Diagnosing Issues with Entitlements

Reference link

[Diagnosing Issues with Entitlements](developer.apple.com/documentati…)

What the entitlements file does

  1. It grants an executable permission to use a service or technology.

  2. The code signature stores the executable's entitlements.

Key-value pairs that grant an executable permission to use a service or technology.

Check Your Provisioning Profile

You can inspect the entitlements associated with your provisioning profile inside of Xcode by clicking the info button (a small, gray disk with a lowercase “i” in the center) next to the Provisioning Profile field in the Signing editor, in your developer account online, or by downloading your provisioning profile and viewing its contents using a command-line tool in the Terminal.

Every App ID listed in your developer account can have a number of capabilities associated with it and some of those capabilities are paired with entitlements. Compare the capabilities listed for your App ID with the capabilities selected in your app’s Signing & Capabilities tab and the entitlements appearing in your app’s entitlements file or files.

Provisioning profiles have entitlements associated with them. You can download any of your provisioning profiles from your developer account and inspect its entitlements by running a command-line tool. For example, if you downloaded a provisioning profile named iOSTeamProfile.mobileprovision, you’d use the following command to get a list of the entitlements for a provisioning profile:

% security cms -D -i iOSTeamProfile.mobileprovision | 
xmllint --xpath "/plist/dict/key[text()='Entitlements']/following-sibling::dict[position()=1]" -

When you run this command, the security tool returns a plist file that describes the entire contents of the provisioning profile and the xmllint command runs an xpath query to pull out the dictionary that lists the entitlements. In that list you will see all the entitlements specifically encoded in your provisioning profile. For example, here is a sample of output from the command:

<dict>
    <key>application-identifier</key>
    <string>Z3P45X123C.*</string>

    <key>keychain-access-groups</key>
    <array>
        <string>Z3P45X123C.*</string>
    </array>

    <key>get-task-allow</key>
    <true/>

    <key>com.apple.developer.sample</key>
    <string>Z3P45X123C</string>
</dict>

The cms subcommand of security

   cms [-C|-D|-E|-S] [options...] Encode or decode CMS messages.
     -C              create a CMS encrypted message
     -D              decode a CMS message
     -E              create a CMS enveloped message
     -S              create a CMS signed message

            Decoding options:
            -c content      use this detached content file
            -h level        generate email headers with info about CMS message (output level >= 0)
            -n              suppress output of content

            Encoding options:
            -r id,...       create envelope for comma-delimited list of recipients, where id can be a certificate nickname or email address
            -G              include a signing time attribute
            -H hash         hash = MD2|MD4|MD5|SHA1|SHA256|SHA384|SHA512 (default: SHA1)
            -N nick         use certificate named "nick" for signing
            -P              include a SMIMECapabilities attribute
            -T              do not include content in CMS message
            -Y nick         include an EncryptionKeyPreference attribute with certificate (use "NONE" to omit)
            -Z hash         find a certificate by subject key ID

            Common options:
            -e envelope     specify envelope file (valid with -D or -E)
            -k keychain     specify keychain to use
            -i infile       use infile as source of data (default: stdin)
            -o outfile      use outfile as destination of data (default: stdout)
            -p password     use password as key db password (default: prompt)
            -s              pass data a single byte at a time to CMS
            -u certusage    set type of certificate usage (default: certUsageEmailSigner)
            -v              print debugging information

Where:

  1. -D (decode a CMS message) decodes the CMS message

  2. -i infile specifies the input file

Check the Entitlements In Your Build Log and App

Verify that Xcode is using the provisioning profile you expect when building your app by inspecting the signing step in your build log. You’ll find the name of the provisioning profile Xcode used to sign your app in the invocation of the codesign tool’s command-line parameters.

Once you’ve built your app, inspect the entitlements built into your app by running the following command in the terminal:

% codesign --display --entitlements :- YourApp.app

This command prints a plist that contains all of the entitlements built into the app.

 --entitlements path
             When signing, take the file at the given path and embed its contents in the signature as entitlement data. If the data at path does not already begin with a suitable binary ("blob") header, one is attached automatically.
             When displaying a signature, extract any entitlement data from the signature and write it to the path given in an abstract representation. If needed --xml or --der may be passed in to output the entitlements in a desired
             format, if you pass in both then DER will be printed. Use "-" as the path to write to standard output.  If the signature has no entitlement data, nothing is written (this is not an error).

Where:

  • - refers to standard output
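The comparison between the profile's entitlements and the ones signed into the app can be scripted. The following is an added example, not part of Apple's documentation or the original notes: it takes the full plist printed by security cms -D and the plist printed by codesign --display --entitlements, and reports every app entitlement the profile does not cover. The matching rules (a trailing * is a prefix wildcard, everything else must match exactly) are a simplified assumption rather than Apple's validation logic, and both plists, including com.example.app and OTHERTEAM1.shared, are constructed sample data.

```python
import plistlib

# Constructed sample: decoded profile, as printed by `security cms -D -i <profile>`.
PROFILE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>Entitlements</key><dict>
  <key>application-identifier</key><string>Z3P45X123C.*</string>
  <key>keychain-access-groups</key><array><string>Z3P45X123C.*</string></array>
  <key>get-task-allow</key><true/>
  <key>com.apple.developer.sample</key><string>Z3P45X123C</string>
</dict></dict></plist>"""

# Constructed sample: what `codesign --display --entitlements :- YourApp.app` could print.
APP_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>application-identifier</key><string>Z3P45X123C.com.example.app</string>
  <key>keychain-access-groups</key><array>
    <string>Z3P45X123C.com.example.app</string><string>OTHERTEAM1.shared</string>
  </array>
  <key>get-task-allow</key><true/>
  <key>aps-environment</key><string>development</string>
</dict></plist>"""

def covers(granted, requested):
    """Simplified model: does the profile's value cover the app's value?"""
    if isinstance(granted, str) and isinstance(requested, str):
        if granted.endswith("*"):                 # wildcard such as TEAMID.*
            return requested.startswith(granted[:-1])
        return granted == requested
    if isinstance(granted, list) and isinstance(requested, list):
        # every item the app claims must be covered by some profile item
        return all(any(covers(g, r) for g in granted) for r in requested)
    return type(granted) is type(requested) and granted == requested

def audit(profile_xml, app_xml):
    """Return (key, reason) for each app entitlement the profile does not back."""
    granted = plistlib.loads(profile_xml)["Entitlements"]
    requested = plistlib.loads(app_xml)
    findings = []
    for key, value in sorted(requested.items()):
        if key not in granted:
            findings.append((key, "not in profile"))
        elif not covers(granted[key], value):
            findings.append((key, "value not covered by profile"))
    if requested.get("get-task-allow") is True:   # a debugger may attach to this build
        findings.append(("get-task-allow", "debuggable build"))
    return findings

if __name__ == "__main__":
    for key, reason in audit(PROFILE_XML, APP_XML):
        print(f"{key}: {reason}")
```

On a real build, save the two command outputs to files and pass their bytes to audit(); an empty result means every signed entitlement is backed by the profile under this model.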

Check the Entitlements When Submitting Your App

When you submit your app to Apple, Xcode displays a list of entitlements associated with your app in the confirmation window for uploading your app. Verify that all of the entitlements shown are consistent with the entitlements you’ve selected in your project.

Fix Installation-Failure Entitlement Issues

You can remove the following entitlements from your entitlements file if they are present and cause an error during installation. These may be present in older projects for legacy reasons.

  1. application-identifier; this entitlement is defined by the provisioning profile instead.

  2. get-task-allow; this entitlement is defined by the provisioning profile instead.

If you receive the error message “Upgrade’s application-identifier entitlement string [....] does not match installed application’s application-identifier string [....]; rejecting upgrade.” and you’ve changed your application’s id, then you need to add a previous-application-identifiers entitlement to your provisioning profile. Contact Apple Developer programs for assistance using your account’s Developer Contact page > Membership > Enrollment and Account > Apple Developer Program Support form.

Fix Problems With Special Entitlements

If you received authorization to use a specific entitlement from a group at Apple and you’re having difficulty with that entitlement, contact that group for troubleshooting assistance.