问题
I'm looking to encrypt user data in an app, and the NSFileProtection mechanism looks perfect for this.
This SO Question / Answer thread pointed me at the WWDC 2011 Video Securing iOS Apps which gave the 'too good to be true' tip of setting Data Protection across the app via entitlements (see from 33 minutes in).
So, I tried this for my iOS 5.x+ app, and ran into the problem where it complains about Invalid Entitlements.
I've configured Data Protection for the specific app via the iOS Provisioning Portal, and updated my app Provisioning, so in theory I should all be set, but I still get the error.
If I remove the specific FileProtectionComplete setting from the Entitlement, the app runs without the Invalid Entitlement error.
In investigating this, I also saw the some folk are getting their apps rejected (at the point they upload the binary) as this isn't supported (or deprecated?). Please note that I'm specifically asking about Data Protection, and not Passbook.
At this stage, I'm thinking, maybe it really is, 'too good to be true'. So, I'm about to give up on this magic entitlements flag, and instead use the programmatic method, of adding NSFileProtectionComplete as a write option.
However, before I do that, can anyone confirm they've been able to successfully add Data Protection just by using the Entitlements flag? Thanks.
回答1:
NSFileProtectionComplete isn't supported via entitlements anymore. Instead, it is specified in the provision profile.
I had the exact same problem you did. When I tried to build and run on a device, I got the following alert:
The executable was signed with invalid entitlements.
The entitlements specified in your application’s Code Signing Entitlements file do not match those specified in your provisioning profile.
(0xE8008016).
In the console, it manifested itself as this error:
May 6 16:18:13 XXXXX installd[54] : entitlement 'DataProtectionClass' has value not permitted by a provisioning profile
Eventually, I found the proper settings. You must log in to the developer portal and enable data protection on the app id associated with the provisioning profile you're using. See the image below:
回答2:
It wouldn't work for me using the wildcard for the profile id (i.e. my.company.app.*) so had to create a new fully qualified one. It works for me with my Entitlements.plist looking like this:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.developer.default-data-protection</key>
<string>NSFileProtectionComplete</string>
<key>get-task-allow</key>
<false/>
</dict>
</plist>
and with my profile section for it looking like this: ....
<dict>
<key>application-identifier</key>
<string>xxx.my.company.app</string>
<key>com.apple.developer.default-data-protection</key>
<string>NSFileProtectionComplete</string>
<key>get-task-allow</key>
<false/>
<key>keychain-access-groups</key>
<array>
<string>xxxxxxxx</string>
</array>
</dict>
....
回答3:
To enable data protection, switch it on in the Capabilities pane of your target in Xcode.
Details: App Distribution Guide: Adding Capabilities
回答4:
I have tried data protection using entitlements and it works fine. The trick is to make sure your entitlements file entry in your Xcode project is the same as that of your provisioning profile.
Specifically, the following 2 settings in entitlements file and provisioning profile should be same:- "com.apple.developer.default-data-protection" - I have set this as NSFileProtectionComplete. "application-identifier" - I am not using wildcards in identifier though I think it should work as well.
来源:https://stackoverflow.com/questions/14734758/data-protection-nsfileprotectioncomplete-successfully-supported-through-enti