Code Signing or Xcode adding mysterious entitlements that do not exist in the project

Hello Engineers

My app was rejected with the message below, BUT I don't have these entitlements in my project! I already removed all Xcode files under ${HOME}/Developer/Xcode, but the problem is still there!

Guideline 2.4.5(i) - Performance

In order to continue reviewing your app, we require additional information.

Your app uses one or more entitlements which do not appear to have matching functionality within the app. Please reply to this message in App Store Connect and describe how and where the app uses the following entitlements. You will not need to upload a new binary to provide this information.

Apps should have only the minimum set of entitlements necessary for the app to function properly. If there are entitlements that are not needed, please remove them and submit an updated binary. You will need to Developer Reject the app to upload an updated version.

"com.apple.security.assets.pictures.read-write" "com.apple.security.assets.movies.read-write" "com.apple.security.assets.music.read-write" "com.apple.security.files.downloads.read-write"

Here are my entitlements:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.security.app-sandbox</key>
	<true/>
	<key>com.apple.security.application-groups</key>
	<array>
		<string>group.org.eof.apps</string>
	</array>
	<key>com.apple.security.files.user-selected.read-write</key>
	<true/>
</dict>
</plist>

Who inserts these entitlements, and where? Which button do I have to click to deactivate them?

Link to my project:

DRFXBuilder

Regards

Answered by DTS Engineer in 849276022
"I also found that this is additionally written to the file DRFXBuilder.build/DerivedSources/Entitlements.plist"

That doesn’t look like an Xcode thing. When Xcode processes your entitlements, it puts them into the .xcent file.

So I downloaded your project and took a look:

% grep Entitlements.plist -r .                  
./xcode-fix-entitlements.sh:# ---> ${SOURCE_ROOT}/../../Entitlements.plist
…

I’m not sure what this actually does, but it’s clear that your project is set up to create its entitlements via some non-standard processes. My advice is that you dig into that setup in more depth. Or just remove it, and let Xcode handle this complexity for you.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I removed the permissions for a temporary file during the build process. My entitlements file doesn't contain any of the entitlements mentioned. Why does the code sign tool or Xcode's built-in ProductPackagingUtility have to change my decisions? Is this artificial stupidity?

ProcessProductPackaging /Users/xxxxx/EoF/DRFXBuilder/DRFXBuilder_sandbox.entitlements /Users/xxxxx/EoF/DRFXBuilder/build/xcode/DRFXBuilder.build/Release/DRFXBuilder.build/DRFXBuilder.app.xcent (in target 'DRFXBuilder' from project 'DRFXBuilder')

    cd /Users/xxxxx/EoF/DRFXBuilder/build/xcode
    Entitlements:
    {
    "com.apple.application-identifier" = "IDIDIDIDI.org.eof.tools.DRFXBuilder";
    "com.apple.developer.team-identifier" = IDIDIDID;
    "com.apple.security.app-sandbox" = 1;
    "com.apple.security.application-groups" =     (
        "group.org.eof.apps"
    );

    "com.apple.security.assets.movies.read-write" = 1;   <<<<- NOT MY DECISION
    "com.apple.security.assets.music.read-write" = 1;   <<<<- NOT MY DECISION
    "com.apple.security.assets.pictures.read-write" = 1;  <<<<- NOT MY DECISION
    "com.apple.security.files.downloads.read-write" = 1;   <<<<- NOT MY DECISION

    "com.apple.security.files.user-selected.read-write" = 1; <<<<<- YES MY DECISION
}

    builtin-productPackagingUtility /Users/xxxx/EoF/DRFXBuilder/DRFXBuilder_sandbox.entitlements -entitlements -format xml -o /Users/xxxxx/EoF/DRFXBuilder/build/xcode/DRFXBuilder.build/Release/DRFXBuilder.build/DRFXBuilder.app.xcent

error: could not write entitlements file '/Users/xxxxx/EoF/DRFXBuilder/build/xcode/DRFXBuilder.build/Release/DRFXBuilder.build/DRFXBuilder.app.xcent': Permission denied (13) (in target 'DRFXBuilder' from project 'DRFXBuilder')

.... AND EVEN FUNNIER ... I removed the Sandbox entitlement and the Xcode artificial stupidity still wants to insert the entitlements!!!

ProcessProductPackaging /Users/xxxxx/EoF/DRFXBuilder/DRFXBuilder_sandbox.entitlements /Users/xxxxx/EoF/DRFXBuilder/build/xcode/DRFXBuilder.build/Release/DRFXBuilder.build/DRFXBuilder.app-Simulated.xcent (in target 'DRFXBuilder' from project 'DRFXBuilder')
    cd /Users/xxxxx/EoF/DRFXBuilder/build/xcode

    Entitlements:

    {
}

    builtin-productPackagingUtility /Users/xxxxx/EoF/DRFXBuilder/DRFXBuilder_sandbox.entitlements -entitlements -format xml -o /Users/xxxxx/EoF/DRFXBuilder/build/xcode/DRFXBuilder.build/Release/DRFXBuilder.build/DRFXBuilder.app-Simulated.xcent

ProcessProductPackagingDER /Users/xxxxx/EoF/DRFXBuilder/build/xcode/DRFXBuilder.build/Release/DRFXBuilder.build/DRFXBuilder.app-Simulated.xcent /Users/xxxxx/EoF/DRFXBuilder/build/xcode/DRFXBuilder.build/Release/DRFXBuilder.build/DRFXBuilder.app-Simulated.xcent.der (in target 'DRFXBuilder' from project 'DRFXBuilder')
    cd /Users/xxxxx/EoF/DRFXBuilder/build/xcode
    /usr/bin/derq query -f xml -i /Users/xxxxx/EoF/DRFXBuilder/build/xcode/DRFXBuilder.build/Release/DRFXBuilder.build/DRFXBuilder.app-Simulated.xcent -o /Users/xxxxx/EoF/DRFXBuilder/build/xcode/DRFXBuilder.build/Release/DRFXBuilder.build/DRFXBuilder.app-Simulated.xcent.der --raw

WriteAuxiliaryFile /Users/xxxxx/EoF/DRFXBuilder/build/xcode/DRFXBuilder.build/Release/DRFXBuilder.build/DerivedSources/Entitlements.plist (in target 'DRFXBuilder' from project 'DRFXBuilder')
    cd /Users/xxxxx/EoF/DRFXBuilder/build/xcode
    write-file /Users/xxxxx/EoF/DRFXBuilder/build/xcode/DRFXBuilder.build/Release/DRFXBuilder.build/DerivedSources/Entitlements.plist

ProcessProductPackaging /Users/xxxxx/EoF/DRFXBuilder/DRFXBuilder_sandbox.entitlements /Users/xxxxx/EoF/DRFXBuilder/build/xcode/DRFXBuilder.build/Release/DRFXBuilder.build/DRFXBuilder.app.xcent (in target 'DRFXBuilder' from project 'DRFXBuilder')
    cd /Users/xxxxx/EoF/DRFXBuilder/build/xcode

    Entitlements:

    {
    "com.apple.application-identifier" = "IDIDID.org.eof.tools.DRFXBuilder";
    "com.apple.developer.team-identifier" = IDIDID;
    "com.apple.security.application-groups" =     (
        "group.org.eof.apps"
    );
    "com.apple.security.assets.movies.read-write" = 1;
    "com.apple.security.assets.music.read-write" = 1;
    "com.apple.security.assets.pictures.read-write" = 1;
    "com.apple.security.files.downloads.read-write" = 1;
    "com.apple.security.files.user-selected.read-write" = 1;
}

    builtin-productPackagingUtility /Users/xxxxx/EoF/DRFXBuilder/DRFXBuilder_sandbox.entitlements -entitlements -format xml -o /Users/xxxxx/EoF/DRFXBuilder/build/xcode/DRFXBuilder.build/Release/DRFXBuilder.build/DRFXBuilder.app.xcent
error: could not write entitlements file '/Users/xxxxx/EoF/DRFXBuilder/build/xcode/DRFXBuilder.build/Release/DRFXBuilder.build/DRFXBuilder.app.xcent': Permission denied (13) (in target 'DRFXBuilder' from project 'DRFXBuilder')

So I researched deep into /var/folders and found com.apple.dt.Xcode and some Developer stuff. I removed these directories, and WoW, the entitlements were gone in the next build. My conclusion is:

Your build software has a stupid BUG! Xcode or whatever references outdated temporary stuff from /var/folders instead of using the user's decisions in the project tree. That's why I got rejects from your App Store validation every time!!!!!!

Regards, and happy code analysis. I'll wait for the next Xcode and developer tools update.

Hey man, I've been struggling with a similar issue where Apple is adding a "com.apple.developer.web-browser-engine.host" entitlement to my app although I never use it.

-> Which means I fail the validation from SPI when uploading to App Store Connect, as it is supposed to be a private entitlement that needs to be granted by Apple.

Can you explain exactly what you did to solve your issue? Where did you find the /var/folders you're talking about?

Cheers man

... and after some deeper testing, I added Sandbox again and found that the unwanted entitlements are set again. I also found that this is additionally written to the file DRFXBuilder.build/DerivedSources/Entitlements.plist with a wrong entitlement setup.

Accepted Answer

So finally I found a way to fix the wrong behavior of the Xcode build and archive process ... The following script snippet patches the wrong files with the right ones.

# Type a script or drag a script file from your workspace to insert its path.
# NOTE!!! -> Paste the script into Xcode Build Phase - custom build script
# Input files:
# ---> ${SOURCE_ROOT}/../../Entitlements.plist
# ---> ${SOURCE_ROOT}/../../DRFXBuilder.app.xcent
# Output files:
#  LEAVE EMPTY
echo "-------- PATCH WRONG ENTITLEMENTS ---------"
echo "-- build env"
printenv
##-- Overwrite the Entitlements.plist and .xcent that Xcode generates under
##-- the Debug and Release build dirs with the pre-made copies kept two
##-- directories above SOURCE_ROOT (paths quoted so spaces cannot break them).
mkdir -p "${BUILD_ROOT}/DRFXBuilder.build/Debug/DRFXBuilder.build/DerivedSources"
cp -pv "${SOURCE_ROOT}/../../Entitlements.plist" "${BUILD_ROOT}/DRFXBuilder.build/Debug/DRFXBuilder.build/DerivedSources/Entitlements.plist"
cp -pv "${SOURCE_ROOT}/../../DRFXBuilder.app.xcent" "${BUILD_ROOT}/DRFXBuilder.build/Debug/DRFXBuilder.build/DRFXBuilder.app.xcent"
##--
mkdir -p "${BUILD_ROOT}/DRFXBuilder.build/Release/DRFXBuilder.build/DerivedSources"
cp -pv "${SOURCE_ROOT}/../../Entitlements.plist" "${BUILD_ROOT}/DRFXBuilder.build/Release/DRFXBuilder.build/DerivedSources/Entitlements.plist"
cp -pv "${SOURCE_ROOT}/../../DRFXBuilder.app.xcent" "${BUILD_ROOT}/DRFXBuilder.build/Release/DRFXBuilder.build/DRFXBuilder.app.xcent"
##-- Same for the target's own temp dir, whose location Xcode picks per build.
mkdir -p "${TARGET_TEMP_DIR}/DerivedSources"
cp -pv "${SOURCE_ROOT}/../../Entitlements.plist" "${TARGET_TEMP_DIR}/DerivedSources/Entitlements.plist"
cp -pv "${SOURCE_ROOT}/../../DRFXBuilder.app.xcent" "${TARGET_TEMP_DIR}/DRFXBuilder.app.xcent"

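
The check worth running before resubmitting, whether you keep the workaround script above or follow the DTS advice and let Xcode generate the .xcent: parse the entitlements file the project declares and the .xcent the build actually produced (or, on macOS, what codesign reports for the signed bundle) and list every entitlement the build carries that the project never asked for. This is an added example for this thread, not the poster's script and not an Apple tool. The two embedded plists are constructed from the entitlements and build log shown in the thread; the team ID "TEAMID1234" and the file name entcheck.py are hypothetical, and the codesign `--xml` flag is assumed to be available (macOS 12 and later). The two identifier keys Xcode adds from the signing identity are treated as expected, so only genuinely undeclared keys are flagged.

```python
#!/usr/bin/env python3
"""Diff the entitlements a project declares against the entitlements that
actually end up in the build product (.xcent) or in the signed bundle.

Added example for this thread; not the poster's script and not an Apple
tool. The sample plists are constructed from the thread: the declared one
is the poster's entitlements file, the built one is what the build log
printed for the .xcent, with a hypothetical team ID."""
import plistlib
import subprocess
import sys
from pathlib import Path

# Xcode adds these two from the signing identity / provisioning profile
# when it writes the .xcent; they are expected, not "mysterious".
XCODE_INJECTED = frozenset({
    "com.apple.application-identifier",
    "com.apple.developer.team-identifier",
})

# Constructed sample: the project's declared entitlements file.
DECLARED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.application-groups</key>
  <array><string>group.org.eof.apps</string></array>
  <key>com.apple.security.files.user-selected.read-write</key><true/>
</dict>
</plist>
"""

# Constructed sample: the .xcent content the build log showed (team ID is made up).
BUILT_XCENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>com.apple.application-identifier</key><string>TEAMID1234.org.eof.tools.DRFXBuilder</string>
  <key>com.apple.developer.team-identifier</key><string>TEAMID1234</string>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.application-groups</key>
  <array><string>group.org.eof.apps</string></array>
  <key>com.apple.security.assets.movies.read-write</key><true/>
  <key>com.apple.security.assets.music.read-write</key><true/>
  <key>com.apple.security.assets.pictures.read-write</key><true/>
  <key>com.apple.security.files.downloads.read-write</key><true/>
  <key>com.apple.security.files.user-selected.read-write</key><true/>
</dict>
</plist>
"""


def parse_entitlements(data: bytes) -> dict:
    """Parse an XML entitlements plist. Tolerates the binary blob header
    that older `codesign --entitlements :-` output carried before the XML."""
    start = data.find(b"<?xml")
    if start < 0:
        start = data.find(b"<plist")
    if start < 0:
        raise ValueError("no XML plist found in input")
    return plistlib.loads(data[start:])


def diff_entitlements(declared: dict, built: dict) -> dict:
    """Classify every key of the built entitlements against the declared set.
    "unexpected" holds entitlements the project never declared and Xcode
    does not inject itself; those are the ones App Review asks about."""
    unexpected = {k: v for k, v in built.items()
                  if k not in declared and k not in XCODE_INJECTED}
    injected = {k: v for k, v in built.items() if k in XCODE_INJECTED}
    changed = {k: (declared[k], built[k]) for k in declared
               if k in built and built[k] != declared[k]}
    missing = sorted(k for k in declared if k not in built)
    return {"unexpected": unexpected, "injected": injected,
            "changed": changed, "missing": missing}


def signed_entitlements(app_path: str) -> dict:
    """macOS only: read the entitlements baked into a signed bundle.
    Assumes `codesign -d --entitlements - --xml` (macOS 12+); on older
    systems use `--entitlements :-`. Not exercised by the offline test."""
    out = subprocess.run(
        ["codesign", "-d", "--entitlements", "-", "--xml", app_path],
        capture_output=True, check=True).stdout
    return parse_entitlements(out)


def main(argv: list) -> int:
    """Usage: entcheck.py declared.entitlements [built.xcent | App.app]
    With no arguments it runs on the constructed samples. Returns 1 when the
    build carries entitlements the project did not declare (or changed)."""
    if len(argv) == 3:
        declared = parse_entitlements(Path(argv[1]).read_bytes())
        built = (signed_entitlements(argv[2]) if argv[2].endswith(".app")
                 else parse_entitlements(Path(argv[2]).read_bytes()))
    else:
        declared = parse_entitlements(DECLARED_PLIST)
        built = parse_entitlements(BUILT_XCENT)
    result = diff_entitlements(declared, built)
    for key in sorted(result["unexpected"]):
        print(f"UNEXPECTED {key} = {result['unexpected'][key]!r}")
    for key, (old, new) in sorted(result["changed"].items()):
        print(f"CHANGED    {key}: {old!r} -> {new!r}")
    for key in result["missing"]:
        print(f"MISSING    {key}")
    return 1 if result["unexpected"] or result["changed"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no arguments and it flags exactly the four assets/downloads keys from the rejection while accepting the two identifier keys Xcode adds itself. For a real build, point it at the project's .entitlements file and at the .xcent path the build log names (the same file the workaround script above overwrites), or at the exported .app on a Mac; a non-zero exit is the signal to stop and find out where the extra keys come from rather than to upload.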
