codemagic-ci-cd
`use-profiles` against MacOS app has suddenly started assigning iOS Provisioning Profiles
XCode 15.1
xcode-project 0.47.3
Starting yesterday, seemingly out of nowhere, whenever I run the same MacOS build/deploy script I've been running for months it failed to upload to App Store Connect with the error
{"tool-version":"7.006.15006","tool-path":"\/Applications\/Xcode.app\/Contents\/SharedFrameworks\/ContentDeliveryServices.framework\/Versions\/A\/Frameworks\/AppStoreService.framework","os-version":"14.2.1","product-errors":[{"message":"Asset validation failed","userInfo":{"NSUnderlyingError":"Error Domain=IrisAPI Code=-19241 \"Asset validation failed\" UserInfo={status=409, detail=Invalid Provisioning Profile. The provisioning profile included in the bundle {BUNDLE_NAME} [{BUNDLE_NAME}.pkg\/Payload\/{APP_NAME}.app] is invalid. [Invalid 'com.apple.developer.aps-environment' entitlement value.] For more information, visit the macOS Developer Portal., id=f89e2586-81b4-4cc4-8c3f-8fa9414c0c48, code=STATE_ERROR.VALIDATION_ERROR.90283, title=Asset validation failed, NSLocalizedFailureReason=Invalid Provisioning Profile. The provisioning profile included in the bundle {BUNDLE_NAME} [{BUNDLE_NAME}.pkg\/Payload\/{APP_NAME}.app] is invalid. [Invalid 'com.apple.developer.aps-environment' entitlement value.] For more information, visit the macOS Developer Portal., NSLocalizedDescription=Asset validation failed}","NSLocalizedDescription":"Asset validation failed","iris-code":"STATE_ERROR.VALIDATION_ERROR.90283","NSLocalizedFailureReason":"Invalid Provisioning Profile. The provisioning profile included in the bundle {BUNDLE_NAME} [{BUNDLE_NAME}.pkg\/Payload\/{APP_NAME}.app] is invalid. [Invalid 'com.apple.developer.aps-environment' entitlement value.] For more information, visit the macOS Developer Portal. (ID: f89e2586-81b4-4cc4-8c3f-8fa9414c0c48)"},"code":90283}]}
If I scroll up in the build process, I can see it is choosing an iOS App Store profile:
Completed configuring code signing settings
- Using profile "iOS Team Store Provisioning Profile: {BUNDLE_NAME}" [{PROFILE_ID}] for target "Runner" [Debug] from project "Runner"
- Using profile "iOS Team Store Provisioning Profile: {BUNDLE_NAME}" [{PROFILE_ID}] for target "Runner" [Profile] from project "Runner"
- Using profile "iOS Team Store Provisioning Profile: {BUNDLE_NAME}" [{PROFILE_ID}] for target "Runner" [Release] from project "Runner"
Generated options for exporting the project
- Method: app-store
- Provisioning Profiles:
- {BUNDLE_NAME}: iOS Team Store Provisioning Profile: {BUNDLE_NAME}
- Signing Certificate: Apple Distribution
- Signing Style: automatic
- Team Id: {TEAM_ID}
Thankfully, I left my terminal open from the last release, so I can confirm that in the previous build (on January 2), it assigned my expected profiles
Completed configuring code signing settings
- Using profile "{APP_NAME} mac_app_store 1699921897" [{PROFILE_ID}] for target "Runner" [Debug] from project "Runner"
- Using profile "{APP_NAME} mac_app_store 1699921897" [{PROFILE_ID}] for target "Runner" [Profile] from project "Runner"
- Using profile "{APP_NAME} mac_app_store 1699921897" [{PROFILE_ID}] for target "Runner" [Release] from project "Runner"
Generated options for exporting the project
- Method: ad-hoc
- Provisioning Profiles:
- {BUNDLE_NAME}: {APP_NAME} mac_app_store 1699921897
- Signing Certificate: 3rd Party Mac Developer Application
- Signing Style: manual
- Team Id: {TEAM_ID}
Why would it suddenly be choosing the wrong details when building the MacOS app?
My build script is below:
export APP_STORE_CONNECT_ISSUER_ID=
export APP_STORE_CONNECT_KEY_IDENTIFIER=
export APP_STORE_CONNECT_PRIVATE_KEY=
app-store-connect fetch-signing-files {BUNDLE_ID} \
--platform MAC_OS \
--type MAC_APP_STORE \
--certificate-key=@file:$HOME/.appstoreconnect/private_keys/mac_app_key \
--create
app-store-connect list-certificates \
--type MAC_INSTALLER_DISTRIBUTION \
--certificate-key=@file:$HOME/.appstoreconnect/private_keys/mac_app_installer_key \
--save
keychain initialize
keychain add-certificates
xcode-project use-profiles --project macos/*.xcodeproj
flutter packages pub get
find . -name "Podfile" -execdir pod install \;
flutter build macos --release
APP_NAME=$(find $(pwd)/build/macos/Build/Products/Release -name "*.app")
PACKAGE_NAME=$(basename "$APP_NAME" .app).pkg
xcrun productbuild --component "$APP_NAME" /Applications/ unsigned.pkg
INSTALLER_CERT_NAME=$(keychain list-certificates \
| jq '[.[]
| select(.common_name
| contains("Mac Developer Installer"))
| .common_name][0]' \
| xargs)
xcrun productsign --sign "$INSTALLER_CERT_NAME" unsigned.pkg "$PACKAGE_NAME"
rm -f unsigned.pkg
app-store-connect publish \
--path "$PACKAGE_NAME"
keychain use-login```
Using --archive-method ad-hoc on xcode-project use-profiles seems to be a usable workaround, but I'm very confused as to why I have not needed this up until now.
@mlb5000, could it be that you are running your build script on a machine that has some other provisioning profiles already in ~/Library/MobileDevice/Provisioning Profiles before app-store-connect fetch-signing-files {BUNDLE_ID} [...] completes?
It looks like there are more profiles for xcode-project use-profiles to choose from than just those macOS ones which were obtained by app-store-connect fetch-signing-files.