Code signing is flaky and unreliable

Originator:atomicbird
Number:rdar://18731831 Date Originated:21-Oct-2014 08:41 PM
Status:Open Resolved:
Product:Developer Tools Product Version:6.1
Classification:Serious Bug Reproducible:Sometimes
 
Summary:
In order to run an app on a device it's necessary to have both an appropriate signing certificate and provisioning profile on the development Mac. In principle this is a straightforward though somewhat cumbersome process. In practice it's a steaming pile of shit that's prone to breaking for no readily apparent reason, accompanied by meaningless, confusing, or just plain incorrect error messages. Occasionally it also resumes working, also for no readily apparent reason.

For whatever it's worth, I've been developing iOS apps since early 2008 and I regard the code signing process as conceptually straightforward. In practice though, it's flaky and unreliable. More than six years in and I still routinely lose a day to trying to get code signing working again.

This happened last month:

I had been building and debugging an app on a couple of devices for a few weeks when one day Xcode informed me that no valid provisioning profiles could be found. I found that the same profile I had been using all along was in fact still present and unchanged.

I consulted with other team members, who informed me that device builds worked for them.

Digging through the project I found that the code signing identity was set to "automatic". Although this worked for everyone else, I made sure to explicitly configure it to use the correct identity. No luck.

Next, the provisioning profile. In most places the provisioning profile was set to "automatic" (the project has multiple targets, some of which depend on one or more of the others). Although "automatic" worked for everyone else, I changed the setting in several places to explicitly use the already-present and known good provisioning profile.

After a while I was able to get a successful build. Hooray!

But then I tried to run the app on a device. Xcode informed me that the entitlements requested in the app's entitlements file did not match those on the provisioning profile. So, the app could not run. Sadly Xcode did not give any useful hints as to which entitlement(s) were incorrect.

So I took the liberty of examining both the provisioning profile and the app settings. I opened the provisioning profile in BBEdit to review the embedded property list. The certificate was... well, who knows? There's nothing there that I can correlate to anything in Keychain Access. The entitlements clearly matched. The device I was using was included. Basically, everything I could make sense of was correct.

By this time my project changes had gotten somewhat confused, so I told git to reset to the latest commit so I could start over.

BUT FIRST, I decided to try building and running on the device. It worked.

Let me be clear: Device builds wouldn't work. I made a bunch of changes but couldn't fix it. So I went back to where I had been at the start, only now device builds DID work. Net result: No lessons learned, nothing that I could potentially apply in future situations, just an unexplained change in behavior.

Steps to Reproduce:
1. Create an app that requires code signing (basically any iOS app)
2. Attempt to build and run this code on any iOS-based device

Expected Results:
Assuming the presence of a valid certificate and provisioning profile,

1. The app would install on a device and run
2. This process would continue to work until the certificate expired or the certificate and/or profile were changed in some way.

Actual Results:
[continued from "Description" section]

So I settled into an uneasy peace with device builds for a while. But then I had to travel for a couple of weeks, leaving my beloved iMac at home. When I finally returned, device builds were broken again. Symptoms were exactly as they had been before.

I looked at the same issues at before-- certificates, provisions, entitlements. I got as far as Xcode claiming that entitlements were not correct again. I tried for about three hours without success before switching to the simulator and hoping for the best. This random screwing around in Xcode is fun and all, but I needed to get some work done.

Looking at it again today, nothing had changed. There's no reason I should have expected it to change, except that last time it started working again with no explanation.

Desperate to get a device build, I tried switching to another Mac. To be clear: This other Mac has

1. The same developer accounts configured in Xcode
2. The same certificates in Keychain access
3. The same provisioning profiles
4. The same project

And it worked! AND I HAVE NO IDEA WHY.

So to recap:

1. Code signing broke, but started working after changing a bunch of related project settings AND THEN REVERTING ALL OF THOSE CHANGES.

2. Code signing broke again, with identical symptoms, but so far has not responded to the "screw around for a while and then revert changes" approach that worked before. However on an apparently-identical Mac, everything is fine.

In summary: Code signing works or doesn't work for incomprehensible reasons. Getting signing working again does not result in learning any useful skills that can be applied to future attempts.


Version:
Xcode 6.0 and Xcode 6.1 currently, but this kind of problem has existed for years.

Notes:
A couple of images are attached:

provisioning.png : error message from Xcode incorrectly claiming that there is a problem with the provisioning profile. [For Open Radar: see http://cl.ly/image/2s3b0P2S0523 ]

entitlements.png : error message from Xcode incorrectly claiming that there is a problem with the app entitlements. [For Open Radar: see http://cl.ly/image/232y3f0N0W1c ]

Configuration:


Attachments:
'Archive.zip' was successfully uploaded.

Comments


Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at bugreport.apple.com before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!