crash code-signing keychain provisioning-profile entitlements

killed app because its use of the keychain-access-groups entitlement is not allowed (error code -67050)


I'm trying to convert an older family of applications to modern standards. In doing so, one requirement is to link them all together using Keychain Groups and App Groups. However, once I do this, I get the following crash logged in Console.app:

6/28/18 11:13:10.295 AM taskgated-helper[507]: embedded provisioning profile not valid: file:///Users/me/Desktop/Primary App.app/Contents/embedded.provisionprofile
6/28/18 11:13:10.295 AM taskgated-helper[507]: Found 0 provisioning profiles
6/28/18 11:13:10.295 AM taskgated-helper[507]: Disallowing com.company.OurApp[pid 510] because no provisioning profiles found
6/28/18 11:13:10.295 AM taskgated[101]: killed com.company.OurApp[pid 510] because its use of the keychain-access-groups entitlement is not allowed (error code -67050)
6/28/18 11:13:10.314 AM ReportCrash[509]: Trying to extract VM information using cr2
6/28/18 11:13:10.343 AM ReportCrash[509]: Saved crash report for Primary App[510] version ??? to /Users/me/Library/Logs/DiagnosticReports/Primary App_2018-06-28-111310_My-Mac.crash

The crash log contains these lines which are common to certificate/entitlement issues:

Exception Type:        EXC_CRASH (Code Signature Invalid)
Exception Codes:       0x0000000000000000, 0x0000000000000000

Setup:

Built on macOS High Sierra using Xcode 8.3.3 (I know...). Crash occurred while testing on a Mac OS X El Capitan 10.11.6 VM (I know...)


This is related to Code signing issues and crashes after attempting to set up Keychain sharing, which involves different components on a different OS, but seems to have the same root cause.

This is also related to Mac App signed with Developer ID fails to start, I get com.apple.developer.networking.vpn.api entitlement is not allowed (error code -67050) which is caused by a different broken entitlement, but has the same end result.


Solution

  • When you change an application's entitlements in Xcode, you also need to ensure you have granted those entitlements in the provisioning profile. To do that, you need to log into Apple's Developer site, and update the entitlements for your app ID. Then you will need to generate / re-generate the provisioning profile for that app ID. Once you have done that, delete the old provisioning profiles and install the new ones downloaded, which should have the proper entitlements. You should now be able to use the new capabilities (in your case, Keychain Groups).
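
A pre-flight check for the mismatch described in the answer above, as an added example that is not part of the original question or answer: it compares the entitlements an app is signed with against the `Entitlements` dictionary of its embedded provisioning profile and reports the values the profile does not grant. The team ID, bundle IDs, sample profile bytes and the default set of checked keys are assumptions constructed for illustration.

```python
import plistlib

# Keys checked by default: the two entitlements named in the errors on this page (assumption).
CHECKED_KEYS = ("keychain-access-groups", "com.apple.developer.networking.vpn.api")

def profile_plist(blob: bytes) -> dict:
    """Pull the XML plist out of a CMS-wrapped .provisionprofile (signature is NOT verified)."""
    start, end = blob.find(b"<?xml"), blob.find(b"</plist>")
    if start < 0 or end < start:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def _covers(pattern, value) -> bool:
    """A profile value covers an app value if equal, or by trailing-* prefix match."""
    if isinstance(pattern, str) and isinstance(value, str) and pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value

def ungranted(app_ents: dict, profile: dict, keys=CHECKED_KEYS) -> dict:
    """Return {key: [values the profile does not grant]} for the checked keys."""
    allowed = profile.get("Entitlements", {})
    missing = {}
    for key in keys:
        if key not in app_ents:
            continue
        want = app_ents[key] if isinstance(app_ents[key], list) else [app_ents[key]]
        have = allowed.get(key, [])
        have = have if isinstance(have, list) else [have]
        bad = [w for w in want if not any(_covers(h, w) for h in have)]
        if bad:
            missing[key] = bad
    return missing

# Constructed sample data (hypothetical team ID and bundle IDs, not from the page).
SAMPLE_PROFILE = b"\x30\x82\x1f\x00" + plistlib.dumps({"Entitlements": {
    "com.apple.application-identifier": "ABCDE12345.com.example.primary",
    "keychain-access-groups": ["ABCDE12345.com.example.primary"]}}) + b"\x00\xa0\x82"
SAMPLE_APP_ENTS = {"keychain-access-groups": [
    "ABCDE12345.com.example.primary", "ABCDE12345.com.example.shared"]}

if __name__ == "__main__":
    # The shared group was added to the app but the profile was never regenerated.
    print(ungranted(SAMPLE_APP_ENTS, profile_plist(SAMPLE_PROFILE)))
```

On a real build, the app-side dictionary can be obtained by loading the output of `codesign -d --entitlements :- "Primary App.app"` with `plistlib`, and `security cms -D -i embedded.provisionprofile` decodes the profile with its CMS wrapper handled properly rather than by byte search.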