Hello, In our Account we have an iOS app with an explicit identifier "ABC123.com.some.app" that is using non-team prefix which is DEF456. It has also explicit identifiers for Widgets bundle and Notification Service. Due to non-team prefix, it can't access e.g. shared keychain and data put there by our other apps. Since we are working on features that require these capabilities, we would like to update the app identifier, so it is prefixed with our team id DEF456. Initially, we thought that the process would require steps like: Create new app, team-prefixed identifier(s) for app and all things that need them Recreate the provisioning profiles with new App Identifier Roll out the app using with new profiles via App Store but when trying to create the new identifier with com.some.app and team id prefix DEF456 we are getting following error: An App ID with Identifier com.some.app is not available. Please enter a different string. Can anybody advise us how to correctly perform such change and what steps are required from our end? We would like to keep our existing App Store entry, ratings and smoothly switch users. We are aware that this kind of migration results in loss of Keychain access. Thanks for any advice on that!

I submitted a mac app for Notarization. For the first few tries the Notarization failed with an error "Team is not yet configured for Notarization" but few days after my account started to show "ENROLL" option again even though my membership was set to expire on 2026. I am doubting my account has been suspended. I have not received any emails from apple regarding the suspension. I have contacted support but no help yet ! This was the second year, i was paying for the membership. Could you please help me to - Help me get the account unsuspended (if it is, as there is no notification or information regarding this) If the account is suspended due to my app being submitted for Notarization then help me identify the reason so that i can fix them. Mac App is Time Tracking application that runs in background and capture periodic screenshot(NOTE - I am doing this after taking user consent)

Hi! We are trying to request the SensorKit entitlement (com.apple.developer.sensorkit.reader.allow) for a research app we’re working on. When we go to Apple Developer → Certificates, Identifiers & Profiles → Identifiers, we see the SensorKit capability listed under "Capability Requests", but: There’s no form or button to submit the request, unlike with other capabilities. We tested this using an Account Holder role, and also tried requesting other capabilities — which do show the form correctly, so this seems to be an issue specific to SensorKit. We’d appreciate any guidance on: Whether this is a known issue with the SensorKit request flow. If there’s an alternative way to request this capability while the form is unavailable. Thanks in advance!

Hi, I need to bundle an additional binary along my yet published application. It is a Audio Unit test application. My yet published application implemented Audio Unit plugin support. But upload is always rejected: Validation failed (409) Invalid Provisioning Profile. The provisioning profile included in the bundle com.gsequencer.GSequencer [com.gsequencer.GSequencer.pkg/Payload/com.gsequencer.GSequencer.app] is invalid. [Missing code-signing certificate.] For more information, visit the macOS Developer Portal. (ID: ****) I have followed the instructions here: Embedding a helper tool in a sandboxed app but no luck. Does anyone know whats going on? I use Transporter to upload the application, the embedded.provisioningprofile is copied from Xcode build and code signing is done manually.

The docs here outline how to create a CSR/ and request a certificate. https://developer.apple.com/help/account/certificates/create-a-certificate-signing-request "Accounts preferences Use Accounts preferences to manage developer account assets (signing certificates and provisioning profiles), add repositories, and add servers. To open Accounts preferences, choose Xcode > Preferences and click Accounts." I have the latest version of XCode, I don't see Preferences / Accounts anywhere? I can go here and create a certificate: https://developer.apple.com/account/resources/certificates/add but it wants a CSR, which loops back around to the XCode thing. So, I can't figure out how to create a singing cert for my iOS app. Launch Keychain Access located in /Applications/Utilities. This doesnt seem to exist in Mac OS Sequoia 15.5 https://developer.apple.com/help/account/certificates/create-a-certificate-signing-request

I am experiencing a persistent issue when trying to sign my application, PhotoKiosk.app, using codesign. The process consistently fails with the error errSecInternalComponent, and my troubleshooting indicates the problem is with how the system accesses or validates my certificate's trust chain, rather than the certificate itself. Error Details and Configuration: codesign command executed: codesign --force --verbose --options=runtime --entitlements /Users/sergiomordente/Documents/ProjetosPhotocolor/PhotoKiosk-4M/entitlements.plist --sign "Developer ID Application: Sérgio Mordente (G75SJ6S9NC)" /Users/sergiomordente/Documents/ProjetosPhotocolor/PhotoKiosk-4M/dist/PhotoKiosk.app Error message received: Warning: unable to build chain to self-signed root for signer "(null)" /Users/sergiomordente/Documents/ProjetosPhotocolor/PhotoKiosk-4M/dist/PhotoKiosk.app: errSecInternalComponent Diagnostic Tests and Verifications Performed: Code Signing Identity Validation: I ran the command security find-identity -v -p codesigning, which successfully confirmed the presence and validity of my certificate in the Keychain. The command output correctly lists my identity: D8FB11D4C14FEC9BF17E699E833B23980AF7E64F "Developer ID Application: Sérgio Mordente (G75SJ6S9NC)" This suggests that the certificate and its associated private key are present and functional for the system. Keychain Certificate Verification: The "Apple Root CA - G3 Root" certificate is present in the System Roots keychain. The "Apple Worldwide Developer Relations Certification Authority (G6)" certificate is present and shown as valid. The trust setting for my "Developer ID Application" certificate is set to "Use System Defaults". Attempted Certificate Export via security: To further diagnose the problem, I attempted to export the certificate using the security find-certificate command with the exact name of my identity. Command executed (using double quotes): security find-certificate -c -p "Developer ID Application: Sérgio Mordente (G75SJ6S9NC)" > mycert.pem Error message: security: SecKeychainSearchCopyNext: The specified item could not be found in the keychain. The same error occurred when I tried with single quotes. This result is contradictory to the output of find-identity, which successfully located the certificate. This suggests an internal inconsistency in the Keychain database, where the certificate is recognized as a valid signing identity but cannot be located via a simple certificate search. Additional Troubleshooting Attempts: I have already recreated the "Developer ID Application" certificate 4 times (I am at the limit of 5), and the issue persists with all of them. The application has been rebuilt, and the codesign command was run on a clean binary. Conclusion: The problem appears to be an internal macOS failure to build the trust chain for the certificate, as indicated by the errSecInternalComponent error. Although the certificate is present and recognized as a valid signing identity by find-identity, the codesign tool cannot complete the signature. The failure to find the certificate with find-certificate further supports the suspicion of an inconsistency within the keychain system that goes beyond a simple certificate configuration issue. I would appreciate any guidance on how to resolve this, especially given that I am at my developer certificate limit and cannot simply generate a new one.

Hello, I'm developing a feature for my app, that allows users to challenge their friends. The friend request functionality is built using Universal Links, but I've run into a significant issue. The Universal Links are correctly deep-linking into the app. However, once the app opens, nothing happens—the friend request acceptance or rejection flow does not occur. This prevents users from completing friend requests and building their friend list. Here are examples of the Universal Links I'm generating: https://www.strike-force.app/invite?type=invite&userID=... https://www.strike-force.app/invite?type=invite&friendRequestID=... https://www.strike-force.app/profile?userID=... I've recently updated my cloudflare-worker.js to serve a paths array of ["*"] in the AASA file, so I believe the links themselves should be valid. Technical Details & Error Logs In the console, I am consistently seeing the following error message: Cannot issue sandbox extension for URL:https://www.strike-force.app/invite?token=7EF1E439-090B-4DF2-BE64-9904F50A3F8B Received port for identifier response: <(null)> with error:Error Domain=RBSServiceErrorDomain Code=1 "Client not entitled" UserInfo={RBSEntitlement=com.apple.runningboard.process-state, NSLocalizedFailureReason=Client not entitled, RBSPermanent=false} elapsedCPUTimeForFrontBoard couldn't generate a task port This error appears to be related to entitlements and process state, but I am not sure if it's the root cause of the Universal Link issue or a separate problem. The 'Client not entitled' error on line 3 has had me chasing down entitlements issues. But, I've added the Associated Domains entitlement with the proper applink URLs and verified this in my Developer Portal. I've regenerated my provisioning profile, manually installed it, and selected/de-selected Automatically Manage Signing. As well I've verified my AASA file and it's correctly being served via HTTPS and returning a 200. curl -i https://strike-force.app/.well-known/apple-app-site-association curl -i https://www.strike-force.app/.well-known/apple-app-site-association I am looking for guidance on why the friend request flow is not being triggered after a successful deep-link and how I can fix the related error. Any insights or suggestions would be greatly appreciated.

