How to properly add iOS entitlements to an app?

I am trying to add iCloud Documents Capabilities to my iOS application bundled in Defold and I keep getting errors.

On the Apple Developer site I’ve created an iCloud Container Identifier and enabled iCloud Capabilities (Compatible with Xcode 5) in the App ID. I’ve also created and downloaded an Ad Hoc app Profile with the iCloud Capabilities App ID.
“iCloud Compatible with Xcode 5” excludes support for CloudKit which is not needed.

With Xcode I generated this iCloud entitlements file:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.developer.icloud-container-identifiers</key>
	<array>
		<string>iCloud.com.new.test.id</string>
	</array>
	<key>com.apple.developer.icloud-services</key>
	<array>
		<string>CloudDocuments</string>
	</array>
	<key>com.apple.developer.ubiquity-container-identifiers</key>
	<array>
		<string>iCloud.com.new.test.id</string>
	</array>
</dict>
</plist>

In the Defold project file I point to /builtins/manifests/ios/Info.plist for the Info.plist setting and I point to /iCloud.entitlements for the Custom entitlements setting.

I get this error in Defold when I bundle for iOS application:
java.io.IOException: Invalid custom iOS entitlements key 'com..apple..developer..icloud-container-identifiers'.

When I add this setting: override_entitlements = 1
to the Defold project file the application builds without errors but I get the following error when I try to install the app with Xcode on a device:
The executable was signed with invalid entitlements.
The entitlements specified in your application’s Code Signing Entitlements file are invalid, not permitted, or do not match those specified in your provisioning profile. (0xE8008016).

When I add the entitlements manually to a custom Info.plist file the app builds, installs and launches on the device but it immediately crashes with these errors.
<Error>: secTaskDiagnoseEntitlements MISSING keychain entitlements: no stored taskRef found
<Notice>: AMFI: hook..execve() killing pid 13563: entitlements not XML

Development environment: OSX Version 10.11.6, Defold Version:1.2.164

Any ideas on how to proceed would be most appreciated.

I think there is a bug with overriding entitlements in Defold but I’m posting this in case I’m missing something.

From the docs: Entitlements
“If specified, can override wildcard entitlements defined in the supplied provisioning profile (.entitlements, .xcent, .plist).”

The entitlements in my downloaded Provision file created on the Apple dev site have 3 wildcard values in these keys: keychain-access-groups, com.apple.developer.ubiquity-kvstore-identifier and com.apple.developer.icloud-services.
NewTestIDadHoc3Devices.mobileprovision entitlements:

<key>Entitlements</key>
<dict>
	<key>com.apple.developer.ubiquity-container-identifiers</key>
	<array>
		<string>iCloud.com.new.test.id</string>
	</array>
	<key>application-identifier</key>
		<string>4ZX4Z3MVHG.com.new.test.id</string>
	<key>keychain-access-groups</key>
	<array>
		<string>4ZX4Z3MVHG.*</string>
	</array>
		
	<key>get-task-allow</key>
		<false/>			
	<key>com.apple.developer.team-identifier</key>
		<string>4ZX4Z3MVHG</string>
	<key>com.apple.developer.ubiquity-kvstore-identifier</key>
		<string>4ZX4Z3MVHG.*</string>		
	<key>com.apple.developer.icloud-services</key>
		<string>*</string>		
	<key>com.apple.developer.icloud-container-environment</key>
	<array>
		<string>Production</string>
		<string>Development</string>
	</array>		
	<key>com.apple.developer.icloud-container-identifiers</key>
	<array>
		<string>iCloud.com.new.test.id</string>
	</array>		
	<key>com.apple.developer.icloud-container-development-container-identifiers</key>
	<array>
		<string>iCloud.com.new.test.id</string>
	</array>
</dict>

When I point to Custom entitlements /iCloud.entitlements file in game.project.
iCloud.entitlements:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>keychain-access-groups</key>
	<array>
		<string>4ZX4Z3MVHG.com.new.test.id</string>
	</array>
	<key>com.apple.developer.ubiquity-kvstore-identifier</key>
		<string>4ZX4Z3MVHG.com.new.test.id</string>	
	<key>com.apple.developer.icloud-services</key>
	<array>
		<string>CloudDocuments</string>
	</array>
</dict>
</plist>

Then Bundle an iOS Application with the above Provisioning profile, NewTestIDadHoc3Devices.mobileprovision. The embedded.mobileprovision entitlements wildcard “*” values are unchanged with or without adding override_entitlements = 1 to the game.project settings.

When I add the <key>Entitlements</key> to the iCloud.entitlements file and Bundle for iOS in Defold I get this error:
Unknown source
java.io.IOException: Invalid custom iOS entitlements key 'Entitlements.keychain-access-groups'.

When I add <key>Entitlements</key> to the iCloud.entitlements file combined with adding override_entitlements = 1 to game.project I get this error:
Unknown source
/var/folders/wr/37b7w66x6rs7tf0z52cf_gfm0000gn/T/entitlement3795777977671083398.xcent: unrecognized blob type (accepting blindly)
/var/folders/wr/37b7w66x6rs7tf0z52cf_gfm0000gn/T/entitlement3795777977671083398.xcent: invalid length in entitlement blob

Is there some step I am missing or is this a bug?

Not sure. Let’s check with @sven and @JCash.


When this is set to 1, the file you specified in ios.entitlements will be used directly, without alteration.

When it is set to 0 (or left out), we will try to merge it with our own entitlements.
However, this merging is a bit buggy still, so I’d advise you to use a full entitlements file, and set the value to 1.

As to why it doesn’t work in your case, I don’t know. Do you get any output at all?


I just retested using this custom FulliCloud.entitlements file:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<key>Entitlements</key>
<dict>
	<key>com.apple.developer.ubiquity-container-identifiers</key>
	<array>
		<string>iCloud.com.new.test.id</string>
	</array>
	<key>application-identifier</key>
		<string>4ZX4Z3MVHG.com.new.test.id</string>
	<key>keychain-access-groups</key>
	<array>
		<string>4ZX4Z3MVHG.com.new.test.id</string>
	</array>
	<key>get-task-allow</key>
		<false/>
	<key>com.apple.developer.team-identifier</key>
		<string>4ZX4Z3MVHG</string>
	<key>com.apple.developer.ubiquity-kvstore-identifier</key>
		<string>4ZX4Z3MVHG.com.new.test.id</string>
	<key>com.apple.developer.icloud-services</key>
		<string>CloudDocuments</string>
	<key>com.apple.developer.icloud-container-environment</key>
	<array>
		<string>Production</string>
		<string>Development</string>
	</array>
	<key>com.apple.developer.icloud-container-identifiers</key>
	<array>
		<string>iCloud.com.new.test.id</string>
	</array>
	<key>com.apple.developer.icloud-container-development-container-identifiers</key>
	<array>
		<string>iCloud.com.new.test.id</string>
	</array>
</dict>
</plist>

Without override_entitlements = 1 in game.project, without <key>Entitlements</key> in FulliCloud.entitlements:
No build errors. No change to entitlements in embedded.mobileprovision from entitlements in AdHoc Provision, wildcard values are still wildcard “*”.

Without override_entitlements = 1 in game.project, with <key>Entitlements</key> in FulliCloud.entitlements:
Build Error Unknown source
java.io.IOException: Invalid custom iOS entitlements key 'Entitlements.com..apple..developer..ubiquity-container-identifiers'.

With override_entitlements = 1 in game.project, without <key>Entitlements</key> in FulliCloud.entitlements:
No build errors. No change to entitlements in embedded.mobileprovision from entitlements in AdHoc Provision, wildcard values are still wildcard “*”.

With override_entitlements = 1 in game.project, with <key>Entitlements</key> in FulliCloud.entitlements:
Build Error Unknown source
unknown exception

Bundle iOS Application settings:
Sign application: [x]
Code signing identity: Distribution
Provision profile: AdHoc
Architectures: [x] 32-bit, [x] 64-bit
Variant: Release

This is a barebones test project created from the Defold Mobile game template.
In all my tests I am unable to get the custom entitlements to merge or completely overwrite the AdHoc Provision entitlements.


I reported this as a bug #2925.
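
Added example, not part of the original thread and not Defold's or Apple's code: a simplified Python model of the comparison behind the 0xE8008016 message, checking that every value in a custom entitlements file is covered by the provisioning profile's Entitlements dict, with a trailing * treated as a prefix wildcard. The sample plists are constructed from the values quoted in the posts above; the function names and the matching rule are assumptions.

```python
import plistlib

# Constructed sample: the profile's Entitlements dict as quoted in the thread (abridged).
PROFILE = plistlib.loads(b"""<plist version="1.0"><dict>
<key>application-identifier</key><string>4ZX4Z3MVHG.com.new.test.id</string>
<key>keychain-access-groups</key><array><string>4ZX4Z3MVHG.*</string></array>
<key>get-task-allow</key><false/>
<key>com.apple.developer.ubiquity-kvstore-identifier</key><string>4ZX4Z3MVHG.*</string>
<key>com.apple.developer.icloud-services</key><string>*</string>
<key>com.apple.developer.icloud-container-identifiers</key>
<array><string>iCloud.com.new.test.id</string></array>
<key>com.apple.developer.ubiquity-container-identifiers</key>
<array><string>iCloud.com.new.test.id</string></array>
</dict></plist>""")

# Constructed sample: the Xcode-generated iCloud.entitlements from the first post.
XCODE_FILE = b"""<plist version="1.0"><dict>
<key>com.apple.developer.icloud-container-identifiers</key>
<array><string>iCloud.com.new.test.id</string></array>
<key>com.apple.developer.icloud-services</key>
<array><string>CloudDocuments</string></array>
<key>com.apple.developer.ubiquity-container-identifiers</key>
<array><string>iCloud.com.new.test.id</string></array>
</dict></plist>"""


def _as_list(value):
    # Profiles and entitlements files mix scalars and arrays for the same key.
    return value if isinstance(value, list) else [value]


def _permits(granted, requested):
    """Assumed rule: a granted string ending in '*' is a prefix wildcard; else exact match."""
    if isinstance(granted, str) and isinstance(requested, str) and granted.endswith("*"):
        return requested.startswith(granted[:-1])
    return type(granted) is type(requested) and granted == requested


def check_entitlements(requested_plist: bytes, profile: dict) -> list:
    """Return a list of problems; an empty list means every requested value is covered."""
    requested = plistlib.loads(requested_plist)
    if not isinstance(requested, dict):
        return ["root element is not a <dict>"]
    problems = []
    for key, want in requested.items():
        if key not in profile:
            problems.append(f"{key}: key not granted by profile")
            continue
        for item in _as_list(want):
            if not any(_permits(g, item) for g in _as_list(profile[key])):
                problems.append(f"{key}: {item!r} not covered by profile")
    return problems
```

On a Mac the two inputs can be dumped with `security cms -D -i <profile>.mobileprovision` (the profile, whose Entitlements dict is the allowlist) and `codesign -d --entitlements :- <App>.app` (what was actually signed into the bundle).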