xcode macos app-store-connect mac-app-store

How to prevent Xcode from adding malformed entitlements to my dylibs?


I have a Mac app that was accepted to the Mac App Store when I built it using Xcode 13 (exactly the way I do it now, code signing set to automatic, uploading to the App Store using the Organizer in Xcode), but now with Xcode 14.2, minutes after submitting it to the Mac App Store, I will receive a refusal mail with lots of "ITMS-90288: Invalid Code Signing Entitlements" and "ITMS-90286: Invalid Code Signing Entitlements" errors, two for each embedded dynamic library.

ITMS-90288: Invalid Code Signing Entitlements - The entitlements in your app
bundle signature do not match the ones that are contained in the provisioning
profile. According to the provisioning profile, the bundle contains a key value
that is not allowed: '(My team id).' for the key 'com.apple.application-identifier'
in 'Spatterlight.app/Contents/Frameworks/libc64diskimage.dylib'

ITMS-90286: Invalid Code Signing Entitlements - Your application bundle's
signature contains code signing entitlements that are not supported on macOS.
Specifically, value '(My team id).' for key 'com.apple.application-identifier'
in 'Spatterlight.app/Contents/Frameworks/libc64diskimage.dylib' is not supported.
This value should be a string starting with your TEAMID, followed by a dot '.',
followed by the bundle identifier .

The reply at https://developer.apple.com/forums/thread/710598 seems to indicate that dylibs shouldn't have entitlements at all, but apparently Xcode is adding them anyway, making the app unacceptable to the App Store.

I have tried cleaning the build folder, disabling and enabling automatic signing, signing manually when uploading the app (providing profiles from lists in Xcode rather than doing it automatically). The result is the same.

Note that there are plenty of questions here that may look like duplicates of this (usually with titles like "ERROR ITMS-XXXXX: 'Invalid Code Signing Entitlements'"), but none of them seem to be about this problem, which makes me think I am doing something uniquely wrong.


Solution

  • To prevent Xcode from adding malformed entitlements to your dylibs, you can do the following steps:

    1. Create a custom entitlements file: In Xcode, go to File > New > File and select "Entitlements" from the list of file templates. This will create a new .entitlements file in your project.

    2. Specify the custom entitlements file: In your target's Build Settings, find the "Code Signing Entitlements" setting and set it to the name of your custom entitlements file.

    3. Review and edit the entitlements file: Open the custom entitlements file and review the contents. Ensure that only the necessary entitlements are included, and that they are correctly formatted.

    4. Build and sign your dylib: Build your dylib and sign it with your custom entitlements file. You can verify that the entitlements were correctly added by running the codesign command in the Terminal and examining the output.
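
The codesign check mentioned in the last step, as an added example that is not part of the original answer: a POSIX shell script that runs `codesign -d --entitlements -` on each dylib in the bundle's Contents/Frameworks and lists those whose signature embeds entitlements (the condition the ITMS-90288/ITMS-90286 mails complain about). The function names and the `CODESIGN` override variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: find embedded dylibs whose code signature carries entitlements.
# Usage (on macOS): sh check_dylib_entitlements.sh /path/to/Spatterlight.app

# Tool used to read signatures; overridable so a stand-in can be substituted
# (the variable name is an assumption of this example).
CODESIGN="${CODESIGN:-codesign}"

# has_entitlements FILE
# Succeeds if the signature of FILE embeds at least one entitlement key.
# An unsigned file or a signature without entitlements produces no key
# lines on stdout, so the function fails for both.
has_entitlements() {
    # Older codesign versions print an XML plist (<key>...), newer ones a
    # "[Key] ..." listing; accept either form.
    "$CODESIGN" -d --entitlements - "$1" 2>/dev/null |
        grep -Eq '<key>|\[Key\]'
}

# dylibs_with_entitlements APP
# Prints every *.dylib directly under APP/Contents/Frameworks whose
# signature embeds entitlements. Returns 1 if any were found, else 0.
dylibs_with_entitlements() {
    found=0
    for lib in "$1"/Contents/Frameworks/*.dylib; do
        # The glob stays literal when nothing matches; skip that case.
        [ -e "$lib" ] || continue
        if has_entitlements "$lib"; then
            echo "$lib"
            found=1
        fi
    done
    return "$found"
}

# Run the scan only when an app bundle path is given on the command line.
if [ "$#" -gt 0 ]; then
    dylibs_with_entitlements "$1"
fi
```

The script only looks at dylibs directly inside Contents/Frameworks, which is where the rejection mails in the question locate them; a non-zero exit status means at least one dylib was listed.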