In my case, the stuff in my provisioning profile:
security cms -D -i ~/Downloads/spolskyDevelop.mobileprovision
...
<key>application-identifier</key>
<string>P5GM95Q9VV.com.dca.spolsky</string>
<key>aps-environment</key>
<string>development</string>
Was different than the stuff in the app that was actually built (you can find out where it is built by looking at Xcode's Logs tab)
codesign -d --entitlements - '/Users/drew/Library/Developer/Xcode/DerivedData/spolsky-bdbtdfjeeywhqzccpmmceqvnhgtm/Build/Products/Debug-iphoneos/spolsky-ios.app'
<dict>
<key>application-identifier</key>
<string>Y2X6Z7Z2GR.com.dca.spolsky-ios</string>
<key>get-task-allow</key>
<true/>
<key>keychain-access-groups</key>
<array>
<string>Y2X6Z7Z2GR.com.dca.spolsky-ios</string>
</array>
</dict>
This was true even though the "Currently Matches" hint text under Code Signing Identity was indicating the correct provisioning profile--weird, huh? To make a weird story weirder, the correct provisioning profile was being installed on the device when I ran, (Settings->General->Profiles) leading me to believe the provisioning profile was right--but it was falling back to a wildcard ID when the app was actually launched.
The clue was the difference in the output of these two commands:
Y2X6Z7Z2GR.com.dca.spolsky-ios vs P5GM95Q9VV.com.dca.spolsky
When I made the bolded part match, the italicized part changed to match automatically. In addition, the output of security and codesign were in agreement, and no more aps-entitlement error.
My guess here is that XCode was using a wildcard-style match on my non-wildcard ID. ("spolsky" is, after all, quite nearly "spolsky-ios"), and this explains the "Currently Matches" output. But something in the build chain is more strict about this, so it falls back to an actual wildcard ID during the build.
与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
