Bundle Identifier and push certificate... aps-environment entitlement error

I found this question when I was moving from a development environment to a production one on an application that I am working on. This process involved the creation of a new profile, a new app ID, etc. I created the app ID and a profile, but the Team Agent had to configure the push notifications. I ran into the problem of "no valid 'aps-environment' entitlement string found for application" when I tried to resume testing with the new profile (after the app had been configured for push notifications). I then remembered reading a little caveat in the documentation:

"You have to modify the profile in some way (for example, toggle an option) for the portal to generate a new provisioning profile. If the profile isn't so "dirtied", you're given the profile without the push entitlements."

Source: Local and Push Notification Programming Guide

For me, "dirtying" the provisioning profile and reinstalling it was all that was needed to fix the issue. Per the documentation, this was required because the provisioning profile was created before the app was configured for push notifications. This may or may not help anyone, but this probably explains (and eliminates) the need to manually add anything to the provisioning profile.


I ran into the same "no valid 'aps-environment' entitlement string found for application" problem, but the above solutions did not work for me.

I could not find very good documentation about this error or even just the key "aps-environment".

After some tinkering around, here is what solved the problem for me:

Open your development provisioning certificate, "Appname.mobileprovision", with a text editor, look for the key "Entitlements", then add all of the values found here to your Entitlements file referenced by your Code Signing Entitlements setting.

Here is an example of what keys/values you'll find inside:

<key>application-identifier</key>
<string>xyz.com.xyz.xyz</string>
<key>aps-environment</key>
<string>development</string>
<key>com.apple.developer.ubiquity-container-identifiers</key>
<array>
    <string>xyz.*</string>
</array>
<key>com.apple.developer.ubiquity-kvstore-identifier</key>
<string>xyz.*</string>
<key>get-task-allow</key>
<true/>
<key>keychain-access-groups</key>
<array>
    <string>xyz.*</string>
</array>

After adding all of these values to my Entitlements file my app builds successfully and I can finally get back to working on Push Notifications.

I'm not sure if these values are supposed to be automatically added to your entitlements file by Xcode, but they certainly weren't being generated for me in my project.


Setup:

Mac OS X 10.8 + Xcode 4.4

My Simple Solution:

  1. Reissue your ad hoc provisioning profile after you have set up push notifications for your app ID and import it to Xcode.
  2. Take a look into your .xcodeproj folder (right click -> Show Package Contents) and delete the xcuserdata folder.
  3. That's it ;)

Some hints on that issue:

After activating Push Notifications for my app I suddenly couldn't create ad hoc files anymore. I ran across errors in my Console log on my iPhone while trying to install my app, such as these:

Apr  1 20:56:10 unknown installd[384] <Error>: entitlement 'keychain-access-groups' has value not permitted by a provisioning profile
Apr  1 20:56:10 unknown installd[384] <Error>: entitlement 'get-task-allow' has value not permitted by a provisioning profile
Apr  1 20:56:10 unknown installd[384] <Error>: entitlement 'application-identifier' has value not permitted by a provisioning profile
Apr  1 20:56:10 unknown installd[384] <Error>: 2ff66000 verify_signer_identity: Could not copy validate signature: -402620394
Apr  1 20:56:11 unknown installd[384] <Error>: 2ff66000 preflight_application_install: Could not verify executable at /var/tmp/install_staging.44jV0O/foo_extracted/Payload/PersonalTrainer-Tester-iPhone.app
Apr  1 20:56:11 unknown com.apple.itunesstored[392] <Notice>: MobileInstallationInstall: failed with -1
Apr  1 20:56:11 unknown installd[384] <Error>: 2ff66000 install_application: Could not preflight application install
Apr  1 20:56:11 unknown installd[384] <Error>: 2ff66000 handle_install: API failed
Apr  1 20:56:11 unknown installd[384] <Error>: 2ff66000 send_message: failed to send mach message of 71 bytes: 10000003
Apr  1 20:56:11 unknown installd[384] <Error>: 2ff66000 send_error: Could not send error response to client

There is some technical note which recommends using codesign -d --entitlements - <YourAppName>.app to check if your app is signed properly for Apple Push Notifications. In case the output of the codesign command does not have an aps-environment set to production or development there is something fishy!

As far as I knew so far, my apps signed with an adhoc provisioning profile always have an embedded.mobileprovision inside the <YourAppName>.app folder with a specific part in them such as:

<key>Entitlements</key>
<dict>
    <key>application-identifier</key>
    <string>ABCDEFGH.com.myappname.tester</string>
    <key>aps-environment</key>
    <string>production</string>
    <key>get-task-allow</key>
    <false/>
    <key>keychain-access-groups</key>
    <array>
        <string>ABCDEFGH.*</string>
    </array>
</dict>

After using codesign I realized that the actual binary in <YourAppName>.app had some XML included as well, which said something very different than my embedded.mobileprovision file:

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>ABCDEFGH.com.myappname.tester</string>
    <key>get-task-allow</key>
    <true/>
    <key>keychain-access-groups</key>
    <array>
        <string>ABCDEFGH.com.myappname.tester</string>
    </array>
</dict>
</plist>

I assume this is the cause for the error message we are all experiencing. (Although this error can have some different roots as well, as other posts on Stack Overflow suggest.)

The executable was signed with invalid entitlements.
The entitlements specified in your application's Code Signing Entitlements
file do not match those specified in your provisioning profile. (0xE8008016).

My guess is that there is some bug in Xcode which keeps the settings in your plist from being updated in your schemes, which then causes your app to be signed with the wrong provisioning profile in the end. So by deleting the xcuserdata folder you delete all schemes. Therefore Xcode will recreate them next time with the proper settings and you are happy again.
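The comparison this answer does by eye, together with the text-editor lookup of the "Entitlements" key from the earlier answer, as an added Python example (not code from any of the posts). The function names are hypothetical, the sample bytes are constructed from the two listings above, and the matching rule (exact value, or prefix match for a trailing `*`) is a simplified assumption rather than installd's actual logic.

```python
import plistlib

def profile_entitlements(blob: bytes) -> dict:
    """Return the Entitlements dict from raw .mobileprovision bytes.

    The profile is a signed CMS container whose plist payload is stored as
    plain XML (hence readable in a text editor). The signature is NOT verified.
    """
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])["Entitlements"]

def permitted(signed, allowed) -> bool:
    """Simplified model (assumption): exact match, or prefix match for a trailing '*'."""
    if isinstance(allowed, list):
        values = signed if isinstance(signed, list) else [signed]
        return all(any(permitted(v, a) for a in allowed) for v in values)
    if isinstance(allowed, str) and isinstance(signed, str) and allowed.endswith("*"):
        return signed.startswith(allowed[:-1])
    return type(signed) is type(allowed) and signed == allowed

def compare(signed: dict, profile: dict) -> dict:
    """Report signed entitlements the profile does not allow, and profile keys the signature lacks."""
    return {
        "not_permitted": sorted(k for k, v in signed.items()
                                if k not in profile or not permitted(v, profile[k])),
        "missing_from_signature": sorted(k for k in profile if k not in signed),
    }

# Constructed sample data, modelled on the two listings in the answer above.
_HEAD = b'<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>'
_ID = b"<key>application-identifier</key><string>ABCDEFGH.com.myappname.tester</string>"
_KAG = b"<key>keychain-access-groups</key><array><string>%s</string></array>"
# Profile: a few stand-in container bytes around the XML payload.
SAMPLE_PROFILE = (b"0\x82\x1f\x00" + _HEAD + b"<key>Entitlements</key><dict>" + _ID
                  + b"<key>aps-environment</key><string>production</string>"
                  + b"<key>get-task-allow</key><false/>" + _KAG % b"ABCDEFGH.*"
                  + b"</dict></dict></plist>" + b"\x00\x01")
# Signature: the kind of plist that codesign -d --entitlements - prints.
SAMPLE_SIGNED = (_HEAD + _ID + b"<key>get-task-allow</key><true/>"
                 + _KAG % b"ABCDEFGH.com.myappname.tester" + b"</dict></plist>")

if __name__ == "__main__":
    print(compare(plistlib.loads(SAMPLE_SIGNED), profile_entitlements(SAMPLE_PROFILE)))
```

For the two listings above, the report flags `get-task-allow` as not permitted by the profile and `aps-environment` as missing from the signature.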


Essentially the answer is the same vague one everyone else says

  • Make sure you have an "Entitlements.plist" added (New File/Code Signing/Entitlements)
  • Add "get-task-allow" (Boolean Off) to Entitlements.plist
  • Add "aps-environment" "production" pair to Entitlements.plist -- This last step may be unnecessary but it was one of the steps I did just before it worked
  • Delete old mobileprovision files from iPhone/iPod (In Settings/General)
  • Delete old mobileprovision files from Xcode Organizer
  • Delete App from iPhone/iPod
  • Quit Xcode
  • Download fresh copy of Provisioning Certificate
  • Check for "aps-environment" "production" pair in certificate with a Text Editor
  • Start Xcode
  • Add fresh mobileprovision file by dragging to Xcode Dock icon
  • Make sure you have reassigned/assigned the correct certificate in the Target Info : Code Signing : Code Signing Identity
  • Double check the Build Results to see if it's using the correct profile and is signed correctly

Repeat these steps calmly until it works; it took me about five goes of various combinations. I also switched from Development to Ad-hoc, which apparently isn't necessary but did guarantee a new mobileprovision file.