Debugging iPhone provision profiles/certificates

July 16, 2008

If you’re in the iPhone Developer Program, you’ll be able to run you code in a phisical device, with the following process:

  • Create a Certificate Signing Request (CSR) and submit to the developer portal
  • Download and install the code singing certificate (Development/Distribution certificate) to your Keychain
  • Download and install the WWDR certificate
  • Create/Download a Provisioning profile listing the devices you intend to run the program on
  • Install the provisioning profile to your development machine by dropping it into iTunes
  • Set the Certificate/Provision profile in your XCode project

Throubleshooting/things to verify:

First re-read iPhone Developer Portal Program Guide PDF to make sure you’ve followed every step correctly.
The two basic types of issues you can have:

  • The app is not signed
  • The app is signed, but you cannot run/load it into the device

Verifying if your app is signed

You can check if you app is signed by verifying the followin 2 things:

  • There was a CodeSign step during the build
  • The built package contains a CodeResource and embedded.mobileprovision

If it’s not signed double check the followings:

  • XCode project is set up correctly Code Sigining Identity is: iPhone Development: yourname or iPhone Distribution: yourname and the Code signing provisioning profile is set to a porfile you’ve downloaded. It shouldn’t be Default provisioning profile for code signing identity
  • If you set these things at project level make sure they aren’t overriden in target level
  • Voodoo: Quit XCode, clean, rebuild

If you can’t even select the provisioning profile in XCode check the followings:

  • Is the active target in XCode the same as the settings you’re editing? Here is the thing: it seems that the provision profile popup contains profiles matching the active target’s certificate (and no the one you’re editing). So make sure that you select the current configuration in Project/Set Active Build Configuration
  • Do you have the WWDR certificate installed? Check Apple Wordwide Developer Relations Certification in Keychain
  • Do you have my Distribution Certificate in keychain? Check for 'iPhone Developer: name' and/or 'iPhone Distribution: name' in Keychain. There should be a gray trinangle to the left of if, and on open it should show your private key.
  • Do you have the provisioning profile installed in ~/Library/MobileDevice/Provisioning Profiles/. Drag and drop the profile to iTunes to fix this.

The app is signed, but you cannot run/load it into the device

First get iPhone Configuration Utility, it’s a great app to get more information, you can check your console log, install single application and check installed provisioning profiles.

  • Do you have the provisioning profile installed to your iPhone? Use iPhone Configuration Utility to verify

There can be also issues with App-ID that will prevent from application to run.

  • In my experiecnce you should just use * as app id.
  • If you have a entitlement 'application-identifier' has value not permitted by provisioning profile in your iPhone console log, then try using a wildcard (*) App ID

Ad Hoc profiles:

I just couldn’t get Ad Hoc profiles to work. I always have this error in my iPhone console log:
entitlement 'get-task-allow' has value not permitted by provisioning profile
I’ve tried following every step of the iPhone Developer Portal Program Guide PDF, and i still get this.
In iTunes i either get a 0xE8000001 or 0xE8000013 when trying to install an application with an AdHoc provisioning profile.

Update: Apple has just updated the instructions in iPhone Developer Portal Program Guide PDF. They now tell to add ‘Entitlements.plist’ with ‘get-task-allow’ set to false to the Entitlements.
You should also verify your provision profile with a text editor. The plist embedded should contain these lines:


You should also remove old provision profiles without the iPhone (Use iPhone Configuration Utility). As having a bad provisioning profile will prevent your app from installing.


OSX 10.5.3: enable Gmail Contact Sync without iPhone

June 7, 2008

10.5.3 adds ability to sync your address book with gmail contact list.

Unfortunately it only enabled if you’ve ever connected iPhone/iPod touch to your mac.
You can use the following terminal command, to enable the syncing option, if your mac have never seend an iPhone.

defaults write Devices -dict-add 000A27001A56740D '{ "Family ID" = 10001; }'

note this is a single line, and not a two line command.

AuthorizationExecuteWithPrivileges + StdErr + PID

February 7, 2006

AuthorizationExecuteWithPrivileges is a MacOSX function can be used to programmatically execute a command as root. (It presents a dialog asking for administrator password).There’s 2 information that this function doesn’t give you back:

  • executed process’s pid – so that you can wait for it, and get the exitCode of it
  • file handle to stderr
Please note that this function is probably not secure enough. (But probably not much worse than most uses of AEWP). See the BetterAuthorizationSample code for truly secure solution.

