[build-tools][eas-cli] Support iOS Development provisioning profiles#3496
[build-tools][eas-cli] Support iOS Development provisioning profiles#3496
Conversation
|
Subscribed to pull request
Generated by CodeMention |
| targetName, | ||
| buildConfiguration, | ||
| }); | ||
| xcBuildConfiguration.buildSettings.CODE_SIGN_IDENTITY = '"Apple Development"'; |
There was a problem hiding this comment.
Do we need to worry about the old default somehow? yonaskolb/XcodeGen#691 Like… may the provisioning profile be still valid for "iPhone Developer" in which case we should infer the identity from the provisioning profile for this setting?
I was able to create a certificate just now for "iOS Development" and "Development" which have different signing identifies.
There was a problem hiding this comment.
Good point! You're right that hardcoding "Apple Development" doesn't cover all certificate types. I've updated overrideCodeSignIdentityForDevelopment() to accept the targetProvisioningProfiles map and use profile.certificateCommonName for each target instead. This way whatever signing identity the certificate actually has (e.g. "iPhone Developer", "iOS Development", "Apple Development") will be used correctly.
qwertey6
force-pushed
the
fix/development-provisioning-profile
branch
from
cf7b3fe to
8aed306
Compare
| targetName, | ||
| buildConfiguration, | ||
| }); | ||
| xcBuildConfiguration.buildSettings.CODE_SIGN_IDENTITY = `"${profile.certificateCommonName}"`; |
There was a problem hiding this comment.
Would you be able to put this upstream? The cleaner fix would be to add an optional codeSignIdentity parameter to setProvisioningProfileForPbxproj upstream in
expo/expo (in packages/@expo/config-plugins/src/ios/ProvisioningProfile.ts). You'd default it to
"iPhone Distribution" so existing callers are unaffected. Then the call sites in configure.ts can pass
profile.certificateCommonName for development profiles directly, and the overrideCodeSignIdentityForDevelopment function can
be removed entirely.
There was a problem hiding this comment.
Done! Opened expo/expo#43986 to add an optional codeSignIdentity parameter to setProvisioningProfileForPbxproj (defaults to "iPhone Distribution" so existing callers are unaffected). Once that's merged and released, I'll update this PR to pass profile.certificateCommonName directly and remove overrideCodeSignIdentityForDevelopment.
There was a problem hiding this comment.
thank you! working on getting that merged upstream
There was a problem hiding this comment.
new version of config-plugins is published now!
There was a problem hiding this comment.
Update: the upstream change landed in @expo/config-plugins@55.0.7 (expo/expo#43986). However, this repo depends on @expo/config-plugins@9.0.12 which is on a different major version line (Expo SDK 52), and the 9.x line hasn't had a release since 9.1.7 (April 2025).
So until eas-cli upgrades to a newer @expo/config-plugins major version, the overrideCodeSignIdentityForDevelopment workaround in this PR is necessary. Once the dependency is bumped, it can be replaced with a codeSignIdentity parameter passed directly to setProvisioningProfileForPbxproj.
Update update (lol): I made #3522 to bump the version as would be needed in THIS diff. If that's what you had in mind @quinlanj , feel free to approve that PR and I'll update this one. If you had something else in mind just lmk 🤠
There was a problem hiding this comment.
Thanks! Already rebased on top of that and replaced the workaround — now passing codeSignIdentity: profile.certificateCommonName directly to setProvisioningProfileForPbxproj. The overrideCodeSignIdentityForDevelopment function is gone.
There was a problem hiding this comment.
thank you! we had a bit of a hiccup with the config/config-plugins bump, so i had to revert it temporarily, but once we can get it landed again we should be good to go. appreciate your patience on all this 🙏 !
| targetName, | ||
| buildConfiguration, | ||
| }); | ||
| xcBuildConfiguration.buildSettings.CODE_SIGN_IDENTITY = `"${profile.certificateCommonName}"`; |
There was a problem hiding this comment.
See above — upstream PR at expo/expo#43986 will allow removing this workaround.
Next StepsThis PR currently uses an I've opened an upstream PR to fix this: expo/expo#43986 — it adds an optional Once that's merged and released, I'll update this PR to:
|
…rrect code signing identity Add DEVELOPMENT distribution type to distinguish Development profiles from Ad Hoc. Development profiles have get-task-allow=true in their entitlements; Ad Hoc profiles don't. When a Development profile is detected, override CODE_SIGN_IDENTITY to "Apple Development" instead of the "iPhone Distribution" that @expo/config-plugins hardcodes. This fixes builds that use credentialsSource: "local" with Development profiles (e.g., for Family Controls entitlement). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…ibution Fix isAdHocProfile() to distinguish Development from Ad Hoc profiles by checking the get-task-allow entitlement. Add isDevelopmentProfile() for explicit detection. Update assertProvisioningProfileType() to accept Development profiles for internal distribution, and reject them for store distribution. This enables credentialsSource: "local" with Development profiles needed for entitlements like Family Controls (com.apple.developer.family-controls) that only work with Development provisioning profiles. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…identity
Address review feedback: use the certificate common name from the
provisioning profile instead of hardcoding "Apple Development", which
doesn't cover all certificate types (e.g. "iPhone Developer", "iOS
Development"). Also fix grammar in error message ("an development" →
"a development").
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…e fix Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…around Now that @expo/config-plugins@55.0.7 supports the optional codeSignIdentity parameter in setProvisioningProfileForPbxproj, pass profile.certificateCommonName directly for development profiles and remove the overrideCodeSignIdentityForDevelopment workaround that was reading/writing the pbxproj a second time. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
qwertey6
force-pushed
the
fix/development-provisioning-profile
branch
from
8aed306 to
24ad60c
Compare
3 participants
Why
EAS does not distinguish iOS Development provisioning profiles from Ad Hoc profiles. Both have
ProvisionedDevices, so EAS treats them identically — settingCODE_SIGN_IDENTITY = "iOS Distribution"andEXPORT_METHOD = "ad-hoc". This causes builds to fail with:This is a blocker for entitlements like Family Controls (
com.apple.developer.family-controls) that only work with Development provisioning profiles — Apple does not grant this entitlement for Ad Hoc or App Store profiles. Users withcredentialsSource: "local"who supply a Development profile + Development certificate hit this immediately.Companion to #3484 (multi-cert matching fix). Related issues: #3192, #1201, #3185.
How
@expo/build-tools— detect Development profiles and set correct code signing identity:DEVELOPMENT = 'development'to theDistributionTypeenumresolveDistributionType()to checkEntitlements['get-task-allow']—truefor Development profiles,falsefor Ad Hoc@expo/config-pluginshardcodesCODE_SIGN_IDENTITY = "iPhone Distribution", override it to"Apple Development"when a Development profile is detectedios/credentials/provisioningProfile.tsandsteps/utils/ios/credentials/provisioningProfile.tsios/configure.tsandsteps/utils/ios/configure.tseas-cli— accept Development profiles for internal distribution:isAdHocProfile()to returnfalsefor Development profiles (checkget-task-allow)isDevelopmentProfile()utilityassertProvisioningProfileType()to accept Development profiles fordistribution: "internal", and reject them for store distributionTest Plan
configure.test.ts(both copies) verifying a Development profile results inCODE_SIGN_IDENTITY = "Apple Development"instead of"iPhone Distribution"yarn typecheckpasses across all 13 packagesyarn lintandyarn fmtpass🤖 Generated with Claude Code