Store submission fails with iCloud entitlements
Created by: rmaz
When a provisioning profile has iCloud entitlements enabled, the Buck-signed binary will not pass store submission. A typical iCloud provisioning profile will have entitlements similar to:
<key>Entitlements</key>
<dict>
    <key>keychain-access-groups</key>
    <array>
        <string>4ZX4Z3MVHG.*</string>
    </array>
    <key>application-identifier</key>
    <string>4ZX4Z3MVHG.com.appleseedinc.MyProject</string>
    <key>com.apple.developer.ubiquity-kvstore-identifier</key>
    <string>4ZX4Z3MVHG.*</string>
    <key>com.apple.developer.icloud-services</key>
    <string>*</string>
    <key>com.apple.developer.icloud-container-environment</key>
    <array>
        <string>Development</string>
        <string>Production</string>
    </array>
    <key>com.apple.developer.icloud-container-identifiers</key>
    <array>
        <string>iCloud.com.appleseedinc.MyProject</string>
        <string>iCloud.com.appleseedinc.container1</string>
    </array>
    <key>com.apple.developer.icloud-container-development-container-identifiers</key>
    <array>
        <string>iCloud.com.appleseedinc.MyProject</string>
        <string>iCloud.com.appleseedinc.container1</string>
    </array>
    <key>com.apple.developer.ubiquity-container-identifiers</key>
    <array>
        <string>iCloud.com.appleseedinc.MyProject</string>
        <string>iCloud.com.appleseedinc.container1</string>
    </array>
    <key>com.apple.developer.team-identifier</key>
    <string>4ZX4Z3MVHG</string>
    <key>aps-environment</key>
    <string>production</string>
</dict>
The default entitlements handling in Buck will combine the specified entitlements file with the entitlements in the provisioning profile. This will result in both the com.apple.developer.icloud-container-development-container-identifiers and com.apple.developer.ubiquity-kvstore-identifier keys being added to the signing entitlements. Trying to submit a binary with either of these present will result in the following iTunes store errors:
ERROR ITMS-90045: "Invalid Code Signing Entitlements. Your application bundle's signature contains code signing entitlements that are not supported on iOS. Specifically, key com.apple.developer.icloud-container-development-container-identifiers in Payload/Blah.app is not supported."
and:
ERROR ITMS-90211: Invalid Code Signing Entitlements. The signature for your app bundle contains entitlement values that are not supported. For the com.apple.developer.ubiquity-kvstore-identifier entitlement, the value must start with the prefix provided by Apple in the provisioning profile, followed by characters that are uppercase or lowercase Roman letters [A-Z, a-z], the digits 0 through 9, dot, or hyphen, and not contain any wildcard characters. Specifically, value 4ZX4Z3MVHG.* for the key com.apple.developer.ubiquity-kvstore-identifier in Payload/Blah.app is not supported.
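As an added example (not code from this report or from Buck), a small Python check that reproduces the merge described above and flags the two entitlements the store rejects; the sample profile dict is constructed from the values quoted here, and the rule that Apple's prefix is "<team-id>." is an assumption.

```python
"""Pre-submission lint for signing entitlements (added example, not Buck's code).
Reproduces the default merge described in the report and flags the two keys the
App Store rejects, ITMS-90045 and ITMS-90211."""
import plistlib
import re

# Constructed sample: a subset of the profile entitlements quoted in the report.
PROFILE_ENTITLEMENTS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>application-identifier</key><string>4ZX4Z3MVHG.com.appleseedinc.MyProject</string>
<key>com.apple.developer.team-identifier</key><string>4ZX4Z3MVHG</string>
<key>com.apple.developer.ubiquity-kvstore-identifier</key><string>4ZX4Z3MVHG.*</string>
<key>com.apple.developer.icloud-container-identifiers</key>
<array><string>iCloud.com.appleseedinc.MyProject</string></array>
<key>com.apple.developer.icloud-container-development-container-identifiers</key>
<array><string>iCloud.com.appleseedinc.MyProject</string></array>
<key>aps-environment</key><string>production</string>
</dict></plist>"""

# ITMS-90045: key not supported at all; ITMS-90211: value may not contain a wildcard.
UNSUPPORTED_KEYS = {"com.apple.developer.icloud-container-development-container-identifiers"}
NO_WILDCARD_KEYS = {"com.apple.developer.ubiquity-kvstore-identifier"}

def load_profile():
    return plistlib.loads(PROFILE_ENTITLEMENTS_PLIST)

def merge_entitlements(app, profile):
    """Default merge: profile keys fill in whatever the app's entitlements file omits."""
    merged = dict(profile)
    merged.update(app)
    return merged

def lint_entitlements(ents):
    """Return the ITMS-style findings a store upload would raise for `ents`."""
    team = ents.get("com.apple.developer.team-identifier", "")
    # Assumption: the prefix Apple provides is "<team-id>." as in the quoted values.
    allowed = re.compile(rf"^{re.escape(team)}\.[A-Za-z0-9.-]+$")
    findings = []
    for key in sorted(ents):
        if key in UNSUPPORTED_KEYS:
            findings.append(f"ITMS-90045: key {key} is not supported")
        elif key in NO_WILDCARD_KEYS and not allowed.match(str(ents[key])):
            findings.append(f"ITMS-90211: value {ents[key]} for key {key} is not supported")
    return findings

def strip_unsupported(ents):
    """Drop keys the store rejects outright; wildcard values are fixed by setting them explicitly."""
    return {k: v for k, v in ents.items() if k not in UNSUPPORTED_KEYS}
```

Linting the profile entitlements alone reproduces both errors; an app entitlements file that sets a concrete kvstore identifier removes the ITMS-90211 finding after the merge, and only the development-container key then needs to be dropped.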
I'm not sure where the behaviour of merging the entitlements came from; is this mirroring what Xcode would do? It seems more correct to not merge the entitlements. Would this result in a different error, though? Do we always need to merge certain keys from the provisioning profile?