My AuthorizationExecuteWithPrivilegesStdErrAndPID tries to overcome both limitation. Here’s the code.

Eclipse launcher

January 22, 2006

The eclipse laucnher on MacOSX has the following problem:

If you store it in dock it creates a second icon.

Current architecure of the Eclipse launcher:

  • an LSUIElement=1 application, => won’t have a Dock icon. It just shows a startup screen while launching the eclipse.
  • java: will have an eclipse icon, but the location is /usr/bin/java, so will be a diffrent item in the dock.


  1. shall not be an LSUIElement 1 application, so that it will appear in the dock when running.
  2. The application that shows the startupscreen shall be an LSUIElement 1 application. Packaged inside
  3. OSX shall be fooled when launching /usr/bin/java to think that is has launched from the location.

Fooling the system about the location of the laucnhed(/usr/bin/java) application:

We have 3 solutions:

  1. Before laucnhing set CFProcessPath, to the bundle executable. It works, but someone has to kill the CFProcessPath variable after eclipse started otherwise all programs started from eclipse will be behaving like it has the location. Unfortunatedly this doesn’t seems to work. Event tough the CFGetMainBundle will return the correct thing. (Eclipse package instead of Java) It won’t have the correct location displayed in the dock for Show Original. It’ll also create a different icon if the icon is in the dock.
  2. Launch with a command like this:
    This causes java to be started but when CFBundleGetMainBundle called it will return the Eclipse bundle.
  3. Write a custom java launcher app.

Runtime behaviour with (2):

  1. User clicks tha
  2. OSX starts executing and bounches the icon
  3. Eclipse app forks, and starts EclipseLaucnher. The quits bouncing stops.
  4. EclipseLaucnher starts /usr/bin/java, and fakes as the process location, this causes the icon to appear.

See Eclipse Bug 53260, cannot keep eclipse app in the Dock.

GCC dynamic_cast and type_info and symbols visibility

January 17, 2006

In one ouf our framework i have a code like this:


class DLLEXPORT DOMElement : DOMNode

virtual ~ DOMElement() {};


In the application we have code like:


#include “DOMElement.hpp”

if(node->getNodeType()== DOMNode::ELEMENT_NODE )

DOMElement* element = dynamic_cast(node);

The DLLEXPORT expands to __attrbiute((visibility(“default”)) in XMLParser.framework
The DLLEXPORT expands to __attrbiute((visibility(“hidden”)) in XMLTest

The issue is that the dynamic_cast fails by returning 0.

I see the followings:

  1. the DOMElement class has two type_info entries:
    • one inside the XMLParser.dylib with default visibility
    • one inside the XMLTest application with hidden visibiliy
  2. the linker looks for the type_info entry of DOMElement: __ZTIN10DOMElementE
    It sees a __ZTIN10DOMElementE entry marked with hidden in XMLTest.cpp.o, it also sees a the same entry marked as default in XMLParser.dyld
  3. From runtime it seems that the linker selects the hidden one. And this causes issue with dynamic_cast, as there’s two entries with the same symbol.


  • It seems that linker prefers the hidden symbol the same DSO to the visible in the different DSO?! Is this a rule?!

It seems to make sense: You have a DSO with NewWindow, then you have an internal function called NewWindow (“hidden”). If the linker should choose, it should prefer the “hidden” one to the one in different framework.

  • If so wouldn’t it be logical to have an “imported” visibility, where the visible symbol in the different DSO would be preferred over the “imported” symbol in the same DSO.
  • Setting the type_info visible in both modules seems to solve the problem. Why? What happens if the linker sees 2 visible entries, one in the actual module the other in a different DSO?!


First MachOViewer release 1.0a0

January 15, 2006

I’ve just relased the first MachOViewer alpha.


  1. Opens Frameworks, Bundles, Applications
  2. Displays used libraries, can open used library by double clicking it’s name
  3. Universal Binary aware (you can select the architecture you’re interested in in the top left corner)
  4. Displays imported exported symbols filter for library name or imported symbol name.


OSX: dumping LaunchServices database

January 15, 2006
How to dump & interpret the contents of the LaunchServices database
You shall use the lsregister command:/System/Library/Frameworks/ApplicationServices.framework/Frameworks/LaunchServices.framework/Versions/Current/Support/lsregister

cd /System/Library/Frameworks/ApplicationServices.framework/Frameworks/LaunchServices.framework/Versions/Current/Support/
lsregister local -dump

Related links