Darwin Build Environment Help Center

Invalid Code Signing Entitlements

append delete ateo

Windows 11 Pro
Builder v3.82
iOS SDK 18.0
https://pmbaty.com/paste/?7d97ff86eb48d707#8UE7pGSzsbCrtUBpNxd4TBVnY7LuQ7JDTP91Uapi13VC

After Uploading the Build I get an error email from Apple:
(I redacted sensitive information)

----------

Hello,

We noticed one or more issues with a recent delivery for the following app:

Gambonanza
App Apple ID 6747752407
Version 0.14.4
Build 4
Please correct the following issues and upload a new binary to App Store Connect.

ITMS-90046: Invalid Code Signing Entitlements - Your application bundle's signature contains code signing entitlements that are not supported on iOS. Specifically, value '*' for key 'com.apple.developer.icloud-services' in 'Payload/Gambonanza.app/Gambonanza' is not supported.

ITMS-90211: Invalid Code Signing Entitlements - The signature for your app bundle contains entitlement values that are not supported. For the com.apple.developer.ubiquity-kvstore-identifier entitlement, the value must start with the prefix provided by Apple in the provisioning profile, followed by characters that are uppercase or lowercase Roman letters [A-Z, a-z], the digits 0 through 9, dot ['.'], or hyphen ['-'], and not contain any wildcard characters. Specifically, value 'XXXXXXXXXX.*' for the key 'com.apple.developer.ubiquity-kvstore-identifier' in 'Payload/Gambonanza.app/Gambonanza' is not supported.

Apple Developer Relations

----------

When Archiving and Uploading the Same Build on a mace using the same provisioning profile and certificates, It works without issues.

Reply RSS

Replies

append delete #1. ateo

I have checked "re-sign" with the following distribution provisioning profile

Apple provisioning profile
=====================

Name: ***
Creation date : ***
Expiration date: ***
App ID: Gambonanza Mobile
(XXXXXXXXXX.com.strayfawnstudio.gambonanza)
Team name: ***
Filename: my_provisioning_profile.mobileprovision

----------Embeded certificates-----------
Apple Distribution (Stray Fawn GmbH (XXXXXXXXXX)

----------Usage restrictions----------
Suitable for App Store Connect uploads

append delete #2. ateo

I have an assumption, that it issue ITMS-9021 might be linked to the development provisioning profile that I have also installed (for local testing) wich is a wildcard profile for XXXXXXXXXX.com.strayfawnstudio.* but I have not selected this to re-sign during upload (or build even)
but since they sxplicitlly state:
Specifically, value 'XXXXXXXXXX.*' for the key 'com.apple.developer.ubiquity-kvstore-identifier' in 'Payload/Gambonanza.app/Gambonanza' is not supported.
'XXXXXXXXXX.*' might also not be related to that wildcard profile.

append delete #3. Pierre-Marie Baty

Hello

This is not related to which provisioning profile you choose, but to your app’s entitlements configuration. One or several of those entitlements contain a wildcard character, and that isn’t accepted with a distribution profile.

See the documentation about entitlements and how to configure them using a plist file. Basically you need to open the entitlements plist file your app uses and fix the relevant key/values as indicated by Apple in the message you received.

append delete #4. ateo

Thank you for the fast response, I only saw it just now.

--------------------------------------------------

I tried disabling this setting in Unity

**Automatically add capabilities**
Generate an entitlements.plist file and add capabilities for Game Center if detected in your project. Disable this setting if you intend to sign your app with an enterprise certificate or use a wildcard bundle identifier.

--------------------------------------------------

also I tried checking the checkbox in the upload tool
**Entitlements from .plist file"

and added this empty entitlments.plist file
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
</dict>
</plist>

--------------------------------------------------

But when trying to upload I still get the same error email from apple
Hello,

We noticed one or more issues with a recent delivery for the following app:

Gambonanza
App Apple ID 6747752407
Version 0.14.5
Build 5
Please correct the following issues and upload a new binary to App Store Connect.

