fastlane 2.182.0 → 2.184.1

data/match/lib/match/migrate.rb

@@ -91,9 +91,8 @@ module Match
     end
 
     def api_token(params)
-      @api_token ||= Spaceship::ConnectAPI::Token.create(**params[:api_key]) if params[:api_key]
-      @api_token ||= Spaceship::ConnectAPI::Token.from_json_file(params[:api_key_path]) if params[:api_key_path]
-      return @api_token
+      api_token = Spaceship::ConnectAPI::Token.from(hash: params[:api_key], filepath: params[:api_key_path])
+      return api_token
     end
 
     def ensure_parameters_are_valid(params)

data/match/lib/match/nuke.rb

@@ -102,9 +102,11 @@ module Match
     end
 
     def spaceship_login
-      if api_token
+      if (api_token = Spaceship::ConnectAPI::Token.from(hash: params[:api_key], filepath: params[:api_key_path]))
         UI.message("Creating authorization token for App Store Connect API")
         Spaceship::ConnectAPI.token = api_token
+      elsif !Spaceship::ConnectAPI.token.nil?
+        UI.message("Using existing authorization token for App Store Connect API")
       else
         Spaceship::ConnectAPI.login(params[:username], use_portal: true, use_tunes: false, portal_team_id: params[:team_id], team_name: params[:team_name])
       end
@@ -120,12 +122,6 @@ module Match
       end
     end
 
-    def api_token
-      @api_token ||= Spaceship::ConnectAPI::Token.create(**params[:api_key]) if params[:api_key]
-      @api_token ||= Spaceship::ConnectAPI::Token.from_json_file(params[:api_key_path]) if params[:api_key_path]
-      return @api_token
-    end
-
     # Collect all the certs/profiles
     def prepare_list
       UI.message("Fetching certificates and profiles...")

data/match/lib/match/options.rb

@@ -207,6 +207,7 @@ module Match
         FastlaneCore::ConfigItem.new(key: :s3_secret_access_key,
                                      env_name: "MATCH_S3_SECRET_ACCESS_KEY",
                                      description: "S3 secret access key",
+                                     sensitive: true,
                                      optional: true),
         FastlaneCore::ConfigItem.new(key: :s3_bucket,
                                      env_name: "MATCH_S3_BUCKET",

data/match/lib/match/runner.rb

@@ -139,9 +139,8 @@ module Match
     # rubocop:enable Metrics/PerceivedComplexity
 
     def api_token(params)
-      @api_token ||= Spaceship::ConnectAPI::Token.create(**params[:api_key]) if params[:api_key]
-      @api_token ||= Spaceship::ConnectAPI::Token.from_json_file(params[:api_key_path]) if params[:api_key_path]
-      return @api_token
+      api_token = Spaceship::ConnectAPI::Token.from(hash: params[:api_key], filepath: params[:api_key_path])
+      return api_token
     end
 
     # Used when creating a new certificate or profile

data/match/lib/match/spaceship_ensure.rb

@@ -13,6 +13,9 @@ module Match
         UI.message("Creating authorization token for App Store Connect API")
         Spaceship::ConnectAPI.token = api_token
         self.team_id = team_id
+      elsif !Spaceship::ConnectAPI.token.nil?
+        UI.message("Using existing authorization token for App Store Connect API")
+        self.team_id = team_id
       else
         # We'll try to manually fetch the password
         # to tell the user that a password is optional

data/match/lib/match/storage/google_cloud_storage.rb

@@ -123,8 +123,8 @@ module Match
       end
 
       def api_token
-        api_token ||= Spaceship::ConnectAPI::Token.create(**self.api_key) if self.api_key
-        api_token ||= Spaceship::ConnectAPI::Token.from_json_file(self.api_key_path) if self.api_key_path
+        api_token = Spaceship::ConnectAPI::Token.from(hash: self.api_key, filepath: self.api_key_path)
+        api_token ||= Spaceship::ConnectAPI.token
         return api_token
       end
 

