I've added my Vendor ID to the appropriate entitlement files but my binary fails validation when trying to upload it to the store for distribution. The embedded.mobileprovision file in the generated archive shows an asterisk instead of my approved Vendor ID. How can I make sure the embedded provisioning file has my Vendor ID?
Hi,
First off, a bit of background:
- The "*" value is used as a wildcard value, meaning "match anything" (in this case, any vendor ID). Note this does NOT mean that your driver will actually load/match against "any" device. DriverKit code signing restricts what your DEXT is eligible to match with, but the IOKit matching system is what controls what you'll ACTUALLY match with.
- The "wildcard" entitlements are how the "DriverKit < > (Development)" variants are able to match against "any" device, however, they're also what's causing this problem:
> my binary fails validation when trying to upload it to the store for distribution
Unfortunately, Xcode 15 has some issues with DriverKit signing (r.124720643). It doesn't understand the difference between the development entitlements and the production entitlements, so it ends up using the Development variant "everywhere". That then breaks when you try to export builds.
Here is what I recommend:
- For development purposes, use automatic code signing. That works fine right now and it isn't worth the trouble of trying to "fix" it.
- As part of these issues, Xcode may replace the specific entitlement value you define with the "*" value. This should only happen if you change your signing configuration, but be aware of the issue and that you may need to reset the value.
- When you export an archived build from the Organizer, choose "Custom..." as the initial export type, then "Manually Manage Signing" (later in the configuration sequence).
- You'll then specify the specific provisioning profile for each executable, which you'll generate using the developer portal. This article "Create a development provisioning profile" has an overview of that process.
Hopefully that's enough to sort this out for you but if you still need help or run into anything unexpected, I'd recommend opening a DTS tech support incident.
Kevin Elliott
DTS Engineer, CoreOS/Hardware
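
A pre-upload check for the symptom discussed in this thread, as an added example that is not part of the original posts or Apple's tooling: it reads the plist payload out of an embedded provisioning profile and lists every entitlement value that is exactly "*". It assumes the plist sits in cleartext inside the profile's CMS wrapper; the entitlement key `com.apple.developer.driverkit.transport.usb` with `idVendor` and all sample values are constructed for the demonstration and do not appear in the thread.

```python
import plistlib

def extract_profile_plist(blob: bytes) -> dict:
    """Pull the XML plist payload out of a provisioning profile's CMS wrapper."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no XML plist payload found in profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def wildcard_entitlements(profile: dict) -> list:
    """Return the paths of entitlement values that are exactly "*"."""
    hits = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}/{key}")
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, f"{path}[{index}]")
        elif node == "*":  # exact match only; "TEAMID.*" style values are not flagged
            hits.append(path)

    walk(profile.get("Entitlements", {}), "Entitlements")
    return hits

def _sample(id_vendor) -> bytes:
    # Constructed stand-in for embedded.mobileprovision: an XML plist with
    # filler bytes before and after it in place of the real CMS wrapper.
    body = plistlib.dumps({
        "Name": "Constructed sample profile",
        "Entitlements": {
            "com.apple.developer.driverkit": True,
            # Assumed key and shape, not taken from the thread.
            "com.apple.developer.driverkit.transport.usb": [{"idVendor": id_vendor}],
            "keychain-access-groups": ["TEAMID0000.*"],
        },
    })
    return b"\x30\x82\x00\x00" + body + b"\x00\xa0\x82"

DEV_PROFILE = _sample("*")     # wildcard vendor ID, as in the failing upload
DIST_PROFILE = _sample(1234)   # constructed specific vendor ID

if __name__ == "__main__":
    for name, blob in (("development", DEV_PROFILE), ("distribution", DIST_PROFILE)):
        print(name, wildcard_entitlements(extract_profile_plist(blob)))
```

To check a real export, pass the bytes of the archive's embedded provisioning file to `extract_profile_plist` and fail the build step if `wildcard_entitlements` returns anything.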