If you created your provisioning profile before configuring the app ID
for push, try to regenerate the provisioning profile.
iOS Provisioning Portal -> Provisioning -> Your cert -> EDIT -> Make
an edit -> Download new provisioning
Worked for me. Now i'm able to use push.
In my case, the stuff in my provisioning profile:
security cms -D -i ~/Downloads/spolskyDevelop.mobileprovision
...
<key>application-identifier</key>
<string>P5GM95Q9VV.com.dca.spolsky</string>
<key>aps-environment</key>
<string>development</string>
Was different than the stuff in the app that was actually built (you can find out where it is built by looking at Xcode's Logs tab)
codesign -d --entitlements - '/Users/drew/Library/Developer/Xcode/DerivedData/spolsky-bdbtdfjeeywhqzccpmmceqvnhgtm/Build/Products/Debug-iphoneos/spolsky-ios.app'
<dict>
<key>application-identifier</key>
<string>Y2X6Z7Z2GR.com.dca.spolsky-ios</string>
<key>get-task-allow</key>
<true/>
<key>keychain-access-groups</key>
<array>
<string>Y2X6Z7Z2GR.com.dca.spolsky-ios</string>
</array>
</dict>
This was true even though the "Currently Matches" hint text under Code Signing Identity was indicating the correct provisioning profile--weird, huh? To make a weird story weirder, the correct provisioning profile was being installed on the device when I ran, (Settings->General->Profiles) leading me to believe the provisioning profile was right--but it was falling back to a wildcard ID when the app was actually launched.
The clue was the difference in the output of these two commands:
Y2X6Z7Z2GR.com.dca.spolsky-ios vs P5GM95Q9VV.com.dca.spolsky
When I made the bolded part match, the italicized part changed to match automatically. In addition, the output of security and codesign were in agreement, and no more aps-entitlement error.
My guess here is that XCode was using a wildcard-style match on my non-wildcard ID. ("spolsky" is, after all, quite nearly "spolsky-ios"), and this explains the "Currently Matches" output. But something in the build chain is more strict about this, so it falls back to an actual wildcard ID during the build.
Best Answer
I found the solution. In my project info under Build > Code Signing Identity I had it set to automatic, and it was selecting an AdHoc distribution profile which did not have push notifications enabled. (It was the wrong one.) I have selected the correct profile and the error is gone.