Bug 57119 - Code signing no longer expands wildcards (*) in distribution provisioning profiles
Status: RESOLVED FIXED
Alias: None
Product: iOS
Classification: Xamarin
Component: MSBuild
Version: XI 10.10 (d15-2)
Hardware: Macintosh Mac OS
: --- normal
Target Milestone: Untriaged
Assignee: Bugzilla
 
Reported: 2017-06-02 20:24 UTC by Sean Fisher
Modified: 2017-06-09 14:43 UTC

Attachments
Entitlements.xcent after updating Xamarin (379 bytes, application/xml)
2017-06-07 16:03 UTC, Sean Fisher
mobileprovision profile (7.31 KB, application/x-apple-aspen-mobileprovision)
2017-06-07 16:03 UTC, Sean Fisher


Description Sean Fisher 2017-06-02 20:24:07 UTC
After updating from Xamarin Studio 6.1.5 -> 6.3 (and the included Xamarin iOS version) on Mac, our distribution provisioning profile, which includes a wildcard, is no longer expanding into the proper bundle identifier in the app signature during code signing, causing an installation failure on in-house upgrading over the top of a previous version of an app (without deleting/reinstalling - deleting and reinstalling the app fixes the installation issue) onto an iPad.

From Apple's documentation:

https://developer.apple.com/library/content/technotes/tn2415/_index.html#//apple_ref/doc/uid/DTS40016427-CH1-ENTITLEMENTSFILE

> It is expected to see asterisks in the profile and not in the app's signature. Therefore, not all entitlement values in the provisioning profile will textually match those on an app signed with that profile in this regard. For the purpose of creating the entitlements that are written into the app's signature during a build, Xcode replaces all asterisk portions of entitlements found in the profile such as application-identifier, iCloud, keychain-access-groups, and others, to be fully qualified based on the values defined in the target's code signing entitlements file.

## Before the Xamarin iOS update:

Provisioning profile excerpt:

$ security cms -D -i /path/to/bundle.app/embedded.mobileprovision

[...]
<key>application-identifier</key>
<string>TEAMIDENTIFIER.com.company.*</string>
[...]

App signature excerpt:

$ codesign -d --ent :- /path/to/bundle.app

[...]
<key>application-identifier</key>
<string>TEAMIDENTIFIER.com.company.myapp.qa</string>
[...]

## After the Xamarin iOS update:

Provisioning profile excerpt (same content as above):

$ security cms -D -i /path/to/bundle.app/embedded.mobileprovision

[...]
<key>application-identifier</key>
<string>TEAMIDENTIFIER.com.company.*</string>
[...]

App signature excerpt (different than above):

$ codesign -d --ent :- /path/to/bundle.app

[...]
<key>application-identifier</key>
<string>TEAMIDENTIFIER.com.company.*</string>
[...]


## Current version info:
Xamarin Studio Community
Version 6.3 (build 864)
Installation UUID: b5c9907e-ae50-4247-b3e1-aa60f1afaf2c
Runtime:
	Mono 5.0.1.1 (2017-02/5077205) (64-bit)
	GTK+ 2.24.23 (Raleigh theme)

	Package version: 500010001

NuGet
Version: 3.5.0.0

Xamarin.Profiler
'/Applications/Xamarin Profiler.app' not found

Xamarin Inspector
Not Installed

Xamarin.Android
Version: 7.3.1.2 (Xamarin Studio Community)
Android SDK: /Users/me/Library/Developer/Xamarin/android-sdk-macosx
	Supported Android versions:
		4.0.3 (API level 15)
		4.4   (API level 19)
		6.0   (API level 23)

SDK Tools Version: 24.4.1
SDK Platform Tools Version: 23.0.1
SDK Build Tools Version: 23.0.1

Java SDK: /usr
java version "1.7.0_71"
Java(TM) SE Runtime Environment (build 1.7.0_71-b14)
Java HotSpot(TM) 64-Bit Server VM (build 24.71-b01, mixed mode)

Android Designer EPL code available here:
https://github.com/xamarin/AndroidDesigner.EPL

Apple Developer Tools
Xcode 8.2.1 (11766.1)
Build 8C1002

Xamarin.Mac
Version: 3.4.0.36 (Xamarin Studio Community)

Xamarin.iOS
Version: 10.10.0.36 (Xamarin Studio Community)
Hash: d2270eec
Branch: d15-2
Build date: 2017-05-22 16:30:53-0400

Build Information
Release ID: 603000864
Git revision: 6c2f6737278ccc3e81e12276d49c0d92f975f189
Build date: 2017-04-24 11:26:01-04
Xamarin addins: d8d46e577d8507c35260ce9d73df3c33415bb214
Build lane: monodevelop-lion-d15-1

Operating System
Mac OS X 10.11.6
Darwin Mac-mini.local 15.6.0 Darwin Kernel Version 15.6.0
    Thu Jun 23 18:25:34 PDT 2016
    root:xnu-3248.60.10~1/RELEASE_X86_64 x86_64
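
The before/after difference described in the report above can be caught in a build pipeline before the app reaches a device. The following is an added example, not code from the reporter, Xamarin or Apple: it audits signed entitlements against the profile's entitlements, and the names `audit`, `covers` and the sample plists are hypothetical, built from the placeholder values in the excerpts. It assumes the inputs are the profile's entitlements dictionary and the plist printed by `codesign -d --ent :-`.

```python
import plistlib

WILDCARD_KEYS = ("application-identifier", "keychain-access-groups")

def _plist(app_id):
    """Build a minimal entitlements plist (constructed sample, not a real profile)."""
    return ('<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>'
            "<key>application-identifier</key><string>%s</string>"
            "</dict></plist>" % app_id).encode()

# Constructed samples using the placeholder values from the report's excerpts.
PROFILE = _plist("TEAMIDENTIFIER.com.company.*")
SIGNED_BEFORE = _plist("TEAMIDENTIFIER.com.company.myapp.qa")
SIGNED_AFTER = _plist("TEAMIDENTIFIER.com.company.*")

def _values(entitlements, key):
    """Return an entitlement as a list, whether stored as a string or an array."""
    value = entitlements.get(key, [])
    return [value] if isinstance(value, str) else list(value)

def covers(pattern, value):
    """True if a profile value, optionally ending in '*', permits a signed value."""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value

def audit(profile_xml, signed_xml, bundle_id):
    """List the ways the signed entitlements disagree with profile and bundle id."""
    profile = plistlib.loads(profile_xml)
    signed = plistlib.loads(signed_xml)
    problems = []
    for key in WILDCARD_KEYS:
        allowed = _values(profile, key)
        for value in _values(signed, key):
            if "*" in value:
                # A prefix match alone would accept this, so test it first.
                problems.append(f"{key}: unexpanded wildcard in signature: {value}")
            elif not any(covers(p, value) for p in allowed):
                problems.append(f"{key}: {value} is not covered by the profile")
    app_ids = _values(signed, "application-identifier")
    if not app_ids:
        problems.append("application-identifier: missing from signature")
    for app_id in app_ids:
        # Strip the team prefix; the remainder must be the exact bundle id.
        if "*" not in app_id and app_id.split(".", 1)[-1] != bundle_id:
            problems.append(f"application-identifier: {app_id} does not match {bundle_id}")
    return problems

if __name__ == "__main__":
    for name, signed in (("before", SIGNED_BEFORE), ("after", SIGNED_AFTER)):
        print(name, audit(PROFILE, signed, "com.company.myapp.qa") or "OK")
```
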
Comment 1 Manuel de la Peña [MSFT] 2017-06-05 09:18:24 UTC
Hello,

Can you please try the same with Visual Studio for Mac or provide a sample project to confirm the issue? I'll create a profile with a wildcard to confirm the issue.
Comment 2 Sean Fisher 2017-06-05 17:28:38 UTC
I tried with Visual Studio for Mac and received the same error. 

I'll upload a sample project. Steps to repro with the sample project:

1. Start with the “old” environment listed below (Xamarin Studio 6.1.5/Xamarin iOS 10.3.1.8)
2. Change the bundle identifier in the Info.plist to anything of your choosing - I'll use the example io.seafish.bug-57119-repro, but you can adapt the following steps to whatever you create.
3. Create a distribution certificate in the Apple Developer portal if you don't already have one
4. Create a wildcard App ID in the Apple Developer portal of `io.seafish.*` (or whatever you changed the bundle id to)
5. Create an Ad-Hoc Distribution provisioning profile in the Apple Developer portal that points to the wildcard App ID
6. Install the provisioning profile/certificate on your Mac
7. Edit the Bug57119Repro project's iOS Bundle Signing Options for Debug|iPhone to point to the specific distribution signing identity and wildcard provisioning profile
8. Build and run the app on an attached iPad - should succeed
9. Run the command line code sign tool to examine the signed provisioning profile’s application-identifier: codesign -d --ent :- /path/to/Bug57119Repro/iOS/bin/iPhone/Debug/Bug57119Repro.iOS.app/Bug57119Repro.iOS
10. Update to the latest Xamarin Studio (6.3) and Xamarin iOS (10.10.0.36)
11. Build and attempt to run on the device - installation will fail.
12. Run the command line code sign tool to examine the signed provisioning profile’s application-identifier: codesign -d --ent :- /path/to/Bug57119Repro/iOS/bin/iPhone/Debug/Bug57119Repro.iOS.app/Bug57119Repro.iOS
13. Notice the two signed signature application-identifiers are different before and after the upgrade.


Old environment version

Xamarin Studio Community
Version 6.1.5 (build 0)
Installation UUID: d716f8c6-8441-424a-9157-d9a38dda91af
Runtime:
	Mono 4.6.2 (mono-4.6.0-branch/ac9e222) (64-bit)
	GTK+ 2.24.23 (Raleigh theme)

	Package version: 406020016

NuGet
Version: 3.4.3.0

Xamarin.Profiler
Not Installed

Apple Developer Tools
Xcode 8.2.1 (11766.1)
Build 8C1002

Xamarin.Android
Not Installed

Xamarin Android Player
Not Installed

Xamarin.Mac
Not Installed

Xamarin.iOS
Version: 10.3.1.8 (Xamarin Studio Community)
Hash: 7beaef4
Branch: cycle8-xi
Build date: 2016-12-20 02:58:14-0500

Build Information
Release ID: 601050000
Git revision: 7494718e127af9eaec45a3bd6282d3da927488bd
Build date: 2017-01-17 10:31:01-05
Xamarin addins: c92d0626d347aaa02839689eaac2961d24c9f446
Build lane: monodevelop-lion-cycle8

Operating System
Mac OS X 10.12.4
Darwin DrPepper.local 16.5.0 Darwin Kernel Version 16.5.0
    Fri Mar  3 16:52:33 PST 2017
    root:xnu-3789.51.2~3/RELEASE_X86_64 x86_64
Comment 3 Sean Fisher 2017-06-05 17:45:15 UTC
I can't figure out the attachment thing, it won't let me paste in a link. Here's the sample project.

https://www.dropbox.com/s/tzw52kgbkpb9h4m/Bug57119Repro.zip?dl=0
Comment 4 Manuel de la Peña [MSFT] 2017-06-07 09:56:46 UTC
Confirming and moving to msbuild since AFAIK it should be the correct project to deal with it.
Comment 5 Jeffrey Stedfast 2017-06-07 15:13:56 UTC
Can you attach your Entitlements.xcent file (should be in the obj directory)?
Comment 6 Jeffrey Stedfast 2017-06-07 15:14:50 UTC
Can you also attach the *.mobileprovision file that is being used?
Comment 7 Jeffrey Stedfast 2017-06-07 15:15:44 UTC
I suspect the problem is not a change in the MSBuild logic, but rather a new key or something in the provisioning profiles.
Comment 8 Jeffrey Stedfast 2017-06-07 15:26:09 UTC
never mind, I found the culprit:

commit c76fd77ac08ce1a48d2f6c1732b26d46e2fabd35
Comment 9 Jeffrey Stedfast 2017-06-07 15:39:40 UTC
PR: https://github.com/xamarin/xamarin-macios/pull/2182
Comment 10 Sean Fisher 2017-06-07 16:03:16 UTC
Created attachment 22752 [details]
Entitlements.xcent after updating Xamarin
Comment 11 Sean Fisher 2017-06-07 16:03:52 UTC
Created attachment 22753 [details]
mobileprovision profile
Comment 12 Sean Fisher 2017-06-07 16:06:47 UTC
Ah, sorry, didn't see your latest comments while prepping the attachments. Thanks for the quick investigation.
Comment 13 Jeffrey Stedfast 2017-06-09 14:43:24 UTC
this got merged into 15.3 and master