You can now easily request access to managed capabilities for your App IDs directly from the new Capability Requests tab in Certificates, Identifiers & Profiles > Identifiers. With this update, view available capabilities in one convenient location, check the status of your requested capabilities, and see any notes from Apple related to your requests. Learn more about capability requests.

I tried to create a new IOS provisioning profile and re-apply it to the app using Xcode to build it, but I got into trouble. The build is good, but it bounces when running the app. I would appreciate it if you could let me know what to do.

General: Forums topic: Code Signing Forums subtopics: Code Signing > General, Code Signing > Certificates, Identifiers & Profiles, Code Signing > Notarization, Code Signing > Entitlements Forums tags: Code Signing, Signing Certificates, Provisioning Profiles, Entitlements Developer Account Help — This document is good in general but, in particular, the Reference section is chock-full of useful information, including the names and purposes of all certificate types issued by Apple Developer web site, tables of which capabilities are supported by which distribution models on iOS and macOS, and information on how to use managed capabilities. Developer > Support > Certificates covers some important policy issues Bundle Resources > Entitlements documentation TN3125 Inside Code Signing: Provisioning Profiles — This includes links to the other technotes in the Inside Code Signing series. WWDC 2021 Session 10204 Distribute apps in Xcode with cloud signing Certificate Signing Requests Explained forums post --deep Considered Harmful forums post Don’t Run App Store Distribution-Signed Code forums post Resolving errSecInternalComponent errors during code signing forums post Finding a Capability’s Distribution Restrictions forums post Signing code with a hardware-based code-signing identity forums post New Capabilities Request Tab in Certificates, Identifiers & Profiles forums post Isolating Code Signing Problems from Build Problems forums post Investigating Third-Party IDE Code-Signing Problems forums post Determining if an entitlement is real forums post Code Signing Identifiers Explained forums post Mac code signing: Forums tag: Developer ID Creating distribution-signed code for macOS documentation Packaging Mac software for distribution documentation Placing Content in a Bundle documentation Embedding nonstandard code structures in a bundle documentation Embedding a command-line tool in a sandboxed app documentation Signing a daemon with a restricted entitlement documentation Defining launch environment and library constraints documentation WWDC 2023 Session 10266 Protect your Mac app with environment constraints TN2206 macOS Code Signing In Depth archived technote — This doc has mostly been replaced by the other resources linked to here but it still contains a few unique tidbits and it’s a great historical reference. Manual Code Signing Example forums post The Care and Feeding of Developer ID forums post TestFlight, Provisioning Profiles, and the Mac App Store forums post For problems with notarisation, see Notarisation Resources. For problems with the trusted execution system, including Gatekeeper, see Trusted Execution Resources. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"

