Xcode 14 beta code signing issues when SPM targets include resources

bartosz-treeline · September 15, 2022, 2:16pm

Any updates on the issue? How this can be solved?
I am using SPM and I am receiving similar errors. What I've noticed is that those errors come from packages/local packages that have Resources - basically Xcode14/SPM tries to codesign resource package bundles, but this is not supported.

I am distributing the app through fastlane and am not able to resolve the issue. What I've tried already:

use automatic signing on CI side
use manual signing on CI side & pass code signing related env vars via build_app xcargs / codesigning_identity arguments

honkmaster · September 15, 2022, 3:53pm

I submitted a TSI to Apple after closing of the feedback.
The answer was, that when passing PROVISIONING_PROFILE_SPECIFIER or PROVISIONING_PROFILE to xcodebuild, that setting is applied every target that subsequently built for Xcode 14 (as known...). The suggested approach was to set these vars not via xcodebuild, but instead setting them to each target individually. This led us to our solution:

We set the PROVISIONING_PROFILE_SPECIFIER etc. to custom vars, here MY_ PROVISIONING_PROFILE_SPECIFIER in build settings. Then we passed them via args. These are the corresponding lines from our Azure Devobs job.

    - task: InstallAppleCertificate@2
      displayName: 'Install Apple Certificates'
      inputs:
        certSecureFile: ${{ parameters.ADHOC_CERTIFICATE }}
        certPwd:  ${{ parameters.ADHOC_CERTIFICATE_PASSWORD }}
        keychain: 'temp'

    - task: InstallAppleProvisioningProfile@1
      displayName: 'Install Apple Provisioning Profile'
      inputs:
        provisioningProfileLocation: 'secureFiles'
        provProfileSecureFile: ${{ parameters.ADHOC_PROVISIONING_PROFILE }}

    - task: Bash@3
      displayName: 'Build exportOptions.plist file'
      inputs:
        targetType: 'inline'
        script: |
          /usr/libexec/PlistBuddy -c "Add :method string ad-hoc" $(system.defaultworkingdirectory)/export.plist
          /usr/libexec/PlistBuddy -c "Add :provisioningProfiles dict" $(system.defaultworkingdirectory)/export.plist
          /usr/libexec/PlistBuddy -c "Add :provisioningProfiles:${{ parameters.ADHOC_BUNDLE_ID }} string $(APPLE_PROV_PROFILE_UUID)" $(system.defaultworkingdirectory)/export.plist
          /usr/libexec/PlistBuddy -c "Add :signingCertificate string $(APPLE_CERTIFICATE_SIGNING_IDENTITY)" $(system.defaultworkingdirectory)/export.plist
          /usr/libexec/PlistBuddy -c "Add :signingStyle string manual" $(system.defaultworkingdirectory)/export.plist
          /usr/libexec/PlistBuddy -c "Add :teamID string ${{ parameters.ADHOC_TEAM_ID }}" $(system.defaultworkingdirectory)/export.plist

...

    - task: Xcode@5
      displayName: 'Build and Archive'
      inputs:
        # Currently, Xcode 13 is the default. Therefore, the version needs to be changed to Xcode 14.
        xcodeVersion: 'specifyPath'
        xcodeDeveloperDir: '/Applications/Xcode_14.0.app'
        # By default, 'packageApp: true' will already build and archive the app so don't do anything here.
        # https://developercommunity.visualstudio.com/content/problem/1222720/why-is-xcode-ado-task-building-our-ios-project-twi.html
        actions: 'clean'
        scheme: ${{ parameters.SCHEME }}
        sdk: ${{ parameters.SDK }}
        configuration: 'Release'
        xcWorkspacePath: '**/*.xcodeproj/project.xcworkspace'
        signingOption: 'default'
        packageApp: true
        archivePath: '$(system.defaultworkingdirectory)/build/${{ parameters.SCHEME }}.xcarchive'
        exportPath: '$(system.defaultworkingdirectory)/build'
        # At this point we deliberately do not use the parameters signingIdentity and provisioningProfileUuid. 
        # When we do use them, they are applied to the app and all Swift packages in the app (new since Xcode 14). However, these often do not support signing. 
        # The parameters passed here are only applied to the app itself (see build setting and project.yml).
        args: '-destination generic/platform=iOS -verbose MY_PROVISIONING_PROFILE_SPECIFIER=$(APPLE_PROV_PROFILE_UUID) MY_CODE_SIGN_IDENTITY="$(APPLE_CERTIFICATE_SIGNING_IDENTITY)" MY_DEVELOPMENT_TEAM=${{ parameters.ADHOC_TEAM_ID }}'
        exportOptions: 'plist'
        exportOptionsPlist: '$(system.defaultworkingdirectory)/export.plist'