I am trying to package a Filemaker 18 Runtime app. A week ago, I managed to get 90% of the way towards doing as much, using MS Copilot as a guide. Unfortunately, due to my confusion over the landing stage files, I decided to start the process from scratch. This time, I fell at the first stage: Code Signing my .app Bundle. The Terminal command: codesign --deep --force --verify --verbose \ --sign "Developer ID Application: ME (V********)" \ "/Users/Me/Documents/Apps/MyApp/Runtime/MyApp/My App.app" Returned the error: /Users/Me/Documents/Apps/MyApp/Runtime/MyApp/My App.app: bundle format unrecognized, invalid, or unsuitable In subcomponent: /Users/Me/Documents/Apps/MyApp/Runtime/MyApp/My App.app/Contents/Frameworks/FMWrapper.framework No matter how many separate elements within the bundle I sign, I encounter the same error message. A few days ago, the identical command worked first time. I would be obliged for any help you can provide. Thanks.

Dear Apple support, Since the last couple of days, we have some (very) long running notarization requests. Similar requests were done normally under 1 minute. This behavior is unexpected to us, and we did not see it before. The issue occurs for a small CLI tool submitted as a ZIP archive. Checking the documentation, I come across the section about "Avoid long notarization response times and size limits" (https://developer.apple.com/documentation/security/customizing-the-notarization-workflow#Avoid-long-notarization-response-times-and-size-limits). One fact is mentioned “Limit notarizations to 75 per day.” What is behavior if that limitation is reached? Is that limitation per Apple ID or per team ID? Are there some known issues about Notarization Service? Best regards, Stefan

I'm working on a build system similar to Bazel where each build action runs in a sandbox. The sandbox contains only the files that the user defined as input to ensure that the build action doesn't have any implicit dependencies. Bazel achieves this by creating a "symlink forest" to the original source files. This works, but I have observed fseventsd using significant CPU during a Bazel build, presumably because of all the symlinks that get created. Is there a way to disable file events for a directory or a volume? The "File System Events Programming Guide" in the Documentation Archive mentions placing an empty file named no_log in the .fseventsd directory at the root of the volume, but when testing on macOS 15.5 with APFS that appears to no longer work. Related, is a "symlink forest" the best way to create a sandbox like this? Or is there a different method one can use to provide a view of a subset of the files in a directory tree? I read up on the App Sandbox but that seems too coarse grained. Something like Linux's overlayfs would work well, and maybe one can achieve a similar functionality with firmlinks? Curious about folks thoughts here. Thanks in advance!

I submitted a mac app for Notarization. For the first few tries the Notarization failed with an error "Team is not yet configured for Notarization" but few days after my account started to show "ENROLL" option again even though my membership was set to expire on 2026. I am doubting my account has been suspended. I have not received any emails from apple regarding the suspension. I have contacted support but no help yet ! This was the second year, i was paying for the membership. Could you please help me to - Help me get the account unsuspended (if it is, as there is no notification or information regarding this) If the account is suspended due to my app being submitted for Notarization then help me identify the reason so that i can fix them. Mac App is Time Tracking application that runs in background and capture periodic screenshot backlsh.com (NOTE - I am doing this after taking user consent)

An open-source app that I bundle for macOS needs to use the disable-library-validation entitlement. In spite of TN3125: Inside Code Signing: Provisioning Profiles | Apple Developer Documentation#Entitlements-on-macOS claiming that hardened runtime entitlements don't need provisioning profiles and the app successfully notarizing, trying to run the app fails with the error "Disallowing because no eligible provisioning profiles found". So I created a provisioning profile, but when creating the App ID the only selection that seemed relevant was Hardened Runtime. That turns out not to include disable-library-validation so now launching fails with "Unsatisfied entitlements: >com.apple.security.cs.disable-library-validation" What's the right capability?

