Audit ServiceTypeByKey — add Ignored entries for newer Apple entitlements #326
Open
Badlazzor wants to merge 1 commit into fix/healthkit-access-entitlement from
Apple has added several entitlement keys since `ServiceTypeByKey` was last extended. Any key missing from the map hard-errors `Entitlement.Capability()` with `unknown entitlement key: …`, aborting `SyncBundleID` / `ensureBundleID` during automatic code signing.

Adds three entries that are safe to treat as `Ignored` (do not appear on the developer portal, no App Store Connect registration required):

- `com.apple.developer.kernel.extended-virtual-addressing`
- `com.apple.developer.kernel.increased-memory-limit`
- `com.apple.developer.authentication-services.credential-provider-ui`

Adds a regression test (`TestCapability_IgnoredKeys`) covering both `Capability()` and `AppearsOnDeveloperPortal()` for each new key.

Out of scope (needs maintainer decision):

- `com.apple.developer.weatherkit` — WeatherKit is a registrable service in App Store Connect; likely needs a new `CapabilityType` constant, not `Ignored`.
- `com.apple.developer.matter.allow-setup-payload` — Matter support entitlement; ASC registration requirements unclear.
Issue
Any iOS/macOS entitlement key that is not present in `ServiceTypeByKey` (`autocodesign/devportalclient/appstoreconnect/capabilities.go`) causes `autocodesign.Entitlement.Capability()` to return:

That error propagates up through `ProfileClient.SyncBundleID` → `autocodesign/profiles.go#ensureBundleID` and aborts the entire automatic-code-signing phase with:

The map currently has 34 entries. Apple has added a number of entitlement keys since it was last extended (see current entitlements reference), and each such addition is a latent production break the moment a user project declares that key. #325 is the most recently reported instance (`com.apple.developer.healthkit.access`, iOS 17.5+).

Intent
Audit `ServiceTypeByKey` for entitlement keys that should be safely mapped to `Ignored` because they do not require App Store Connect registration (matching the existing treatment of e.g. `com.apple.developer.icloud-container-identifiers`). Flag keys that likely need a real `CapabilityType` mapping for maintainer review in a follow-up.

Changes
Three new `Ignored` entries — build/runtime entitlements, not App Store Connect-registrable:

- `com.apple.developer.kernel.extended-virtual-addressing`
- `com.apple.developer.kernel.increased-memory-limit`
- `com.apple.developer.authentication-services.credential-provider-ui`: `AutofillCredentialProvider` capability; metadata-only

Plus a table-driven regression test (`TestCapability_IgnoredKeys`) covering both `Capability()` and `AppearsOnDeveloperPortal()` for each new key.

Intentionally out of scope
Flagging for maintainer decision — these likely need a real `CapabilityType`, not `Ignored`:

- `com.apple.developer.weatherkit` — WeatherKit is a registrable service (appears under Services → WeatherKit in App Store Connect). Needs a new `CapabilityType` constant (e.g. `WeatherKit`) and a decision on whether the step should auto-register it.
- `com.apple.developer.matter.allow-setup-payload` — Matter companion entitlement for HomePod/Apple TV setup payloads; ASC registration requirements unclear from public docs. Worth checking against the ASC API before classifying.

Anything else currently missing from the map that you'd like folded in here, happy to add — just flagging in review.
Follow-up
There is also a structural hardening worth considering — making `Capability()` warn-and-skip on unknown keys rather than hard-erroring — so a fresh Apple entitlement does not break every affected build until the allow-list catches up. Proposing that as a separate stacked PR after this one.

Test plan

- `go test ./autocodesign/...`
- `go vet ./autocodesign/...`
- `TestCapability_IgnoredKeys` passes for all three keys
- `kernel.increased-memory-limit` via [email protected] after dep bump; confirm no `unknown entitlement key` error

🤖 Generated with Claude Code
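
The warn-and-skip behaviour proposed under Follow-up, sketched as an added example (not code from this PR or the project). The types, the `HealthKit` value, the three-entry map and the `registrable` helper are hypothetical stand-ins, and the unknown key is constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// CapabilityType is a simplified stand-in for the project's type (assumption).
type CapabilityType string

const (
	Ignored   CapabilityType = "IGNORED"
	HealthKit CapabilityType = "HEALTHKIT" // hypothetical value for this sketch
)

// ErrUnknownKey lets callers tell "not in the allow-list" apart from other failures.
var ErrUnknownKey = errors.New("unknown entitlement key")

// serviceTypeByKey is a constructed three-entry sample, not the real 34-entry map.
var serviceTypeByKey = map[string]CapabilityType{
	"com.apple.developer.healthkit":                     HealthKit,
	"com.apple.developer.icloud-container-identifiers":  Ignored,
	"com.apple.developer.kernel.increased-memory-limit": Ignored,
}

// capability is the strict lookup: a key missing from the map is an error.
func capability(key string) (CapabilityType, error) {
	t, ok := serviceTypeByKey[key]
	if !ok {
		return "", fmt.Errorf("%w: %s", ErrUnknownKey, key)
	}
	return t, nil
}

// registrable returns the capabilities that need portal registration and,
// separately, every key skipped as unknown so the caller can log and audit it.
func registrable(keys []string) (caps []CapabilityType, unknown []string) {
	for _, k := range keys {
		t, err := capability(k)
		if errors.Is(err, ErrUnknownKey) {
			unknown = append(unknown, k) // warn-and-skip instead of aborting
		} else if t != Ignored {
			caps = append(caps, t)
		}
	}
	return caps, unknown
}

func main() {
	fmt.Println(registrable([]string{"com.apple.developer.healthkit", "com.example.constructed.new-key"}))
}
```

Returning the skipped keys rather than dropping them keeps the allow-list auditable: a build no longer fails on a new entitlement, but the gap still surfaces in the log.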