bartosz-treeline · September 16, 2022, 8:18am

Thanks @honkmaster !
Your response was super helpful! It helped me understand how xcodebuild works right now with the new Xcode14. I came up with a little different solution. Let me explain.

The issue with new Xcode14

The fastlane's build_app lane was configured in a way so it was taking the xcconfig file as a parameter.
The environment variables from xcconfig file were passed to the xcodebuild command that was invoked under the hood when the build_app lane was run.

Starting from Xcode14 when codesigning env variables (e.g. PROVISIONING_PROFILE_SPECIFIER, CODE_SIGN_IDENTITY) are passed as parameters to xcodebuild, that setting is applied to every target (even the target from SPM package) and this results in codesigning failure as not every SPM target supports codesigning.

Solution

The solution is to configure codesigning only for the app target. This can be done in Build Settings.
On the target level, we can assign codesigning related parameters:

PROVISIONING_PROFILE_SPECIFIER
CODE_SIGN_IDENTITY
CODE_SIGN_STYLE
DEVELOPMENT_TEAM
Those parameters are taken from the xcconfig file, so from now xcconfig file will be only used for the target configuration.

On a fastlane side, we were previously passing xcconfig file as a parameter to build_app lane. This resulted in passing all the env vars that were inside xcconfig to the xcodebuild script. With that setting, xcodebuild was taking the codesign related env vars and it was applying those env vars to every target (not only the main app target) - we do not want such behaviour.
By getting rid of passing xcconfig, the xcodebuild applies codesigning parameters to only the app target and the app builds successfully.

jay.py · September 16, 2022, 9:24am

So one needs to pass xconfig file to xcodebuild in order to sign the target only?

bartosz-treeline · September 16, 2022, 9:54am

The xcodebuild applies codesigning parameters to only the app target, because those parameters are only defined for that particular target in Build Settings. Like this:

I am not passing xcconfig to xcodebuild currently.

jay.py · September 16, 2022, 3:18pm

Thank you all for your contribution. I managed to solve my Xcode14.0 issue with azure's pipeline.

So here is what I did:

I created the export plist file.
I used 'default' for signing option in xcodebuild; the target's build settings are set to auto.
I passed "CODE_SIGNING_REQUIRED=Yes CODE_SIGNING_ALLOWED=No" as argument to xcodebuild.
profit!

To my understanding, in this way xcodebuild will skip signing the binaries when archiving, and then it will use the plist to sign the .ipa when exporting the archive.

Here's how the .yml looks like for exporting the archive:

- task: Bash@3
  displayName: 'Build export.plist file'
  inputs:
    targetType: 'inline'
    script:
      /usr/libexec/PlistBuddy -c "Add :method string app-store" $(Pipeline.Workspace)/export.plist &&
      /usr/libexec/PlistBuddy -c "Add :provisioningProfiles dict" $(Pipeline.Workspace)/export.plist &&
      /usr/libexec/PlistBuddy -c "Add :provisioningProfiles:$(appIdentifier) string $(APPLE_PROV_PROFILE_UUID)" $(Pipeline.Workspace)/export.plist &&
      /usr/libexec/PlistBuddy -c "Add :signingCertificate string $(APPLE_CERTIFICATE_SIGNING_IDENTITY)" $(Pipeline.Workspace)/export.plist &&
      /usr/libexec/PlistBuddy -c "Add :signingStyle string manual" $(Pipeline.Workspace)/export.plist &&
      /usr/libexec/PlistBuddy -c "Add :teamID string $(teamId)" $(Pipeline.Workspace)/export.plist &&
      /usr/libexec/PlistBuddy -c "Add :iCloudContainerEnvironment string Production" $(Pipeline.Workspace)/export.plist &&
      /usr/libexec/PlistBuddy -c "Add :stripSwiftSymbols bool true" $(Pipeline.Workspace)/export.plist &&
      /usr/libexec/PlistBuddy -c "Add :compileBitcode bool false" $(Pipeline.Workspace)/export.plist

