General:
DevForums tags: Code Signing, Signing Certificates, Provisioning Profiles, Entitlements
Developer Account Help — This document is good in general but, in particular, the Reference section is chock-full of useful information, including the names and purposes of all certificate types issued by Apple Developer web site, tables of which capabilities are supported by which distribution models on iOS and macOS, and information on how to use managed capabilities.
Developer > Support > Certificates covers some important policy issues
Entitlements documentation
TN3125 Inside Code Signing: Provisioning Profiles — This includes links to other technotes in the Inside Code Signing series.
WWDC 2021 Session 10204 Distribute apps in Xcode with cloud signing
Certificate Signing Requests Explained DevForums post
--deep Considered Harmful DevForums post
Don’t Run App Store Distribution-Signed Code DevForums post
Resolving errSecInternalComponent errors during code signing DevForums post
Finding a Capability’s Distribution Restrictions DevForums post
Signing code with a hardware-based code-signing identity DevForums post
Mac code signing:
DevForums tag: Developer ID
Creating distribution-signed code for macOS documentation
Packaging Mac software for distribution documentation
Placing Content in a Bundle documentation
Embedding Nonstandard Code Structures in a Bundle documentation
Embedding a Command-Line Tool in a Sandboxed App documentation
Signing a Daemon with a Restricted Entitlement documentation
Defining launch environment and library constraints documentation
WWDC 2023 Session 10266 Protect your Mac app with environment constraints
TN2206 macOS Code Signing In Depth archived technote — This doc has mostly been replaced by the other resources linked to here but it still contains a few unique tidbits and it’s a great historical reference.
Manual Code Signing Example DevForums post
The Care and Feeding of Developer ID DevForums post
TestFlight, Provisioning Profiles, and the Mac App Store DevForums post
For problems with notarisation, see Notarisation Resources. For problems with the trusted execution system, including Gatekeeper, see Trusted Execution Resources.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
Entitlements
RSS for tagEntitlements allow specific capabilities or security permissions for your apps.
Posts under Entitlements tag
200 Posts
Sort by:
Post
Replies
Boosts
Views
Activity
I've been developing an MacOS app for a while and everything was going smoothly until one of the testers reported that the app was crashing on launch.
After investigation, we discovered that he had System Integrity Protection disabled. I could reproduce the error by disabling SIP:
Library not loaded: @rpath/myframework.framework/myframework
Referenced from: <4C129258-1BF8-3D30-9AFE-BF4206D0A767> /Applications/MyApp.app/Contents/MacOS/MyApp
Reason: , (security policy does not allow @ path expansion)
(terminated at launch; ignore backtrace)
The app launches normally if I reenable SIP.
I can't find information about "security policy does not allow @ path expansion".
I'll appreciate if someone can point me in the right direction.
My App has several resources that I'd like to spring open through App Intents. For example a series of Dictionaries. These resources however in the app are behind a log in (for security) and are entitlements that are purchased. They may own 4 of 7 dictionaries.
If I want to have an intent that says, "Open Dictionary: (Dict Name)" how do I best handle situations where the user may no longer be logged in or have the entitlement for that specific dictionary?
Thanks
We have requested an additional capability called "User Assigned Device Name" for my application to Apple and got approved the same on for debug/adhoc/release environments . Since then we are facing issues on code signing. We are always getting the compiler error "* Provisioning profile "xxxxxxxxxxx" doesn't support the User Assigned Device Name capability." on both Debug and Release environment.
There is another capability "contacts notes entitlements" that we got approved long back when it was not apart of Apple ID(additional capabilities) rather we got approved as a part of our provisioning profile.
Suppose we removed "contacts notes entitlements" from the profile and deleted it from the entitlement folder the project compiled without any error. So we are strongly believes the conflicts on the "contacts notes entitlements" is the root cause.
We are about to release the version and which is blocked due to this error. So kindly look in to this issue and do the needful asap.
STEPS TO REPRODUCE
Added user assigned device name capability from Signing & Capability Tab in project in settings.
Added the team, valid provisioning profiles and try to sign in manually.
Getting the error “Provisioning profile xxxxxxxxxxxx" doesn't support the User Assigned Device Name capability."
Note: Already got approval for the “user assigned device name” . Which is listed under the app id.
Hi, we are a Carrier company (Utility provider) and working on a feature to display real-time Wifi Signal strength of customer devices (connected to Router Gateway) to help customers identify low and high signal areas, and possibly install extenders to improve signal strength at weak points. This feature requires NEHotspotHelper entitlement approval to access signalStrength property. We went through this Apple documentation too and we're open to other recommendations from Apple https://developer.apple.com/forums/thread/721067 .
Since we currently don't have direct point of contact with Apple to discuss this requirement, hence wanted to check it here. Kindly advise. Thanks !
In enterprise environments it can be tricky to develop innovative applications leveraging the full value of the hardware. The code signing capabilities on iOS are much more restrictive compared to macOS, and has been for years. Is it really too much to ask for more control over the applications we can use in development environments.
For bespoke applications being able to have control over hardware is something that has been missing for a long time. The ability to sign with com.apple.security.iokit-user-client-class and com.apple.security.temporary-exception.sbpl in development and enterprise solutions would allow for far greater integration with the devices.
What reasons are there to avoid allowing this on iOS when macOS has much less restrictive control, the lack of continuity between the systems does not help the "level playing field".
Hi there,
My app detects connected BlackMagic devices on a user's machine and this is done using the DeckLink SDK which first tries to load /Library/Frameworks/DeckLinkAPI.framework using CFBundleCreate. I have not been able to create a notarized app which successfully detects the devices. Either the DeckLinkAPI works or the app starts up without showing "the developer cannot be verified" on my test computer but never both.
This is what I've tried so far:
signed app: DeckLinkAPI available
hardened runtime: DeckLinkAPI not available
hardened runtime + com.apple.security.cs.disable-library-validation: DeckLinkAPI available, notarization succeeds yet the "the developer cannot be verified"
I've also tried to use weak linking to DeckLinkAPI.framework instead of including the SDK's CFBundleCreate code but that made no difference: I still needed the com.apple.security.cs.disable-library-validation entitlement for that to work which caused "the developer cannot be verified".
DeckLinkAPI.framework is notarized:
> codesign --test-requirement="=notarized" --verify --verbose /Library/Frameworks/DeckLinkAPI.framework
/Library/Frameworks/DeckLinkAPI.framework: valid on disk
/Library/Frameworks/DeckLinkAPI.framework: satisfies its Designated Requirement
/Library/Frameworks/DeckLinkAPI.framework: explicit requirement satisfied
Is there any way to successfully notarize an app to use the DeckLink SDK or any other thirdparty notarized framework which is distributed seperately?
Hello,
For educational purpose, I try to use a POSIX semaphore sem_t instead of a dispatch_semaphore_t in a sandbox macOS Obj-C app.
When using sandbox, the semaphore code creation :
sem_t * _unixSemaphore;
char nameSemaphore[64] = {0};
snprintf(nameSemaphore, 22, "/UnixSemaphore_sample");
_unixSemaphore = sem_open(nameSemaphore, O_CREAT, 0644, 0);
fails, receiving SEM_FAILED and the errno is 78 (not implemented)
However, the sem_t _unixSemaphore is created and works fine when I disable sandbox I my entitlements.
Is there a way to fix this?
Thank you in advance
Jean Marie
Hi,
Can a single domain serve a /.well-known/apple-app-site-association file for multiple apps from different developers?
We currently have our own domain, let's say example.com,
which serves https://example.com/.well-known/apple-app-site-association
which lists our app, let's say "ABCDEFG.com.example.AppA" for path "/app/a".
We're talking with another developer who has another app on the store.
Can we add their app, "MNOPQR.com.different.AppB" on our site, https://example.com/.well-known/apple-app-site-association, add their app ID for path "/app/b",
ask them to add our example.com domain in their associated-domains entitlement,
and would it work?
