• Open Menu Close Menu
  • Apple
  • Shopping Bag
  • Apple
  • Mac
  • iPad
  • iPhone
  • Watch
  • TV
  • Music
  • Support
  • Search apple.com
  • Shopping Bag

Lists

Open Menu Close Menu
  • Terms and Conditions
  • Lists hosted on this site
  • Email the Postmaster
  • Tips for posting to public mailing lists
Re: Did something happen with developer.apple.com?
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Did something happen with developer.apple.com?

  • Subject: Re: Did something happen with developer.apple.com?
  • From: Alex Zavatone <email@hidden>
  • Date: Tue, 28 Feb 2017 17:31:23 -0600
For anyone who cares, 1/2 of our team is still using Xcode 7 while the other half is using Xcode 8 with automatic provisioning.

Apparently, if you have 2 distro certs and one is about to expire, Xcode 8 refreshes the provisioning profiles and swaps out the cert with the other certificate.

If you have to code sign (iOS) with more than one provisioning profile per build, both your certificates MUST be made off of the same id, as in the team ID, not a personal developer ID.

If this is not done and your apps are using keychain sharing, this will immediately trigger a sequence of misleading errors about entitlements when you are distributing your IPA.

Why?

If you had one cert made against your team ID, and you are planning on using keychain sharing or app groups, that might get an identifier like this:
ABABAB.com.myawesomecompany.myepicproduct

This will go into your provisioning profiles, even if you specified

com.myawesomecompany.myepicproduct

in the app groups or keychain sharing set up.

But if any other dist certs are not made against the same ID, as in against your personal developer ID, or for an app extension, you'll get the ID of that cert in front of your bundle identifier and this will be added to the provisioning profiles made from that cert.

Instantly, you'll have provisioning profiles that you didn't touch that use 2 different certs, and the entitlements specified for the app won't match what's in the provisioning profiles, resulting in code signing and entitlements errors when trying to build or export an IPA.

You didn't do anything to cause this. Xcode 8 did, even if you are using Xcode 7.  We just had this lovely feature hit about 4 of our products and build and distro server, so please be careful, because everyone's distro certs are probably going to be expiring through out the year.

The terribly frustrating thing is that Xcode 8 causes the provisioning profiles that are up in the dev center to become invalid and there are NO notifications to the admins or agent that this has happened or why and you only hear about it when other team members mention that they can't build in Xcode 8, because of entitlement and code signing issues, simply because automatic code signing swapped certs when it updated profiles in the background.

Fun times.  We're still mopping this up after 4 AM Sunday morning sessions getting our Jenkins build server working again, even with no one on the team changing the build code signing options.

Just beware if you use more than one provisioning profile for your bulds, the certs within them have to be made from the same team identifier or somewhere within the year, you'll be in provisioning profile hell without doing anything to cause it.

- Alex Zavatone




On Feb 23, 2017, at 2:12 PM, Alex Zavatone wrote:

> The reason I ask is that I made new iOS provisioning profiles at 4:15 this morning.
>
> We have 2 distribution certs.  One expires in April 14, the other March 22nd.
>
> I NEVER use the April 14th cert.
>
> At 11 AM, I look and see that all the provisioning profiles I made at 4 this morning were Invalid.
>
> I make new ones.  Ad Hoc and distribution.
>
> I archive and code sign our app.
>
> "Certificates used in this binary do not match certificates made in that binary."
>
> WTF?  I just made these.
>
> I look at them.  Every one is using the April 14th cert, not the March 22 cert that I just selected.
>
> I switch to another Mac, sign in to developer.apple.com and make new provisioning profiles and i select the MARCH 22 distribution cert and download the provisioning profiles.
>
> I open them up and look at them.
>
> They are all using April 14th.
>
> WTF?  I did not select these.  What is going on with the developer site?
>
> Alex Zavatone
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Xcode-users mailing list      (email@hidden)
> Help/Unsubscribe/Update your Subscription:
>
> This email sent to email@hidden


 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Xcode-users mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden
References: 
 >Did something happen with developer.apple.com? (From: Alex Zavatone <email@hidden>)

  • Prev by Date: Re: Couldn't compile a Swift enum test
  • Next by Date: How can I save code coverage output?
  • Previous by thread: Did something happen with developer.apple.com?
  • Next by thread: Couldn't compile a Swift enum test
  • Index(es):
    • Date
    • Thread