This issue keeps cropping up on the forums and so I decided to write up a single post with all the details. If you have questions or comments: If you were referred here from an existing thread, reply on that thread. If not, feel free to start a new thread. Use whatever topic and subtopic is appropriate for your question, but also add the Entitlements tag so that I see it. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" Determining if an entitlement is real In recent months there’s been a spate of forums threads involving ‘hallucinated’ entitlements. This typically pans out as follows: The developer, or an agent working on behalf of the developer, changes their .entitlements file to claim an entitlement that’s not real. That is, the entitlement key is a value that is not, and never has been, supported in any way. Xcode’s code signing machinery tries to find or create a provisioning profile to authorise this claim. That’s impossible, because the entitlement isn’t a real entitlement. Xcode reports this as a code signing error. The developer misinterprets that error [1] in one of two ways: As a generic Xcode code signing failure, and so they start a forums thread asking about how to fix that problem. As an indication that the entitlement is managed — that is, requires authorisation from Apple to use — and so they start a forums thread asking how to request such authorisation. The fundamental problem is step 1. Once you start claiming entitlements that aren’t real, you’re on a path to confusion. Note If you’re curious about how provisioning profiles authorise entitlement claims, read TN3125 Inside Code Signing: Provisioning Profiles. There are a couple of ways to check whether an entitlement is real. My preferred option is to create a new test project and use Xcode’s Signing & Capabilities editor to add the corresponding capability to it. Then look at what Xcode did. You might find that Xcode claimed a different entitlement, or added an Info.plist key, or did nothing at all. IMPORTANT If you can’t find the correct capability in the Signing & Capabilities editor, it’s likely that this feature is available to all apps, that is, it’s not gated by an entitlement or anything else. Another thing you can do is search the documentation. The vast majority of real entitlements are documented in Bundle Resources > Entitlements. IMPORTANT When you search for documentation, focus on the Apple documentation. If, for example, you search the Apple Developer Forums, you might be mislead by other folks who are similarly confused. If you find that you’re mistakenly trying to claim a hallucinated entitlement, the fix is trivial: Remove it from your .entitlements file so that your app starts to build again. Then add the capability using Xcode’s Signing & Capabilities editor. This will do the right thing. If you continue to have problems, feel free to ask for help here on the forums. See the top of this post for advice on how to do that. [1] Xcode 26.2, currently being seeded as Release Candidate, is much better about this (r. 155327166). Give it a whirl! Commonly Hallucinated Entitlements This section lists some of the more commonly hallucinated entitlements: com.apple.developer.push-notifications — The correct entitlement is aps-environment (com.apple.developer.aps-environment on macOS), documented here. There’s also the remote-notification value in the UIBackgroundModes property. com.apple.developer.in-app-purchase — There’s no entitlement for in-app purchase. Rather, in-app purchase is available to all apps with an explicit App ID (as opposed to a wildcard App ID). com.apple.InAppPurchase — Likewise. com.apple.developer.storekit — Likewise. com.apple.developer.in-app-purchase.non-consumable — Likewise. com.apple.developer.in-app-purchase.subscription — Likewise. com.apple.developer.app-groups — The correct entitlement is com.apple.security.application-groups, documented here. And if you’re working on the Mac, see App Groups: macOS vs iOS: Working Towards Harmony. com.apple.developer.background-modes — Background modes are controlled by the UIBackgroundModes key in your Info.plist, documented here. UIBackgroundModes — See the previous point. com.apple.developer.voip-push-notification — There’s no entitlement for this. VoIP is gated by the voip value in the UIBackgroundModes property. com.apple.developer.family-controls.user-authorization — The correct entitlement is com.apple.developer.family-controls, documented here. IMPORTANT As explained in the docs, this entitlement is available to all developers during development but you must request authorisation for distribution. com.apple.developer.device-activity — The DeviceActivity framework has the same restrictions as Family Controls. com.apple.developer.managed-settings — If you’re trying to use the ManagedSettings framework, that has the same restrictions as Family Controls. If you’re trying to use the ManagedApp framework, that’s not gated by an entitlement. com.apple.developer.callkit.call-directory — There’s no entitlement for the Call Directory app extension feature. com.apple.developer.nearby-interaction — There’s no entitlement for the Nearby interaction framework. com.apple.developer.secure-enclave — On iOS and its child platforms, there’s no entitlement required to use the Secure Enclave. For macOS specifically, any program that has access to the data protection keychain also has access to the Secure Enclave [1]. See TN3137 On Mac keychain APIs and implementations for more about the data protection keychain. com.apple.developer.networking.configuration — If you’re trying to configure the Wi-Fi network on iOS, the correct entitlement is com.apple.developer.networking.HotspotConfiguration, documented here. com.apple.developer.musickit — There is no MusicKit capability. Rather, enable MusicKit via the App Services column in the App ID editor, accessible from Developer > Certificates, Identifiers, and Profiles > Identifiers. com.apple.mail.extension — Creating an app extension based on the MailKit framework does not require any specific entitlement. com.apple.security.accessibility — There’s no entitlement that gates access to the Accessibility APIs on macOS. Rather, this is controlled by the user in System Settings > Privacy & Security. Note that sandboxed apps can’t use these APIs. See the Review functionality that is incompatible with App Sandbox section of Protecting user data with App Sandbox. com.apple.developer.adservices — Using the AdServices framework does not require any specific entitlement. [1] While technically these are different features, they are closely associated and it turns out that, if you have access to the data protection keychain, you also have access to the SE. Revision History 2025-12-09 Updated the Xcode footnote to mention the improvements in Xcode 26.2rc. 2025-11-03 Added com.apple.developer.adservices to the common hallucinations list. 2025-10-30 Added com.apple.security.accessibility to the common hallucinations list. 2025-10-22 Added com.apple.mail.extension to the common hallucinations list. Also added two new in-app purchase hallucinations. 2025-09-26 Added com.apple.developer.musickit to the common hallucinations list. 2025-09-22 Added com.apple.developer.storekit to the common hallucinations list. 2025-09-05 Added com.apple.developer.device-activity to the common hallucinations list. 2025-09-02 First posted.

