To learn how to develop/distribute a DriverKit driver (DEXT) and a UserClient app correctly, I am trying to run the following sample dext and app. https://developer.apple.com/documentation/driverkit/communicating-between-a-driverkit-extension-and-a-client-app?language=objc I walked throught steps in README.md included in the project and faced issues. First, I referred the "Configure the Sample Code Project" section in the README.md and configured the sample code project to build with automatic signing. I could run the app and activate the dext successfully and made sure the app could communicate with the dext. Next, I tried the manual signing. I followed steps described in the "Configure the Sample Code Project" section carefully. The following entitlements has already been assigned to my team account. DriverKit Allow Any UserClient Access DriverKit USB Transport - VendorID DriverKit I could build both app and dext and could run the app. However, when I clicked the "Install Dext" button to activate the dext, I got the following error: sysex didFailWithError: extension category returned error Am I missing something? I would also like to know detailed steps to publicly distribute my dext and app using our Developer ID Application Certificate, as README.md only shows how to configure the project for development. Xcode version: 16.3 (16E140) Development OS: macOS 15.5 (24F74) Target OS: macOS 15.5 (24F74)

I am facing this error on every flutter project build. Although it runs ok. The error happens on the codesign command What do I need to fix ? I have validated that every *.plist file is ok using plutil -lint ERROR MESSAGE /usr/bin/codesign --force --sign MY_SHA_CODE --verbose /Users/macbookair/workspace/flutter_application_1/build/ios/Release-iphoneos/Runner.app/Frameworks/libswiftCore.dylib)` exited with status 0. The command's output was: /Users/macbookair/workspace/flutter_application_1/build/ios/Release-iphoneos/Runner.app/Frameworks/libswiftCore.dylib: a required plist file or resource is malformed Info.plist <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>CFBundleDevelopmentRegion</key> <string>$(DEVELOPMENT_LANGUAGE)</string> <key>CFBundleDisplayName</key> <string>Flutter Application 1</string> <key>CFBundleExecutable</key> <string>$(EXECUTABLE_NAME)</string> <key>CFBundleIdentifier</key> <string>$(PRODUCT_BUNDLE_IDENTIFIER)</string> <key>CFBundleInfoDictionaryVersion</key> <string>6.0</string> <key>CFBundleName</key> <string>flutter_application_1</string> <key>CFBundlePackageType</key> <string>APPL</string> <key>CFBundleShortVersionString</key> <string>$(FLUTTER_BUILD_NAME)</string> <key>CFBundleSignature</key> <string>????</string> <key>CFBundleVersion</key> <string>$(FLUTTER_BUILD_NUMBER)</string> <key>LSRequiresIPhoneOS</key> <true/> <key>UILaunchStoryboardName</key> <string>LaunchScreen</string> <key>UIMainStoryboardFile</key> <string>Main</string> <key>UISupportedInterfaceOrientations</key> <array> <string>UIInterfaceOrientationPortrait</string> <string>UIInterfaceOrientationLandscapeLeft</string> <string>UIInterfaceOrientationLandscapeRight</string> </array> <key>UISupportedInterfaceOrientations~ipad</key> <array> <string>UIInterfaceOrientationPortrait</string> <string>UIInterfaceOrientationPortraitUpsideDown</string> <string>UIInterfaceOrientationLandscapeLeft</string> <string>UIInterfaceOrientationLandscapeRight</string> </array> <key>CADisableMinimumFrameDurationOnPhone</key> <true/> <key>UIApplicationSupportsIndirectInputEvents</key> <true/></dict> </plist> Please help.

