Xcode entitlement problem location and resolution guide

Background Story

Two days ago, a normal, packaged test is not a problem, the Xcode project suddenly burst into a variety of strange entitlement errors:

• What signature is inconsistent with the configuration file.

Or

• Unable to install because the signature or configuration file is misconfigured.

After tossing the big half day, only to find a place, Apple's developer certificate was reset by a classmate ... Although it has been repeatedly stressed to be careful not to be sure, but this kind of thing can not be completely avoided. I have no words to those students who do not read the information hint.

However, although I rebuilt the certificate and updated all the relevant configuration files (provisioning profile), it was a variety of inexplicable errors.

Finally, I gave up, looking for a professional to do iOS development classmate to help, he pointed out:

There is a problem with Xcode's cache, and sometimes modifying the configuration does not take effect.

Under his guidance, after deleting the account information, restart xcode-> re-login, restart xcode-> re-download configuration file, reconfigure the signature. I don't know how many times I restarted Xcode, in short, at the moment when all the errors disappeared, I took a long sigh: cao~~~~~~~~~~~

To be honest, Xcode is all good, that is, the management of these signature files is a bit anti-human, like itunes, you never seem to understand its logic.

Then, I again Google a bit of the entitlement error I met, and sure enough to find an Apple official article "Entitlement Problem location Guide":

Https://developer.apple.com/library/ios/technotes/tn2415/_index.html

The spirit of "know it, know the reason why", read through a few times, finally to Xcode management configuration file principle, have a slightly clearer concept. Here are some notes:

What is entitlement?

Entitlement (permissions) can be imagined as a string in the app that describes which services the app can invoke. Apple's operating system (Mac OS or iOS) checks the string to determine whether the app can invoke the relevant functionality. such as icloud permissions, push services, health services, etc.

Common entitlement Errors

• When compiling the package

The executable is signed with invalid entitlements. The entitlements specified in your application ' s Code Signing entitlements file does not match those specified in your provi Sioning profile.

• During installation

Could not install the application. Your code signing/provisioning Profiles is not correctly configured ... you have a entitlement not supported by Your cur Rent Provisioning Profile ... (error:0xe8008016).

• When submitted to the Apple Store

Invalid Code Signing entitlements. The entitlements in your app bundle signature does not match the ones that is contained in the provisioning profile. According to the provisioning profiles, the bundle contains a key value that's not allowed: ' [A1B2C3D4E5.com.appleseedinc. MyGreatApp] ' for the key "Keychain-access-groups" in "Payload/mygreatapp.app/mygreatapp"

• Wrong value

Entitlement ' keychain-access-groups ' have value not permitted by a provisioning profile

Error-Checking process

Is the complete inspection process when encountering a entitlement error:

Note: PP = Provisioning profile Profiles

1. Set the target app's function in Xcode (target capabilities)

2. APP ID Service for Apple Developer User Center website

3. Create provisioning Profile (Pre-config file) via web site (same as 2)

4. Pre-configured file libraries for Web sites

5. Check the permissions settings in the provisioning profile

6. Install provisioning profile into Xcode

7. Xcode's local provisioning profile library

8. Configure which provisioning profile to use in Xcode

9. Check which provisioning profile is used in the compilation log

10. Check the permissions contained in the packaged app

11. The operating system checks the app for permissions during installation or startup

The first step

The generation of entitlement, which is what permissions an app needs to have, can be set up automatically via Xcode or on the developer's website.

Turn on or off the specified feature with capabilities, project, Target, Xcode

In theory , "Fix issues" is ordered, and Xcode does the following things automatically:

1. Update permission requirements

2. Register App ID

3. Turn on or off the service for the app ID

4. Create or update provisioning profile

5. Download and install the provisioning profile, as it is required to sign the application behind.

If the network and luck are good, then there is nothing.

Manual operation

But the problem with Apple's website and China's network may not be so smooth. If Xcode does not automatically complete the task, you need to do it manually:

• Create an app ID and turn on the service

Some services require additional information, such as a push service, which requires a certificate to be specified.

