Application Loader generates entitlements errors when uploading an iOS app containing an embedded Apple Watch app

Originator: benchatelain
Number: rdar://20468156
Date Originated: 2015-04-07
Status: Open
Resolved:
Product: Developer Tools
Product Version: Application Loader 3.0 (670)
Classification: Serious Bug
Reproducible: Always

Summary:
Submitting an iOS/Apple Watch app combined bundle using the Application Loader returns errors about invalid code signing entitlements on binaries which don't match the findings from the Xcode Organizer's "Validate" feature. Additionally, binaries which cannot be submitted through the Application Loader (due to the entitlements errors) can be submitted successfully via the Xcode Organizer's "Submit" feature.

Steps to Reproduce: 
1. Add a WatchKit app to an iOS app project 
2. Create an App Group for the WatchKit extension and iOS app to use for sharing data 
3. Add the App Group to the App ID for both the WatchKit extension and iOS app 
4. Add the com.apple.security.application-groups entitlement to both the WatchKit extension and iOS app 
5. Create app store distribution provisioning profiles for each of the iOS app, WatchKit extension and Watch app 
6. Create a Release build on a build server

Expected Results:
Any errors or warnings produced by the Application Loader app will match the output of the Xcode Organizer's "Validate" and "Submit" functions.

Actual Results:
The entitlements errors produced by the Application Loader app do not appear in the output of the Xcode Organizer's "Validate" and "Submit" functions. 

Below are the error messages produced by the Application Loader: 

ERROR ITMS-90075: "This bundle is invalid. The application-identifier entitlement is missing; it should contain your 10-character Apple Developer ID, followed by a dot, followed by your bundle identifier." 
ERROR ITMS-90164: "Invalid Code Signing Entitlements. The entitlements in your app bundle signature do not match the ones that are contained in the provisioning profile. According to the provisioning profile, the bundle contains a key value that is not allowed: '[ "org.kp.consumer.everybodywalk.watchapp" ]' for the key 'keychain-access-groups' in 'Payload/EveryBodyWalk.app/PlugIns/EveryBodyWalk WatchKit Extension.appex/EveryBodyWalk Watch App.app/EveryBodyWalk Watch App'" 
ERROR ITMS-90164: "Invalid Code Signing Entitlements. The entitlements in your app bundle signature do not match the ones that are contained in the provisioning profile. According to the provisioning profile, the bundle contains a key value that is not allowed: 'org.kp.consumer.everybodywalk.watchapp' for the key 'application-identifier' in 'Payload/EveryBodyWalk.app/PlugIns/EveryBodyWalk WatchKit Extension.appex/EveryBodyWalk Watch App.app/EveryBodyWalk Watch App'" 
ERROR ITMS-90046: "Invalid Code Signing Entitlements. Your application bundle's signature contains code signing entitlements that are not supported on iOS. Specifically, value 'org.kp.consumer.everybodywalk.watchapp' for key 'application-identifier' in 'Payload/EveryBodyWalk.app/PlugIns/EveryBodyWalk WatchKit Extension.appex/EveryBodyWalk Watch App.app/EveryBodyWalk Watch App' is not supported. This value should be a string starting with your TEAMID, followed by a dot '.', followed by the bundle identifier." 

Version: 
Xcode 6.2 (6C131e) 
OS X 10.10.2 (14C1514) 

Notes: 

Attempting to provide custom entitlements to the watch app by manually editing the project.pbxproj file and adding a CODE_SIGN_ENTITLEMENTS entry to the watch app target (since there is no UI for this as yet) simply shifts the above error messages around. While initially, Application Loader was complaining about the watch app's application-identifier entitlement not containing the TEAMID, specifying one with this value included generates an error that this application-identifier doesn't match the one in the provisioning profile. This is incorrect and again, only the Application Loader complains about this. 

Configuration: 
MacBook Pro (Retina, 15-inch, Late 2013)
OS X 10.10.2 (14C1514)

----------

Update 2015-04-22

Application Loader 3.1 (670) included with Xcode 6.3.1 (6D1002) still has this issue. We just tried submitting an update to our app containing a watch app and got the first two errors again.

ERROR ITMS-90075: "This bundle is invalid. The application-identifier entitlement is missing; it should contain your 10-character Apple Developer ID, followed by a dot, followed by your bundle identifier."
ERROR ITMS-90164: "Invalid Code Signing Entitlements. The entitlements in your app bundle signature do not match the ones that are contained in the provisioning profile. According to the provisioning profile, the bundle contains a key value that is not allowed: 'NP763NDP24.org.kp.consumer.everybodywalk.watchapp' for the key 'application-identifier' in 'Payload/EveryBodyWalk.app/PlugIns/EveryBodyWalk WatchKit Extension.appex/EveryBodyWalk Watch App.app/EveryBodyWalk Watch App'"

Again, loading the .xcarchive into the Xcode Organizer and using both "Validate" and "Submit to App Store" worked flawlessly with none of these errors.
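
A local pre-flight check for the two rules the ITMS messages above quote (application-identifier must be TEAMID, a dot, then the bundle identifier; every signed entitlement value must be allowed by the provisioning profile). This is an added example, not part of the original report and not Apple's validator: the function names, the Team ID pattern, the wildcard handling and the profile contents are assumptions, and the sample data is constructed from the identifiers quoted in the report.

```python
import plistlib
import re

TEAM_ID = re.compile(r"[A-Z0-9]{10}")  # assumption: ten upper-case letters/digits

def permits(granted, value):
    """A profile string ending in '*' is a prefix wildcard; anything else must match exactly."""
    if isinstance(granted, str) and granted.endswith("*"):
        return isinstance(value, str) and value.startswith(granted[:-1])
    return granted == value

def as_list(v):
    return v if isinstance(v, list) else [v]

def check_entitlements(signed, profile, bundle_id):
    """Return the problems found in one bundle's signed entitlements."""
    problems = []
    app_id = signed.get("application-identifier")
    if app_id is None:
        problems.append("application-identifier is missing")
    else:
        team, _, rest = app_id.partition(".")
        if not TEAM_ID.fullmatch(team) or rest != bundle_id:
            problems.append(f"application-identifier {app_id!r} is not TEAMID.{bundle_id}")
    for key, value in signed.items():
        for item in as_list(value):
            if not any(permits(g, item) for g in as_list(profile.get(key, []))):
                problems.append(f"{item!r} is not allowed for {key!r} by the profile")
    return problems

# Constructed sample data using the identifiers quoted in the report.
BUNDLE_ID = "org.kp.consumer.everybodywalk.watchapp"
PROFILE = {  # stands in for the "Entitlements" dict of a decoded embedded.mobileprovision
    "application-identifier": "NP763NDP24." + BUNDLE_ID,
    "keychain-access-groups": ["NP763NDP24.*"],
}
SIGNED_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>application-identifier</key><string>org.kp.consumer.everybodywalk.watchapp</string>
<key>keychain-access-groups</key>
<array><string>org.kp.consumer.everybodywalk.watchapp</string></array>
</dict></plist>"""

def demo():
    without_team = plistlib.loads(SIGNED_XML)  # entitlements signed without the Team ID
    with_team = {"application-identifier": "NP763NDP24." + BUNDLE_ID,
                 "keychain-access-groups": ["NP763NDP24." + BUNDLE_ID]}
    return (check_entitlements(without_team, PROFILE, BUNDLE_ID),
            check_entitlements(with_team, PROFILE, BUNDLE_ID))
```

On a Mac, the real inputs come from `codesign -d --entitlements :- <bundle>` for each nested bundle and `security cms -D -i embedded.mobileprovision` for its profile, both of which emit plists that `plistlib.loads` can read.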

Comments

Workaround

With the help of some Apple engineers at WWDC, I was able to work around this issue by hard-coding the release distribution provisioning profiles at the WatchKit Extension and WatchKit App target levels.

They mentioned that there was a fix for this but were unsure if it was included in Xcode 6.4 or 7.

By benchatelain at June 15, 2015, 3:52 p.m.
