com.apple.developer.payment-pass-provisioning missing in TestFlight build despite provisioning profile having it

Code Signing Entitlements
anantcred OP
Created 1w
Replies 8
Boosts 0
Views 584
Participants 2

In Xcode, under Signing & Capabilities (Release) for our bundle ID the selected provisioning profile does include the entitlement: com.apple.developer.payment-pass-provisioning

However, when we upload a new build to TestFlight, the Build Metadata → Entitlements section for the same bundle ID does not include com.apple.developer.payment-pass-provisioning. Because of this, PKAddPaymentPassViewController does not open in TestFlight builds. This suggests that while the entitlement is enabled for the App ID and visible in Xcode, it may not yet be propagated to App Store Connect’s signing service for TestFlight/App Store builds.

Please Note: The Wallet Entitlements team had confirmed that they had granted entitlements for our team and the apple IDs

Xcode : 26.0.1 Profile being used: Distribution Profile

Answered by DTS Engineer in 875518022

Thanks for that dump. Much nicer!

My reading of the stuff in your latest post suggests that you’re authorised to use the entitlement but you’re not actually claiming it. Remember that a provisioning profile acts an allowlist. It tells the system what entitlements you’re allowed to claim, but it doesn’t actually claim them. You actually claim entitlements in your app’s code signature.

Note To learn more about how this works, see TN3125 Inside Code Signing: Provisioning Profiles.

I usually debug problems like this by first confirming the nature of the problem:

  1. Instead of sending my app directly to App Store Connect, I export an archive. For example, when using Xcode’s organiser window I click Distribute App and then follow the Custom > App Store Connect > Export workflow.
  2. I then upload that archive using Transporter.
  3. Presuming that reproduces the problem, I unpack the archive by hand. See Unpacking Apple Archives.
  4. I can then dump the profile and the entitlements in the resulting app. The profile dump command is the same as the one I showed above. To dump the entitlements claimed by the app, do this:
% codesign -d --entitlements - /path/to/your.app

In your case I’d expect to see com.apple.developer.payment-pass-provisioning authorised by the profile but not claimed by the app. If that’s the case, you can work backwards through the build process to see how the app got that way.

Or perhaps you’ll see something different, which is interesting in and of itself.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Replies  8
Boosts  0
Views  584
Participants  2
DTS Engineer OP
Apple
6d

Which Team ID is this? 9________X? Or 2________7?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0
anantcred OP
5d

Hi eskimo,

Team ID is 2 _ _ _ _ _ _ _ _ 7 and Apple ID(s) for corresponding production : 6_ _ _ _ _ _ _ _ 8

Let me know if you need anything else. Thanks.

0
DTS Engineer OP
Apple
5d

Thanks for the confirmation.

My view of Team ID 2________7 indicates that it has access to In-App Provisioning capability (authorising the use of com.apple.developer.payment-pass-provisioning) for App Store distribution, and that’s the relevant thing for TestFlight. Please try this:

  1. In Certificates, Identifiers, and Profiles > Identifiers, navigate to your App ID and check that the In-App Provisioning capability is enabled for your app’s App ID.

  2. Certificates, Identifiers, and Profiles > Profiles, create a new Distribution > App Store Connect profile for that App ID.

  3. Download that profile.

  4. And dump its contents:

    % security cms -D -i /path/to/profile | plutil -p -

Does the profile include com.apple.developer.payment-pass-provisioning in its entitlements allowlist?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

1
anantcred OP
5d

Hi Quinn,

I followed your steps and the profile dump is as below. It has "com.apple.developer.payment-pass-provisioning" => 1 :