ITMS-90046: Invalid Code Signing Entitlements - Your application bundle's signature contains code signing entitlements that are not supported on iOS. Specifically, value '*' for key 'com.apple.developer.icloud-services' in 'Payload/Gambonanza.app/Gambonanza' is not supported.

ITMS-90211: Invalid Code Signing Entitlements - The signature for your app bundle contains entitlement values that are not supported. For the com.apple.developer.ubiquity-kvstore-identifier entitlement, the value must start with the prefix provided by Apple in the provisioning profile, followed by characters that are uppercase or lowercase Roman letters [A-Z, a-z], the digits 0 through 9, dot ['.'], or hyphen ['-'], and not contain any wildcard characters. Specifically, value 'RX5HNX6Z2T.*' for the key 'com.apple.developer.ubiquity-kvstore-identifier' in 'Payload/Gambonanza.app/Gambonanza' is not supported.

Apple Developer Relations

--------------------------------------------------

Do I maybe need to edit a different .plist file? Or create a build Postprocessor in Unity to get this to work? Or might it be a weird setup with my distributino certificate maybe?
As I mentioned, when I open the Xcode project on a mac I can distribute without any issues using the same certificate and provisioning profile.

append delete #5. Pierre-Marie Baty

My apologies, I probably said something wrong in my reply. It does seem the problem could come from your wildcard profile, but I wonder how is it possible that you could upload your app signed with a *distribution* certificate and a *wildcard* profile ? Normally, distribution certificates require explicit provisioning profiles.

Please go to the iOS Provisioning Portal online and check the configuration of the provisioning profile you use for App Store submission. It's likely that you're using the wrong profile (and that would also mean there's a "bug" in the App Store upload tool, because it should detect that discrepancy and prevent you to upload in the first place.)

You need an explicit (non-wildcard) profile that's purposed for App Store submission, that embeds a Distribution certificate, and sign your app with that distribution certificate. Let me know if that was indeed the cause.

append delete #6. ateo

No worries, maybe I was not clear enough either.

I am not using a wildcard profile. Though I have added one, but only use it for testing with OTA deployment. but for uploading I intend to use the distribution profile that is only linked to this app "com.strayfawnstudio.gambonanza".

I can provide screenshots of the profile and certificate in use
https://privatebin.unige.ch/?40b0d13f88831191#G2Pi8N9utrRAUXU6Fw2nReCf1t3ymb4wTSMztxxuKv2X
password is "darwin"

I have tried the following methods:
- building with distribution profile and uploading.
- building with development (wildcard) profile and resigning with distribution profile on upload
- building with distribution profile and re-signing with distribution profile on upload
But I always keep getting the same error email from Apple.

append delete #7. ateo

I created both certificates (development and distribution) from the same private key inside project builder. Might that cause problems? After reimporting the .p12 files of the certificates on a second windows installation, it then just imported 1 key each time, I guess they would be identical, but are hard linked to their certificate from import.
But yeah, I mean signing does work and it would still be weird that it works when using the same profile on OSX/XCode.

append delete #8. ateo

I also looked into the info.plist file that gets generated in the Xcode project root, and in there I see no keys like "com.apple.developer.icloud-services" or "com.apple.developer.ubiquity-kvstore-identifier".