i was complete my program, and export a mac app already it work ok in my macmini, but if i want send it to app store, that i have no way now i still do not know how to make this app perfect like, when i use pyinstaller to build this app, is there any info or elements need make with? i can sign my app now, even i use codesign -dvvv my.app to check the sign, it is also ok, there no any feedback said it anything wrong. so, any master know fix app sign or any infoplist please tech me... help

急需一个企业开发者证书，有意者可联系tg:@moonkf2025

I help a lot of developers with macOS trusted execution problems. For example, they might have an app being blocked by Gatekeeper, or an app that crashes on launch with a code signing error. If you encounter a problem that’s not explained here, start a new thread with the details. Put it in the Code Signing > General subtopic and tag it with relevant tags like Gatekeeper, Code Signing, and Notarization — so that I see it. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" Resolving Trusted Execution Problems macOS supports three software distribution channels: The user downloads an app from the App Store. The user gets a Developer ID-signed program directly from its developer. The user builds programs locally using Apple or third-party developer tools. The trusted execution system aims to protect users from malicious code. It’s comprised of a number of different subsystems. For example, Gatekeeper strives to ensure that only trusted software runs on a user’s Mac, while XProtect is the platform’s built-in anti-malware technology. Note To learn more about these technologies, see Apple Platform Security. If you’re developing software for macOS your goal is to avoid trusted execution entanglements. You want users to install and use your product without taking any special steps. If, for example, you ship an app that’s blocked by Gatekeeper, you’re likely to lose a lot of customers, and your users’ hard-won trust. Trusted execution problems are rare with Mac App Store apps because the Mac App Store validation process tends to catch things early. This post is primarily focused on Developer ID-signed programs. Developers who use Xcode encounter fewer trusted execution problems because Xcode takes care of many code signing and packaging chores. If you’re not using Xcode, consider making the switch. If you can’t, consult the following for information on how to structure, sign, and package your code: Placing content in a bundle Embedding nonstandard code structures in a bundle Embedding a command-line tool in a sandboxed app Creating distribution-signed code for macOS Packaging Mac software for distribution Gatekeeper Basics User-level apps on macOS implement a quarantine system for new downloads. For example, if Safari downloads a zip archive, it quarantines that archive. This involves setting the com.apple.quarantine extended attribute on the file. Note The com.apple.quarantine extended attribute is not documented as API. If you need to add, check, or remove quarantine from a file programmatically, use the quarantinePropertiesKey property. User-level unarchiving tools preserve quarantine. To continue the above example, if you double click the quarantined zip archive in the Finder, Archive Utility will unpack the archive and quarantine the resulting files. If you launch a quarantined app, the system invokes Gatekeeper. Gatekeeper checks the app for problems. If it finds no problems, it asks the user to confirm the launch, just to be sure. If it finds a problem, it displays an alert to the user and prevents them from launching it. The exact wording of this alert varies depending on the specific problem, and from release to release of macOS, but it generally looks like the ones shown in Apple > Support > Safely open apps on your Mac. The system may run Gatekeeper at other times as well. The exact circumstances under which it runs Gatekeeper is not documented and changes over time. However, running a quarantined app always invokes Gatekeeper. Unix-y networking tools, like curl and scp, don’t quarantine the files they download. Unix-y unarchiving tools, like tar and unzip, don’t propagate quarantine to the unarchived files. Confirm the Problem Trusted execution problems can be tricky to reproduce: You may encounter false negatives, that is, you have a trusted execution problem but you don’t see it during development. You may also encounter false positives, that is, things fail on one specific Mac but otherwise work. To avoid chasing your own tail, test your product on a fresh Mac, one that’s never seen your product before. The best way to do this is using a VM, restoring to a snapshot between runs. For a concrete example of this, see Testing a Notarised Product. The most common cause of problems is a Gatekeeper alert saying that it’s blocked your product from running. However, that’s not the only possibility. Before going further, confirm that Gatekeeper is the problem by running your product without quarantine. That is, repeat the steps in Testing a Notarised Product except, in step 2, download your product in a way that doesn’t set quarantine. Then try launching your app. If that launch fails then Gatekeeper is not the problem, or it’s not the only problem! Note The easiest way to download your app to your test environment without setting quarantine is curl or scp. Alternatively, use xattr to remove the com.apple.quarantine extended attribute from the download before you unpack it. For more information about the xattr tool, see the xattr man page. Trusted execution problems come in all shapes and sizes. Later sections of this post address the most common ones. But first, let’s see if there’s an easy answer. Run a System Policy Check macOS has a syspolicy_check tool that can diagnose many common trusted execution issues. To check an app, run the distribution subcommand against it: % syspolicy_check distribution MyApp.app App passed all pre-distribution checks and is ready for distribution. If there’s a problem, the tool prints information about that problem. For example, here’s what you’ll see if you run it against an app that’s notarised but not stapled: % syspolicy_check distribution MyApp.app App has failed one or more pre-distribution checks. --------------------------------------------------------------- Notary Ticket Missing File: MyApp.app Severity: Fatal Full Error: A Notarization ticket is not stapled to this application. Type: Distribution Error … Note In reality, stapling isn’t always required, so this error isn’t really