{ "AppIDName" => "XC com s_ _ _ _ _ _ d" "ApplicationIdentifierPrefix" => [ 0 => "2 _ _ _ _ _ _ 7" ] "CreationDate" => 2026-02-05 15:09:44 +0000 "DER-Encoded-Profile" => {length = 3857, bytes = 0x30820f0d 06092a86 4886f70d 010702a0 ... 73b0c49b eb3ffec9 } "DeveloperCertificates" => [ 0 => {length = 1487, bytes = 0x308205cb 308204b3 a0030201 02021007 ... b474d99f 14730350 } ] "Entitlements" => { "application-identifier" => "2 _ _ _ _ _ _ 7.com.s _ _ _ _ _ _ d" "aps-environment" => "production" "beta-reports-active" => 1 "com.apple.developer.associated-domains" => "" "com.apple.developer.in-app-payments" => [ 0 => "merchant.com.s_ _ _ _ _ _ d" ] "com.apple.developer.networking.slicing.appcategory" => [ 0 => "communication-9000" 1 => "games-6014" 2 => "streaming-9001" ] "com.apple.developer.networking.slicing.trafficcategory" => [ 0 => "defaultslice-1" 1 => "video-2" 2 => "background-3" 3 => "voice-4" 4 => "callsignaling-5" 5 => "responsivedata-6" 6 => "avstreaming-7" 7 => "responsiveav-8" ] "com.apple.developer.payment-pass-provisioning" => 1 "com.apple.developer.team-identifier" => "2 _ _ _ _ _ _ _ 7" "get-task-allow" => 0 "keychain-access-groups" => [ 0 => "2_ _ _ _ _ _ _ _7." 1 => "com.apple.token" ] } "ExpirationDate" => 2027-01-14 03:49:44 +0000 "IsXcodeManaged" => 0 "Name" => "S_ _ _ _ _ _ d Distribution Profile with Wallet" "Platform" => [ 0 => "iOS" 1 => "xrOS" 2 => "visionOS" ] "PPQCheck" => 0 "TeamIdentifier" => [ 0 => "2 _ _ _ _ _ _ 7" ] "TeamName" => "S _ _ _ C_ _ D LLC" "TimeToLive" => 342 "UUID" => "7 _ _ d88-f496-4218-87e4-10fd6 _ _ _ _ _6" "Version" => 1 }

But still the app I uploaded again on testflight with above profile - 1.0.17 (20250205100) has missing entitlement: com.apple.developer.payment-pass-provisioning

Entitlements (under Build Metadata on testflight) S_ _ _ _ C_ D.app/S _ _ _ C_ D application-identifier: 2 _ _ _ _ _ _ 7.com.sirencard beta-reports-active: true get-task-allow: false com.apple.developer.associated-domains: ( "webcredentials:securewebview.s _ _ _ _ _ _ d.com", "applinks:secu_ _ _ _ _ _ _ w.s_ _ _ _ _ _ _ d.com", "applinks:apply.s_ _ _ _ _ _ _ d.com", "applinks:securewebview-rc-prod.s_ _ _ _ _ _ _ d.com", "applinks:go.s_ _ _ _ _ _ _ d.com" ) com.apple.developer.in-app-payments: ( "merchant.com.s_ _ _ _ _ _ _ d" ) com.apple.developer.team-identifier: 2_ _ _ _ _ _ _ _7 aps-environment: production

Why would that happen ? Appreciate your help in resolving this issue. Please let me know if you need anything else.

0
DTS Engineer OP
Apple
4d

Hmmm, that’s really hard to read )-: Please repost it using code blocks for the preformatted text. See tip 5 in Quinn’s Top Ten DevForums Tips for info on how to do that.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0
anantcred OP
3d

Hi Quinn,

Profile dump with preformed text for your reference is as below. It has "com.apple.developer.payment-pass-provisioning" => 1:

anantpatel@BLR-WS-004 Downloads % security cms -D -i Si_ _ _c_ _d_Distribution_Profile_with_Wallet.mobileprovision| plutil -p -
{
  "AppIDName" => "XC com s_ _ _ _ _ _ _ _d”
  "ApplicationIdentifierPrefix" => [
    0 => "2_ _ _ _ _ _ _ _7"
  ]
  "CreationDate" => 2026-02-05 15:09:44 +0000
  "DER-Encoded-Profile" => {length = 3857, bytes = 0x30820f0d 06092a86 4886f70d 010702a0 ... 73b0c49b eb3ffec9 }
  "DeveloperCertificates" => [
    0 => {length = 1487, bytes = 0x308205cb 308204b3 a0030201 02021007 ... b474d99f 14730350 }
  ]
  "Entitlements" => {
    "application-identifier" => “2_ _ _ _ _ _ _ _7.com.si_ _ _c_ _d"
    "aps-environment" => "production"
    "beta-reports-active" => 1
    "com.apple.developer.associated-domains" => "*"
    "com.apple.developer.in-app-payments" => [
      0 => "merchant.com.si_ _ _c_ _d"
    ]
    "com.apple.developer.networking.slicing.appcategory" => [
      0 => "communication-9000"
      1 => "games-6014"
      2 => "streaming-9001"
    ]
    "com.apple.developer.networking.slicing.trafficcategory" => [
      0 => "defaultslice-1"
      1 => "video-2"
      2 => "background-3"
      3 => "voice-4"
      4 => "callsignaling-5"
      5 => "responsivedata-6"
      6 => "avstreaming-7"
      7 => "responsiveav-8"
    ]
    "com.apple.developer.payment-pass-provisioning" => 1
    "com.apple.developer.team-identifier" => "2_ _ _ _ _ _ _ _7"
    "get-task-allow" => 0
    "keychain-access-groups" => [
      0 => "2_ _ _ _ _ _ _ _7.*"
      1 => "com.apple.token"
    ]
  }
  "ExpirationDate" => 2027-01-14 03:49:44 +0000
  "IsXcodeManaged" => 0
  "Name" => “Si_ _ _c_ _d Distribution Profile with Wallet"
  "Platform" => [
    0 => "iOS"
    1 => "xrOS"
    2 => "visionOS"
  ]
  "PPQCheck" => 0
  "TeamIdentifier" => [
    0 => "2_ _ _ _ _ _ _ _7"
  ]
  "TeamName" => “S_ _ _ _ C_ _ _D LLC"
  "TimeToLive" => 342
  "UUID" => "7a926d88-f496-4218-87e4-10fd62f0d926"
  "Version" => 1
}

