We have an app which is hybrid using React Native and Native features. We released our app recently which showed issues related to missing packages/corrupt package but xCode didn't gave any error and we were able to Archive and submit app successfully.

I regularly see questions from folks who’ve run into code-signing problems with their third-party IDE. There’s a limit to how much I can help you with such problems. This post explains a simple test you can run to determine what side of that limit you’re on. If you have any questions or comments, please put them in a new thread here on DevForums. Put it in Code Signing > General topic area and apply whatever tags make sense for your specific situation. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" Investigating Third-Party IDE Code-Signing Problems DTS doesn’t support third-party tools. If you’re using third-party tooling and encounter a code-signing problem, run this test to determine whether you should seek help from Apple or from your tool’s vendor. IMPORTANT Some third-party tools create Xcode projects that you then build and run in Xcode. While that approach is understandable, it’s not something that DTS supports. So, the steps below make sense even if you’re already using Xcode. To check that code-signing is working in general: Launch Xcode. In Xcode > Settings > Accounts, make sure you’re signed in with your developer account. Create a new project from the app project template for your target platform. For example, if you’re targeting iOS, use the iOS > App project template. When creating the project: Select the appropriate team in the Team popup. Choose a bundle ID that’s not the same as your main app’s bundle ID. Choose whatever language and interface you want. Your language and interface choices are irrelevant to code signing. Choose None for your testing system and storage model. This simplifies your project setup. In the Signing & Capabilities editor, make sure that: "Automatically manage signing” is checked. The Team popup and Bundle Identifier fields match the value you chose in the previous step. Select a simulator as the run destination. Choose Product > Build. This should always work because the simulator doesn’t use code signing [1]. However, doing this step is important because it confirms that your project is working general. Select your target device as the run destination. Choose Product > Build. Then Product > Run. If you continue to have problems, that’s something that Apple folks can help you with. If this works, there’s a second diagnostic test: Repeat steps 1 through 10 above, except this time, in step 4, choose a bundle ID that is the same as your main app’s bundle ID. If this works then your issue is not on the Apple side of the fence, and you should escalate it via the support channel for the third-party tools you’re using. On the other hand, if this fails, that’s something we can help you with. I recommend that you first try to fix the issue yourself. For links to relevant resources, see Code Signing Resources. You should also search the forums, because we’ve helped a lot of folks with a lot of code-signing issues over the years. If you’re unable to resolve the issue yourself, feel free to start a thread here in the forums. Put it in Code Signing > General topic area and apply whatever tags make sense for your specific situation.

Hi guys, Is there any good up-to-date tutorial about publishing a Python based app on Apple Store? Now, I have developed a standalone Python app from PyCharm, and it's using Pyside6 for UI and some major Python libraries. It's a productivity app with a little A.I. features. I used PyInstaller to prepare the app. Currently, I am stuck at the stage of codesign and Apple Review process, because I am manually doing codesign and building the package from command-line. Without using Xcode, things can get messy or miss easily. It would be nice to follow a up-to-date tutorial about how to complete the codesign and Apple Review process for a Python based app. For example, what to do, how to do, what to be careful during the Apple Review process, etc. Thanks!

I added a watchkit extension to an existing app. I get this error when uploading to App Store Connect. Building the archive itself is fine: Prepared archive for uploading Upload failed error: Validation failed Missing Info.plist value. A value for the key “WKApplication”, or “WKWatchKitApp” if your project has a WatchKit App Extension target, is required in “Runner.app/Watch/watch_Watch_App.app” bundle. For details, see: https://developer.apple.com/documentation/watchkit/creating_independent_watchos_apps/setting_up_a_watchos_project have the exact same issue when bundling. I added the flag manually in a additional plist fields entry with WKApplication=1 because my Info.Plist is generated and it didn't help. I wrote a custom Run Script Phase that added the flag and that didn't help as well. I need a reply from someone from Apple here. This needs to be fixed.

Hello, I have a macOS app built with Flutter’s macOS target (native Xcode project). The app is unsigned (no Developer ID code signing / notarization). The .app bundle looks valid: CFBundlePackageType = APPL Unique CFBundleIdentifier No LSUIElement or LSBackgroundOnly Executable exists and is runnable Placed at /Applications/MyApp.app (top-level), runs fine from Finder However, it does not show up in Launchpad. What I tried: Remove quarantine: xattr -dr com.apple.quarantine "/Applications/MyApp.app" Force Launch Services registration: /System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -f "/Applications/MyApp.app" Rebuild LS caches: /System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -kill -r -domain local -domain system -domain user Reset Launchpad DB and restart Dock: defaults write com.apple.dock ResetLaunchPad -bool true && killall Dock Verified bundle structure/type: mdls -name kMDItemContentType -name kMDItemKind "/Applications/MyApp.app" → shows com.apple.application-bundle / Application Questions Is code signing/notarization required for an app to appear in Launchpad (even if it runs from Finder)? What additional conditions cause Launchpad to skip an otherwise valid, unsigned .app in /Applications? Are there deeper Launch Services or Dock database checks I can run to diagnose why this specific app is excluded?

Our app .dmg file was successfully code signed. We then revised the app and created a new .dmg. Running codesign gave an "app is already signed" message. Then running codesign -dv said "code object is not signed at all" Older solutions said to use -f to force signing, but that is no longer an option.

I made a macOS application using Swift Package and distributed it in dmg format through Apple Notary service. However, we received a report from a user that it can be launched from a disk image mounted from dmg, but when copied to /Applications, the app is broken and does not start. I looked into why this happened, I noticed that the codesign command returned different results when copying the application bundle and /Applications on the volume mounted dmg with Finder. Mounted dmg: OK ❯ codesign --verify --deep --verbose /Volumes/azoo-key-skkserv/azoo-key-skkserv.app /Volumes/azoo-key-skkserv/azoo-key-skkserv.app: valid on disk /Volumes/azoo-key-skkserv/azoo-key-skkserv.app: satisfies its Designated Requirement Copied by Finder: Bad codesign reports that there are 148 added/missing files. ❯ codesign --verify --deep --verbose /Applications/azoo-key-skkserv.app /Applications/azoo-key-skkserv.app: a sealed resource is missing or invalid file added: /Applications/azoo-key-skkserv.app/Contents/Resources/AzooKeyKanakanjiConverter_KanaKanjiConverterModuleWithDefaultDictionary.bundle/Contents/Resources/Dictionary/louds/グ1.loudstxt3 (skip...) file missing: /Applications/azoo-key-skkserv.app/Contents/Resources/AzooKeyKanakanjiConverter_KanaKanjiConverterModuleWithDefaultDictionary.bundle/Contents/Resources/Dictionary/louds/グ1.loudstxt3 (skip...) Copied by ditto: OK ❯ ditto /Volumes/azoo-key-skkserv/azoo-key-skkserv.app /Applications/azoo-key-skkserv.app ❯ codesign --verify --deep --verbose /Applications/azoo-key-skkserv.app /Applications/azoo-key-skkserv.app: valid on disk /Applications/azoo-key-skkserv.app: satisfies its Designated Requirement I made a simple macOS application to explain this problem in an easy-to-understand way. You can download dmg in github releases, mount dmg, copy it in the Finder, and check if there is a problem by running the codesign command. https://github.com/mtgto/example-utf8-mac-notarization As a result, I learned the following two things. Occurs only with resources with file names whose values change due to NFC/NFD normalization No problems occur with the resources of the application itself. Generated by the Swift Package resources that the application depends on I think this is a problem with Finder or Gatekeeper.

In Swift I'm using unzip by launching a Process to unzip a file. I added a launchRequirement to the process in order to make sure the executable is code signed by Apple and the identifier is com.apple.unzip. After testing out my code on another machines (both physical and virtual), I found out that in some the identifier is actually com.apple.zipinfo, which broke the SigningIdentifier requirement. It's safe to assume that /usr/bin/unzip can be trusted since it's in a System Integrity Protection (SIP) location, but I'm wondering why this executable has different identifiers?