• Add Provisioning Profile

• Check the service content that Provisiong profile contains

• Checks whether the local profile contains the required permissions

Security cms-d-i/path/to/iosteamprofile.mobileprovision

• Install profile to Xcode

If the. Mobileprovision is downloaded from the Web site, double-clicking the file will automatically install to the location specified by Xcode.

• Check the Xcode local provisioning profile Library

Xcode > Preferences > Accounts > (your account) > View Details

Note that this is the old version, the latest version 7.3 is slightly different. The biggest difference is that the refresh button is gone!! Instead of the "Download All" button, this is probably the way:

In the Action column, if the file is not local, there will be a "Download" download button, if it has been downloaded to the local, there is no.

Right-click a file that has already been downloaded with 2 options:

1. Display in Finder

2. Delete (then you can re-download it)

• Setting up the provisioning profile in Xcode

If the required provisioning profile files have been downloaded to the local, you can consider let Xcode automatically select, specific configuration method, refer to another Apple document: Https://developer.apple.com/library/mac /qa/qa1814/_index.html

After the configuration is successful, it should look like this:

Of course, you can also manually specify the signature identifier (Code Signing identity), and provisioning profile.

in particular, it is worth mentioning that : If the provisioning profile is not a problem, when you have specified one, the Code sigining identity drop-down list will prompt for the profile's developer account.

If not, it means there is a problem with the file or there is a problem with Xcode.

(This is also the method that my professional colleague introduced, the measurement is very useful.) ）

To this step, all right, should be no problem.

There are some additional checks in the rear:

• View the compilation log

If the compilation is successful, the log will indicate which profile to use:

• Check if the compiled app contains the correct permissions

Command line:

$ codesign-d--ent:-/path/to/the.app

There are several details:

A. When the app is signed, the relevant service permissions are transferred from the profile to the application's signature.

B. Profile will also be built into the app. If you open the app package view, you can see the embedded.mobileprovision

• The operating system checks the app for permissions

The OS check is based on the two places you just said: Apply your own signature, built-in profile. When they are inconsistent, they will get an error. In addition to permissions, the operating system checks that the app ID is consistent.

• Check permission settings before submitting to Apple Store

This is the last place in the entire process to check if permissions are wrong

other

• adding entitlement files Manually

Typically, Xcode automatically manages entitlement files, so we don't need to buidling Settings, code Signing, code Signing entitlements in Xcode project Deliberately set the file.

For older versions of Xcode, you need to add the entitlement file yourself:

Format of the. entitlements file (it should also be. plist format)

• Entitlement Common fields Introduction

• Whether beta-reports-active can be published via Testfilight

• The team ID of the team-identifier Development Account, consisting of 10 numeric and alphabetic characters. This value is also the default app ID prefix.

• Get-task-allow Whether Xcode can debug the app.

• App ID for application-identifier app, format is <prefix>.<bundle_id>

• keychain-access-groups Keychain Permission Group (for more information, refer to https://developer.apple.com/library/ios/documentation/Security/ reference/keychainservices/)

• push-notification When the push service is turned on, this field will have a value indicating whether it is a production environment (production) or a development environment (development).

• App ID prefix check

The operating system also checks the app ID prefix (that is, the team ID), and if it finds that the prefix in the app signature is inconsistent with the profile, it will also get an error.

Reference to the App ID prefix:

• APP ID Prefix inconsistency error: https://developer.apple.com/library/ios/qa/qa1879/_index.html

• Manage multiple App ID prefixes: https://developer.apple.com/library/ios/technotes/tn2311/_index.html

• Keychain Access Warning: https://developer.apple.com/library/ios/qa/qa1726/_index.html

• The app ID is not consistent with the app you're currently installing when you upgrade your app: Https://developer.apple.com/library/ios/technotes/tn2319/_index.html#//apple_ref/doc /uid/dts40013778-ch1-errormessages-upgrade_s_application_identifier_does_not_match_the_installed_app

Xcode entitlement problem location and resolution guide