I'm attempting to use Cloud Signing to export the Release version of 3 different apps for App Store, as described in https://developer.apple.com/videos/play/wwdc2021/10204/ The process completes successfully, and appears to be signed correctly, with a newly-created certificate in the developer portal of type "Distribution Managed". When I upload to App Store Connect however, I see the following error for several third-party Swift packages, distributed as frameworks: Validation failed (409) Invalid Signature. Code failed to satisfy specified code requirement(s). The file at path “MyApp.app/Frameworks/MyFramework.framework/MyFramework” is not properly signed. Make sure you have signed your application with a distribution certificate, not an ad hoc certificate or a development certificate. Verify that the code signing settings in Xcode are correct at the target level (which override any values at the project level). Additionally, make sure the bundle you are uploading was built using a Release target in Xcode, not a Simulator target. If you are certain your code signing settings are correct, choose “Clean All” in Xcode, delete the “build” directory in the Finder, and rebuild your release target. For more information, please consult https://developer.apple.com/support/code-signing. If I have a manually created Distribution certificate installed in the keychain at the point of export, the same archive is signed with that certificate, and is accepted by App Store Connect without issue. The xcodebuild command I am using (roughly): xcodebuild -exportArchive \ -archivePath "$ARCHIVE_PATH" \ -exportPath "$EXPORT_PATH" \ -exportOptionsPlist "$EXPORT_OPTIONS" \ -authenticationKeyPath "$API_KEY" \ -authenticationKeyID "$API_KEY_ID" \ -authenticationKeyIssuerID "$API_KEY_ISSUER" \ -allowProvisioningUpdates The plist: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "<http://www.apple.com/DTDs/PropertyList-1.0.dtd>"> <plist version="1.0"> <dict> <key>method</key> <string>app-store-connect</string> <key>teamID</key> <string>$TEAM</string> <key>uploadSymbols</key> <true/> <key>signingStyle</key> <string>automatic</string> </dict> </plist> Is what I’m trying to do supported? Is this a bug?

When completing signing on Xcode, it shows the following error message "No certificate for team '' matching 'Developer ID Application' found" I have already followed the steps to generate a certificate from keychain and made a new certificate on developer portal, along with its associated provisioning profile. Viewing "Manage Certificate" window shows the newly created certificate, but Xcode seems to not be able to locate it.

I’m building a macOS app with a DNS Proxy system extension for Developer ID + notarization, deployed via MDM, and Xcode fails the Developer ID Release build with a provisioning profile mismatch for com.apple.developer.networking.networkextension. Environment macOS: Sequoia (15.7.2) Xcode: 26.2 Distribution: Developer ID + notarization, deployed via MDM Host bundle ID: com.mydns.agent.MyDNSMacProxy DNS Proxy system extension bundle ID: com.mydns.agent.MyDNSMacProxy.dnsProxy Host entitlements (Release): File: MyDNSMacProxy/MyDNSMacProxyRelease.entitlements: "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.application-identifier</key> <string>B234657989.com.mydns.agent.MyDNSMacProxy</string> <key>com.apple.developer.networking.networkextension</key> <array> <string>dns-proxy</string> </array> <key>com.apple.developer.system-extension.install</key> <true/> <key>com.apple.developer.team-identifier</key> <string>B234657989</string> <key>com.apple.security.app-sandbox</key> <true/> <key>com.apple.security.application-groups</key> <array> <string>group.com.mydns.MyDNSmac</string> </array> <key>keychain-access-groups</key> <array> <string>B234657989.*</string> </array> </dict> </plist> xcodebuild -showBuildSettings -scheme MyDNSMacProxy -configuration Release : PROVISIONING_PROFILE_SPECIFIER = main MyDNSMacProxy5 CODE_SIGN_IDENTITY = Developer ID Application Host Developer ID profile main_MyDNSMacProxy5.provisionprofile (via security cms -D): "Entitlements" => { "com.apple.application-identifier" => "B234657989.com.mydns.agent.MyDNSMacProxy" "com.apple.developer.team-identifier" => "B234657989" "com.apple.security.application-groups" => [ "group.com.mydns.MyDNSmac", ..., "B234657989.*" ] "keychain-access-groups" => [ "B234657989.*" ] "com.apple.developer.system-extension.install" => 1 "com.apple.developer.networking.networkextension" => [ "packet-tunnel-provider-systemextension", "app-proxy-provider-systemextension", "content-filter-provider-systemextension", "dns-proxy-systemextension", "dns-settings", "relay", "url-filter-provider", "hotspot-provider" ] } So: App ID, team ID, keychain and system‑extension.install match. The profile’s com.apple.developer.networking.networkextension is a superset of what I request in the host entitlements (dns-proxy only). System extension (for context) DNS Proxy system extension target: NSExtensionPointIdentifier = com.apple.dns-proxy NetworkExtension → NEProviderClasses → com.apple.networkextension.dns-proxy → my provider class Entitlements: com.apple.developer.networking.networkextension = ["dns-proxy-systemextension"] This target uses a separate Developer ID profile and builds successfully. Xcode error Release build of the host fails with: …MyDNSMacProxy.xcodeproj: error: Provisioning profile "main MyDNSMacProxy5" doesn't match the entitlements file's value for the com.apple.developer.networking.networkextension entitlement. (in target 'MyDNSMacProxy' from project 'MyDNSMacProxy') Xcode UI also says: Entitlements: 6 Included, 1 Missing Includes com.apple.developer.team-identifier, com.apple.application-identifier, keychain-access-groups, com.apple.developer.system-extension.install, and com.apple.security.application-groups. Doesn’t match entitlements file value for com.apple.developer.networking.networkextension. Because of this, the app bundle isn’t produced and I can’t inspect the final signed entitlements. Questions: For com.apple.developer.networking.networkextension, should Xcode accept a subset of values in the entitlements (here just dns-proxy) as long as that value is allowed by the Developer ID profile, or does it currently require a stricter match? Is the following configuration valid for Developer ID + MDM with a DNS Proxy system extension: Host entitlements: ["dns-proxy"] System extension entitlements: ["dns-proxy-systemextension"] Host profile’s NE array includes the DNS Proxy system extension types. If this is a known limitation or bug in how Xcode validates NE entitlements for Developer ID, is there a recommended workaround? Thanks for any guidance.

Original Problem We use codesign and notarytool in a scripted environment to build and distribute binaries daily. We also do manual builds by logging into the build server using SSH. This has been working for many years, but after updating to a new "Developer ID Application" certificate, codesign was failing with errSecInternalComponent and the console logs showed errSecInteractionNotAllowed. Summary of Resolution Attempting to fix the problem resulted in multiple copies of the same Certificate which were NOT shown by Keychain Access. I had to run security delete-identity multiple times to clear out the redundant Identities and then imported the certificate using the security CLI tool. Details I originally followed these instructions for requesting and installing a new certificate: https://developer.apple.com/help/account/certificates/create-developer-id-certificates/ Tip: Use the security tool intead These instructions fail to mention two critical points: 1) they assume the machine you generate the request on is the same machine you will be using to perform signatures, and 2) KeyChain Access does not allow you to set permissions for applications like codesign. I made the mistake of following the instructions on my workstation, and then tried to import the certificate to the build machine by double clicking on the .cer file. When that did not work, I followed various forum suggestions and eventually realized I need to export the private key as a .p12 file from the workstation, and import it into the build machine. Tip: The term "Certificate" often refers to a public certificate by itself, while "Identity" to refers to the combination of a public certificate and private key. At this point, I could use codesign, but only within Terminal.app while logged into the build machine's console. I tried various security commands to reimport the Identity, set a key partition list, and unlock the keychain, but none of them allowed codesign to work from within SSH or cron scripts. Eventually I stumbled upon this: sudo security find-identity -v Password: 1) 3C255…1560 "Developer ID Application: Data Expedition, Inc. (VK…8X)" 2) 3C255…1560 "Developer ID Application: Data Expedition, Inc. (VK…8X)" 3) 3C255…1560 "Developer ID Application: Data Expedition, Inc. (VK…8X)" 4) EA377…96DD "Developer ID Application: Data Expedition, Inc. (VK…8X)" 5) 3C255…1560 "Developer ID Application: Data Expedition, Inc. (VK…8X)" 6) 3C255…1560 "Developer ID Application: Data Expedition, Inc. (VK…8X)" 7) 3C255…1560 "Developer ID Application: Data Expedition, Inc. (VK…8X)" 8) 3C255…1560 "Developer ID Application: Data Expedition, Inc. (VK…8X)" 9) 3C255…1560 "Developer ID Application: Data Expedition, Inc. (VK…8X)" 10) 3C255…1560 "Developer ID Application: Data Expedition, Inc. (VK…8X)" 10 valid identities found Keychain Access only showed one copy of the Identity in each keychain, but with security I could see there were actually 9. Tip: Keychain Access does not accurately display keychain contents. If it shows no contents at all, type a letter in the search box. Identities are distinguished from lone Certificates by a drop-down caret to the left of the certificate name. Clicking that shows the key. To fix the redundant Identities, I had to run this command four times to delete the nine copies: security delete-identity -Z 3C255…1560 I repeated this until the identity (I used the SHA1 hash of the certificate) no longer showed up in security find-identity -v. I then re-imported the certificate and key using security import, which is what I should have done from the begininng. The Correct Way Here are the commands I used to get things going after I deleted all the problem certificates: security import mycertificate.cer -k /Library/Keychains/System.keychain -T /usr/bin/codesign This next command I ran in Terminal.app on the console so it could display a password prompt: security import ImportThisKey.p12 -k /Library/Keychains/System.keychain -T /usr/bin/codesign After this, I used security find-identity -v to verify that there was only one copy of the Identity. I then verified that codesign could be used from SSH and cron-scripts even while logged out of the console. I suspect that a lot of mysterious certificate problems might be caused by duplicate certificates, each with different permissions. As far as I can tell, there is no way to uniquely identify a certificate/identity or the permissions attached to them. The system just searches based on hash, or team-id, or other non-unique property and seems to just arbitrarily pick one. I hope this helps someone else stuck with errSecInternalComponent errors!

Hi everyone, I am struggling with a persistent issue regarding my Developer Program membership and Xcode syncing. Even though the Apple Developer Portal shows that my developer license is active and I have full access to App Store Connect, it is unfortunately not possible to sign applications with this account. It behaves as if the license wasn't active. The Symptoms: -Portal status: Active (Account Holder/Admin), -Xcode Settings: When I navigate to Settings > Accounts and select my team, there is a Red X displayed next to "Certificates, Identifiers & Profiles.", Xcode suggests there is an issue accessing these resources and I cannot sign any binaries. Confirmed the membership is active in the web portal. Everything seems configured correctly on the web side, but the account simply doesn't work locally in Xcode. Has anyone faced this specific "Red X" issue despite a valid membership? Is there a specific cache I need to clear or a way to force Xcode to re-fetch the correct status? Any advice on how to resolve this loop would be greatly appreciated. Thanks! :)

I am curious as to know if i calculate the checksum of an ipa file and upload the same to app store, and then after installing the app on my device, if i extract the ipa file and compare the checksum will it match? or will it vary from device to device, because of bitcode and app thinning slicing? Some banks have been showing ipa file checksums on their websites, and even inside their apps and showing messages like checksum matches! i was just curious as to know how would one go about validating this!? Or is this even possible, what about the checksum of the executable at runtime? Can we check this? will it match?

How do you renew a "Developer ID Application" certificate? Should there be a "renew" button on the expiration date? Or can you renew it sooner? Or are you required to create a new certificate? Does this count against your limit of five Developer ID Application certificates? I thought there was a way to renew it, but I don't see that option. I also couldn't find any Apple documentation about how to renew, only how to create and how there's a limit to how many you can create.

On our public Apple account we have distribution certificates that work for all Apple platforms. On our Enterprise account it will only generate iOS distribution certificates. Apple support did not provide any concrete solutions, only pointing us to the general docs. Any suggestions?

