General:
DevForums tags: Code Signing, Signing Certificates, Provisioning Profiles, Entitlements
Developer Account Help — This document is good in general but, in particular, the Reference section is chock-full of useful information, including the names and purposes of all certificate types issued by Apple Developer web site, tables of which capabilities are supported by which distribution models on iOS and macOS, and information on how to use managed capabilities.
Developer > Support > Certificates covers some important policy issues
Entitlements documentation
TN3125 Inside Code Signing: Provisioning Profiles — This includes links to other technotes in the Inside Code Signing series.
WWDC 2021 Session 10204 Distribute apps in Xcode with cloud signing
Certificate Signing Requests Explained DevForums post
--deep Considered Harmful DevForums post
Don’t Run App Store Distribution-Signed Code DevForums post
Resolving errSecInternalComponent errors during code signing DevForums post
Finding a Capability’s Distribution Restrictions DevForums post
Signing code with a hardware-based code-signing identity DevForums post
Mac code signing:
DevForums tag: Developer ID
Creating distribution-signed code for macOS documentation
Packaging Mac software for distribution documentation
Placing Content in a Bundle documentation
Embedding Nonstandard Code Structures in a Bundle documentation
Embedding a Command-Line Tool in a Sandboxed App documentation
Signing a Daemon with a Restricted Entitlement documentation
Defining launch environment and library constraints documentation
WWDC 2023 Session 10266 Protect your Mac app with environment constraints
TN2206 macOS Code Signing In Depth archived technote — This doc has mostly been replaced by the other resources linked to here but it still contains a few unique tidbits and it’s a great historical reference.
Manual Code Signing Example DevForums post
The Care and Feeding of Developer ID DevForums post
TestFlight, Provisioning Profiles, and the Mac App Store DevForums post
For problems with notarisation, see Notarisation Resources. For problems with the trusted execution system, including Gatekeeper, see Trusted Execution Resources.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
Code Signing
RSS for tagCertify that an app was created by you using Code signing, a macOS security technology.
Posts under Code Signing tag
200 Posts
Sort by:
Post
Replies
Boosts
Views
Activity
I am using a provisioning profile with a wildcard app identifier. When I click "Distribute App" in Xcode, I encounter the following errors:
"Automatic signing cannot register bundle identifier"
"No profiles for were found."
Asset validation failed (90034)
Missing or invalid signature. The bundle 'uk.companyname.app' at bundle path 'Payload/Runner.app' is not signed using an Apple submission certificate.
Due to changes in macOS 15 Sequoia with respect to container privacy/privileges, I have observed warnings with one of my apps (non-sandboxed) when its subsidiary crash reporter process tries to access the host app's data folder.
I THINK I've worked around this issue by granting the crash reporter and the host app access to the same application group. I'm not 100% sure how all this works except that the problem went away :)
The problem is, once the problem goes away on a given system, it goes away for good! Even with subsequent attempts to open a version of the app before the fix was in place, the system warning is not presented. I've tried to reset SystemPolicyAppBundles on the app via tccutil, but it makes no difference.
Using the wisdom from one of Quinn's posts (https://developer.apple.com/forums/thread/706442) I set up a log stream invocation to try to gather clues, and I notice that when I launch my app now, I see messages like:
Found provenance data on process: TA(82542d1beaf132a6, 2), 51084
Process was already in provenance sandbox, skipping: 51084, TA(82542d1beaf132a6, 2)
I suspect this "provenance" may reflect the change in how the system treats my application.
First: I wonder if it's a bug that any change in "provenance" should retroactively apply to versions of the app before the change was made. Second, I wonder if there's some way to RESET this provenance so that I can reproduce the bug again? I might be able to reproduce it by changing the bundle ID for the app but for purposes of testing against existing, shipped versions of the app, I'd love to be able to reset things for sanity-checking.
I need signingkey, signingkeyId, TeamIdentifier and BundleIdentifier for a project (aws sns) but i want to have these in free apple developer account how can i do this, any help will be appreciated
when I trying to run my App in mac or iPhone, Xcode alert "Revoke certificate", and when I click "Revoke Certificate", it begin loading ,then become"Certificate installation failed". and if I click try again, it become "Revoke certificate" again, how to I resolve this problem.