I am trying to set up code signing for my macOS/Tauri app and I’m running into a problem with my Developer ID Application certificate in Keychain Access. Steps I followed: Generated a CSR on my Mac using Keychain Access → Certificate Assistant → Request a Certificate From a Certificate Authority. Uploaded the CSR to the Apple Developer portal. Downloaded the resulting .cer file and installed it in my login Keychain. The certificate appears under All Items, but it does not show under My Certificates, and there is no private key attached. What I expected: The certificate should pair with the private key created during CSR generation and show under My Certificates, allowing me to export a .p12 file. What I’ve tried so far: Verified that the WWDR Intermediate Certificate is installed. Ensured I’m on the same Mac and same login Keychain where I created the CSR. Revoked and regenerated the certificate multiple times. Tried importing into both login and system Keychains. Problem: The certificate never links with the private key and therefore cannot be used for signing. Has anyone experienced this issue or knows why the certificate would fail to pair with the private key in Keychain Access? Any workaround or fix would be greatly appreciated.

I have an application that I have been signing, notarizing and distributing to beta testers for a year with no issues, note: I have never got stapling to work I always get a error 65 in the process. But up until yesterday that hasn't been an issue and online verification has always worked. Yesterday morning around 9am online gatekeeper verification has been failing with: APP not opened, apple cannot verify app is free of malware. etc this keeps happening, with every build I try. redownloading previously successful builds show the same behavior I know I can allow in privacy and security, but heading towards launch I dont want to have to tell users to do that. has there been a change in how gatekeeper works or issues with the service? any help with this or getting stapling working would be very appreciated!

Hello, I'm working on an app at work and we finally got to signing and notarizing the app. The app is successfully notarized and stapled, I packaged it in a .dmg using hdiutil and went ahead and notarized and stapled that as well. Now I tried to move this app to another machine through various methods. But every time I download it from another machine, open and extract the contents of the dmg and attempt to open the app, I get the "Apple could not verify my app is free of malware that may harm your Mac or compromise your privacy. When I check the extended attributes there's always the com.apple.quarantine attribute which from what I know, is the reason that this popup appears I've tried uploading it to google drive, sending through slack, onedrive, even tried our AWS servers and last but not least, I tried our Azure servers (which is what we use for distribution of the windows version of our app). I tried uploading to Azure through CloudBerry (MSP360 now), and azure-cli defining the content-type as "application/octet-stream", the content-disposition as "attachment; filename=myApp.dmg", and content-cache-control as "no-transform". None of these worked The only times where a download actually worked with no problems was when I downloaded through the terminal using curl, which obviously not a great solution especially that we're distributing to users who aren't exactly "tech savy" I want the installation experience to be as smooth as other apps outside the App Store (i.e Discord, Slack, Firefox, Chrome etc....) but I've been stuck on this for more than a week with no luck. Any help is greatly appreciated, and if you want me to clarify something further I'd be happy to do so

Notarization has been stuck for hours in "Current Status: In Progress...." Should I keep on waiting or restart the process. If I need to restart the process, how should I go about and do that?

Hi Apple DTS & community folks, I’m reaching out regarding an issue we’ve encountered with the com.apple.developer.mail-client capability for our app (bundle identifier: so.notion.Mail). We were granted this entitlement last week to allow the app to be set as a default Mail client. While everything works as expected when archiving and distributing builds locally in Xcode, we’re running into a problem when using Xcode Cloud. Specifically, Xcode Cloud attempts to archive and distribute an Ad-Hoc build, but the Ad-Hoc provisioning profile does not include this special entitlement. Since we’re using Xcode-managed profiles, we don’t have the ability to create or adjust an explicit profile ourselves. This issue only arises in Xcode Cloud—local distribution works unless we explicitly attempt an Ad-Hoc build (which is not our intent). I’ve included a screenshot of the error for reference. We found this forum post describing the same issue, where the resolution was Apple enabling the entitlement for Ad-Hoc builds. We’d like to request that Apple enable this capability for Ad-Hoc builds for the Notion Mail application so that Xcode Cloud distribution functions correctly. Thank you for your help!

