How to Extract and Use iOS Entitlements Files for Signing Secured iOS App

Last updated September 19, 2023 by Appdome

Learn how to extract entitlements files required for signing Appdome’s secured iOS apps.

How to Extract and Use iOS Entitlements Files for Signing Secured iOS App

Signing iOS apps is required before the app can be installed on a mobile device. A valid signature ensures the integrity of an app and stands as proof that the app has not been tampered with. As part of the Appdome signing process of secured iOS apps, the user is required to extract and upload app entitlements files for each executable in the app.

This Knowledge Base article covers how to extract entitlements files for your iOS application.
We hope you find it useful and enjoy using Appdome!

What are iOS app Entitlements Files?

In order to sign an iOS executable, each executable’s capabilities and permissions are defined by its entitlements. The entitlements are part of the signature and are embedded into the executable. If the app does not require an entitlement, the OS will not allow the matching application service at run time. Example entitlements are push notification, App-Groups (allow IPC between applications on the same device), Keychain access groups, iCloud and more.

Here is an example of an entitlements file:
Entitlements Plist

Extracting and Obtaining iOS app entitlements.plist files

An entitlements.plist file is created per each provisioning profile (app executable) produced by Xcode during the application build step.

If your secured app contains any Extensions or Frameworks, multiple entitlements files will be created by Xcode’s build process and are required for the app signature. Each specific entitlements file will be used to sign the matching executable in the secured app for each Extension or Framework.

You will also need to provide the same number of provisioning profiles as part of the signing process.

For example, if your iOS app was built with WatchKit framework, Watch Extension, and Siri Extention, Xcode will create 4 entitlements files (and 4 app executables):

  • Entitlements file for the Main executable (always present for the app)
  • Entitlements file for the Watch App executable (only present if the app was built with this framework/extension)
  • Entitlements file for the Watch Extension executable (only present if the app was built with this framework/extension)
  • Entitlements file for the Siri executable (only present if the app was built with this framework/extension)

Note: Before archiving the entitlements.plist file in Xcode, verify that your environment is set with your distribution/ad-hoc provisioning profile and certificate.

The entitlements.plist file for each app executable will be located under the relevant DerivedSources folder.
For example:

  • Entitlements file for the Main executable – /Users/<username>/Library/Developer/Xcode/DerivedData/<iOS App project name>/Build/Intermediates.noindex/ArchiveIntermediates/<iOS App project name>/IntermediateBuildFilesPath/<iOS App project name>.build/Release-iphoneos/<iOS App project name>.build/DerivedSources/Entitlements.plist
  • Entitlements file for the Watch Extention executable – /Users/<username>/Library/Developer/Xcode/DerivedData/<iOS App project name>/Build/Intermediates.noindex/ArchiveIntermediates/<iOS App project name>/IntermediateBuildFilesPath/<iOS App project name>.build/Release-watchos/<iOS App name>_watchkit Extension.build/DerivedSources/Entitlements.plist
  • Entitlements file for the Watch App executable– /Users/<username>/Library/Developer/Xcode/DerivedData/<iOS App project name>/Build/Intermediates.noindex/ArchiveIntermediates/<iOS App project name>/IntermediateBuildFilesPath/<iOS App project name>.build/Release-watchos/<iOS App name>_watchkit.build/DerivedSources/Entitlements.plist
  • Entitlements file for the Siri executable – /Users/<username>/Library/Developer/Xcode/DerivedData/<iOS App project name>/Build/Intermediates.noindex/ArchiveIntermediates/<iOS App project name>/IntermediateBuildFilesPath/<iOS App project name>.build/Release-iphoneos/<iOS App project name>_siri Extension.build/DerivedSources/Entitlements.plist

Where is the DerivedData Root Folder Located?

  1. Open Xcode
  2. Open your iOS app project in Xcode
  3. Go to the Xcode menu bar: Product > Build. Build your iOS app in Xcode.
  4. Locate the Xcode’s DerivedData folder that holds your iOS app build products. Go to the Xcode menu bar: Xcode > Preferences. Select the “Locations” tab, and click to open the DerivedData folder path:
    1

Important:
To ensure that your entitlements.plist file was not archived in development mode, open this file and verify that the development string does not appear under the aps-environment key.

How to use the Obtained Entitlements.plist Files on Appdome Signing?

When using Appdome GUI:

  • Turn ON “Manual Entitlement Matching” in the Sign Step
  • Upload all entitlements.plist files gathered in the previous step
  • Sign the app on Appdome.

Note: The order in which the entitlement files are uploaded is not important. Appdome will automatically match them to the executables.

Inbox • Liron Appdome Com

When using Appdome API:

  • Add the key and value manual_entitlements_matching: true, to the overrides parameters
  • Send all the obtained entitlements.plist files as an array using API parameter entitlements_files
    (Same way you are sending the provisioning profiles array)

Note: The order in which the entitlement files are uploaded is not important. Appdome will automatically match them to the executables. All other steps in the signing process remain the same (i.e., P12, etc.).

To see examples and use the python API library see appdome-api-python

Congratulations! You have now extracted the entitlements file required for signing your secured iOS application.

Related Articles:

Request a demo at any time.

How Do I Learn More?

If you have any questions, please send them our way at support@appdome.com or via the chat window on the Appdome platform.

To zoom out on this topic, visit the Appdome platform section on our website.

Thank you!

Thanks for visiting Appdome! Our mission is to secure every mobile app on the planet by making mobile app security easy. If you don’t already have an account, you can sign up for free.

Appdome

Want a Demo?

Automated Signing of Secured Mobile Apps

AlanWe're here to help
We'll get back to you in 24 hours to schedule your demo.