[GH-ISSUE #566] [BUG] Dev Certificate Signing issue #510

Closed
opened 2026-03-03 15:34:12 +03:00 by kerem · 5 comments

Originally created by @m1337v on GitHub (Jun 8, 2025).
Original GitHub issue: https://github.com/LiveContainer/LiveContainer/issues/566

Describe the bug

When LiveContainer is installed with an Apple dev account and the p12 used to sign is imported (to enable more entitlements like iCloud), it shows an error for

  • bundle identifier
    Likely bc dev accounts allow using the "original" Bundle ID (e.g. com.kdt.livecontainer), while free accounts append the Team ID (com.kdt.livecontainer.<TeamID>)
  • keychain-access groups
    Likely related to bundle ID mismatch and wildcard access

Why this matters

Missing CloudKit entitlements seems to be a recurring issue. Some users may want to import their Dev certificate to gain access to the missing entitlements (e.g. iCloud, CloudKit).

It might be useful to add a short guide to the FAQ section referencing entitlement issues and how to fix them:

  • How to properly import Dev certificates.
  • How to handle bundle ID adjustments.
  • Which entitlements may require explicit App ID configuration.

If helpful, I can also provide you my p12 certificate for testing purposes.

Image

Full Entitlements

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>application-identifier</key>
	<string>XA69….com.kdt.livecontainer.XA69…</string>
	<key>aps-environment</key>
	<string>development</string>
	<key>com.apple.developer.applesignin</key>
	<array>
		<string>Default</string>
	</array>
	<key>com.apple.developer.associated-domains</key>
	<string>*</string>
	<key>com.apple.developer.default-data-protection</key>
	<string>NSFileProtectionComplete</string>
	<key>com.apple.developer.devicecheck.app-attest-opt-in</key>
	<array>
		<string>CDhash</string>
	</array>
	<key>com.apple.developer.devicecheck.appattest-environment</key>
	<array>
		<string>development</string>
		<string>production</string>
	</array>
	<key>com.apple.developer.icloud-container-development-container-identifiers</key>
	<array/>
	<key>com.apple.developer.icloud-container-identifiers</key>
	<array/>
	<key>com.apple.developer.icloud-services</key>
	<string>*</string>
	<key>com.apple.developer.team-identifier</key>
	<string>XA69…</string>
	<key>com.apple.developer.ubiquity-container-identifiers</key>
	<array/>
	<key>com.apple.developer.ubiquity-kvstore-identifier</key>
	<string>XA69….*</string>
	<key>com.apple.security.application-groups</key>
	<array>
		<string>group.com.SideStore.SideStore.XA69…</string>
		<string>group.com.rileytestut.AltStore.XA69…</string>
	</array>
	<key>get-task-allow</key>
	<true/>
	<key>keychain-access-groups</key>
	<array>
		<string>XA69….*</string>
		<string>com.apple.token</string>
	</array>
</dict>
</plist>

Instructions to reproduce

install LC with Dev account
Export p12 certificate
Import p12 certificate in LC
go to jit-less mode diagnostics>entitlement file

What version of LiveContainer are you using?

3.4.63 (latest multitask nightly)

Other info

No response

kerem closed this issue and added the bug label (2026-03-03 15:34:12 +03:00)

@khanhduytran0 commented on GitHub (Jun 9, 2025):

The main issue here is the app signer not populating entitlements correctly.

  • LiveContainer doesn't require a Team ID suffix in the Bundle ID; it's the application-identifier entitlement value that is set incorrectly: XA69….com.kdt.livecontainer.XA69…. If the Info.plist CFBundleIdentifier is com.kdt.livecontainer, application-identifier must be XA69….com.kdt.livecontainer, otherwise File Picker breaks even though you have Fix File Picker & Local Notifications enabled; in this case only (Legacy) Fix File Picker works.
  • We require 128 keychain groups in the entitlements, but the app signer does not handle wildcards correctly, and it overwrites whatever is in the entitlements with what is in the mobileprovision.

This is the primary reason we rely on AltStore/SideStore, since they're the only ones populating entitlements correctly. To make it work with a custom paid dev cert, there's no way around it: we have to add a sort of entitlements repair to re-sign LiveContainer itself with correct entitlements and install it back to your device.

Edit: I could be wrong about the app signer being at fault, see @khcrysalis explanation below
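As an added illustration (not code from LiveContainer or from any commenter on this thread), the two consistency rules stated in the comment above can be checked mechanically before an IPA is signed: application-identifier must equal the team identifier followed by the CFBundleIdentifier, and keychain-access-groups should be concrete team-prefixed groups rather than the provisioning profile's wildcard. The sample plist below is constructed from the one pasted in the issue, with the placeholder team ID "TEAMID0000" standing in for the redacted "XA69…"; the function names are assumptions of this example.

```python
import plistlib

# Constructed sample, modelled on the entitlements pasted in the issue.
# "TEAMID0000" is a placeholder team ID, not a real value; the trailing
# ".TEAMID0000" on application-identifier reproduces the reported defect.
BROKEN_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>application-identifier</key>
	<string>TEAMID0000.com.kdt.livecontainer.TEAMID0000</string>
	<key>com.apple.developer.team-identifier</key>
	<string>TEAMID0000</string>
	<key>keychain-access-groups</key>
	<array>
		<string>TEAMID0000.*</string>
		<string>com.apple.token</string>
	</array>
</dict>
</plist>
"""


def check_entitlements(plist_bytes, bundle_id):
    """Return a list of human-readable problems; an empty list means consistent.

    Rules checked (from the maintainer comment above):
      1. application-identifier == "<team-identifier>.<CFBundleIdentifier>"
      2. every keychain-access-group except com.apple.token is prefixed with
         the team ID and is a concrete group, not a "<team>.*" wildcard that a
         signer copied through from the provisioning profile.
    """
    ent = plistlib.loads(plist_bytes)
    problems = []

    team = ent.get("com.apple.developer.team-identifier")
    if not team:
        return ["missing com.apple.developer.team-identifier"]

    expected_app_id = f"{team}.{bundle_id}"
    app_id = ent.get("application-identifier")
    if app_id != expected_app_id:
        problems.append(
            f"application-identifier is {app_id!r}, expected {expected_app_id!r}"
        )

    for group in ent.get("keychain-access-groups", []):
        if group == "com.apple.token":
            continue  # Apple-managed group, not team-scoped
        if not group.startswith(team + "."):
            problems.append(f"keychain group {group!r} lacks team prefix {team!r}")
        elif group.endswith(".*"):
            problems.append(
                f"wildcard keychain group {group!r}: signer passed the profile "
                "wildcard through instead of concrete groups"
            )
    return problems


def fix_application_identifier(plist_bytes, bundle_id):
    """Return a copy of the entitlements with application-identifier rebuilt
    from the team identifier and the given bundle ID (rule 1 only)."""
    ent = plistlib.loads(plist_bytes)
    team = ent["com.apple.developer.team-identifier"]
    ent["application-identifier"] = f"{team}.{bundle_id}"
    return plistlib.dumps(ent)


if __name__ == "__main__":
    bundle = "com.kdt.livecontainer"
    for p in check_entitlements(BROKEN_ENTITLEMENTS, bundle):
        print("BROKEN:", p)
    repaired = fix_application_identifier(BROKEN_ENTITLEMENTS, bundle)
    for p in check_entitlements(repaired, bundle):
        print("AFTER FIX:", p)
```

Run against the constructed sample, the checker reports both the mis-suffixed application-identifier and the wildcard keychain group; after rebuilding application-identifier only the wildcard group remains, which matches the comment's point that the bundle ID and the keychain groups are two separate mismatches.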


@claration commented on GitHub (Jun 9, 2025):

@khanhduytran0 app signers do populate entitlements correctly, but how these signers work is that they need a certificate pair; however, these pairs are only associated with a single application identifier. So, a mismatch occurs if you have a different application identifier from the app you have installed.


@claration commented on GitHub (Jun 9, 2025):

AltStore/SideStore automatically generate these certificates for the correct identifiers, which (for example) Feather does not do, as it just requires you to manually import an existing one (which may not work again for most if not all apps).


@hugeBlack commented on GitHub (Jun 9, 2025):

Using installation methods other than SideStore/AltStore/TollStore is discouraged, which is why we don't have a tutorial about that.

As khanhduytran0 said, LiveContainer requires all these entitlements to match in order to work correctly.

  1. If the bundle ID is incorrect, features like the new file picker fix and some apps may not work
  2. If the keychain access group is incorrect, our keychain separation feature may not work
  3. Most signing services don't provide a way to customize entitlements to meet our needs
  4. If you can customize your mobile provision file, you can refer to https://github.com/LiveContainer/LiveContainer/blob/main/entitlements.xml as an example
  5. It's not possible to write a tutorial for other signers since they vary a lot and some don't even provide a way to customize entitlements
  6. Even with iCloud entitlements, you still can't register the CloudKit containers these apps need, which may still lead to a crash.

@iMonZ commented on GitHub (Nov 29, 2025):

> Using installation methods other than SideStore/AltStore/TollStore is discouraged, which is why we don't have a tutorial about that.
>
> As khanhduytran0 said, LiveContainer requires all these entitlements to match in order to work correctly.
>
>   1. If the bundle ID is incorrect, features like the new file picker fix and some apps may not work
>   2. If the keychain access group is incorrect, our keychain separation feature may not work
>   3. Most signing services don't provide a way to customize entitlements to meet our needs
>   4. If you can customize your mobile provision file, you can refer to https://github.com/LiveContainer/LiveContainer/blob/main/entitlements.xml as an example
>   5. It's not possible to write a tutorial for other signers since they vary a lot and some don't even provide a way to customize entitlements
>   6. Even with iCloud entitlements, you still can't register the CloudKit containers these apps need, which may still lead to a crash.

Could it be that the issue persists because the keychain access groups are hardcoded?
Would it work to append the team identifier at the end? Wouldn't this fix this issue?
