iOS provisioning profiles #2436

Closed
PanayotCankov opened this issue Jan 17, 2017 · 10 comments
@PanayotCankov
Contributor

PanayotCankov commented Jan 17, 2017

(a.k.a. iOS provisioning hell)

Naïve overview on iOS provisioning and certificates

Provisioning profiles can be of 3 types, and each of them binds together some properties that identify its type, the devices it can deploy to, and the code signing certificate that can be used with it:

  • AdHoc
    • Name and UUID
    • Supports all devices
    • Bound to a single distribution certificate
    • When an app signed with an AdHoc provisioning profile is deployed on a device, it requests additional permissions to launch the app
    • Application identifier
    • Team ID
    • Expiration date
  • Development
    • Name and UUID
    • App identifier
    • Signing entitlements (specifying extended range of native capabilities such as push notifications)
    • Device UDIDs that apps signed with this provisioning profile can be deployed to
    • Development code signing certificates that can be used to sign with this certificate
    • Team ID
    • Expiration date
  • Distribution
    • Name and UUID
    • Can not deploy to device but rather upload to the App Store
    • Bound to a single distribution certificate
    • App identifier
    • Team ID
    • Expiration date

In addition, as of Xcode 8 there are two signing styles: "Manual" and "Automatic". When the "Automatic" signing style is enabled within Xcode, the IDE will be allowed to recreate provisioning profiles and code signing certificates. During build a team id is provided, either through the flags in the pbxproj or xcconfig, and the xcodebuild command line tool will select a provisioning profile and signing certificate for that team. When set to "Manual", a provisioning profile is provided either through the pbxproj or xcconfig and xcodebuild will use exactly this provisioning profile. When a certificate is automatically generated by Xcode, it can not be used with "Manual" signing.

N.B.> The team id and provisioning profiles can also be specified through the command line of xcodebuild, but when building multi-target projects (such is the case with CocoaPods) the provided signing is also applied to the pods frameworks, often resulting in a mismatch (given a provisioning profile with org.nativescript.* app id, it will fail to sign the org.cocoapods.* frameworks).

App identifiers can be categorized as:

  • Wildcard (org.nativescript.*) that can support a broad range of app ids
  • Specific (org.nativescript.examples) that can target a single id, but such a non-wildcard identifier is required for most advanced native capabilities such as push notifications, keychain access, health kit etc.

Certificates can be of two types:

  • Distribution
    • An organization can have a limited number of distribution certificates
  • Development
    • Every developer in an organization can have exactly one code signing certificate

Certificates contain a public and a private key. The public key is uploaded to the Apple Member Center, while the private key stays on the admin's or developer's machine. Losing the private key requires the certificate to be revoked and a new one to be created. Recreating a certificate results in a cascading need to renew the provisioning profiles it was used in.

Within {N}

Currently we have to support three main separate scenarios:

  • Development
  • App Store submission
  • CI

Development

During development a provisioning profile should be provided in order for the app to be signed so it can be deployed on a device.

AppStore

Building for the store requires the app to be built for release and a distribution provisioning profile paired with a distribution certificate to be used when signing the app.

CI

CI usually is performed either for test and automation or automated App Store submission.


Existing Microinteractions in the NativeScript CLI

Specifying provisioning profile with Manual signing style using --provision

With #2393, specifying a provisioning profile and "Manual" signing style has been enabled. The workflow is as follows:

  1. Run tns prepare|build|run ios --provision will list a table with eligible provisioning profiles. The App ID, devices, etc. will filter provisioning profiles that will not support the current app.
  2. Run tns prepare|build|run ios --provision <uuid-or-name> will save the specified provisioning profile in the platforms/ios/.pbxproj along with the "Manual" signing style. Once set, all subsequent commands will use the provided provision.

Along with this, should "Manual" signing and a provision be specified using Xcode in the .pbxproj, the CLI should respect it and use it if no --provision is specified on the command line.

This behavior should also allow for CI to set a provision during build.

Specifying development team with Automatic signing style using --team-id

When tns build|run ios --team-id <team-id> is called, the team-id will be provided to the xcodebuild and Automatic signing style will be used to sign the app.

N.B.> In contrast with --provision this will not update the pbxproj as this option precedes the --provision and during its implementation we had no convenient method to update the pbxproj.

N.B.> This has been reported to fail due to xcodebuild picking a wrong provisioning profile when multiple profiles are available.

Specifying team-id for Automatic signing style when no other means to sign the app is provided

When tns build|run ios is called and targets a device, and no signing is specified in any other way, an interactive dialog will prompt for a team-id. It can be persisted in the app/iOS/build.xcconfig. The team-id will be provided to the xcodebuild and Automatic signing style will be used to sign the app.

N.B.> This has been reported to fail due to xcodebuild picking a wrong provisioning profile when multiple profiles are available.

Specifying signing in the xcconfig

Currently the app/App_Resources/iOS/build.xcconfig is used for the app target and as such can hold flags used for signing. The workflow would be as follows:

  1. Run tns prepare ios --provision to list provisioning profiles and team along with their ids.
  2. In the app/App_Resources/build.xcconfig set either:
DEVELOPMENT_TEAM = CHSQ******;

or

PROVISIONING_PROFILE = 5dca****-bd**-4d**-ab**-************;

Note that step 2 can either be done manually or it can be automated with CI scripts to allow for {N} apps to be built on CI.

Building and uploading to the App Store

tns publish ios will build the app for release, produce an Xcode archive, then export an ipa signed for App Store distribution and use the Application Loader program to upload it to the App Store. Several options can be provided either through the command line or, should command line args be omitted, through an interactive dialog: iTunes Connect username and password, distribution provisioning profile.


As some of these interactions differ in behavior, we should consolidate the whole provisioning experience.
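
The eligibility filtering that step 1 of the --provision workflow describes (App ID, devices, expiration), as an added example that is not part of the original issue and is not the NativeScript CLI's own code. The profile payload, team id and UDID are constructed, and the helper names are hypothetical; the plist keys are the ones found in a decoded provisioning profile.

```python
import plistlib
from datetime import datetime, timezone

# Constructed sample: the decoded plist payload of a development profile.
# A real .mobileprovision wraps this plist in a CMS signature that must be
# decoded first (for example with `security cms -D -i <file>` on macOS).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Name</key><string>Constructed Dev Profile</string>
  <key>UUID</key><string>00000000-0000-0000-0000-000000000000</string>
  <key>TeamIdentifier</key><array><string>TEAMID0000</string></array>
  <key>ExpirationDate</key><date>2030-01-01T00:00:00Z</date>
  <key>ProvisionedDevices</key><array><string>constructed-udid-1</string></array>
  <key>Entitlements</key><dict>
    <key>application-identifier</key><string>TEAMID0000.org.nativescript.*</string>
    <key>get-task-allow</key><true/>
  </dict>
</dict></plist>"""

def app_id_matches(pattern, bundle_id):
    """Wildcard ids (org.nativescript.*) cover a prefix; specific ids must be equal."""
    if pattern == "*":
        return True
    if pattern.endswith(".*"):
        return bundle_id.startswith(pattern[:-1])  # keep the trailing dot
    return pattern == bundle_id

def ineligible_reasons(profile, bundle_id, device_udid=None, now=None):
    """Return why a profile cannot sign bundle_id; an empty list means eligible."""
    # plistlib yields naive UTC datetimes, so compare against naive UTC "now".
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    reasons = []
    if profile["ExpirationDate"] <= now:
        reasons.append("expired")
    # application-identifier is "<app id prefix>.<app id>"; drop the prefix.
    pattern = profile["Entitlements"]["application-identifier"].split(".", 1)[1]
    if not app_id_matches(pattern, bundle_id):
        reasons.append("app id mismatch")
    devices = profile.get("ProvisionedDevices")  # absent in App Store profiles
    if device_udid and devices is not None and device_udid not in devices:
        reasons.append("device not provisioned")
    return reasons

profile = plistlib.loads(SAMPLE_PROFILE)
```

Checking a CocoaPods framework id such as org.cocoapods.SomePod against this wildcard profile returns "app id mismatch", which is the multi-target failure described in the N.B. above.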

@vchimev

vchimev commented Jan 19, 2017

Handling CI for iOS

Setting up CI, you can run tns prepare ios --provision to list the provisioning profiles, including distribution provisioning profiles, with their names and uuids. Then you can add a CI script to set the app/App_Resources/iOS/build.xcconfig as follows:

ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
ASSETCATALOG_COMPILER_LAUNCHIMAGE_NAME = LaunchImage;

CODE_SIGN_IDENTITY = iPhone Distribution;
PROVISIONING_PROFILE = <distribution provision uuid like c535****-****-****-****-************>;

Mind the build version should be updated in the app/App_Resources/iOS/Info.plist since you cannot upload a bundle with the same version number twice.

And then execute tns publish ios <itunesconnect username> <itunesconnect password> on CI. This will archive the Xcode project, export and sign IPA for distribution and upload to itunesconnect.

@pkoleva
Contributor

pkoleva commented Jan 20, 2017

  • Setting provisioning profile does not work if the project folder name differs from the app id. The app target is named after the folder, but the CLI signing tries to set provisioning profiles for target named as the app id.
  • Way to setup provisioning and certificate globally and use it as default for signing all apps for devices

@hshristov

On a clean machine without any provisioning profile downloaded, running tns run ios gives the following error:

ENOENT: no such file or directory, scandir '/Users/hhristov/Library/MobileDevice/Provisioning Profiles/'

@PanayotCankov
Contributor Author

This may be of interest: https://pewpewthespells.com/blog/migrating_code_signing.html

@PanayotCankov
Contributor Author

Selecting provisioning profile is tightly coupled with the xcodebuild, archive and export workflow and these should probably be tracked together. tns build ios now always exports using development mode. This is unexpected when AdHoc or AppStore distribution profiles are specified through --provision or through the .xcconfig file. For more information: #3020

@adityamenon

@hristoborisov I got the same error just now. What worked for me:

  1. Open Xcode.
  2. Create a new blank iOS app project.
  3. Run it in the simulator.

I figured that these steps will force macOS to do whatever is needed to set up for running simulators, and it worked!

@BMwanza

BMwanza commented Aug 17, 2018

Hi, I am currently having some trouble with the Provisioning File(s) for my app when I try running it on a physical device. I am not sure if this is the right place to place this issue, but I was hoping someone could help me troubleshoot this process.

Here is my console output after running the tns run ios --teamId [myTeamID] command:

Code Signing Error: Automatic signing is unable to resolve an issue with the "noSnow" target's entitlements. Automatic signing can't add the com.apple.keystore.device and com.apple.keystore.access-keychain-keys entitlements to your provisioning profile. Switch to manual signing and resolve the issue by downloading a matching provisioning profile from the developer website. Alternatively, to continue using automatic signing, remove these entitlements from your entitlements file and their associated functionality from your code.
Code Signing Error: Provisioning profile "iOS Team Provisioning Profile: org.nativescript.noSnow" doesn't include the com.apple.keystore.access-keychain-keys and com.apple.keystore.device entitlements.
Code Signing Error: Code signing is required for product type 'Application' in SDK 'iOS 11.4'
Code Signing Error: Code signing is required for product type 'Application' in SDK 'iOS 11.4'
Code Signing Error: Code signing is required for product type 'Application' in SDK 'iOS 11.4'
Code Signing Error: Code signing is required for product type 'Application' in SDK 'iOS 11.4'
Code Signing Error: Code signing is required for product type 'Application' in SDK 'iOS 11.4'
Code Signing Error: Code signing is required for product type 'Application' in SDK 'iOS 11.4'
Code Signing Error: Code signing is required for product type 'Application' in SDK 'iOS 11.4'

** ARCHIVE FAILED **

Any help would be greatly appreciated, thanks

@gatodeveloper

tns run ios --emulator

@mehdinourollah

+1 ...Any news on the code signing problem solving ?!

@endarova endarova self-assigned this Oct 14, 2019
@endarova
Contributor

Closing this feature. All tasks described in it are implemented. For any problems regarding iOS code signing, please log a separate issue, providing as many details as you can.