---------------

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CADisableMinimumFrameDuration</key>
<true />
<key>CADisableMinimumFrameDurationOnPhone</key>
<true />
<key>CFBundleAllowMixedLocalizations</key>
<true />
<key>CFBundleDevelopmentRegion</key>
<string>en</string>
<key>CFBundleDisplayName</key>
<string>Gambonanza</string>
<key>CFBundleExecutable</key>
<string>${EXECUTABLE_NAME}</string>
<key>CFBundleIdentifier</key>
<string>${PRODUCT_BUNDLE_IDENTIFIER}</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundleName</key>
<string>${PRODUCT_NAME}</string>
<key>CFBundlePackageType</key>
<string>APPL</string>
<key>CFBundleShortVersionString</key>
<string>0.14.4</string>
<key>CFBundleVersion</key>
<string>4</string>
<key>LSRequiresIPhoneOS</key>
<true />
<key>UILaunchStoryboardName</key>
<string>LaunchScreen-iPhone</string>
<key>UILaunchStoryboardName~ipad</key>
<string>LaunchScreen-iPad</string>
<key>UILaunchStoryboardName~iphone</key>
<string>LaunchScreen-iPhone</string>
<key>UILaunchStoryboardName~ipod</key>
<string>LaunchScreen-iPhone</string>
<key>UIPrerenderedIcon</key>
<false />
<key>UIRequiredDeviceCapabilities</key>
<array>
<string>arm64</string>
<string>metal</string>
</array>
<key>UIRequiresFullScreen</key>
<true />
<key>UIRequiresPersistentWiFi</key>
<false />
<key>UIStatusBarHidden</key>
<true />
<key>UIStatusBarStyle</key>
<string>UIStatusBarStyleDefault</string>
<key>UISupportedInterfaceOrientations</key>
<array>
<string>UIInterfaceOrientationLandscapeRight</string>
<string>UIInterfaceOrientationLandscapeLeft</string>
</array>
<key>UIViewControllerBasedStatusBarAppearance</key>
<true />
<key>Unity_LoadingActivityIndicatorStyle</key>
<integer>-1</integer>
</dict>
</plist>

---------------

Looks like just some default settings that I checked in unity. I really don't understand where they would come from.

append delete #9. Pierre-Marie Baty

Let's correct 2 misunderstandings first.

1. Creating multiple certificates from one private key is not a problem.

2. The entitlements of an app do not go in its Info.plist, instead they are stamped in the app binary itself at signing time. You may view then on Mac with the command-line utility "codesign -d --entitlements" and on PC with the command-line utility "ldid -v" (in the builder's Toolchain directory).

I would like to completely clarify the situation because you're reporting a lot of different combinations, and in each of them just a single thing off track could lead to the manifestation of the problem. Let us focus on one single use case please.

I see in the screenshots you posted that you use a DEVELOPMENT certificate ("Certificate Type: Development"). You may use this certificate to sign your app and deploy it to your device, but you *may not* submit to the App Store an app signed with a development certificate. In order to submit your app to the App Store, you must either rebuild+sign it (or simply re-sign it), using a DISTRIBUTION certificate.

The provisioning profile you use is okay though.

When you sign your app, you typically choose a provisioning profile in the droplist, and the certificate to use is automatically deduced from it. Assuming you chose the provisioning profile you posted in the screenshot, what is the name of the certificate that is displayed in the builder UI? Does it start with "Apple Development: Your Name" (or "iOS Development: Your Name"), or does it start with "Apple Distribution: Your Name" (or "iOS Distribution: Your Name")? It *has* to mention the word "Distribution". If that's not the case, the entitlements will not be set up correctly in the signed app.

Technical note: by "correctly" hear "filtered and fixed so that they are accepted by the App Store". The App Store has more strict requirements about entitlements: some which provide convenience privileges during development have to be stripped, and some others which include generic names or wildcards must have these wildcards replaced with the exact bundle ID of the app.

So, to be completely clear, let me know if the issue persists when the .ipa you uploaded to the App Store is signed with the provisioning profile shown in your screenshot stamped in it, and with a certificate whose 2nd word spells "Distribution".

If the issue persists then, it will mean that the filtering/patching rules I mentioned in the technical note 2 paragraphs above needs to be reviewed.

