0

My colleague has made some changes recently to our app, and enabled Data Protection.

However, ever since, we're unable to deploy the app to any real device. The error happens at application verification with this error:

ApplicationVerificationFailed: Failed to verify code signature of /private/var/installd/Library/Caches/com.apple.mobile.installd.staging/temp.YDQn6e/extracted/[appname].app : 0xe8008016 (The executable was signed with invalid entitlements.)

(Due to NDA requirements I have to hide any identifying information from any logs, and such, I replaced them with static labels in [] brackets).

I've checked the entitlements using Apple's own guide, using the security and codesign tools.

codesign output the following information:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>get-task-allow</key>
    <false/>
    <key>application-identifier</key>
    <string>[teamId].[appname]</string>
    <key>com.apple.developer.team-identifier</key>
    <string>[teamId]</string>
    <key>aps-environment</key>
    <string>production</string>
    <key>keychain-access-groups</key>
    <array>
        <string>[teamId].[appname]</string>
    </array>
</dict>
</plist>

And here is the output of the security command:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AppIDName</key>
    <string>[appPublicName]</string>
    <key>ApplicationIdentifierPrefix</key>
    <array>
    <string>[teamId]</string>
    </array>
    <key>CreationDate</key>
    <date>2017-07-06T11:55:52Z</date>
    <key>Platform</key>
    <array>
        <string>iOS</string>
    </array>
    <key>DeveloperCertificates</key>
    <array>
        <data>[devCert]</data>
    </array>
    <key>Entitlements</key>
    <dict>
        <key>keychain-access-groups</key>
        <array>
            <string>[teamId].*</string>     
        </array>
        <key>get-task-allow</key>
        <false/>
        <key>application-identifier</key>
        <string>[teamId].[appname]</string>
        <key>com.apple.developer.associated-domains</key>
        <string>*</string>
        <key>com.apple.developer.team-identifier</key>
        <string>[teamId]</string>
        <key>aps-environment</key>
        <string>production</string>
    </dict>
    <key>ExpirationDate</key>
    <date>2018-04-25T13:18:41Z</date>
    <key>Name</key>
    <string>[appPublicName]</string>
    <key>ProvisionedDevices</key>
    <array>
        [provisioned devices]
        [The device I'm trying to deploy to is listed here]
    </array>
    <key>TeamIdentifier</key>
    <array>
        <string>[teamId]</string>
    </array>
    <key>TeamName</key>
    <string>[teamName]</string>
    <key>TimeToLive</key>
    <integer>293</integer>
    <key>UUID</key>
    <string>[id]</string>
    <key>Version</key>
    <integer>1</integer>
</dict>
</plist>

What on earth is going wrong here?

fonix232
  • 2,132
  • 6
  • 39
  • 69
  • If you log into the developer portal to manage provisioning profiles, is the current profile listed as valid? Enabling data protection might require you to get re-generate the provisioning profile and use the new provisioning profile. But I would expect the old one to still be usable. – Mats Dec 20 '17 at 14:25
  • Yes, I've had to re-generate the profile, and I've even tried making a brand new profile which immediately showed up in both XCode and Visual Studio (not sure if it's related, but this is a Xamarin app, not a native one, written in C# instead of Swift/ObjC). – fonix232 Dec 20 '17 at 14:50
  • Ok :-). I asked because the `CreationDate` was set to July in you question. – Mats Dec 21 '17 at 12:39
  • Yes, it was created in July, but updated in the meantime :) – fonix232 Dec 21 '17 at 13:02

1 Answers1

2

Updating entitlements in an iOS app requires a couple of steps if you are not using automatic code signing. You need to update both the application's project and the provisioning profile used to build the app. If the two are out of sync (or more precisely, if your app is trying to use an entitlement not allowed by the provisioning profile's allowed entitlements, you will get this error.

When changing entitlements, you need to update the entitlements in the project itself (as documented here) as well as in the provisioning profile. I suspect this is all you have done so far.

To update the entitlements in your provisioning profile, log into the Apple developer site and go to the "Certificates, Identifiers & Profiles" section. Select Application IDs on the left, and find the app ID for the app you are trying to build. Click the edit button and turn on the entitlement for Data Protection. Once you have done this, click "Done". The App ID is now configured, but you'll need to regenerate your provisioning profile to pick up the changes to your app ID. Go to the Provisioning Profiles link on the left, find your profile for the app ID, click Edit, then click the Generate button at the bottom. Once done, click the download button to get the new profile that has the new entitlements for the App ID.

Also, just to be safe, I would delete all your old provisioning profiles from the Mac before downloading and installing the new one. That way you can be sure it is picking up the correct provisioning profile. You can find the location of the provisioning profiles here.

wottle
  • 13,095
  • 4
  • 27
  • 68