iOS Entitlements replaced during build

[russriser]

iOS entitlements that were added manually through the Apple Developer portal appear to be erased during expo's eas build and replaced with one that's not useful.

I have Beta11 installed.

Here are the enabled capabilities for my app, taken from the Provisioning Profile that I manually generated in the Apple Dev portal:

Here are the entitlements in my XCode logs when running a build with and without OneSignal configured...

Without OneSignal:

{
    "application-identifier" = "TEAM_ID.com.PROJECT.www";
    "aps-environment" = production;
    "beta-reports-active" = 1;
    "com.apple.developer.applesignin" =     (
        Default
    );
    "com.apple.developer.team-identifier" = TEAM_ID;
    "get-task-allow" = 0;
}

With OneSignal:

{
    "application-identifier" = "TEAM_ID.com.PROJECT.www";
    "beta-reports-active" = 1;
    "com.apple.developer.team-identifier" = TEAM_ID;
    "get-task-allow" = 0;
    "keychain-access-groups" =     (
        "TEAM_ID.com.PROJECT.www"
    );
}

As you can see, aps-environment and applesignin are both overwritten with keychain-access-groups when the OneSignal plugin is included in the build.

Here is my OneSignal plugin configuration in app.config.ts

     plugins: [
      'sentry-expo',
      [
        'onesignal-expo-plugin',
        {
          mode: process.env.NODE_ENV || 'production',
          devTeam: 'TEAM_ID',
        },
      ]
    ],

I've tried adding the entitlements manually to my app.config.ts like so:

ios: {
     ...,
      entitlements: {
        'aps-environment': 'production',
        'com.apple.developer.applesignin': ['Default'],
        'com.apple.security.application-groups': [
          'group.com.yc14ec100daa.www.onesignal',
        ],
        'keychain-access-groups': ['9T3ZC4D4BU.com.yc14ec100daa.www'],
      },
}

And I was able to verify that the configuration was updated by running expo config --type introspect, but the entitlements were cleared again once I built using eas build

And here is the Apple email that brought the issue to my attention:

Dear Developer,
We identified one or more issues with a recent delivery for your app, "PROJECT". Your delivery was successful, but you may wish to correct the following issues in your next delivery:

ITMS-90078: Missing Push Notification Entitlement - Your app appears to register with the Apple Push Notification service, but the app signature's entitlements do not include the 'aps-environment' entitlement. If your app uses the Apple Push Notification service, make sure your App ID is enabled for Push Notification in the Provisioning Portal, and resubmit after signing your app with a Distribution provisioning profile that includes the 'aps-environment' entitlement. Xcode does not automatically copy the aps-environment entitlement from provisioning profiles at build time. This behavior is intentional. To use this entitlement, either enable Push Notifications in the project editor's Capabilities pane, or manually add the entitlement to your entitlements file. For more information, see https://developer.apple.com/library/content/documentation/NetworkingInternet/Conceptual/RemoteNotificationsPG/HandlingRemoteNotifications.html#//apple_ref/doc/uid/TP40008194-CH6-SW1.

After you’ve corrected the issues, you can upload a new binary to App Store Connect.
Best regards,The App Store Team

I just finished getting my builds to complete without error by following the steps here: #40

I'm hoping I just messed up a step somewhere along the way.

[rgomezp]

Howdy,
Here are some things to look at:

1. Open up the xcodeproj in the ios directory. See if there are any obvious errors/warnings.
2. When you run the eas build command and are prompted to add push notifications by the CLI, are you saying "yes" or "no"?

Best

[russriser]

I don't have an ios directory since I develop on a windows machine, but after inspecting my fastlane logs in EAS, here are the 2 warnings I have:

warning:  The file reference for "OneSignalNotificationServiceExtension" is a member of multiple groups ("Pods" and ""); this indicates a malformed project.

ld: linking against a dylib which is not safe for use in application extensions: /Users/expo/Library/Developer/Xcode/DerivedData/PROJECT/Build/Intermediates.noindex/ArchiveIntermediates/PROJECT/BuildProductsPath/Release-iphoneos/XCFrameworkIntermediates/OneSignal/OneSignal.framework/OneSignal

I started this journey back in November, and I selected 'yes' for push notifications. Since then, my logs when starting a build with eas always include this:
Push Notifications setup for PROJECT: BUNDLE_ID

[rgomezp]

Ahh. Try setting it to 'no'. Unfortunately, I'm unfamiliar with what EAS is doing under the hood, but maybe selecting 'yes' leads to Expo trying to manage the entitlements for you and this is leading to a conflict.

