xcodebuild archive fails ITMS validation

Our app has a WatchKit app + extension. Archives from the Xcode IDE always pass iTunes store validation. However, archives generated via xcodebuild command tools (Xcode 6.4; Build version 6E35b) fail this validation with the following errors:


ERROR ITMS-90163: "Invalid Code Signing Entitlements. The entitlements in your app bundle signature do not match the ones that are contained in the provisioning profile. The bundle contains a key that is not included in the provisioning profile: 'aps-environment' in 'Payload/TheDodo.app/PlugIns/DodoExtension.appex/DodoExtension'."

ERROR ITMS-90164: "Invalid Code Signing Entitlements. The entitlements in your app bundle signature do not match the ones that are contained in the provisioning profile. According to the provisioning profile, the bundle contains a key value that is not allowed: '##########.###.##########.######' for the key 'application-identifier' in 'Payload/TheDodo.app/PlugIns/TheDodoWatchKitExtension.appex/TheDodoWatchKitExtension'"

ERROR ITMS-90163: "Invalid Code Signing Entitlements. The entitlements in your app bundle signature do not match the ones that are contained in the provisioning profile. The bundle contains a key that is not included in the provisioning profile: 'aps-environment' in 'Payload/TheDodo.app/PlugIns/TheDodoWatchKitExtension.appex/TheDodoWatchKitExtension'."

ERROR ITMS-90046: "Invalid Code Signing Entitlements. Your application bundle's signature contains code signing entitlements that are not supported on iOS. Specifically, value '##########.###.##########.######' for key 'application-identifier' in 'Payload/TheDodo.app/PlugIns/TheDodoWatchKitExtension.appex/TheDodoWatchKitExtension' is not supported. This value should be a string starting with your TEAMID, followed by a dot '.', followed by the bundle identifier."

ERROR ITMS-90163: "Invalid Code Signing Entitlements. The entitlements in your app bundle signature do not match the ones that are contained in the provisioning profile. The bundle contains a key that is not included in the provisioning profile: 'aps-environment' in 'Payload/TheDodo.app/PlugIns/TheDodoWatchKitExtension.appex/TheDodoWatchKitApp.app/TheDodoWatchKitApp'."

ERROR ITMS-90163: "Invalid Code Signing Entitlements. The entitlements in your app bundle signature do not match the ones that are contained in the provisioning profile. The bundle contains a key that is not included in the provisioning profile: 'com.apple.security.application-groups' in 'Payload/TheDodo.app/PlugIns/TheDodoWatchKitExtension.appex/TheDodoWatchKitApp.app/TheDodoWatchKitApp'."

The Makefile to archive and export looks something like this:

/usr/bin/xcodebuild -verbose -verbose -workspace 'rebelmouse.xcworkspace'  -scheme TheDodo -configuration "App Store" -sdk 'iphoneos' -archivePath /tmp/TheDodo.xcarchive -derivedDataPath /tmp/ROJECT.Ji9vwyH0 APPLICATION_BUILD_VERSION=2456 archive
/usr/bin/xcodebuild -exportArchive -exportFormat ipa -archivePath /tmp/TheDodo.xcarchive -exportPath /tmp/TheDodo.ipa -exportWithOriginalSigningIdentity


Any suggestion / help is very appreciated. Thanks in advance.

Replies

This may not be the help you're after, but it may help you (or someone).


TL;DR: Xcode correctly exports IPA for the App Store, xcodebuild does not.


After a bit of investigation, it looks like the exportArchive step is embedding the app entitlements file in each of the embedded frameworks. You can see this using the code signing CLI tool:


codesign --display --entitlements :- /path/to/embedded/Framework.framework/Framework


It looks something like this:


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>## Team ID was here##.## App ID was here##</string>
    <key>aps-environment</key>
    <string>production</string>
    <key>com.apple.developer.team-identifier</key>
    <string>## Team ID was here##</string>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>group.## App ID was here##</string>
    </array>
    <key>get-task-allow</key>
    <false/>
</dict>
</plist>


I've taken out our app ID and team ID from the file, but you'll note that the application-identifier field is made up of the App ID and not the bundle ID, which I think is part of the problem. If you check a valid (built by Xcode) app bundle, then there aren't entitlements included in the embedded frameworks / bundles. This may indicate that xcodebuild is signing the app bundle just once with the --deep option - rather than signing each binary individually - as that leads to the same issue.


If you take the same archive file produced after your first xcodebuild command, open it in Xcode (i.e. double click in Finder or drag it into the organiser), and then export it from there, then the entitlements are not present in the binary library files inside your embedded frameworks and bundles.


I don't know about your use case, but exporting the IPA for the App Store from Xcode appears to be the current solution. I know that isn't what everyone wants, but it's only for submitting to iTunes Connect, I think that enterprise builds and AdHoc distribution will still work (they are for us).
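An added example, not part of the thread: a pre-upload check that compares the entitlements signed into one nested binary (the output of the codesign command above) with the Entitlements dictionary of that target's provisioning profile, and reports the two kinds of mismatch the ITMS-90163 and ITMS-90164 messages describe. The function names, the team ID TEAMID0000 and the com.example bundle IDs are made up for illustration, and the matching rules are an approximation, not Apple's validator.

```python
import plistlib
from fnmatch import fnmatchcase

def allowed(profile_value, signed_value):
    """True if the profile's value for a key permits the signed value."""
    if isinstance(profile_value, str) and isinstance(signed_value, str):
        # Profile strings may be wildcards such as 'TEAMID.*'.
        return fnmatchcase(signed_value, profile_value)
    if isinstance(profile_value, list):
        signed = signed_value if isinstance(signed_value, list) else [signed_value]
        return all(any(allowed(p, s) for p in profile_value) for s in signed)
    return profile_value == signed_value

def check_entitlements(signed_plist, profile_plist):
    """Compare signed entitlements (plist bytes) with a decoded profile (plist bytes)."""
    signed = plistlib.loads(signed_plist)
    profile = plistlib.loads(profile_plist)["Entitlements"]
    findings = []
    for key, value in signed.items():
        if key not in profile:
            findings.append(("not-in-profile", key))      # cf. ITMS-90163
        elif not allowed(profile[key], value):
            findings.append(("value-not-allowed", key))   # cf. ITMS-90164
    return findings

# Constructed sample: the main app's entitlements stamped onto an extension binary.
SIGNED = plistlib.dumps({
    "application-identifier": "TEAMID0000.com.example.app",
    "aps-environment": "production",
    "com.apple.developer.team-identifier": "TEAMID0000",
    "com.apple.security.application-groups": ["group.com.example.app"],
    "get-task-allow": False,
})
# Constructed sample: the extension's own profile (as decoded, for instance,
# with `security cms -D -i embedded.mobileprovision`).
PROFILE = plistlib.dumps({"Entitlements": {
    "application-identifier": "TEAMID0000.com.example.app.watchkitextension",
    "com.apple.developer.team-identifier": "TEAMID0000",
    "com.apple.security.application-groups": ["group.com.example.app"],
    "get-task-allow": False,
    "keychain-access-groups": ["TEAMID0000.*"],
}})

if __name__ == "__main__":
    for kind, key in check_entitlements(SIGNED, PROFILE):
        print(f"{kind}: {key}")
```

Run it once per signed binary in the bundle, pairing each with the profile embedded next to it; an empty result means no signed key falls outside that profile.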

As of almost one year later it appears Apple has still not addressed this issue, which is very unfortunate.


In my case, I am making a framework for consumption by other departments within my company. They want to build their apps using 'xcodebuild' on a TeamCity server and then use Application Loader to upload the .ipa artifacts to iTunes Connect.


With this bug in place, it means we cannot have a continuous integration process because the only way to upload to Apple is manually via Xcode.


Is Apple even AWARE of this problem?

Tried Xcode 8, this problem remains....

If anyone is still interested, I managed to solve the problem by using the '-exportOptionsPlist' flag and providing a proper .plist file:

xcodebuild -exportArchive \
  -archivePath "path/to/archive.xcarchive" \
  -exportPath "path/to/ipa.ipa" \
  -exportOptionsPlist "path/to/exportOptions.plist"


That's what you get when you ignore the 'Deprecated' messages from Apple 🙂