I mean would https://example.com/app/a open our app "ABCDEFG.com.example.AppA" and https://example.com/app/b open their app "MNOPQR.com.different.AppB" ?
We want to open https://example.com/redirect/app redirect to either /app/a or /app/b depending on the query parameters and launch our or their app.
Thanks in advance!
Is there a simple way to get the value of the APS Environment setting in the Entitlements file from within a SwiftUI app? As others have noted, when the app is run from Xcode, this value is set to "development" but when run from Archive'd TestFlight version, it is set to something else (presumably "production"). I need to know which environment the app should use for registering its device token for notifications.
HI!
I am developing an application that should utilize ScriptingBridge.framework to interact with another process. Firstly, I created a separate test application for which I have added Apple Events entitlements via "Signing & Capabilities" section in Xcode and updated its Info.plist to have "Privacy - AppleEvents Sending Usage Description". While the test app works fine (I see an automation request popup and the process executes as expected) the main application where I want to integrate this functionality gets closed immediately after reaching the code interacting with Scripting Bridge.
On its launch, I see the following error message from tccd in Console:
Prompting policy for hardened runtime; service: kTCCServiceAppleEvents requires entitlement com.apple.security.automation.apple-events but it is missing for accessing={TCCDProcess: identifier=<app bundleID>, ..., binary_path=<path to the app's binary>}
I had no such issues with the test app. Moreover, I should mention that the bundle I want to have with such functionality is stored in another bundle, both main and inner bundles aren't sandboxed, and the target app has Application is agent (UIElement) key set in Info.plist.
Can you suggest any ideas as to why processes behave so differently despite having pretty much the same build configurations?
I have tried everything and still I am getting this. Just for a test I created a new app (Master-Detail template Xcode 11.5) I have created an entry in the iTunes Connect to receive the app upon archiving and uploading. I regenerated all new certificates for iOS Development and Distribution. I created all new Provisioning profiles.
The Dev profile builds deploys and runs on my device
The Dist profile builds but when I select the distribution profile I get the "Profile doesn't include the com.apple.application-identifier entitlement." error.
When I download the profile within Xcode all looks good for the distribution profile:
App ID: matches correctly
Certificated: 1 Included includes the new signing certificate "iPhone Distribution...."
Capabilities: 3 Included Includes Game Center, In-App Purchase, and Keychain Sharing
Entitlements: 5 Included Includes application-identifier, keychain-access-groups, beta-reports-active, get-task-allow, and com.apple.developer.team-identifier.
Im not sure what is going on. This is a standard process I have performed for quite a while. As a matter of fact I just submitted 3 applications last Sunday.
Thank you for any suggestions.
Is there possible to record audio during application in kill/terminate state?
I am working with application where I have to record microphone voice for some process so I can it during application in foreground and background state, I have no idea about application kill state.
I am creating a new macOS application that requires access to files outside of the sandbox. It needs to be docked in a silent state and packaged using the Electron Builder application. I have configured the relevant permissions as com.apple.security.memory-exception.files.absolute path.read-only,
It can be accessed normally in the local version of mas dev. The configuration parameters are as follows:
<key>com.apple.security.temporary-exception.files.absolute-path.read-only</key>
<array>
<string>/Volumes/NO NAME/</string>
<string>/Volumes/NO NAME 1/</string>
<string>/Volumes/NO NAME 2/</string>
</array>
But during the review period of the app store, some people said it was not of legal value. The following is the original statement:
Your application is not properly sandboxed, or it contains one or more rights with invalid values. Before resubmitting the new binary file, please review the included rights and sandbox documentation and resolve this issue.
com.apple.security.temporary-exception.files.absolute-path.read-only True
If there is a com.apple.security.memory-exception.files.absolute path.read-only authorization, will the app store accept it? What do I need to do to access it?
I'm creating an App that can accepted PDFs from a shared context.
I am using iOS, Swift, and UIKit with IOS 17.1+
The logic is:
get the context
see who is sending in (this is always unknown)
see if I can open in place (in case I want to save later)
send the URL off to open the (PDF) document and
load it into PDFKit's pdfView.document
I have no trouble loading PDF docs with the file picker.
And everything works as expected for shares from apps like Messages, email, etc... (in which case URLContexts.first.options.openInPlace == False)
The problem is with opening (sharing) a PDF that is sent from the Files App. (openInPlace == True)
If the PDF is in the App's Document Folder, I need the Security scoped resource, to access the URL from the File's App so that I can copy the PDF's data to the PDFViewer.document. I get Security scoped resource access granted each time I get the File App's context URL.
But, when I call fileCoordinator.coordinate and try to access a file outside of the App's document folder using the newUrl, I get an error.
FYI - The newUrl (byAccessor) and context url (readingItemAt) paths are always same for the Files App URL share context.
I can, however, copy the file to a new location in my apps directory and then open it from there and load in the data. But I really do not want to do that.
. . . . .
Questions:
Am I missing something in my pList or are there other parameters specific to sharing a file from the Files App?
I'd appreciate if someone shed some light on this?
. . . . .
Here are the parts of my code related to this with some print statements...
. . . . .
SceneDelegate
func scene(_ scene: UIScene, openURLContexts URLContexts: Set<UIOpenURLContext>) {
// nothing to see here, move along
guard let urlContext = URLContexts.first else {
print("No URLContext found")
return
}
// let's get the URL (it will be a PDF)
let url = urlContext.url
let openInPlace = urlContext.options.openInPlace
let bundleID = urlContext.options.sourceApplication
print("Triggered with URL: \(url)")
print("Can Open In Place?: \(openInPlace)")
print("For Bundle ID: \(bundleID ?? "None")")
// get my Root ViewController from window
if let rootViewController = self.window?.rootViewController {
// currently using just the view
if let targetViewController = rootViewController as? ViewController {
targetViewController.prepareToLoadSharedPDFDocument(at: url)
}
// I might use a UINavigationController in the future
else if let navigationController = rootViewController as? UINavigationController,
let targetViewController = navigationController.viewControllers.first as? ViewController {
targetViewController.prepareToLoadSharedPDFDocument(at: url)
}
}
}
. . . .
ViewController function
I broke out the if statement for accessingScope just to make it easier for me the debug and play around with the code in accessingScope == True
func loadPDF(fromUrl url: URL) {
// If using the File Picker / don't use this
// If going through a Share.... we pass the URL and have three outcomes (1, 2a, 2b)
// 1. Security scoped resource access NOT needed if from a Share Like Messages or EMail
// 2. Security scoped resource access granted/needed from 'Files' App
// a. success if in the App's doc directory
// b. fail if NOT in the App's doc directory
// Set the securty scope variable
var accessingScope = false
// Log the URLs for debugging
print("URL String: \(url.absoluteString)")
print("URL Path: \(url.path())")
// Check if the URL requires security scoped resource access
if url.startAccessingSecurityScopedResource() {
accessingScope = true
print("Security scoped resource access granted.")
} else {
print("Security scoped resource access denied or not needed.")
}
// Stop accessing the scope once everything is compeleted
defer {
if accessingScope {
url.stopAccessingSecurityScopedResource()
print("Security scoped resource access stopped.")
}
}
// Make sure the file is still there (it should be in this case)
guard FileManager.default.fileExists(atPath: url.path) else {
print("File does not exist at URL: \(url)")
return
}
// Let's see if we can open it in place
if accessingScope {
let fileCoordinator = NSFileCoordinator()
var error: NSError?
fileCoordinator.coordinate(readingItemAt: url, options: [], error: &error) { (newUrl) in
DispatchQueue.main.async {
print(url.path())
print(newUrl.path())
if let document = PDFDocument(url: newUrl) {
self.pdfView.document = document
self.documentFileName = newUrl.deletingPathExtension().lastPathComponent
self.fileLoadLocation = newUrl.path()
self.updateGUI(pdfLoaded: true)
self.setPDFScale(to: self.VM.pdfPageScale, asNewPDF: true)
} else {
print("Could not load PDF directly from url: \(newUrl)")
}
}
}
if let error = error {
PRINT("File coordination error: \(error)")
}
} else {
DispatchQueue.main.async {
if let document = PDFDocument(url: url) {
self.pdfView.document = document
self.documentFileName = url.deletingPathExtension().lastPathComponent
self.fileLoadLocation = url.path()
self.updateGUI(pdfLoaded: true)
self.setPDFScale(to: self.VM.pdfPageScale, asNewPDF: true)
} else {
PRINT("Could not load PDF from url: \(url)")
}
}
}
}
. . . .