I would have to test this myself to know for sure when I have the time. But give that a shot.

[russriser]

Unfortunately, that didn't work.

Setting up push notifications with EAS adds an Apple Push Key to my EAS account credentials. I'm not sure how it gets applied to the build.

I removed and revoked that push key, but hit the same problem.

I have my Push Notifications Certificate uploaded to the Apple Developer Portal under the Push Notifications capability. This is the same one I uploaded to my OneSignal portal. Should I have that push cert downloaded and saved somewhere in my project?

[rgomezp]

Setting up push notifications with EAS adds an Apple Push Key to my EAS account credentials. I'm not sure how it gets applied to the build.
I removed and revoked that push key, but hit the same problem.

We don't want EAS managing your push credentials since this is something you're doing on the side and uploading to OneSignal. I wonder if EAS is still somehow managing your notifications somehow. You could try building a blank example app to see if you learn anything.

I have my Push Notifications Certificate uploaded to the Apple Developer Portal under the Push Notifications capability. This is the same one I uploaded to my OneSignal portal. Should I have that push cert downloaded and saved somewhere in my project?

That shouldn't be necessary.

[russriser]

I had my coworker build our app with his personal EAS account using a different distribution certificate (and re-generated provisioning profiles).

That didn't work, so it appears to be an issue relating to our local configuration, nothing to do with EAS managing push notification credentials.

I'll try a blank project, or something similar next.

[russriser]

I created a blank project and set up the onesignal-expo-plugin. The entitlements remained intact through the build process.

So I copied my real app's app.config.ts into the new test app and tried again (after installing the new dependencies), and the entitlements still remained intact.

Still working on finding the difference between the two...

[russriser]

Installed all of my app's dependencies in the test app. Still builds with all the entitlements fine.

I've followed the same process for creating new identifiers, provisioning profiles, and app groups for both so I'm at a loss here.

[russriser]

Well, after many hours over the last week, and countless builds with cleared entitlements, I finally found the problem.

I had googleServicesFile: './GoogleService-Info.plist' set in my app.config.ts file.

I don't know why it's incompatible with the onesignal plugin, but I actually don't think I need that file anymore, so my issue is resolved.

[russriser]

Definitely spoke too soon. I had one build work, but I haven't been able to recreate the success.

I've spent hours now analyzing my XCode logs to see if there is a substantive difference between the build that worked and the ones that don't, but I haven't found anything.

I verified in my logs that the correct provisioning profile is being used. And I inspected the provisioning profile itself and made sure it has the correct entitlements.

It's very strange. To my memory, the only thing I did between the build that worked and the one before it was remove the GoogleServicesFile from app.config.ts.

@rgomezp

[russriser]

Discovered in the XCode logs that CODE_SIGN_ENTITLEMENTS was set only in the build that worked, and is not found in the builds that didn't.

I'm unsure what this means in terms of fixing the problem.

I also made a post on the expo forums here:

https://forums.expo.dev/t/code-sign-entitlements-not-getting-set/62227

[rgomezp]

CODE_SIGN_ENTITLEMENTS

We set this setting for the NSE automatically within withOneSignalIos.ts

If it was not set, or it was replaced, it might be causing have side-effects. See if any other config plugins you are using are doing anything with this setting.

[russriser]

To give another update, after copying my app.config.ts into the blank app and installing all dependencies didn't replicate the issue, I ended up copying all my source code into the blank app. This is the only thing that caused the blank app to be built with the replaced entitlements. Why the source code is a problem, I'm not sure.

I reverted to old commits in my primary app to try and find the exact problem, but results were very inconsistent. At one point, I ran 3 builds in a row with out making any changes, and the 3rd attempt had a different result.

[rgomezp]

Let's go ahead and leave #67 open since they're duplicates and that one has more participants