Hello
Consider the following sequence of events:
Developer 1 takes package A.ipa, re-signs it with his own certificate, yielding B.ipa.
Developer 2 takes package B.ipa, re-signs it with his own certificate, yielding C.ipa.
Both certificates are developer certificates and the embedded provisioning profile is
a developer profile.
If Developer 1 or Developer 2 attempts to install B.ipa using their local Mac and iOS device,
it fails with 'invalid entitlements'. If Developer 2 attempts to install C.ipa it succeeds.
When I print the entitlements using 'codesign -d --entitlements - Payload/***.app' the
results are identical.
When I diff the provisioning profiles Payload/embedded.mobileprovision in both packages
the results are identical.
When I print the signature info using 'codesign -dv --verbose=4 Payload/***.app' in both
packages I see that the 'Authority' shows the correct certificate name. Comparing the
name with the information shown using 'Quick look' on the embedded provisioning profile
shows that both certificates are included in the profile.
To summarize: we have two ipas with identical entitlements and identical profiles, both
signed with certificates that are included in the profile, and one ipa fails to install and the
other doesn't. The error message 'invalid entitlements' doesn't even remotely make sense
in this context. Does anyone have an explanation of what exactly could have happened here?
The only difference I see between the two ipas is the certificate that was used to sign.
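
The checks in the post compare the two packages with each other. A complementary check compares one package's signed entitlements with the Entitlements dictionary of its own embedded profile and looks for the signing certificate in DeveloperCertificates. The sketch below is an added example, not part of the original post; the function names, the team ID and the certificate bytes are constructed, and the wildcard matching is a simplified assumption rather than the device's actual install logic.

```python
import hashlib
import plistlib

def profile_plist(blob: bytes) -> dict:
    """Pull the XML plist out of a CMS-wrapped embedded.mobileprovision."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no plist payload found in profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def covered(granted, claimed) -> bool:
    """True if the profile's value permits the value claimed in the signature."""
    if isinstance(granted, list):
        claims = claimed if isinstance(claimed, list) else [claimed]
        return all(any(covered(g, c) for g in granted) for c in claims)
    if isinstance(granted, str) and granted.endswith("*"):
        return isinstance(claimed, str) and claimed.startswith(granted[:-1])
    return granted == claimed

def check_signature(profile: dict, signed_ents: dict, cert_der: bytes) -> list:
    """List mismatches between a signature and its profile (simplified model,
    an assumption for illustration; not the device installer's actual logic)."""
    problems = []
    granted = profile.get("Entitlements", {})
    for key, value in signed_ents.items():
        if key not in granted:
            problems.append(f"{key}: not granted by profile")
        elif not covered(granted[key], value):
            problems.append(f"{key}: {value!r} not covered by {granted[key]!r}")
    listed = {hashlib.sha256(c).hexdigest() for c in profile.get("DeveloperCertificates", [])}
    if hashlib.sha256(cert_der).hexdigest() not in listed:
        problems.append("signing certificate not in DeveloperCertificates")
    return problems

# Constructed sample data: placeholder team ID and fake certificate bytes.
CERT_A, CERT_B = b"constructed-cert-A", b"constructed-cert-B"
SAMPLE_PROFILE = b"\x30\x80cms-header" + plistlib.dumps({
    "Entitlements": {"application-identifier": "ABCDE12345.*",
                     "get-task-allow": True,
                     "keychain-access-groups": ["ABCDE12345.*"]},
    "DeveloperCertificates": [CERT_A],
}) + b"cms-signature-bytes"
SIGNED_ENTS = {"application-identifier": "ABCDE12345.com.example.app",
               "get-task-allow": True,
               "keychain-access-groups": ["ABCDE12345.com.example.app"]}

if __name__ == "__main__":
    print(check_signature(profile_plist(SAMPLE_PROFILE), SIGNED_ENTS, CERT_B))
```

Run against real files, the inputs would be the bytes of Payload/***.app/embedded.mobileprovision, the entitlements plist printed by codesign, and the DER bytes of the signing certificate.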