Darwin Build Environment Help Center

Invalid Code Signing Entitlements

ateo

Windows 11 Pro
Builder v3.82
iOS SDK 18.0
https://pmbaty.com/paste/?7d97ff86eb48d707#8UE7pGSzsbCrtUBpNxd4TBVnY7LuQ7JDTP91Uapi13VC

After Uploading the Build I get an error email from Apple:
(I redacted sensitive information)

----------

Hello,

We noticed one or more issues with a recent delivery for the following app:

Gambonanza
App Apple ID 6747752407
Version 0.14.4
Build 4
Please correct the following issues and upload a new binary to App Store Connect.

ITMS-90046: Invalid Code Signing Entitlements - Your application bundle's signature contains code signing entitlements that are not supported on iOS. Specifically, value '*' for key 'com.apple.developer.icloud-services' in 'Payload/Gambonanza.app/Gambonanza' is not supported.

ITMS-90211: Invalid Code Signing Entitlements - The signature for your app bundle contains entitlement values that are not supported. For the com.apple.developer.ubiquity-kvstore-identifier entitlement, the value must start with the prefix provided by Apple in the provisioning profile, followed by characters that are uppercase or lowercase Roman letters [A-Z, a-z], the digits 0 through 9, dot ['.'], or hyphen ['-'], and not contain any wildcard characters. Specifically, value 'XXXXXXXXXX.*' for the key 'com.apple.developer.ubiquity-kvstore-identifier' in 'Payload/Gambonanza.app/Gambonanza' is not supported.

Apple Developer Relations

----------

When archiving and uploading the same build on a Mac using the same provisioning profile and certificates, it works without issues.

Replies

#1. ateo

I have checked "re-sign" with the following distribution provisioning profile

Apple provisioning profile
=====================

Name: ***
Creation date : ***
Expiration date: ***
App ID: Gambonanza Mobile
(XXXXXXXXXX.com.strayfawnstudio.gambonanza)
Team name: ***
Filename: my_provisioning_profile.mobileprovision

----------Embeded certificates-----------
Apple Distribution (Stray Fawn GmbH (XXXXXXXXXX)

----------Usage restrictions----------
Suitable for App Store Connect uploads

#2. ateo

I have an assumption that issue ITMS-9021 might be linked to the development provisioning profile that I have also installed (for local testing), which is a wildcard profile for XXXXXXXXXX.com.strayfawnstudio.*, but I have not selected this to re-sign during upload (or build even)
but since they explicitly state:
Specifically, value 'XXXXXXXXXX.*' for the key 'com.apple.developer.ubiquity-kvstore-identifier' in 'Payload/Gambonanza.app/Gambonanza' is not supported.
'XXXXXXXXXX.*' might also not be related to that wildcard profile.

#3. Pierre-Marie Baty

Hello

This is not related to which provisioning profile you choose, but to your app’s entitlements configuration. One or several of those entitlements contain a wildcard character, and that isn’t accepted with a distribution profile.

See the documentation about entitlements and how to configure them using a plist file. Basically you need to open the entitlements plist file your app uses and fix the relevant key/values as indicated by Apple in the message you received.

#4. ateo

Thank you for the fast response, I only saw it just now.

--------------------------------------------------

I tried disabling this setting in Unity

**Automatically add capabilities**
Generate an entitlements.plist file and add capabilities for Game Center if detected in your project. Disable this setting if you intend to sign your app with an enterprise certificate or use a wildcard bundle identifier.

--------------------------------------------------

Also I tried checking the checkbox in the upload tool
**Entitlements from .plist file**

and added this empty entitlements.plist file
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
</dict>
</plist>

--------------------------------------------------

But when trying to upload I still get the same error email from Apple:
Hello,

We noticed one or more issues with a recent delivery for the following app:

Gambonanza
App Apple ID 6747752407
Version 0.14.5
Build 5
Please correct the following issues and upload a new binary to App Store Connect.

ITMS-90046: Invalid Code Signing Entitlements - Your application bundle's signature contains code signing entitlements that are not supported on iOS. Specifically, value '*' for key 'com.apple.developer.icloud-services' in 'Payload/Gambonanza.app/Gambonanza' is not supported.

ITMS-90211: Invalid Code Signing Entitlements - The signature for your app bundle contains entitlement values that are not supported. For the com.apple.developer.ubiquity-kvstore-identifier entitlement, the value must start with the prefix provided by Apple in the provisioning profile, followed by characters that are uppercase or lowercase Roman letters [A-Z, a-z], the digits 0 through 9, dot ['.'], or hyphen ['-'], and not contain any wildcard characters. Specifically, value 'RX5HNX6Z2T.*' for the key 'com.apple.developer.ubiquity-kvstore-identifier' in 'Payload/Gambonanza.app/Gambonanza' is not supported.

Apple Developer Relations

--------------------------------------------------

Do I maybe need to edit a different .plist file? Or create a build postprocessor in Unity to get this to work? Or might it be a weird setup with my distribution certificate maybe?
As I mentioned, when I open the Xcode project on a Mac I can distribute without any issues using the same certificate and provisioning profile.

#5. Pierre-Marie Baty

My apologies, I probably said something wrong in my reply. It does seem the problem could come from your wildcard profile, but I wonder how it is possible that you could upload your app signed with a *distribution* certificate and a *wildcard* profile? Normally, distribution certificates require explicit provisioning profiles.

Please go to the iOS Provisioning Portal online and check the configuration of the provisioning profile you use for App Store submission. It's likely that you're using the wrong profile (and that would also mean there's a "bug" in the App Store upload tool, because it should detect that discrepancy and prevent you from uploading in the first place.)

You need an explicit (non-wildcard) profile that's purposed for App Store submission, that embeds a Distribution certificate, and sign your app with that distribution certificate. Let me know if that was indeed the cause.

#6. ateo

No worries, maybe I was not clear enough either.

I am not using a wildcard profile. I have added one, but only use it for testing with OTA deployment. For uploading I intend to use the distribution profile that is only linked to this app "com.strayfawnstudio.gambonanza".

I can provide screenshots of the profile and certificate in use
https://privatebin.unige.ch/?40b0d13f88831191#G2Pi8N9utrRAUXU6Fw2nReCf1t3ymb4wTSMztxxuKv2X
password is "darwin"

I have tried the following methods:
- building with distribution profile and uploading.
- building with development (wildcard) profile and resigning with distribution profile on upload
- building with distribution profile and re-signing with distribution profile on upload
But I always keep getting the same error email from Apple.

#7. ateo

I created both certificates (development and distribution) from the same private key inside project builder. Might that cause problems? After reimporting the .p12 files of the certificates on a second Windows installation, it then just imported 1 key each time. I guess they would be identical, but are hard linked to their certificate from import.
But yeah, I mean signing does work and it would still be weird that it works when using the same profile on OSX/XCode.

#8. ateo

I also looked into the info.plist file that gets generated in the Xcode project root, and in there I see no keys like "com.apple.developer.icloud-services" or "com.apple.developer.ubiquity-kvstore-identifier".

---------------

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CADisableMinimumFrameDuration</key>
<true />
<key>CADisableMinimumFrameDurationOnPhone</key>
<true />
<key>CFBundleAllowMixedLocalizations</key>
<true />
<key>CFBundleDevelopmentRegion</key>
<string>en</string>
<key>CFBundleDisplayName</key>
<string>Gambonanza</string>
<key>CFBundleExecutable</key>
<string>${EXECUTABLE_NAME}</string>
<key>CFBundleIdentifier</key>
<string>${PRODUCT_BUNDLE_IDENTIFIER}</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundleName</key>
<string>${PRODUCT_NAME}</string>
<key>CFBundlePackageType</key>
<string>APPL</string>
<key>CFBundleShortVersionString</key>
<string>0.14.4</string>
<key>CFBundleVersion</key>
<string>4</string>
<key>LSRequiresIPhoneOS</key>
<true />
<key>UILaunchStoryboardName</key>
<string>LaunchScreen-iPhone</string>
<key>UILaunchStoryboardName~ipad</key>
<string>LaunchScreen-iPad</string>
<key>UILaunchStoryboardName~iphone</key>
<string>LaunchScreen-iPhone</string>
<key>UILaunchStoryboardName~ipod</key>
<string>LaunchScreen-iPhone</string>
<key>UIPrerenderedIcon</key>
<false />
<key>UIRequiredDeviceCapabilities</key>
<array>
<string>arm64</string>
<string>metal</string>
</array>
<key>UIRequiresFullScreen</key>
<true />
<key>UIRequiresPersistentWiFi</key>
<false />
<key>UIStatusBarHidden</key>
<true />
<key>UIStatusBarStyle</key>
<string>UIStatusBarStyleDefault</string>
<key>UISupportedInterfaceOrientations</key>
<array>
<string>UIInterfaceOrientationLandscapeRight</string>
<string>UIInterfaceOrientationLandscapeLeft</string>
</array>
<key>UIViewControllerBasedStatusBarAppearance</key>
<true />
<key>Unity_LoadingActivityIndicatorStyle</key>
<integer>-1</integer>
</dict>
</plist>

---------------

Looks like just some default settings that I checked in unity. I really don't understand where they would come from.

#9. Pierre-Marie Baty

Let's correct 2 misunderstandings first.

1. Creating multiple certificates from one private key is not a problem.

2. The entitlements of an app do not go in its Info.plist, instead they are stamped in the app binary itself at signing time. You may view them on Mac with the command-line utility "codesign -d --entitlements" and on PC with the command-line utility "ldid -v" (in the builder's Toolchain directory).

I would like to completely clarify the situation because you're reporting a lot of different combinations, and in each of them just a single thing off track could lead to the manifestation of the problem. Let us focus on one single use case please.

I see in the screenshots you posted that you use a DEVELOPMENT certificate ("Certificate Type: Development"). You may use this certificate to sign your app and deploy it to your device, but you *may not* submit to the App Store an app signed with a development certificate. In order to submit your app to the App Store, you must either rebuild+sign it (or simply re-sign it), using a DISTRIBUTION certificate.

The provisioning profile you use is okay though.

When you sign your app, you typically choose a provisioning profile in the droplist, and the certificate to use is automatically deduced from it. Assuming you chose the provisioning profile you posted in the screenshot, what is the name of the certificate that is displayed in the builder UI? Does it start with "Apple Development: Your Name" (or "iOS Development: Your Name"), or does it start with "Apple Distribution: Your Name" (or "iOS Distribution: Your Name")? It *has* to mention the word "Distribution". If that's not the case, the entitlements will not be set up correctly in the signed app.

Technical note: by "correctly" I mean "filtered and fixed so that they are accepted by the App Store". The App Store has stricter requirements about entitlements: some which provide convenience privileges during development have to be stripped, and some others which include generic names or wildcards must have these wildcards replaced with the exact bundle ID of the app.

So, to be completely clear, let me know if the issue persists when the .ipa you uploaded to the App Store is signed with the provisioning profile shown in your screenshot stamped in it, and with a certificate whose 2nd word spells "Distribution".

If the issue persists then, it will mean that the filtering/patching rules I mentioned in the technical note 2 paragraphs above need to be reviewed.

Do not post multiple replies that change the problem's data, please. Just answer this question clearly, and we'll proceed from there.
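
Added example (not part of the thread and not the builder's own code): a pre-upload check that applies the two rules quoted in Apple's ITMS-90046 and ITMS-90211 messages to an entitlements plist dumped from the signed binary with the tools named in reply #9. The function name and the sample plist are constructed for illustration; the sample reuses the redacted values from the email, and `application-identifier` is included only as a value that passes.

```python
import plistlib
import re

# Constructed sample: an entitlements dump carrying the redacted values
# that Apple's email in this thread complains about.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>application-identifier</key>
<string>XXXXXXXXXX.com.strayfawnstudio.gambonanza</string>
<key>com.apple.developer.icloud-services</key>
<string>*</string>
<key>com.apple.developer.ubiquity-kvstore-identifier</key>
<string>XXXXXXXXXX.*</string>
</dict></plist>"""

KVSTORE_KEY = "com.apple.developer.ubiquity-kvstore-identifier"
ICLOUD_SERVICES_KEY = "com.apple.developer.icloud-services"
# ITMS-90211: after the prefix, only letters, digits, dot or hyphen.
ALLOWED_SUFFIX = re.compile(r"[A-Za-z0-9.-]+")

def _strings(value):
    """Yield every string in a plist value (a string or an array of strings)."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, (list, tuple)):
        for item in value:
            yield from _strings(item)

def find_rejected_entitlements(plist_bytes, team_prefix):
    """Return (key, value, reason) for each value the quoted messages reject."""
    findings = []
    for key, value in plistlib.loads(plist_bytes).items():
        for s in _strings(value):
            if key == ICLOUD_SERVICES_KEY and s == "*":
                findings.append((key, s, "wildcard value (ITMS-90046)"))
            elif key == KVSTORE_KEY:
                if not s.startswith(team_prefix + "."):
                    findings.append((key, s, "missing profile prefix (ITMS-90211)"))
                elif not ALLOWED_SUFFIX.fullmatch(s[len(team_prefix) + 1:]):
                    findings.append((key, s, "characters outside [A-Za-z0-9.-] (ITMS-90211)"))
    return findings

if __name__ == "__main__":
    for key, value, reason in find_rejected_entitlements(SAMPLE_ENTITLEMENTS, "XXXXXXXXXX"):
        print(f"{key} = {value!r}: {reason}")
```
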


Moderators: Pierre-Marie Baty