Bundle Identifier and push certificate… aps-environment entitlement error

I found this question when I was moving from a development environment to a production one on an application that I am working on. This process involved the creation of a new profile, a new app ID, etc. I created the app ID and a profile, but the Team Agent had to configure the push notifications. I ran into the problem of "no valid 'aps-environment' entitlement string found for application" when I tried to resume testing with the new profile (after the app had been configured for push notifications). I then remembered reading a little caveat in the documentation:

"You have to modify the profile in some way (for example, toggle an option) for the portal to generate a new provisioning profile. If the profile isn't so "dirtied", you're given the profile without the push entitlements."

Source: Local and Push Notification Programming Guide

For me, "dirtying" the provisioning profile and reinstalling it was all that was needed to fix the issue. Per the documentation, this was required because the provisioning profile was created before the app was configured for push notifications. This may or may not help anyone, but this probably explains (and eliminates) the need to manually add anything to the provisioning profile.

I ran into the same "no valid 'aps-environment' entitlement string found for application" problem, but the above solutions did not work for me.

I could not find very good documentation about this error or even just the key "aps-environment".

After some tinkering around, here is what solved the problem for me:

Open your development provisioning certificate, "Appname.mobileprovision" with a text editor, look for the key "Entitlements" then add all of the values found here to your Entitlements file referenced by your Code Signing Entitlements setting.

Here is an example of what keys/values you'll find inside:

<key>application-identifier</key>
<string>xyz.com.xyz.xyz</string>
<key>aps-environment</key>
<string>development</string>
<key>com.apple.developer.ubiquity-container-identifiers</key>
<array>
<string>xyz.*</string>
</array>
<key>com.apple.developer.ubiquity-kvstore-identifier</key>
<string>xyz.*</string>
<key>get-task-allow</key>
<true/>
<key>keychain-access-groups</key>
<array>
<string>xyz.*</string>
</array>

After adding all of these values to my Entitlements file my app builds successfully and I can finally get back to working on Push Notifications.

I'm not sure if these values are supposed to be automatically added to your entitlements file by XCode, but they certainly weren't being generated for me in my project.

Setup:

Mac OS X 10.8 + Xcode 4.4

My Simple Solution:

1. Reissue your ad hoc provisioning profile after you have setup push notifications for your app ID and import them to Xcode.
2. Take a look into your .xcodeproj folder (right click -> Show Package Contents) and delete the xcuserdata folder.
3. That's it ;)

Some hints on that issue:

After activating Push Notifications for my app I suddenly couldn't create ad hoc files anymore. I ran across errors in my Console log on my iPhone while trying to install my app such as those:

Apr  1 20:56:10 unknown installd[384] <Error>: entitlement 'keychain-access-groups' has value not permitted by a provisioning profile
Apr  1 20:56:10 unknown installd[384] <Error>: entitlement 'get-task-allow' has value not permitted by a provisioning profile
Apr  1 20:56:10 unknown installd[384] <Error>: entitlement 'application-identifier' has value not permitted by a provisioning profile
Apr  1 20:56:10 unknown installd[384] <Error>: 2ff66000 verify_signer_identity: Could not copy validate signature: -402620394
Apr  1 20:56:11 unknown installd[384] <Error>: 2ff66000 preflight_application_install: Could not verify executable at /var/tmp/install_staging.44jV0O/foo_extracted/Payload/PersonalTrainer-Tester-iPhone.app
Apr  1 20:56:11 unknown com.apple.itunesstored[392] <Notice>: MobileInstallationInstall: failed with -1
Apr  1 20:56:11 unknown installd[384] <Error>: 2ff66000 install_application: Could not preflight application install
Apr  1 20:56:11 unknown installd[384] <Error>: 2ff66000 handle_install: API failed
Apr  1 20:56:11 unknown installd[384] <Error>: 2ff66000 send_message: failed to send mach message of 71 bytes: 10000003
Apr  1 20:56:11 unknown installd[384] <Error>: 2ff66000 send_error: Could not send error response to client

There is some technical note which recommends using codesign -d --entitlements - <YourAppName>.app to check if your app is signed properly for Apple Push Notifications. In case the output of the codesign command does not have an aps-environment set to production or development there is something fishy!