Can you please revoke my developer id application and installer certs? So i may recreate. I deleted the private key by mistake before realizing i cannot recreate everything using the developer website portal. I dont have macos backup or did i backup my certs with attached pkey. I just did not realize this was important until now. Please help as Im now blocked. I opened a case too but i have not yet got a response. its been 3 days now. case id: 20000093632858

I keep getting this error when trying to install Audio app extension. Everything is reviewed from certificates to profiles, for some reason CreatingCustomAudioEffects sample is deployed correctly but when Creating new Project (Audio Extension App) from new project Option, it doesn't work at all. If I remove Extension from Frameworks and deploy app, then no problem but then App crashes as extension is missing. Something wrong with Xcode? I am pretty sure it used to build new projects but not anymore. Failed to verify code signature of /var/installd/Library/Caches/com.apple.mobile.installd.staging/temp.0k1RXy/extracted/AudioUnitsAppExtensionTest.app : 0xe8008015 (A valid provisioning profile for this executable was not found.) Please ensure sure that your app is signed by a valid provisioning profile. If this issue persists, please attach the following when sending a report to Apple: A sysdiagnose from this Mac A sysdiagnose from the device failing installation An IPA of the app failing installation

My app is a Safari extension. When trying to validate the app, I get the following error: App sandbox not enabled. The following executables must include the "com.apple.security.app-sandbox" entitlement with a Boolean value of true in the entitlements property list: [( "app.rango.Rango.pkg/Payload/Rango for Safari.app/Contents/MacOS/Rango for Safari" )] Refer to App Sandbox page at https://developer.apple.com/documentation/security/app_sandbox for more information on sandboxing your app. I don't know why this is happening. I have app sandbox enabled in both the app and the extension target. I have both entitlement files. When executing codesign -d --entitlements :- /path/to/binary I get the following: <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>com.apple.security.app-sandbox</key><true/><key>com.apple.security.files.user-selected.read-only</key><true/><key>com.apple.security.get-task-allow</key><true/><key>com.apple.security.network.client</key><true/></dict></plist> If I check on Activity Monitor, on the sandbox column it shows true. I have no idea why I keep getting this error when all indicates that the app is actually sandboxed.

Hi everyone! I've send my .dmg file for notarization, it has been accepted on March 5. Since then there weren't any updates, it hasn't changed its status. What might be the problem? Info about submission: createdDate: 2025-03-05T12:13:18.802Z id: 202d877d-d0c4-4211-bba4-6ebdb169a843 status: Accepted

We have a MacOS application that we plan on distributing standalone (it'll be installed through MDM or directly, not through the app store). We utilize endpoint security and full disk access for this (enterprise) app. I have a makefile that uses codesign to sign the app inside-out. All that appears to work (i.e., when I try to run the app directly it functions as I expect it to). What's the recommended way to allow the developers in my team to also sign the app for local development so it functions as close as possible to production? My first thought is to distribute the developer identity to their machines using MDM. However, ideally i'd like to rule out the ability for a developer who has the MDM profile assigned to export the keys. That really only leaves a centralized solution in place or disabling SIP on their system (which I don't want to do). Alternatively, would creating a separate identity for production make more sense, so that in the case the developer certificate is revoked, the production releases continue to function as normal (however, I assume this would also require creating two different profiles for the endpoint security entitlement--one for each certificate). Thanks! Derek

We have a command line script that runs xcodebuild to make an archive, then runs xcodebuild again to export the archive to make an ipa, and then runs "altool --validate-app" to check that everything will be fine for a subsequent upload to the app store. This has been working fine for a few years but recently stopped working and we cannot figure out why. The validation fails with this error: ERROR: [altool.105912F20] Validation failed (409) Invalid Provisioning Profile. The provisioning profile included in the com. bundle [Payload/.app] is invalid. [Missing code-signing certificate]. A distribution provisioning profile should be used when uploading apps to App Store Connect. (ID: ) The project is configured with 'Automatically manage signing' unchecked, and the profile was created on developer.apple.com/account/resources/profiles and the matching profile magically appears in the "Provisioning Profile" drop down in Xcode. The profile was created with two certificates checked, but examining the embedded.mobileprovision profile that ends up in the compiled ipa payload it appears to contain 19 certificates (probably all of them for this org?). Is there a way to find out which certificate is missing exactly? And once identified is it a case of adding it to the profile used during compilation to fix this? Ancillary question: why does the embedded.mobileprovision file contain so many certificates, and how does xcodebuild decide which ones it includes there?