Other relevant pList settings I've added are:
Supports opening documents in place - YES
Document types - PDFs (com.adobe.pdf)
UIDocumentBrowserRecentDocumentContentTypes - com.adobe.pdf
Application supports iTunes file sharing - YES
And iCloud is one for Entitlements with
iCloud Container Identifiers
Ubiquity Container Identifiers
. . . .
Thank you in advance!.
B
We have trying to programmatically send data to Final Cut Pro by using Apple Event as decribed in Sending Data Programmatically to Final Cut Pro :
tell application "Final Cut Pro"
activate
open POSIX file "/Users/JohnDoe/Documents/UberMAM/MyEvents.fcpxml"
end tell
This works fine in Script Editor but we run into problems when trying to do the same in our macOS app.
We found interesting information in Workflow Extensions SDK 1.0.2 Release Notes.pdf.
A) Hardened runtime has "Apple Events Enabled" checked.
B) Info.plist contains NSAppleEventsUsageDescription:
<key>NSAppleEventsUsageDescription</key>
<string>Test string</string>
C) We added following entitlements:
<key>com.apple.security.scripting-targets</key>
<dict>
<key>com.apple.FinalCut</key>
<array>
<string>com.apple.FinalCut.library.inspection</string>
</array>
<key>com.apple.FinalCutTrial</key>
<array>
<string>com.apple.FinalCut.library.inspection</string>
</array>
</dict>
<key>com.apple.security.automation.apple-events</key>
<true/>
With this configuration in place, our app is able to call AppleScript to activate Final Cut Pro application but it is unable to open the file. Following error is returned:
Error executing AppleScript: {
NSAppleScriptErrorAppName = "Final Cut Pro Trial";
NSAppleScriptErrorBriefMessage = "A privilege violation occurred.";
NSAppleScriptErrorMessage = "Final Cut Pro Trial got an error: A privilege violation occurred.";
NSAppleScriptErrorNumber = "-10004";
NSAppleScriptErrorRange = "NSRange: {56, 64}";
}
Also there is no prompt asking user to allow Automation from our app to Final Cut. I am not sure whether the prompt is to be expected when developing an application in Xcode.
Our current workaround is to add (or even replace com.apple.security.scripting-targets with): com.apple.security.temporary-exception.apple-events entitlement like this
<key>com.apple.security.temporary-exception.apple-events</key>
<array>
<key>com.apple.FinalCutTrial</key>
</array>
However while this approach might work in development we know this would probably prevent us from publishing the app to Mac App Store.
I think we are missing something obvious. Could you help? :-)
Hello everyone,
I am encountering an issue with the iOS Autofill framework where the app saves the password with only the main domain (company.com) instead of the full subdomain (xyz.company.com) that I have specified. Here are the details of my configuration:
Entitlements.plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.developer.associated-domains</key>
<array>
<string>applinks:xyz.company.com</string>
<string>webcredentials:xyz.company.com</string>
</array>
<key>keychain-access-groups</key>
<array>
<string>$(AppIdentifierPrefix)com.company</string>
</array>
</dict>
</plist>
apple-app-site-association file:
{
"applinks": {
"details": [
{
"appIDs": ["ABCDEFGHIJ.com.company"]
}
]
},
"webcredentials": {
"apps": ["ABCDEFGHIJ.com.company"]
}
}
Issue Description:
I have configured the Entitlements.plist and the apple-app-site-association file to use a subdomain (xyz.company.com). However, when the app saves the password, it only saves it under company.com rather than the full subdomain xyz.company.com.
