iOS: Executable signed with invalid entitlements

Problem

When attempting to deploy an ipa using Xcode, this error appears:

The executable was signed with invalid entitlements.
The entitlements specified in your application’s Code Signing Entitlements file do not match those specified in your provisioning profile. (0xE8008016).

Context

When an ipa is secured with Blue Cedar, it needs to be re-signed with a valid provisioning profile and signing certificate in order to be deployed on an iOS device. The policy console offers two ways to do this:

  1. The iOS signing server: a Mac running Xcode and OS X with a valid distribution certificate and provisioning profile
  2. The signing script: a script that runs on a Mac with a valid distribution certificate and provisioning profile

Most problems deploying secured apps are caused by signing issues—even in cases where the signing process completes without error.

Solution

This error is caused by a mismatch between your provisioning profile and your distribution certificate. Typically, Apple allows an organization to have two distribution certificates. When a provisioning profile is created, it is associated with one or the other. To correctly sign an ipa, the distribution certificate and private key on the Mac where the signing occurs must match the certificate that was selected when the provisioning profile was created.

To check which distribution certificate you have, access your keychain.
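The mismatch described above can also be checked mechanically. The following Python sketch is an added example, not Blue Cedar or Apple code: it compares the certificates embedded in a provisioning profile against the signing identities listed by `security find-identity -v -p codesigning`. The function names are hypothetical, and the profile and keychain listing are constructed sample data so the script runs offline.

```python
import hashlib
import plistlib
import re

def profile_cert_fingerprints(profile_bytes):
    """SHA-1 fingerprints of the certificates a .mobileprovision allows."""
    # The profile is a CMS-signed blob wrapping an XML plist; slice the plist out.
    start = profile_bytes.find(b"<?xml")
    end = profile_bytes.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found in provisioning profile")
    plist = plistlib.loads(profile_bytes[start:end + len(b"</plist>")])
    # DeveloperCertificates holds the DER bytes of each permitted signing cert.
    return {hashlib.sha1(der).hexdigest().upper()
            for der in plist.get("DeveloperCertificates", [])}

def keychain_identities(find_identity_output):
    """Map fingerprint -> name from `security find-identity` text output."""
    pattern = re.compile(r'^\s*\d+\)\s+([0-9A-Fa-f]{40})\s+"(.*)"', re.M)
    return {fp.upper(): name for fp, name in pattern.findall(find_identity_output)}

def usable_identities(profile_bytes, find_identity_output):
    """Keychain identities that the provisioning profile actually accepts."""
    allowed = profile_cert_fingerprints(profile_bytes)
    return {fp: name for fp, name in keychain_identities(find_identity_output).items()
            if fp in allowed}

# --- Constructed sample data (not a real profile or real certificates) ---
CERT_A = b"constructed-certificate-A"   # the cert the profile was created with
CERT_B = b"constructed-certificate-B"   # the other distribution cert
SAMPLE_PROFILE = (b"\x30\x82junk-cms-header"
                  + plistlib.dumps({"Name": "Example Dist Profile",
                                    "DeveloperCertificates": [CERT_A]})
                  + b"junk-cms-signature")
SAMPLE_KEYCHAIN = (
    '  1) %s "iPhone Distribution: Example Corp (CONSTRUCTED)"\n'
    '     1 valid identities found\n' % hashlib.sha1(CERT_B).hexdigest().upper()
)

if __name__ == "__main__":
    matches = usable_identities(SAMPLE_PROFILE, SAMPLE_KEYCHAIN)
    if matches:
        for fp, name in matches.items():
            print("OK  ", fp, name)
    else:
        print("MISMATCH: no keychain identity matches the profile's certificates")
```

On the signing Mac, pass the bytes of the real .mobileprovision file and the captured output of `security find-identity -v -p codesigning` instead of the sample values; an empty result means the keychain holds the other distribution certificate.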

To understand more about the code signing process and troubleshooting issues, see the Apple developer site:

https://developer.apple.com/support/technical/code-signing/