Do not post multiple replies that change the problem's data, please. Just answer this question clearly, and we'll proceed from there.

append delete #10. ateo

I'm sorry for creating the confusion with the developer certificate. I accidentally screenshotted the wrong one. I am of course using a distribution certificate with the distribution profile. I don't even think Apple allows me to create an "AppStore" Provisioning Profile with a "Development" certificate.

here are screenshot of the certificate, provisioning profile, build config, upload config & error
https://privatebin.unige.ch/?0a0e17d90d6fdac7#3nNEFYcQABaNVeCTRQZkSqCtEmtFAxMPBapiDDvEfKsM
https://privatebin.unige.ch/?a67295b24bf4e1df#GZG9AtH9T2czpWHDXUfRjbNARN1snpaMWg3jJzxf351v
https://privatebin.unige.ch/?98e2d9b3480c4821#9kFD5L594YPZYbXAhFx6nxENHEUPxuVkDjGgY1J87vxg
https://privatebin.unige.ch/?44290e4b42501ef3#FYckZXyvMk1mhzwjGCKsg8Y65CVJ22CGqWBCq1VKFQoX
https://privatebin.unige.ch/?ee638e3502c81580#E3RMM9GCHzugRQs56FoszXQ3bU9tH9GzGN4JX4vv3PeU
password: darwin

Because I think the certificates are OK I am now looking at paragraph 2 that you mentioned.
It looks like the app was not being sign properly or not event signed at all maybe.

after running ldid on Windows i get an error
PS C:\Darwin\gambonanza\Packages> & "C:\Users\ateo\Project Builder for Unity\Toolchain\ldid.exe" -v "./Gambonanza.ipa"
ldid: fatal: file './Gambonanza.ipa' does not contain any Mach-O slice.

On OSX i also get an error saying that the object is not signed at all.
[ateo@mac-mini % codesign -d ./Gambonanza.ipa
./Gambonanza.ipa: code object is not signed at all

Or do i have to inspect another object and not the the .ipa itself?
Or is it because I have not ticked "re-sign" on upload? (i assumed signing during build with the correct profile would be sufficient)

Thank you for the support. I appreciate it a lot

append delete #11. Pierre-Marie Baty

Okay. It was just a wrong screenshot, so that clears a bit of the confusion.

You must not run ldid or codesign on the .ipa file, you must extract the .ipa file first like a zip archive and run the tool on the app’s main binary.

.ipa (iTunes Packaged Archive) is just a zip file renamed. Zip files can’t be signed, but their individual contents may.

If you want to send me both .ipa files (the one generated by Xcode and the one generated by the builder, both signed for App Store distribution) by mail I can compare them and check for discrepancies. Confidentiality is guaranteed.

append delete #12. ateo

Sure. I just built both binaries and made sure they are from the exact same source Xcode project.

On OSX i am however not sure how to retrieve the .ipa file
When I click click Product > Archivein Xcode I get an .xcarchive file and not an .ipa
would you like that one?

I can click on Distrubute > Ad Hoc Testing it builds a .app file that i can export and it creates a folder with a .ipa, but that one shows it has a different Profile "iOS Team Ad Hoc Profile" (i guess autogenerated) but the certificate is the correct distribution certificate.

----------

SUMMARY
Team: Stray Fawn GmbH
Certificate: Apple Distribution (Expires 13.11.2026)
Profile: iOS Team Ad Hoc Provisioning Profile: com.strayfawnstudio.gambonanza (Expires 13.11.2026)
Architectures: arm64
Version: 0.15.1 (5)
ENTITLEMENTS
application-identifier
RX5HNX6Z2T.com.strayfawnstudio.gambonanza
com.apple.developer.team-identifier
RX5HNX6Z2T
get-task-allow
false

----------

Could you specify which file you need from the OSX (Xcode) Build?

#13. ateo

This post was deleted by its owner

append delete #14. ateo

here is the windows build
https://www.swisstransfer.com/d/2b792db8-b065-453e-a628-ffccbae33d0b
(download link is only valid a single time, and password is darwin)

and the build log, just in case
https://pmbaty.com/paste/?52b5b68a59f3b7cc#Hgpa3q8syWmxTDosHua4dM5YB2nxWcKTxprjKMear2B1

append delete #15. Pierre-Marie Baty

Thank you, I downloaded it.

.xcarchive is a packaging variant which stores the .app directory and the .dSYM bundles (debug symbols). It's a "bundle", which in Apple's terminology means a simple directory masquerading itself as a file. Just right-click on the .xcarchive file in macOS' file explorer (the "Finder") and select "Show package contents" to browse inside this directory. If you use the Terminal, it's even simpler: simply "cd" in it like you would for any other directory.