- task: Xcode@5
  inputs:
    actions: 'clean'
    configuration: '$(configuration)'
    sdk: '$(sdk)'
    scheme: '$(scheme)'
    xcodeVersion: '14'
    signingOption: 'default'
    packageApp: true
    archivePath: '$(Pipeline.Workspace)/build/$(scheme).xcarchive'
    exportPath: '$(Build.ArtifactStagingDirectory)'
    exportOptions: 'plist'
    exportOptionsPlist: '$(Pipeline.Workspace)/export.plist'
    args: '-destination generic/platform=iOS -verbose CODE_SIGNING_REQUIRED=Yes CODE_SIGNING_ALLOWED=No'

ManojS · September 21, 2022, 7:50am

The above solution worked for us also.

igashev · September 21, 2022, 10:42am

Thanks for your help! This fixed our issue as well. This is our working .yml file in azure devops.

steps:
- task: CmdLine@2
  inputs:
    script: |
      mkdir '$(build.artifactStagingDirectory)/Archive' && cd "$_"

      /usr/libexec/PlistBuddy -c "Clear dict" $(XCODE_EXPORT_OPTIONS_PLIST_FILE_NAME)
      /usr/libexec/PlistBuddy -c "Add method string $(METHOD)" $(XCODE_EXPORT_OPTIONS_PLIST_FILE_NAME)
      /usr/libexec/PlistBuddy -c "Add signingStyle string manual" $(XCODE_EXPORT_OPTIONS_PLIST_FILE_NAME)
      /usr/libexec/PlistBuddy -c "Add signingCertificate string $(CODE_SIGN_IDENTITY)" $(XCODE_EXPORT_OPTIONS_PLIST_FILE_NAME)
      /usr/libexec/PlistBuddy -c "Add provisioningProfiles dict" $(XCODE_EXPORT_OPTIONS_PLIST_FILE_NAME)
      /usr/libexec/PlistBuddy -c "Add provisioningProfiles:$(APP_BUNDLE_ID) string $(APP_PROVISIONING_ID)" $(XCODE_EXPORT_OPTIONS_PLIST_FILE_NAME)
      /usr/libexec/PlistBuddy -c "Add teamID string $(TEAM_ID)" $(XCODE_EXPORT_OPTIONS_PLIST_FILE_NAME)
      /usr/libexec/PlistBuddy -x -c "Print" $(XCODE_EXPORT_OPTIONS_PLIST_FILE_NAME)
  displayName: 'Generate export options'

- task: Xcode@5
  displayName: 'Xcode Clean Archive $(SCHEME)'
  inputs:
    actions: 'clean archive'
    sdk: 'iphoneos'
    configuration: $(CONFIGURATION)
    xcWorkspacePath: 'Product.xcworkspace'
    scheme: $(SCHEME)
    packageApp: true
    archivePath: '$(build.artifactStagingDirectory)/Archive/Product.xcarchive'
    exportOptions: plist
    exportOptionsPlist: '$(build.artifactStagingDirectory)/Archive/$(XCODE_EXPORT_OPTIONS_PLIST_FILE_NAME)'
    xcodeVersion: 'specifyPath'
    xcodeDeveloperDir: '/Applications/Xcode_14.0.app'
    useXcpretty: true
    xcprettyArgs: '--color'

jay.py · September 21, 2022, 12:14pm

Update: My previous code snippet did work for archiving, signing and exporting the .ipa to TestFlight. However, since our project uses some Apple services .i.e. push notification, associated domains ... etc, the entitlements were not signed when exporting the .ipa. So we received a warning email from Apple stating that the binary was registered for such services but was missing entitlements in the code signature!
The work around I did to fix the entitlements issue, was to archive the project in the same previous way, then sign the app with the required entitlements, and eventually export to an .ipa.
So my final .yml file looks like this:

# install certificate, provisioning profile, and create the export plist
# ...

# Build the archive
- task: Xcode@5
  displayName: 'Xcode archive'
  inputs:
    actions: 'archive'
    configuration: '$(configuration)'
    sdk: '$(sdk)'
    scheme: '$(scheme)'
    xcodeVersion: '14'
    signingOption: 'default'
    packageApp: false
    useXcpretty: false
    args: '-destination generic/platform=iOS -archivePath $(Pipeline.Workspace)/$(scheme).xcarchive -verbose CODE_SIGNING_REQUIRED=Yes CODE_SIGNING_ALLOWED=No'


# Sign the binaries with projects entitlements
- task: Bash@3
  displayName: 'Code signing'
  inputs:
    targetType: 'inline'
    script:
      codesign --entitlements $(Build.Repository.LocalPath)/$(entitlement) -f -s "$(APPLE_CERTIFICATE_SIGNING_IDENTITY)" $(Pipeline.Workspace)/$(scheme).xcarchive/$(app-path)


# Export an ipa from the signed archive
- task: Bash@3
  displayName: 'Xcode export'
  inputs:
    targetType: 'inline'
    script:
      /usr/bin/xcodebuild -exportArchive -archivePath $(Pipeline.Workspace)/$(scheme).xcarchive -exportPath $(Build.ArtifactStagingDirectory) -exportOptionsPlist $(Pipeline.Workspace)/$(export-options)

PS the app-path points to the MyApp.app inside the archive, and entitlement points to the entitlements file in the repo

jfredsilva · September 22, 2022, 2:47pm

I was able to fix this issue on fastlane by adding skip_codesigning: true on gym

jfredsilva · September 29, 2022, 4:32pm

Adding skip_codesigning: true didn't actually fix the issue.
Entitlments and watch app would not be correctly signed.

What really solved the issue was adding xcargs: "CODE_SIGN_STYLE=Manual DEVELOPMENT_TEAM=#{options[:teamid]}"

417-72KI · October 3, 2022, 4:54am

This issue still alives on Xcode 14.0.1, and seems to be solved on fastlane with adding xcargs "CODE_SIGN_STYLE=Manual" to Gymfile.

Michael_Brown · October 8, 2022, 1:17pm

Thanks! That solved the issues for us.

MartinMajewski · November 8, 2022, 5:24pm

Have you somehow disabled the archiving in a previous Xcode task, or are you not running any "clean", or "build" tasks? Is the action "archive" enough?

I'm asking, because your current version of the Xcode task looks so different from the previous one.

jay.py · November 8, 2022, 7:40pm

In the initial xcode Task, I used 'packageApp' that will run the ´archive´ mode. But later I figured that I still needed to sign the .ipa with the entitlements. Hence I only needed to archive with extra arguments.

Ideally, one should have a build pipeline that will run a clean-build and test the code, then such pipeline to deploy the .ipa after it's verified.

maximkrouk · November 18, 2022, 11:16am

We use fastlane match for signing, so the project should be signed manually by default, so CODE_SIGN_STYLE=Manual DEVELOPMENT_TEAM=<TEAM_ID> didn't help.

The project is archived successfully on the local machine, but fails to be archived on GitHub actions....

UPD:
Finally fixed the issue by disabling automatic signing for Pods.xcodeproj targets (it was enabled by cocoapods generation for xcframeworks)
Here you can find my post_install Podfile section

github.com/fastlane/fastlane

`update_code_signing_settings` error `Seems to be a very old project file format - please open your project file in a more recent version of Xcode`

