How to update provisioning profile?

We are trying to add Branch.io to our Expo/CRNA app. This included enabling Associated Domains on Apple’s Developer Portal and changing app.json as per https://docs.expo.io/versions/latest/sdk/branch.html. This made the current provisiong profile inactive, and we had to re-generate it, by clicking EDIT on it and then Generate.

We then tried to build this to a separate release channel (exp build:ios --release-channel test), downloaded the IPA, and tried to install it on an iPhone through Xcode and the Devices and Simulators window. However, we get the error “A valid provisioning profile for this executable was not found.” The test release channel is an existing channel. However, we also tried doing to a new channel. Still same result.

Will the exp build command take the changes to the provisioning profile into account? Are we loading the IPA wrongly? Not really sure how to do this.

1 Like

Hi, the IPA created by exp build:ios is signed for the App Store. So the best way to get it on your device is to upload it to the Apple Testflight service and add yourself as an Internal Tester. It’s not signed in a way that allows sideloading it through Xcode like that. This behavior was true both before and after your changes to your App Id.

If you are selecting “let expo handle it for you” during the build process, I believe we’ll generate all your signing stuff, including a new provisioning profile which reflects the latest state of your app id. If you choose to do it manually, then you’ll need to make sure you’re providing an App Store certificate and profile.

(semi-related, our build service can also create simulator builds, which are significantly easier to install if all you need is to use a simulator rather than a real device. For this, pass -t simulator to the build command)

2 Likes

Thanks for the swift reply Ben. We initially selected “let expo handle it for you”, and have since gone into Apple Developer and added Associated Domains to the provisioning profile manually, as well as added "associatedDomains": ["applinks:plantjammer.app.link"] to app.json. We then used ran exp build:ios --release-channel test, downloaded the IPA, and tried to upload it via Application Loader (Version 3.7.1 (1047)). However, we are getting the following error:
ERROR ITMS-90163: "Invalid Code Signing Entitlements. The entitlements in your app bundle signature do not match the ones that are contained in the provisioning profile. The bundle contains a key that is not included in the provisioning profile: 'com.apple.developer.associated-domains' in 'Payload/ExpoKitApp.app/ExpoKitApp'."

This seems to indicate that Expo is not actually fetching the updated provisioning profile?

1 Like

We got it working by downloading the certificates, provisioning profile and push services thingy from Apple Developer, and then adding them manually by running exp build:ios -c --release-channel test (which clears the current certificates) and then added the downloaded ones manually. Guidance for this was found in this post https://forums.expo.dev/t/exp-fetch-ios-certs-exp-build-ios/7322/2?u=kraegpoeth. The issue could also be that the provisioning profile was generated using the wrong distribution certificate, but we never got to test that.

1 Like

Running into the issues with associated domains as well. We have them set in our app.json:

"associatedDomains": [
    "applinks:pb.app.link",
    "applinks:pb-alternate.app.link",
    "applinks:pb.test-app.link",
    "applinks:pb-alternate.test-app.link"
]

and enabled under our App ID.

I build the app with exp build:ios and open Application Loader on the latest XCode. Application loader gives me back the same error @kraegpoeth had :

ERROR ITMS-90163: "Invalid Code Signing Entitlements. The entitlements in your app bundle signature do not match the ones that are contained in the provisioning profile. The bundle contains a key that is not included in the provisioning profile: 'com.apple.developer.associated-domains' in 'Payload/ExpoKitApp.app/ExpoKitApp'."

Along with a likely unrelated warning:

WARNING ITMS-90076: "Potential Loss of Keychain Access. The previous version of software has an application-identifier value of ['QNKTC946NB.com.summerplaybook.playbookapp'] and the new version of software being submitted has an application-identifier of ['N6C7DBAK2F.com.summerplaybook.playbookapp']. This will result in a loss of keychain access."

I also noticed our Provisioning Profile has a status of Invalid. It expires on Feb 22, 2019 (the last time we built was Feb 22, 2018). We also have two certificates, one that expires Feb 22, 2019 and one that expires Jun 28, 2019, and the profile uses the former.

Is there any fix for this that doesn’t require us to add our certificates / profile manually? Going to try uploading the app without associated domains and see if that works, but it’d be a bummer to not be able to use branch links.

– More updates as I try to debug this (maybe useful for people who come by this later, for pitfalls, for understanding my issue, etc):

  • Likely relevant text from when I checked Enable Associated Domains: “If you wish to enable Associated Domains for any existing provisioning profiles associated with this App ID, you must also regenerate them.”

  • At some point I ran exp build:ios -c and now get the following error when I try to let expo handle certificates:

[17:29:34] Only 1 team associated with your account, using Team ID: N6C7DBAK2F
? Will you provide your own Distribution Certificate? Let Expo handle the process
? Will you provide your own Push Certificate? Let Expo handle the process
[17:29:48] Error while gathering & validating credentials
[17:29:48] Reason:Unexpected response, raw:{"responseId":"3aa03466-3c48-4a71-8e1a-b099188469fa","resultCode":7460,"resultString":"Maximum number of certificates generated","userString":"You already have a current iOS Distribution certificate or a pending certificate request.","creationTimestamp":"2018-06-29T00:29:48Z","protocolVersion":"QH65B2","userLocale":"en_US","requestUrl":"https://developer.apple.com/services-account/QH65B2/account/ios/certificate/submitCertificateRequest.action","httpCode":200}
  • I just clicked regenerate on the provisioning profile with the new certificate. Didn’t fix anything, but don’t know if that’s something I should have done or not.

  • Just realized this could be related to me transferring ownership of the app from my personal developer account to a team developer account, hence the different Team IDs

  • Regenerated provisioning profile with the old cert and revoked the ones that (I think) were new. Tried another exp build:ios -c and got a different error:

? Will you provide your own Distribution Certificate? Let Expo handle the process
? Will you provide your own Push Certificate? Let Expo handle the process
[17:40:40] Error while gathering & validating credentials
[17:40:40] Reason:Unexpected response, raw:{"responseId":"8c138e7c-be2f-4eaf-9d48-d2f98f8f21ee","resultCode":35,"resultString":"There were errors in the data supplied. Please correct and re-submit.","userString":"Multiple profiles found with the name 'com.summerplaybook.playbookapp AppStore'.  Please remove the duplicate profiles and try again.","creationTimestamp":"2018-06-29T00:40:40Z","protocolVersion":"QH65B2","userLocale":"en_US","requestUrl":"https://developer.apple.com/services-account/QH65B2/account/ios/profile/createProvisioningProfile.action","httpCode":200,"validationMessages":[{"validationKey":"provisioningProfileName","validationUserMessage":"Multiple profiles found with the name 'com.summerplaybook.playbookapp AppStore'.  Please remove the duplicate profiles and try again."}]}
  • A feeling at this point: would be super nice to have some docs explaining the expo <> apple <> certs relationship. The docs don’t explain when you’d need to upload your own certs, or what to do if I get into a tricky situation like this (revoke certs?).

  • Now looking through making a p12 file, the article linked in the expo docs if you’re going to manually handle certs.

Update, like @kraegpoeth, I just manually handled the certs and that let me load/deliver my application.

My process, as someone who already had his app on the app store and ran into this issue.

  • Revoke any vestigial certificates / ones you don’t think are in actual use in All Certificates. I had some certificates I suspected were from my failed exp build:ios -c’s that I revoked.
  • Click (+) on the All Certificates page and create a new “App Store and Ad Hoc” certificate. It’ll ask you to make a .certSigningRequest file:
    – Open Keychain Access on your Mac and in the toolbar go to Keychain Access > Certificate Assistant > Request a Certificate From a Certificate Authority.
    – Enter your email address, give a name like “Raphael Prod App”, request it saved to disk, press continue and save the file.
  • Upload this file to the webpage and Apple will create a .cer file for you. Download this file, double click it to add it to your Keychain. Find it in Keychain Access under “login” in the keychains column and “Keys” in the category column. It’ll have the name you entered before and a little arrow next to it on the left. Expand the arrow and shift click to select the private key as well as the distribution certificate (not the public key). Right click and press export, save it as a .p12 and be sure to add a password. Click continue, and you’ll probably have to enter your mac password twice, once for each file.
  • Now go to the App IDs page, click your app, press edit, and create a new production SSL certificate under Push Notifications. Download this file.
  • This will give you a .cer file, while expo asks for a .p12 file. As before, double click on this file to add it to your keychain, go to Keychain Access, select login/My Certificates and search “push” to find it. Right click it and hit export – for some reason this is really inconsistent and I had to right click several times to get it to say export. As before, give it a password and save it as a .p12.
  • Go to All Provisioning Profiles and click (+). Select App Store, hit continue, choose your app, hit continue, select the certificate you made earlier, hit continue, give it a name, hit continue, download the file, which should have a .mobileprovision extension.
  • You now have all the files you need. Do exp build:ios -c and include your original certificate’s .p12, your push certificate’s .p12, and the .mobileprovision file.
  • You’re done!

Important note: this is the process I went through, which doesn’t necessarily mean it’s the right one. I just found out about exp fetch:ios:certs and that seems relevant though I don’t know how it’d fit into this process. I don’t really know how this affects my existing app, or whether this means I’ll have to continue manually uploading forever or whether expo can handle future builds. I’m still not sure what exp build:ios -c really does. But these steps got me past this associated domains issue :smile:

3 Likes

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.