How to Extract and Use iOS Entitlements Files for Signing Secured iOS Apps

Last updated November 28, 2022 by Appdome

Signing iOS apps is a prerequisite for installing any app on a mobile iOS device.
A valid signature, which uses an Apple-issued certificate, ensures the integrity of an app and stands as proof that the app comes from a known and approved source and has not been tampered with.
By enforcing mandatory code signing, Apple ensures that no third-party app loads unsigned code resources or uses self-modifying code.

During the Appdome Build process, adapters are added to the app to provide the requested functionality. As a result, the app’s original signature is invalidated, and the app must be re-signed before it can be deployed on mobile devices.

Appdome allows signing an app via the Sign tab, by using any of the following methods:

  • On Appdome

Allows Appdome to take care of the entire signing process. You only need to provide the signing credentials. For details, see topic How to Sign Secured iOS Apps without Xcode.

  • Private Signing

Gives you full responsibility for handling the entire signing process. For details, see topic How to Privately Code Sign Sealed iOS Apps using DevSecOps Build System.

  • Auto-DEV Private Signing

Allows you to sign the app without uploading the signing certificate to Appdome’s cloud service.
Appdome provides you with a script (.sh file), which runs on your trusted environment and signs the app by using your credentials (certificate and password) as input. For details, see topic How to Automate Secure iOS App Code Signing in DevOps CI/CD.

As part of the Appdome signing process for secured iOS apps, when using either Auto-DEV Private Signing or signing On Appdome, you are required to extract and upload a provisioning profile and an entitlements file for each executable in the app. When signing On Appdome, you also need a P12 certificate and its password.

This article provides instructions for extracting the Entitlements and for using them via the Appdome signing process.

What are iOS app Entitlements Files?

In order to sign an iOS executable, you need to define each executable’s capabilities and permissions via the executable’s entitlements.
The entitlements are part of the signature and are embedded into the executable.

If the app does not request an entitlement, the OS will not allow the matching application service at run time. Example entitlements are push notification, App-Groups (allow IPC between applications on the same device), Keychain access groups, and iCloud.

The image below displays an example of an entitlements file, which can be opened and edited by any text editor.

[Image: example of an entitlements file]

Extracting and Obtaining iOS app entitlements.plist files 

An entitlements.plist file is created for each provisioning profile (app executable) produced by Xcode during the application build step.

If your secured app contains any Extensions or Frameworks, multiple entitlements files will be created by Xcode’s build process and are required for the app signature. Each specific entitlements file will be used for signing the matching executable in the secured app for each Extension or Framework.

You will also need to provide the same number of provisioning profiles as part of the signing process.

For example, if your iOS app was built with the WatchKit framework, a Watch Extension, and a Siri Extension, Xcode will create four entitlements files (and four app executables):

  • Entitlements file for the Main executable (always present for the app)
  • Entitlements file for the Watch App executable (only present if the app was built with this framework/extension)
  • Entitlements file for the Watch Extension executable (only present if the app was built with this framework/extension)
  • Entitlements file for the Siri executable (only present if the app was built with this framework/extension)
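To see how many entitlements files and provisioning profiles an app needs, you can list the app and extension bundles inside the IPA. This is an added example, not Appdome code: the function names and the sample IPA are constructed, and it assumes that only .app and .appex bundles carry their own entitlements and provisioning profile.

```python
import io
import plistlib
import re
import zipfile

# Info.plist sitting directly inside an .app or .appex bundle (frameworks are skipped).
BUNDLE_INFO = re.compile(r"^(Payload/.+\.(?:app|appex))/Info\.plist$")


def list_signed_bundles(ipa_bytes: bytes) -> list:
    """Return (bundle path, bundle identifier, executable path) per app/extension bundle."""
    found = []
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as ipa:
        for name in sorted(ipa.namelist()):
            m = BUNDLE_INFO.match(name)
            if not m:
                continue
            info = plistlib.loads(ipa.read(name))
            bundle = m.group(1)
            found.append((bundle, info.get("CFBundleIdentifier", ""),
                          f"{bundle}/{info.get('CFBundleExecutable', '')}"))
    return found


def build_sample_ipa() -> bytes:
    """Constructed IPA skeleton mirroring the four-executable example (placeholder names)."""
    layout = {
        "Payload/MyApp.app": ("com.example.myapp", "MyApp"),
        "Payload/MyApp.app/PlugIns/Siri.appex": ("com.example.myapp.siri", "Siri"),
        "Payload/MyApp.app/Watch/MyWatch.app": ("com.example.myapp.watchkitapp", "MyWatch"),
        "Payload/MyApp.app/Watch/MyWatch.app/PlugIns/MyWatchExt.appex":
            ("com.example.myapp.watchkitapp.ext", "MyWatchExt"),
        # A framework's Info.plist must not be counted.
        "Payload/MyApp.app/Frameworks/Lib.framework": ("com.example.lib", "Lib"),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for bundle, (bid, exe) in layout.items():
            z.writestr(f"{bundle}/Info.plist", plistlib.dumps(
                {"CFBundleIdentifier": bid, "CFBundleExecutable": exe}))
    return buf.getvalue()


if __name__ == "__main__":
    for bundle, bundle_id, exe in list_signed_bundles(build_sample_ipa()):
        print(f"{bundle_id:40} {exe}")
```

Each row printed is one executable that needs a matching entitlements file and provisioning profile.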

Before archiving the entitlements.plist file in Xcode, verify that your environment is set with your distribution/ad-hoc provisioning profile and certificate.

Trying to upload to the store an application that was signed with a development certificate will result in failure.

The entitlements.plist file for each app executable will be located under the relevant Derived Data folder.

For example:

  • Entitlements file for the Main executable

/Users/<username>/Library/Developer/Xcode/DerivedData/<iOS App project name>/Build/Intermediates.noindex/ArchiveIntermediates/<iOS App project name>/IntermediateBuildFilesPath/<iOS App project name>.build/Release-iphoneos/<iOS App project name>.build/DerivedSources/Entitlements.plist

  • Entitlements file for the Watch Extension executable

/Users/<username>/Library/Developer/Xcode/DerivedData/<iOS App project name>/Build/Intermediates.noindex/ArchiveIntermediates/<iOS App project name>/IntermediateBuildFilesPath/<iOS App project name>.build/Release-watchos/<iOS App name>_watchkit Extension.build/DerivedSources/Entitlements.plist

  • Entitlements file for the Watch App executable

/Users/<username>/Library/Developer/Xcode/DerivedData/<iOS App project name>/Build/Intermediates.noindex/ArchiveIntermediates/<iOS App project name>/IntermediateBuildFilesPath/<iOS App project name>.build/Release-watchos/<iOS App name>_watchkit.build/DerivedSources/Entitlements.plist

  • Entitlements file for the Siri executable

/Users/<username>/Library/Developer/Xcode/DerivedData/<iOS App project name>/Build/Intermediates.noindex/ArchiveIntermediates/<iOS App project name>/IntermediateBuildFilesPath/<iOS App project name>.build/Release-iphoneos/<iOS App project name>_siri Extension.build/DerivedSources/Entitlements.plist

To open the DerivedData Root Folder:

  1. Open Xcode.
  2. Open your iOS app project in Xcode.
  3. Go to the Xcode menu bar: Product>
  4. Build your iOS app in Xcode.
  5. Locate the Xcode’s DerivedData folder that holds your iOS app build products:
    1. Go to the Xcode menu bar: Xcode > Preferences.
    2. Select the Locations tab and click to open the DerivedData folder path
      This directory contains all your generated entitlements files.

How to use the Obtained Entitlements.plist Files on Appdome’s Signing?

Note:

Regardless of the method used (GUI/API), the order in which the entitlement files are uploaded is not important. Appdome will automatically match them to the executables.

When using Appdome GUI:

  1. Turn ON Manual Entitlement Matching in the Sign Step.
  2. Upload all entitlements.plist files gathered as mentioned above.
  3. Sign the app on Appdome.

When using Appdome API:

  1. Add the key and value manual_entitlements_matching: true, to the override parameters
  2. Send all the previously obtained entitlements.plist files as an array using API parameter entitlements_files, by using the same method used for sending the provisioning profiles array.

To see examples and use the python API library, see appdome-api-python

Congratulations! You have now extracted the entitlements file required for signing your secured iOS application.

FAQ

How do I extract the target bundle identifier from an entitlements file?

  1. Open your entitlements.plist file in a text editor.
  2. Look for the application-identifier key.
    The value for this key is a prefix with the team identifier used when generating this target, followed by the target bundle identifier.

How do I extract the team identifier from an entitlements file?

  1. Open your entitlements.plist file in a text editor.
  2. Look for the com.apple.developer.team-identifier key.
    The value for this key is your team identifier.

How do I check if my entitlements are development?

  1. Open your entitlements.plist file in a text editor.
  2. Check whether the value of the get-task-allow key is true.
    If so, the entitlements were extracted when archiving for development.

How do I extract entitlements from executable?

The best way to do it is by using Apple’s codesign tool (only possible on Mac machines):

  1. Open your ipa file by using unzip.
  2. Open the Payload folder.
  3. Left-click on your package name and click show package content.
  4. Locate your executable file.
  5. Run in your terminal app:
 codesign -d --entitlements - --xml <exe_path>

Note: the --xml switch will not work on macOS versions older than Monterey.

What is the use of the beta-reports-active key in entitlements files?
The beta-reports-active key allows you to test your application by using iTunes Connect (TestFlight).
If you wish to test your application by using this technique, make sure you sign your application with this key set to True.
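The FAQ checks above (bundle identifier, team identifier, development entitlements, beta-reports-active) can be run in one pass instead of reading each file in a text editor. This is an added example, not Appdome code: the function name is hypothetical and the sample plist, with its placeholder team ID and bundle ID, is constructed.

```python
import plistlib
import sys

# Constructed sample entitlements file; the team ID and bundle ID are placeholders.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>ABCDE12345.com.example.myapp</string>
    <key>com.apple.developer.team-identifier</key>
    <string>ABCDE12345</string>
    <key>get-task-allow</key>
    <false/>
    <key>beta-reports-active</key>
    <true/>
</dict>
</plist>
"""


def inspect_entitlements(data: bytes) -> dict:
    """Report the FAQ's fields for one entitlements.plist (hypothetical helper)."""
    ent = plistlib.loads(data)
    app_id = ent.get("application-identifier", "")
    team_id = ent.get("com.apple.developer.team-identifier", "")
    # application-identifier is "<prefix>.<bundle identifier>": split at the first dot.
    prefix, _, bundle_id = app_id.partition(".")
    development = ent.get("get-task-allow") is True
    warnings = []
    if not app_id or not team_id:
        warnings.append("application-identifier or team identifier is missing")
    elif prefix != team_id:
        # Worth a manual look rather than a hard failure.
        warnings.append(f"prefix {prefix} differs from team identifier {team_id}")
    if development:
        warnings.append("get-task-allow is true: development entitlements")
    return {"team_id": team_id, "bundle_id": bundle_id, "development": development,
            "testflight": ent.get("beta-reports-active") is True, "warnings": warnings}


if __name__ == "__main__":
    # Usage: python check_entitlements.py Entitlements.plist [more.plist ...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, inspect_entitlements(fh.read()))
    if len(sys.argv) == 1:
        print("sample", inspect_entitlements(SAMPLE))
```

Run it over every entitlements.plist collected from DerivedData before uploading; any file reported with development set to true was extracted from a development archive.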

What is the difference between the Entitlements section in my provisioning profile file and the entitlements used for signing my application?
The entitlements used for signing your application, and that are being saved in the derived data folder by Xcode, are the entitlements that your application is using.
The entitlements section that the provisioning profile file contains are the entitlements you declared for your application in your Apple developer account when generating your provisioning profile.

For Further Details:

You can Request a demo at any time.

If you have any questions, you are welcome to contact us at support@appdome.com or via the chat window on the Appdome platform.