opened 11:10AM - 22 Nov 22 UTC

maximkrouk

### New Issue Checklist - [x] Updated fastlane to the latest version - [x] I… read the [Contribution Guidelines](https://github.com/fastlane/fastlane/blob/master/CONTRIBUTING.md) - [x] I read [docs.fastlane.tools](https://docs.fastlane.tools) - [x] I searched for [existing GitHub issues](https://github.com/fastlane/fastlane/issues) ### Issue Description I'm getting [this issue (#17520)](https://github.com/fastlane/fastlane/issues/17520), but with a `Pods.xcodeproj` >`Seems to be a very old project file format - please open your project file in a more recent version of Xcode` Related to https://github.com/fastlane/fastlane/issues/20815 (this issue has a warning in title, I found out that a few pods have automatic signing enabled and that causes a signing error which is muted by `xcpretty`) ##### Command executed ```ruby update_code_signing_settings( use_automatic_signing: false, path: "Pods/Pods.xcodeproj" ) ``` ##### Complete output when running fastlane, including the stack trace and command used  <details> <pre> [REPLACE THIS WITH YOUR INFORMATION] </pre> </details> ### Environment swift-driver version: 1.62.15 <details><summary>✅ fastlane environment ✅</summary> ### Stack | Key | Value | | --------------------------- | -------------------------------------------------- | | OS | 12.5 | | Ruby | 3.1.2 | | Bundler? | true | | Git | git version 2.37.1 (Apple Git-137.1) | | Installation Source | ~/.gem/ruby/3.1.2/bin/fastlane | | Host | macOS 12.5 (21G72) | | Ruby Lib Dir | /opt/homebrew/Cellar/ruby/3.1.2_1/lib | | OpenSSL Version | OpenSSL 1.1.1s 1 Nov 2022 | | Is contained | false | | Is homebrew | false | | Is installed via Fabric.app | false | | Xcode Path | /Applications/Xcode-14.1.0.app/Contents/Developer/ | | Xcode Version | 14.1 | | Swift Version | 5.7.1 | ### System Locale | Variable | Value | | | -------- | ----------- | - | | LANG | | | | LC_ALL | en_US.UTF-8 | ✅ | | LANGUAGE | | | ### fastlane files: <details><summary>`./fastlane/Fastfile`</summary> ```ruby default_platform(:ios) # Builds lane :just_archive_ad_hoc do # match was called manually cocoapods update_code_signing_settings( use_automatic_signing: false, path: "Pods/Pods.xcodeproj" ) gym( scheme: ..., configuration: 'AdHoc', export_method: 'ad-hoc', export_options: { uploadBitcode: false, uploadSymbols: true, compileBitcode: false } ) end lane :setup do create_keychain( name: "actions_keychain", password: ..., default_keychain: true, unlock: true, timeout: 3600, lock_when_sleeps: false ) end ``` </details> <details><summary>`./fastlane/Appfile`</summary> ```ruby app_identifier(...) apple_id(...) itc_team_id(...) team_id(...) ``` </details> ### fastlane gems | Gem | Version | Update-Status | | -------- | ------- | ------------- | | fastlane | 2.211.0 | ✅ Up-To-Date | ### Loaded fastlane plugins: | Plugin | Version | Update-Status | | ----------------------------------------- | ------- | ------------- | | fastlane-plugin-firebase_app_distribution | 0.3.7 | ✅ Up-To-Date | | fastlane-plugin-json | 1.1.0 | ✅ Up-To-Date | <details><summary><b>Loaded gems</b></summary> | Gem | Version | | ----------------------------------------- | ------------ | | error_highlight | 0.3.0 | | did_you_mean | 1.6.1 | | bundler | 2.3.26 | | pathname | 0.2.0 | | rake | 13.0.6 | | rexml | 3.2.5 | | CFPropertyList | 3.0.5 | | concurrent-ruby | 1.1.10 | | i18n | 1.12.0 | | minitest | 5.16.3 | | tzinfo | 2.0.5 | | zeitwerk | 2.6.6 | | activesupport | 6.1.7 | | public_suffix | 4.0.7 | | addressable | 2.8.1 | | httpclient | 2.8.3 | | json | 2.6.2 | | algoliasearch | 1.27.5 | | artifactory | 3.0.15 | | atomos | 0.1.3 | | aws-eventstream | 