Fatal (r. 151446728 ). For more about that, see The Pros and Cons of Stapling forums. And here’s what you’ll see if there’s a problem with the app’s code signature: % syspolicy_check distribution MyApp.app App has failed one or more pre-distribution checks. --------------------------------------------------------------- Codesign Error File: MyApp.app/Contents/Resources/added.txt Severity: Fatal Full Error: File added after outer app bundle was codesigned. Type: Notary Error … The syspolicy_check isn’t perfect. There are a few issues it can’t diagnose (r. 136954554, 151446550). However, it should always be your first step because, if it does work, it’ll save you a lot of time. Note syspolicy_check was introduced in macOS 14. If you’re seeing a problem on an older system, first check your app with syspolicy_check on macOS 14 or later. If you can’t run the syspolicy_check tool, or it doesn’t report anything actionable, continue your investigation using the instructions in the following sections. App Blocked by Gatekeeper If your product is an app and it works correctly when not quarantined but is blocked by Gatekeeper when it is, you have a Gatekeeper problem. For advice on how to investigate such issues, see Resolving Gatekeeper Problems. App Can’t Be Opened Not all failures to launch are Gatekeeper errors. In some cases the app is just broken. For example: The app’s executable might be missing the x bit set in its file permissions. The app’s executable might be subtly incompatible with the current system. A classic example of this is trying to run a third-party app that contains arm64e code on systems prior to macOS 26 beta. macOS 26 beta supports arm64e apps directly. Prior to that, third-party products (except kernel extensions) were limited to arm64, except for the purposes of testing. The app’s executable might claim restricted entitlements that aren’t authorised by a provisioning profile. Or the app might have some other code signing problem. Note For more information about provisioning profiles, see TN3125 Inside Code Signing: Provisioning Profiles. In such cases the system displays an alert saying: The application “NoExec” can’t be opened. [[OK]] Note In macOS 11 this alert was: You do not have permission to open the application “NoExec”. Contact your computer or network administrator for assistance. [[OK]] which was much more confusing. A good diagnostic here is to run the app’s executable from Terminal. For example, an app with a missing x bit will fail to run like so: % NoExec.app/Contents/MacOS/NoExec zsh: permission denied: NoExec.app/Contents/MacOS/NoExec And an app with unauthorised entitlements will be killed by the trusted execution system: % OverClaim.app/Contents/MacOS/OverClaim zsh: killed OverClaim.app/Contents/MacOS/OverClaim In some cases running the executable from Terminal will reveal useful diagnostics. For example, if the app references a library that’s not available, the dynamic linker will print a helpful diagnostic: % MissingLibrary.app/Contents/MacOS/MissingLibrary dyld[88394]: Library not loaded: @rpath/CoreWaffleVarnishing.framework/Versions/A/CoreWaffleVarnishing … zsh: abort MissingLibrary.app/Contents/MacOS/MissingLibrary Code Signing Crashes on Launch A code signing crash has the following exception information: Exception Type: EXC_CRASH (SIGKILL (Code Signature Invalid)) The most common such crash is a crash on launch. To confirm that, look at the thread backtraces: Backtrace not available For steps to debug this, see Resolving Code Signing Crashes on Launch. One common cause of this problem is running App Store distribution-signed code. Don’t do that! For details on why that’s a bad idea, see Don’t Run App Store Distribution-Signed Code. Code Signing Crashes After Launch If your program crashes due to a code signing problem after launch, you might have encountered the issue discussed in Updating Mac Software. Non-Code Signing Failures After Launch The hardened runtime enables a number of security checks within a process. Some coding techniques are incompatible with the hardened runtime. If you suspect that your code is incompatible with the hardened runtime, see Resolving Hardened Runtime Incompatibilities. App Sandbox Inheritance If you’re creating a product with the App Sandbox enabled and it crashes with a trap within _libsecinit_appsandbox, it’s likely that you’re having App Sandbox inheritance problems. For the details, see Resolving App Sandbox Inheritance Problems. Library Loading Problem Most library loading problems have an obvious cause. For example, the library might not be where you expect it, or it might be built with the wrong platform or architecture. However, some library loading problems are caused by the trusted execution system. For the details, see Resolving Library Loading Problems. Explore the System Log If none of the above resolves your issue, look in the system log for clues as to what’s gone wrong. Some good keywords to search for include: gk, for Gatekeeper xprotect syspolicy, per the syspolicyd man page cmd, for Mach-O load command oddities amfi, for Apple mobile file integrity, per the amfid man page taskgated, see its taskgated man page yara, discussed in Apple Platform Security ProvisioningProfiles You may be able to get more useful logging with this command: % sudo sysctl -w security.mac.amfi.verbose_logging=1 Here’s a log command that I often use when I’m investigating a trusted execution problem and I don’t know here to start: % log stream --predicate "sender == 'AppleMobileFileIntegrity' or sender == 'AppleSystemPolicy' or process == 'amfid' or process == 'taskgated-helper' or process == 'syspolicyd'" For general information the system log, see Your Friend the System Log. Revision History 2025-08-06 Added the Run a System Policy Check section, which talks about the syspolicy_check tool (finally!). Clarified the discussion of arm64e. Made other editorial changes. 2024-10-11 Added info about the security.mac.amfi.verbose_logging option. Updated some links to point to official documentation that replaces some older DevForums posts. 2024-01-12 Added a specific command to the Explore the System Log section. Change the syspolicy_check callout to reflect that macOS 14 is no longer in beta. Made minor editorial changes. 2023-06-14 Added a quick call-out to the new syspolicy_check tool. 2022-06-09 Added the Non-Code Signing Failures After Launch section. 2022-06-03 Added a link to Don’t Run App Store Distribution-Signed Code. Fixed the link to TN3125. 2022-05-20 First posted.