As far as I knew so far, my apps signed with an adhoc provisioning profile always have an embedded.mobileprovision inside the <YourAppName>.app folder with a specific part in them such as:

<key>Entitlements</key>
<dict>
    <key>application-identifier</key>
    <string>ABCDEFGH.com.myappname.tester</string>
    <key>aps-environment</key>
    <string>production</string>
    <key>get-task-allow</key>
    <false/>
    <key>keychain-access-groups</key>
    <array>
        <string>ABCDEFGH.*</string>
    </array>
</dict>

After using codesign I realized that the actual binary in <YourAppName>.app had some XML included as well, which said something very different than my embedded.mobileprovision file:

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>ABCDEFGH.com.myappname.tester</string>
    <key>get-task-allow</key>
    <true/>
    <key>keychain-access-groups</key>
    <array>
        <string>ABCDEFGH.com.myappname.tester</string>
    </array>
</dict>
</plist>

I assume this is the cause for the error message we are all experiencing. (although this error can have some different roots as well as other posts on stackoverflow suggest)

The executable was signed with invalid entitlements.
The entitlements specified in your application's Code Signing Entitlements
file do not match those specified in your provisioning profile. (0xE8008016).

My guess is that there is some bug in Xcode which keeps the settings in your plist from being updated in you schemes which then causes your app to be signed with the wrong provisioning profile in the end. So by deleting the xcuserdata folder you delete all schemes. Therefore Xcode will recreate them next time with the proper settings and you are happy again.

Essentially the answer is the same vague one everyone else says

• Make sure you have a "Entitlements.plist" added (New File/Code Signing/Entitlements)
• Add "get-task-allow" (Boolean Off) to Entitlements.plist
• Add "aps-environment" "production" pair to Entitlements.plist -- This last step may be unnecessary but it was one of the steps I did just before it worked
• Delete old mobileprovision files from iPhone/iPod (In Settings/General),
• Delete old mobileprovision files from XCode Organiser
• Delete App from iPhone/iPod
• Quit XCode
• Download fresh copy of Provisioning Certificate
• Check for "aps-environment" "production" pair in certificate with a Text Editor
• Start XCode
• Add fresh mobileprovision file by dragging to XCode Doc icon
• Make sure you have reassigned/assigned the correct certificate in the Target Info : Code Signing : Code Signing Identity
• Double check that the Build Results to see it it's using the correct profile and is signed correctly

Repeat these steps calmly until it works, took me about five goes of various combinations. I also switched from Development to Ad-hoc which apparently isn't necessary but did guarantee a new mobileprovision file.

Using XCode4 and receiving the same "no valid 'aps-environment' entitlement string found for application" I had to do the following:

• Delete old provisioning profiles from both Library + Device panels in Organizer
• Regenerate new profile with APN dev enabled from the developer portal website
• Make sure new profile is added to both Library + Device panels in Organizer
• Manually delete my app off my device (holding till it jiggles and hitting X)
• CMD+OPT+SHIFT+K (Clean Build Folder) and CMD+SHIFT+K (Clean)
• Set the proper profile under Project > Build Settings > Code Signing
• Make sure 'Use Entitlements' is not checked under Targets > Summary

Under 'Project' -> 'Build Settings' -> 'Code Signing', make sure you have selected the correct Provisioning profile (the one with push enabled).

That was all I needed to change in order to make it work.

None of the above worked for me!

1. Delete all Provisioning Profiles in Xcode Organizer
2. Delete all Developers certificates in Keychain
3. Delete all Provisioning Profiles in iPhone device
4. In iOS Provisioning Portal, delete Development Provisioning Profile which was created automatically by Xcode
5. Create a new Provisioning Profile by assigning the correct (Certificate/AppID/Device) combination
6. Download the new Provisioning Profile
7. Import the new Provisioning Profile into Xcode Organizer
8. CMD + Option + Shift + K
9. CMD + Shift + K
10. CMD + R
11. Hooray :)

Make sure that you are using the app in the correct way with the provisioning profile.

