Maui Rc1 and .net 7 app crashes if you have entitlements

[gabsamples6]

Description

Added anything inside the Entitlement crashes the app and you can no longer debug (windows pc - hotrestart)

Am I missing something obvious?

Attached file below

MauiWithEntitlements.zip

Steps to Reproduce

1. Create a maui app
2. add an entitlment plist
3. add something like

<?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
      <plist version="1.0">
      <dict>
	      <key>aps-environment</key>
	      <string>development</string>
      </dict>
      </plist>

4. Build the app and deploy
5. Get an error "there were deployment errors..."

Remove any text from entitlements and it builds and deploy..

Link to public reproduction project repository

see below

Version with bug

8.0.0-rc.1.9171

Is this a regression from previous behavior?

Not sure, did not test other versions

Last version that worked well

Unknown/Other

Affected platforms

iOS

Affected platform versions

VS 2022 any version

Did you find any workaround?

no

adding below did not help

<PropertyGroup Condition="'$(Configuration)|$(TargetFramework)|$(Platform)'=='Debug|net7.0-ios|AnyCPU'"> <CodesignEntitlements>Platforms\iOS\Entitlements.plist</CodesignEntitlements> </PropertyGroup>

<PropertyGroup Condition="'$(Configuration)|$(TargetFramework)|$(Platform)'=='Release|net7.0-ios|AnyCPU'"> <CodesignEntitlements>Platforms\iOS\Entitlements.plist</CodesignEntitlements> </PropertyGroup>

Relevant log output

No response

[roughiain]

Are the entitlements matched in the provisioning profile?

[gabsamples6]

Are the entitlements matched in the provisioning profile?

yes. they do . but I might be missing a step and I just want to make sure - what I am doing is correct.

1. I have all setup cert- Prov Profile - P8 key etc... and in my prov profile is says "Associated domains - In-AppPurchase- Push notification

How do I check that they match.. I am asking the obvious in case I am missing the obvious

many thanks

[roughiain]

You can run security cms -D -i Profile.mobileprovision | xmllint --xpath "/plist/dict/key[text()='Entitlements']/following-sibling::dict[position()=1]" -

Apple Developer Docs

[mattleibow]

Just confirming, this is an issue on an iPhone plugged into a Windows PC? Or is this the Pair to Mac deploy?

[mattleibow]

@rolfbjarne Does the hot restart app support custom entitlements?

[gabsamples6]

@mattleibow its an iPhone plugged to a windows pc

[gabsamples6]

Hi wondering if this gets any attention - how can we possible work in a debug environment ? This is very basic requirement.
Any suggestions or workarounds?

[rolfbjarne]

@rolfbjarne Does the hot restart app support custom entitlements?

No, as far as I can tell Hot Restart doesn't support custom entitlements.

CC @emaf do we have an issue for supporting custom entitlements with Hot Restart elsewhere?

[emaf]

@rolfbjarne We do execute CompileEntitlements, is there anything else we are missing?

https://github.com/xamarin/xamarin-macios/blob/main/msbuild/Xamarin.iOS.Tasks.Windows/Xamarin.iOS.HotRestart.targets#L139

[mattleibow]

What about plists in the app?

[rolfbjarne]

@emaf

@rolfbjarne We do execute CompileEntitlements, is there anything else we are missing?

xamarin/xamarin-macios@main/msbuild/Xamarin.iOS.Tasks.Windows/Xamarin.iOS.HotRestart.targets#L139

The entitlements are used when signing the app:

https://github.com/xamarin/xamarin-macios/blob/1487bfe645140e61656873a97ed526c49756c650/msbuild/Xamarin.MacDev.Tasks/Tasks/CodesignTaskBase.cs#L241-L245

but Hot Restart aren't using them when signing for Hot Restart:

https://github.com/xamarin/xamarin-macios/blob/1487bfe645140e61656873a97ed526c49756c650/msbuild/Xamarin.iOS.Tasks.Windows/Xamarin.iOS.HotRestart.targets#L267-L271

[emaf]

@emaf

@rolfbjarne We do execute CompileEntitlements, is there anything else we are missing?
xamarin/xamarin-macios@main/msbuild/Xamarin.iOS.Tasks.Windows/Xamarin.iOS.HotRestart.targets#L139

The entitlements are used when signing the app:

https://github.com/xamarin/xamarin-macios/blob/1487bfe645140e61656873a97ed526c49756c650/msbuild/Xamarin.MacDev.Tasks/Tasks/CodesignTaskBase.cs#L241-L245

but Hot Restart aren't using them when signing for Hot Restart:

https://github.com/xamarin/xamarin-macios/blob/1487bfe645140e61656873a97ed526c49756c650/msbuild/Xamarin.iOS.Tasks.Windows/Xamarin.iOS.HotRestart.targets#L267-L271

@rolfbjarne The codesign code is internally looking for the entitlement file saved into the pre-built app bundle which is where the CompileEntitlements task is saving the compiled entitlements file. There sill be a bug but it looks everything needed for this to work is there.

@gabsamples6 Could you share device logs after reproducing the app crash? You can open the device logs from Visual Studio -> Tools -> iOS -> Device Log, then reproduce the problem and finally copy all its content.

