On our CI (GitHub Actions) we are signing our .ipa with codesign and after that upload the resulting .ipa with altool to TestFlight.
The problem is that the entitlements added by codesign no longer appear when we view the build on TestFlight.
The app requires entitlements for push notification and for associated domains.
codesign -s Distribution prod.entitlements prod.ipa
Immediately after we do a
codesign --verbose --display --entitlements -
and the entitlements show fine.
Next command is
xcrun altool --upload-app --type ios -f prod.ipa --apiKey $api_key_id --apiIssuer $appstore_api_key_issuer
To us it seems like altool strips the entitlements from the .ipa.
What are we doing wrong?
You’ve misunderstood how signing for distribution works. A .ipa file is basically a zip archive. Signing that makes no sense. Rather, you have to sign the binary within the zip archive.
The process I recommend is to create an Xcode archive and then export distribution stuff from that. To learn more about this, see Creating distribution-signed code for macOS. While that’s focused on the Mac, the same basic process works for iOS.
If you follow this process then you never need to re-sign a .ipa. That’s good, because doing that is a pain. You have to unpack the .ipa, re-sign the app within that, and then repack the .ipa. DTS doesn’t support this process. Indeed, we don’t support re-signing iOS apps at all. That’s why the above article is focused on the Mac. So, it’s best to avoid this tarpit by staying on the Xcode archive path.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
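The reply's point that the signature belongs to the app inside the zip archive, not to the .ipa itself, can be turned into a CI check before upload. This is an added example, not code from the thread: the function names and the sample archive are constructed, and it assumes the usual `Payload/<name>.app/` layout with `_CodeSignature/CodeResources` and `embedded.mobileprovision` inside the bundle.

```python
import io
import plistlib
import re
import zipfile

APP_DIR = re.compile(r"^Payload/([^/]+\.app)/")

def inspect_ipa(ipa_bytes):
    """Summarise the app bundle inside an .ipa, which is a plain zip archive."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as zf:
        names = zf.namelist()
        apps = sorted({m.group(1) for n in names if (m := APP_DIR.match(n))})
        if len(apps) != 1:
            raise ValueError(f"expected exactly one Payload/*.app, found {apps}")
        root = f"Payload/{apps[0]}/"
        report = {
            "app": apps[0],
            # Presence only: this does not prove the signature is valid.
            "has_code_signature": root + "_CodeSignature/CodeResources" in names,
            "profile_entitlements": None,
        }
        profile = root + "embedded.mobileprovision"
        if profile in names:
            report["profile_entitlements"] = profile_entitlements(zf.read(profile))
        return report

def profile_entitlements(blob):
    """Read the Entitlements dict from a provisioning profile.
    The profile is a CMS envelope around an XML plist; slicing the plist
    out like this reads it but does NOT verify the CMS signature."""
    start, end = blob.find(b"<?xml"), blob.rfind(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no plist payload found in profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")]).get("Entitlements", {})

def build_sample_ipa(signed=True):
    """Constructed sample: a minimal zip shaped like an .ipa, not a real app."""
    ents = {"aps-environment": "production",
            "com.apple.developer.associated-domains": ["applinks:example.com"]}
    profile = b"\x30\x82CMS" + plistlib.dumps({"Entitlements": ents}) + b"\x00sig"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payload/Prod.app/Prod", b"\xcf\xfa\xed\xfe")
        if signed:
            zf.writestr("Payload/Prod.app/_CodeSignature/CodeResources", plistlib.dumps({"files": {}}))
            zf.writestr("Payload/Prod.app/embedded.mobileprovision", profile)
    return buf.getvalue()

if __name__ == "__main__":
    print(inspect_ipa(build_sample_ipa()))
```

The profile's entitlements are what the profile permits, not what was signed into the binary; on a Mac, running the thread's `codesign --display --entitlements -` against the unpacked .app shows the signed set.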