In the LightweightCodeRequirements framework, there is a LaunchCodeRequirement object which can be used as a requirement object for a Process for example. What I don't understand (I admit my macOS low-level knowledge is limited) is that how can this be used in a secure way that doesn't fall victim of a Time-of-Check/Time-of-Use issue. e.g. I specify a LaunchCodeRequirement via Process.launchRequirement for my process, let's say /usr/local/bin/mycommandlinetool. The LaunchCodeRequirement specifies my development team and a developer ID certificate. The process must be started in some form, before a SecCode/SecTask object can be created, rather than a SecStaticCode object (which only guarantees its validity checks to be intact as long as the file is not modified). But if the process was started, then I have no tools in my set to prevent it from executing its initialization code or similar. Then, by the time I'm able to check via SecCode/SecTask functions the LaunchCodeRequirement, I might have already ran malicious code - if mycommandlinetool was maliciously replaced. Or does the operating system use a daemon to copy the executable specified for Process to a secure location, then creates the SecStaticCode object, assesses the LaunchCodeRequirement and if passed, launches the executable from that trusted location (which would make sure it is immutable for replacement by malicious actors)? I have a hard time understanding how this works under the hood - if I remember correctly these are private APIs.

I am responsible for the mobile app and thus also of the apple developer and app store connect accounts of a company. An external freelancer developed a software package for us which we aim to offer for installation and use on macOS systems of our customers; distributed exclusively outside of the Apple App Store. The software package has nothing to do with the mobile app. MacOS' Gatekeeper currently warns or even prevents our customers regarding the installation of the package on their device; pretty much as described here: https://developer.apple.com/developer-id/. According to a previous talk with Apple's Support, the software package (.app) the Freelancer developed must be signed with one of our own certificates. As we cannot grant selective app store connect access to third persons (only for the concerned certificates), we prefer to not provide access to our entire apple developer account to the freelancer, for the sole reason of the certificate & signing process. According to previous attempts with Apples' support regarding the most feasible solution in this case, they recommended me to manage the signing of the package of the freelancer, and simply request the package from the freelancer. I've thus generated an according Developer ID Certificate, but regarding the signing process, I'm confused. I know how signing works with mobile apps in XCode, but regarding software that is not distributed throughout the App Store on macOS, I'm unsure about the process. Also, as far as I know, the entitlements of the application are involved in the signing process. So my concern is that simply having the software package (.app) from the freelancer is not really enough to complete the signing + notarization process? Won't I need further information about the app's entitlements etc.? I would like to have a clear solution about the procedure that is required in these cases, as online documentations and / or forums as well as previous talks with your non-technical support from Apple did not resolve the issue.

This is a lengthy one. I have basically compiled a Rust binary into a dylib and packaged into a .xcframework that contains per arch .frameworks. This loads correctly when run from Xcode into a real iOS device. However, when deployed to TestFlight the app crashes. Here is what is a bit different, the dylib is not fully self-contained. It tries to reach in an use C functions I have exposed in my library code. Calling functions that are just within the dylib and just return works fine, but the moment it tries to call one of the exposed functions it crashes. A full in-depth step by step of how I packaged the binaries can be found in my website: https://ospfranco.com/complete-guide-to-dylibs-in-ios-and-android When I look at the TestFlight crash report there are no symbols but the termination cause via WatchDog is: Termination Reason: CODESIGNING 2 Invalid Page I have declared my functions as such: OBJC_EXTERN void ios_prepare_request(const char *url) #define EXPORT __attribute__((visibility("default"), used, retain)) extern "C" { EXPORT void ios_prepare_request(const char *url) { NSString *urlString = [NSString stringWithUTF8String:url]; request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:urlString]]; } } // Function used to prevent optimization void force_symbol_registration() { // Force these symbols to be included in the binary by referencing them volatile void *ptrs[] = {(void *)ios_prepare_request,}; // Prevent compiler from optimizing away the array (void)ptrs; } And I load my framework as: opacity::force_symbol_registration(); // NSBundle *dylib_bundle = // [NSBundle bundleWithIdentifier:@"com.opacitylabs.sdk"]; // NSString *dylib_path = [dylib_bundle pathForResource:@"sdk" ofType:@""]; // // Load the dynamic library // void *handle = dlopen([dylib_path UTF8String], RTLD_NOW | RTLD_GLOBAL); // if (!handle) { // NSString *errorMessage = [NSString stringWithUTF8String:dlerror()]; // *error = // [NSError errorWithDomain:@"OpacitySDKDylibError" // code:1002 // userInfo:@{NSLocalizedDescriptionKey : // errorMessage}]; // return -1; // or appropriate error code // } // Make sure the main executable's symbols are available dlopen(NULL, RTLD_NOW | RTLD_GLOBAL); NSBundle *frameworkBundle = [NSBundle bundleWithIdentifier:@"com.opacitylabs.sdk"]; if (![frameworkBundle isLoaded]) { BOOL success = [frameworkBundle load]; if (!success) { NSString *errorMessage = @"Failed to load framework"; *error = [NSError errorWithDomain:@"OpacitySDKDylibError" code:1002 userInfo:@{NSLocalizedDescriptionKey : errorMessage}]; return -1; } } As you can see, I have also tried dlopen both work when run from Xcode but crash when deployed on testflight. I have tried re-signing the xcframework/frameworks on a pre build step but it doesn't work As stated, I can call the functions inside the dylib, but once they try to call my exposed code it crashes Is this achievable at all or just a limitation of the iOS sandbox?

I’m facing an issue with my macOS app after code signing and notarization. The app is signed with my Developer ID and notarized using xcrun notarytool. Everything works fine on the machine where the signing was done — Gatekeeper accepts it, no warning appears, and codesign/spctl checks pass. However, when running the same .app on other Macs, users receive a Gatekeeper warning saying the app is "malicious software and cannot be opened". The signature is valid and the notarization log shows status: Accepted. What I've tried: Verified signature with codesign --verify --deep --strict --verbose=2 Checked notarization status via xcrun notarytool log Assessed Gatekeeper trust with spctl --assess --type execute Everything passes successfully on the development machine. Why would the app be treated as malicious on other systems even after notarization? I'm happy to share logs and technical details if needed.

Hi guys, New to publishing apps on Apple Store. I encounter some notarization error before and resolved it in this post. By solving the previous issue, I updated the Trust setting from "Always Trust" to "Use System Defaults" for Apple certificates. The codesign and notarization no longer give me any problem. But now, I encountered another issue. When I ran the .app on my local Macbook, it now gives me "zsh: trace trap" error. Dive a little further and check the crash report, I found the some details as following. Process: my_app [30652] Path: /Users/USER/my_app_path Identifier: my_app Version: 0.0.0 (???) Code Type: ARM-64 (Native) Parent Process: launchd [1] User ID: 501 Date/Time: 2025-07-15 14:57:58.9874 -0400 OS Version: macOS 15.5 (24F74) Report Version: 12 Anonymous UUID: 2335F0B6-A26E-6446-6074-0FCE620C4B6A Time Awake Since Boot: 6000 seconds System Integrity Protection: enabled Crashed Thread: 0 Dispatch queue: com.apple.main-thread Exception Type: EXC_BAD_ACCESS (SIGKILL (Code Signature Invalid)) Exception Codes: UNKNOWN_0x32 at 0x00000001064b4000 Exception Codes: 0x0000000000000032, 0x00000001064b4000 Termination Reason: Namespace CODESIGNING, Code 2 Invalid Page VM Region Info: 0x1064b4000 is in 0x1064b4000-0x1064b8000; bytes after start: 0 bytes before end: 16383 REGION TYPE START - END [ VSIZE] PRT/MAX SHRMOD REGION DETAIL mapped file 1064ac000-1064b4000 [ 32K] r-x/rwx SM=COW Object_id=d2a02fbf ---> VM_ALLOCATE 1064b4000-1064b8000 [ 16K] r-x/rwx SM=PRV __TEXT 1064b8000-1068a4000 [ 4016K] r-x/rwx SM=COW my_app.app/Contents/Frameworks/Python.framework/Versions/3.12/Python I can tell it's about codesign and signature invalid. I have tried to rebuild, re-codesign and re-notarize. But the error still persists. Could someone help me? Thanks!