Hello,
Do Apple root certificates AppleRootCA-G2.cer and AppleRootCA-G3.cer expire?
if yes, in how long?
thanks in advance.
I have two MAUI Mac Catalyst apps.
According to this guide https://learn.microsoft.com/en-us/dotnet/maui/mac-catalyst/deployment/publish-outside-app-store?view=net-maui-8.0#publish-using-the-command-line
I created certificates, signed Release versions of applications, packed them with pkgbuild and productbuild which I also signed with created certificate
They are both signed with same Code Signing key, have same team id. I had set up NSUpdateSecurityPolicy https://developer.apple.com/documentation/bundleresources/information_property_list/nsupdatesecuritypolicy
like this:
Using codesign -dv I cheked that updater, old and new versions of app share same Team Id and have correct bundle identifiers
After update, updater wants to overwrite old app contents, but it always receives UnathorizedAccessException when touching any file located in application
If my updater app has "App Managment" or "Full disk access" permission in System settings, everything works fine, but user needs to set up it manualy, that is not comfortable, so how can I request this permission? Also according to what I know, application don't need this permission if it's Team ID set up in NSUpdateSecurityPolicy
Maybe I incorrectly set up NSUpdateSecurityPolicy, but I can't notice anything wrong. Also, can it be because I overwrite application using MAUI and C#? Thanks a lot for any answer!
Hi,
If anyone can please advise -- If signing a framework inside a XCFramework is recommended/mandatory?
I'm trying to install from Xcode (15.4) to my physical device (iPhone SE 3rd gen, iOS 17.5.1) but I get the following error.
My provisioning profile is from a 3rd party organization, but I have confirmed my device UUID is added to their account and that the profile does contain the beta-reports-active flag. I have also checked that this is added to the entitlements file.
It works fine it I deploy and install via TestFlight, but for obvious reasons I would prefer not to have to do that for each and every build.
Can anyone suggest how to resolve this, either with local config or by asking the account admin to modify the provisioning profiles?
Unable to Install “[redacted]”
Domain: IXUserPresentableErrorDomain
Code: 14
Recovery Suggestion: Failed to install embedded profile for [redacted] : 0xe800801f (Attempted to install a Beta profile without the proper entitlement.)
User Info: {
DVTErrorCreationDateKey = "2024-07-03 12:47:34 +0000";
IDERunOperationFailingWorker = IDEInstallCoreDeviceWorker;
}
--
Unable to Install “[redacted]”
Domain: IXUserPresentableErrorDomain
Code: 14
Recovery Suggestion: Failed to install embedded profile for [redacted] : 0xe800801f (Attempted to install a Beta profile without the proper entitlement.)
User Info: {
IDERunOperationFailingWorker = IDEInstallCoreDeviceWorker;
}
--
Failed to install the app on the device.
Domain: com.apple.dt.CoreDeviceError
Code: 3002
User Info: {
NSURL = "file:///Users/dan/Library/Developer/Xcode/DerivedData/iosApp-gxsprezneuyftnhbmfyfssbeojgd/Build/Products/Debug%20development-iphoneos/[redacted].app/";
}
--
Unable to Install “[redacted]”
Domain: IXUserPresentableErrorDomain
Code: 14
Failure Reason: This app cannot be installed because its integrity could not be verified.
Recovery Suggestion: Failed to install embedded profile for [redacted] : 0xe800801f (Attempted to install a Beta profile without the proper entitlement.)
--
Failed to install embedded profile for [redacted] : 0xe800801f (Attempted to install a Beta profile without the proper entitlement.)
Domain: MIInstallerErrorDomain
Code: 13
User Info: {
FunctionName = "-[MIInstallableBundle _installEmbeddedProfilesWithError:]";
LegacyErrorString = ApplicationVerificationFailed;
LibMISErrorNumber = "-402620385";
SourceFileLine = 308;
}
--
Event Metadata: com.apple.dt.IDERunOperationWorkerFinished : {
"device_isCoreDevice" = 1;
"device_model" = "iPhone14,6";
"device_osBuild" = "17.5.1 (21F90)";
"device_platform" = "com.apple.platform.iphoneos";
"dvt_coredevice_version" = "355.28";
"dvt_mobiledevice_version" = "1643.100.60";
"launchSession_schemeCommand" = Run;
"launchSession_state" = 1;
"launchSession_targetArch" = arm64;
"operation_duration_ms" = 3497;
"operation_errorCode" = 14;
"operation_errorDomain" = IXUserPresentableErrorDomain;
"operation_errorWorker" = IDEInstallCoreDeviceWorker;
"operation_name" = IDERunOperationWorkerGroup;
"param_debugger_attachToExtensions" = 0;
"param_debugger_attachToXPC" = 1;
"param_debugger_type" = 3;
"param_destination_isProxy" = 0;
"param_destination_platform" = "com.apple.platform.iphoneos";
"param_diag_MainThreadChecker_stopOnIssue" = 0;
"param_diag_MallocStackLogging_enableDuringAttach" = 0;
"param_diag_MallocStackLogging_enableForXPC" = 1;
"param_diag_allowLocationSimulation" = 1;
"param_diag_checker_tpc_enable" = 1;
"param_diag_gpu_frameCapture_enable" = 0;
"param_diag_gpu_shaderValidation_enable" = 0;
"param_diag_gpu_validation_enable" = 0;
"param_diag_memoryGraphOnResourceException" = 0;
"param_diag_queueDebugging_enable" = 1;
"param_diag_runtimeProfile_generate" = 0;
"param_diag_sanitizer_asan_enable" = 0;
"param_diag_sanitizer_tsan_enable" = 0;
"param_diag_sanitizer_tsan_stopOnIssue" = 0;
"param_diag_sanitizer_ubsan_stopOnIssue" = 0;
"param_diag_showNonLocalizedStrings" = 0;
"param_diag_viewDebugging_enabled" = 1;
"param_diag_viewDebugging_insertDylibOnLaunch" = 1;
"param_install_style" = 0;
"param_launcher_UID" = 2;
"param_launcher_allowDeviceSensorReplayData" = 0;
"param_launcher_kind" = 0;
"param_launcher_style" = 99;
"param_launcher_substyle" = 8192;
"param_runnable_appExtensionHostRunMode" = 0;
"param_runnable_productType" = "com.apple.product-type.application";
"param_structuredConsoleMode" = 1;
"param_testing_launchedForTesting" = 0;
"param_testing_suppressSimulatorApp" = 0;
"param_testing_usingCLI" = 0;
"sdk_canonicalName" = "iphoneos17.5";
"sdk_osVersion" = "17.5";
"sdk_variant" = iphoneos;
}
--
System Information
macOS Version 14.3 (Build 23D56)
Xcode 15.4 (22622) (Build 15F31d)
Timestamp: 2024-07-03T13:47:34+01:00
I am working with a compiler that produces native binaries, It's really meant for servers so it's not integrated with Xcode or the Xcode build system. As such the output binaries get the default ad-hoc signatures the linker makes.
After (re)compiling such a binary, there is a delay whilst running it. This is because macOS notices it's an unknown binary and goes off to ask notarization servers/Xprotect if it's known malware. Fine, I understand the need for this and why it happens.
From the logs it's clear that macOS is now tracking the "provenance" of binaries. This means where they came from. This raises the question of whether it could know that my local dev binaries are coming from this compiler, if it was in turn properly signed and notarized. And if so, whether there is some security policy I could set to say "if binary X produces binary Y, then trust Y".
Yes I know this would be a security exploit if it were done that way by default, but I am willing to take the risk of special malware that compiles itself first using this special compiler that isn't installed by default then runs the output, as presumably any such malware would be so targeted Xprotect/notarization wouldn't know about it anyway.
The provenance mechanism is some internal security thing and isn't documented, but I'm curious if anyone knows more about it and whether it's usable for this? Or alternatively if there's a way to stop macOS doing these slow checks for certain binaries e.g. under specific paths?