I'll be looking at your app's entitlements in the Windows build now and report back what I find.

append delete #16. Pierre-Marie Baty

So here are your entitlements (I used "ldid -e" to show just the entitlements instead of the whole code signature information): 

% ldid -e Gambonanza
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>application-identifier</key>
        <string>RX5HNX6Z2T.com.strayfawnstudio.gambonanza</string>
        <key>beta-reports-active</key>
        <true/>
        <key>com.apple.developer.game-center</key>
        <true/>
        <key>com.apple.developer.icloud-container-identifiers</key>
        <array>
        </array>
        <key>com.apple.developer.icloud-services</key>
        <string>*</string>
        <key>com.apple.developer.team-identifier</key>
        <string>RX5HNX6Z2T</string>
        <key>com.apple.developer.ubiquity-container-identifiers</key>
        <array>
        </array>
        <key>com.apple.developer.ubiquity-kvstore-identifier</key>
        <string>RX5HNX6Z2T.*</string>
        <key>get-task-allow</key>
        <false/>
        <key>keychain-access-groups</key>
        <array>
                <string>RX5HNX6Z2T.*</string>
        </array>
</dict>
%

And indeed, these entitlements contain: 

%
        <key>com.apple.developer.icloud-services</key>
        <string>*</string>
%

and 

%
        <key>com.apple.developer.ubiquity-kvstore-identifier</key>
        <string>RX5HNX6Z2T.*</string>
%

which is consistent with the error message Apple sent you. I would be interested in knowing whether these entitlements are *stripped* or *edited* (e.g. the '*' character is resolved with your app's bundle ID?) in the version produced by Xcode.

:: @Pierre-Marie Baty added on 19 Nov ’25 · 15:08

*edit* According to Apple here https://developer.apple.com/documentation/bundleresources/entitlements/com.apple.developer.icloud-services?language=objc the "com.apple.developer.icloud-services" entitlements *cannot* have '*' as a value, the only accepted values are either "CloudDocuments", "CloudKit" and "CloudKit-Anonymous". So I wonder where this '*' value comes from. Probably a misconfigured value in the Unity editor? This also hints towards the hypothesis that Xcode silently drops invalid entitlements (such as this one) from binaries it's signing, which is - in my opinion - a somewhat brutal way of gettings things done! Isn't there at least a warning about it in the Xcode build logs?

#17. ateo

This post was deleted by its owner

append delete #18. ateo

Wow that would be pretty wild if Xcode actually did that silently. at least it never warned me or anything.

There is a .app file in the .xarchive directory indeed. I zipped the whole thing and uploaded it for you.
https://www.swisstransfer.com/d/3ee8afd1-b9ee-4ce6-888b-4ff7f805c605
(again 1-time download pw darwin)

I'll try to get the build logs from OSX then

append delete #19. Pierre-Marie Baty

I downloaded it.

Well, it clears up a lot of things !

Here are the final entitlements that are stamped in the app binary by Xcode: 

% ldid -e Gambonanza
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>application-identifier</key>
        <string>RX5HNX6Z2T.com.strayfawnstudio.gambonanza</string>
        <key>beta-reports-active</key>
        <true/>
        <key>com.apple.developer.team-identifier</key>
        <string>RX5HNX6Z2T</string>
        <key>get-task-allow</key>
        <false/>
</dict>
</plist>
%

As you can see, Xcode simply stripped 80% of them silently. Amazing...

I suppose the ones that contain empty values (such as empty arrays) can be legitimately stripped. These are "com.apple.developer.icloud-container-identifiers" and "com.apple.developer.ubiquity-container-identifiers". I also suppose that those that contain "default values" can be stripped as well. Those would be: "com.apple.developer.game-center" (default value: "true"), and "keychain-access-groups" (default value: "<team identifier>.*")

And indeed, after having stripped all those for legitimate reasons, the only 2 keys that remain are those that Apple complain about because their value is invalid. Which means Xcode simply strips them too.

