a look at the Target settings for my Today Extension. Clicking the "i" button next to Xcode Managed Profile says that the target has the app group capability, is part of the correct app group, and has the com.apple.security.application-groups entitlement.


So I'm not really sure what's going wrong here. Any help would be appreciated.

Replies

We have a similar issue, and I've traced it to App Groups.


This appears in the logs:


2017-10-17 16:02:24.279 xcodebuild[67534:543855]  DVTPortal: Service '<DVTPortalListAppGroupContainerService: 0x7fb367c267c0; action='listApplicationGroups'>' encountered an unexpected result code from the portal ('1200')


I tried to post more details, but that post was stuck in moderation for a week. (I'll re-post it as a reply here, maybe with any luck it will show up eventually)


So some API call to the portal to list app groups fails, and this breaks the automatic provisioning profile downloads. Verified that disabling app groups removes this error.

Here's a more complete log, removing URLs because allegedly that avoids moderation delays:


2017-10-17 16:02:24.154 xcodebuild[67534:543855]  DVTSigningCertificateSource: -[DVTSigningCertificate isIdentityOnKeychains:]: keychains (null)
2017-10-17 16:02:24.155 xcodebuild[67534:543855]  DVTSigningCertificateSource: -[DVTSigningCertificate isIdentityOnKeychains:]: <DVTSigningCertificate: 0x7fb361e744d0; name='iPhone Developer: OS X Server REDACTED...'>  is an identity
2017-10-17 16:02:24.279 xcodebuild[67534:543855]  DVTPortal: Service '<DVTPortalListAppGroupContainerService: 0x7fb367c267c0; action='listApplicationGroups'>' encountered an unexpected result code from the portal ('1200')
2017-10-17 16:02:24.279 xcodebuild[67534:543855]  DVTPortal: Error:
Error Domain=DVTPortalServiceErrorDomain Code=1200 "You are not allowed to perform this operation.  Please check with one of your Team Admins, or, if you need further assistance, please contact Apple Developer Program Support. [APPLE DEVELOPER SUPPORT WEBSITE]" UserInfo={payload=<CFBasicHash 0x7fb3657ac360 [0x7fffacb975b0]>{type = mutable dict, count = 10,
entries =>
0 : <CFString 0x7fb3657ac680 [0x7fffacb975b0]>{contents = "requestId"} = <CFString 0x7fb3657ac190 [0x7fffacb975b0]>{contents = "A204ECFA-565C-40DE-B7BA-4EBC6D218681"}
1 : responseId = <CFString 0x7fb3657acc10 [0x7fffacb975b0]>{contents = "f46ca70f-5000-4ef1-ba2c-52edc1c54590"}
2 : <CFString 0x7fffacabab38 [0x7fffacb975b0]>{contents = "protocolVersion"} = QH65B2
3 : <CFString 0x7fb3657acad0 [0x7fffacb975b0]>{contents = "requestUrl"} = <CFString 0x7fb3657acb10 [0x7fffacb975b0]>{contents = "HTTPS developerservices1 DOT apple DOT com /services/QH65B2/ios/listApplicationGroups.action"}
6 : <CFString 0x7fb3657aca70 [0x7fffacb975b0]>{contents = "userLocale"} = en_US
8 : resultCode = <CFNumber 0x4b037 [0x7fffacb975b0]>{value = +1200, type = kCFNumberSInt64Type}
9 : userString = <CFString 0x7fb3657ac810 [0x7fffacb975b0]>{contents = "You are not allowed to perform this operation.  Please check with one of your Team Admins, or, if you need further assistance, please contact Apple Developer Program Support. [APPLE DEVELOPER SUPPORT WEBSITE]"}
10 : <CFString 0x7fb3657ab750 [0x7fffacb975b0]>{contents = "resultString"} = <CFString 0x7fb3657ac810 [0x7fffacb975b0]>{contents = "You are not allowed to perform this operation.  Please check with one of your Team Admins, or, if you need further assistance, please contact Apple Developer Program Support. [APPLE DEVELOPER SUPPORT WEBSITE]"}
11 : httpCode = <CFNumber 0xc837 [0x7fffacb975b0]>{value = +200, type = kCFNumberSInt64Type}
12 : <CFString 0x7fb3657ac650 [0x7fffacb975b0]>{contents = "creationTimestamp"} = <CFString 0x7fb3657ac280 [0x7fffacb975b0]>{contents = "2017-10-17T23:02:24Z"}
}
, NSLocalizedDescription=You are not allowed to perform this operation.  Please check with one of your Team Admins, or, if you need further assistance, please contact Apple Developer Program Support. [APPLE DEVELOPER SUPPORT WEBSITE]}

We're seeing this same error with Xcode Server CI. When we disable automatic signing, it goes away, but then we get signing errors. I saw in your other thread that you used `fastlane sigh` to solve this. Is that still your solution?

I know this is a bit stale, but sadly still relevant as I'm experiencing this in Xcode 10 today. Did either of you find a way around this? Many thanks.

Yeah, I'm seeing this as well. I filed 2 radars for this (41271497 and 44704694), one is still open, one got closed.


Our current workaround, with automatic signing enabled on all machines, is a pre-build phase on the bot, which downloads all team profiles (fastlane has a one shot solution for that).

Then generate the certificates on your developer machine. For development builds this is done anyways, and for adhoc/distribution builds, it can be done by importing the built archive from Xcode server and going through the steps of exporting in Xcode's organizer.

No, unfortunately. I wound up just accepting that this wasn't going to work with Automatic signing.


In more recent months we've added CarPlay support which means we can't use Automatic signing anymore anyway, so may give this a try again soon.