“I’m trying to add Push Notifications to an App ID and someone higher up is telling me that in the past, flipping a switch in an App ID, like Push Notifications, will invalidate it’s provisioning profile.”
Especially if you come from a web background, things like “revoked certificates” and “invalid profiles” sound scary. However in the context of iOS development, these are common and necessary management tasks in the app creation workflow. So there is no need to be worried. In this article I will explain what is actually happening when you see the “invalid” marker on your provisioning profile, and run through a common scenario where this would occur.
Just to reassure you a bit up front: it might feel less scary if you think of the profiles as “outdated” instead of “invalid.” And “outdated” is also an accurate description. This is because the old profile has not expired or been revoked. But it no longer has the most up-to-date and correct settings.
Why is a provisioning profile marked “invalid” at all?
When any of the attributes of a provisioning profile change, the profile is marked “invalid” with the yellow yield icon. What it is actually informing you is that the attributes of the profile are now out of date. It is crucial that the all the attributes in the provisioning profile match the attributes of the app.
When your app is launched in iOS, the system checks all the attributes of the provisioning profile included with your app. One of the pieces of information it gets from that provisioning profile is which capabilities the system should enable for your app. Therefore if you want the Push Notifications feature of your app to work properly, it is a requirement that the provisioning profile bundled with the app include the Push Notification entitlement.
In this way iOS checks the provisioning profile bundled into your app file to determine what capabilities the system should grant to your app. Invalid provisioning profiles represent the situations where the attributes of that profile no longer match the latest settings.
A Common Scenario
For example, say you are adding Push Notifications to your app as a new feature. You quickly discover that one of the first steps is to modify the App ID for your app by adding the Push Notifications entitlement. Once you perform that step, you then might be concerned to discover that all the provisioning profiles related to that App ID have been marked invalid. But this is actually completely necessary and expected.
When you enable the Push Notifications capability on your App ID using the developer site, this will modify the App ID. Because the App ID is one of the attributes of a provisioning profile, it means the existing profile you have downloaded on your computer is out of date or “invalid.”
The Apple Developer site is actually providing you with a helpful indication: “Hey, you just changed the capabilities on your App ID. That means all the existing profiles that rely on that App ID should not be used anymore. If you try to use the existing ones, your app will not work as expected.” (That’s one way to get the dreaded “mismatched entitlements” error, btw.)
If you were to try running the app build to test your Push Notification feature with that existing profile, the push notifications will not work. iOS will look at the app’s provisioning profile, check that the Push Notification entitlement is not there, and therefore disallow Push Notifications capabilities for your app.
Hopefully this (very common) example gives you a bit of insight about how the invalid markers are actually helpful indicators, saving you from the time it takes to guess and check which provisioning profiles need to be re-generated.
The solution is to generate a new (replacement) provisioning profile. The new profile will include the modified App ID information, including that new Push Notifications entitlement. Once that new profile has been downloaded to your computer, and Xcode includes it in the next build of your app, then the app will have the provisioning needed for iOS to allow Push Notifications for that app.
In this way it is actually a requirement that the existing provisioning profiles become invalidated when adding the Push Notifications entitlement to your app. The same can be said for any of the attributes of a provisioning profile. If you need to make a change, the existing profile will be marked “invalid” to let you know that a new one should be generated that has all the updated attributes.
Attributes of a Provisioning Profile
If you’ve made it this far, you understand what happened in the Push Notification example. Now you might be wondering: What exactly are the attributes of a provisioning profile anyway?
The attributes that make up a provisioning profile are:
- App ID
- Entitlements and Services (e.g. Push Notifications, CloudKit, Apple Pay, etc.)
- The app identifier’s suffix string (whether explicit or wildcard)
- Signing certificate
- iOS uses this certificate to check the code signing on the app’s compiled code.
- List of Devices
- A list of devices onto which the app can be installed. If the device is not in the list, it will not run.
- Note that the Device List is for Development and Ad Hoc provisioning profiles, but not App Store Distribution profiles.
If any of the above change, the existing profile is now out of date and will be marked as “invalid.” Generate a new one that includes the updated attributes. The old one has not expired, but it is no longer useful to you because it contains outdated attributes.
The invalid marker on provisioning profiles is actually a very useful and helpful tool. It informs you at a glance that the attributes of your provisioning profile have changed without the need to manually inspect all the components yourself. No need to be worried next time you see that invalid marker.
Subscribe to the newsletter to stay up to date with new articles.