
No beta-reports-active attribute for ad-hoc prov. profiles. Best strategy to manage multiple

Tags: xcode, ios, jenkins

Our iOS ad-hoc builds distributed through TestFlight stopped being installable very recently.

We're getting the 'Unable to download' issue (http://help.testflightapp.com/customer/portal/articles/829652-received-an-unable-to-download-application-message-what-does-this-mean-).

The error in the Xcode logs is:

    Dec 8 15:50:09 ipad3 installd[34] : entitlement 'beta-reports-active' has value not permitted by provisioning profile 'TestFlight WWTK ALL Projects'

We have identified the root cause (a mismatch between the prov. profile and the entitlements) but are unsure how to proceed. Here are the details:

  1. Our developer portal contains multiple distribution provisioning profiles, but in particular one ad-hoc one and one distribution one managed by Xcode.

  2. The ad-hoc provisioning profile, even if force-generated through http://developer.apple.com, never gets the beta-reports-active attribute. We suspect that's normal but haven't found a confirmation. The Xcode-managed iOS distribution one gets the attribute set to true.

  3. Our build process uses the iOS distribution profile to build. As part of this step, Xcode automatically generates an entitlement file that matches the first distribution profile. Thus the bundled entitlement file contains the beta-reports-active attribute:

    builtin-productPackagingUtility /Applications/Xcode5.1.1.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS7.1.sdk/Entitlements.plist -entitlements -format xml -o /Users/Shared/Jenkins/Home/jobs/game_addtetris-master_iOS/workspace/target/addtetris_ios/build/Unity-iPhone.build/Release-iphoneos/Unity-iPhone.build/addtetris.xcent
    
  4. our build re-signs the resulting ipa using our ad-hoc certificate and uploads the resulting IPA into testflight

    /usr/bin/xcrun -sdk iphoneos PackageApplication -v /Users/Shared/Jenkins/Home/jobs/game_addtetris-master_iOS/workspace/target/addtetris_ios/build/Unity-iPhone.build/addtetris.app -o /Users/Shared/Jenkins/Home/jobs/game_addtetris-master_iOS/workspace/target/addtetris_ios/build/Unity-iPhone.build/addtetris-Release-addtetris_1.x_253.ipa --embed /Users/Shared/Jenkins/Home/local/embedded.mobileprovision --sign "iPhone Distribution: WeWantToKnow AS"
    

So we now have a conflicting pair of prov. profile and entitlements. One with beta-reports-active, one without.

We should be able to work-around the problem by adding the following post-build script somewhere (we've validated that it creates the proper IPA)

    # Remove the entitlement the ad-hoc profile does not grant, then re-package and re-sign
    /usr/libexec/PlistBuddy -c "Delete :beta-reports-active" "${TARGET_TEMP_DIR}/${PRODUCT_NAME}.app.xcent"
    ipa=$(ls "${BUILT_PRODUCTS_DIR}"/*.ipa)
    /usr/bin/xcrun -sdk iphoneos PackageApplication -v "${CODESIGNING_FOLDER_PATH}" -o "${ipa}" --embed "${EMBEDDED_MOBILEPROVISION}" --sign "${CODE_SIGN_IDENTITY}"

which is very similar in some way to Forcing code signing refresh in Xcode

This requires changing our tool chain a bit (e.g. the jenkins xcode plugin)

But we would be happy to understand the underlying issue a bit better and see if there's a better solution. In particular:

  • should the ad-hoc prov. profile generated by developer.apple.com contain the new beta-reports-active ?

  • has the process for generating ad-hoc packages changed ? https://developer.apple.com/library/ios/documentation/IDEs/Conceptual/AppDistributionGuide/TestingYouriOSApp/TestingYouriOSApp.html#//apple_ref/doc/uid/TP40012582-CH8-SW17 states

If necessary, Xcode creates a distribution certificate and an ad hoc provisioning profile for you. The name of the ad hoc provisioning profile begins with the text XC:.

Yet those AdHoc prov. profiles do not contain UDIDs anymore so they look fishy.

  • was our workflow too brittle to start with ? E.g. should we have been signing using our ad-hoc right from the start instead ?

  • any better idea ?

Likes: 381
coffeebreaks asked Dec 08 '14 18:12
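A pre-upload check for the mismatch described in the question, as an added example that is not part of the original post: it compares the entitlements an app was signed with against those its embedded provisioning profile grants. The function names, the sample identifiers and the matching rules (an absent key counts as a mismatch, a trailing `*` is a wildcard) are assumptions of this example, and the profile's CMS signature is not verified.

```python
import plistlib

def profile_entitlements(mobileprovision: bytes) -> dict:
    """Return the Entitlements dict of a .mobileprovision blob.
    The file is a CMS-signed container whose XML plist payload is stored in
    the clear, so slicing '<?xml' .. '</plist>' recovers it (no signature check).
    """
    start = mobileprovision.find(b"<?xml")
    end = mobileprovision.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found in profile")
    payload = plistlib.loads(mobileprovision[start:end + len(b"</plist>")])
    return payload.get("Entitlements", {})

def permitted(allowed, requested) -> bool:
    """Assumed matching rules: trailing '*' wildcard, list membership, else equality."""
    if isinstance(allowed, str) and isinstance(requested, str) and allowed.endswith("*"):
        return requested.startswith(allowed[:-1])
    if isinstance(allowed, list):
        wanted = requested if isinstance(requested, list) else [requested]
        return all(any(permitted(a, w) for a in allowed) for w in wanted)
    return type(allowed) is type(requested) and allowed == requested

def mismatches(xcent: bytes, mobileprovision: bytes) -> list:
    """List every signed entitlement the profile does not grant."""
    granted = profile_entitlements(mobileprovision)
    problems = []
    for key, value in sorted(plistlib.loads(xcent).items()):
        if key not in granted:
            problems.append(f"{key}: not present in provisioning profile")
        elif not permitted(granted[key], value):
            problems.append(f"{key}: {value!r} not permitted, profile allows {granted[key]!r}")
    return problems

# Constructed sample data: team ID, bundle ID and profile bytes are made up.
SAMPLE_XCENT = plistlib.dumps({
    "application-identifier": "ABCDE12345.com.example.game",
    "beta-reports-active": True,   # present because the build used the distribution profile
    "get-task-allow": False,
    "keychain-access-groups": ["ABCDE12345.com.example.game"],
})
SAMPLE_PROFILE = b"0\x82\x0b\x1a" + plistlib.dumps({"Entitlements": {
    "application-identifier": "ABCDE12345.*",
    "get-task-allow": False,
    "keychain-access-groups": ["ABCDE12345.*"],
}}) + b"\x00\x00"                  # stand-in for the surrounding CMS bytes

if __name__ == "__main__":
    print("\n".join(mismatches(SAMPLE_XCENT, SAMPLE_PROFILE)) or "entitlements match profile")
```

Run against a real build, the inputs would be the `.xcent` file and the `embedded.mobileprovision` passed to `--embed`; a non-empty result is a reason to fail the job before upload.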


2 Answers

I got answers to most of my questions:

  • Yes, ad-hoc provisioning profiles will not contain the beta-reports-active attribute. Confirmed by TestFlight support.

  • I've migrated our Jenkins Xcode plugin to use exported developerProfiles and, combined with the way Xcode manages the profiles, it helps signing the IPA properly without having to re-sign it. It's much more consistent and secure to set up a server that way anyway.

  • as for how xcode manages profiles, I still don't have a full understanding of the xcode preferences sync with developer.apple.com feature. It somewhat looks incomplete even after forcing refresh/sync of the client data. Missing ad-hoc prov. profile, etc. To investigate further.

Hope that helps someone.

Likes: 65
coffeebreaks answered Oct 17 '22 15:10


I got the same problem while uploading to TestFlight.

Rather than saving for Ad Hoc Development, I save for iOS App Store Development, where it uses a production provisioning profile, not an ad hoc provisioning profile.

Even if it moves to the uploading step through the App Store, I think it is the only way to upload the binary wrapped entitlement 'beta-reports-active'.

Likes: 1
Jong Su Park answered Oct 17 '22 15:10