[gabsamples6]

@emaf
my findings
if you have a project in debug with an entitlement.plist containing just

<key>aps-environment</key>
<string>development</string>

or with

<key>get-task-allow</key>
<false/>

log will say " a valid provisioning profile was not found "

Xamarin.Messaging.IDB.Local.DeployAppMessageHandler Error: 0 : An error occurred while trying to deploy the app 'MauiEnt.app'. Details: Could not install the application 'C:\Users\user\AppData\Local\Temp\Xamarin\HotRestart\Signing\MauiEnt.app\out\MauiEnt.ipa' on the device Mark’s iPhone. Details: ApplicationVerificationFailed|0xE8008015 - Failed to verify code signature of /var/installd/Library/Caches/com.apple.mobile.installd.staging/temp.2CFQsP/extracted/Payload/MauiEnt.app : 0xe8008015 (A valid provisioning profile for this executable was not found.)
Xamarin.iOS.Windows.WindowsiOSException: Could not install the application 'C:\Users\user\AppData\Local\Temp\Xamarin\HotRestart\Signing\MauiEnt.app\out\MauiEnt.ipa' on the device Mark’s iPhone. Details: ApplicationVerificationFailed|0xE8008015 - Failed to verify code signature of /var/installd/Library/Caches/com.apple.mobile.installd.staging/temp.2CFQsP/extracted/Payload/MauiEnt.app : 0xe8008015 (A valid provisioning profile for this executable was not found.)
   at Xamarin.iOS.Windows.Installer.ApplicationSession.InstallApp(String appPath, String appBundleId) in D:\a\_work\1\s\src\Tools\Xamarin.iOS.Windows.Client\Installer\ApplicationSession.cs:line 276
   at Xamarin.iOS.Windows.Installer.ApplicationSession.Deploy(String appRootFolder, String appBundleId, String appName) in D:\a\_work\1\s\src\Tools\Xamarin.iOS.Windows.Client\Installer\ApplicationSession.cs:line 95
   at Xamarin.iOS.Windows.HotRestartClient.Deploy(AppleDevice nativeDevice, String appBundleId, String appBundleName, Boolean& incremental) in D:\a\_work\1\s\src\Tools\Xamarin.iOS.Windows.Client\HotRestartClient.cs:line 250
   at Xamarin.Messaging.IDB.Local.DeployAppMessageHandler.<ExecuteAsync>d__5.MoveNext() in D:\a\_work\1\s\src\Messaging\Xamarin.Messaging.IDB.Local\Handlers\DeployAppMessageHandler.cs:line 43: 10/12/2023 05:14:00Z
    DateTime=2023-10-12T05:14:00.2876902Z: 10/12/2023 05:14:00Z

however if have the following full mapped and get-task-allow=true it will compile and run

<dict>
	<key>aps-environment</key>
	<string>development</string>

	<key>com.apple.developer.associated-domains</key>
	<string>*</string>

	<key>application-identifier</key>
	<string>xxxxx.uk.co.mycompany.demo</string>

	<key>keychain-access-groups</key>
	<array>
		<string>xxxxxxx.*</string>
		<string>com.apple.token</string>
	</array>

	<key>get-task-allow</key>
	<true/>

	<key>com.apple.developer.team-identifier</key>
	<string>xxxxx</string>
</dict>

This might all down to me not understanding how it should work. To clarify when debugging do I need an entitlement file with all the stuff above in order to work? I dont think this was the behavior in xamarin but happy to be just told how is meant to work.

But then when deploying for real my pipeline has to change the aps-environment to Production and get-task-allow to false.

hope that helps and will close or you close , but please clarify for me. thank you very much

[emaf]

@gabsamples6 I think most of those should be automatically added to the final entitlements file by the build process based on the information on your provisioning profile, so it should not be necessary for you to add things like the team identifier. Please @rolfbjarne correct me if I'm wrong.

@gabsamples6 Could you leave on your entitlement just the aps-environment entry, reproduce the deployment error, and then attach the Entitlements.plist located under %LOCALAPPDATA%\Temp\Xamarin\HotRestart\Bundles\<version>\<hash>\<AppName>.app? Version and hash are values VS set so just open the last modified directory if you have more than one. And please hide any personal information it may contain since what I need to check is what keys the build is adding.

[rolfbjarne]

@gabsamples6 I think most of those should be automatically added to the final entitlements file by the build process based on the information on your provisioning profile, so it should not be necessary for you to add things like the team identifier. Please @rolfbjarne correct me if I'm wrong.

I believe this is correct, these are the entitlements that can be automatically added from a provisioning profile (which are added depends on the provisioning profile in question, but I believe application-identifier and team-identifier are always there): https://github.com/xamarin/xamarin-macios/blob/d7b35c2dc32830d96203ccaf29dfabfc8962c2c6/msbuild/Xamarin.MacDev.Tasks/Tasks/CompileEntitlementsTaskBase.cs#L17-L43.

[ghost]

Hi @gabsamples6. We have added the "s/needs-info" label to this issue, which indicates that we have an open question for you before we can take further action. This issue will be closed automatically in 7 days if we do not hear back from you by then - please feel free to re-open it if you come back to this issue after that time.

[ghost]

This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 4 days. It will be closed if no further activity occurs within 3 days of this comment. If it is closed, feel free to comment when you are able to provide the additional information and we will re-investigate.