General:
DevForums tags: Code Signing, Signing Certificates, Provisioning Profiles, Entitlements
Developer Account Help — This document is good in general but, in particular, the Reference section is chock-full of useful information, including the names and purposes of all certificate types issued by the Apple Developer website, tables of which capabilities are supported by which distribution models on iOS and macOS, and information on how to use managed capabilities.
Developer > Support > Certificates covers some important policy issues
Entitlements documentation
TN3125 Inside Code Signing: Provisioning Profiles — This includes links to other technotes in the Inside Code Signing series.
WWDC 2021 Session 10204 Distribute apps in Xcode with cloud signing
Certificate Signing Requests Explained DevForums post
--deep Considered Harmful DevForums post
Don’t Run App Store Distribution-Signed Code DevForums post
Resolving errSecInternalComponent errors during code signing DevForums post
Finding a Capability’s Distribution Restrictions DevForums post
Signing code with a hardware-based code-signing identity DevForums post
Mac code signing:
DevForums tag: Developer ID
Creating distribution-signed code for macOS documentation
Packaging Mac software for distribution documentation
Placing Content in a Bundle documentation
Embedding Nonstandard Code Structures in a Bundle documentation
Embedding a Command-Line Tool in a Sandboxed App documentation
Signing a Daemon with a Restricted Entitlement documentation
Defining launch environment and library constraints documentation
WWDC 2023 Session 10266 Protect your Mac app with environment constraints
TN2206 macOS Code Signing In Depth archived technote — This doc has mostly been replaced by the other resources linked to here but it still contains a few unique tidbits and it’s a great historical reference.
Manual Code Signing Example DevForums post
The Care and Feeding of Developer ID DevForums post
TestFlight, Provisioning Profiles, and the Mac App Store DevForums post
For problems with notarisation, see Notarisation Resources. For problems with the trusted execution system, including Gatekeeper, see Trusted Execution Resources.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
Code Signing
Certify that an app was created by you using code signing, a macOS security technology.
Posts under Code Signing tag
200 Posts
I would like to code sign an app or installer with an RSA 4096-bit code signing certificate.
I created a CSR using RSA 4096-bit and ECC keys in Keychain Access on my Mac, but I was unable to use that CSR to create a code signing certificate on the Apple Developer site.
How do I issue an RSA 4096-bit or ECC code signing certificate?
We are trying to build a macOS desktop app using Electron. Code signing and notarization have completed (basically it is an Angular application), but we are still unable to open the desktop app; we get the error pop-up below (screenshot of it).
CrashReporter Key: XXXX-XXXX-XXXX-XXXX-XXXX
Hardware Model: MacBook Pro (Obfuscated)
Process: xnode [5798]
Path: /Applications/[App Path]/Contents/MacOS/xnode
Identifier: ai.xnode.xnode
Version: 1.0.0 (1.0.0.43313)
Code Type: X86-64 (Native)
Role: Default
Parent Process: launchd [1]
Coalition: ai.xnode.xnode [5056]
Date/Time: [Redacted for Privacy]
OS Version: macOS 14.6.1 (23G93)
Release Type: User
Report Version: 104
Exception Type: EXC_CRASH (SIGKILL (Code Signature Invalid))
Exception Codes: 0x0000000000000000, 0x0000000000000000
Termination Reason: CODESIGNING 1 Taskgated Invalid Signature
Triggered by Thread: 0
Thread 0 Crashed:
0 dyld_path_missing 0x10dbb4010 _dyld_start + 0
1 main_executable_path_missing 0x10b395000 ???
Thread 0 crashed with X86 Thread State (64-bit):
rax: 0x0000000000000000 rbx: 0x0000000000000000 rcx: 0x0000000000000000
rdx: 0x0000000000000000 rdi: 0x0000000000000000 rsi: 0x0000000000000000
rbp: 0x0000000000000000 rsp: 0x00007ff7b4b6abf8 rip: 0x000000010dbb4010
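The crash report above, read by triage code. This is an added example, not code from the post or from Apple: a standard-library Python script that parses the report's "Key: value" header and the crashed thread's frames, decides whether the SIGKILL came from code-signing enforcement rather than from a bug in the app, and lists the checks to run next. SAMPLE_REPORT is the post's report trimmed to the lines the triage uses; the commands it proposes are ordinary codesign and spctl invocations against the bundle named in the report's Path field.

```python
"""Triage a macOS crash report for a code-signing kill.

Added example, not from the post above. It reads the 'Key: value' header of a
crash report (the format Console.app and ~/Library/Logs/DiagnosticReports
produce), pulls out the crashed thread's frames, and separates "the kernel
refused to run this binary" from an ordinary crash.
"""
import re
from typing import Dict, List

# The report from the post, trimmed to the lines used here.
SAMPLE_REPORT = """\
Process: xnode [5798]
Path: /Applications/[App Path]/Contents/MacOS/xnode
Identifier: ai.xnode.xnode
Version: 1.0.0 (1.0.0.43313)
Code Type: X86-64 (Native)
Parent Process: launchd [1]
OS Version: macOS 14.6.1 (23G93)
Exception Type: EXC_CRASH (SIGKILL (Code Signature Invalid))
Exception Codes: 0x0000000000000000, 0x0000000000000000
Termination Reason: CODESIGNING 1 Taskgated Invalid Signature
Triggered by Thread: 0

Thread 0 Crashed:
0 dyld_path_missing 0x10dbb4010 _dyld_start + 0
1 main_executable_path_missing 0x10b395000 ???
"""

# "Key: value" header lines; the key may contain spaces or '/' (Date/Time).
HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z /]*?):\s+(.*)$")


def parse_header(report: str) -> Dict[str, str]:
    """Header fields up to the first thread section."""
    fields: Dict[str, str] = {}
    for line in report.splitlines():
        if line.startswith("Thread "):
            break
        m = HEADER_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def crashed_thread_frames(report: str) -> List[str]:
    """Image names of the frames in the 'Thread N Crashed:' section, top first."""
    frames: List[str] = []
    in_crashed = False
    for line in report.splitlines():
        if line.startswith("Thread ") and "Crashed" in line:
            in_crashed = True
            continue
        if in_crashed:
            parts = line.split()
            if not parts or not parts[0].isdigit():
                break  # blank line or register dump ends the backtrace
            frames.append(parts[1])
    return frames


def classify(report: str) -> str:
    """'signature-rejected-at-launch', 'signature-rejected', 'sigkill' or 'crash'."""
    header = parse_header(report)
    exc = header.get("Exception Type", "")
    reason = header.get("Termination Reason", "")
    if "Code Signature Invalid" in exc or reason.startswith("CODESIGNING"):
        frames = crashed_thread_frames(report)
        # Top frame at _dyld_start with the main executable's path unresolved:
        # the process was killed before any of the app's own code ran, so the
        # problem is the signature of the main executable or of something it
        # loads at launch, not a runtime bug.
        if frames and frames[0] == "dyld_path_missing":
            return "signature-rejected-at-launch"
        return "signature-rejected"
    if "SIGKILL" in exc:
        return "sigkill"
    return "crash"


def next_checks(report: str) -> List[str]:
    """Verification commands for the bundle named in the report's Path field."""
    if not classify(report).startswith("signature-rejected"):
        return []
    app_path = parse_header(report).get("Path", "")
    marker = "/Contents/MacOS/"
    bundle = app_path.split(marker)[0] if marker in app_path else app_path
    return [
        f"codesign --verify --deep --strict --verbose=2 '{bundle}'",
        f"codesign -dvvv --entitlements :- '{bundle}'",
        f"spctl --assess --type execute -vv '{bundle}'",
    ]


if __name__ == "__main__":
    print(classify(SAMPLE_REPORT))
    for cmd in next_checks(SAMPLE_REPORT):
        print("  ", cmd)
```

For the report in the post, classify() returns "signature-rejected-at-launch": the kill came from the code-signing enforcement, at the first instruction of dyld, which is why the backtrace has nothing of the app in it.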
It has been 3 days and it is still in progress. As you can see in the history, I retried a few hours after the initial attempt, both are stuck.
For what it's worth, this is my first notary attempt on this Apple Developer Account, I am aware that first-time submission can take longer.
What should I do at this point? Wait another few days? Is there a human in the loop that needs to manually allow my submission?
I have seen posts about this for the last 2 years. Seems like Apple is not going to do anything about it.
xcrun notarytool history --keychain-profile '[redacted]'
Successfully received submission history.
history
--------------------------------------------------
createdDate: 2024-11-30T01:59:08.408Z
id: 3de4f35a-a950-4b34-8a74-21252b3e49a4
name: Notes.ai.zip
status: In Progress
--------------------------------------------------
createdDate: 2024-11-29T20:49:53.437Z
id: 268e5416-640c-419f-b22a-efe55212b50a
name: Notes.ai.zip
status: In Progress
We have an enterprise app for which one of the users is seeing the error below.
Unable to verify app Internet connection is required to verify trust of the developer "<Enterprise_distribution_Profile>". This app will not be available until verified.
What could be the reason behind this error, as only one user is facing the issue? Is there a way to fix it?
Hi
After I added an iCloud container and iCloud Documents, my UI tests can't run anymore. What is this problem and how can I solve it?
Thanks!
As of Nov 25, 2024, Xcode 16.1 won't recognize an App Store provisioning profile as Eligible, so you cannot select the provisioning profile for signing, which means you cannot archive it for upload to Apple. Setting it to manual or automatic signing does not help. Even going to the dev site and making new, fresh provisioning profiles did not work. Restarting Xcode did not work. Rebooting the computer did not work.
I recently added a new target for Apple Watch, which works fine on the simulator. However, I wasn't able to run it on real Apple Watches.
First, I don't see it in the list of devices, even after I click "trust" and connect to my Mac over the charging cable.
Second, I've always used automatic code signing, and everything seems OK here.
Third, I also tried distributing it over TestFlight, but that build doesn't appear in TestFlight. I restarted my phone and relaunched the TestFlight app.
So, when I install the app on my iPhone over the cable, the watch app doesn't appear on the Apple Watch. Then, if I go to the Watch app and install my app manually (I see it at the bottom with the "Install" button), it fails with the error "This app cannot be installed because its integrity could not be verified."
Also, there's an icon on the Apple Watch, but it shows the same error when I tap it.
I unpaired and paired it again, but it didn't help. Also, I tried another pair of phones, and the same thing happened. I use an App Store account (not enterprise), and the main app works fine.
Is there a way how to fix it?
Hi,
we have received an application via App Transfer recently. I am now trying to generate a provisioning profile for App Store distribution.
When we set the checkmark in Capabilities to use "iCloud Key-value storage", we cannot get "automatically manage signing" to work, with the error:
Provisioning profile "iOS Team Provisioning Profile: com.some.bundle.identifier" doesn't match the entitlements file's value for the com.apple.developer.ubiquity-kvstore-identifier entitlement.
When a Provisioning Profile is manually generated via Developer Portal the com.apple.developer.ubiquity-kvstore-identifier entry shows the value of the previous app owner: "OLDTEAM.com.some.bundle.identifier".
How can we change the com.apple.developer.ubiquity-kvstore-identifier value in our provisioning profile to get rid of the old team identifier?
Help is much appreciated, thank you.
FB15898983
Despite the recommendation of DTS engineers at https://forums.developer.apple.com/forums/thread/766500 (Xcode 16.1), we see the same behavior when automatically signing in our CI/CD environment:
The operation couldn’t be completed. Unable to log in with account '<APPLE-ID>'. The login details for account '<APPLE-ID>' were rejected.
error: No profiles for '<BUNDLE-ID>' were found: Xcode couldn't find any iOS App Development provisioning profiles matching '<BUNDLE-ID>'
** ARCHIVE FAILED **
In addition, we see several orphaned Xcode username entries in the local keychain / Keychain Access app that match the identifier stored in com.apple.dt.Xcode.plist under the key DVTDeveloperAccountManagerAppleIDLists - IDE.Identifiers.Prod.
(Preferences read com.apple.dt.Xcode DVTDeveloperAccountManagerAppleIDLists)
or we see that the Developer ID stored in Xcode - Settings - Accounts is lost.
We have reset a Mac mini (2023 / arm) to factory settings, reinstalled Sequoia in the current version and installed Xcode 16.1 (16B40). Nevertheless, we see the behavior described above. This behavior is not reproducible for us.
We have opened the following tickets, but have not received a response that explains the behavior or offers a solution.
Case ID: 9935876
Feedback: FB15700530
My non-cloud Developer ID certificate will expire soon, and my account also has a cloud-managed Developer ID certificate. My Mac application build workflow uses archiving, so the cloud cert should be fine for that. But my workflow also signs bundled apps, such as the Sparkle framework's Autoupdate app, using the codesign tool.
Is it correct that codesign only uses certificates from the local Keychain, and so cannot use a Cloud-managed Developer ID certificate?
Before I manually renew the non-cloud Developer ID certificate, I want to make sure I'm not missing some easier method. Thanks.
I have an app Arpeggio.app which I build and then sign without errors: "electron-osx-sign dist/mac-arm64/Arpeggio.app --identity="Developer ID Application: XXXX (XXXXXX)" --hardened-runtime --no-gatekeeper-assess --entitlements=entitlements.plist".
It returns "Application signed: dist/mac-arm64/Arpeggio.app".
I then use "/usr/bin/ditto -c -k --sequesterRsrc --keepParent src dst" to make a zip with the same signatures.
I then submit the zip for notarization: "xcrun notarytool submit dist/mac-arm64/Arpeggio.zip --apple-id XXXX etc"
which returns "Waiting for processing to complete.
Current status: Accepted..............
Processing complete
id: ***-***-xx-xx
status: Accepted".
Then I staple the notarization to the app and get "The staple and validate action worked!". Now it shows all validated and that the notarization is stapled. I then run "spctl --assess --type execute -vv 'dist/mac-arm64/Arpeggio.app'" as a last check and always get this:
dist/mac-arm64/Arpeggio.app: unknown error 99999=1869f
Why is this happening? I can't seem to debug the issue, but our notarization and signing is always successful and the app works as expected. Please help me get to the bottom of this.
Hi there,
I have a Multiplatform app with just one app target with iPhone, iPad and Mac destinations. On the Mac my app is a developer-signed app that is being distributed outside of the Mac App Store.
I want to use App Groups, but as long as there are multiple destinations, Xcode only allows group identifiers starting with group. However, for macOS I need to have a group ID that starts with the Team ID, as explained here.
So I created two separate entitlements, which are identical, but with different group IDs:
With Automatic Code Signing enabled, I get this warning:
Xcode still seems to think it has to use the macOS group ID for the iOS version. In the App Groups section, the Mac group ID is red and the iOS group ID is not checked.
The app builds and runs without issues on all platforms. The App Store Connect validation (for the iOS version) also works without any errors.
Am I doing something wrong? Do I need a separate Mac target because Xcode does not support separate Group IDs for Multiplatform apps?
We get a "The application "Finder" does not have permission to open "(null)"" error message in macOS 15.1 when trying to open unsigned applications.
Is this a known bug in macOS 15.1? If so, any indications of whether it will be fixed in the future?
In macOS 15.0.1 the workaround for launching unsigned applications still worked.
I am a developer on a project at work. I recently got a new laptop; however, since then I have been unable to build/deploy our application. I received a copy of the Developer ID Application certificate and Developer ID Installer certificate from a fellow developer. Note, everything works on their machine with these certificates.
I have gone through the steps documented here https://developer.apple.com/forums/thread/712005
When I run security find-identity -p codesigning, I have two certificates that show up. one for my User and one for the Developer ID Application that my colleague gave me. Both show up as matching and valid identities.
When I try to codesign "MyTrue", as documented in the link above, using "Apple Development" works; however, the "Developer ID Application" identity does not. I get an errSecInternalComponent error.
ahenderson@ahendersonmacbook [17:29:23] [~/Downloads]
-> % codesign -s "Apple Development" -f MyTrue -vvv
MyTrue: replacing existing signature
MyTrue: signed Mach-O universal (x86_64 arm64e) [MyTrue]
ahenderson@ahendersonmacbook [17:30:48] [~/Downloads]
-> % codesign -s "Developer ID Application" -f MyTrue -vvv
MyTrue: replacing existing signature
Warning: unable to build chain to self-signed root for signer "Developer ID Application: SRS Pharmacy Systems, Inc. ([REDACTED])"
MyTrue: errSecInternalComponent
I have downloaded all of the intermediate certificates from the apple PKI and have them installed under my keychain in login.
Having spent days on this, I am at the end of my rope.
Laptop Specs:
M3 Pro
36GB Ram
MacOS Sequoia 15.1
It is worth noting that my colleague's laptop is not running Sequoia. Not sure if that makes any difference or not.
It is also worth noting, that I can run the codesign manually with the Developer ID Application using sudo (I know I shouldn't do this, but I just wanted to see if that made any difference).
Hello,
I was trying to solve the error "Command CodeSign failed with a nonzero exit code" that occurs when I try to archive and publish my app. I realized the Team IDs on the portal (top right corner next to my name, e.g. "Pete Park - ABC1D2E334") and in my Mac's Keychain Access (e.g. "Pete Park - XYZ9W8V776") do not match.
The number in Keychain Access, is that a Team ID? (Clueless self-learner here.)
If yes, do they need to match?
Any suggestion for the CodeSign error? Is "errSecInternalComponent" the error?
Sorry if these questions are obvious or stupid. Thanks so much for any advice.
Hi,
I have been building a Mac Catalyst version of an iOS app for years using a separate build that included a specific .entitlements file that excludes com.apple.security.device.camera. Yet when I now build with Xcode 16.1, that entitlement is included.
I have double-checked the signing entitlements for my Mac Catalyst build; it is configured properly. I have checked my .entitlements file to ensure com.apple.security.device.camera is not there. All is as it should be.
I have changed nothing; my build flow is the same.
App Store Review has prevented the Mac build from being released because com.apple.security.device.camera is set.
What can I do to correct this?
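Two of the posts above are the same kind of problem seen from different ends: a provisioning profile whose com.apple.developer.ubiquity-kvstore-identifier still carries the previous team's prefix, and a signed Mac Catalyst build that carries com.apple.security.device.camera although the project's .entitlements file does not. In both cases the thing to compare is what the signed product actually contains against what the profile grants and what the build is supposed to have. The script below is an added example, not code from either post and not Apple tooling: a standard-library Python check that diffs the two plists. PROFILE_PLIST and APP_ENTITLEMENTS_PLIST are constructed samples, and NEWTEAM, OLDTEAM and EXPECTED_KEYS are placeholders. On a Mac you would feed it the output of "security cms -D -i embedded.mobileprovision" (the profile's plist) and "codesign -d --entitlements :- /path/to/App.app" (the entitlements the product was signed with).

```python
"""Compare what an app was actually signed with against its provisioning profile.

Added example (not code from the thread). Standard library only.
On macOS the two inputs come from:
  security cms -D -i embedded.mobileprovision      -> the profile's plist
  codesign -d --entitlements :- /path/to/App.app   -> the app's entitlements plist
Both are constructed inline below so the script runs anywhere.
"""
import plistlib
from typing import Any, Dict, List, Set, Tuple

# Constructed sample: profile generated after an App Transfer; the KVS
# identifier still carries the previous owner's team prefix (OLDTEAM).
PROFILE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Name</key><string>iOS Team Provisioning Profile: com.some.bundle.identifier</string>
  <key>TeamIdentifier</key><array><string>NEWTEAM</string></array>
  <key>Entitlements</key><dict>
    <key>application-identifier</key><string>NEWTEAM.com.some.bundle.identifier</string>
    <key>com.apple.developer.team-identifier</key><string>NEWTEAM</string>
    <key>com.apple.developer.ubiquity-kvstore-identifier</key><string>OLDTEAM.com.some.bundle.identifier</string>
    <key>keychain-access-groups</key><array><string>NEWTEAM.*</string></array>
    <key>get-task-allow</key><false/>
  </dict>
</dict></plist>
"""

# Constructed sample: entitlements read back from the signed build. It carries
# a camera entitlement the build was not supposed to have.
APP_ENTITLEMENTS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>application-identifier</key><string>NEWTEAM.com.some.bundle.identifier</string>
  <key>com.apple.developer.team-identifier</key><string>NEWTEAM</string>
  <key>com.apple.developer.ubiquity-kvstore-identifier</key><string>NEWTEAM.com.some.bundle.identifier</string>
  <key>keychain-access-groups</key><array><string>NEWTEAM.com.some.bundle.identifier</string></array>
  <key>com.apple.security.device.camera</key><true/>
  <key>get-task-allow</key><false/>
</dict></plist>
"""

# Entitlements this particular build is meant to carry (constructed allow list).
EXPECTED_KEYS: Set[str] = {
    "application-identifier",
    "com.apple.developer.team-identifier",
    "com.apple.developer.ubiquity-kvstore-identifier",
    "keychain-access-groups",
    "get-task-allow",
}


def load_profile_entitlements(profile_plist: bytes) -> Dict[str, Any]:
    """Entitlements dict from a decoded provisioning profile."""
    return plistlib.loads(profile_plist)["Entitlements"]


def load_entitlements(plist: bytes) -> Dict[str, Any]:
    """Entitlements dict as signed into the product."""
    return plistlib.loads(plist)


def _value_allowed(profile_value: Any, app_value: Any) -> bool:
    """True if the profile's value covers the app's value.

    A profile string may end in '*' (e.g. NEWTEAM.*) and then matches by
    prefix; an app list must be covered element by element by the profile
    list; anything else must be equal.
    """
    if isinstance(profile_value, str) and isinstance(app_value, str):
        if profile_value.endswith("*"):
            return app_value.startswith(profile_value[:-1])
        return profile_value == app_value
    if isinstance(profile_value, list) and isinstance(app_value, list):
        return all(any(_value_allowed(p, a) for p in profile_value) for a in app_value)
    return profile_value == app_value


def profile_mismatches(profile_ents: Dict[str, Any],
                       app_ents: Dict[str, Any]) -> Dict[str, Tuple[Any, Any]]:
    """Keys the app claims that the profile does not grant: {key: (profile, app)}."""
    bad: Dict[str, Tuple[Any, Any]] = {}
    for key, app_value in app_ents.items():
        profile_value = profile_ents.get(key)
        if key not in profile_ents or not _value_allowed(profile_value, app_value):
            bad[key] = (profile_value, app_value)
    return bad


def unexpected_entitlements(app_ents: Dict[str, Any], expected: Set[str]) -> List[str]:
    """Entitlements present in the signed product that the build should not carry."""
    return sorted(k for k in app_ents if k not in expected)


if __name__ == "__main__":
    profile = load_profile_entitlements(PROFILE_PLIST)
    app = load_entitlements(APP_ENTITLEMENTS_PLIST)
    for key, (want, got) in profile_mismatches(profile, app).items():
        print(f"profile/app mismatch: {key}: profile={want!r} app={got!r}")
    for key in unexpected_entitlements(app, EXPECTED_KEYS):
        print(f"unexpected entitlement in signed product: {key}")
```

On the constructed samples this reports the KVS identifier as a profile/app mismatch (OLDTEAM prefix in the profile, NEWTEAM in the app) and the camera entitlement as unexpected. The second check is the one worth running before every upload: it looks at what the signed product carries, which is what App Review inspects, rather than at what the project's .entitlements file says.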
I am trying to set up a workflow where Apple Vision Pro users in my organization can install a signed enterprise .ipa file from an internal web page.
The relevant link looks something like this:
<a role="button" href="itms-services://?action=download-manifest&url=https://my.example.com/path/manifest.plist">Click here to download</a>
After verifying that all the mime types were correct on the server and the certificate was valid, I finally attached my AVP headset to my Mac's console app and saw that the errors look like this:
[com.example.myapp] Skipping due to incompatible platform: com.apple.platform.xros
Could not load download manifest with underlying error: Error Domain=ASDErrorDomain Code=752 "Not compatible with this platform: com.apple.platform.xros" UserInfo={NSDebugDescription=Not compatible with this platform: com.apple.platform.xros}
This manifest.plist was made by the "Distribute App" workflow in Xcode 16.0.
Multipart question:
Is installing VisionOS apps via manifest+ipa over a web connection a supported way of installing apps?
If the issue is with com.apple.platform.xros, what should be the platform-identifier for visionOS apps?
The steps for creating a CSR file on my Mac are:
Go to Keychain Access > Certificate Assistant > Request a Certificate From a Certificate Authority...
Fill in the required details in the fields, choose "Saved to disk", then continue and save it to the desktop.
Then go to the developer account's Certificates screen and create a new certificate by clicking the plus icon, selecting Apple Distribution > Continue, then uploading the CSR file in the required box and continuing.
After this I downloaded the "distribution.cer" file and double-clicked on it, then went to Keychain Access to look in the My Certificates section; the certificate I installed is not there, but it shows in the Certificates section without a private key.
These are the steps I followed, but I am not getting a private key with my certificate. How do I correct this issue?
System configuration:
macOS 14.5
Chip - Apple M1
Keychain Access version - Version 11.0 (55314)
Here is the situation:
We are shipping an application bundle which is submitted to the notarization service for approval.
The application bundle adheres to the notarization standards and is approved.
Problem: We need to ship a zip file inside this application. This zip file has all the files that are signed. Most of the files are signed by us. However there are some 3P zip files which are not signed by us. We would rather not open these 3P zip files as there might be SLAs involved here.
As a result we end up with a zip file which contains mixed signatures. This zip file needs to be part of that application that needs to be notarized.
Question: What is the best way to do this in order for the notarization service to approve the application and ship the zip file as part of the application? Note: We don't know if all the files inside the 3P zips are correctly signed (for example, with the hardened runtime). They are all signed, though.
Also, when the zip files contents are laid out onto the customer machine, they are all signed and validated. However, some files might not have hardened runtime.
Thanks in advance.
Hi community!
It is known that applications designed for iOS may be launched on macOS with an Arm chip.
With Xcode this is simple: you just choose to launch on the current machine (Designed for iPad). As I can see, some magic happens: some tool wraps myproj.app into another app, which contains a WrappedBundle link and a Wrapper subdirectory.
Does anybody know how to invoke this wrapping tool via the command line? I am using CLion as my IDE for personal preference, and I want to build the app with CLion and wrap the result with an external tool into a macOS-compatible app to test whether it works for macOS as well.
In other words, having the myproj.app I want to run something like "magictool -wrap /path/to/myproj.app"
Best regards!