How can I add extra entitlements to an iOS build?

[sidiabale]

Hi,

How can I add extra entitlements to my app? The problem is that the entitlements in my app do not match those specified in the provisioning file. 

The relevant part of the provisioning file is as follows (this is the same profile that I use when sending the build to the buildserver):

<dict>

    <key>keychain-access-groups</key>

    <array>

        <string>XXX.*</string>

    </array>

    <key>get-task-allow</key>

    <true/>

    <key>application-identifier</key>

    <string>XXX.com.abc.TestApp</string>

    <key>com.apple.developer.team-identifier</key>

    <string>XXX</string>

    <key>aps-environment</key>

    <string>development</string>

</dict>

However, when I check the entitlements in the resulting iOS, they are different. In particular, the highlighted key-value pairs above are missing as evidenced by querying the entitlements on the resulting app (after unzipping it)

$ codesign -d --entitlements - Payload/Main.app

Executable=/Users/me/Documents/Payload/Main.app/Main

??qq?<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

   <dict>

       <key>application-identifier</key>

       <string>XXX.com.abc.TestApp</string>

       <key>keychain-access-groups</key>

       <array>

           <string>XXX.com.abc.TestApp</string>

       </array>

       <key>get-task-allow</key>

       <true/>

   </dict>

</plist>

I tried using the 'ios.plistInject' build hint to include the missing key-value pairs but it didn't work. How can I inject these extra entitlements?

I found the following question which is similar to the problem I'm facing: https://groups.google.com/d/topic/codenameone-discussions/iaDiqFa7I-c/discussion The solution proposed there was to define ios.includePush = true which is not an option in my case because I don't have a pro account. Moreover, I don't need any push notification services from codenameone (I'm currently experimenting with a third-party push service). All I need is to have the entitlements set correctly. 

Perhaps some more context is useful: I'm currently investigating the options to integrate push notifications from Parse. When I run the resulting app, push notification registration fails with the error: “no valid 'aps-environment' entitlement string found for application”. I have confirmed that this is not due to a problem in my configuration. In fact, when I manually resign the executable built by CN1 and provide an Entitlement.plist with the aps-environment key, everything works fine and I can register for and receive push notifications. However, resigning the ipa each time is tideous and obviously requires a Mac so I'm hoping that it's possible to include this step in the build even when ios.includePush = false.

I hope the question is clear and that you'd be willing to assist ;)

Cheers

PS: I see

If you are experiencing an issue please mention the full platform your issue applies to:
IDE: NetBeans
Device: iOS

[Shai Almog]

Hi,
is this for adding apps to an app group?
If so we recently pushed some functionality for this.

[sidiabale]

Hi,

I don't know exactly what you mean by adding apps to an app group. Basically, what I want is for my app to be signed with the same entitlements as specified in the provisioning profile. In particular, the aps-environment info is missing which causes my third-party push notification service not to work. My guess (also supported by your answer on this thread) is that the build script is filtering out some fields when ios.includePush = false. 

If the problem is still not clear, please re-read my original question; I think it has enough information. Otherwise, let me know and I'll try to clarify further

<key>com.apple.developer.team-identifier</key>

<string>XXX</string>

<key>aps-environment</key>

<string>development</string>

[Shai Almog]

Hi,
because of the way builds happen in command line we have to generate our own entitlements.
We don't have access to the provisioning profile entitlements since the format of that is proprietary and we don't want to reverse engineer something only to see it change later and break everything we built. The only way to enable push is thru the push build hint.

[sidiabale]

Hi Shai,

Why is it not an option to allow users to inject extra key-value pairs into the entitlement file that you generate? That will solve my problem because I know exactly what key-value pairs are missing and I'd like to be able to inject them.

Please consider adding this feature; it will save me a lot of manual work of resigning the app, then uploading to a webserver for on-the-fly deployment. Moreover, by doing so, you'd bring a smile not just to my face but to all others who in the future will benefit from the results of my current experiments, if successful. ;)

Thanks!

[Shai Almog]

Hi,
because we would like to keep the lights on here and don't want to go out of business because we made everything possible at every user grade.

Initially when we set out push was free for many companies but wasn't for our product. This shifted in the industry e.g. with Urban Airship dropping free users.
We need pro/enterprise/corporate customers and need to provide a migration incentive.

[sidiabale]

Hi Shai,

Thanks for your honest response.

Keeping the lights on is very important and it's not my intention to interfere with that; far from it! Although I currently only use CN1 for hobby work, I'd like to see the company grow and be successful because I think you have a great product and you guys are dedicated and supportive. That said, I'm not sure if this is the best strategy to give incentive for pro/enterprise accounts. Your product is mainly for developers so if there is a way to get push for free, albeit inconvenient, do you really think you'd stop them? Maybe it's good to evaluate the strategy and come up with incentives that will really keep the lights on. Like I told you at the beginning of the year, I still feel that CN1 is lacking proper publicity and I'm not sure much has changed since then.

I personally don't have any incentive for a pro account at this stage as I'm not (yet) using CN1 for any commercial products (I really don't even need the basic account that I have but it's my little way of showing solidarity). So, if I can get push working via a third-party, I'd share my findings with the community. I hope you can live we that and that we'll still be friends...

Cheers

[Shai Almog]

Hi,
We'll think about it. Unfortunately knowing some people, yes...
We don't do any marketing so awareness is most definitely low. I'd love to change that.

[sidiabale]

Hi,

Your reply wasn't clear to me:

1. "We'll think about it"? Think about WHAT?
2. What were you referring to when you said "Unfortunately knowing some people, yes..."?