App translocation, officially known as Gatekeeper path randomisation, comes up from time-to-time. The best resource to explain it, WWDC 2016 Session 706 What’s New in Security, is no longer available from Apple so I thought I’d post some notes here (r. 105455698 ). Questions or comments? Start a new thread here on DevForums, applying the Gatekeeper tag so that I see it. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" App Translocation Notes Gatekeeper path randomisation, more commonly known as app translocation, is a security feature on macOS 10.12 and later. When you run a newly downloaded app, the system executes the app from a randomised path. This prevents someone from taking an app that loads code from an app-relative path and repackaging it to load malicious code. IMPORTANT The best way to prevent your app from being tricked into loading malicious code is to enable library validation. You get this by default once you enable the hardened runtime. Do not disable library validation unless your app needs to load in-process plug-ins from other third-party developers. If you have an in-process plug-in model, consider migrating to ExtensionKit. The exact circumstances where the system translocates an app is not documented and has changed over time. It’s best to structure your app so that it works regardless of whether it’s translocated or not. App Translocation Compatibility Most apps run just fine when translocated. However, you can run into problems if you load resources relative to your app bundle. For example, consider a structure like this: MyApp.app Templates/ letter.myapp envelope.myapp birthday card.myapp Such an app might try to find the Templates directory by: Getting the path to the main bundle Navigating from that using a relative path This won’t work if the app is translocated. The best way to avoid such problems is to embed these resources inside your app (following the rules in Placing Content in a Bundle, of course). If you need to make them easily accessible to the user, add your own UI for that. For a great example of this, run Pages and choose File > New. App Translocation Limits There is no supported way to detect if your app is being run translocated. If you search the ’net you’ll find lots of snippets that do this, but they all rely on implementation details that could change. There is no supported way to determine the original (untranslocated) path of your app. Again, you’ll find lots of unsupported techniques for this out there on the ’net. Use them at your peril! If you find yourself using these unsupported techniques, it’s time to sit down and rethink your options. Your best option here is to make your app work properly when translocated, as illustrated by the example in the previous section. App Translocation in Action The following steps explain how to trigger app translocation on macOS 13.0. Keep in mind that the specifics of app translocation are not documented and have changed over time, so you might see different behaviour on older or new systems: To see app translocation in action: Use Safari to download an app that’s packaged as a zip archive. My go-to choice for such tests is NetNewsWire, but any app will work. Safari downloads the zip archive to the Downloads folder and then unpacks it (assuming your haven’t tweaked your preferences). In Finder, navigate to the Downloads folder and launch the app. When Gatekeeper presents its alert, approve the launch. In Terminal, look at the path the app was launched from: % ps xw | grep NetNewsWire … /private/var/folders/wk/bqx_nk71457_g9yry9c_2ww80000gp/T/AppTranslocation/C863FADC-A711-49DD-B4D0-6BE679EE225D/d/NetNewsWire.app/Contents/MacOS/NetNewsWire Note how the path isn’t ~/Downloads but something random. That’s why the official name for this feature is Gatekeeper path randomisation. Quit the app. Use Finder to relaunch it. Repeat step 5: % ps xw | grep NetNewsWire … /private/var/folders/wk/bqx_nk71457_g9yry9c_2ww80000gp/T/AppTranslocation/C863FADC-A711-49DD-B4D0-6BE679EE225D/d/NetNewsWire.app/Contents/MacOS/NetNewsWire The path is still randomised. Quit the app again. Use the Finder to move it to the desktop. And relaunch it. And repeat step 5 again: % ps xw | grep NetNewsWire … /Users/quinn/Desktop/NetNewsWire.app/Contents/MacOS/NetNewsWire The act of moving the app has cleared the state that triggered app translocation.

