Application failed codesign verification. The signature was invalid, contains disallowed entitlements, or it was not signed with a Distribution

Question

I'm trying to push an iOS application to iTunes Connect, but I get this error when I try to validate it in Xcode:

Application failed codesign verification. The signature was invalid, contains disallowed entitlements, or it was not signed with an iPhone Distribution Certificate

I've seen loads of questions related to the same issue, but those didn't work for me. I follow every single step of Apple's Technical Note TN2250. I check that in the build settings a distribution profile is selected for release (have tried with the wildcard and a custom one for the app) and the schema is the correct one. To ensure the app was signed with that profile, I use the codesign -d -vvvv MyApp.app command, and get something like:

Executable=/Users/myuser/Library/Developer/Xcode/Archives/2012-09-17/myapp 17-09-12 09.27.xcarchive/Products/Applications/MyApp.app/MyApp
Identifier=com.example.MyApp
...
Authority=iPhone Distribution: My Company
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
...

I check the entitlements, which I haven't modified, with security cms -D -i MyApp.app/embedded.mobileprovision, getting this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>ApplicationIdentifierPrefix</key>
    <array>
        <string>PR3F1X</string>
    </array>
    <key>CreationDate</key>
    <date>2012-09-17T07:20:35Z</date>
    <key>DeveloperCertificates</key>
    <array>
        <data>
                ...
        </data>
    </array>
    <key>Entitlements</key>
    <dict>
        <key>application-identifier</key>
        <string>PR3F1X.com.example.MyApp</string>
        <key>get-task-allow</key>
        <false/>
        <key>keychain-access-groups</key>
        <array>
            <string>PR3F1X.*</string>
        </array>
    </dict>
    <key>ExpirationDate</key>
    <date>2013-09-16T07:20:35Z</date>
    <key>Name</key>
    <string>PROFILE NAME</string>
    <key>TeamIdentifier</key>
    <array>
        <string>PR3F1X</string>
    </array>
    <key>TimeToLive</key>
    <integer>364</integer>
    <key>UUID</key>
    <string>...</string>
    <key>Version</key>
    <integer>1</integer>
</dict>
</plist>

The bundle id of this app looks like com.example.MyApp, and I thought the upper cases could be the problem, but changed them and it didn't do. After that, I revoked my certificates, got fresh mobileprovision profiles and went through the whole process again, with no success.

The software I'm using is Xcode 4.3.2 with Mac OS X 10.7.4

I can't see where the problem is, I'm missing something.

EDIT 1: Does modifying the bundle ID requires I change some other setting manually?

EDIT 2: I just made a sample app from scratch, signed it with the same certificates and everything goes smooth, so it seems that the problem is in the configuration. I'm trying to see the differences between those two project's settings, but the only remarkable ones would be that the first one is iPad only and it uses a couple of PhoneGap plugins.

Answer 1

I had the same problem. You had to check your Application's Signature, see How do I check the entitlements on my Application's Signature with following:

codesign -d --entitlements - /path/to/MyGreatApp.app

It's OK and I don't know what the error you have, if you get something like:

Executable=/path/to/MyGreatApp.app/MyGreatApp
??qq?<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>application-identifier</key>
        <string>ABC123DE45.com.appleseedinc.mygreatapp</string>
        <key>get-task-allow</key>
        <false/>
        <key>keychain-access-groups</key>
        <array>
            <string>ABC123DE45.com.appleseedinc.mygreatapp</string>
        </array>
    </dict>
</plist>

But If you get only:

Executable=/path/to/MyGreatApp.app/MyGreatApp

Then, it's a problem. Probably, you damaged the entitlements during the code resigning with codesign tool.

I've made next steps to fix it:

1. Archive any app in Xcode.
2. Choose 'Distribute ...'->'Save for Enterprise Ad-Hoc Deployment' as AppName.ipa
3. Unzip AppName.ipa
4. Create Application's Signature entitlements file: codesign -d --entitlements :enterprise.plist Payload/PathToApp.app/
5. Go to the folder where uploaded app located.

6. Create Provisioning profile entitlements file:

   security cms -D -i /path/to/the.app/embedded.mobileprovision > provision_entitlements.plist

7. Open provision_entitlements.plist and enterprise.plist. Modify settings of enterprise.plist , it should be equal to provision_entitlements.plist->Entitlements property. Save the changes.

8. When resign the app add argument --entitlements enterprise.plist to codesign tool.

   codesign -fs "iPhone Distribution: My Company" APP_DIRECTORY --entitlements enterprise.plist