13

From what I understand, Xcode can re-sign an .ipa from an archive during the App store submission process, making it possible for you to create an archive with a Developer Provisioning Profile, and then sign it with a Distribution profile later. Here is a post that explains what I am talking about: http://oleb.net/blog/2011/06/code-signing-changes-in-xcode-4/

Unfortunately, I can't get it to work. When I create an archive using a Developer profile, then try to submit it with a Distribution profile, I get the following error: "Application failed codesign verification. The signature was invalid, contains disallowed entitlements or it was not signed with an iPhone Distribution Certificate"

The application does not use any entitlements and has no entitlements file. The error is correct that "it was not signed with an iPhone Distribution Certificate", because it was originally signed with a developer certificate, and I am attempting to resign it with a Distribution certificate. I thought this was a valid thing to do...

Richard Venable
  • 8,310
  • 3
  • 49
  • 52
  • Why not just sign it right the first time? Xcode's organizer's archives code signs it again just to be safe upon upload or validation, it doesnt replace the signature. – CodaFi Feb 06 '12 at 21:51
  • The reason I'm doing it this way is because I work with a team, and not everyone has access to our Distribution profile. So I want them to be able to build the archive with their Developer profiles, send it to me; then I re-sign it and submit it. – Richard Venable Feb 07 '12 at 04:59

1 Answers1

9

The problem here is that when you originally archived it would have set the entitlements to be compatible with a developer profile, such as the get-task-allow set to true but you're re-signing using a distribution profile which requires get-task-allow to be false. Unfortunately it can't go and change the entitlements and so you get this problem.

I'm not entirely sure why Apple can't make it so that it can go and change the entitlements and do all the magic there. The code, resources, etc will all be the same after all.

mattjgalloway
  • 34,792
  • 12
  • 100
  • 110
  • 1
    So, if this is true, then I should be able to add an entitlements file and set get-task-allow to false. Then I will be able to build a release archive with the entitlements file using a developer profile, and re-sign it later with the distribution profile? I will give this a shot soon. Thanks for the help! – Richard Venable Feb 07 '12 at 04:56
  • How can I set This. please help me – Vineesh TP May 02 '12 at 13:53