Hello all, I am attempting to notarize my newly made Mac OS application using the notarization command in VS Code. "/Users/teejgotit/Desktop/Cursor Workspace/Rust CutContour v2/cutcontour-app/src-tauri/target/release/bundle/dmg/CC Studio_0.1.0_aarch64.dmg" \ --key "/Users/teejgotit/AppleCerts/AuthKey_MATVLX3.p8" \ --key-id "MATVLX9" \ --issuer "887ba428-aa39-4fb3-a3dc-f83b9145cab0" \ --wait Only to be met with a continual "Current State: In Progress.." for what has been about 1 day and 16 hours now. Current status: In Progress........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................ My app and project are rather small and was curious if this is a normal thing for this to day takes for a first time notarization? Would love any help or feedback.

Xcode is prompting I enter a codesign login password when I am archiving my project. My password seems incorrect since there is no action after I enter my password and tap allow. what could be the problem?

Hello, we are currently encountering a similar issue. We need to inject our capabilities into a third-party app by re-signing it (not a full re-signing process—just requiring the provisioning profile and certificate to match). However, this seems to affect the functionality of universal links. We've found that this issue only occurs on iOS 18. We noticed that when re-signing the app, the entitlements related to associated domains are changed to a wildcard: [Key] com.apple.developer.associated-domains [Value] [Array] [String] * However, this doesn’t cause any issues on iOS 17. Through further testing, we discovered that in order for universal links to work properly, we need to restore the original value of com.apple.developer.associated-domains and use a provisioning profile that matches the app's bundle ID. This means our previous re-signing approach using a certificate and provisioning profile from another bundle will no longer work. We’d like to ask: is this a new restriction introduced in iOS 18? If we manually restore the original com.apple.developer.associated-domains entitlement and use a provisioning profile that matches the app’s bundle ID, will universal links function correctly going forward?