This math-educational 3D-graphics courseware utilizes Java3D, which sits on top of hardware-dependent JOGAMP binaries (which instruct at the GPU-level). This code signing command applied to the installer .dmg: codesign -s "myName" --force --options runtime ~/DFG2D_MacOS_Manufacturing/MacOSInstallers/DFG2D_Mac_J1602_x86/DataflowGeometry2D-1.0.300.dmg is supposed to force signing of all the embedded binaries, BUT the notary tool finds about 25 jogamp-fat dynamic libraries (/ *.dylib) UNSIGNED. Processing complete id: 23d81a99-4087-48d2-a567-8072dd2820fe status: Invalid pierrebierre@Pierres-iMac ~ % xcrun notarytool log 17d2fe94-f38a-47d4-9568-cf4dc65f24c9 --apple-id "xxxxxxxxxxx" --team-id "XXXXXXXXX" --password pwpwpwpwpw { "logFormatVersion": 1, "jobId": "17d2fe94-f38a-47d4-9568-cf4dc65f24c9", "status": "Invalid", "statusSummary": "Archive contains critical validation errors", "statusCode": 4000, "archiveFilename": "DataflowGeometry2D-1.0.300.dmg", "uploadDate": "2025-07-13T21:28:21.147Z", "sha256": "57320c4ad4a07f144336084152bf7e3328f8c5694dd568d2cfd23a596b5b3b13", "ticketContents": null, "issues": [ { "severity": "error", "code": null, "path": "DataflowGeometry2D-1.0.300.dmg/DataflowGeometry2D.app/Contents/app/DFG2D_Mac_x86_300.jar/lib/jogamp-fat/jogamp-fat.jar/natives/macosx-universal/libnativewindow_awt.dylib", "message": "The binary is not signed.", "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721", "architecture": "x86_64" }, { "severity": "error", "code": null, "path": "DataflowGeometry2D-1.0.300.dmg/DataflowGeometry2D.app/Contents/app/DFG2D_Mac_x86_300.jar/lib/jogamp-fat/jogamp-fat.jar/natives/macosx-universal/libnativewindow_awt.dylib", "message": "The signature does not include a secure timestamp.", "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733", "architecture": "x86_64" }, What is your advice on how to get these binaries signed?

Hey, So i am trying to setup OpenGL on my mac. Specs : M2 Pro, 15.5 (24F74) Now i have setup the entire project properly as far as i know. GLFW, GLAD and the OpenGL framework. the build libraries are also reference and everything. I have also included the glad.c file in the folder. i have also kept it to run locally in signing tab. its still giving me Command CodeSign failed with a nonzero exit code All the ss are provided

I spent 20 minutes trying to figure out why codesigning was failing -- I had the pf block set up correctly, my keychains were unlocked, and then, eventually, it occurred to me, hey, maybe an IP address changed, so I disabled IPv6 except for link local, and then amazingly, it went back to working. I filed FB13706261 over a year ago. This is ridiculous.

My iOS version of the app is available on the App Store with a non-team ID prefix for its bundle ID. It has been available there for a long time and I am not sure why I chose a custom prefix for it. The Mac version of the same app is available on the Mac App Store with a different bundle ID and with a prefix that matches my team ID. I am currently looking to "merge" both apps into a single bundle ID. The plan is to stop using the current Mac app and release a new one as a universal app under the existing bundle ID for the iOS app. Unfortunately, it looks like that the Mac App Store does not actually allow any submissions that have a non-team ID for a prefix. I know that it is a very specific case but any suggestions would be welcomed.

We are building an installer application to install a dext. Building in Xcode, the installer app launches fine locally and installs the dext. We then try to sign it with the company Developer ID application certificate. However after doing so we cannot launch the application anymore as we get the following crash at launch: Exception Codes: 0x0000000000000000, 0x0000000000000000 Termination Reason: CODESIGNING 1 Taskgated Invalid Signature Triggered by Thread: 0 Thread 0 Crashed: 0 dyld_path_missing 0x102e187c0 _dyld_start + 0 Thread 0 crashed with ARM Thread State (64-bit): x0: 0x0000000000000000 x1: 0x0000000000000000 x2: 0x0000000000000000 x3: 0x0000000000000000 x4: 0x0000000000000000 x5: 0x0000000000000000 x6: 0x0000000000000000 x7: 0x0000000000000000 x8: 0x0000000000000000 x9: 0x0000000000000000 x10: 0x0000000000000000 x11: 0x0000000000000000 x12: 0x0000000000000000 x13: 0x0000000000000000 x14: 0x0000000000000000 x15: 0x0000000000000000 x16: 0x0000000000000000 x17: 0x0000000000000000 x18: 0x0000000000000000 x19: 0x0000000000000000 x20: 0x0000000000000000 x21: 0x0000000000000000 x22: 0x0000000000000000 x23: 0x0000000000000000 x24: 0x0000000000000000 x25: 0x0000000000000000 x26: 0x0000000000000000 x27: 0x0000000000000000 x28: 0x0000000000000000 fp: 0x0000000000000000 lr: 0x0000000000000000 sp: 0x000000016d13fba0 pc: 0x0000000102e187c0 cpsr: 0x00000000 far: 0x0000000000000000 esr: 0x00000000 Address size fault Binary Images: 0x102e14000 - 0x102eaffff dyld_path_missing (*) <9cf0401a-a938-389e-a77d-9e9608076ccf> /dyld_path_missing 0x102cc0000 - 0x102cc3fff main_executable_path_missing (*) <5fb2bea6-ba11-340d-a7a4-8657d5a736e2> /main_executable_path_missing 0x0 - 0xffffffffffffffff ??? (*) <00000000-0000-0000-0000-000000000000> ??? Error Formulating Crash Report: dyld_process_snapshot_get_shared_cache failed Following the different help pages from Apple, the application seems to be correctly signed. Looking at the Console, we are seeing the following message at launch: "Unsatisfied entitlements: com.apple.developer.system-extension.install, com.apple.developer.driverkit". However, the entitlement file I am using to sign the installer app contains those entitlements. We are looking at different possible issues for days now and can't figure it out. Any advice or thought would be appreciated.

