Context: large platform-agnostic CLI tool built as a handcrafted bundle (not via an Xcode project) that has been successfully codesigned, stapled, and zipped; macOS 14.7.5 syspolicy_check reports App passed all pre-distribution checks and is ready for distribution. However, running the executable in the Terminal produces a "cannot be opened because the developer cannot be verified" popup. The executable does succeed after manually clearing its quarantine attribute. Having worked through Resolving Gatekeeper Problems, the only detail logged in the Console is Adding Gatekeeper denial breadcrumb (direct): ... bundle_id: NOT_A_BUNDLE. Experimental observations: a minimized trivial CLI executable with a similar bundle layout and name successfully executes without being rejected, and oddly, renaming the original bundle from "name" to "name.suffix" allows it to be successfully executed. It's unclear why the bundle name would affect Gatekeeper only in some circumstances, and we'd greatly prefer not to rename the bundle for compatibility reasons, so it would be good if there were some way to get further diagnostic detail leading to a workaround - thank you.

Hi, I've code-signed my app and notarized it, and created a DMG, and when I slacked it or airdropped it to someone for testing the FIRST time they open it, they get a warning that it was Slacked or airdropped to them and do they want to open it. if they say yes everything is fine. So looking through here someone said I need to sign the app and then make a dmg and sign the dmg and then send that for notorization and then staple that. So I did, and I still get a warning the first tie someone try's to run it. What am I doing wrong? I know I can buy software and not get a warning from apple. so how do I get my app to work correctly like that?

I am using the xcrun notarytool submit --apple-id xxxxx@gmail.com --password xxxxx--team-id xxxxxx --output-format json --wait --no-progress /my/dmg/file to notarize my DMG file. But it always gives me back the error, Error: HTTP status code: 403. A required agreement is missing or has expired. This request requires an in-effect agreement that has not been signed or has expired. Ensure your team has signed the necessary legal agreements and that they are not expired. I did log in my developer account and found no place to sign any agreement. Actually in the morning when I logged in the developer account, it indeed pop up the agreement for me to sign and I did sign it. But now it seems I don't have any more agreements to sign. So, any ideas about what I should do?

Notarization Rejects Valid Developer ID Certificates - Apple Infrastructure Issue? Environment macOS: 15.6.1 Xcode: 26.0.1 Architecture: arm64 (Apple Silicon) Team ID: W---------- Certificate Status: Valid until 2030 (verified on developer.apple.com) Problem Apple's notarization service consistently rejected properly signed packages with error: "The binary is not signed with a valid Developer ID certificate." Despite: ✅ Valid certificates on developer.apple.com ✅ Local signing succeeds (codesign --verify passes) ✅ Proper certificate/key pairing verified ✅ Package structure correct Failed Submission IDs September 2025: adeeed3d-4732-49c6-a33c-724da43f9a4a 5a910f51-dc6d-4a5e-a1c7-b07f32376079 3930147e-daf6-4849-8b0a-26774fd92c3c b7fc8e4e-e03c-44e1-a68e-98b0db38aa39 d7dee4a1-68e8-44b5-85e9-05654425e044 da6fa563-ba21-4f9e-b677-80769bd23340 What I've Tried Re-downloaded fresh certificates from Apple Developer Portal Verified certificate chain locally Tested with multiple different builds Confirmed Team ID matches across all configurations Verified no unsigned nested components Waited 3 months for potential propagation delays Verified all agreements are current and accepted Re-tested with minimal test package - same error persists Local Verification # Certificates present and valid security find-identity -v -p codesigning | grep "Developer ID" 1) XXXXXXXXXX "Developer ID Application: <<REDACTED>> (W----------)" 2) XXXXXXXXXX "Developer ID Installer: <<REDACTED>> (W----------)" # Signing succeeds codesign --verify --deep --strict --verbose=2 [app] → Success Question This appears similar to thread #784184. After 3 months and ensuring all agreements are signed, the issue persists with identical error. The certificates work for local signing but Apple's notarization service rejects them. Could this be: Backend infrastructure issue with Team ID W----------? Certificate not properly registered in Apple's notarization database? Known issue requiring Apple Support intervention? Has anyone else experienced valid Developer ID certificates being rejected specifically by the notarization service while working locally?

