Xcode@5 Code Signing Error when building a project with embedded framework that does not support manual signing #12263

Closed
ericallam opened this issue Jan 30, 2020 · 29 comments
Labels: Area: ABTT (Akvelon Build Tasks Team area of work), bug, question, Task: Xcode

ericallam commented Jan 30, 2020

Required Information

Type: Bug
Task Name: Xcode@5

Environment

All

Issue Description

Xcode@5 fails to build an Xcode project that has multiple targets that have mixed signing needs, resulting in a Code Signing Error with this format:

<Framework> does not support provisioning profiles. <Framework> does not support provisioning profiles, but provisioning profile <Provisioning Profile Name> has been manually specified. Set the provisioning profile value to "Automatic" in the build settings editor.

In my case, I am trying to build an Xcode project produced by Unity 2019.3, which includes a new UnityFramework that does not support manual code signing.

According to the Unity Documentation, a new set of command line arguments for xcodebuild are to be used to target manual code signing to the main Unity-iPhone target only, and leave UnityFramework to be signed automatically.

Using PROVISIONING_PROFILE_APP and PROVISIONING_PROFILE_SPECIFIER_APP instead of PROVISIONING_PROFILE and PROVISIONING_PROFILE_SPECIFIER in the xcodebuild command fixes this issue.

Adding a "Custom Provisioning Profile Argument Suffix" parameter to Xcode under the Signing action would allow this issue to be fixed. See this blog post for more information about how the suffixes are used in building Xcode projects with multiple targets.

Here is a Unity produced Xcode project that can be used to demonstrate the issue:

https://content-infrastructure-uploadbucket-iuhbmg0o97e6.s3.amazonaws.com/uploads/AzureXcodeCodeSignError.zip

You can attempt to build it using a command similar to this:

/usr/bin/xcodebuild -sdk iphoneos13.2 -configuration Release -project ./Unity-iPhone.xcodeproj -scheme Unity-iPhone archive CODE_SIGN_STYLE=Manual CODE_SIGN_IDENTITY="<Code Sign Identity>" PROVISIONING_PROFILE_APP="<Provisioning Profile UUID>" PROVISIONING_PROFILE_SPECIFIER_APP="<Provisioning Profile Name>"

@fortunacio

Hi @ericallam, did you find any solution?

@fortunacio

I managed to solve this by creating a custom task to provide "Custom Provisioning Profile Argument Suffix" to the Xcode Build task. If anyone wants the task let me know so I can share it.

Cheers.

@Paul-ICS

Hi @fortunacio,
I'm getting the same problem as this with my Ionic project, could you share what you did to make it sign and build?
Thanks,
Paul

fortunacio commented Apr 16, 2020 via email

@Paul-ICS

My DevOps org is called: ics-development

Thanks,
Paul

fortunacio commented Apr 16, 2020 via email

@Paul-ICS

Just a quick update, we tried your task and specified the suffix of APP, but it didn't seem to make any difference to the build. I also tried it locally and couldn't get xcodebuild to do anything with PROVISIONING_PROFILE_APP. It did the same as if it wasn't specified.

Anyway, we found that using the original Xcode build task and specifying an argument of "CODE_SIGNING_ALLOWED=No" made it all build and sign correctly.

Thanks for your help.

@pandey-laxman

@Paul-ICS can you please be more specific about where you specified "CODE_SIGNING_ALLOWED=No"? Is it in task: Xcode@5, or somewhere in the Xcode project?
I have some embedded frameworks, and for those I am getting the error below.

error: Domain does not support provisioning profiles. Domain does not support provisioning profiles, but provisioning profile xxxxx has been manually specified. Set the provisioning profile value to "Automatic" in the build settings editor. (in target 'Domain' from project 'xxxxx')

Can you please provide more details to fix this issue?
I have spent hours trying to fix this issue but still no luck.

@Paul-ICS

@pandey-laxman, sorry missed this email!

It needs to go in the arguments field in the Xcode task.
This is how my Xcode task looks (in yaml):

          - task: Xcode@5
            inputs:
              actions: 'build'
              xcWorkspacePath: '**/myproj.xcworkspace'
              scheme: 'myproj'
              xcodeVersion: 'specifyPath'
              xcodeDeveloperDir: '/Applications/Xcode_11.1.app'
              packageApp: true
              exportPath: 'output/$(SDK)/$(BuildConfiguration)'
              exportOptions: 'plist'
              exportOptionsPlist: 'pipelines/export.debug.plist'
              signingOption: 'manual'
              signingIdentity: '$(APPLE_CERTIFICATE_SIGNING_IDENTITY)'
              provisioningProfileUuid: '$(APPLE_PROV_PROFILE_UUID)'
              args: 'CODE_SIGNING_ALLOWED=No'

pandey-laxman commented May 16, 2020

@Paul-ICS Thank you very much, it worked. I created the exportOptions.plist file in the path provided above and it worked.
But I have some doubts; if anyone can clear them up, it will be highly appreciated.

  1. What would the workflow be for app build (on every PR merge) and distribution (on a specific tag) for the different environments that are created as configurations (dev, demo, qa and prod), for ad hoc and App Store?
  2. How to push release notes?

I have found no documentation regarding this.

@imzahahs

Does anyone know why "CODE_SIGNING_ALLOWED=No" works? I can't find any docs regarding this. (I used this for automating iOS builds for Unity 2020 via Jenkins).

@craigktreasure (Member)

For me, CODE_SIGNING_ALLOWED=No allowed my build to complete, but I couldn't use the resulting app because it wasn't signed. So, I don't believe that's a good solution.

EvilCreamsicle commented Mar 1, 2021

> I managed to solve this by creating a custom task to provide "Custom Provisioning Profile Argument Suffix" to the Xcode Build task. If anyone wants the task let me know so I can share it.
>
> Cheers.

@fortunacio
I would like this custom task, if it is still available. Please and thank you.

@fortunacio

@EvilCreamsicle Yes, for sure, can you give me the name of your organization?

@EvilCreamsicle

> @EvilCreamsicle Yes, for sure, can you give me the name of your organization?

my organization is 'powerley-development',
Thanks

@datran-msft

We are currently hitting this issue with Unity 2019 too.

We signed manually on Unity 2018 as automatic signing is not an option for us, but updating to Unity 2019 is causing the <Framework> does not support provisioning profiles.

Setting CODE_SIGNING_ALLOWED=No doesn't address the issue since we still need to sign it.

Is there a workaround? Is there a task we can use that has support for the suffixes?
Thanks

kmikkel commented Jul 12, 2021

We ran into this problem too after upgrading from Unity 2018 to Unity 2020. Haven't found a workaround yet.

kmikkel commented Aug 25, 2021

I have been struggling with this issue. Here are my findings (pretty much the same conclusion as in the original post).

When running this Xcode task:

- task: Xcode@5
  displayName: 'Xcode build Unity-iPhone'
  inputs:
    xcWorkspacePath: 'iOSBuild/Unity-iPhone.xcworkspace'
    scheme: 'Unity-iPhone'
    sdk: 'iphoneos'
    packageApp: true
    archivePath: iOSBuild
    exportPath: $(Build.ArtifactStagingDirectory)/ios
    signingOption: 'manual'
    signingIdentity: '<SigningIdentity>'
    args: 'PROVISIONING_PROFILE_APP=<ProvisioningProfileUuid> PROVISIONING_PROFILE_SPECIFIER_APP=<ProvisioningProfileName>'
    useXcpretty: false
  condition: succeeded()

it generates this xcodebuild command, adding empty entries for PROVISIONING_PROFILE and PROVISIONING_PROFILE_SPECIFIER:

/usr/bin/xcodebuild -sdk iphoneos -configuration $(Configuration) -workspace /Users/runner/work/1/s/iOSBuild/Unity-iPhone.xcworkspace -scheme Unity-iPhone build PROVISIONING_PROFILE_APP=<ProvisioningProfileUuid> PROVISIONING_PROFILE_SPECIFIER_APP=<ProvisioningProfileName> CODE_SIGN_STYLE=Manual CODE_SIGN_IDENTITY=<SigningIdentity> PROVISIONING_PROFILE= PROVISIONING_PROFILE_SPECIFIER=

The empty entries make the xcodebuild command fail with the error reported in the initial post.
So if the Xcode task could generate an xcodebuild command without adding the empty entries, the problem could be fixed.

Strepto commented Aug 27, 2021

We are also having this issue. Is there any way to resolve this?

Unity 2020.3

@palhagen

I am experiencing the same problem when upgrading from Unity 2018.4 to 2020.3 and it is a show stopper for automatic builds. A solution to this problem would be appreciated!

@datran-msft

The workaround we used was to use a custom bash task that would execute all the commands that the xcode task would do, but with our own arguments.

You can find what all the commands are by observing the logs or outputs from the xcode task.
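
As an added example (not part of the thread and not the Xcode@5 task's code), the check below lints an xcodebuild argument list for the override combinations reported in this issue before a custom script step runs it: empty PROVISIONING_PROFILE entries next to suffixed ones, an un-suffixed profile, and CODE_SIGNING_ALLOWED=No. The function names, finding labels and sample values are constructed for illustration.

```sh
#!/bin/sh
# Added example, not the Xcode@5 task's code: lint the build-setting overrides
# in an xcodebuild argument list before a script step runs it.
# Prints one finding per line; status 0 = clean, 1 = at least one finding.
lint_xcodebuild_signing() (
  empty_global="" set_global="" suffixed="" unsigned="" rc=0
  for arg in "$@"; do
    case $arg in
      *=*) key=${arg%%=*}; val=${arg#*=} ;;
      *)   continue ;;   # options such as -scheme and their values
    esac
    case $key in
      CODE_SIGNING_ALLOWED)
        case $val in [Nn][Oo]) unsigned=$arg ;; esac ;;
      PROVISIONING_PROFILE|PROVISIONING_PROFILE_SPECIFIER)
        # Un-suffixed overrides on the command line apply to every target.
        if [ -z "$val" ]; then empty_global="$empty_global $key"
        else set_global="$set_global $key"; fi ;;
      PROVISIONING_PROFILE_?*)
        # Suffixed form from the issue description (PROVISIONING_PROFILE_APP).
        suffixed="$suffixed $key" ;;
    esac
  done
  if [ -n "$unsigned" ]; then
    echo "UNSIGNED: $unsigned turns signing off; the build product is not signed"
    rc=1
  fi
  if [ -n "$empty_global" ] && [ -n "$suffixed" ]; then
    echo "EMPTY_GLOBAL_PROFILE: empty${empty_global} passed together with${suffixed}"
    rc=1
  fi
  if [ -n "$set_global" ]; then
    echo "GLOBAL_PROFILE:${set_global} applies to all targets, embedded frameworks included"
    rc=1
  fi
  [ "$rc" -eq 0 ]
)

# Constructed sample: the argument shape of the task-generated command quoted
# in the thread, with placeholder values (not a real identity or profile UUID).
lint_task_generated_sample() {
  lint_xcodebuild_signing -sdk iphoneos -workspace Unity-iPhone.xcworkspace \
    -scheme Unity-iPhone build \
    PROVISIONING_PROFILE_APP=00000000-0000-0000-0000-000000000000 \
    PROVISIONING_PROFILE_SPECIFIER_APP=example-profile \
    CODE_SIGN_STYLE=Manual "CODE_SIGN_IDENTITY=Example Identity" \
    PROVISIONING_PROFILE= PROVISIONING_PROFILE_SPECIFIER=
}

lint_task_generated_sample || true
```

In a pipeline step, call the function with the same arguments that will be passed to xcodebuild and let a non-zero status fail the step.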

anatolybolshakov added the Area: ABTT (Akvelon Build Tasks Team area of work) label Aug 30, 2021

@eirikwah

Although workarounds are described above, it would be nice if this issue would be fixed in this official repo. Are there any updates? Is this issue prioritized, and/or will it be?

sewerow commented Oct 7, 2021

Are there any updates? I have the same problems, and I need to implement custom scripts; no other options fit.

AnnaOpareva assigned AnnaOpareva and unassigned leantk Oct 11, 2021

@AnnaOpareva (Contributor)

Hi, @ericallam

The problem that you experience is specific for Unity Framework, our task is a more generic tool and we don't plan to support specific frameworks like Unity. If it is required to build Unity Framework we could suggest you implement the task for this by yourself, which will consider Unity-specific features and options. Introducing any changes for support of specific frameworks in the existing Xcode task will make it more complex and also it would take effort to keep the task in sync with new framework versions. We don't want to complicate the existing task structure by introducing framework-specific logic.

trevorbye commented Mar 23, 2022

Edit: this did not end up being the final solution, see my new comment below for the full build script that uses separate archive/export archive steps.

Wish msft had more customer empathy with this kind of thing. Yes, this task isn't specific to Unity, but it is specific to xcode, and Unity is a common framework to build in xcode. I agree it probably doesn't warrant an implementation change on your side, but even mentioning something in your docs about how to work around this would be helpful because it is still an issue, rather than simply saying "not our problem".

The original solution of using PROVISIONING_PROFILE_APP and PROVISIONING_PROFILE_SPECIFIER_APP here worked for me, and everything builds/signs successfully. I ended up just using a bash script because at the end of the day this task is really only useful for learning what xcodebuild runs under the hood... because even passing manual args doesn't work correctly as you can see above in some other replies.

Here is the relevant section of the pipeline to show more explicitly how to work around this. See this doc on signing if you need context on how to use/setup the InstallAppleCertificate@2 and InstallAppleProvisioningProfile@1 tasks.

- task: InstallAppleCertificate@2
  inputs:
    certSecureFile: '$(certFileInSecureLibrary)'
    certPwd: '$(cert_password)'
    keychain: temp
    deleteCert: true
 
- task: InstallAppleProvisioningProfile@1
  inputs:
    provisioningProfileLocation: 'secureFiles'
    provProfileSecureFile: '$(yourProfileFile)'
    removeProfile: true

- task: Bash@3
  inputs:
    targetType: inline
    script: >
      /usr/bin/xcodebuild
      -sdk iphoneos
      -configuration Release
      -project $(xcodeRoot)/Unity-iPhone.xcodeproj
      -scheme Unity-iPhone
      build
      CODE_SIGN_STYLE=Manual
      CODE_SIGN_IDENTITY='$(APPLE_CERTIFICATE_SIGNING_IDENTITY)'
      PROVISIONING_PROFILE_APP=$(APPLE_PROV_PROFILE_UUID)
      PROVISIONING_PROFILE_SPECIFIER_APP=your-provisioning-profile-name
      CONFIGURATION_BUILD_DIR=$(xcodeRoot)/build-output/

In this example, the variable $(xcodeRoot) is set to $(Pipeline.Workspace)/s because in our case we aren't cloning a repo in this job, we pull down the Unity xcode project files from a preceding job that runs on a windows VM, and manually put it in the dir where AzDo normally expects your repo root to be e.g. /Users/runner/work/1/s/.

Additionally, because we were building the xcode project files on a windows box, there is one other task we needed. There are two shell scripts in the xcode project root that were getting permission denied errors, so you can simply just add a bash task to chmod them first before running your xcodebuild script:

- task: Bash@3
  displayName: 'chmod shell scripts in xcode project root'
  inputs:
    targetType: inline
    script: |
      chmod +x $(xcodeRoot)/MapFileParser.sh
      chmod +x $(xcodeRoot)/process_symbols.sh

rafek commented Jun 29, 2022

@trevorbye I did exactly as you advised - with the only difference that I'm building .xcworkspace rather than .xcodeproj:

- task: Bash@3
  inputs:
    targetType: inline
    script: >
      /usr/bin/xcodebuild
      -sdk iphoneos
      -configuration Release
      -workspace $(Build.BinariesDirectory)/Unity-iPhone.xcworkspace
      -scheme Unity-iPhone
      build
      CODE_SIGN_STYLE=Manual
      CODE_SIGN_IDENTITY='$(APPLE_CERTIFICATE_SIGNING_IDENTITY)'
      PROVISIONING_PROFILE_APP='$(APPLE_PROV_PROFILE_UUID)'
      PROVISIONING_PROFILE_SPECIFIER_APP=my-prov-profile-name
      CONFIGURATION_BUILD_DIR=$(Build.BinariesDirectory)/build_output

and it still tries to CodeSign UnityFramework.

trevorbye commented Jun 29, 2022

> @trevorbye I did exactly as you advised - with the only difference that I'm building .xcworkspace rather than .xcodeproj:
>
> - task: Bash@3
>   inputs:
>     targetType: inline
>     script: >
>       /usr/bin/xcodebuild
>       -sdk iphoneos
>       -configuration Release
>       -workspace $(Build.BinariesDirectory)/Unity-iPhone.xcworkspace
>       -scheme Unity-iPhone
>       build
>       CODE_SIGN_STYLE=Manual
>       CODE_SIGN_IDENTITY='$(APPLE_CERTIFICATE_SIGNING_IDENTITY)'
>       PROVISIONING_PROFILE_APP='$(APPLE_PROV_PROFILE_UUID)'
>       PROVISIONING_PROFILE_SPECIFIER_APP=my-prov-profile-name
>       CONFIGURATION_BUILD_DIR=$(Build.BinariesDirectory)/build_output
>
> and it still tries to CodeSign UnityFramework.

I realized that what I posted did not end up as the final solution. Instead of building in one step, you need to do two separate bash scripts invoking xcodebuild; one creates an archive, and the next exports that archive. You also need to create an exportoptions.plist file to reference as well. Here is what the relevant parts of the pipeline look like:

variables:
  plistBuddy: '/usr/libexec/PlistBuddy' # default macos utility for building plist files
  exportOptions: '$(Pipeline.Workspace)/exportOptions.plist'
  xcodeBundleId: 'com.yourpackagename.foo'
  appleProvProfileName: 'name-of-provisioning-profile' # this is just the string name you give the profile when you create it
  appleTeamId: 'your-apple-team-ID' # this value isn't secret e.g. it's useless on its own, can find in app store connect

  - job: buildXcode
    pool:
      vmImage: 'macOS-latest'
    steps:
    - checkout: none

    - task: DownloadPipelineArtifact@2
      displayName: 'Get XCode project files'
      name: xCodeProjectFiles
      inputs:
        source: current
        artifact: 'iOS_XCodeProject_BuildArtifact'
        path: $(xcodeRoot)/

    - task: Bash@3
      displayName: 'chmod shell scripts in xcode project root'
      inputs:
        targetType: inline
        script: |
          chmod +x $(xcodeRoot)/MapFileParser.sh
          chmod +x $(xcodeRoot)/process_symbols.sh

    # automatically fetches cert from library>secure files and installs in temp keystore
    - task: InstallAppleCertificate@2
      inputs:
        certSecureFile: '$(yourCertFileLocationRef)'
        certPwd: '$(yourCertFilePasswordRef)'
        keychain: temp
        deleteCert: true
    
    # automatically fetches profile from library>secure files
    - task: InstallAppleProvisioningProfile@1
      inputs:
        provisioningProfileLocation: 'secureFiles'
        provProfileSecureFile: '$(yourProvProfileFile)'
        removeProfile: true

    - task: Bash@3
      displayName: 'Build exportOptions.plist file'
      inputs:
        targetType: inline
        script: |
          $(plistBuddy) -c "Add :compileBitcode bool false" $(exportOptions)
          $(plistBuddy) -c "Add :method string app-store" $(exportOptions)
          $(plistBuddy) -c "Add :provisioningProfiles dict" $(exportOptions)
          $(plistBuddy) -c "Add :provisioningProfiles:$(xcodeBundleId) string $(appleProvProfileName)" $(exportOptions)
          $(plistBuddy) -c "Add :signingCertificate string $(APPLE_CERTIFICATE_SIGNING_IDENTITY)" $(exportOptions)
          $(plistBuddy) -c "Add :signingStyle string manual" $(exportOptions)
          $(plistBuddy) -c "Add :stripSwiftSymbols bool true" $(exportOptions)
          $(plistBuddy) -c "Add :teamID string $(appleTeamId)" $(exportOptions)
          $(plistBuddy) -c "Add :thinning string <none>" $(exportOptions)

    - task: PublishPipelineArtifact@1
      displayName: 'Publish exportOptions.plist'
      condition: succeeded()
      inputs:
        targetPath: $(exportOptions)
        artifactName: ExportOptions_Plist

    - task: Bash@3
      displayName: 'Build Xcode Archive'
      inputs:
        targetType: inline
        script: >
          /usr/bin/xcodebuild
          -project $(xcodeRoot)/Unity-iPhone.xcodeproj
          -scheme Unity-iPhone
          -sdk iphoneos
          -configuration Release
          archive
          -archivePath $(xcodeRoot)/build-output/someFileName.xcarchive
          PROVISIONING_PROFILE_APP=$(APPLE_PROV_PROFILE_UUID)
          CODE_SIGN_IDENTITY='$(APPLE_CERTIFICATE_SIGNING_IDENTITY)'

    - task: Bash@3
      displayName: 'Export Xcode Archive'
      inputs:
        targetType: inline
        script: >
          /usr/bin/xcodebuild
          -exportArchive
          -archivePath $(xcodeRoot)/build-output/someFileName.xcarchive
          -exportOptionsPlist $(exportOptions)
          -exportPath $(xcodeRoot)/build-output/

    - task: PublishPipelineArtifact@1
      displayName: 'Publish Build Output Artifacts'
      condition: succeeded()
      inputs:
        targetPath: $(xcodeRoot)/build-output/
        artifactName: iOS_BuildArtifacts

This should result in an .ipa package in the dir where the last step publishes the build artifacts. @rafek hopefully this helps! Will update my original comment to point to this one.

rafek commented Jun 29, 2022

@trevorbye thanks for getting back with help so quickly. I did the very same setup and I'm getting the following now (during archive):

Unity-iPhone has conflicting provisioning settings. Unity-iPhone is automatically signed, but provisioning profile <my-prov-profile> has been manually specified. Set the provisioning profile value to "Automatic" in the build settings editor, or switch to manual signing in the Signing & Capabilities editor. (in target 'Unity-iPhone' from project 'Unity-iPhone')

rafek commented Jun 29, 2022

@trevorbye also.. when I set to Auto and CODE_SIGN_IDENTITY to 'Apple Development' it ended up with CodeSign error for UnityFramework.framework..
