Shouldn’t there be a 1-1 relationship between Xcode’s capabilities and AppID capabilities you see in Apple Developer Portal?

Question

I’m looking into AppID capabilities in Dev portal…

Shouldn’t there be a 1-1 relationship between Xcode’s capabilities and AppID capabilities? I do see Keychain sharing in Xcode if I try adding a capability.

However I don’t see such a capability in Apple developer portal for AppIDs. Why?

Answer 1

Thanks to Dave Lyon who gave me this answer:

It's very confusing!

In the dev portal you're requesting specific entitlements, but not all entitlements need to be baked in to your profile, so they don't all show up.

Every capability you see in provisioning profile of your AppID will require an entitlement.

The same is not true for every capability you add in Xcode. As a result you will find more capabilities in Xcode. Some of them may need entitlements and some may not.

Specifically in your case, Keychain sharing doesn't need entitlements, so you don't see them it when you're configuring your App ID.

EDIT: Found docs from Apple

You can set many entitlements using the Summary tab [I think that's now done using the 'Signing and Capabilities' tab] of the Xcode target editor. Other entitlements require editing a target’s entitlements property list file. Finally, a few entitlements are inherited from the iOS provisioning profile used to run the app.

The ☝️ is important and yet cryptic. That's why Apple tells us that the code signing entitlements depends is quite complex and depends on various inputs

Check the Built Binary

The first step in debugging code signing entitlement problems is to check the actual entitlements of the binary. Xcode’s process for setting entitlements is quite complex, and it depends on various inputs, so it’s important to start by checking the output rather than looking at just the inputs.

To check the entitlements in your binary run the following command:

$ codesign -d --entitlements :- NetworkExtensionSample.app

_{Source: Apple Forums}

---

This page is also worth seeing. It goes through the entitlements process.

https://developer.apple.com/library/archive/technotes/tn2415/_index.html#//apple_ref/doc/uid/DTS40016427-CH1-SOURCES

Has A LOT of good explanations. Make sure you read it inside out.

When a profile is used for code signing, Xcode transfers the profile’s associated entitlements to the resulting code signature of the .app.

During code signing, the entitlements corresponding to the app’s enabled Capabilities/Services are transferred to the app’s signature from the provisioning profile Xcode chose to sign the app.

There’s also two sections under Entitlement Sources and Entitlement Destination

Specifically under the Entitlement Destination:

• The app’s signature
• The app’s embedded provisioning profile

This implies the provisioning profiles are embedded but the app can end up having different entitlements. Basically if an entitlement is the kind that needs to be given through Provisioning profiles and your app is using it then you need to have that entitlement in your provisioning profile otherwise it would error upon code-signing.