I created an MadOS app with xcode 16.5 with a developer id certificate. I've been trying to install a distribution certificate for over a week with several co-workers. I can add a distribution certificate to my key chain, and created a provisioning profile. I've tried every combination but none work. I put xcode in automatic signing but can only see my developer id, if I put it in manual with and without a provisioning profile but if I give the app binary, other users can't run the app because the certificate isn't working. I need support to work with me to look the developer portal and my system to figure this out.

Hi, I'm having a really hard time figuring out why I cannot perform cloud signing via Developer ID with xcodebuild. I have a macOS application, which I can perfectly cloud sign the following way: Sign into Xcode with my Admin + Account Holder Apple ID. Delete my Developer ID Application certificate from Keychain Access. In Xcode, click Archive. When archived, click "Distribute App" in Xcode Organizer. The app is cloud signed. I prove this by extracting the certificate codesign --extract-certificates -- /path/to/app.app then locate the 1.2.840.113635.100.6.1.32 bit mentioned by Quinn in this post. I however do it by simply opening the certifiacte with Keychain Access, where I can investigate the content of the certificate, rather than use that tool he does. Then, I do the following to attempt to cloud sign via xcodebuild: Create an API Key for the whole team in Users and Access > Integrations > App Store Connect with the "Admin" role selected. Download the private key .p8 file to ~/Downloads. Sign out of my Apple ID in Xcode by removing the account in Settings > Accounts. Create an archive: xcodebuild archive -scheme "<redacted scheme name>" -archivePath ~/Downloads/archive.xcarchive -authenticationKeyIssuerID <redacted issuer id> -authenticationKeyID <redacted key id> -authenticationKeyPath ~/Downloads/AuthKey_<redacted key id>.p8 -allowProvisioningUpdates The archive is successfully created, with a new "Apple Development: Created via API (TEAM ID)" naming. Export the archive: xcodebuild -exportArchive -archivePath ~/Downloads/archive.xcarchive -authenticationKeyIssuerID <redacted issuer id> -authenticationKeyID <redacted key id> -authenticationKeyPath ~/Downloads/AuthKey_<redacted key id>.p8 -allowProvisioningUpdates -exportOptionsPlist ~/Downloads/exportOptions.plist -exportPath ~/Downloads which then fails: 2025-03-07 10:27:58.706 xcodebuild[2152:40704] [MT] IDEDistribution: -[IDEDistributionLogging _createLoggingBundleAtPath:]: Created bundle at path "/var/folders/tn/yy7ynz3d0yb4p3sd_5q_wl0h0000gn/T/<redacted app name> macOS_2025-03-07_10-27-58.706.xcdistributionlogs". error: exportArchive Cloud signing permission error error: exportArchive No signing certificate "Developer ID Application" found ** EXPORT FAILED ** Opening the distribution logs, I find this in the Provisioning Log: 2025-03-07 09:09:58 +0000 2025-03-07 09:09:58 +0000 IDEProvisioningRepair(<redacted app name>.app): 2025-03-07 09:09:58 +0000 IDEProvisioningRepair(<redacted app name>.app): Sending request 84E57539-BC1D-407A-8402-7BCE9F2FD100 to <https://appstoreconnect.apple.com/xcbuild/v1/certificates> for session DVTServicesTeamBasedSession <issuer: <redacted issuer id>; key identifier: <redacted key id>>. Method: POST Headers: { Accept = "application/vnd.api+json"; "Accept-Encoding" = "gzip, deflate"; Authorization = "Bearer <redacted bearer token>"; "Content-Length" = 116; "Content-Type" = "application/vnd.api+json"; "User-Agent" = Xcode; "X-HTTP-Method-Override" = GET; "X-Xcode-Version" = "16.2 (16C5032a)"; } Payload: {"urlEncodedQueryParams":"teamId=<redacted team id>&filter%5BcertificateType%5D=DEVELOPER_ID_APPLICATION_MANAGED&limit=200"} 2025-03-07 09:09:59 +0000 2025-03-07 09:09:59 +0000 IDEProvisioningRepair(<redacted app name>.app): 2025-03-07 09:09:59 +0000 IDEProvisioningRepair(<redacted app name>.app): Received response for 84E57539-BC1D-407A-8402-7BCE9F2FD100 @ <https://appstoreconnect.apple.com/xcbuild/v1/certificates>. Code = 0 2025-03-07 09:09:59 +0000 2025-03-07 09:09:59 +0000 IDEProvisioningRepair(<redacted app name>.app): 2025-03-07 09:09:59 +0000 IDEProvisioningRepair(<redacted app name>.app): Response payload: { "errors" : [ { "id" : "3d09690a-e26f-497f-b576-25104064387e", "status" : "403", "code" : "FORBIDDEN_ERROR", "title" : "This request is forbidden for security reasons", "resultCode" : 7495, "detail" : "You haven't been given access to cloud-managed distribution certificates. Please contact your team's Account Holder or an Admin to give you access. If you need further assistance, contact Apple Developer Program Support at https://developer.apple.com/contact/." } ] } Which is really weird, since I am using an API key with Admin rights. If I create a new key, and use it only for this command, App Store Connect does show the "Last Used" date as today after running the command. I thought some time might need to pass, but the issue has been persisting since yesterday. What could be wrong here? I do have a managed Developer ID Application certificate showing in my account but I still can't retrieve it with an Admin right imbued API key.