This is my .entitlements file: Code signing: codesign --sign -vvv --timestamp --options=runtime --force --entitlements ./UES.entitlements -s "Developer ID Application: XXX. (XXXXXXX)" ./UES.app I work fine in the macOS 13.x system, but the "killed" error occurs in macOS11.x. The system log is displayed as follows: (If codesign remove the --entitlements ./UES.entitlements, it will operate normally) 2025-04-21 13:58:27.039638+0800 0xd5941 Default 0x0 149 0 amfid: /Applications/UES.app/Contents/MacOS/UES signature not valid: -67050 2025-04-21 13:58:27.039762+0800 0xd5bbf Default 0x0 0 0 kernel: mac_vnode_check_signature: /Applications/UES.app/Contents/MacOS/UES: code signature validation failed fatally: When validating /Applications/UES.app/Contents/MacOS/UES: 2025-04-21 13:58:27.039815+0800 0xd5bbf Default 0x0 0 0 kernel: proc 29354: load code signature error 4 for file "UES" 2025-04-21 13:58:27.040720+0800 0xd5bc0 Default 0x0 0 0 kernel: (AppleSystemPolicy) ASP: Security policy would not allow process: 29354, /Applications/UES.app/Contents/MacOS/UES 2025-04-21 13:58:27.045974+0800 0xd58be Error 0x0 66405 0 CoreServicesUIAgent: [com.apple.launchservices:uiagent] handle LS launch error: {\n Action = oapp;\n AppMimimumSystemVersion = "10.13";\n AppPath = "/Applications/UES.app";\n ErrorCode = "-10826";\n} 2025-04-21 13:58:39.121619+0800 0xd5941 Default 0x0 149 0 amfid: /Applications/UES.app/Contents/MacOS/UES signature not valid: -67050 2025-04-21 13:58:39.121832+0800 0xd5e0f Default 0x0 0 0 kernel: mac_vnode_check_signature: /Applications/UES.app/Contents/MacOS/UES: code signature validation failed fatally: When validating /Applications/UES.app/Contents/MacOS/UES: 2025-04-21 13:58:39.121861+0800 0xd5e0f Default 0x0 0 0 kernel: proc 29415: load code signature error 4 for file "UES" 2025-04-21 13:58:39.122571+0800 0xd5e10 Default 0x0 0 0 kernel: (AppleSystemPolicy) ASP: Security policy would not allow process: 29415, /Applications/UES.app/Contents/MacOS/UES 2025-04-21 13:58:46.297915+0800 0xd5941 Default 0x0 149 0 amfid: /Applications/UES.app/Contents/MacOS/UES signature not valid: -67050 2025-04-21 13:58:46.298031+0800 0xd5f85 Default 0x0 0 0 kernel: mac_vnode_check_signature: /Applications/UES.app/Contents/MacOS/UES: code signature validation failed fatally: When validating /Applications/UES.app/Contents/MacOS/UES: 2025-04-21 13:58:46.298072+0800 0xd5f85 Default 0x0 0 0 kernel: proc 29485: load code signature error 4 for file "UES" 2025-04-21 13:58:46.300248+0800 0xd5f86 Default 0x0 0 0 kernel: (AppleSystemPolicy) ASP: Security policy would not allow process: 29485, /Applications/UES.app/Contents/MacOS/UES What causes the pattern to be narrow?

Hi everyone, I'm trying to add the Side Button Access entitlement to my voice-based conversational app following the documentation, but I'm unable to find it in Xcode. Steps I followed: Selected my app target in Xcode project navigator Went to the Signing & Capabilities tab Clicked the + Capability button Searched for "Side Button Access" Problem: The "Side Button Access" option does not appear in the capabilities list at all. Environment: I'm developing and testing in Japan (where this feature should be available) Xcode version: Xcode 26.2 beta 3 iOS deployment target: iOS 26.2 Questions: Is there any pre-registration or special approval process required from Apple before this entitlement becomes available? Are there any additional requirements or prerequisites I need to meet? Is this feature already available, or is it still in a limited beta phase? Any guidance would be greatly appreciated. Thank you!

Your development team has reached the maximum number of registered iPhone devices. I am use the free provisioning file. So how can I delete old device and use my new iPhone to develop my app. only way is use a paid account? or register a new Apple ID?

Hi, I had an issue when I notarized myapplication.dmg with Process 'xcrun notarytool submit' exited with value '132'. Do you know how to solve it? Do you have any explanation about the response value when we execute 'xcrun notarytool submit'? Thank you very much! 2025-02-25 09:36:18,182 ERROR [org.ecl.cbi.ws.mac.not.xcr.not.NotarytoolNotarizer] (macos-notarization-service-pool-thread-14) Error while parsing the output after the upload of '/tmp/macos-notarization-service/pending-files/myapplication.dmg' to the Apple notarization service: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 1; Premature end of file. at java.xml/com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.createSAXParseException(ErrorHandlerWrapper.java:204) at java.xml/com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.fatalError(ErrorHandlerWrapper.java:178) at java.xml/com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:400) at java.xml/com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:327) at java.xml/com.sun.org.apache.xerces.internal.impl.XMLScanner.reportFatalError(XMLScanner.java:1465) at java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl$PrologDriver.next(XMLDocumentScannerImpl.java:1013) at java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:605) at java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:542) at java.xml/com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:889) at java.xml/com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:825) at java.xml/com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141) at java.xml/com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1224) at java.xml/com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:637) at java.xml/com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl.parse(SAXParserImpl.java:326) at java.xml/javax.xml.parsers.SAXParser.parse(SAXParser.java:197) at org.eclipse.cbi.ws.macos.notarization.xcrun.common.PListDict.fromXML(PListDict.java:134) at org.eclipse.cbi.ws.macos.notarization.xcrun.notarytool.NotarytoolNotarizer.analyzeSubmissionResult(NotarytoolNotarizer.java:39) at org.eclipse.cbi.ws.macos.notarization.xcrun.common.NotarizationTool.upload(NotarizationTool.java:50) at org.eclipse.cbi.ws.macos.notarization.xcrun.common.Notarizer.lambda$uploadFailsafe$3(Notarizer.java:65) at net.jodah.failsafe.Functions.lambda$get$0(Functions.java:48) at net.jodah.failsafe.RetryPolicyExecutor.lambda$supply$0(RetryPolicyExecutor.java:66) at net.jodah.failsafe.Execution.executeSync(Execution.java:128) at net.jodah.failsafe.FailsafeExecutor.call(FailsafeExecutor.java:379) at net.jodah.failsafe.FailsafeExecutor.get(FailsafeExecutor.java:68) at org.eclipse.cbi.ws.macos.notarization.xcrun.common.Notarizer.uploadFailsafe(Notarizer.java:65) at org.eclipse.cbi.ws.macos.notarization.NotarizationService.lambda$notarize$0(NotarizationService.java:192) at java.base/java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1768) at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539) at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304) at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) at java.base/java.lang.Thread.run(Thread.java:840)

