iOS Build Environment Help Center

Issues after loading ipa to App Store Connect

Artem

Windows 10
Builder 3.45
iOS SDK 15.0
Hello, I'm trying to load my .ipa file to App Store Connect via Upload Tool correctly. I use the correct provision profile with a production certificate and an App Id with correctly configured capabilities. Uploading passes normally, without errors. But after that I receive an email with similar content:

Dear Developer,

We identified one or more issues with a recent delivery for your app, "RMAZOR" 1.0 (3). Please correct the following issues, then upload again.

ITMS-90046: Invalid Code Signing Entitlements - Your application bundle's signature contains code signing entitlements that are not supported on iOS. Specifically, value '*' for key 'com.apple.developer.icloud-services' in 'Payload/MazeBlade.app/MazeBlade' is not supported.

ITMS-90046: Invalid Code Signing Entitlements - Your application bundle's signature contains code signing entitlements that are not supported on iOS. Specifically, value 'Development' for key 'com.apple.developer.icloud-container-environment' in 'Payload/MazeBlade.app/MazeBlade' is not supported.

ITMS-90211: Invalid Code Signing Entitlements - The signature for your app bundle contains entitlement values that are not supported. For the com.apple.developer.ubiquity-kvstore-identifier entitlement, the value must start with the prefix provided by Apple in the provisioning profile, followed by characters that are uppercase or lowercase Roman letters [A-Z, a-z], the digits 0 through 9, dot ['.'], or hyphen ['-'], and not contain any wildcard characters. Specifically, value '5R8U9QXLT7.*' for the key 'com.apple.developer.ubiquity-kvstore-identifier' in 'Payload/MazeBlade.app/MazeBlade' is not supported.

Best regards,

The App Store Team

It seems that the build is signed by a provision file with incorrect content. I tried to solve this problem by recreating the provision files (https://developer.apple.com/forums/thread/12758), but it didn't help. Then I tried to manually edit the provision file (not the best idea) to remove the concrete asterisks for issues 1 and 3, but got this message on the next upload:

ITMS-90165: Invalid Provisioning Profile Signature - The provisioning profile included in the bundle 'com.MazingLabCo.MazesForever' (Payload/MazeBlade.app) cannot be used to submit apps to the iOS App Store until it has a valid signature from Apple. For more information, visit the iOS Developer Portal.

Best regards,

The App Store Team

If anyone has encountered a similar problem and managed to solve it successfully, please help.


Replies

#1. Pierre-Marie Baty

Hello

Your app uses specific entitlements; I assume they have to be configured in some sort of Entitlements.plist file somewhere in your Xcode project directory tree (the builder should tell you the location of that file btw).

You need to edit this file with a text editor and configure each specific entitlement as per Apple's directions. Let's take them one after the other:

% item one
value '*' for key 'com.apple.developer.icloud-services' in 'Payload/MazeBlade.app/MazeBlade' is not supported.
%

For this one, check https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_developer_icloud-services and https://developer.apple.com/documentation/xcode/configuring-icloud-services
You see that its value should be an array of strings, that define the iCloud services that your app needs. Define the value of that entitlement accordingly, in XML PList format.

% item two
value 'Development' for key 'com.apple.developer.icloud-container-environment' in 'Payload/MazeBlade.app/MazeBlade' is not supported.
%

My guess is that the value here should be "Production", isn't it ? See https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_developer_icloud-container-environment

% item three
value '5R8U9QXLT7.*' for the key 'com.apple.developer.ubiquity-kvstore-identifier' in 'Payload/MazeBlade.app/MazeBlade' is not supported.
%

In my opinion, as this is a *distribution* build you should put your full bundle ID here, in place of the asterisk. Such as "5R8U9QXLT7.com.yourcompany.yourappname".

Take the time to read through the links I posted and generally, when you get error messages by Apple that mention a specific identifier, ask Google Search what they think about that identifier and open one link or two to get a better understanding of what Apple is talking about.

Don't hesitate to ask again if you need more explanations or if something is unclear.

Best regards,

#2. Artem

Actually, my entitlements file already looks normal:

% Entitlements.plist
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>aps-environment</key>
    <string>production</string>
    <key>com.apple.developer.icloud-container-identifiers</key>
    <array>
      <string>iCloud.com.MazingLabCo.MazesForever</string>
    </array>
    <key>com.apple.developer.icloud-services</key>
    <array>
      <string>CloudDocuments</string>
      <string>CloudKit</string>
    </array>
    <key>com.apple.developer.ubiquity-container-identifiers</key>
    <array>
      <string>iCloud.com.MazingLabCo.MazesForever</string>
    </array>
    <key>com.apple.developer.ubiquity-kvstore-identifier</key>
    <string>5R8U9QXLT7.com.MazingLabCo.MazesForever</string>
  </dict>
</plist>
%

#3. Artem

I don't know whether it is normal or not, but the "Entitlements" section in my distribution provision file has the same wrong values that are in the issues:

% distribution.mobileprovision
  <key>Entitlements</key>
  <dict>
    <key>beta-reports-active</key>
    <true/>
    <key>application-identifier</key>
    <string>5R8U9QXLT7.com.MazingLabCo.MazesForever</string>
    <key>keychain-access-groups</key>
    <array>
      <string>5R8U9QXLT7.*</string>
      <string>com.apple.token</string>
    </array>
    <key>get-task-allow</key>
    <false/>
    <key>com.apple.developer.team-identifier</key>
    <string>5R8U9QXLT7</string>
    <key>com.apple.developer.ubiquity-kvstore-identifier</key>
    <string>5R8U9QXLT7.*</string>
    <key>com.apple.developer.icloud-services</key>
    <string>*</string>
    <key>com.apple.developer.icloud-container-environment</key>
    <array>
      <string>Production</string>
      <string>Development</string>
    </array>
    <key>com.apple.developer.icloud-container-identifiers</key>
    <array>
      <string>iCloud.com.MazingLabCo.MazesForever</string>
    </array>
    <key>com.apple.developer.icloud-container-development-container-identifiers</key>
    <array>
      <string>iCloud.com.MazingLabCo.MazesForever</string>
    </array>
    <key>com.apple.developer.ubiquity-container-identifiers</key>
    <array>
      <string>iCloud.com.MazingLabCo.MazesForever</string>
    </array>
    <key>aps-environment</key>
    <string>production</string>
  </dict>
%

It contains these asterisks and the "Development" value in the com.apple.developer.icloud-container-environment array, though it is a provision for production.

#4. Pierre-Marie Baty

That looks abnormal indeed. Is that really a distribution profile ?

In your situation I would generate a new one.

#5. Artem

Yes, it is really a distribution profile; even the builder says that it is. I tried to regenerate it, but it didn't help.

#6. Pierre-Marie Baty

Sorry for asking the obvious but, is the checkbox next to "Entitlements from .plist file" really ticked in the builder UI ? Because everything happens as if your entitlements file was ignored...

#7. Artem

Yes, it was ticked

#8. Pierre-Marie Baty

Ah, then I must concede that you probably have hit a bug in the code signer that I have to fix.

I need to reproduce that in vitro. Could you please share this Xcode project with me, along with your profile, certificate and private key ? Strict confidentiality is guaranteed. I will delete your files as soon as that bug is fixed.

#9. Pierre-Marie Baty

Hello Artem

I restate that I am extremely interested in reproducing your situation here so as to debug it. If you're concerned about confidentiality issues, we can sign a NDA. Other confidentiality-friendly solutions can be imagined too: for example, temporarily changing your private key's passphrase or using a totally temporary signing identity (key + cert + profile) that can be revoked after. All I need is a binary that can be signed with the very entitlements that you have - and those have to correspond to the provisioning profile.

Let me know if there's anything I can do on my side to advance on this topic.
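
An added example, not part of the thread and not the builder's code: a pre-upload check in Python that flags the three entitlement values named in the rejection e-mail and verifies that the values requested in Entitlements.plist are covered by the profile. The sample plists are constructed from the values in posts #2 and #3 (trimmed to the rejected keys), the function names are hypothetical, and treating a `*` in the profile as a wildcard over allowed values is an assumption.

```python
import plistlib
from fnmatch import fnmatchcase

P = "com.apple.developer."
HEAD = b'<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>'
TAIL = b"</dict></plist>"
# Constructed samples: values from posts #2 and #3, trimmed to the rejected keys.
PLIST_XML = HEAD + b"""
<key>com.apple.developer.icloud-services</key>
<array><string>CloudDocuments</string><string>CloudKit</string></array>
<key>com.apple.developer.ubiquity-kvstore-identifier</key>
<string>5R8U9QXLT7.com.MazingLabCo.MazesForever</string>""" + TAIL
PROFILE_XML = HEAD + b"""
<key>com.apple.developer.icloud-services</key><string>*</string>
<key>com.apple.developer.icloud-container-environment</key>
<array><string>Production</string><string>Development</string></array>
<key>com.apple.developer.ubiquity-kvstore-identifier</key>
<string>5R8U9QXLT7.*</string>""" + TAIL

def as_list(value):
    return value if isinstance(value, list) else [value]

def lint_signed(ent):
    """Return (key, value) pairs the rejection e-mail names as unsupported."""
    no_wildcard = (P + "icloud-services", P + "ubiquity-kvstore-identifier")
    bad = []
    for key, val in ent.items():
        for v in as_list(val):
            if key in no_wildcard and "*" in str(v):
                bad.append((key, v))
            elif key == P + "icloud-container-environment" and v == "Development":
                bad.append((key, v))
    return bad

def not_covered(requested, profile):
    """Requested values the profile does not allow.
    Assumption: a '*' in a profile value is a wildcard over allowed values."""
    missing = []
    for key, val in requested.items():
        patterns = [str(p) for p in as_list(profile.get(key, []))]
        for v in as_list(val):
            if not any(fnmatchcase(str(v), p) for p in patterns):
                missing.append((key, v))
    return missing

requested = plistlib.loads(PLIST_XML)
profile = plistlib.loads(PROFILE_XML)
if __name__ == "__main__":
    print("Entitlements.plist:", lint_signed(requested), not_covered(requested, profile))
    print("profile copied as-is:", lint_signed(profile))
```

The Entitlements.plist values pass both checks, while the profile's dictionary embedded unchanged produces exactly the three findings from the e-mail, which is consistent with the entitlements file being ignored at signing time.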


Moderators: Pierre-Marie Baty