But still the app I uploaded on testflight with above profile - 1.0.17 (20250205100) has missing entitlement: com.apple.developer.payment-pass-provisioning

Entitlements under testflight on appstoreconnect for 1.0.17 (20250205100) are uploaded in the image (with team and other Ids redacted for security):

S_ _ _ _ _ _ _D.app/S_ _ _ _ _ _D
    application-identifier: 2_ _ _ _ _ _ _ _7.com.si_ _ _c_ _d
    beta-reports-active: true
    get-task-allow: false
    com.apple.developer.associated-domains: ( "webcredentials:securewebview.si_ _ _ _ _ _d.com", "applinks:securewebview.si_ _ _c_ _d.com", "applinks:apply.si_ _ _c_ _d.com", "applinks:securewebview-rc-prod.si_ _ _c_ _d.com", "applinks:go.si_ _ _c_ _d.com" )si_ _ _ _ _ _d
    com.apple.developer.in-app-payments: ( "merchant.com.si_ _ _ _ _ _d" )
    com.apple.developer.team-identifier: 2_ _ _ _ _ _ _ _7
    aps-environment: production

Please let me know if you need anything more from my end in order to help resolve this issue. Thanks.

0
DTS Engineer OP
Apple
1d
Recommended

Thanks for that dump. Much nicer!

My reading of the stuff in your latest post suggests that you’re authorised to use the entitlement but you’re not actually claiming it. Remember that a provisioning profile acts an allowlist. It tells the system what entitlements you’re allowed to claim, but it doesn’t actually claim them. You actually claim entitlements in your app’s code signature.

Note To learn more about how this works, see TN3125 Inside Code Signing: Provisioning Profiles.

I usually debug problems like this by first confirming the nature of the problem:

  1. Instead of sending my app directly to App Store Connect, I export an archive. For example, when using Xcode’s organiser window I click Distribute App and then follow the Custom > App Store Connect > Export workflow.
  2. I then upload that archive using Transporter.
  3. Presuming that reproduces the problem, I unpack the archive by hand. See Unpacking Apple Archives.
  4. I can then dump the profile and the entitlements in the resulting app. The profile dump command is the same as the one I showed above. To dump the entitlements claimed by the app, do this:
% codesign -d --entitlements - /path/to/your.app

In your case I’d expect to see com.apple.developer.payment-pass-provisioning authorised by the profile but not claimed by the app. If that’s the case, you can work backwards through the build process to see how the app got that way.

Or perhaps you’ll see something different, which is interesting in and of itself.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0
anantcred OP
22h

Hi Quinn,

Thank you for above pointers.

Following it, I found that:

The release entitlements file we were using (Ro_ _ IOSS_ _ _n.entitlements) did not include com.apple.developer.payment-pass-provisioning, so the app never claimed it. That’s why App Store Connect flagged the entitlement as missing.

**Fixes I made: **

a. Added this key (entitlement) to RoboIOSSiren.entitlements manually:

<key>com.apple.developer.payment-pass-provisioning</key> <true/>

and updated aps-environment to production

<key>aps-environment</key> <string>production</string>

b. After (a) I did below in order:

  1. Clean + Archive

    • In Xcode: Product > Clean Build Folder…
    • Then: Product > Archive

  2. Verify entitlements in the archive

    • In Organizer, select the new archive → Distribute AppCustomApp Store ConnectExport
    • On the “Review IPA content” screen, confirm the entitlements list now includes:
      • com.apple.developer.payment-pass-provisioning

  3. Upload using Transporter

    • Upload the exported .ipa with Transporter.

  4. Check App Store Connect

    • Wait for processing and re-check the TestFlight build entitlements.
    • It then showed com.apple.developer.payment-pass-provisioning under build metadata.

Then while testing the app, I was finally able to invoke the Add to Card screen. (screenshot below).

I can now move forward with the required development.

Once again thank you for helping me resolve this.

0
com.apple.developer.payment-pass-provisioning missing in TestFlight build despite provisioning profile having it
First post date Last post date
 
 
Q