Now, how to fix that. I *could* align with Xcode's behavior here and do the same thing, but 1°) it's pretty brutal and 2°) that would require me to maintain a list of all possible values for all possible entitlement keys. I don't think that would be good design.

A better thing to do at this point, even if it doesn't align with what Xcode does, would be to remove those entitlements from the Entitlements.plist that's created by Unity, or fix their value so that they are accepted by the App Store. What do you think?

append delete #20. ateo

Wow ok. First off thank you again for helping investigate this, you rock!

I could write a Unity build post processing script that fixes the .plist but I am still not 100% sure where that entitlements file would lie inside the xcode project, as I have not found anything by i.e. searching for "ubiquity" in all of the files in the Xcode project root. so I am still a bit puzzled.

As an end user I would of course argue that it is the best experience if it mimics 1:1 what Xcode does, as that is kind of the purpose of using this tool. But if it means a lot of hardcoding values and keeping up with random changes on Apples Side, I think that a section describing the issue and how to solve it in the docs can be sufficient too.

append delete #21. ateo

also if you are still interested in the Build log from Xcode, here it is:
https://pmbaty.com/paste/?fbf55ed989c0978f#XcEmdgyrcJnBZjRZSRY9Bj2vTA441Ldsdkv4rKhx3c8

append delete #22. Pierre-Marie Baty

Thank you for the Xcode build log. Not a single warning indeed...

The search feature in the Windows Explorer is utterly broken. Don't expect it to find files containing something. When I look for strings in files I use another search tool, such as Midnight Commander's (a "traditional" text-mode two-panel file manager).

There can also be a list of entitlements in your provisioning profile. These ones are merged with your app's explicit entitlements at signing time. To check that, open your provisioning profile with a text editor. Skip the leading binary garbage (it's the entitlement's signature) and reach the part where the XML data starts. You might find the entitlement you're looking for there (although I wonder why the Apple Provisioning Portal would generate provisioning profiles with invalid entitlement values??) But we can't rule that out, so let me know if it's the case.

Your point that the tool should ideally mimic 1:1 what Xcode does because that's what the users expect is a heavy one and I'll take it into consideration.

:: @Pierre-Marie Baty added on 19 Nov ’25 · 16:18

*edit* Bingo.

I checked your app's embedded.mobileprovision file (that's your provisioning profile) and here goes: 

% embedded.mobileprovision, Entitlements part:

	<key>Entitlements</key>
	<dict>
		<key>beta-reports-active</key>
		<true/>
				
				<key>com.apple.developer.ubiquity-container-identifiers</key>
		<array></array>
				
				<key>com.apple.developer.game-center</key>
		<true/>
				
				<key>application-identifier</key>
		<string>RX5HNX6Z2T.com.strayfawnstudio.gambonanza</string>
				
				<key>keychain-access-groups</key>
		<array>
				<string>RX5HNX6Z2T.*</string>
				<string>com.apple.token</string>
		</array>
				
				<key>get-task-allow</key>
		<false/>
				
				<key>com.apple.developer.team-identifier</key>
		<string>RX5HNX6Z2T</string>
				
				<key>com.apple.developer.ubiquity-kvstore-identifier</key>
		<string>RX5HNX6Z2T.*</string>
				
				<key>com.apple.developer.icloud-services</key>
		<string>*</string>
				
				<key>com.apple.developer.icloud-container-identifiers</key>
		<array></array>
				
				<key>com.apple.developer.icloud-container-development-container-identifiers</key>
		<array></array>

	</dict>
%

Indenting errors preserved.

So it does look like Apple generates provisioning profiles with invalid entitlement values, as per their own documentation, and the only way they seemingly were able to fix that was to make Xcode silently strip those poor entitlements instead of fixing the problem at the source.

Well, I guess that's what I need to do too...

append delete #23. ateo

I used my IDE, so that shouldn't be an issue with "Find in Files".

