How do I install an XCode "Archive" build on my device?

I have done what QA1764 says and I still get an "iTunes Sync: Failed to install" dialog on my iPad after syncing through iTunes. No Xcode errors prior to that. I tried both of my "Development" certs, not the "Distribution" cert. Unpacking the .ipa and running "codesign --verify -vvv" says all is good.

Console log on the device says:

001f8000 verify_signer_identity: Could not copy validate signature: -402620394

If you can make this work and can tell me what you did, in explicit detail, it would be appreciated.

Fucking codesigning. What a crock of fermented shit.

Tags: , , ,

17 Responses:

  1. David says:

    Is the device you are trying to install the IPA on listed in your ad-hoc certificate? If not, go to your Apple developer key management web site to get that shit re-fermented. (Then get the new .mobileprovision installed in Xcode, and build the IPA again.)

    • jwz says:

      I think so? It's the device that I do development on, so it must be or that wouldn't work, right? Is there a cert difference between "Xcode can run shit under gdb and leave an app behind" and "iTunes can install an app without Xcode involvement"?

      • Frode M says:

        Yes, the run-from-xcode uses the development certs and allows for on-device debugging. Non-xcode installs a.k.a "ad hoc installs" aka send-to-a-beta-tester uses adhoc distribution certs (and does not require the device to be "enabled for development" through xcode). (App store submissions uses a third configuration, appstore distribution certs) I think you need an adhoc distribution cert + mobileprovision file for what you're trying to do. Also the .ipa may need to be rebuilt, or at least ensure the embedded entitlements file (xcode4 auto-generates those these days depending on the build settings) has the correct "get-task-allow" setting.

        • jwz says:

          Ok... so... is it just me, or does that QA1764 thing where it says "use any old cert you like, FOOTNOTE, don't use distribution certs", not match what you just said?

          (This does not mean I doubt you. God I hate this shit.)

          • Frode M says:

            I think they mean "do not use the appstore distribution certs, instead, use the adhoc distribution certs".

            What I do when I set up a new app on a new dev account is:
            1. Generate a Developer certificate and a Distribution certificate
            2. Create the app ID thingy
            3. Add UDIDs
            4. Create three sets of provisioning profiles: Development profile, Ad Hoc Distribution, Appstore distribution.

            The dev profile is used for xcode on-device debugging; it sets "get-task-allow" to the value that permits gdb attachments. The adhoc profile is used for sending .ipa files to others for testing. The appstore profile is only used for uploads; appstore-profile-signed .ipas are unusable for anything else (but can probably be re-signed with the adhoc profile). Sometimes, xcode auto-generates the wrong entitlements (for example, it may end up embedding an entitlement for debug, which clashes with the adhoc profile which requires get-task-allow to be forbidden).

            The apple docs aren't very helpful, but after a lot of experimenting it sort of makes sense.

            • jwz says:

              I don't understand the difference between "Development profile" and "Ad-Hoc distribution", or which one I have, or how to create the other, or why they aren't the same thing.

              I seem to have two "Development Provisioning Profiles": one called "iOS Team Provisioning Profile: *" and one called "jwz_wildcard", which appear to be identical. Both contain an App ID (of the form "XXXXXXXXXX.*"), a Certificate (me), and lists both of my devices. Both say "Active" and the former says "Managed by Xcode" but the latter does not.

              So, both wildcard app IDs, both list my devices. What's wrong with this picture?

              I understand that "Distribution" profiles are for app-store only. I'm not using that one.

              From what Seth said below I'm guessing that these certs are fine but the get-task-allow value is wrong, but how do I change that when building the archive?

              • Frode M says:

                There are two types of distribution profiles, adhoc distribution and appstore distribution. To install a non-debug .ipa you need the adhoc distrubtion profile. Take a look in the provisioning portal under "Provisioning->Distribution". You probably have one profile there for appstore distribution. You should create another, identical one but make sure to check the "adhoc" radio button instead of "appstore" one. Both types of profile will "belong" to your one single distribution certificate.

