
Unexpected changes in Entitlements when building IPA

Open dwirandytlvk opened this issue 2 years ago • 12 comments

Hey guys! I'm trying to build an IPA file using Bazel. It works well, but I found a problem related to entitlements. In my entitlements:

<key>keychain-access-groups</key>
<array>
	<string>5JYEAW4GJZ.*</string>
</array>

But the problem is that when I upload the IPA to the App Store and check the entitlement with the key keychain-access-groups, it seems to have a different value. I tried to check it from the terminal:

codesign -d --entitlements :- "MyApp.app"

Then I got this:

<key>keychain-access-groups</key>
<array>
   <string>5JYEAW4GJZ.com.dwirandyh.prodcution</string>
</array>

Here is a code snippet of my ios_application:

ios_app(
    name = "MyAppBundle",
    app_icons = glob([
        "Images.xcassets/AppIcon.appiconset/**",
    ]),
    bundle_id = "com.dwirandyh.production",
    bundle_name = "My Appp",
    entitlements = select({
        "//Config:ios-device": "Entitlements/MyApp.entitlements",
        "//conditions:default": None,
    }),
)

May I know why the wildcard is replaced with my app identifier?

May 22 '23 06:05 dwirandytlvk

Hello! Is it possible that your application identifier specifies the value of 5JYEAW4GJZ.com.dwirandyh.prodcution and so Bazel overrides the value with the one specified in the provisioning profile? We have a test that verifies this exact behavior, so it should work: https://github.com/bazelbuild/rules_apple/blob/2c5e786fbcef8430d48c66c04b249937e4c8bcf2/test/starlark_tests/ios_application_tests.bzl#L288

Which is taken from the provisioning profile value here: https://github.com/bazelbuild/rules_apple/blob/2c5e786fbcef8430d48c66c04b249937e4c8bcf2/test/testdata/provisioning/integration_testing_tvos.mobileprovision#L14

May 22 '23 08:05 BalestraPatrick

Hi @BalestraPatrick, from what I understand, if my provisioning profile is like below

<key>application-identifier</key>
  <string>5JYEAW4GJZ.com.dwirandyh.prodcution</string>

and my entitlements are like below

<key>keychain-access-groups</key>
<array>
	<string>5JYEAW4GJZ.*</string>
</array>

Bazel will override my entitlement with the application-identifier from my provisioning profile?

May 22 '23 08:05 dwirandytlvk

If I remember correctly, that's how it works. See tools/provisioning_profile_tool/provisioning_profile_tool.py.

In all our projects, we use the asterisk version in our entitlements file, as well as our application ID registered in the Apple portal and it seems to work just fine.

May 22 '23 08:05 BalestraPatrick

May I know if it is possible to not override my entitlements?

May 22 '23 09:05 dwirandytlvk

Have you checked what the value is in your IPA built with Xcode?

May 22 '23 09:05 BalestraPatrick

I have checked the value in my IPA that was built with BUCK (the old build system that we used before); it seems my entitlement is still using the wildcard:

<key>keychain-access-groups</key>
<array>
	<string>5JYEAW4GJZ.*</string>
</array>

May 22 '23 09:05 dwirandytlvk

If you run security cms -D -i /path/to/your/app.mobileprovision, what's the value of keychain-access-groups?

May 22 '23 11:05 BalestraPatrick

Hi @BalestraPatrick

Here is the result for my .mobileprovision file; it seems my keychain-access-groups is using a wildcard 🤔

<key>keychain-access-groups</key>
<array>
    <string>5JYEAW4GJZ.*</string>
    <string>com.apple.token</string>
</array>

May 23 '23 06:05 dwirandytlvk

Is it possible that your select statement isn't set up correctly, and is falling back to not using the entitlements?

entitlements = select({
        "//Config:ios-device": "Entitlements/MyApp.entitlements",
        "//conditions:default": None,
}),

Make sure that //Config:ios-device is enabled for our distribution builds, otherwise that could explain where that value for keychain-access-groups comes from.

May 23 '23 08:05 BalestraPatrick

@BalestraPatrick yeah, I have tried removing the select in that entitlements configuration, but I still cannot get a keychain-access-groups that uses the wildcard.

Btw, in my provisioning profile my application-identifier is 5JYEAW4GJZ.com.dwirandyh.prodcution

May 23 '23 10:05 dwirandytlvk

In my provisioning profile, I cannot change the application-identifier into a wildcard, since when I create a wildcard identifier the capabilities that I need in my application are disabled, e.g. App Attest, App Groups, Associated Domains.

May 24 '23 07:05 dwirandytlvk

It seems rules_apple forces replacing * with the bundle ID, since when I tried changing my entitlement to 5JYEAW4GJZ.** I got this error:

ERROR: Target "@//MyApp:MyAppBundle" uses entitlements "keychain-access-groups" value of "5JYEAW4GJZ.com.dwirandyh.prodcution*", but wildcards are not expected

I'm wondering how to tell Bazel not to do this, since I want to keep using 5JYEAW4GJZ.* in the keychain-access-groups entitlement.

May 24 '23 11:05 dwirandytlvk
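An added example (not part of the thread and not rules_apple code): a Python check that compares `keychain-access-groups` across the source entitlements, the signed app and the decoded provisioning profile, run here on constructed plists carrying the values quoted above. The names `covers` and `audit` and the report keys are assumptions made for illustration.

```python
import plistlib

KEY = "keychain-access-groups"
TEAM, APP_ID = "5JYEAW4GJZ", "5JYEAW4GJZ.com.dwirandyh.prodcution"

# Constructed samples carrying the values quoted in the thread. In practice
# these bytes are the entitlements file, the `codesign -d --entitlements :-`
# output, and the `security cms -D -i` output.
SOURCE = plistlib.dumps({KEY: [TEAM + ".*"]})
SIGNED = plistlib.dumps({KEY: [APP_ID]})
PROFILE = plistlib.dumps({"Entitlements": {
    "application-identifier": APP_ID,
    KEY: [TEAM + ".*", "com.apple.token"],
}})


def covers(pattern, group):
    """True if `pattern` (optionally ending in '*') matches `group`."""
    if pattern.endswith("*"):
        return group.startswith(pattern[:-1])
    return pattern == group


def audit(source, signed, profile):
    """Compare keychain-access-groups across the three plists."""
    src = plistlib.loads(source).get(KEY, [])
    sig = plistlib.loads(signed).get(KEY, [])
    # A decoded profile nests its grants under the top-level Entitlements dict.
    grants = plistlib.loads(profile).get("Entitlements", {})
    allowed = grants.get(KEY, [])
    report = {"narrowed": [], "dropped": [], "not_in_profile": []}
    for want in src:
        if want in sig:
            continue  # value survived the build unchanged
        concrete = [g for g in sig if covers(want, g)]
        # A wildcard that came out as concrete groups narrows the group set.
        report["narrowed" if concrete else "dropped"].append((want, concrete))
    for got in sig:
        if not any(covers(p, got) for p in allowed):
            report["not_in_profile"].append(got)
    report["signed_is_app_id"] = sig == [grants.get("application-identifier")]
    return report


if __name__ == "__main__":
    for name, value in audit(SOURCE, SIGNED, PROFILE).items():
        print(f"{name}: {value}")
```

Run as a release gate, a non-empty `narrowed` or `dropped` list flags a build whose signed keychain groups no longer match what the entitlements file requested.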