I analyzed the .mobiprovision file and indeed, the entitlemens above are all inside there.

Get-ChildItem -Recurse -Filter *.txt | Select-String "YourSearchTerm"

----------

<key>Entitlements</key>
<dict>
<key>beta-reports-active</key>
<true/>

<key>com.apple.developer.ubiquity-container-identifiers</key>
<array></array>

<key>com.apple.developer.game-center</key>
<true/>

<key>application-identifier</key>
<string>RX5HNX6Z2T.com.strayfawnstudio.gambonanza</string>

<key>keychain-access-groups</key>
<array>
<string>RX5HNX6Z2T.*</string>
<string>com.apple.token</string>
</array>

<key>get-task-allow</key>
<false/>

<key>com.apple.developer.team-identifier</key>
<string>RX5HNX6Z2T</string>

<key>com.apple.developer.ubiquity-kvstore-identifier</key>
<string>RX5HNX6Z2T.*</string>

<key>com.apple.developer.icloud-services</key>
<string>*</string>

<key>com.apple.developer.icloud-container-identifiers</key>
<array></array>

<key>com.apple.developer.icloud-container-development-container-identifiers</key>
<array></array>

</dict>
<key>ExpirationDate</key>

----------

I think I don't remember checking those manually when creating the certificate.
also when inspecting the profile in developer.apple.com in the "Enabled Capabilities" I only see
Game Center, iCloud, In-App Purchase

:: @ateo added on 19 Nov ’25 · 16:40

EDIT:

I see we have come to the same conclusion simulataneously

:: @ateo added on 19 Nov ’25 · 16:44

interesting to see what's hidden under the Rug even for companies like Apple haha

append delete #24. ateo

So now I either will have to manually post process the built .ipa or you need to mimic Xcodes shenanigans too. If you are worried that stripping these could brake other things, maybe expose an options to provide a list of entitlements to replace/strip manually

append delete #25. Pierre-Marie Baty

You won't be able to post-process the built .ipa, that would break the signature.

I am building an experimental version of ldid (the code signer) in which I extended the entitlements "blacklist" to mimic what Xcode does: 

% ldid.c somewhere
               is_distribution_signature = true; // remember we're signing for distribution

               // we are signing for distribution; cycle through all keys in the entitlements collection so as to exclude the blacklisted ones
               for (key_index = 0; key_index < ents_collection.key_count; key_index++)
               {
                  // if the entitlement name contains "-development-", it has no place in a DISTRIBUTION binary, so strip it out
                  // also, "com.apple.developer.icloud-container-identifiers" keys that contain empty arrays should be stripped
                  // also, "com.apple.developer.icloud-services" keys that contain a wildcard string should be stripped
                  // also, "com.apple.developer.ubiquity-container-identifiers" keys that contain empty arrays should be stripped
                  // also, "com.apple.developer.ubiquity-kvstore-identifier" keys that contain just the team identifier with a wildcard should be stripped
                  if ((strstr (ents_collection.keys[key_index].name, "-development-") != NULL)
                      || ((strcmp (ents_collection.keys[key_index].name, "com.apple.developer.icloud-container-identifiers") == 0) && (Buffer_CompareWithCharArray (&ents_collection.keys[key_index].raw_data, "<array></array>") == 0))
                      || ((strcmp (ents_collection.keys[key_index].name, "com.apple.developer.icloud-services") == 0) && (Buffer_CompareWithCharArray (&ents_collection.keys[key_index].raw_data, "<string>*</string>") == 0))
                      || ((strcmp (ents_collection.keys[key_index].name, "com.apple.developer.ubiquity-container-identifiers") == 0) && (Buffer_CompareWithCharArray (&ents_collection.keys[key_index].raw_data, "<array></array>") == 0))
                      || ((strcmp (ents_collection.keys[key_index].name, "com.apple.developer.ubiquity-kvstore-identifier") == 0) && (Buffer_CompareWithCString (&ents_collection.keys[key_index].raw_data, xmlenclosed_team_identifier_with_wildcard) == 0)) )
                  {
                     memmove (&ents_collection.keys[key_index], &ents_collection.keys[key_index + 1], (ents_collection.key_count - (key_index + 1)) * sizeof (plistkey_t));
                     ents_collection.key_count--; // shift the entitlements collection array one slot down (don't bother reallocating smaller)
                     key_index--; // and reparse this slot
                  }
               }
%

I would like you to test it and report to me if it solves the problem. If it does, I'll push a toolchain update.