[Shai Almog]

I meant we'll give some thought to your feedback.

[nickk...@gmail.com]

Hi Shai,

Any progress on this?

I've just started using the parse4cn1 library and its excellent - well done sidiabale.

I'm a pro subscriber and have been waiting for years for CN1 to be able to support push with channels or segmentation.  I've worked around a number of hacks to get projects up and running with what I need.  For the latest project the best solution is parse and the parse4cn1 library is great.  However having to resign the .ipa just to get the right entitlements for push on iOS is a complete pain.  I totally understand the need to keep the lights on, I run a business too, but I don't think you should be holding that feature to ransom when actually there is a superior option out there (that supports channels and delivery statistics) AND there is a workaround anyway.

Even though I'm a pro subscriber I'm left with the option of resigning each of my builds, using push that doesn't support the features that I need, or building a server solution to manage channels (and hidden data) myself.  

I'm not going to drop my pro subscription just because I can get push working elsewhere - there are plenty of other benefits for having a pro subscription.  But even the new push servers are not yet fit for the purpose I need them for and there is a community developed alternative that is I don't think its too much to ask to be able to add entitlements via build hints the same way we can inject data into the plist, or control most of what goes into the AndroidManifest.  

I could be selfish and say just add it for pro users but actually I really don't think that withholding this build hint should be a motivating factor for people to upgrade.  On the pro account support is good, sources are valuable, push is good for most applications, unlimited build credits are very important.  I've even played around with desktop builds.  

Putting in a vote to have entitlements added to the build hints.

In the meantime I'll get back to resigning my builds.

[Shai Almog]

Hi,
sidiable was able to workaround this in a way that didn't require that we deal with this issue. He was able to make it work with parse4cn1 so this became a non-issue.

[sidiabale]

Hi,

I support Nick's (?) request. Forcing developers to resort to a workaround doesn't seem a great idea if it can be enabled via build hints. By the way, I had the workaround even BEFORE I started this thread as can clearly be seen in my original question. So it didn't become a non-issue because I found a workaround. I just gave up on pushing the request but now someone else is asking, perhaps you can reconsider your stance ;-)

[Shai Almog]

Hi,
OK. We didn't understand that this was still a problem.
Since Nick already has a pro account this should be a non-issue for him since your original request was to do what the "include push" checkbox does. So I don't quite understand the issue?

[Nick @ LittleMonkey]

Checking  'include push' will not just add the entitlements (which is what the question is asking) but will also add the implementation for didRegisterForRemoteNotificationsWithDeviceToken and other things into the app delegate that we don't want.

--

Nick Koirala

LittleMonkey Ltd
PO Box 13057, Johnsonville
Wellington, New Zealand
0800 356 783
+64 (0) 4 974 5574
www.littlemonkey.co.nz

[sidiabale]

Hi,

The request has always been to add provisioning entitlements via build hints. The includePush build hint is orthogonal to that and not at all helpful even for pro subscribers because it's either push from CN1 (includePush=true) or push from Parse (includePush=false). Both cannot be combined.

To clear the confusion, here's an excerpt from my original question. I think it clearly states what the request is. if not, please let me know and I'll try to clarify further.

------------------------------------------------------------------

Hi,

How can I add extra entitlements to my app? The problem is that the entitlements in my app do not match those specified in the provisioning file. 

The relevant part of the provisioning file is as follows (this is the same profile that I use when sending the build to the buildserver):

<dict>

    <key>keychain-access-groups</key>

    <array>

        <string>XXX.*</string>

    </array>

    <key>get-task-allow</key>

    <true/>

    <key>application-identifier</key>

    <string>XXX.com.abc.TestApp</string>

    <key>com.apple.developer.team-identifier</key>

    <string>XXX</string>

    <key>aps-environment</key>

    <string>development</string>

</dict>

However, when I check the entitlements in the resulting iOS, they are different. In particular, the highlighted key-value pairs above are missing as evidenced by querying the entitlements on the resulting app (after unzipping it)

$ codesign -d --entitlements - Payload/Main.app

Executable=/Users/me/Documents/Payload/Main.app/Main

??qq?<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

   <dict>

       <key>application-identifier</key>

       <string>XXX.com.abc.TestApp</string>

       <key>keychain-access-groups</key>

       <array>

           <string>XXX.com.abc.TestApp</string>

       </array>

       <key>get-task-allow</key>

       <true/>

   </dict>

</plist>

I tried using the 'ios.plistInject' build hint to include the missing key-value pairs but it didn't work. How can I inject these extra entitlements?

[Shai Almog]

Hi,
so if I understand this correctly. If we add something like ios.includePushEnt that will make the exact changes that ios.includePush makes to the entitlements and nothing else this should be fine?

[Nick @ LittleMonkey]

That would be perfect thanks.

Nick

On 30/11/15 04:53, Shai Almog wrote:

Hi,
so if I understand this correctly. If we add something like ios.includePushEnt that will make the exact changes that ios.includePush makes to the entitlements and nothing else this should be fine?

[Shai Almog]

OK, we'll add that hint in the next update of the server probably today or tomorrow.

[sidiabale]

Thanks, Shai!

If you can let us know when the update has been performed, I'll test it and provide feedback/update the parse4cn1 documentation accordingly if it works as desired.

[Shai Almog]

It should be up to date now.

[sidiabale]

Thanks Shai,

I've tested the new build hint and it works!

@Nick: I've updated the iOS set up steps on the parse4cn1 wiki. Let me know if you're able to get push working on iOS as well.