Failed to get token, error is :Error Domain=NSCocoaErrorDomain Code=3000 “no valid ‘aps-environment’ entitlement string found for application” UserInfo=0xb8cdb0 {NSLocalizedDescription=no valid ‘aps-environment’ entitlement string found for application}

I’ve read Where does xcode take application’s Identifier from? , XCode bundle identifier formatting from {PRODUCT_NAME} , and loads more but…

I’m trying to get push notifications going and getting the dreaded

“Error Domain=NSCocoaErrorDomain Code=3000 “no valid ‘aps-environment’ entitlement string found for application” UserInfo=0x15b200 {NSLocalizedDescription=no valid ‘aps-environment’ entitlement string found for application}” error.

I’m fairly certain I’ve followed all the steps correctly, including:

  • made the push certificate well in advance of the provisioning cert
  • made a ‘Entitlements.plist’
  • added a get-task-allow boolean and set it to true (ad-hoc release)

The only think I can’t quite get my head around is the Bundle Identifier

The push certificate is for

XXXXXXXXXX.com.julianbaker.pwcnewsuk

The Bundle Indentifier in PwCNewUK-Info.plist is for

com.julianbaker.${PRODUCT_NAME:rfc1034identifier}

If I manually change it to

com.julianbaker.pwcnewsuk

I get a UDID mismatch error as the app is seen as PwCNewsUK

When I’ve Googled this there seems to be some confusion over the matter, but it seems they have to match?

QUESTION:

What should the Bundle Indentifer be to match the push certificate of
XXXXXXXXXX.com.julianbaker.pwcnewsuk ?

QUESTION:

Do I need to add a “aps-environment” entitlement to the provisioning profile, and if so where and how? (See http://www.airplaysdk.com/node/3174 amongst others)

Loving iPhone development but sheesh it can be a headbanger at times!

asked Apr 15 ’11 at 18:59
JulianB
6621620
 
4  
Digging a little deeper I found the ANSWER to the second question… apple should include the “aps-environment” pair in the mobileprovision file, the value should be “development” or “distribution”. There is apparently a bug where this pair is sometimes omitted when generating the certificate. Check by opening the file in a text editor –  JulianB Apr 16 ’11 at 1:31
   
And it appears that the app Bundle Identifier is case sensitive (Indentifier field in the Properties pane of the Target Info window) –  JulianB Apr 16 ’11 at 1:36
28  
THIS PROBLEM MAKES ME WANT TO CRY –  Kyle Clegg Aug 20 ’12 at 18:11

add comment

15 Answers

I found this question when I was moving from a development environment to a production one on an application that I am working on. This process involved the creation of a new profile, a new app ID, etc. I created the app ID and a profile, but the Team Agent had to configure the push notifications. I ran into the problem of “no valid ‘aps-environment’ entitlement string found for application” when I tried to resume testing with the new profile (after the app had been configured for push notifications). I then remembered reading a little caveat in the documentation:

“You have to modify the profile in some way (for example, toggle an option) for the portal to generate a new provisioning profile. If the profile isn’t so “dirtied”, you’re given the profile without the push entitlements.”

Source: Local and Push Notification Programming Guide

For me, “dirtying” the provisioning profile and reinstalling it was all that was needed to fix the issue. Per the documentation, this was required because the provisioning profile was created before the app was configured for push notifications. This may or may not help anyone, but this probably explains (and eliminates) the need to manually add anything to the provisioning profile.

answered Sep 25 ’11 at 18:33
 
8  
Totally worked for me, thanks! Absolutely unacceptable that the Apple dev site work so shoddily. – diatrevolo Dec 1 ’11 at 21:48
1  
Yes it worked for me. Whenever you update App-id,update your provisioning profiles. You will not get any intimation from Apple to do so. But you have to do it. No need to edit any XML’s or entitlements –  Dhilip Apr 3 ’12 at 12:36
   
I ran into this issue when I deleted my development app from my IPad then tried to run it again. I followed the instructions for “dirtying” the provisioning profile, redownloaded via organizer, closed and opened xcode, rebuilt and deployed, then it worked. This is a lame workaround. –  Paul Fryer Aug 16 ’12 at 19:08
   
Worked for me!! –  scurioni Jan 22 ’13 at 2:29

add comment

I ran into the same “no valid ‘aps-environment’ entitlement string found for application” problem, but the above solutions did not work for me.

