(feat): disable PREFIX substitution in entitlements (#2865)

Author: ssarad

tools/plisttool/plisttool.py

@@ -1115,15 +1115,6 @@ def __init__(self, target, options):
         # via the *_substitutions keys in the control because it takes an
         # action running to extract them from the provisioning profile, so
         # the starlark for the rule doesn't have access to the values.
-        #
-        # Set up the subs using the info extracted from the provisioning
-        # profile:
-        # - "PREFIX.*" -> "PREFIX.BUNDLE_ID"
-        bundle_id = self.options.get('bundle_id')
-        if bundle_id:
-          self._extra_raw_subs['%s.*' % team_prefix] = '%s.%s' % (
-              team_prefix, bundle_id)
-        # - "$(AppIdentifierPrefix)" -> "PREFIX."
         self._extra_var_subs['AppIdentifierPrefix'] = '%s.' % team_prefix
 
     else:
@@ -1288,7 +1279,8 @@ def _validate_entitlements_against_profile(self, entitlements):
     self._check_entitlements_array(
         entitlements, profile_entitlements,
         'keychain-access-groups', self.target,
-        supports_wildcards=True)
+        supports_wildcards=True,
+        allow_wildcards_in_entitlements=True)
 
     # com.apple.security.application-groups
     # (This check does not apply to macOS-only provisioning profiles.)

tools/plisttool/plisttool_unittest.py

@@ -1256,7 +1256,8 @@ def test_entitlements_options_var_subs(self):
         },
     }, {'Foo': 'abc123.'})
 
-  def test_entitlements_options_raw_subs(self):
+  def test_entitlements_options_preserves_wildcards(self):
+    """Verify that wildcards in entitlements are preserved (matching Xcode behavior)."""
     plist1 = {'Bar': 'abc123.*'}
     self._assert_plisttool_result({
         'plists': [plist1],
@@ -1267,7 +1268,7 @@ def test_entitlements_options_raw_subs(self):
                 'Version': 1,
             },
         },
-    }, {'Bar': 'abc123.my.bundle.id'})
+    }, {'Bar': 'abc123.*'})
 
   def test_entitlements_no_profile_for_app_id_prefix(self):
     with self.assertRaisesRegex(
@@ -1622,23 +1623,20 @@ def test_entitlements_keychain_not_allowed(self):
           },
       })
 
-  def test_entitlements_keychain_entitlements_wildcard_not_allowed(self):
-    with self.assertRaisesRegex(
-        plisttool.PlistToolError,
-        re.escape(plisttool.ENTITLEMENTS_VALUE_HAS_WILDCARD % (
-            _testing_target, 'keychain-access-groups', 'QWERTY.*'))):
-      _plisttool_result({
-          'plists': [{'keychain-access-groups': ['QWERTY.*']}],
-          'entitlements_options': {
-              'bundle_id': 'my.bundle.id',
-              'profile_metadata_file': {
-                  'Entitlements': {
-                      'keychain-access-groups': ['QWERTY.*'],
-                  },
-                  'Version': 1,
-              },
-          },
-      })
+  def test_entitlements_keychain_entitlements_wildcard_allowed(self):
+    """Verify that wildcards in keychain-access-groups are allowed (matching Xcode behavior)."""
+    self._assert_plisttool_result({
+        'plists': [{'keychain-access-groups': ['QWERTY.*']}],
+        'entitlements_options': {
+            'bundle_id': 'my.bundle.id',
+            'profile_metadata_file': {
+                'Entitlements': {
+                    'keychain-access-groups': ['QWERTY.*'],
+                },
+                'Version': 1,
+            },
+        },
+    }, {'keychain-access-groups': ['QWERTY.*']})
 
   def test_entitlements_keychain_mismatch(self):
     with self.assertRaisesRegex(