From 9e996460bf5cf1c8c021bdf4b8b3f89d3272c30e Mon Sep 17 00:00:00 2001
From: Gerald Versluis
Date: Wed, 8 Apr 2026 17:17:11 +0200
Subject: [PATCH] fix: inject application-identifier from profile into entitlements
TestFlight requires the application-identifier entitlement in the app signature. codesign doesn't inject it automatically (Xcode does). Now that the profile uses the base bundle ID (nl.versluis.polypilot), the extracted value (AY5KBJ6RN9.nl.versluis.polypilot) matches what Apple expects.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/workflows/release-apps.yml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/.github/workflows/release-apps.yml b/.github/workflows/release-apps.yml
index ecad790c7..646834581 100644
--- a/.github/workflows/release-apps.yml
+++ b/.github/workflows/release-apps.yml
@@ -257,6 +257,25 @@ jobs:
 cp "$RUNNER_TEMP/maccatalyst.provisionprofile" "$APP_PATH/Contents/embedded.provisionprofile"
 echo "Embedded provisioning profile in app bundle"

+ - name: Inject application-identifier into entitlements
+ run: |
+ # Extract application-identifier and team-identifier from provisioning profile
+ # and add them to the entitlements file. codesign doesn't do this automatically
+ # (Xcode does). Required for TestFlight eligibility.
+ PROFILE_PLIST=$(security cms -D -i "$RUNNER_TEMP/maccatalyst.provisionprofile")
+ APP_ID=$(echo "$PROFILE_PLIST" | plutil -extract Entitlements.com\\.apple\\.application-identifier raw -o - -)
+ TEAM_ID=$(echo "$PROFILE_PLIST" | plutil -extract Entitlements.com\\.apple\\.developer\\.team-identifier raw -o - -)
+ echo "Application identifier: $APP_ID"
+ echo "Team identifier: $TEAM_ID"
+
+ ENTITLEMENTS="PolyPilot/Platforms/MacCatalyst/Entitlements.AppStore.plist"
+ /usr/libexec/PlistBuddy -c "Add :com.apple.application-identifier string $APP_ID" "$ENTITLEMENTS" 2>/dev/null || \
+ /usr/libexec/PlistBuddy -c "Set :com.apple.application-identifier $APP_ID" "$ENTITLEMENTS"
+ /usr/libexec/PlistBuddy -c "Add :com.apple.developer.team-identifier string $TEAM_ID" "$ENTITLEMENTS" 2>/dev/null || \
+ /usr/libexec/PlistBuddy -c "Set :com.apple.developer.team-identifier $TEAM_ID" "$ENTITLEMENTS"
+ echo "Updated entitlements:"
+ cat "$ENTITLEMENTS"
+
 - name: Re-sign app bundle (inside-out)
 env:
 CODESIGN_KEY: ${{ secrets.IOS_CODESIGN_KEY }}
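Review bot: The new step copies `$APP_ID` and `$TEAM_ID` from the provisioning profile straight into the entitlements file used for signing, with no check that they are the values this app is supposed to carry. If the profile in the runner is a wildcard or belongs to a different bundle ID, that identifier ends up in the signature and the mismatch would only surface later as an upload or TestFlight rejection rather than as a failed build. After the two `plutil -extract` lines I would add a guard such as `[[ "$APP_ID" == "$TEAM_ID."* && "$APP_ID" != *'*'* ]] || { echo "unexpected application-identifier: $APP_ID" >&2; exit 1; }`, and ideally also compare the suffix against the bundle's `CFBundleIdentifier`. The same guard keeps an empty or malformed value out of the interpolated PlistBuddy command strings. The re-sign step continues outside the hunk, so whether it validates the entitlements before signing is not visible here.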