data/match/lib/match/storage/s3_storage.rb

@@ -196,8 +196,8 @@ module Match
       end
 
       def api_token
-        api_token ||= Spaceship::ConnectAPI::Token.create(**self.api_key) if self.api_key
-        api_token ||= Spaceship::ConnectAPI::Token.from_json_file(self.api_key_path) if self.api_key_path
+        api_token = Spaceship::ConnectAPI::Token.from(hash: self.api_key, filepath: self.api_key_path)
+        api_token ||= Spaceship::ConnectAPI.token
         return api_token
       end
     end

data/pilot/lib/pilot/build_manager.rb

@@ -105,8 +105,10 @@ module Pilot
         app_version: app_version,
         build_version: app_build,
         poll_interval: config[:wait_processing_interval],
+        timeout_duration: config[:wait_processing_timeout_duration],
         return_when_build_appears: return_when_build_appears,
-        return_spaceship_testflight_build: false
+        return_spaceship_testflight_build: false,
+        select_latest: config[:distribute_only]
       )
 
       unless latest_build.app_version == app_version && latest_build.version == app_build
@@ -365,6 +367,7 @@ module Pilot
     # If there are fewer than two teams, don't infer the provider.
     def transporter_for_selected_team(options)
       # Use JWT auth
+      api_token = Spaceship::ConnectAPI.token
       unless api_token.nil?
         api_token.refresh! if api_token.expired?
         return FastlaneCore::ItunesTransporter.new(nil, nil, false, nil, api_token.text)
@@ -447,7 +450,7 @@ module Pilot
     end
 
     def update_review_detail(build, info)
-      info = info.collect { |k, v| [k.to_sym, v] }.to_h
+      info = info.transform_keys(&:to_sym)
 
       attributes = {}
       attributes[:contactEmail] = info[:contact_email] if info.key?(:contact_email)
@@ -463,7 +466,7 @@ module Pilot
     end
 
     def update_localized_app_review(build, info_by_lang, default_info: nil)
-      info_by_lang = info_by_lang.collect { |k, v| [k.to_sym, v] }.to_h
+      info_by_lang = info_by_lang.transform_keys(&:to_sym)
 
       if default_info
         info_by_lang.delete(:default)
@@ -509,7 +512,7 @@ module Pilot
     end
 
     def update_localized_build_review(build, info_by_lang, default_info: nil)
-      info_by_lang = info_by_lang.collect { |k, v| [k.to_sym, v] }.to_h
+      info_by_lang = info_by_lang.transform_keys(&:to_sym)
 
       if default_info
         info_by_lang.delete(:default)

data/pilot/lib/pilot/manager.rb

@@ -17,9 +17,11 @@ module Pilot
     end
 
     def login
-      if api_token
+      if (api_token = Spaceship::ConnectAPI::Token.from(hash: config[:api_key], filepath: config[:api_key_path]))
         UI.message("Creating authorization token for App Store Connect API")
         Spaceship::ConnectAPI.token = api_token
+      elsif !Spaceship::ConnectAPI.token.nil?
+        UI.message("Using existing authorization token for App Store Connect API")
       else
         config[:username] ||= CredentialsManager::AppfileConfig.try_fetch_value(:apple_id)
 
@@ -33,12 +35,6 @@ module Pilot
       end
     end
 
-    def api_token
-      @api_token ||= Spaceship::ConnectAPI::Token.create(**config[:api_key]) if config[:api_key]
-      @api_token ||= Spaceship::ConnectAPI::Token.from_json_file(config[:api_key_path]) if config[:api_key_path]
-      return @api_token
-    end
-
     # The app object we're currently using
     def app
       @app_id ||= fetch_app_id