1.2.0 | | aws-partitions | 1.664.0 | | aws-sigv4 | 1.5.2 | | jmespath | 1.6.1 | | aws-sdk-core | 3.168.1 | | aws-sdk-kms | 1.59.0 | | aws-sdk-s3 | 1.117.1 | | babosa | 1.0.4 | | claide | 1.1.0 | | fuzzy_match | 2.0.4 | | nap | 1.1.0 | | netrc | 0.11.0 | | ffi | 1.15.5 | | ethon | 0.16.0 | | typhoeus | 1.4.0 | | cocoapods-core | 1.11.3 | | cocoapods-deintegrate | 1.0.5 | | cocoapods-downloader | 1.6.3 | | cocoapods-plugins | 1.0.0 | | cocoapods-search | 1.0.1 | | cocoapods-trunk | 1.6.0 | | cocoapods-try | 1.2.0 | | colored2 | 3.1.2 | | escape | 0.0.4 | | fourflusher | 2.3.1 | | gh_inspector | 1.1.3 | | molinillo | 0.8.0 | | ruby-macho | 2.5.1 | | nanaimo | 0.3.0 | | xcodeproj | 1.22.0 | | cocoapods | 1.11.3 | | cocoapods-patch | 1.0.2 | | colored | 1.2 | | highline | 2.0.3 | | commander | 4.6.0 | | declarative | 0.0.20 | | digest-crc | 0.6.4 | | unf_ext | 0.0.8.2 | | unf | 0.1.4 | | domain_name | 0.5.20190701 | | dotenv | 2.8.1 | | emoji_regex | 3.2.3 | | excon | 0.94.0 | | faraday-em_http | 1.0.0 | | faraday-em_synchrony | 1.0.0 | | faraday-excon | 1.1.0 | | faraday-httpclient | 1.0.1 | | multipart-post | 2.0.0 | | faraday-multipart | 1.0.4 | | faraday-net_http | 1.0.1 | | faraday-net_http_persistent | 1.2.0 | | faraday-patron | 1.0.0 | | faraday-rack | 1.0.0 | | faraday-retry | 1.0.3 | | ruby2_keywords | 0.0.5 | | faraday | 1.10.2 | | http-cookie | 1.0.5 | | faraday-cookie_jar | 0.0.7 | | faraday_middleware | 1.2.0 | | fastimage | 2.2.6 | | jwt | 2.5.0 | | memoist | 0.16.2 | | multi_json | 1.15.0 | | os | 1.1.4 | | signet | 0.17.0 | | googleauth | 1.3.0 | | mini_mime | 1.1.2 | | trailblazer-option | 0.1.2 | | uber | 0.1.0 | | representable | 3.2.0 | | retriable | 3.1.2 | | webrick | 1.7.0 | | google-apis-core | 0.9.1 | | google-apis-androidpublisher_v3 | 0.31.0 | | google-apis-playcustomapp_v1 | 0.12.0 | | google-apis-iamcredentials_v1 | 0.16.0 | | google-apis-storage_v1 | 0.19.0 | | google-cloud-env | 1.6.0 | | google-cloud-errors | 1.3.0 | | google-cloud-core | 1.6.0 | | google-cloud-storage | 1.44.0 | | mini_magick | 4.11.0 | | naturally | 2.2.1 | | optparse | 0.1.1 | | plist | 3.6.0 | | rubyzip | 2.3.2 | | security | 0.1.3 | | simctl | 1.6.8 | | terminal-notifier | 2.0.0 | | unicode-display_width | 1.8.0 | | terminal-table | 1.8.0 | | tty-screen | 0.8.1 | | tty-cursor | 0.7.1 | | tty-spinner | 0.9.3 | | word_wrap | 1.0.0 | | rouge | 2.0.7 | | xcpretty | 0.3.0 | | xcpretty-travis-formatter | 1.0.1 | | fastlane-plugin-firebase_app_distribution | 0.3.7 | | fastlane-plugin-json | 1.1.0 | </details> *generated on:* **2022-11-22** </details>

miibpa · December 14, 2022, 3:48pm

Is this still happening on Xcode 14.2?

miibpa · December 26, 2022, 12:09pm

Confirmed, that this is still happening on Xcode 14.2

david-var · January 3, 2023, 10:03pm

+1 still facing the same issue with Xcode 14.2.
issue with fastlane gym with SPM, passing arguments didn't worked for us.
still the same issue.
codesigning_identity: "", xcargs: "CODE_SIGN_STYLE=Manual DEVELOPMENT_TEAM="
Any other workarounds?

yehorchernenko · January 7, 2023, 8:35pm

Xcode 14.1 (14B47b)
Any arguments helps
I have an iOS app target that embed 3 frameworks + widget target that is also embed those 3 frameworks.

I also tried to add predefined ExportOptions.plist but it doesn't help in any wait it ends up with following export options

{
"provisioningProfiles": {
   "com.***": "match AppStore com.***",
   "com.***.Widget": "match AppStore "com.***.Widget",
   "com.***.WebAPI": "match AppStore com.***.Widget",
   "com.***.SharedUI": "match AppStore com.***.Widget",
   "com.***.Core": "match AppStore com.***.Widget"
},
"method": "app-store",
"signingStyle": "manual"
}