Xamarin-macios: Regression - Fail to sign Mac OS project with Entitlements properly

Created on 6 Mar 2018 · 18Comments · Source: xamarin/xamarin-macios

Steps to Reproduce

I am experiencing a regression after upgrading. I can no longer build and run the signed application. I have already checked on another machine and worked before upgrading to todays release. I am assuming it is something to do with building a Mac OS project with Entitlements, fails to sign correctly and therefore fails to run.

/Library/Frameworks/Mono.framework/External/xbuild/Xamarin/Mac/Xamarin.Mac.Common.targets (_CompileEntitlements target) ->

Entitlements.plist:  warning : iCloud entitlements such as 'com.apple.developer.ubiquity-container-identifiers' require a Provisioning Profile.
Entitlements.plist:  warning : Cannot expand $(TeamIdentifierPrefix) in Entitlements.plist without a provisioning profile.

Expected Behavior

Builds and Signs the project and runs it.

Actual Behavior

Crashes due to invalid cert

Environment

=== Visual Studio Community 2017 for Mac ===

Version 7.4 (build 1033)
Installation UUID: eb84151c-06d1-4fb8-9a53-a5ebe900626c
Runtime:
    Mono 5.8.0.129 (2017-10/835a98d8559) (64-bit)
    GTK+ 2.24.23 (Raleigh theme)

    Package version: 508000129

=== NuGet ===

Version: 4.3.1.4445

=== .NET Core ===

Runtime: /usr/local/share/dotnet/dotnet
Runtime Versions:
    2.0.5
    2.0.0
SDK: /usr/local/share/dotnet/sdk/2.1.4/Sdks
SDK Versions:
    2.1.4
    2.0.0
MSBuild SDKs: /Library/Frameworks/Mono.framework/Versions/5.8.0/lib/mono/msbuild/15.0/bin/Sdks

=== Xamarin.Profiler ===

Version: 1.6.1
Location: /Applications/Xamarin Profiler.app/Contents/MacOS/Xamarin Profiler

=== Apple Developer Tools ===

Xcode 9.2 (13772)
Build 9C40b

=== Xamarin.Mac ===

Version: 4.2.0.20 (Visual Studio Community)

=== Xamarin.iOS ===

Version: 11.8.0.20 (Visual Studio Community)
Hash: 1c6f300e
Branch: d15-6
Build date: 2018-02-07 23:42:40-0500

=== Xamarin.Android ===

Version: 8.2.0.15 (Visual Studio Community)
Android SDK: Not found

=== Xamarin Inspector ===

Version: 1.4.0
Hash: b3f92f9
Branch: master
Build date: Fri, 19 Jan 2018 22:00:34 GMT
Client compatibility: 1

=== Build Information ===

Release ID: 704001033
Git revision: 053991068f3c88497d3e5cc52fe7fdf57c28b62f
Build date: 2018-02-28 05:02:28-05
Xamarin addins: cc3283953e0af0b8bfab1bdfdf847d9e403c4606
Build lane: monodevelop-lion-d15-6

=== Operating System ===

Mac OS X 10.13.3
Darwin 17.4.0 Darwin Kernel Version 17.4.0
    Sun Dec 17 09:19:54 PST 2017
    root:xnu-4570.41.2~1/RELEASE_X86_64 x86_64

=== Enabled user installed addins ===

Internet of Things (IoT) development (Preview) 7.1

Build Logs

BuildLog.txt

VS bug #580963

bug macOS vs-sync

Source

lilleydnSub

Most helpful comment

Just tested and worked perfectly, Thanks

lilleydnSub on 12 Mar 2018

❤1 🎉1

All 18 comments

Originally from https://forums.xamarin.com/discussion/comment/322516

chamons on 6 Mar 2018

Possibly related to this change - https://github.com/xamarin/xamarin-macios/commit/0059e3e5b5519ac96070916453b2f7a8dab26ef0#diff-feb51d3d10608ee1834e88a88dabf8e3 ?

chamons on 6 Mar 2018

Also see https://forums.xamarin.com/discussion/120338/developer-id-code-signing-provisioning-profiles-not-working-xamarin-mac-code-signing-vs-7-4

chamons on 6 Mar 2018

Hi @lilleydnSub,

I'm having trouble reproducing your issue. Could you provide the entitlements you're using as well as a test case if possible? Are you getting any crash logs you can share with us?