Made a notarization request a few hours ago and woke up to check the history and it's no longer available. Not rejected/accepted just not found. I have gone ahead to make another request but I have no confidence because I expect the same thing to happen again. Any guidance? See logs below: daramfon@MacBook-Pro-3 frontend % xcrun notarytool history --apple-id "$APPLE_ID" --password "$APPLE_APP_SPECIFIC_PASSWORD" --team-id "$APPLE_TEAM_ID" Successfully received submission history. history -------------------------------------------------- createdDate: 2026-02-20T23:53:14.066Z id: 6f2fadc0-2e8f-4331-a253-68f81334ebc6 name: Speakeasy AI-0.1.0-arm64.zip status: In Progress -------------------------------------------------- createdDate: 2026-02-20T23:47:12.897Z id: 435aec4f-5356-49a5-898d-48aaafb7949f name: Speakeasy AI.zip status: In Progress -------------------------------------------------- createdDate: 2026-02-20T22:35:23.947Z id: 95896757-873a-4e54-a527-03dc767c9cb5 name: Speakeasy AI.zip status: In Progress daramfon@MacBook-Pro-3 frontend % xcrun notarytool history --apple-id "$APPLE_ID" --password "$APPLE_APP_SPECIFIC_PASSWORD" --team-id "$APPLE_TEAM_ID" No submission history. daramfon@MacBook-Pro-3 frontend % xcrun notarytool info 6f2fadc0-2e8f-4331-a253-68f81334ebc6 --apple-id "$APPLE_ID" --password "$APPLE_APP_SPECIFIC_PASSWORD" --team-id "$APPLE_TEAM_ID" Submission does not exist or does not belong to your team. id: 6f2fadc0-2e8f-4331-a253-68f81334ebc6

Le build iOS via EAS échoue systématiquement lors de la phase Xcode. Bien que les capacités Family Controls et App Groups soient activées sur le portail Apple Developer et configurées dans le app.json, les profils de provisionnement générés par EAS sont rejetés par Xcode car ils ne contiendraient pas les droits nécessaires. Configuration du projet : Targets (4) : App principale + 3 extensions (ShieldConfiguration, ShieldAction, ActivityMonitorExtension). Capabilities requises : Family Controls (Development), App Groups. EAS CLI Version : 18.0.6 (et versions antérieures testées). Erreur Xcode récurrente : error: Provisioning profile "[expo] com.*****.*** AdHoc 177230..." doesn't support the Family Controls (Development) capability.. error: Provisioning profile "... AdHoc ..." doesn't include the com.apple.developer.family-controls entitlement.. Ce qui a déjà été tenté (sans succès) : Configuration app.json : Ajout manuel des entitlements pour le bundle principal et configuration du plugin react-native-device-activity. Nettoyage Credentials : Suppression totale des profils et des identifiants sur le site Expo.dev ET sur le portail Apple Developer. +1 Forçage Sync : Utilisation de eas build --clear-cache et réponse "No" à la réutilisation des profils existants. Observation étrange : Le terminal indique souvent ✔ Synced capabilities: No updates, alors que les droits viennent d'être modifiés sur le portail Apple. Sur le portail Apple, les profils affichent pourtant bien "Family Controls (Development)" dans les capacités activées. Je met en piece jointe un des profiles.

Hello We have a pkg installer whose signing certificate is expiring next month. It has a trusted timestamp on it. As per https://developer.apple.com/support/certificates/ it states Developer ID Installer Certificate (Mac applications) If your certificate expires, users can still install packages that were signed with this certificate as long as the package includes a trusted timestamp. Previously installed apps will continue to run. However, new installations won’t be possible until you have re-signed your installer package with a valid Developer ID Installer certificate. If your certificate is revoked, users will no longer be able to install applications that have been signed with this certificate. Wanted to check on behavior for new installations post expiration date. Since the installer has a trusted timestamp we would not need to release a new installer with new cert ?? Any guidance here would be much appreciated.

