Hello, Quinn! I finally managed to solve this puzzle, all thanks to you. All I did is that I found 2 certificates (Apple Root CA - G2 and Apple Root CA - G3) with overridden defaults for trust settings.
I think sometime in the past I changed the trust setting for those 2 certificates to "Always Trust" for some reason I can't even remember. All I did is change those settings back to Use System Defaults. Now stapling works all the time.
Thank you again from the bottom of my heart for guiding me through this maze!
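Added example, not part of the original posts: one way to spot the kind of override described above, by filtering the text that `security dump-trust-settings` prints for certificates named "Apple Root". The function names and the sample dump are constructed for illustration. The `Cert N:` / `Result Type` layout is an assumption about that command's output.

```shell
#!/bin/sh
# Added example. Reads `security dump-trust-settings` text on stdin and prints
# one tab-separated line per certificate whose name matches a pattern:
#   <domain>  <certificate name>  <result types, or no-settings-listed>
# $1 = domain label for the report, $2 = name regex (default: Apple roots).
trust_overrides() {
    awk -v domain="$1" -v pat="${2:-^Apple Root}" '
        function flush() {
            if (name != "" && name ~ pat)
                printf "%s\t%s\t%s\n", domain, name,
                       (results == "" ? "no-settings-listed" : results)
        }
        /^Cert [0-9]+: / {
            flush()
            name = $0; sub(/^Cert [0-9]+: /, "", name)
            results = ""; split("", seen)
            next
        }
        /Result Type/ {
            if (!($NF in seen)) {
                seen[$NF] = 1
                results = results (results == "" ? "" : ",") $NF
            }
        }
        END { flush() }
    '
}

# Constructed sample input (layout assumed, values invented for the example).
sample_dump() {
    cat <<'EOF'
Number of trusted certs = 3
Cert 0: Apple Root CA - G2
   Number of trust settings : 2
   Trust Setting 0:
      Policy OID            : SSL
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 1:
      Result Type           : kSecTrustSettingsResultTrustRoot
Cert 1: Example Corp Internal CA
   Number of trust settings : 1
   Trust Setting 0:
      Result Type           : kSecTrustSettingsResultTrustRoot
Cert 2: Apple Root CA - G3
   Number of trust settings : 0
EOF
}

# On a Mac: security dump-trust-settings    | trust_overrides user
#           security dump-trust-settings -d | trust_overrides admin
sample_dump | trust_overrides user
```

Any Apple root listed for the user or admin domain carries a non-default trust record. Setting it back to Use System Defaults in Keychain Access removes that record, which is the change that resolved Error 65 in this thread.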
I got some trust settings from the first 2 commands and I do not know why. 😣
Here is my full output:
trusted-settings.txt
I created 2 new users. One with iCloud and all other settings and one super simple without setting up iCloud and everything. And I get the same Error 65 on both of them. So I guess it's a Mac issue, not account specific.
The other strange thing for me is that when I try to copy the stapled pkg to my home M3 Mac (where stapling is not working) via AirDrop or Telegram, I get strange results:
Trying to run this pkg results in a window with:
"VIVIDTIME.pkg" Not Opened
Apple could not verify "VIVIDTIME.pkg" is free of malware that may harm your Mac or compromise your privacy.
With Done and Move to Trash buttons.
Checking this copied .pkg shows something strange:
xcrun stapler validate -v "dist/stapled/VIVIDTIME 2.pkg"
Processing: /Users/innrvoice/Documents/GitHub/vividtime-macos/app/electron/dist/stapled/VIVIDTIME 2.pkg
Properties are {
NSURLIsDirectoryKey = 0;
NSURLIsPackageKey = 0;
NSURLIsSymbolicLinkKey = 0;
NSURLLocalizedTypeDescriptionKey = "Installer flat package";
NSURLTypeIdentifierKey = "com.apple.installer-package-archive";
"_NSURLIsApplicationKey" = 0;
}
Sig Type is RSA. Length is 3
Sig Type is CMS. Length is 3
Package VIVIDTIME 2.pkg uses a checksum of size 20
Terminator Trailer size must be 0, not 2283
{magic: t8lr, version: 1, type: 2, length: 2283}
Found expected ticket at 210507512 with length of 2283
I tried 2 times. Every time I checked on my M1 Mac and it always says "The validate action worked!" now. But after copying via AirDrop or Telegram to my M3 home Mac, I get the results I described above.
I do not understand what is happening and what I am doing wrong. Can you please help with this too?
And here is the other check result:
spctl --assess --type install --verbose=4 VIVIDTIME.pkg
VIVIDTIME.pkg: accepted
source=Notarized Developer ID
Thank you very much again for your help!
It's amazing, but it seems like it worked on the other Mac without a problem.
stapler.txt
Now it's bugging me, what is the problem with my other Mac? All I can say is that they are on the same network and that one is M1 and the other is M3. What can cause stapler to always fail on my home M3 MacBook Pro? Can it be related to some installed software or some misconfiguration?
And I see that the cdhash you mentioned is present in the stapler staple -v result here:
JSON Data is {
records = (
{
recordName = "2/1/e5df4a77845f8a931674280e3b1bfd9e86c6004b";
}
);
}
I am again sorry for multiple posts. It is very hard to search for WHAT exactly is SENSITIVE information in a post, because all you see is a general warning.
Downloaded ticket has been stored at file:///var/folders/c3/622zwf656yz6h_v79t4_h8k40000gn/T/f1a6400c-7e79-423d-9638-d20092132813.ticket.
Could not validate ticket for /Users/innrvoice/Documents/GitHub/vividtime-macos/app/electron/dist/VIVIDTIME.pkg
The staple and validate action failed! Error 65.
modified = {
deviceID = 2;
timestamp = ...;
userRecordName = "SOME SENSITIVE VALUE HERE";
};
pluginFields = {
};
recordChangeTag = ....;
recordName = ".....";
recordType = DeveloperIDTicket;
}
);
}
deleted = 0;
fields = {
signedTicket = {
type = BYTES;
value = "VERY LONG VALUE HERE";
};
};
JSON Response is: {
records = (
{
created = {
deviceID = 2;
timestamp = 1739891....;
userRecordName = "SOME SAME VALUE HERE.";
};
"access-control-expose-headers" = (
"X-Apple-Request-UUID,X-Responding-Instance,Via"
);
"x-apple-user-partition" = (
63
);
} }
Size of data is 3657
Via = (
"xrail:LONG VALUE HERE"
);
"X-Apple-CloudKit-Version" = (
"1.0"
);
"X-Apple-Edge-Response-Time" = (
104
);
"X-Apple-Request-UUID" = (
"f1a6400c-7e79-423d-9638-d20092132813"
);
"X-Responding-Instance" = (
**"ckdatabasews:LONG VALUE HERE"**
);
And here is what I get with -v:
xcrun stapler staple -v "dist/VIVIDTIME.pkg"
Processing: /Users/innrvoice/Documents/GitHub/vividtime-macos/app/electron/dist/VIVIDTIME.pkg
Properties are {
NSURLIsDirectoryKey = 0;
NSURLIsPackageKey = 0;
NSURLIsSymbolicLinkKey = 0;
NSURLLocalizedTypeDescriptionKey = "Installer flat package";
NSURLTypeIdentifierKey = "com.apple.installer-package-archive";
"_NSURLIsApplicationKey" = 0;
}
Sig Type is RSA. Length is 3
Sig Type is CMS. Length is 3
Package VIVIDTIME.pkg uses a checksum of size 20
JSON Data is {
records = (
{
recordName = "2/1/e5df4a77845f8a931674280e3b1bfd9e86c6004b";
}
);
}
Headers: {
"Content-Type" = "application/json";
}
Domain is api.apple-cloudkit.com
Response is <NSHTTPURLResponse: 0x14da041c0> { URL: https://api.apple-cloudkit.com/database/1/com.apple.gk.ticket-delivery/production/public/records/lookup } { Status Code: 200, Headers {
Connection = (
"keep-alive"
);
"Content-Encoding" = (
gzip
);
"Content-Type" = (
"application/json; charset=UTF-8"
);
Date = (
"Wed, 19 Feb 2025 14:21:16 GMT"
);
Server = (
"AppleHttpServer/d2dcc6a0a5e3"
);
"Strict-Transport-Security" = (
"max-age=31536000; includeSubDomains;"
);
"Transfer-Encoding" = (
Identity
);