data/pilot/lib/pilot/options.rb

@@ -286,6 +286,14 @@ module Pilot
                                      verify_block: proc do |value|
                                        UI.user_error!("Please enter a valid positive number of seconds") unless value.to_i > 0
                                      end),
+        FastlaneCore::ConfigItem.new(key: :wait_processing_timeout_duration,
+                                     env_name: "PILOT_WAIT_PROCESSING_TIMEOUT_DURATION",
+                                     description: "Timeout duration in seconds to wait for App Store Connect processing. If set, after exceeding timeout duration, this will `force stop` to wait for App Store Connect processing and exit with exception",
+                                     optional: true,
+                                     type: Integer,
+                                     verify_block: proc do |value|
+                                       UI.user_error!("Please enter a valid positive number of seconds") unless value.to_i > 0
+                                     end),
         FastlaneCore::ConfigItem.new(key: :wait_for_uploaded_build,
                                      env_name: "PILOT_WAIT_FOR_UPLOADED_BUILD",
                                      deprecated: "No longer needed with the transition over to the App Store Connect API",

data/precheck/lib/precheck/runner.rb

@@ -18,6 +18,14 @@ module Precheck
                                          hide_keys: [:output_path],
                                              title: "Summary for precheck #{Fastlane::VERSION}")
 
+      api_token = if (token = Spaceship::ConnectAPI::Token.from(hash: Precheck.config[:api_key], filepath: Precheck.config[:api_key_path]))
+                    UI.message("Creating authorization token for App Store Connect API")
+                    token
+                  elsif (token = Spaceship::ConnectAPI.token)
+                    UI.message("Using existing authorization token for App Store Connect API")
+                    token
+                  end
+
       if api_token
 
         # As of 2020-09-15, App Store Connect API does not have support for IAPs yet
@@ -29,7 +37,6 @@ module Precheck
           UI.user_error!("Precheck cannot check In-app purchases with the App Store Connect API Key (yet). Exclude In-app purchases from precheck, disable the precheck step in your build step, or use Apple ID login")
         end
 
-        UI.message("Creating authorization token for App Store Connect API")
         Spaceship::ConnectAPI.token = api_token
       elsif Spaceship::Tunes.client.nil?
         # Username is now optional since addition of App Store Connect API Key
@@ -75,12 +82,6 @@ module Precheck
       return true
     end
 
-    def api_token
-      @api_token ||= Spaceship::ConnectAPI::Token.create(**Precheck.config[:api_key]) if Precheck.config[:api_key]
-      @api_token ||= Spaceship::ConnectAPI::Token.from_json_file(Precheck.config[:api_key_path]) if Precheck.config[:api_key_path]
-      return @api_token
-    end
-
     def print_items_not_checked(processor_result: nil)
       names = processor_result.items_not_checked.map(&:friendly_name)
       UI.message("😶  Metadata fields not checked by any rule: #{names.join(', ')}".yellow) if names.length > 0

data/scan/lib/scan/runner.rb

@@ -122,7 +122,7 @@ module Scan
       suites = failing_tests.split(/(?=\n\s+[\w\s]+:\n)/)
 
       suites.each do |suite|
-        suite_name = suite.match(/\s*([\w\s]+):/).captures.first
+        suite_name = suite.match(/\s*([\w\s\S]+):/).captures.first
 
         test_cases = suite.split(":\n").fetch(1, []).split("\n").each
                           .select { |line| line.match?(/^\s+/) }

data/sigh/lib/assets/resign.sh

@@ -75,6 +75,9 @@
 # new features August 2020
 # 1. fixes usage for users with GNU-sed in their $PATH
 #
+# new features May 2021
+# 1. fix entitlements merging when changing team
+#
 
 # Logging functions
 
@@ -346,7 +349,7 @@ function provision_for_bundle_id {
 }
 
 # Find the bundle identifier contained inside a provisioning profile
-function bundle_id_for_provison {
+function bundle_id_for_provision {
 
     local FULL_BUNDLE_ID=$(PlistBuddy -c 'Print :Entitlements:application-identifier' /dev/stdin <<< "$(security cms -D -i "$1")")
     checkStatus
@@ -384,7 +387,7 @@ function add_provision {
         error "Provisioning profile '$PROVISION' file does not exist"
     fi
 
