IPA created via Xcode bot fails to run for APNS but runs if built manually via Xcode itself or built as an archive by Xcode

Question

I have a CI build machine running Xcode server and using a bot to generate a build, however the .ipa built via the bot is not being entitled to register for the APNS token.

Specifically, didFailToRegisterForRemoteNotificationsWithError gets called and there is a runtime warning of ""No valid 'aps-environment' entitlement string found for application".

However if I build the app on a separte development PC, or I build it actually on the CI machine independently of the bot then everything is fine.

I've used push notifications extensively in several apps so know that the message "No valid 'aps-environment' entitlement string found for application" always appears if the app has not been signed with the correct profiles. However I have absolutely 100% confirmed that the app is being built with the same profiles when running as part of the bot build to when I build it manually.

I also know that Xcode downloads provisioning profiles to different locations when running under the bot to when running for a user, and I also know that the bot runs as system and not the logged in user when I build manually. I have taken all these differences into consideration but am still unable to get the bot build to work.

What's more I have used this exact same CI machine to previously build this app using Jenkins (which also ran as system) enabled for push and it worked!

These is what I have done/checked:

1) Download the project manually to the desktop, open in Xcode and examine the signing identity and provisioning profiles being sued in the build settings. Build and run it manually using Xcode -> it works Download the project indirectly via the bot as part of its integration run. Open the project downloaded by the Bot in Xcode (the Xcode server downloads it to: /Library/Server/Xcode/Data/BotRuns//Cache/NNNN). Do the same thing, check the signing identity and provisioning profiles. THEY ARE IDENTICAL to those used when I build on the desktop

OK so the problem is not due to a difference in the actual signing identity and provisioning profiles being used.

2) When you run Xcode manually it downloads the provisioning profiles to location X, but the Bot downloads the provisioning profiles to location Y. So I have examined the contents of X and Y to make sure there is nothing missing from Y (if there was the build would actually fail however, which it doesn't).

To make absolutely sure they are identical I have copied the entire contents of X into Y and run the bot again (they don't get overriden by the bot) - So now the bot and the desktop builds are using the exact same copies of the profiles yet still there is a difference when the .ipa executes.

Incidentally the location of X is ~/Library/MobileDevice/Provisioning Profiles and that of Y is / Library/Server/Xcode/Data/ProvisioningProfiles.

3) When I build manually it is as the logged in user, but when the bot build it is as the system. So within the keychain I have tried copying all the certificates and keys from the user's keychain into the system keychain. Yes still it makes no difference, the .ipa created by the build bot fails to run properly while the build created manually via Xcode does run.

This is driving me mad and has wasted days already, what else could I have missed or could try to resolve this?

Any suggestions or ideas?

Answer 1

I have found the exact cause, as to the reason behind the cause I don't know, thus I'm marking mine as the accepted answer as it is at least a workaround to anybody who encounters the same problem. I'm tempted to think the reason is due to a bug in the bot system which is mistakenly expecting there to be an entitlements file.

I've discovered that the reason the bot build fails is because the bot is not placing the aps-environment entitlement into the .app file even though that entitlement is within the embedded.mobileprovision. But XCode does insert it into the .app file if built manually or an archive is built.

Also I've found that I can force the bot to put the necessary entitlement and associated information into the .app file if I use an Entitlements.plist.

But this is using Xcode 5 - entitlement.plist files are a thing of the past, so it should not be necessary to use one just to force the bot to place the entitlement into the .app, hence why I suspect it might be a bot bug.