Invalid IPA: The keychain-access-group in the embedded.mobileprovision and your binary don’t match.

Update 2014/03/12: This QuickLook plugin is a great way of seeing what’s in your provisioning profiles: https://github.com/chockenberry/Provisioning

Provisioning profiles are such a delight. My latest battle with them involved getting the following error:

Invalid IPA: The keychain-access-group in the embedded.mobileprovision and your binary don’t match.

The background to the situation is this: I’d run out of devices on one of my Apple Developer accounts and needed to send out a test build to some new users. So I created a new bundle ID in my second account, re-archived the app and sent it out. The tester came back with the above error when they tried to install it.

The problem was that I hadn’t changed the application-identifier and keychain-access-groups values in the entitlements file. These need to match the values in the new provisioning profile, and they had changed because I was using a different developer account. keychain-access-groups is easy to miss because it’s folded when you open the entitlements file in Xcode.

You’ll find the correct values in your provisioning profile as well as in the App IDs page in the iOS Provisioning Portal.
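The check that fails here can be reproduced offline. The following is an added example, not code from the original post: it pulls the Entitlements dictionary out of a provisioning profile and reports which application-identifier and keychain-access-groups values in the app's entitlements the profile does not permit. The team prefixes, bundle IDs, sample profile bytes and the function names are constructed for illustration.

```python
import plistlib

KEYS = ("application-identifier", "keychain-access-groups")

def profile_entitlements(profile_bytes):
    """Slice the XML plist out of a .mobileprovision and return its Entitlements.

    The file is a CMS-signed container with the plist stored in the clear.
    This only reads the payload; it does not verify the CMS signature.
    """
    start = profile_bytes.index(b"<?xml")
    end = profile_bytes.index(b"</plist>", start) + len(b"</plist>")
    return plistlib.loads(profile_bytes[start:end])["Entitlements"]

def permitted(value, allowed):
    """True if value equals an allowed entry or matches its trailing '*'."""
    return any(value == a or (a.endswith("*") and value.startswith(a[:-1]))
               for a in allowed)

def as_list(v):
    # application-identifier is a string, keychain-access-groups is an array.
    return v if isinstance(v, list) else [v]

def mismatches(app_ents, prof_ents):
    """Return (key, value) pairs the app claims that the profile does not allow."""
    return [(k, v) for k in KEYS
            for v in as_list(app_ents.get(k, []))
            if not permitted(v, as_list(prof_ents.get(k, [])))]

# Constructed sample data: team prefixes and bundle IDs are placeholders.
SAMPLE_PROFILE = b"\x30\x80 cms header " + plistlib.dumps({
    "Entitlements": {
        "application-identifier": "NEWTEAM123.com.example.testbuild",
        "keychain-access-groups": ["NEWTEAM123.*"],
    }}) + b" cms signature bytes"
# Entitlements left over from the first developer account.
STALE_ENTS = {"application-identifier": "OLDTEAM456.com.example.app",
              "keychain-access-groups": ["OLDTEAM456.com.example.app"]}
FIXED_ENTS = {"application-identifier": "NEWTEAM123.com.example.testbuild",
              "keychain-access-groups": ["NEWTEAM123.com.example.testbuild"]}

if __name__ == "__main__":
    prof = profile_entitlements(SAMPLE_PROFILE)
    for name, ents in (("stale", STALE_ENTS), ("fixed", FIXED_ENTS)):
        print(name, mismatches(ents, prof) or "matches profile")
```

On a Mac, the real inputs are the `embedded.mobileprovision` file inside the .app bundle and the entitlements plist printed by `codesign -d --entitlements :- MyApp.app`, loaded with `plistlib.loads`.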

Another error I hit with my second dev account was:

entitlement ‘application-identifier’ has value not permitted by a provisioning profile

This turns out to be caused by signing the IPA with the wrong identity. How did I manage that, you ask? I was using my auto archive script and I’d forgotten to change which identity to use when signing. There’s two hours’ sleep I’ll never get back.

One thought on “Invalid IPA: The keychain-access-group in the embedded.mobileprovision and your binary don’t match.”

  1. Any .mobileprovision file is generated with a specific number/group of devices in mind and is associated with a development- or distribution certificate. This certificate typically belongs to the developer of the application and is used for code signing in the Target/project and Target/build properties of an app.

    Once you code-sign your app with your own signing identity, nothing can go wrong when exporting your app from Xcode to .ipa and launching it on your device(s).

    HOWEVER 🙂 and here it gets confusing… If you are planning to send your app to someone else, so it can be installed on someone else’s development device, a common mistake is to import a .mobileprovision file of someone else but code sign the app with your own identity. Doing this will result in an .ipa that runs on no device, since the signing identity in the code does not match the identity of the licensor of the target device. E.g. “The executable was signed with invalid entitlements. (0xE8008016)”

    When you are planning to send your app elsewhere for testing, ask for the .p12 of the other party, which lets you install their signing identity and a .mobileprovision containing their devices. Then:

    Install their .p12 (encrypted, requires password)
    Import their .mobileprovision
    Under target settings/build choose the new signing identity
    Then go to Product Menu and click “Archive”
    Then open Organizer, pick the correct archive and hit “Distribute…”
    Pick the imported .mobileprovision from the dropdown and click “Export”

    Voilà – a working build that runs on the device(s) of a third party.