I'm distributing a macOS .pkg installer signed with Developer ID Installer and notarized via notarytool. On macOS 26.3 (Tahoe, Build 25D125), the package is rejected by Gatekeeper when downloaded from the internet. What works: pkgutil --check-signature → signed, Developer ID Installer, full chain (G2 intermediate + Apple Root CA) xcrun stapler validate → "The validate action worked!" xcrun notarytool info <id> → status: Accepted The .app inside the .pkg passes spctl -a -vvv → "accepted, source=Notarized Developer ID" What fails: spctl -a -vvv --type install mypackage.pkg → rejected, origin=Developer ID Installer Raw assessment: assessment:remote = true, assessment:verdict = false Double-clicking the downloaded .pkg shows only "Move to Trash" / "Done" (no "Open" option) syspolicyd log: meetsDeveloperIDLegacyAllowedPolicy = 0 (expected, since the cert is new), but no "notarized" match is logged Certificate details: Developer ID Installer, issued Feb 28, 2026, valid until 2031 OID 1.2.840.113635.100.6.1.14 (Developer ID Installer) — critical OID 1.2.840.113635.100.6.1.33 — timestamp 20260215000000Z Intermediate: Developer ID Certification Authority G2 (OID 1.2.840.113635.100.6.2.6) security verify-cert → certificate verification successful Build process: productbuild --distribution ... --sign <SHA1> (also tried productsign) Both produce: Warning: unable to build chain to self-signed root xcrun notarytool submit → Accepted xcrun stapler staple → worked Workaround: xattr -d com.apple.quarantine ~/Downloads/mypackage.pkg allows opening the installer. Question: Is spctl --type install assessment expected to work differently on macOS 26 Tahoe? The same signing and notarization workflow produces .app bundles that pass Gatekeeper, but .pkg installers are rejected. Is there a new requirement for .pkg distribution on macOS 26? Environment: macOS 26.3 (25D125), Xcode CLT 26.3

Hi, I'm a new Developer ID account holder submitting my first app for notarization. All submissions have been stuck "In Progress" for 72+ hours. Apple System Status has shown all services operational throughout. Team ID: 4L9YA7S99L $ xcrun notarytool history --keychain-profile "blackbox" Successfully received submission history. history -------------------------------------------------- createdDate: 2026-03-09T11:19:41.697Z id: 2c0cdf3d-a3ac-4d86-8eb0-2f601b2d09c5 name: Blackbox-0.2.0.dmg status: In Progress -------------------------------------------------- createdDate: 2026-03-07T18:11:37.660Z id: 5ab09d84-b2e2-4738-9b63-100a7dd46882 name: Blackbox-0.1.0.dmg status: In Progress -------------------------------------------------- createdDate: 2026-03-06T22:47:21.410Z id: 1c90fa3e-c52a-4468-8056-06ff5d7d3752 name: Blackbox-0.1.0.dmg status: In Progress -------------------------------------------------- createdDate: 2026-03-06T22:34:55.803Z id: 4bbd6f77-7ff6-445f-817c-21f9909dfe7a name: Blackbox-0.1.0.dmg status: In Progress -------------------------------------------------- createdDate: 2026-03-06T21:28:26.904Z id: 3c63ed16-be5d-4900-b82d-5df9557a47b4 name: Blackbox-0.1.0.dmg status: In Progress -------------------------------------------------- createdDate: 2026-03-06T21:24:14.558Z id: 76df3f18-57a1-49b7-87e2-3f2bf0e4e6d5 name: Blackbox-0.1.0.dmg status: Invalid The Invalid submission (76df3f18) was error 4000 due to unsigned binaries in a bundled framework. That's been fixed in all subsequent submissions. The app is a small macOS menu bar utility (~2 MB DMG), signed with Developer ID Application certificate, hardened runtime enabled, no restricted entitlements. codesign --verify --deep --strict and spctl --assess --type execute both pass locally. Is there a known processing delay for first-time Developer ID accounts, or could something be stuck on the backend? Thanks for any guidance.

As it has already been reported elsewehere, I also face the problem of endless waiting time for my submissions to be notarized. This prevents me from shipping a new release. A waiting/processing time of multiple days is simply unacceptable. I kindly request to fix this.

I've seen a couple posts on reddit today but wanted to call out here because I think it may be a more widespread issue - I keep getting an error trying to open my iOS app saying "Unable to verify app - An internet connection is required to verify trust of the developer...". I have never gotten this issue before and did not change anything in my build settings from my last successful build of the app to now. The directions it gives me are to go to Settings > General > VPN and Device Management and trust my developer certificate from there, but that doesn't work either. The first time I tried this, the developer certificate wasn't there at all, then I looked at Reddit and saw people recommending to download the developer certificate to solve the issue, but doing this did not fix the error either. Just looking to see if anyone else has encountered this or what the fix might be.

I have an app for iOS already on the AppStore and I'm trying to add a macOS version of it. The AppID prefix for this app is different than my Team ID. This mismatch was always fine for submitting my iOS app. However for some reason, the macOS version gets rejected when I upload it. It tells me the AppID prefix must match my Team ID. I do not control my TeamID and I do not control my AppID prefix, they are both given to me by Apple. Yet the error message tells me they must match. How do I get past this? Here is the error message: Validation failed Invalid code signing entitlements. Your application bundle's signature contains code signing entitlements that aren't supported on macOS. Specifically, the "APPID_PREFIX.MY_BUNDLE_ID" value for the com.apple.application-identifier key in "MY_PACKAGE" isn't supported. This value should be a string that starts with your Team ID, followed by a dot ('"), followed by the bundle ID. (ID: 930b77ae-099f-4798-a14a-2803f2a9be9e) Thanks in advance for any pointer.

All of my notarization submissions have been stuck at "In Progress" for up to 10 days. I have 6 submissions spanning from March 4 to March 11, 2026, and none of them have completed or returned any errors. Affected submissions: dbf20b57-0073-444a-b09a-ac6747b7398e (submitted Mar 4) — In Progress d5886683-be64-455c-805d-cd8b12bbcd35 (submitted Mar 4) — In Progress 10bfa709-da17-49cf-9c89-63f93b5fb756 (submitted Mar 4) — In Progress e8d0866e-43f8-4a18-8129-64e6c5d3895a (submitted Mar 9) — In Progress f9526f25-5650-4c45-98ae-d778c58a2ffa (submitted Mar 9) — In Progress 82ec211f-9179-41fd-afe0-937c9b2c2750 (submitted Mar 11) — In Progress Running `notarytool log` returns "Submission log is not yet available." Team ID: CB4U5M6U9H It is an Electron-based app built with electron-builder. Steps taken to ensure compliance: Signed with a valid Developer ID Application certificate Hardened runtime enabled (hardenedRuntime: true) Proper entitlements configured (com.apple.security.cs.allow-jit, com.apple.security.cs.allow-unsigned-executable-memory, com.apple.security.cs.disable-library-validation) Entitlements inherited for child processes via entitlements.mac.inherit.plist Electron Fuses configured to disable Node.js CLI flags in production (resetAdHocDarwinSignature enabled) App submitted as a zip archive via notarytool submit I've tried resubmitting multiple times across different builds, but all submissions remain stuck. I also have an open support case (102836201208) that was escalated to Senior Advisors on March 11, but have not received any update. Could someone from the notarization team please investigate?

In my application I validate the authenticity of my own binaries by checking that the Team Identifier in the code signature matches a predefined value. Currently I do not perform a full signature validation that verifies the certificate chain up to Apple’s root CA. When attempting to do this using SecStaticCodeCheckValidityWithErrors (or validateWithRequirement), the operation sometimes takes several minutes. During that time the calling thread appears blocked, and the system logs show: trustd: [com.apple.securityd:SecError] Malformed anchor records, not an array Because of this delay, I decided to rely only on the Team Identifier. My question is: Can it be assumed that if a Mach-O binary contains a Team Identifier in its code signature, then it must have been signed with a valid Apple Developer certificate? Or are there cases where a binary could contain a Team ID but still not be signed by Apple’s trust chain? Thanks for the help !