Hi, I am experiencing an issue where Xcode displays a "Provisioning profile doesn't support the capability" error for the User Assigned Device Name capability, despite it being approved by Apple and visible in our provisioning profile on the Developer Portal. Background We have completed and submitted the required capability request form to Apple for the User Assigned Device Name capability and received approval. The capability appears correctly in our provisioning profile on the Apple Developer Portal and shows among the enabled capabilities alongside other standard capabilities like In-App Purchase and Push Notifications. Issue However, Xcode consistently displays the error message when trying to enable the User Assigned Device Name capability in our project settings, preventing successful builds with this functionality. Troubleshooting Steps Attempted We have tried multiple troubleshooting steps including: Regenerating provisioning profiles Performing clean builds Clearing DerivedData Manually installing profiles Adding the com.apple.developer.device-information.user-assigned-device-name entitlement manually to our entitlements file Toggling automatic signing on and off Environment Details Xcode Version: 16.4 (16F6) iOS Deployment Target: iOS 13 Profile Type: Distribution provisioning profile Capability: User Assigned Device Name Despite the capability being approved by Apple and visible in our provisioning profile, Xcode does not recognize it. This appears to be a synchronization issue between the Apple Developer Portal and Xcode's capability validation system. Has anyone encountered similar issues with recently approved capabilities, specifically the User Assigned Device Name capability? Could you please provide guidance on how to resolve this capability recognition issue? Any suggestions for resolving this discrepancy between the Developer Portal and Xcode would be greatly appreciated.

Can someone tell me the applications requirements for using the secure enclave on MacOS? Does the application need to be signed with the secure-enclave entitlement in order to use it? Since this is a restricted entitlement, does my App ID need approval to use it from Apple? Currently I'm building in XCode 16 on Sequoia (15.5) using developer signing. My application is a C/C++ daemon running as plist out of /Library/LaunchDaemons. I have also built it as an application using the instructions here but this has not lead to a solution: https://developer.apple.com/documentation/xcode/signing-a-daemon-with-a-restricted-entitlement/ When I run my application from the command line via sudo signed but without the secure-enclave entitlement enabled in my entitlements file it runs. The first call to: SecAccessControlRef access = SecAccessControlCreateWithFlags( kCFAllocatorDefault, kSecAttrAccessibleWhenUnlockedThisDeviceOnly, kSecAccessControlPrivateKeyUsage, &error); succeeds without error. The call to create the key using: SecKeyRef privateKey = SecKeyCreateRandomKey(attributes, &error); then fails with error: (OSStatus error -50 - Failed to generate keypair) Here are the setup attributes (keySize = 256): CFDictionarySetValue(attributes, kSecAttrKeyType, kSecAttrKeyTypeECSECPrimeRandom); CFDictionarySetValue(attributes, kSecAttrKeySizeInBits, keySize); CFDictionarySetValue(attributes, kSecAttrLabel, keyName); CFDictionarySetValue(attributes, kSecAttrApplicationTag, keyLabel); CFDictionarySetValue(attributes, kSecAttrTokenID, kSecAttrTokenIDSecureEnclave); // Store in the Secure Enclave CFDictionarySetValue(attributes, kSecAttrKeyClass, kSecAttrKeyClassPrivate); CFDictionarySetValue(attributes, kSecAttrAccessControl, access); CFDictionarySetValue(attributes, kSecAttrIsPermanent, kCFBooleanTrue); // persist key across app restarts and reboots CFDictionarySetValue(attributes, kSecAttrCanEncrypt, kCFBooleanTrue); CFDictionarySetValue(attributes, kSecAttrCanDecrypt, kCFBooleanTrue); CFDictionarySetValue(attributes, kSecAttrAccessible, kSecAttrAccessibleWhenUnlockedThisDeviceOnly); CFDictionarySetValue(attributes, kSecReturnPersistentRef, kCFBooleanTrue); When I run the application signed and include the "com.apple.developer.secure-enclave" in my entitlements file it crashes at startup. I believe this is to be expected based on above. How do I proceed such that my application can use the secure enclave correctly?

I spent 20 minutes trying to figure out why codesigning was failing -- I had the pf block set up correctly, my keychains were unlocked, and then, eventually, it occurred to me, hey, maybe an IP address changed, so I disabled IPv6 except for link local, and then amazingly, it went back to working. I filed FB13706261 over a year ago. This is ridiculous.