I have a Safari Extension deployed to test flight built and deployed using CLI tools in Azure Devops. It appears to be building, signing, and deploying properly. But when users try to install on TestFlight, they see an error saying something about an invalid provisioning profile. This seems to just be on the "installer" portion of the app. The extension shows up in safari settings and is otherwise useable. The users just aren't seeing the splash screen that instructs them to go to Safari Settings. I'm not really sure what's wrong here. This is what my build pipeline looks like - task: Bash@3 displayName: "Build export.plist file" inputs: targetType: 'inline' script: /usr/libexec/PlistBuddy -c "Add :method string mac-application" $(Pipeline.Workspace)/export.plist && /usr/libexec/PlistBuddy -c "Add :provisioningProfiles dict" $(Pipeline.Workspace)/export.plist && /usr/libexec/PlistBuddy -c "Add :provisioningProfiles:$(APP_IDENTIFIER) string $(InstallDistProvisioningProfile.provisioningProfileUuid)" $(Pipeline.Workspace)/export.plist && /usr/libexec/PlistBuddy -c "Add :signingCertificate string '$(InstallDistCerts.signingIdentity)'" $(Pipeline.Workspace)/export.plist && /usr/libexec/PlistBuddy -c "Add :signingStyle string manual" $(Pipeline.Workspace)/export.plist && /usr/libexec/PlistBuddy -c "Add :teamID string $(APPLE_TEAM_ID)" $(Pipeline.Workspace)/export.plist && /usr/libexec/PlistBuddy -c "Add :iCloudContainerEnvironment string Production" $(Pipeline.Workspace)/export.plist && /usr/libexec/PlistBuddy -c "Add :stripSwiftSymbols bool true" $(Pipeline.Workspace)/export.plist && /usr/libexec/PlistBuddy -c "Add :compileBitcode bool false" $(Pipeline.Workspace)/export.plist - task: Xcode@5 displayName: "Build Safari Extension" inputs: action: "archive" sdk: "macosx" packageApp: true xcodeVersion: "15" args: "-verbose CODE_SIGNING_REQUIRED=Yes CODE_SIGNING_ALLOWED=Yes" exportOptions: "plist" exportOptionsPlist: '$(Pipeline.Workspace)/export.plist' exportMethod: "mac-application" archivePath: '$(Build.ArtifactStagingDirectory)/SafariDesktopExtension.xcarchive' signingOption: "default" - script: | xcodebuild -exportArchive \ -archivePath $(Build.ArtifactStagingDirectory)/SafariDesktopExtension.xcarchive \ -exportPath $(Build.ArtifactStagingDirectory) \ -exportOptionsPlist $(Pipeline.Workspace)/export.plist displayName: 'Export Distribution-signed App' - task: DownloadSecureFile@1 displayName: "Download Provisioning Profile" name: downloadProvisioningProfile inputs: secureFile: $(PROVISIONING_PROFILE_DIST) - script: | cp "$(downloadProvisioningProfile.secureFilePath)" "$(Build.ArtifactStagingDirectory)/SafariDesktopExtension.app/Contents/embedded.provisionprofile" displayName: "Embed provisioning profile in Top-Level Executable" - script: | cp "$(downloadProvisioningProfile.secureFilePath)" "$(Build.ArtifactStagingDirectory)/SafariDesktopExtension.app/Contents/PlugIns/SafariDesktopExtension Extension.appex/Contents/embedded.provisionprofile" displayName: "Embed provisioning profile in Extension" - script: | codesign --deep --force --verify --verbose --sign "$(InstallDistCerts.signingIdentity)" --entitlements "$(rootFolder)/safari/SafariDesktopExtension/SafariDesktopExtension/SafariDesktopExtension.entitlements" $(Build.ArtifactStagingDirectory)/SafariDesktopExtension.app displayName: "Codesign" - task: Bash@3 displayName: "Package Application" inputs: targetType: "inline" script: | productbuild --sign "$(InstallInstallerCert.signingIdentity)" --component "$(Build.ArtifactStagingDirectory)/SafariDesktopExtension.app" /Applications "$(Build.ArtifactStagingDirectory)/SafariDesktopExtension.pkg" I'm sure there's a bit of garbage here as I'm new to developing in the apple ecosystem. But it appears to work and the resulting .pkg can be submitted successfully. Effectively, that's building an archive using a plist for export options, exporting the archive for distribution, copying the distribution provisioning profile for the top-level executable (the one that's not working) and the extension itself, code signing, and packaging using the installer cert. The provisioning profile (attached to a Mac distribution certificate) mentioned has the correct application identifier and matches the entitlements. I'm not really sure what's going on here and the generic "invalid provisioning profile" error isn't helping. Any help would be appreciated. I'd also love to know if this could hold up a release.