Hi folks, I'm trying to generate a provisioning profile that includes both Healthkit and MusicKit entitlements. The healthKit pieces if fine, and included in the profile. However, despite selecting Musickit under services in the ID setup, the entitlement doesn't seem to be included in the profile. Other steps taken: Setup the app in App Store Connect, generated a media ID and Key. Tried both automatic and manual signing. Are there specifics tricks to getting this one to work?

Successfully received submission history. history ...... -------------------------------------------------- createdDate: 2025-10-19T18:34:47.472Z id: d3248896-7841-421e-9470-101df9d0da21 name: ... status: In Progress -------------------------------------------------- createdDate: 2025-10-19T18:12:45.325Z id: e5822fa0-5bcf-4610-81fc-9f541e8ad189 name: ... status: In Progress

Hello, We are currently using Apple Notarization (notarytool) for distributing a macOS app, and we are experiencing very long notarization times for large app bundles. [Issue] For apps with large binary sizes, notarization consistently takes around 3.5 to 4.5 hours from submission to completion. This delay is causing practical issues in our release pipeline, especially when: A hotfix or urgent update is required Multiple builds must be notarized in a short time CI/CD-based distribution is expected to complete within a predictable timeframe [Environment] Platform: macOS Notarization method: notarytool Distribution: Outside Mac App Store App size: 100 GB~ (compressed ZIP) Signing: Hardened Runtime enabled, codesigned correctly Submission status: Successfully accepted, but processing time is very long [What we have confirmed] The notarization eventually succeeds (no failures) Re-submitting the same build shows similar processing times Network upload itself completes normally; the delay is in Apple-side processing Smaller apps complete notarization much faster [Questions] Is a 3–4+ hour notarization time expected behavior for large macOS apps? Are there recommended best practices to reduce notarization processing time for large binaries? For example, splitting components, adjusting packaging, or specific signing strategies Is there any official guidance or limitation regarding notarization queueing or processing based on app size? Are there known service-side delays or regional differences that could affect processing time? Any insight or confirmation would be greatly appreciated, as this directly impacts our production release workflow. Thank you.