I could not find very good documentation about this error or even just the key “aps-environment”.

After some tinkering around, here is what solved the problem for me:

Open your development provisioning certificate, “Appname.mobileprovision” with a text editor, look for the key “Entitlements” then add all of the values found here to your Entitlements file referenced by your Code Signing Entitlements setting.

Here is an example of what keys/values you’ll find inside:

<key>application-identifier</key>
<string>xyz.com.xyz.xyz</string>
<key>aps-environment</key>
<string>development</string>
<key>com.apple.developer.ubiquity-container-identifiers</key>
<array>
<string>xyz.*</string>
</array>
<key>com.apple.developer.ubiquity-kvstore-identifier</key>
<string>xyz.*</string>
<key>get-task-allow</key>
<true/>
<key>keychain-access-groups</key>
<array>
<string>xyz.*</string>
</array>

After adding all of these values to my Entitlements file my app builds successfully and I can finally get back to working on Push Notifications.

I’m not sure if these values are supposed to be automatically added to your entitlements file by XCode, but they certainly weren’t being generated for me in my project.

answered Sep 12 ’11 at 3:38
 
2  
THIS is the correct answer. The solution is just to copy the values in your .mobileprovision file to your Entitlements file. I wish Apple documented this somewhere. If you continue getting the error after doing this, restart XCode. That fixed it for me. –  Aneil Mallavarapu Feb 2 ’12 at 16:28
   
It helped me too. I was sure I had the same values, and tried different combinations of them, but something was different and copypaste solved it. Maybe just order of keys was relevant. –  JaakL Jun 25 ’12 at 9:51

add comment

Essentially the answer is the same vague one everyone else says

  • Make sure you have a “Entitlements.plist” added (New File/Code Signing/Entitlements)
  • Add “get-task-allow” (Boolean Off) to Entitlements.plist
  • Add “aps-environment” “production” pair to Entitlements.plist — This last step may be unnecessary but it was one of the steps I did just before it worked
  • Delete old mobileprovision files from iPhone/iPod (In Settings/General),
  • Delete old mobileprovision files from XCode Organiser
  • Delete App from iPhone/iPod
  • Quit XCode
  • Download fresh copy of Provisioning Certificate
  • Check for “aps-environment” “production” pair in certificate with a Text Editor
  • Start XCode
  • Add fresh mobileprovision file by dragging to XCode Doc icon
  • Make sure you have reassigned/assigned the correct certificate in the Target Info : Code Signing : Code Signing Identity
  • Double check that the Build Results to see it it’s using the correct profile and is signed correctly

Repeat these steps calmly until it works, took me about five goes of various combinations. I also switched from Development to Ad-hoc which apparently isn’t necessary but did guarantee a new mobileprovision file.

answered Apr 29 ’11 at 16:39
JulianB
6621620
 
1  
So I didn’t need the Entitlements.plist to get this working … but I did have to redo it a few times. Mainly because the old profile kept popping up. Make sure you delete it everywhere (project and target) and keep checking to make sure it’s gone!!. –  pho0 Oct 21 ’11 at 7:32
   
Like you said, not sure what combination made it work, but after days of searching your post is the only one that solved it for me. Thank you a million fold! –  AngeloS Nov 21 ’11 at 4:44

add comment

Setup:

Mac OS X 10.8 + Xcode 4.4

My Simple Solution:

  1. Reissue your ad hoc provisioning profile after you have setup push notifications for your app ID and import them to Xcode.
  2. Take a look into your .xcodeproj folder (right click -> Show Package Contents) and delete thexcuserdata folder.
  3. That’s it 😉

Some hints on that issue:

After activating Push Notifications for my app I suddenly couldn’t create ad hoc files anymore. I ran across errors in my Console log on my iPhone while trying to install my app such as those:

Apr  1 20:56:10 unknown installd[384] <Error>: entitlement 'keychain-access-groups' has value not permitted by a provisioning profile
Apr  1 20:56:10 unknown installd[384] <Error>: entitlement 'get-task-allow' has value not permitted by a provisioning profile
Apr  1 20:56:10 unknown installd[384] <Error>: entitlement 'application-identifier' has value not permitted by a provisioning profile
Apr  1 20:56:10 unknown installd[384] <Error>: 2ff66000 verify_signer_identity: Could not copy validate signature: -402620394
Apr  1 20:56:11 unknown installd[384] <Error>: 2ff66000 preflight_application_install: Could not verify executable at /var/tmp/install_staging.44jV0O/foo_extracted/Payload/PersonalTrainer-Tester-iPhone.app
Apr  1 20:56:11 unknown com.apple.itunesstored[392] <Notice>: MobileInstallationInstall: failed with -1
Apr  1 20:56:11 unknown installd[384] <Error>: 2ff66000 install_application: Could not preflight application install
Apr  1 20:56:11 unknown installd[384] <Error>: 2ff66000 handle_install: API failed
Apr  1 20:56:11 unknown installd[384] <Error>: 2ff66000 send_message: failed to send mach message of 71 bytes: 10000003
Apr  1 20:56:11 unknown installd[384] <Error>: 2ff66000 send_error: Could not send error response to client

There is some technical note which recommends using codesign -d --entitlements - <YourAppName>.app to check if your app is signed properly for Apple Push Notifications. In case the output of the codesign command does not have an aps-environment set to production or development there is something fishy!

As far as I knew so far, my apps signed with an adhoc provisioning profile always have anembedded.mobileprovision inside the <YourAppName>.app folder with a specific part in them such as:

<key>Entitlements</key>
<dict>
    <key>application-identifier</key>
    <string>ABCDEFGH.com.myappname.tester</string>
    <key>aps-environment</key>
    <string>production</string>
    <key>get-task-allow</key>
    <false/>
    <key>keychain-access-groups</key>
    <array>
        <string>ABCDEFGH.*</string>
    </array>
</dict>

After using codesign I realized that the actual binary in <YourAppName>.app had some XML included as well, which said something very different than my embedded.mobileprovision file:

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>ABCDEFGH.com.myappname.tester</string>
    <key>get-task-allow</key>
    <true/>
    <key>keychain-access-groups</key>
    <array>
        <string>ABCDEFGH.com.myappname.tester</string>
    </array>
</dict>
</plist>

I assume this is the cause for the error message we are all experiencing. (although this error can have some different roots as well as other posts on stackoverflow suggest)

The executable was signed with invalid entitlements.
The entitlements specified in your application's Code Signing Entitlements
file do not match those specified in your provisioning profile. (0xE8008016).

My guess is that there is some bug in Xcode which keeps the settings in your plist from being updated in you schemes which then causes your app to be signed with the wrong provisioning profile in the end. So by deleting the xcuserdata folder you delete all schemes. Therefore Xcode will recreate them next time with the proper settings and you are happy again.

answered Apr 1 ’12 at 22:26
vinzenzweber
2,0701320
 
   
Removing the xcuserdata folders fixed the issue for me! Thanks! –  Gilimanjaro Jul 26 ’12 at 15:41
   
The xcuserdata fixed it for us, thanks alot! I only needed to remove the map linked to the user that formerly had control of the project. –  nj. Nov 7 ’12 at 9:27

add comment

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s