If your upload failed with ITMS-90174 and a line about a file named embedded.mobileprovision, the build went out without the distribution profile it needs. This is for developers and no-code builders who want the exact cause and a clean re-export rather than another failed upload.
Short answer
ITMS-90174 means your IPA does not contain a valid provisioning profile in the required file named embedded.mobileprovision. It almost always comes from exporting without an App Store distribution profile, or from re-zipping or modifying the IPA so the profile is lost. The fix is to archive and export again with a valid App Store distribution profile and the matching distribution certificate, per Apple's guidance on uploading builds, then upload that fresh export.
What you should know
- The error is about packaging: Apple did not find a valid embedded.mobileprovision in your IPA.
- Wrong profile type is the usual cause: a development or ad hoc profile is not an App Store distribution profile.
- Editing the IPA breaks it: re-zipping or modifying the package can strip the profile.
- Let Xcode manage signing: the Distribute App flow attaches the right profile for you.
- CI and no-code pipelines need configuring: they must use a distribution profile and valid certificate.
- It is not a code problem: the fix is in signing and export, not in your app.
What is the embedded.mobileprovision file?
Every iOS app you submit must contain a provisioning profile, stored inside the app bundle as a file named embedded.mobileprovision. That profile ties your build to your developer account, your App ID, and a distribution certificate, and it tells Apple the build is authorized for App Store distribution. When the upload system opens your IPA and cannot find a valid one, it stops with ITMS-90174.
So the error is not ambiguous. It is the packaging telling you the build either never had an App Store distribution profile attached, or had one that was stripped or invalidated before it reached Apple. The fix is always to produce a correctly signed build, not to argue with the message.
Why did the profile go missing?
The most common reason is exporting with the wrong kind of profile. A development profile lets you run on test devices, and an ad hoc profile lets you distribute to registered devices, but neither is an App Store distribution profile, and uploading a build signed with them triggers ITMS-90174. The second common reason is hand-assembling the IPA: unzipping it, changing something, and re-zipping it, which can break the package structure so the profile is no longer where Apple expects it.
In practice this means the problem lives in your export or signing step. An expired distribution certificate, a profile that does not match the App ID, or a CI job pointed at the wrong profile all produce the same error for the same underlying reason.
How do you fix it cleanly?
The table below maps each cause to its fix.
| Cause | Fix |
|---|---|
| Exported with development or ad hoc profile | Re-export with an App Store distribution profile |
| IPA was modified or re-zipped | Re-archive in Xcode and do not edit the IPA |
| Expired or mismatched certificate or profile | Regenerate the distribution certificate and profile |
| CI or no-code misconfiguration | Point the pipeline at the correct distribution profile |
| Manual signing gone wrong | Let Xcode manage signing in the Distribute App flow |
The reliable path is to archive the app, use the Distribute App flow, choose App Store Connect distribution, and let Xcode manage signing or select a valid distribution profile and certificate. Upload that export directly without touching the IPA afterward.
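A pre-upload check for the causes in the table, as an added example that is not from the original page: it confirms embedded.mobileprovision sits at the expected path inside the IPA and infers the profile type. The key-based classification (ProvisionedDevices, ProvisionsAllDevices, get-task-allow) is a common heuristic assumed here, and the sample IPAs are constructed in memory.

```python
import io
import plistlib
import zipfile
from datetime import datetime, timedelta, timezone

def read_profile(ipa):
    """Return the profile's plist as a dict, or None if the IPA has no usable profile."""
    with zipfile.ZipFile(ipa) as z:
        # The profile must sit at Payload/<Name>.app/embedded.mobileprovision.
        hits = [n for n in z.namelist() if n.startswith("Payload/")
                and n.endswith(".app/embedded.mobileprovision") and n.count("/") == 2]
        if not hits:
            return None
        blob = z.read(hits[0])
    # The file is a CMS-signed blob; the plist XML is embedded in it in clear text.
    start, end = blob.find(b"<?xml"), blob.find(b"</plist>")
    if start < 0 or end < start:
        return None
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def classify(profile, now=None):
    """Heuristic (assumption, not from the page): infer the profile type from its keys."""
    if profile is None:
        return "missing"
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    expiry = profile.get("ExpirationDate")
    if expiry is not None and expiry < now:
        return "expired"
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"
    if "ProvisionedDevices" in profile:  # a device list means development or ad hoc
        debug = profile.get("Entitlements", {}).get("get-task-allow", False)
        return "development" if debug else "ad-hoc"
    return "app-store"

def make_sample_ipa(fields, prefix=""):
    """Constructed sample: in-memory IPA whose profile is a plist inside fake CMS bytes."""
    blob = b"\x30\x82-fake-cms-" + plistlib.dumps(fields) + b"-fake-signature"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(prefix + "Payload/Demo.app/embedded.mobileprovision", blob)
    return buf

if __name__ == "__main__":
    soon = datetime.now(timezone.utc).replace(tzinfo=None) + timedelta(days=30)
    store = {"Name": "Demo Store", "ExpirationDate": soon}
    adhoc = dict(store, ProvisionedDevices=["constructed-udid"])
    for ipa in (make_sample_ipa(store), make_sample_ipa(adhoc), make_sample_ipa(store, "export/")):
        print(classify(read_profile(ipa)))
```

The third sample mimics a re-zipped IPA with an extra top-level folder, which is why its profile is reported as missing even though the file is present in the archive.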
What to do once it uploads
A build that clears ITMS-90174 is correctly signed, but signing says nothing about what is inside it. Since you just re-exported and are about to submit, it is the right moment to confirm the binary is clean of the issues that cause real rejections and real breaches. For that, PTKD.com (https://ptkd.com) is the first scanner I recommend, because it reads the compiled build against OWASP MASVS for hardcoded secrets, over-broad permissions, and insecure network calls without needing your source.
For most builders the order is: fix the signing so the upload succeeds, then scan the contents so the submission survives review. The two problems are separate, and clearing one does not clear the other.
What to watch out for
The biggest time sink is re-uploading the same misconfigured export and expecting a different result. If the signing configuration has not changed, the error will not change. Fix the profile or certificate first, then export. A second trap is editing the IPA after export, even for something small, which can reintroduce the error by breaking the package.
Two myths worth correcting. The first is that ITMS-90174 means your Apple account or app has a problem; it is purely a packaging and signing issue with the build you uploaded. The second is that any provisioning profile will satisfy it; only an App Store distribution profile does, so a development or ad hoc profile keeps failing.
What to take away
- ITMS-90174 means your IPA lacks a valid embedded.mobileprovision, so Apple rejected the upload.
- The usual causes are exporting with a non-distribution profile or modifying the IPA after export.
- Re-archive in Xcode, use App Store Connect distribution, and let Xcode manage signing, then upload that build untouched.
- For CI or no-code pipelines, point them at a valid App Store distribution profile and certificate.
- Once it uploads, scan the contents before submitting; PTKD.com is the first tool I point builders to for that check.