I have two certificates in my Accounts>Manage Certificates section. One is active, the other is greyed out with a status of "Not in Keychain". I only have ONE certificate in the developer account online. Timeline: Had an issue with fastlane codesigning and was trying to resolve that. In that attempt I deleted my related Certificates from my keychain Xcode showed them as disabled (greyed out) and not in Keychain. Look up how to resolve, need to revoke certificates in Developer account online. I go and revoke those certificates. Nothing changes I create new certificate and try to add it to xcode>account>certificate managment>"Apple Development". Get an error saying I can't add a new can't do that because a certificate is already pending. I waited a day because I assumed like somethings with apple, updates are not immediate. I come back the next day and am able to add a new certificate. However, the previous one that is greyed out and reads "Not in Keychain" under Status, is still there. How do I remove that "Not in Keychain" certificate? I emailed developer support and they directed me here.

My iOS app was created with a legacy Team ID in 2011. When I try to add an AppClip to the app, the Team ID on the AppClip is the new Team ID. Xcode prevents the build from completing. The com.apple.developer.parent-application-identifiers entitlement (null) of an App Clip must match the application-identifier entitlement ('TYXXXXXP2.com.it-guy.MyApp') of its containing parent app. How can this be resolved? Can the AppClip Team ID be changed in "Identifiers" on the developer.apple.com?

I added a extension called Call Directory to an IOS app as we want to call blocking and caller id. I was able to add App Groups to both runner and CallDirectory. I cannot see of add Call Directory capability. Am I missing something. I added the extension through the Call Directory Target template. If I try to add this to CallDirectory.enitlements manually com.apple.developer.callkit.call-directory call-blocking caller-identification i recieve this signing error. Provisioning profile "iOS Team Provisioning Profile: "" doesn't include the com.apple.developer.callkit.call-directory entitlement. I cannot add Call Directory to an identifier in Apple Developer either.

I am running into this error with productbuild in github actions where the program hangs with a specific developer id. I have verified that my certification files are properly uploaded etc. and i am able to run this without the --sign command online and with --sign offline. if i sign with a "3rd party mac developer installer: ***" it will run but then crash on stapling because this isn't the actual org i want to staple and don't really need to verify that i could staple with this other license since it is my personal license and i will be leaving this job soon so setting up all my other certs is a waste of time since it doesn't solve the problem. When i use my bosses/org "Developer ID Installer: ***" productbuild just hangs. I am at a loss here... the acutal command running is productbuild --resources ./resources --distribution distribution.xml --sign "${{ secrets.DEVELOPER_ID_INSTALLER }}" --timestamp "${{ env.ARTIFACT_NAME }}.pkg" I have confirmed that my distribution file is fine etc. because I can productbuild without signing fine. Any suggestions on where to go?

Whilst waiting for the company developer account I successfully notarised an app/pkg On switching to the company account the app/pkg has been stuck in progress for over 2 days (see below) The initial submission was via Xcode and later via command line. The last one was when I updated bundle ids etc and built with Github Actions. The initial submission did coincide with a service outage, however that is marked as resolved. I would like to cancel all of them now that I have switched the signing account and the bundle ID but there seems no way to do this? Thoughts and comments welcome. Thanks Paul -------------------------------------------------- createdDate: 2025-08-14T11:03:24.837Z id: edf215d0-4d15-4075-aa6f-4755a35b3d45 name: ZenityEndpointAgent.pkg status: In Progress -------------------------------------------------- createdDate: 2025-08-12T21:36:36.345Z id: 9c98de09-d3aa-449b-ad47-7e721b0342c5 name: AIEdgeDeviceAgent.pkg status: In Progress -------------------------------------------------- createdDate: 2025-08-12T16:58:50.891Z id: 9206f9be-0fc4-4c6c-aa66-8fcbe3332155 name: AIEdgeDeviceAgent.pkg status: In Progress -------------------------------------------------- createdDate: 2025-08-12T10:37:35.624Z id: b20d1dd0-084e-441c-87a6-641fb088819e name: AIEdge Device Agent.zip status: In Progress

Hello, I have this simulator made in Unity that I want to distribute as Standalone. It consists of launcher which, when users download it, downloads the game. I've built the launcher, got Developer ID Application certificate, added entitlements from: https://docs.unity3d.com/Manual/macoscodesigning.html#signing-identity I've signed the .app of the launcher and 2 dlls chatgpt recommended to sign, zipped it, notarized .zip successfully, stapled to .app and put it on Google Drive to test. I got my other MacBook Pro, downloaded the zip, tried to open it. It did open, but there is a black loading screen saying "0% progress, 0B/0B" indicating that it isn't downloading anything - no network calling. When checked using command xattr -l path/to/file.app I get the following output: com.apple.macl: @?????I???|???? com.apple.quarantine: 0083;67bf1a22;Safari;69764595-CA94-44D2-B679-A69DC4669382 There are some specifics I think are also important to mention. I tried to code-sign it, notarize it and staple it using only Terminal and I'd like to keep it that way because I am very unfamiliar with Mac so I've avoided using Xcode as much as possible I really want to avoid putting the simulator up on the App Store, so I must have Standalone solution and Standalone solution only I believe that there might be problem with needing right entitlements, but I don't know how to check which one's are needed for users to avoid using "xattr" command in terminal to allow the launcher to run because of GateKeeper I've been banging my head against the wall with this problem for over a month and I don't see the light at the end of the tunnel.

