My Distribution Certificate finally expired for the first time on the App Store as well as my Apple Push Notification Certificates. I removed all of my certificates, created a new one for Distribution and Push Notifications, recreated my distribution profiles, compiled my .ipa as I have always done and when I upload my app, I get the following error:
ERROR ITMS-90164: "Invalid Code Signing Entitlements. The entitlements in your app bundle signature do not match the ones that are contained in the provisioning profile. According to the provisioning profile, the bundle contains a key value that is not allowed: 'true' for the key 'get-task-allow' in 'Payload/MyApp.app/MyApp'.
Nowhere in my descriptor file do I even mention 'get-task-allow' in my entitlements so I don't know what is happening. I thought that perhaps I had done something wrong creating all of my new certificates and distribution profiles, so I recreated all of them and tried again. Same thing. Has anyone ever seen this? Can you give me some direction?
(My app does not currently do any push notifications, but I wanted to keep that door open while I was developing. I can't remember, do I need to do anything with the push notification certificate when I package the app, or does it just need to exist on Apple's servers?)
I believe get-task-allow is automatically added to development provisioning profiles, and is not added to distribution provisioning profiles. Are you sure you didn't accidentally try building an App Store distribution build with your development profile instead of your distribution profile?
If you have a Mac, you can also check to see what Entitlements are included in your provisioning profile with this Terminal command:
security cms -D -i /path/to/your/profile.mobileprovision
I just checked on my development profiles and they do have get-task-allow set to true, while my adhoc and appstore distribution profiles have get-task-allow set to false, so it might be worth checking the profile you're using for the App Store build to make sure it didn't get swapped for a development one.
Flipline, I really appreciate your detailed explanation, it quickly gave me hope. But alas, this does not appear to be the issue at first glance. Under entitlements, the app-environment is set to "production", and get-task-allow is set to "false" even though the error is reporting that it is set to true???
I don't know if it is simply the standard name of the key or if I actually am using a Developer Certificate by accident somehow, but there is a key named <key>DeveloperCertificates</key> with a huge string after it. I figured it would be called DistributionCertificate or ProductionCertificate since it is a Distribution Profile. Could you tell me, when you run the script you sent me in the Terminal, whether your Production Profiles have a key named DeveloperCertificates?
I just checked an older profile that I still had, DeveloperCertificates is just the name of the key. Any other thoughts?
I will add that Apple's Certificate section of the website changed recently, and the profiles that it spits out do not look exactly as they used to. For instance, the <dict> key under entitlements used to look like this:
<dict>
<key>keychain-access-groups</key>
<array>
<string>Y2T6PFZR4H.*</string>
</array>
<key>get-task-allow</key>
<false/>
<key>application-identifier</key>
<string>Y2T6PFZR4H.com.myapp.myapp</string>
<key>com.apple.developer.team-identifier</key>
<string>Y2T6PFZR4H</string>
<key>aps-environment</key>
<string>production</string>
<key>beta-reports-active</key>
<true/>
</dict>
And the profile that it spit out today looks like the following:
<dict>
<key>beta-reports-active</key>
<true/>
<key>aps-environment</key>
<string>production</string>
<key>application-identifier</key>
<string>Y2T6PFZR4H.com.myapp.myapp</string>
<key>keychain-access-groups</key>
<array>
<string>Y2T6PFZR4H.*</string>
</array>
<key>get-task-allow</key>
<false/>
<key>com.apple.developer.team-identifier</key>
<string>Y2T6PFZR4H</string>
</dict>
It's basically all scrambled up!
Just for giggles, I added this to my descriptor file in my entitlements:
<key>get-task-allow</key>
<false/>
And it worked! The question is why??? The provisioning profile already has this value set to false based on the script that Flipline provided, and I have never had to add it to any of my builds before in the past two years. So why do I have to add it now? Does this have something to do with Apple's new Certificates interface? Have they changed something?
Are you using SDK33 or 32? I compiled and published with 32 last week without problem.
I published with AIR 32, but with certificates and profiles that I just created yesterday. It feels like something changed there on Apple’s end. After I manually added the entitlement I just mentioned above, the app upload was accepted, but I got another email from Apple stating
ITMS-90191: Missing beta entitlement - Your app does not include the beta-reports-active entitlement. If you intend to distribute this build via TestFlight for beta testing, please re-build this app with an App Store Distribution provisioning profile. Do not use ad-hoc profiles.
It actually was an App Store Distribution provisioning profile despite this error, I don’t use ad hoc. It is as if all the entitlements that were always accepted as defaults now have to be explicitly stated. Sure feels like a mess to me.
That's odd, I just generated some new provisioning profiles and everything is working fine, they look identical in structure to the profiles I generated a few months ago and to ones I generated a few years ago.
For all of the errors you're getting, that sounds exactly like what would happen if you were using a Development profile instead of an App Store profile --- a Development profile does not contain the beta-reports-active entitlement, and a Development profile has get-task-allow set to true.
Here's one more thing you could try to make sure the mobileprovision file you're using is correct -- open up the App Store ipa/app that you generated, and find the embedded.mobileprovision in the Payload folder which will be the exact provisioning profile the app is using. Copy that out of there, and then run the Terminal command on it to see exactly what is listed inside the app. An App Store profile should have beta-reports-active set to true, and get-task-allow set to false. A development profile will have get-task-allow set to true, it won't have a beta-reports-active key, and it will also have a ProvisionedDevices key.
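The check described above, as an added example that is not code from any poster in this thread: it pulls the plist out of an embedded.mobileprovision blob, classifies the profile by the keys named in the post, and lists signed entitlements the profile does not allow (the ITMS-90164 condition). The function names, the sample team ID and bundle ID, and the matching rule are assumptions; the rule is a simplified approximation, not Apple's validator, and the CMS signature is not verified.

```python
import plistlib
from fnmatch import fnmatchcase

def profile_plist(blob: bytes) -> dict:
    """Extract the XML plist wrapped inside a CMS-signed .mobileprovision."""
    start, end = blob.find(b"<?xml"), blob.rfind(b"</plist>")
    if start < 0 or end < start:
        raise ValueError("no XML plist inside profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def profile_kind(profile: dict) -> str:
    """Classify using only the keys the post above lists."""
    ent = profile.get("Entitlements", {})
    if ent.get("get-task-allow") is True:
        return "development"
    if ent.get("beta-reports-active") is True and "ProvisionedDevices" not in profile:
        return "app-store"
    return "other"  # e.g. ad hoc: get-task-allow false, no beta-reports-active

def _allowed(allowed, value) -> bool:
    # Assumed rule: lists are allow-lists, strings may end in a "*" wildcard.
    if isinstance(allowed, list):
        values = value if isinstance(value, list) else [value]
        return all(any(_allowed(a, v) for a in allowed) for v in values)
    if isinstance(allowed, str) and isinstance(value, str):
        return fnmatchcase(value, allowed)
    return allowed == value

def mismatches(signed: dict, profile: dict) -> dict:
    """Signed entitlements that the profile's Entitlements do not permit."""
    ent = profile.get("Entitlements", {})
    return {k: v for k, v in signed.items()
            if k not in ent or not _allowed(ent[k], v)}

# Constructed sample data (placeholder team ID and bundle ID, fake CMS framing).
SAMPLE_PROFILE = b"\x30\x80CMS-HEADER" + plistlib.dumps({"Entitlements": {
    "application-identifier": "TEAMID1234.com.example.app",
    "keychain-access-groups": ["TEAMID1234.*"],
    "get-task-allow": False,
    "aps-environment": "production",
    "beta-reports-active": True}}) + b"CMS-SIGNATURE"
# What a packager might have signed into the binary without the explicit key.
SAMPLE_SIGNED = {"application-identifier": "TEAMID1234.com.example.app",
                 "aps-environment": "production", "get-task-allow": True}

if __name__ == "__main__":
    p = profile_plist(SAMPLE_PROFILE)
    print(profile_kind(p), mismatches(SAMPLE_SIGNED, p))
```

With a real build, the `signed` dict would come from the entitlements embedded in the app binary's code signature, and the blob from Payload/MyApp.app/embedded.mobileprovision.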
Flipline, you may be right. I will check on this when I get back to my computer this afternoon. But I 100% created a distribution certificate, and when I create my App Store provisioning profile, the only certificate available during creation is the distribution certificate, not any of my development certificates, so I am 100% sure it is an App Store provisioning profile. So if it is somehow goofed up, it has to be on what Apple is handing to me. I’ll look deeper and get back on this.
I always make sure I include beta-reports-active set to true, but I'm using TestFlight so I need to; if you don't, then just ignore this warning. And yes, I do have <key>get-task-allow</key> set to false also. I comment this out with a development profile (to install on device) and uncomment it for distribution/TestFlight.
ASWC, that is fascinating to me. For the past two years, I have had nothing but this in my entitlements:
<key>aps-environment</key>
<string>production</string>
I would change "production" to "development" for my development profile to test on a device. Like you, I seem to now need to include all of these values. I don't know what may have changed to need this, but for me, I think it is going to be a requirement now. But I am glad to hear that other people are using them already, and I am not some strange use case. I don't like it when I hear that I am the only one.
Strange, I've never defined any Entitlements specifically for our apps (the aps-environment only applies to Push Notifications which we don't use), the app provisioning profiles contain their own Entitlement information that gets added to your app depending on which profile you select with the build.
When you say you'd change "production" to "development" for your development profile, that key only applies to how your push notifications are running and has nothing to do with the app itself, so I'm guessing you're also switching between an app store .mobileprovision file and a development .mobileprovision file when you're testing on device too?
Yes, when I am testing on a device, I use a development provisioning profile and therefore have to change the "production" to "development" for the aps-environment key when I switch provisioning profiles, otherwise it throws an error when I try to build it on the device. I then switch it to "production" when I package my final build for the App Store and use a distribution provisioning profile. But I have NEVER had to declare any of the other entitlements to get the app to load to the App Store until recently when I got a new distribution certificate and provisioning profiles.
Same workflow here, the basis is, each time I need to create a new certificate I make sure I can compile to prod and run on device, and whatever I had to do to make it work (sometimes it changes) I just keep doing it until I need a new certificate again. I know it's lazy and some people might say "you didn't have to do that" but hey, it's working! I had so many "fights" with Apple certificates that once I get something working then this is it for me.