hey, trying to notarize my mac app rn. maybe servers are down. earlier today super fast but now slow and i need to ship. anyone having similar issue?

My Developer ID certificate will expire in few days, so I downloaded and installed new certificate in login keychain. However my key is still linked to my old certificate. I have my .p12 but even if I delete the old certificate from login keychain and reinstall the .12 file, my old certificate reappears in the login keychain. I tried to select the new certificate in the login keychain and choose Files > Export Items (in Keychain Access) but in the Save dialog under File Format the "Personal Information Exchange (.p12)" option is grayed out. How can I generate a key/.p12 file that will be linked to my new certificate?

we have organization account I'm the admin of team. and i have additional resources: Additional Resources Access to Reports Access to Certificates, Identifiers & Profiles. Access to Cloud Managed Distribution Certificate Create Apps Generate Individual API Keys Issues: i can't find my team certificate in Xcode I don't have access to https://developer.apple.com/account/resources/

Hello, I had a successful attempt at notarization earlier today in my build pipeline. I've been using the same system for building my macOS application for over a year now. However, subsequent builds seemed to fail. I found a couple similar topics which makes this seem not not an isolated incident: https://developer.apple.com/forums/thread/782950 https://developer.apple.com/forums/thread/783347 https://developer.apple.com/forums/thread/783283 In my case I use the following command to submit the notarization: xcrun notarytool submit FilePath.dmg --apple-id "myappleid@gmail.com" --password "redacted_obviously" --team-id "my-team-id" --wait I left a previous run go for over an hour and the "Current status: In Progress.................. etc" filled the whole terminal. I manually checked the progress of the submissions using the command below: xcrun notarytool log --apple-id "myappleid@gmail.com" --password "redacted_obviously_again" --team-id "my-team-id" [run id] And they all result in the following output: Submission log is not yet available or submissionId does not exist Is anyone else experiencing this? Are there any possible solutions?

Hi All, I am building my own MDM server. It seems that in order for the MDM commands to function an MDM Push Certificate for the APNS framework. And in order to get the MDM Push Certificate from the Apple Push Certificates Portal (https://identity.apple.com/pushcert/) you need to upload your CSR usually provided and sign by the MDM Vendor of your choosing. I am familiar with this process. But now that I am the MDM Vendor, I am not sure where to get this MDM Vendor CSR Signing Certificate. I've already submitted a formal request via the "contact us" form. Apple's response pointed me to the documentation on Setting Up Push Notifications and the MDM Vendor CSR Signing Certificate help page (which I had already reviewed): https://developer.apple.com/documentation/devicemanagement/setting-up-push-notifications-for-your-mdm-customers https://developer.apple.com/help/account/certificates/mdm-vendor-csr-signing-certificate/ The issue is that these documents describe using the signing certificate, but not the process for obtaining it as a new, independent vendor. So does anyone know of a portal or method of generating this “MDM Vendor Certificate”? or maybe I'm going about this all wrong and there is a simpler way… the again, its apple, so I’m probably on the right path just beed a little direction please. (I am not sure where to get this MDM Vendor CSR Signing Certificate.)