I am able to sign my application when logged in to the machine, however when build is running in CI (Jenkins), I get this: "Warning: unable to build chain to self-signed root for signer.." We just renewed or certificates, so I am not sure about previous procedure, but it used to work without temporary keychain and stuff, I believe. What should be the recommended way to sign an application on CI? What keychain should we use? system? temporary? other method? Thanks, Itay

I am a complete novice and I find that I cannot restore or delete the “Apple Development” certificate (I only use it for signing). From what I understand, you need to be in a program to manage certificates, but I have no intention of distributing any applications and, from my point of view, it makes no sense to pay. Am I wrong or am I doing something wrong? Notes: This happened after I installed Tahoe on a new installation. I was able to restore it using a copy of the keychains folder I had from Sequoia. Xcode (Apple Accounts - Manage Certificates) now shows me two certificates, indicating that one is not in the keychain and cannot be deleted.

Hi, I'm running into a weird notarization issue and wanted to see if anyone else has seen something similar. I have one main macOS app that keeps doing the following: The notarization sits in "In Progress" for a few days Then it flips to "Rejected" with error code 7000 The notarytool log shows no issues and no ticket info At the same time, smaller test apps on the same Apple Developer account notarize. They do take around 2-3 days though. So it doesn't seem like an account or certificate problem. It looks like something about this specific app causes it to go into a long review and then fail with that vague 7000 error. The app is fairly large (Python + Qt, lots of bundled libraries), so I'm wondering if that triggers deeper scanning or some kind of policy check. Has anyone else seen: Multi day notarization jobs? Error 7000 that only affects one particular app? Rejections with no "issues" listed? If so, did you find a way around it? Also for context, my Apple Developer account was created recently I have contacted Apple Support already but no response yet and it's been 6 days. Thanks!

I was trying to put my game to test flight. I would test features like ads and in-app-purchases, then put on the Appstore(release). The game already works on Ipad. For test flight, the "automatically manage signing" option was enabled. Then I pressed the "archive" button. Built succeeded. Then I clicked the distribute button. That time, I had an error. "Upload failed, Invalid signature, App is not properly signed". I researched, and found special characters in name, team name and address can make errors. My name, address and team name have special characters(turkish). If it will be resolved, I want to re-write(fix) my name, team name and address. I already tried to change my name, team name and address from apple developer website but failed. They are asking a document of my identity of my new name but I didn't changed my name and address. Overall, there aren't any other facts that cause this issue as I know. If I send my current, unchanged identity and home address, could they allow to change(fix) them? On Console Log: DangerNo.app/DangerNo: ID : 6cfa13a9-685c-4df9-86dd-7506d67be8c5 DangerNo.app/Frameworks/UnityFramework.framework/UnityFramework: ID : 2b63aacc-9caf-453c-913f-bae0db14d363 My App ID : 6744022885 Error : Invalid Binary rejection email indicating a corrupted code signature was detected. Explanation : Invalid Signature - Make sure you have signed your application with a distribution certificate, not an ad hoc certificate or a development certificate. Verify that the code signing settings in Xcode are correct at the target level (which override any values at the project level). Additionally, make sure the bundle you are uploading was built using a Release target in Xcode, not a Simulator target. If you are certain your code signing settings are correct, choose "Clean All" in Xcode, delete the "build" directory in the Finder, and rebuild your release target.

Hi, I'm getting error 65 upon stapling and I am suspecting that non-default trust settings may be the reason as outlined here: Unfortunately whatever I do, I can't seem to reset the trust settings to their default values (removing the blue/white "+"), I'm not being asked for credentials upon closing the certificate window. I have also tried to unlock the System Roots key chain, to no avail. Also, when running security dump-trust-settings -d I get Number of trust settings : 0 for all certificates. Any ideas as to what I may be doing wrong? Is there any other setting that may be involved? Thanks!

