Profile doesn't match the entitlements file's value for the application-identifier entitlement
I'm not sure why this fixed it, but I went into my Target's Capabilities tab, turned iCloud ON, tried to do an archive build, it failed, I turned iCloud OFF again, tried to do an Archive build and it succeeded, and after that it was able to automatically resolve certificates again.
Rightclick on Finder -> Go to Folder...
~/Library/MobileDevice/Provisioning
For Xcode 11
~/Library/MobileDevice/Provisioning Profiles/
Delete all provisioning profiles, done.
The app you created has an incorrect application-identifier value, for what the provisioning profile is expecting. The cert for appID com.example.foo for the team 2ABCDEFG will be expecting application-identifier: 2ABCDEFG.com.example.foo, your app declared that its appID was com.example.foo, but the application-identifier didn't match, either you are using the wrong team-prefix, or you have the bundleID misconfigured.
In my case, I am using build schemes to allow me to build a prod app and a qa app. com.example.foo for prod, and com.example.foo.qa for QA.
I had set my bundleIdentifier in the Info.plist to $(PRODUCT_BUNDLE_IDENTIFIER)$(BUNDLE_SUFFIX), which works great in the simulator and on device for having different apps, however, when the app generates its application-identifer during the archive phase, it must not be reading the bundleIdentifier generated by the Info.plist.
To remedy the situation, I edited FooProject.xcodeproj/project.pbxproj (with a text editor) to change my QA buildSettings PRODUCT_BUNDLE_IDENTIFIER to com.example.foo.qa
You can see Apple's Technical Q&A and this page to see their in depth dive into solving this. Once you run the following on your exported app:
codesign -d --entitlements :- ./Payload/myApp.app
and see what application-identifier your app was just built with, it should be pretty quick to realize what your are doing wrong.
I didn't find that page in my Google searching, because they don't actually use the phrase from the error message or call the application-identifier by its full name, but instead say App ID.
Also, the solution to this problem isn't to generate a new provisioning profile that has the application-identifier entitlement, it does have that entitlement, however, the value in the provisioning profile, and your app have to match.