Steps Taken:
Verified that the Entitlements.plist contains the correct entries for applinks and webcredentials.
Checked the apple-app-site-association file to ensure it includes the correct app IDs and details.
Confirmed that the subdomain xyz.company.com is correctly set up and accessible.
Expected Behavior:
The Autofill framework should save passwords with the full subdomain xyz.company.com as specified in the configuration.
Actual Behavior:
Passwords are being saved with only the main domain company.com, ignoring the specified subdomain.
Questions:
Is there a specific configuration or step that I might be missing to ensure that the Autofill framework recognizes the full subdomain?
Are there any known issues or limitations with using subdomains in the applinks and webcredentials settings?
Any insights or suggestions on how to resolve this issue would be greatly appreciated. Thank you in advance for your help!
Best regards,
Andy
Hi,
I wanted to use Siri Capability for a WatchOS app, however in xcode on a WatchOS project, the option to add Siri is not present.
In an IOS project this is visible but if you are not part of the ADP or ADEP you do not have access to it, this message appears in red if you try to select it as a personal team.
I am considering paying to join the ADP but I am unsure if it will unlock the ability to use Siri capability on WatchOS. It looks like it is completely unsupported as it cannot be even selected from the capabilities section in xcode , even though Apple states it is supported under ADP and ADEP on their website. I am a little confused.
Does anyone else have this issue, or is Siri present under capabilities for you in a WatchOS project?
I am developing a suite of apps/helpers that get built into an installer package for deployment (outside The App Store). We have that release process ± working, except that most of the development team members are not admins/privileged on the team. They don't really need to publish on behalf of the team, and so we don't want to have debug builds also depend on being signed as "Developer ID Application". But that is running into problems…
If I select instead "Sign to Run Locally" this results in an error for some of the build products along the lines of:
[Build Target] requires a provisioning profile. Enable development signing and select a provisioning profile in the Signing & Capabilities editor.
If I select "Apple Development" as the Code Signing Identity it leaves me with basically the same error as "Developer ID Application" does:
Provisioning profile [Name of App/Helper] doesn't include signing certificate "Apple Development: [Name of Developer] ([TEAMID])"
And finally, if simply set the Debug value for Provisioning Profile to "None" for the problematic products I get errors like:
"[Name of app]" requires a provisioning profile. Select a provisioning profile in the Signing & Capabilities editor.
I believe perhaps because some of the targets have an entitlements file granting access to various things (their own XPC services, their own shared preferences, as well as Outgoing Network Connections and com.apple.security.smartcard access…).
In older versions of Xcode and/or macOS we didn't have trouble like this, local development could be done by basically any team member. Now it seems like maybe all developers need to have release-signing privileges to test/debug even on their own machines? Or is there a combination I'm missing, that would allow anyone on the team (or perhaps not even on the team) to build and debug the code locally, while still limiting who is able to actually sign notarized release builds on behalf of the team?
After updating to Xcode 15.3 and Sonoma, I started getting an error when packaging my app:
Provisioning profile failed qualification
Profile doesn't include the com.apple.developer.mail-client entitlement.
There is no indication in the documentation that this has anything to do with the provisioning profile, and there is no capacility that needs to be added.
I was given the "com.apple.developer.mail-client" entitlement from Apple over a year ago as documented in: https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_developer_mail-client, and it worked fine until now.
On our CI (GitHub Actions) we are signing our .ipa with codesign and after that uploads the resulting .ipa with altool to TestFligt.
The problem is that the entitlements added by codesign no longer appear when we view the build on TestFlight.
The app requires entitlements for push notification and for associated domains.
codesign -s Distribution prod.entitlements prod.ipa
Immediately after we do a
codesign --verbose --display --entitlements -
and the entitlements show fine.
Next command is
xcrun altool --upload-app --type ios -f prod.ipa --apiKey $api_key_id --apiIssuer $appstore_api_key_issuer
To us it seems like altool strips the entitlements from the .ipa.
What are we doing wrong?