I have built my application for arm and x64 so I have two files called DeepSkyStacker.app in different directories. I have followed the instructions to notarise the arm version of the app, but an concerned about what I should do to notarise the other one - do I just zip that up and then run: xcrun notarytool submit "DeepSkyStacker.zip" --keychain-profile "Notary Profile for DeepSkyStacker" --wait xcrun stapler staple DeepSkyStacker.app again or will that mess everything up? Related to that can I use the Notary Profile I created for DeepSkyStacker to notarise other apps that are part of the same product (DeepSkyStackerLive and DeepSkyStackerCL)?? Thanks David

This is .entitlements file: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.developer.endpoint-security.client</key> <true/> </dict> </plist> Code signing: codesign --sign -vvv --timestamp --options=runtime --force --entitlements ./UES.entitlements -s "Developer ID Application: XXXX Ltd. (XXXXXX)" ./UES.app When I run it on macOS 13.x, it works fine. If I run the system on macOS 11.x, it reports a "killed" error (if codesign remove --entitlements ./UES.entitlements, Then the startup will not report an error, but the endpoint security rights cannot be used) System log: 2025-04-21 13:58:27.039638+0800 0xd5941 Default 0x0 149 0 amfid: /Applications/UES.app/Contents/MacOS/UES signature not valid: -67050 2025-04-21 13:58:27.039762+0800 0xd5bbf Default 0x0 0 0 kernel: mac_vnode_check_signature: /Applications/UES.app/Contents/MacOS/UES: code signature validation failed fatally: When validating /Applications/UES.app/Contents/MacOS/UES: 2025-04-21 13:58:27.039815+0800 0xd5bbf Default 0x0 0 0 kernel: proc 29354: load code signature error 4 for file "UES" 2025-04-21 13:58:27.040720+0800 0xd5bc0 Default 0x0 0 0 kernel: (AppleSystemPolicy) ASP: Security policy would not allow process: 29354, /Applications/UES.app/Contents/MacOS/UES 2025-04-21 13:58:27.045974+0800 0xd58be Error 0x0 66405 0 CoreServicesUIAgent: [com.apple.launchservices:uiagent] handle LS launch error: {\n Action = oapp;\n AppMimimumSystemVersion = "10.13";\n AppPath = "/Applications/UES.app";\n ErrorCode = "-10826";\n} 2025-04-21 13:58:39.121619+0800 0xd5941 Default 0x0 149 0 amfid: /Applications/UES.app/Contents/MacOS/UES signature not valid: -67050 2025-04-21 13:58:39.121832+0800 0xd5e0f Default 0x0 0 0 kernel: mac_vnode_check_signature: /Applications/UES.app/Contents/MacOS/UES: code signature validation failed fatally: When validating /Applications/UES.app/Contents/MacOS/UES: 2025-04-21 13:58:39.121861+0800 0xd5e0f Default 0x0 0 0 kernel: proc 29415: load code signature error 4 for file "UES" 2025-04-21 13:58:39.122571+0800 0xd5e10 Default 0x0 0 0 kernel: (AppleSystemPolicy) ASP: Security policy would not allow process: 29415, /Applications/UES.app/Contents/MacOS/UES 2025-04-21 13:58:46.297915+0800 0xd5941 Default 0x0 149 0 amfid: /Applications/UES.app/Contents/MacOS/UES signature not valid: -67050 2025-04-21 13:58:46.298031+0800 0xd5f85 Default 0x0 0 0 kernel: mac_vnode_check_signature: /Applications/UES.app/Contents/MacOS/UES: code signature validation failed fatally: When validating /Applications/UES.app/Contents/MacOS/UES: 2025-04-21 13:58:46.298072+0800 0xd5f85 Default 0x0 0 0 kernel: proc 29485: load code signature error 4 for file "UES" 2025-04-21 13:58:46.300248+0800 0xd5f86 Default 0x0 0 0 kernel: (AppleSystemPolicy) ASP: Security policy would not allow process: 29485, /Applications/UES.app/Contents/MacOS/UES May I ask what the reason is?