Provisioning profiles are such a delight. My latest battle with them involved getting the following error:
Invalid IPA: The keychain-access-group in the embedded.mobileprovision and your binary don’t match.
The background to the situation is this: I’d run out of devices on one of my Apple Developer accounts and needed to send out a test build to some new users. So I created a new bundle ID in my second account, re-archived the app and sent it out. The tester came back with the above error when they tried to install it.
The problem lay with me not changing the application-identifier and keychain-access-groups values in the entitlements file. These need to match the new provisioning profile values. The values for these changed because I was using a different developer account. keychain-access-groups is easy to miss as it’s folded when you open the entitlements file in Xcode.
You’ll find the correct values in your provisioning profile as well as in the App IDs page in the iOS Provisioning Portal.
Another error I hit with my second dev account was:
entitlement ‘application-identifier’ has value not permitted by a provisioning profile
This turns out to be caused by signing the IPA with the wrong identity. How did I manage that you ask? I was using my auto archive script and I’d forgotten to change what identity to use when signing. There’s two hours sleep I’ll never get back.