Also @chamons mentioned older version that you could use to potentially fix the issue:

This is d15-6 (what you are on I believe): https://dl.xamarin.com/XamarinforMac/Mac/xamarin.mac-4.2.0.20.pkg
This is d15-5: https://dl.xamarin.com/XamarinforMac/Mac/xamarin.mac-4.0.0.216.pkg
This is d15-4: https://dl.xamarin.com/XamarinforMac/Mac/xamarin.mac-3.8.1.0.pkg

Did any of them help? If so can you tell us which one?

VincentDondain on 7 Mar 2018

Attached is my entitlements and plists

plists.zip

I believe its this entitlement is causing a issue:

        <key>com.apple.developer.ubiquity-container-identifiers</key>
    <array>
        <string>$(TeamIdentifierPrefix)com.XXX.PodBanking</string>
    </array>

probably this too

        <key>com.apple.security.application-groups</key>
    <array>
        <string>$(TeamIdentifierPrefix)com.XXX.Banking4XData</string>
    </array>

With regards logs nothing obvious, I just get the Apple invalid signature crash when trying to run it.

lilleydnSub on 7 Mar 2018

Just downloaded and install d15-5: https://dl.xamarin.com/XamarinforMac/Mac/xamarin.mac-4.0.0.216.pkg, this works.

lilleydnSub on 7 Mar 2018

I've attempted to reproduce this crash and i'm having trouble as well.

chamons on 7 Mar 2018

Could you attach a small project that shows the issue at hand?

chamons on 7 Mar 2018

Attached is a Test case I am experiencing.

The Scenario appears to only happen when it is a signed sandboxed Mac OS App with the entitlements com.apple.developer.ubiquity-container-identifiers (Sharing iCloud folder with another App.)

        <key>com.apple.developer.ubiquity-container-identifiers</key>
    <array>
        <string>$(TeamIdentifierPrefix)com.Subsembly.PodBanking</string>
    </array>

Unfortunately not so happy about putting keys and profiles on public site, but should only take a few mins to create them.
Complile and run the app under Debug and you should experience the crash.

SampleTestFailedSigning.zip

lilleydnSub on 8 Mar 2018

Thanks for the test case. Should be possible to debug this now.

jstedfast on 9 Mar 2018

You could try applying the following patch to your local installation of the latest release to confirm the fix:

--- /Library/Frameworks/Xamarin.Mac.framework/Versions/Current/lib/msbuild/Xamarin.Mac.Common.targets   2018-02-26 15:11:11.000000000 -0500
+++ msbuild/Xamarin.Mac.Tasks/Xamarin.Mac.Common.targets    2018-03-09 09:53:30.000000000 -0500
@@ -475,6 +475,9 @@
    <Target Name="_DetectSigningIdentity" DependsOnTargets="_DetectAppManifest">
        <PropertyGroup>
            <_AppBundleName>$(AssemblyName)</_AppBundleName>
+
+           <_RequireProvisioningProfile>False</_RequireProvisioningProfile>
+           <_RequireProvisioningProfile Condition="'$(CodesignEntitlements)' != ''">True</_RequireProvisioningProfile>
        </PropertyGroup>

        <DetectSigningIdentity
@@ -484,6 +487,7 @@
            AppManifest="$(_AppManifest)"
            Keychain="$(CodesignKeychain)"
            RequireCodeSigning="$(EnableCodeSigning)"
+           RequireProvisioningProfile="$(_RequireProvisioningProfile)"
            SdkPlatform="MacOSX"
            ProvisioningProfile="$(CodeSignProvision)"
            SigningKey="$(CodeSigningKey)">

jstedfast on 9 Mar 2018

Let me slap that in an easy to apply file and post it.

chamons on 9 Mar 2018

If anyone is interested in testing out the fix super early, to give us feedback if it fixes their signing use case, please follow these steps: