Skip to content
Latchkey

altool ERROR ITMS-90161 invalid provisioning profile in CI

App Store Connect rejected the uploaded binary with ITMS-90161 because the provisioning profile embedded in the app is not valid for an App Store submission: wrong bundle id, an expired or non-distribution profile, or a profile that does not include the signing certificate.

What this error means

altool --upload-app or Xcode Organizer fails with "ERROR ITMS-90161: Invalid Provisioning Profile. The provisioning profile included in the bundle is invalid." The build compiled and signed locally but is rejected at upload.

altool
ERROR ITMS-90161: "Invalid Provisioning Profile. The provisioning profile included in
the bundle com.example.app [Payload/App.app] is invalid. [Missing code-signing
certificate.] A Distribution Provisioning profile should be used when submitting apps
to the App Store."

Common causes

A development profile was embedded instead of distribution

The archive was exported with a Development or Ad Hoc profile. App Store uploads require an App Store distribution profile.

The profile does not include the signing certificate

The embedded profile was generated for a different distribution certificate than the one the runner signed with, so the pairing is invalid.

How to fix it

Export with an App Store distribution profile

  1. Generate or download an App Store distribution profile for the exact bundle id.
  2. Set method to app-store in the export options so the right profile is embedded.
  3. Re-archive, re-export, and re-upload.
ExportOptions.plist
<!-- ExportOptions.plist -->
<key>method</key><string>app-store</string>
<key>provisioningProfiles</key>
<dict><key>com.example.app</key><string>App Store Profile</string></dict>

Align the certificate with the profile

Ensure the Apple Distribution certificate installed on the runner is the one the profile lists. With fastlane match, run the appstore type so the certificate and profile come from the same source.

Terminal
fastlane match appstore --readonly

How to prevent it

  • Always export App Store builds with method app-store.
  • Keep the distribution certificate and profile in sync via match or a shared keychain.
  • Regenerate profiles when the distribution certificate is rotated.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →