Buck is merging invalid iCloud entitlements from profiles
Created by: rmaz
87eea587 removed some entitlements keys from the getMergeableEntitlements
method. This now merges the following keys when signing builds:
"com.apple.developer.icloud-container-environment",
"com.apple.developer.icloud-container-identifiers",
"com.apple.developer.icloud-services",
"com.apple.developer.restricted-resource-mode",
"com.apple.developer.ubiquity-container-identifiers",
"com.apple.developer.ubiquity-kvstore-identifier",
These keys are not present in an equivalent build made via Xcode, they are only added if explicitly present in the apps entitlements. The profile values for these keys contain wildcards, which will cause app store rejection:
Error Domain=ITunesConnectionOperationErrorDomain Code=1091 "Invalid Code Signing Entitlements. The signature for your app bundle contains entitlement values that are not supported. For the com.apple.developer.ubiquity-kvstore-identifier entitlement, the value must start with the prefix provided by Apple in the provisioning profile, followed by characters that are uppercase or lowercase Roman letters [A-Z, a-z], the digits 0 through 9, dot ['.'], or hyphen ['-'], and not contain any wildcard characters.
These keys should be added back to the method, they should not be merged in from the provisioning profile. This list was determined from examining the Xcode entitlements merging code, we should be mirroring the Xcode behaviour here.