Here it is: https://www.pmbaty.com/darwinbuildenv/ldid-ateo.zip

Unzip it and put it in the Toolchain directory of the builder, replacing the old one. Rebuild and let me know if Apple accepted your upload this time. You may also do a development build and test on your device to make sure both use cases work correctly.

#26. ateo

This post was deleted by its owner

append delete #27. ateo

*Awesome work!* It looks like it did the job. I managed to create a new build and upload it with the default (empty settings). The app also showed up in the apple developer backend.

after inspecting the binary with "ldid" I get the following:

----------

PS C:\Darwin\gambonanza\Packages\Payload\Gambonanza.app> ldid -e .\Gambonanza
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>application-identifier</key>
<string>RX5HNX6Z2T.com.strayfawnstudio.gambonanza</string>
<key>beta-reports-active</key>
<true/>
<key>com.apple.developer.game-center</key>
<true/>
<key>com.apple.developer.team-identifier</key>
<string>RX5HNX6Z2T</string>
<key>get-task-allow</key>
<false/>
<key>keychain-access-groups</key>
<array>
<string>RX5HNX6Z2T.*</string>
</array>
</dict>
</plist>

append delete #28. Pierre-Marie Baty

That aligns better with what Xcode does. The only extra keys are "com.apple.developer.game-center" and "keychain-access-groups" but they wear acceptable (default) values, so it matches.

Did you test a development build and an OTA deployment of the app on your iPhone with this code signer?

append delete #29. ateo

no as of now I have only tried a distribution build and uploaded it to App Store Connect, where it also successfully passed testing. I will try the OTA deployment right now then

append delete #30. ateo

I just testet building it with the development profile, enabled OTA deployment and remote debug console, and it all seems to work.

Heere is the build log
https://pmbaty.com/paste/?73bd77c30ff8fe01#2qyjuKxeUZyGXAiX1Q1yei1MLHQC7nnefWAAvzNggbCY

and these are the entitlemens on the executables

----------

PS C:\Darwin\gambonanza\Packages\Payload\Gambonanza.app> ldid -e .\Gambonanza
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>application-identifier</key>
<string>RX5HNX6Z2T.com.strayfawnstudio.gambonanza</string>
<key>com.apple.developer.team-identifier</key>
<string>RX5HNX6Z2T</string>
<key>get-task-allow</key>
<true/>
<key>keychain-access-groups</key>
<array>
<string>RX5HNX6Z2T.*</string>
</array>
</dict>
</plist>
PS C:\Darwin\gambonanza\Packages\Payload\Gambonanza.app>

append delete #31. Pierre-Marie Baty

I don't understand how you can get *these* entitlements on a *development* binary. The entitlements filtering rules I posted above only enforce when a distribution certificate is detected: 

%
               if (Certificate_FindSignerCommonName (&certificates[certificate_index], certificate_common_name, sizeof (certificate_common_name))
                   && ((strncmp (certificate_common_name, "iPhone Distribution: ", 21) == 0) || (strncmp (certificate_common_name, "Apple Distribution: ", 20) == 0)))
%

But this is obviously not the case in the build log you posted: 

%
 + Signing code as Apple Development: xxxxxxxx (XXXXXXXXXX) with team ID XXXXXXXXXX...
%

Are you sure you ran ldid on the right executable ? That would mean there's one more bug I need to fix...

Reply

(Leave this as-is, it’s a trap!)

There is no need to “register”, just enter the same name + password of your choice every time.

Pro tip: Use markup to add links, quotes and more.

Moderators: Pierre-Marie Baty