What I mean is that if you've enabled your app for Push notifications for Distribution only, and you are trying to get push notifications to work via building with XCode, this will not work.

I ran into this problem, and by enabling push notification for Development for the App ID, and then using the development provisioning profile I no longer got the error and the correct alert view asked if I wanted to get push notifications.

the solution for 10.8 Xcode 4.4 is to open the appname.entitlements file

and if the DataProtectionClass key has the value NSFileProtectionComplete, delete it!

Deleting this key allows me to test apps from Xcode on devices (it wasn't affecting simulation).

I had the same problem. For me the fix was like this:

1. Removed and reloaded the provisioning profiles from the organizer.
2. Selected my named provisioning profile under project settings->code signing. Somehow it wanted to use the blabla.* identity.

The wildcard profile ([prefix].*) won't do when your trying to run a APN enabled application, you need to specify the APN enabled profile.

I just figured this out after a few hours, so in addition to what JulianB said,

• make sure you have an application icon. You probably have one but i happened to add push when we were between icon versions. I tried allot of different things and in the end that was all it took so it might not even be a cert or signing setting issue.
• I've also read a corrupt image file could also be the cause
• i did not add/see an aps-environment key in my entitlements.plist
• clean all targets before building

For me it worked after changing the bundle identifier to something random. Making sure that the signing error indeed shows up (remove all provision profiles from organizer and device and do a clean build CMD + OPT + SHFT + K then CMS + SHFT + K and then CMD + R) and then changing the bundle identifier back to appropriate one.

My solution was to remove and create again Development Provisioning Profile. It was listed as "Invalid" - not expired and also renew failed (Xcode 4.3.2 and iOS 5.1)

Make sure you have selected correct. Provisioning Profile. I found that I was trying with Team Provisioning profile.(for application identifier: *) Further down in the list, there was correct one for the app.

My problem was this. I created app that had configured push notifications, and in app delegate I was registering for push notifications with:

[[UIApplication sharedApplication] registerForRemoteNotificationTypes:(UIRemoteNotificationTypeAlert | UIRemoteNotificationTypeBadge | UIRemoteNotificationTypeSound)];

But before releasing app I had to create new provisioning profile on other developer portal. I created new App Id, new provisioning for development and distribution, downloaded new provisioning, in application target I've set correct provisioning. Also I changed bundle identifier. But I was getting that error.

Problem was that new AppId was not configured for push notifications, but calling

[[UIApplication sharedApplication] registerForRemoteNotificationTypes:(UIRemoteNotificationTypeAlert | UIRemoteNotificationTypeBadge | UIRemoteNotificationTypeSound)];

was creating error. When I configured push notifications error did not show again.

I had this problem, the scenario was:

I had setup an app id without push notifications support. I'm using Xcode 5.1 + iOS 7.1

Later, edited the app id to add push notifications in development and production.

Created the APNs certificates for both.

When you test PN using your device attached to Xcode, everything works ok. The problem appears when you release the app to production, you keep getting:

"Error Domain=NSCocoaErrorDomain Code=3000 "no valid 'aps-environment' entitlement string
 found for application" UserInfo=0x15b200 {NSLocalizedDescription=no valid     
'apsenvironment' entitlement string found for application}" error.

The solution that worked for me was:

1. Delete provisioning profiles for development and distribution (Xcode and Developer portal).
2. Delete your app ID (Developer portal).
3. Create a new App ID with Push Notifications Support for Development and Production.
4. Create new provisioning profiles using the NEW App ID.
5. Install them on Xcode.
6. Test on development and distribution release.

Make the profile right and this work for me.Hope this help.

In my case, the solution for this error turned out to be simple after hours of tinkering with certificates...

In the Capabilities tab of the project configuration, I had to enable the Push Notification flag in order for the environment files to be generated.

macOS Sierra 10.12 - Xcode 8.1

Actually your provisional profile deleted from apple developer site.& you get error for