We recently had an external pentest for one of our company's macOS applications and they brought up the topic of library validation. Our app has hardened runtime enabled and passes notarization. The codesign verification output includes: flags=0x10000(runtime) The pentesters brought up that both validation and runtime should be present, so I discovered that you could also add library validation by augmenting our flags with: OTHER_CODE_SIGN_FLAGS = --timestamp -o library which changes the flags to: flags=0x12000(library-validation,runtime) The pentesters insist that both options are necessary, especially to avoid library injection when SIP is off, but Apple's docs say that hardened runtime already implies library validation (see here ) My question is: does explicitly specifying library validation provide something that hardened runtime does not already? Or is it correct that hardened runtime already imply library validation? For what it's worth, I did a quick scan of some of the apps on my system, interesting some of the Apple system apps have only library validation (e.g. Safari, Photos), some have both (e.g. Podcasts), some have only hardened runtime (e.g. Mail). So that didn't help answer the question. Thank you!

Hi all, I’ve run into a signing/entitlements problem that shows up only on Big Sur (11.x). The very same .app launches perfectly on Monterey (12), Ventura (13), Sonoma (14 / 14.5) and Sequoia (15). Failure on macOS 11 com.apple.xpc.launchd[1] (application.app.myapp.exams.566312.566318[1602]): removing service since it exited with consistent failure – OS_REASON_CODESIGNING | When validating …/MyAppNameBlurred 3.13.1.app/Contents/MacOS/MyAppNameBlurred 3.13.1: Code has restricted entitlements, but the validation of its code signature failed. Unsatisfied Entitlements: Binary is improperly signed. Launching from Terminal: open -a "/Users/admin/Downloads/MyAppNameBlurred 3.13.1.app" kLSNoLaunchPermissionErr (-10826) | Launchd job spawn failed with error: 153 What I’ve already checked # signature itself codesign -dvvv "/Users/admin/Downloads/MyAppNameBlurred 3.13.1.app" # => valid, Authority = Developer ID Application, runtime enabled # full deep/strict verification codesign --verify --deep --strict -vvv "/Users/admin/Downloads/MyAppNameBlurred 3.13.1.app" # => “satisfies its Designated Requirement” # Gatekeeper assessment spctl --assess --type execute --verbose=4 "/Users/admin/Downloads/MyAppNameBlurred 3.13.1.app" # => accepted (override security disabled) # embedded provisioning profile matches bundle ID codesign -d --entitlements :- "/Users/admin/Downloads/MyAppNameBlurred 3.13.1.app" | plutil -p - security cms -D -i "/Users/admin/Downloads/MyAppNameBlurred 3.13.1.app/Contents/embedded.provisionprofile" \ | plutil -extract Entitlements xml1 -o - # => both show the AAC entitlement and everything looks in order # notarization ticket stapler validate "/Users/admin/Downloads/MyAppNameBlurred 3.13.1.app" # => “The validate action worked!” Deployment target: MACOSX_DEPLOYMENT_TARGET = 11.0 Entitlement added: com.apple.developer.automatic-assessment-configuration = true Provisioning profile: generated this year via Developer ID, includes the assessment entitlement and nothing else unusual. Runtime code: we call AEAssessmentSession's network configuration part only on 12 + (guarded with @available(macOS 12.0, *)). Has anyone hit this mismatch on 11.x? Could Big Sur be expecting something older or idk? Any pointers appreciated! Thanks!