-    local BUNDLE_ID=$(bundle_id_for_provison "$PROVISION")
+    local BUNDLE_ID=$(bundle_id_for_provision "$PROVISION")
     add_provision_for_bundle_id "$PROVISION" "$BUNDLE_ID"
 }
 
@@ -434,7 +437,7 @@ function resign {
         error "Use the -p option (example: -p com.example.app=xxxx.mobileprovision)"
     fi
 
-    local PROVISION_BUNDLE_IDENTIFIER=$(bundle_id_for_provison "$NEW_PROVISION")
+    local PROVISION_BUNDLE_IDENTIFIER=$(bundle_id_for_provision "$NEW_PROVISION")
 
     # Use provisioning profile's bundle identifier
     if [ "$BUNDLE_IDENTIFIER" == "" ]; then
@@ -580,7 +583,7 @@ function resign {
             # Found a reference bundle id, now get the corresponding provisioning profile for this bundle id
             REF_PROVISION=$(provision_for_bundle_id "$REF_BUNDLE_ID")
             # Map to the new bundle id
-            NEW_REF_BUNDLE_ID=$(bundle_id_for_provison "$REF_PROVISION")
+            NEW_REF_BUNDLE_ID=$(bundle_id_for_provision "$REF_PROVISION")
             # Change if not the same and if doesn't contain wildcard
             # shellcheck disable=SC2049
             if [[ "$REF_BUNDLE_ID" != "$NEW_REF_BUNDLE_ID" ]] && ! [[ "$NEW_REF_BUNDLE_ID" =~ \* ]]; then
@@ -636,6 +639,20 @@ function resign {
         log "\nApp entitlements for ${APP_PATH}:"
         log "$(cat "$APP_ENTITLEMENTS")"
 
+        # Get the old and new app identifier (prefix)
+        APP_ID_KEY="application-identifier"
+        # Extract just the identifier from the value
+        # Use the fact that we are after some identifer, which is always at the start of the string
+        OLD_APP_ID=$(PlistBuddy -c "Print $APP_ID_KEY" "$APP_ENTITLEMENTS" | grep -E '^[A-Z0-9]*' -o | tr -d '\n')
+        NEW_APP_ID=$(PlistBuddy -c "Print $APP_ID_KEY" "$PROFILE_ENTITLEMENTS" | grep -E '^[A-Z0-9]*' -o | tr -d '\n')
+
+        # Get the old and the new team ID
+        # Old team ID is not part of app entitlements, have to get it from old embedded provisioning profile
+        security cms -D -i "$TEMP_DIR/old-embedded.mobileprovision" > "$TEMP_DIR/old-embedded-profile.plist"
+        OLD_TEAM_ID=$(PlistBuddy -c "Print :TeamIdentifier:0" "$TEMP_DIR/old-embedded-profile.plist")
+        # New team ID is part of profile entitlements
+        NEW_TEAM_ID=$(PlistBuddy -c "Print com.apple.developer.team-identifier" "$PROFILE_ENTITLEMENTS" | grep -E '^[A-Z0-9]*' -o | tr -d '\n')
+
         log "Patching profile entitlements with values from app entitlements"
         PATCHED_ENTITLEMENTS="$TEMP_DIR/patchedEntitlements"
         # Start with using what comes in provisioning profile entitlements before patching
@@ -654,20 +671,14 @@ function resign {
             "com.apple.developer.icloud-container-development-container-identifiers" \
             # This key has an invalid generic value in PP (actual value is set by Xcode during export), see dedicated processing a few blocks below
             "com.apple.developer.icloud-container-environment" \
-            # PP list identifiers inconsistent with app-defined ones, must use App entitlements value
-            "com.apple.developer.icloud-container-identifiers" \
             # PP enable all available services and not app-defined ones, must use App entitlements value
             "com.apple.developer.icloud-services" \
             # Was already denylisted in previous version, but has someone ever seen this key in a PP?
             "com.apple.developer.restricted-resource-mode" \
             # If actually used by the App, this value will be set in its entitlements
             "com.apple.developer.nfc.readersession.formats" \
-            # PP list a single TeamID.* identifier and not app-defined ones, must use App entitlements value
-            "com.apple.developer.pass-type-identifiers" \
             # If actually used by the App, this value will be set in its entitlements
             "com.apple.developer.siri" \
-            # PP list identifiers inconsistent with app-defined ones, must use App entitlements value
-            "com.apple.developer.ubiquity-container-identifiers" \
             # PP define a generic TeamID.* identifier and not the app-defined one, must use App entitlements value
             "com.apple.developer.ubiquity-kvstore-identifier" \
             # If actually used by the App, this value will be set in its entitlements
@@ -680,8 +691,6 @@ function resign {
             "com.apple.developer.healthkit" \
             # If actually used by the App, this value will be set in its entitlements
             "com.apple.developer.healthkit.access" \
-            # PP list identifiers inconsistent with app-defined ones, must use App entitlements value
-            "com.apple.developer.in-app-payments" \
             # If actually used by the App, this value will be set in its entitlements
             "com.apple.developer.networking.vpn.api" \
             # If actually used by the App, this value will be set in its entitlements
@@ -694,40 +703,45 @@ function resign {
             "com.apple.developer.associated-domains" \
             # If actually used by the App, this value will be set in its entitlements
             "com.apple.developer.default-data-protection" \
-            # PP seem to list the same groups as the App, but use App entitlements value to be sure
-            "com.apple.security.application-groups" \
             # Was already denylisted in previous version, seems to be an artifact from an old Xcode release
             "com.apple.developer.maps" \
             # If actually used by the App, this value will be set in its entitlements
             "com.apple.external-accessory.wireless-configuration"
         )
 
+        # If we change team while resigning, we have no other choice than to use the following entitlements from the PP instead of the App
+        # because they are based on unique identifiers (defined in the developer portal) that can't be shared between teams
+        if [[ "$OLD_TEAM_ID" != "$NEW_TEAM_ID" ]]; then
+            warning "WARNING: Changing team while resigning"
+            warning "WARNING: Using these entitlements from the provisioning profile instead of the existing app:"
+            warning "WARNING: App Groups, Merchant IDs (Apple Pay In-App Payments), iCloud Containers, Pass Type IDs (Wallet)"
+            warning "WARNING: If these capabilities are enabled, make sure AppID and provisioning profile are properly configured"
+            # For Pass Types, PP only list a single TeamID.* identifier and not the potential restricted list defined in the existing App
+            # but we can't guess the new identifiers to be used, so this generic value is better than nothing and should be fine for most apps
+            warning "WARNING: Resigned app will allow all pass types from the new team, even if old app only allowed a restricted list"
+        else
+            DENYLISTED_KEYS+=(\
+                "com.apple.security.application-groups" \
+                "com.apple.developer.in-app-payments" \
+                "com.apple.developer.ubiquity-container-identifiers" \
+                "com.apple.developer.icloud-container-identifiers" \
+                "com.apple.developer.pass-type-identifiers" \
+            )
+        fi
+
         # Denylisted keys must not be included into new profile, so remove them from patched profile
         for KEY in "${DENYLISTED_KEYS[@]}"; do
             log "Removing denylisted key: $KEY"
             PlistBuddy -c "Delete $KEY" "$PATCHED_ENTITLEMENTS" 2>/dev/null
         done
 
-        # Get the old and new app identifier (prefix)
-        APP_ID_KEY="application-identifier"
-        # Extract just the identifier from the value
-        # Use the fact that we are after some identifier, which is always at the start of the string
-        OLD_APP_ID=$(PlistBuddy -c "Print $APP_ID_KEY" "$APP_ENTITLEMENTS" | grep -E '^[A-Z0-9]*' -o | tr -d '\n')
-        NEW_APP_ID=$(PlistBuddy -c "Print $APP_ID_KEY" "$PROFILE_ENTITLEMENTS" | grep -E '^[A-Z0-9]*' -o | tr -d '\n')
-
-        # Get the old and the new team ID
-        # Old team ID is not part of app entitlements, have to get it from old embedded provisioning profile
-        security cms -D -i "$TEMP_DIR/old-embedded.mobileprovision" > "$TEMP_DIR/old-embedded-profile.plist"
-        OLD_TEAM_ID=$(PlistBuddy -c "Print :TeamIdentifier:0" "$TEMP_DIR/old-embedded-profile.plist")
-        # New team ID is part of profile entitlements
-        NEW_TEAM_ID=$(PlistBuddy -c "Print com.apple.developer.team-identifier" "$PROFILE_ENTITLEMENTS" | grep -E '^[A-Z0-9]*' -o | tr -d '\n')
-
         # List of rules for transferring entitlements from app to profile plist
         # The format for each enty is "KEY[|ID_TYPE]"
         # Where KEY is the plist key, e.g. "keychain-access-groups"
         # and ID_TYPE is optional part separated by '|' that specifies what value to patch:
         # TEAM_ID - patch the TeamIdentifierPrefix
         # APP_ID - patch the AppIdentifierPrefix
+        # ICLOUD_ENV - patch the target iCloud Environment
         # Patching means replacing old value from app entitlements with new value from provisioning profile
         # For example, for KEY=keychain-access-groups the ID_TYPE=APP_ID
         # Which means that old app ID prefix in keychain-access-groups will be replaced with new app ID prefix
@@ -740,23 +754,32 @@ function resign {
             "com.apple.developer.healthkit" \
             "com.apple.developer.healthkit.access" \
             "com.apple.developer.homekit" \
-            "com.apple.developer.icloud-container-environment" \
-            "com.apple.developer.icloud-container-identifiers" \
+            "com.apple.developer.icloud-container-environment|ICLOUD_ENV" \
             "com.apple.developer.icloud-services" \
-            "com.apple.developer.in-app-payments" \
             "com.apple.developer.networking.HotspotConfiguration" \
             "com.apple.developer.networking.multipath" \
             "com.apple.developer.networking.networkextension" \
             "com.apple.developer.networking.vpn.api" \
             "com.apple.developer.nfc.readersession.formats" \
-            "com.apple.developer.pass-type-identifiers|TEAM_ID" \
             "com.apple.developer.siri" \
-            "com.apple.developer.ubiquity-container-identifiers" \
             "com.apple.developer.ubiquity-kvstore-identifier|TEAM_ID" \
             "com.apple.external-accessory.wireless-configuration" \
-            "com.apple.security.application-groups" \
             "inter-app-audio" \
-            "keychain-access-groups|APP_ID")
+            "keychain-access-groups|APP_ID" \
+        )
+
+        # If we change team while resigning, we have no other choice than to use the following entitlements from the PP instead of the App
+        # because they are based on unique identifiers (defined in the developer portal) that can't be shared between teams
+        # If we don't change team while resigning, we should use the following entitlements from the existing App and not from the PP
+        if [[ "$OLD_TEAM_ID" == "$NEW_TEAM_ID" ]]; then
+            ENTITLEMENTS_TRANSFER_RULES+=(\
+                "com.apple.security.application-groups" \
+                "com.apple.developer.in-app-payments" \
+                "com.apple.developer.ubiquity-container-identifiers" \
+                "com.apple.developer.icloud-container-identifiers" \
+                "com.apple.developer.pass-type-identifiers|TEAM_ID" \
+            )
+        fi
 
         # Loop over all the entitlement keys that need to be transferred from app entitlements
         for RULE in "${ENTITLEMENTS_TRANSFER_RULES[@]}"; do
@@ -771,7 +794,19 @@ function resign {
                 continue
             fi
 
-            if [[ "$KEY" == "com.apple.developer.icloud-container-environment" ]]; then
+            log "App entitlements value for key '$KEY':"
+            log "$ENTITLEMENTS_VALUE"
+
+            # Patch the ID value if specified
+            if [[ "$ID_TYPE" == "APP_ID" ]]; then
+                # Replace old value with new value in patched entitlements
+                log "Replacing old app ID '$OLD_APP_ID' with new app ID '$NEW_APP_ID'"
+                ENTITLEMENTS_VALUE=$(echo "$ENTITLEMENTS_VALUE" | sed "s/$OLD_APP_ID/$NEW_APP_ID/g")
+            elif [[ "$ID_TYPE" == "TEAM_ID" ]]; then
+                # Replace old team identifier with new value
+                log "Replacing old team ID '$OLD_TEAM_ID' with new team ID '$NEW_TEAM_ID'"
+                ENTITLEMENTS_VALUE=$(echo "$ENTITLEMENTS_VALUE" | sed "s/$OLD_TEAM_ID/$NEW_TEAM_ID/g")
+            elif [[ "$ID_TYPE" == "ICLOUD_ENV" ]]; then
                 # Add specific iCloud Environment key to patched entitlements
                 # This value is set by Xcode during export (manually selected for Development and AdHoc, automatically set to Production for Store)
                 # Would need an additional dedicated option to specify the iCloud environment to be used (Development or Production)
@@ -788,20 +823,16 @@ function resign {
                     fi
                 fi
 
+                OLD_ICLOUD_ENV=$(echo "$ENTITLEMENTS_VALUE" | sed -e 's,<string>\(.*\)</string>,\1,g')
                 if [[ "$certificate_name" =~ "Distribution:" ]]; then
-                    ICLOUD_ENV="Production"
+                    NEW_ICLOUD_ENV="Production"
                 else
-                    ICLOUD_ENV="Development"
+                    NEW_ICLOUD_ENV="Development"
                 fi
-                log "Overriding value for $KEY"
-                log "Old value: $ENTITLEMENTS_VALUE"
-                log "New value: $ICLOUD_ENV"
-                ENTITLEMENTS_VALUE="$ICLOUD_ENV"
+                log "Replacing iCloud environment '$OLD_ICLOUD_ENV' with '$NEW_ICLOUD_ENV'"
+                ENTITLEMENTS_VALUE=$(echo "$ENTITLEMENTS_VALUE" | sed "s/$OLD_ICLOUD_ENV/$NEW_ICLOUD_ENV/g")
             fi
 
-            log "App entitlements value for key '$KEY':"
-            log "$ENTITLEMENTS_VALUE"
-
             # Remove the entry for current key from profisioning profile entitlements (if exists)
             PlistBuddy -c "Delete $KEY" "$PATCHED_ENTITLEMENTS" 2>/dev/null
 
@@ -830,7 +861,7 @@ function resign {
         # Replace old bundle ID with new bundle ID in patched entitlements
         # Read old bundle ID from the old Info.plist which was saved for this purpose
         OLD_BUNDLE_ID="$(PlistBuddy -c "Print :CFBundleIdentifier" "$TEMP_DIR/oldInfo.plist")"
-        NEW_BUNDLE_ID="$(bundle_id_for_provison "$NEW_PROVISION")"
+        NEW_BUNDLE_ID="$(bundle_id_for_provision "$NEW_PROVISION")"
         log "Replacing old bundle ID '$OLD_BUNDLE_ID' with new bundle ID '$NEW_BUNDLE_ID' in patched entitlements"
         # Note: ideally we'd match against the opening <string> tag too, but this isn't possible
         # because $OLD_BUNDLE_ID and $NEW_BUNDLE_ID do not include the team ID prefix which is