                I try to avoid the "managed by xcode" wildcard app thing like the plague, as it seems to confuse xcode release builds and the automatic entitlements-file generation to no end.

                To try to clear up the profile confusion: A .mobileprovision file is an apple-signed file containing a triplet of (app ID + codesigning certificate reference + list of device UDIDs), plus a few other restrictions such as whether get-task-allow must be true or false. For any given app you may be developing, there are three different types of mobileprovision files that are useful: #1 The development one (generated via Provisioning->Development in the web portal) allows for gdb debugging and running via xcode. #2 The "adhoc distribution" one (generated via Provisioning->Distribution->Adhoc) allows for "beta tester" style installation through dragging .ipa files into iTunes (or, with some hassle, directly via HTTP / mobilesafari). #3 The "appstore distribution" one (generated via Provisioning->Distribution->Appstore) is only good for uploading to apple's appstore review team (who will, after review, apply the FairPlay DRM and whatever else magic blessing is required, and then put the .ipa in the itunes store).

                When you do the Xcode organizer->archive->distribute, I think it will re-codesign (and regenerate entitlements? Not sure) using either the appstore profile or the adhoc profile depending on your choices in that distribution "wizard".

                • jwz says:

                  Thank you, using "Provisioning / Distribution / New Profile / Ad Hoc" seems to have done it -- even though, I can't tell how that cert differs from the one created by "Development / New Profile", since they seem to contain the same names and devices and teams and whatnot.

                  I guess they have get-task-allow set oppositely, but neither the web site nor Xcode seem to indicate that distinction in any way.

                  • Frode M says:

                    Yeah, I think the get-task-allow is pretty much the only difference. (Until you get to more advanced entitlements configuration settings, like push notification sandbox vs production service etc). Protip: It helps to add "Ad hoc" etc into the profile names to keep them apart, and have separate dev & distribution certificates, and not click "Always allow" for the keychain prompt; makes it more obvious which certs and profiles are in play every time you code sign.

                    Quite a shame how complicated and under-documented this process is, with the weird unhelpful error messages and all.

                  • jwz says:

                    Yes, not only is this a horrible hoop to make developers jump through (generate multiple subtly different certs for a single app!) in order to prop up a corrupt and despicable system (DRM and enforced customer lock-in) but they make it fantastically difficult to do as well. They've hit some kind of sweet spot of developer- and customer-hostility here.

  2. Frode M says:

    Do you also get entitlements errors? Maybe you've got an ipa with the wrong setting for "get-task-allow". Or you may be missing the device's UDID in the mobileprovision file.

    • jwz says:

      I got no errors on the Mac side, and the only errors on the device side were A) the one dialog box and B) the console logs I pasted, plus some others that seemed to be cascades of those.

  3. I find it really helps to go less(1) the contents of the embedded.mobileprovision inside the app bundle, in particular to see whether get-task-allow is false, whether the application identifier is what you think it should be, and whether your device is listed in the ProvisionedDevices list. Xcode’s automatic provisioning profile selection often grabs the wrong profile due to wildcards or some other terrible inscrutable nonsense.

    • James says:

      No debugging distribution releases? If Wozniak had gone first, he would be spinning in his grave instead of walking his dogs.

    • jwz says:

      get-task-allow is true, is that the wrong thing? If so how do I flip that bit? The application-identifier and ProvisionedDevices seem to be sensible values.

      I just went to Organizer / Archives, selected the archive that was created when I submitted an app to the store, and selected Distribute. Does this mean that the thing I built to submit to the store was built wrong, or is there some other way to turn that store-submitted binary into a runnable .ipa?

  4. Now that you've got the distribution profile working, you might also want to consider building your archive with "Save For Enterprise Distribution" checked and putting the .ipa and .plist that result on a web server w/ a simple html file containing links to install them. I use a quick & dirty PHP script to do this that can be found here along with a more in-depth description of this: http://jeffreysambells.com/2010/06/22/ios-wireless-app-distribution

    It makes it much easier than having to plug a device into iTunes and drag shit onto it. You can just have the person you're distributing to open a URL in Mobile Safari and click a link.

    Hope this helps,

    Brandon