Hello, At work, we want to release a new version of our cross-platform desktop application this week. Unfortunately, I've had issues getting the dmg signed by the Apple notary service, which will delay the release until it's successful. However, I remade and successfully signed the previously released version (also dmg) with the same credentials, so I know it's not a problem with the file format or my account. I have tried the following to no avail: Lots of Googling Running xcrun notarytool submit with the -v option (verbose) to see more error messages Going to the URL given (appstoreconnect.apple.com/notary/v2/submissions/{submission_id}) and examining the file it downloaded (not much info, let alone helpful info) Contacting Apple developer support over the phone (they couldn't help with this particular issue, since it's "code-level support") The only big change we made this time was switching to Maven for our build tool and dependency management (we previously used Ant with manual dependency management). Does anyone here have any insight? Is there a list of known issues or dependencies that will cause a submission to be invalidated? Or, even better, any way to see why the submission is invalid? Thanks.

I have a macOS VPN app with a Network Extension (packet tunnel provider) distributed outside the App Store via Developer ID. Everything works perfectly when running from Xcode. After archiving and exporting for Developer ID distribution, the extension launches but immediately gets killed by nesessionmanager. The error: Signature check failed: code failed to satisfy specified code requirement(s) followed by: started with PID 0 status changed to disconnected, last stop reason Plugin failed What makes this interesting: the extension process does launch. AMFI approves it, taskgated-helper validates the provisioning profile and says allowing entitlement(s) due to provisioning profile, the sandbox is applied, PacketTunnelProvider is created — but then Apple's Security framework internally fails the designated requirement check and nesessionmanager kills the session. Key log sequence: taskgated-helper: Checking profile: Developer ID - MacOS WireGuardExtension taskgated-helper: allowing entitlement(s) for com.xx.xx.WireGuardNetworkExtension due to provisioning profile (isUPP: 1) WireGuardNetworkExtensionMac: AppSandbox request successful WireGuardNetworkExtensionMac: creating principle object: PacketTunnelProvider WireGuardNetworkExtensionMac: Signature check failed: code failed to satisfy specified code requirement(s) nesessionmanager: started with PID 0 error (null) nesessionmanager: status changed to disconnected, last stop reason Plugin failed Setup: macOS 15, Xcode 16 Developer ID Application certificate Manual code signing, Developer ID provisioning profiles with Network Extensions capability Extension in Contents/PlugIns/ (standard appex, not System Extension) Extension entitlement: packet-tunnel-provider-systemextension NSExtensionPointIdentifier: com.apple.networkextension.packet-tunnel codesign --verify --deep --strict PASSES on the exported app Hardened runtime enabled on all targets What I've verified: Both app and extension have matching TeamIdentifier Both are signed with the same Developer ID Application certificate The designated requirement correctly references the cert's OIDs The provisioning profiles are valid and taskgated-helper explicitly approves them No custom signature validation code exists in the extension — the "Signature check failed" comes from Apple's Security framework What I've tried (all produce the same error): Normal Xcode archive + export (Direct Distribution) Manual build + sign script (bypassing Xcode export entirely) Stripping all signatures and re-signing from scratch Different provisioning profiles (freshly generated) Comparison with official WireGuard app: I noticed the official WireGuard macOS app (which works with Developer ID) uses packet-tunnel-provider (without -systemextension suffix) in its entitlements. My app uses packet-tunnel-provider-systemextension. However, I cannot switch to the non-systemextension variant because the provisioning profiles from Apple Developer portal always include the -systemextension variants when "Network Extensions" capability is enabled, and AMFI rejects the mismatch. Questions: Is there a known issue with packet-tunnel-provider-systemextension entitlement + PlugIn-based Network Extension + Developer ID signing? Should the extension be using packet-tunnel-provider (without -systemextension) for Developer ID distribution? If so, how do I get a provisioning profile that allows it? The "Signature check failed" happens after taskgated-helper approves the profile — what additional code requirement check is the NE framework performing, and how can I satisfy it? Any guidance would be appreciated. I've exhausted all signing approaches I can think of.