The entire 'Certificates, IDs & Profiles' section is missing from developer.apple.com portal for one of the accounts I am a developer for. The Team is also missing from the dropdowns in Xcode in Code Signing. The organization account membership is paid through July 2026, and I do not see that the Account Holder needs to sign any agreements. I am a user on other accounts, and none of them have this issue. Does anyone know what's going on?

Hi Developer Community, I'm encountering persistent code signing failures on macOS Sonoma 15.3 with a valid Developer ID Application certificate. The error occurs consistently across multiple certificate regenerations and various troubleshooting approaches. Environment macOS Version: Sonoma 15.3 Developer Account Type: Developer ID Certificate Type: Developer ID Application Certificate Details: Developer ID Application certificate valid until 2027 Using SHA-256 with RSA Encryption Certificate shows as valid in Keychain Access with associated private key Error Message Warning: unable to build chain to self-signed root for signer "Developer ID Application: [my certificate]" [filename]: errSecInternalComponent Steps to Reproduce Install certificate chain in order: Apple Root CA (System keychain) Apple WWDR CA (System keychain) Developer ID CA (System keychain) Developer ID Application certificate (Login keychain) Verify certificate installation: security find-identity -v -p codesigning Result shows valid identity. Attempt code signing with any binary: codesign -s "Developer ID Application: [my certificate]" -f --timestamp --options runtime [filename] Results in errSecInternalComponent error Troubleshooting Already Attempted Regenerated Developer ID Application certificate multiple times from Developer Portal Completely removed and reinstalled entire certificate chain Verified trust settings on all certificates (set to "Always Trust" for code signing) Tried multiple codesign command variations including --no-strict flag Verified keychain integrity Installed latest Apple CA certificates from apple.com/certificateauthority Verified certificate chain is properly recognized by security verify-cert Additional Information All certificates show as valid in Keychain Access Private key is properly associated with Developer ID Application certificate Trust settings are correctly configured for all certificates in the chain Problem persists after clean certificate installations Error occurs with any binary I try to sign Has anyone else encountered this issue on Sonoma 15.3? Any suggestions for resolving this system-level certificate trust chain issue would be greatly appreciated. Thanks in advance!

After signing and notarizing our application, the entitlement “com.apple.security.get-task-allow” is removed. However, we want this entitlement to remain and we want to be able to create a corefile when needed. Is it possible to make the “com.apple.security.get-task-allow” entitlement persistent after signing and notarizing, so that our application can create a corefile?

Hello, I am normally a windows programmer, but I am trying to get my PySide/Qt app into the app store. I'm almost there, I just have a couple of questions about the signing process. I have two laptops, one intel silicon, one mac silicon. I created 2 CSR's, one on each laptop and used them to generate 2 Mac Installer Distribution certificates and 2 Mac App Distribution certificates. When it came to downloading the provisioning profile, I selected one Mac App Distrbution Certificate on the interface at developer.apple.com, saved it and then downloaded to the appropriate laptop. I then switched the provisioning profile to the other Mac App Distribution Certificate and downloaded it to the other laptop. I then built the app and uploaded everything using xcrun altool. On the intel machine only(which has the first provisioning profile) I successfully uploaded the package but I get an email identifying lots of similar errors of the type (Lets call it error1): ITMS-90284: Invalid Code Signing - The executable XXXXX must be signed with the certificate that is contained in the provisioning profile. On the ARM machine only i get the following error (Lets call it error2): ITMS-91109: Invalid package contents - The package contains one or more files with the com.apple.quarantine extended file attribute, such as XXXXXXXX embedded.provisionprofile”. This attribute isn’t permitted in macOS apps distributed on TestFlight or the App Store. Please remove the attribute from all files within your app and upload again. On both I get the following error lets call it error3: ITMS-90886: 'Cannot be used with TestFlight because the signature for the bundle at XXXXX is missing an application identifier but has an application identifier in the provisioning profile for the bundle. Bundles with application identifiers in the provisioning profile are expected to have the same identifier signed into the bundle in order to be eligible for TestFlight.' My first inclination is that all the error1's are coming from having two sets of CSRs, Mac Distribution certificates, provisioning profiles etc. Should I have only used one CSR and made one each of the Certificates? I don't know why I have error2. I don't know where the quarantine attribute is coming from and why it would affect the mac silicon and not the intel. Any ideas? my entitlements file has the following: <key>com.apple.security.cs.allow-jit</key> <true/> <key>com.apple.security.cs.allow-unsigned-executable-memory</key> <true/> <key>com.apple.security.cs.disable-library-validation</key> <true/> <key>com.apple.security.app-sandbox</key> <true/> <key>com.apple.security.device.bluetooth</key> Error3 is the one where I need to try a few things but knowing what is expected will help. In the provisioning profile when viewed at developer.apple.com it has the APP ID listed as the 10 digit id followed by the bundle ID but I sometimes see just the 10 digit app ID being used and sometimes the bundle ID. I know that it's up to me to figure out how to get it into the build, but knowing what it should be would be helpful. On the other hand the text "Bundles with application identifiers in the provisioning profile ..." indicates that if the application identifier was not in the provisioning profile i might get away with it, but this might be grasping at straws. If you have made it this far, thank you for reading.

Today, I used xcrun notarytool submit to upload my packaged Electron app for macOS—once as a .zip file and once as a .dmg—for Apple notarization. However, both submissions have been stuck at "Current status: In Progress" for several hours now. I’ve also checked the status using xcrun notarytool info, and it keeps returning status: In Progress. Could someone please help me understand what might be going wrong? This is quite urgent—if a technical support engineer or anyone from the team could take a look, I’d be glad to provide the UUIDs of my notarization requests.

Hi, I'm currently at 19 hours waiting for notarization. My dev account is new and this is the first time I'm submitting anything to be notarized. I've gathered from my research that this is normal (unfortunately). I figure the only thing I can do is wait, but is there any way for me to know if I'm waiting for a human to manually review it? I was going to file a support request, but I saw that they won't be responding to any support requests until after their Thanksgiving break, and I assume nobody is manually reviewing notary submissions for the next week+. I attached the submission below, thanks! createdDate: 2025-11-21T21:17:10.082Z id: c9746d42-1dc7-4641-aec1-62c6cedff1a2 name: ***********.zip status: In Progress

I got an email with the subject "Action Needed: Developer ID Application Certificate Expires in 30 Days" But on the cert page it's not exactly clear to my how to renew the cert or generate a new one. Confused by the fact that I already have half a dozen ...somehow? Any help or guidance appreciated.

mac .cer证书不能导出.p12证书 不知道那个步骤出错

Hello, In our Account we have an iOS app with an explicit identifier "ABC123.com.some.app" that is using non-team prefix which is DEF456. It has also explicit identifiers for Widgets bundle and Notification Service. Due to non-team prefix, it can't access e.g. shared keychain and data put there by our other apps. Since we are working on features that require these capabilities, we would like to update the app identifier, so it is prefixed with our team id DEF456. Initially, we thought that the process would require steps like: Create new app, team-prefixed identifier(s) for app and all things that need them Recreate the provisioning profiles with new App Identifier Roll out the app using with new profiles via App Store but when trying to create the new identifier with com.some.app and team id prefix DEF456 we are getting following error: An App ID with Identifier com.some.app is not available. Please enter a different string. Can anybody advise us how to correctly perform such change and what steps are required from our end? We would like to keep our existing App Store entry, ratings and smoothly switch users. We are aware that this kind of migration results in loss of Keychain access. Thanks for any advice on that!

Hi everyone, I'm following up on this post I made earlier about an issue I'm having with FamilyControls and the DeviceActivityMonitor extension not working for external TestFlight testers. To briefly recap: I have official Apple approval for the com.apple.developer.family-controls entitlement (distribution) The entitlement is added to both my main app and the DeviceActivityMonitor extension The App Group is correctly configured for both targets On internal TestFlight builds, everything works as expected: app blocking works, the extension runs, and selected apps are shielded. On external TestFlight builds, users get the Screen Time permission prompt, can select apps to block, but nothing is blocked. Since that post, I submitted a Code Level Support request, and Apple asked me to file a bug report via Feedback Assistant. I did that almost a month ago. The only reply I’ve received since is that they can’t give a timeframe or guarantee it will be resolved. I'm stuck in limbo with no updates and no fix. This feature is critical to my app and I cannot launch without it. I’ve reached out to other developers who use app blocking, and none of them have run into this issue. My setup seems correct, and Apple has not said otherwise. If anyone has experienced something similar, found a workaround, or knows how to get real movement on a bug report like this, I would really appreciate any help. It’s been weeks, and I just want to launch my app. Thanks so much.