I have signed and notarized a single executable file command line tool developed outside Xcode, and distributed outside of the App store by way of a download from a website as follows below, but nevertheless gatekeeper blocks running the tool with the usual message, just like without signing or notarization.
If I remove the com.apple.quarantine xattr, the tool runs as it should without gatekeeper interference, as expected.
I have browsed countless posts here, with similar issues, but in the end I can't find what's wrong with the process.
From what I gather, as long as the target Mac is connected to the Internet, stapling should not be required (I do understand I can't staple a single file executable command line tool), although Gatekeeper would be expected to complain in the case of the first run being done without Internet connection.
The certificate is a "Developer Id Application" certificate, installed and valid on the machine doing the signing.
It is unclear to me what the distinction is between "Developer Id Application" and "Developer Id Installer" certificates, but it's confusing that using -t install with spctl will actually accept the app.
The app is open source and available on GitHub (although the full distribution packaging is done in a separate build environment with some additional logic). The app used below as the target for signing and notarization is available to download from https://www.axantum.com/ in a .tar.gz archive.
Here follows a log of commands and output:
XecretsCli.plist: (This was necessary to add to the signing to avoid corruption of the executable by the code signing)
codesign -s GCXRMT5SQC -f --timestamp -s 0CF6800E595AA6DE9EBB905066619A9BFDD17A77 --entitlements XecretsCli.plist -o runtime XecretsCli
codesign -d -vvv --entitlements :- XecretsCli
Executable=/Users/svante/Downloads/XecretsCli-Osx-2.3.567 3/XecretsCli
Identifier=XecretsCli
Format=Mach-O thin (x86_64)
CodeDirectory v=20500 size=271478 flags=0x10000(runtime) hashes=8473+7 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=d3a8216fcb22b4a4af7bd0157ecc3d2b6be9f9b2
CandidateCDHashFull sha256=d3a8216fcb22b4a4af7bd0157ecc3d2b6be9f9b20c9e3c17e107f08c7ae75c5a
Hash choices=sha256
CMSDigest=d3a8216fcb22b4a4af7bd0157ecc3d2b6be9f9b20c9e3c17e107f08c7ae75c5a
CMSDigestType=2
CDHash=d3a8216fcb22b4a4af7bd0157ecc3d2b6be9f9b2
Signature size=8987
Authority=Developer ID Application: Axantum Software AB (GCXRMT5SQC)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Jun 20, 2024 at 13:26:05
Info.plist=not bound
TeamIdentifier=GCXRMT5SQC
Runtime Version=13.1.0
Sealed Resources=none
Internal requirements count=1 size=172
Warning: Specifying ':' in the path is deprecated and will not work in a future release
codesign -v -vvv --strict --deep XecretsCli
XecretsCli: valid on disk
XecretsCli: satisfies its Designated Requirement
zip XecretsCli.zip XecretsCli
adding: XecretsCli (deflated 63%)
xcrun notarytool submit "XecretsCli.zip" --keychain-profile "Notarize" --wait
Conducting pre-submission checks for XecretsCli.zip and initiating connection to the Apple notary service...
Submission ID received
id: e5990902-3101-42de-a1a6-b9ea40b944b8
Upload progress: 100.00% (12.4 MB of 12.4 MB)
Successfully uploaded file
id: e5990902-3101-42de-a1a6-b9ea40b944b8
path: /Users/svante/Downloads/XecretsCli-Osx-2.3.567 3/XecretsCli.zip
Waiting for processing to complete.
Current status: Accepted........
Processing complete
id: e5990902-3101-42de-a1a6-b9ea40b944b8
status: Accepted
spctl -a -vvv XecretsCli
XecretsCli: rejected (the code is valid but does not seem to be an app)
origin=Developer ID Application: Axantum Software AB (GCXRMT5SQC)
spctl -a -vvv -t install XecretsCli
XecretsCli: accepted
source=Notarized Developer ID
origin=Developer ID Application: Axantum Software AB (GCXRMT5SQC)
Trying to run the executable:
"XecretsCli" can't be opened
because the identity of the
developer cannot be confirmed.
Your security preferences allow
installation of only apps from the App
Store and identified developers.
Chrome downloaded this file today at
10:37.
OK
Hello,
I use setCodeSigningRequirement: in sandboxed XPCService and it seems that no matter what I always get errSecCSNoSuchCode[1] when the app is signed with development certificate. The same application signed with DeveloperID is fine.
I use following CSR for development signed builds.
identifier com.example.app and anchor apple generic
and certificate 1[field.1.2.840.113635.100.6.2.1] exists
and certificate leaf[field.1.2.840.113635.100.6.1.12] exists
But also tried to simplify to identifier com.example.app or just true.
If I validated the CSR with codesign -R I get "explicit requirement satisfied".
I spotted this log line:
Sandbox: com.example.app(67058) deny(1) file-read-data /Users/(...)/example-app/build/arm64-mac/src/mac/app/Debug/Example App.app/Contents/MacOS/ExampleApp
So I disabled the sandbox for XPCService and now everything works. But then why the DeveloperID signed build works with XPCService sandboxed? ...or does it really? :)
Just for completeness the CSR which I use in production build are:
identifier com.example.app and anchor apple generic
and certificate 1[field.1.2.840.113635.100.6.2.6] exists
and certificate leaf[field.1.2.840.113635.100.6.1.13] exists
and certificate leaf[subject.OU] = EXAMPLE
I was developing an electron based app, and I want to embed a system extension in it, everything works fine with SIP disabled.
But for normal cases, I found out:
Notarization require hardened runtime enabled.
The container is an electron based app, which has JIT related feature, so it requires hardened runtime relaxation entitlements (some exception)
But System extension disallow these entitlements, this error message is captured from the log system: Hardened Runtime relaxation entitlements disallowed on System Extensions
So does this mean we can't embed a system extension in an Electron-based app?
Hello,I have released macOS version of my game before iOS Version,
after releasing macOS version, cannot run & debug my game on Xcode
getting error ;
Provisioning profile "iOS Team Provisioning Profile: com.codepad.motorush" doesn't include the com.apple.application-identifier entitlement.
please take a look to screenshot view.
Hi,
I want to resign my app with a different certificate. Is it possible to keep the entitlements (including com.apple.application-identifier)? I want to resign the whole app including the plugins and frameworks, but I saw --deep was considered harmful.
Sorry, I'm a bit confused. Any help would be appreciated.
When I build with Flutter, XCODE returns an error:error: exportArchive: "Runner.app" requires a provisioning profile with the Associated Domains and Push Notifications features.
I use the automatic management signing, and the provisioning profiles include related features. What should I do?
We have requested an additional capability called "User Assigned Device Name" for my application to Apple and got approved the same on for debug/adhoc/release environments . Since then we are facing issues on code signing. We are always getting the compiler error "* Provisioning profile "xxxxxxxxxxx" doesn't support the User Assigned Device Name capability." on both Debug and Release environment.
There is another capability "contacts notes entitlements" that we got approved long back when it was not apart of Apple ID(additional capabilities) rather we got approved as a part of our provisioning profile.
Suppose we removed "contacts notes entitlements" from the profile and deleted it from the entitlement folder the project compiled without any error. So we are strongly believes the conflicts on the "contacts notes entitlements" is the root cause.
We are about to release the version and which is blocked due to this error. So kindly look in to this issue and do the needful asap.
STEPS TO REPRODUCE
Added user assigned device name capability from Signing & Capability Tab in project in settings.
Added the team, valid provisioning profiles and try to sign in manually.
Getting the error “Provisioning profile xxxxxxxxxxxx" doesn't support the User Assigned Device Name capability."
Note: Already got approval for the “user assigned device name” . Which is listed under the app id.
Hello, I've developed an application using ElectronNET with C# and Blazor Server. I have managed to deploy to both Windows and the web but having trouble deploying the application to my Mac users.
It's my first time deploying an application for Mac but feel like I'm stuck at the last hurdle and out of ideas so I'm reaching out for help.
My application is successfully signing but during the build and when my Notarize.js is running it seems to get stuck indefinitely.
I can check and see the status of the Notarize attempts but they seem to be stuck "In Progress". Here are the logs.
Successfully received submission history.
history
--------------------------------------------------
createdDate: 2024-06-12T22:16:35.362Z
id: 26192605-001b-46ae-b622-9a79c20e1e93
name: CustomerSupportDashboard.zip
status: In Progress
--------------------------------------------------
createdDate: 2024-06-12T18:51:21.772Z
id: 6a34501c-8f48-4986-ae5e-82a99320dcbc
name: CustomerSupportDashboard.zip
status: In Progress
--------------------------------------------------
createdDate: 2024-06-12T15:13:44.722Z
id: ea5cd928-8207-4d25-b74a-45b04960dbe0
name: CustomerSupportDashboard.zip
status: In Progress
--------------------------------------------------
createdDate: 2024-06-12T14:24:48.776Z
id: 00ccd1f9-daa4-4bba-9a86-9f577c51f26b
name: CustomerSupportDashboard.zip
status: In Progress
--------------------------------------------------
createdDate: 2024-06-12T14:07:43.116Z
id: bf5dfa9c-9702-413b-8fbb-94017e930bcf
name: CustomerSupportDashboard.zip
status: In Progress
These have been running for over 6hours now and it's my understanding it should take minutes, correct me if I'm wrong?
Here is my Notarize script if it helps diagnose what might be happening. Although the requests seem to be going through ok so it doesn't seem likely.
const { join } = require('path');
const fs = require('fs-extra');
exports.default = async function notarizing(context) {
const { electronPlatformName, appOutDir } = context;
if (electronPlatformName !== 'darwin') {
console.log("Not a macOS platform, skipping notarization.");
return;
}
const appName = context.packager.appInfo.productFilename;
const appPath = `${appOutDir}/${appName}.app`;
const zipPath = `${appOutDir}/${appName}.zip`;
console.log(`Zipping the app at path: ${appPath} to: ${zipPath}`);
// Zip the app
await new Promise((resolve, reject) => {
execFile('zip', ['-r', zipPath, appPath], (error, stdout, stderr) => {
if (error) {
console.error(`Failed to zip app: ${stderr || stdout}`);
reject(new Error(`Failed to zip app: ${stderr || stdout}`));
} else {
console.log(`Successfully zipped app: ${stdout}`);
resolve();
}
});
});
console.log(`Notarizing the app with Apple ID: *************.*****@*******.****`);
await new Promise((resolve, reject) => {
execFile('xcrun', [
'notarytool',
'submit',
zipPath,
'--apple-id', '*************.*****@*******.****',
'--password', '****-****-****-****',
'--team-id', '**********',
'--wait',
'--output-format', 'json'
], (error, stdout, stderr) => {
if (error) {
console.error(`Notarization failed: ${stderr || stdout}`);
reject(new Error(`Notarization failed: ${stderr || stdout}`));
} else {
console.log(`Successfully notarized: ${stdout}`);
resolve();
}
});
});
}; ```
When I trusted my certificate in 'Setting'->'VPN & Device Management', my device reboot automatically.
After reboot, it showed that "developer of My Team is not trusted in this iPhone", but the app is "verified" in the second column.
The UI looks like:
iOS18 beta:
First Col: Trust "My Team"
Second Col: MyApp Verified
Other versions:
First Col: Delete App
Second Col: MyApp Verified
What's more, my app has plugins(extensions), my app can run normally while the extension is not able to be pulled up on iOS18 beta.
No Proxy for Xcode 15:
_with Xcode 14
You can modify this file : /Applications/Xcode.app/Contents/SharedFrameworks/ContentDeliveryServices.framework/Versions/A/itms/java/conf/net.properties
and set the following property to true ( false by default ) java.net.useSystemProxies=true_
With Xcode 15, I don't found any solution
**Utilisation of environment variables http_proxy and https_proxy it's useless because it's ignored
#** how I can define a proxy in order to sign with Xcode command lines ?