Hi everyone, I applied for CarPlay Entitlements on [Date 04. 26, 2024] using CarPlay is Case ID "13045151". I haven't received any updates or responses regarding my application yet. It's been 7 days since the application. My service requires CarPlay integration with a Black Box device. The primary purpose of this integration is to allow users to configure device settings through CarPlay. Furthermore, we plan to utilize the "Communication" category of Entitlements to notify users of parking incidents detected by the Black Box device while parked. This functionality is crucial for alerting drivers to potential issues affecting their vehicles. Could anyone share their experience with the typical turnaround time for CarPlay Entitlements, especially for applications involving device integration and the "Communication" category? Is this delay normal? Is there any way to check the application status or contact the appropriate team to inquire about its progress? Thank you for any insights or advice you can provide! Sincerely,

Hi all, I've submitted multiple notarization requests for an Electron app using notarytool since (april 12) at 6:30. All are stuck in the "In Progress" state Successfully received submission history. history -------------------------------------------------- createdDate: 2025-04-13T12:38:56.866Z id: 51897340-9547-4172-bad4-ae15f78e1ab0 name: theAIParalegal.zip status: In Progress -------------------------------------------------- createdDate: 2025-04-13T12:38:55.790Z id: ebcd8a15-613c-41e0-b8cc-6895a0a6785a name: theAIParalegal.zip status: In Progress -------------------------------------------------- createdDate: 2025-04-13T12:14:33.553Z id: 59a078dc-e613-4933-b440-8695e2204eac name: theAIParalegal.zip status: In Progress -------------------------------------------------- createdDate: 2025-04-13T12:14:32.108Z id: 987879aa-db15-405b-bd1d-76db31218f49 name: theAIParalegal.zip status: In Progress -------------------------------------------------- createdDate: 2025-04-12T22:06:30.869Z id: b1f4231c-6d13-4292-88f0-e8ce53cb0141 name: theAIParalegal.zip status: In Progress nicolasserna@Mac ~ %

I've been using /usr/bin/shortcuts for various tasks (eg. Quicksilver uses it to list and run shortcuts), and after updating from 14.7.4 to 14.7.5 the tool gets killed on startup. Eg. here is what it looks like in my shell: ❯ shortcuts list zsh: killed shortcuts list (And this is regardless of whether I have "full disk access" or "developer tools" toggled on or off for iTerm.) Looking at system logs it seems like the binary is missing an entitlement, which causes MACF / Gatekeeper to throw a fit: 2025-04-12 18:38:48.847576 kernel: mac_vnode_check_signature: /usr/bin/shortcuts: code signature validation failed fatally: When validating /usr/bin/shortcuts: in-kernel: com.apple.shortcuts.ShortcutsCommandLine disallowed without com.apple.private.security.restricted-application-groups 2025-04-12 18:38:48.847582 kernel: validation of code signature failed through MACF policy: 1 2025-04-12 18:38:48.847583 kernel: check_signature[pid: 2475]: error = 1 2025-04-12 18:38:48.847587 kernel: proc 95761: load code signature error 4 for file "shortcuts" 2025-04-12 18:38:48.847613 kernel: exec_mach_imgact: not running binary "shortcuts" built against preview arm64e ABI 2025-04-12 18:38:48.855481 syspolicyd: (Security) SecTrustEvaluateIfNecessary 2025-04-12 18:38:48.857970 syspolicyd: [com.apple.syspolicy.exec:default] GK evaluateScanResult: 2, PST: (path: /usr/bin/shortcuts), (team: (null)), (id: (null)), (bundle_id: (null)), 0, 0, 1, 0, 1, 1, 0evaluateScanResult: 2, PST: (path: /usr/bin/shortcuts), (team: (null)), (id: (null)), (bundle_id: (null)), 0, 0, 1, 0, 1, 1, 0 I used Time Machine to compare the binary's entitlements between 14.7.4 and 14.7.5, and looks like in 14.7.5 /usr/bin/shortcuts indeed is missing the com.apple.private.security.restricted-application-groups entitlement that 14.7.4 had. The old binary had these two entitlements that the new one doesn't: [Key] com.apple.private.security.restricted-application-groups [Value] [Array] [String] group.com.apple.shortcuts [String] group.is.workflow.my.app [String] group.is.workflow.shortcuts [Key] com.apple.security.application-groups [Value] [Array] [String] group.com.apple.shortcuts [String] group.is.workflow.my.app [String] group.is.workflow.shortcuts Is there a sensible workaround for this (and by "sensible" I mean something that'd allow me to keep using the tool)? (I already asked this on the support forums but I figured I might as well ask here too)

I have developed a sample app following the example found Updating your app package installer to use the new Service Management API and referring this discussion on XPC Security. The app is working fine, I have used Swift NSXPCConnection in favour of xpc_connection_create_mach_service used in the example. (I am running app directly from Xcode) I am trying to set up security requirements for the client connection using setCodeSigningRequirement on the connection instance. But it fails for even basic requirement connection.setCodeSigningRequirement("anchor apple"). Error is as follows. cannot open file at line 46986 of [554764a6e7] os_unix.c:46986: (0) open(/private/var/db/DetachedSignatures) - Undefined error: 0 xpc_support_check_token: anchor apple error: Error Domain=NSOSStatusErrorDomain Code=-67050 "(null)" status: -67050 I have used codesign -d --verbose=4 /path/to/executable to check the attributes I do get them in the terminal. Other way round, I have tried XPC service provider sending back process id (pid) with each request, and I am probing this id to get attributes using this code which gives all the details. func inspectCodeSignature(ofPIDString pidString: String) { guard let pid = pid_t(pidString) else { print("Invalid PID string: \(pidString)") return } let attributes = [kSecGuestAttributePid: pid] as CFDictionary var codeRef: SecCode? let status = SecCodeCopyGuestWithAttributes(nil, attributes, [], &codeRef) guard status == errSecSuccess, let code = codeRef else { print("Failed to get SecCode for PID \(pid) (status: \(status))") return } var staticCode: SecStaticCode? let staticStatus = SecCodeCopyStaticCode(code, [], &staticCode) guard staticStatus == errSecSuccess, let staticCodeRef = staticCode else { print("Failed to get SecStaticCode (status: \(staticStatus))") return } var infoDict: CFDictionary? if SecCodeCopySigningInformation(staticCodeRef, SecCSFlags(rawValue: kSecCSSigningInformation), &infoDict) == errSecSuccess, let info = infoDict as? [String: Any] { print("🔍 Code Signing Info for PID \(pid):") print("• Identifier: \(info["identifier"] ?? "N/A")") print("• Team ID: \(info["teamid"] ?? "N/A")") if let entitlements = info["entitlements-dict"] as? [String: Any] { print("• Entitlements:") for (key, value) in entitlements { print(" - \(key): \(value)") } } } else { print("Failed to retrieve signing information.") } var requirement: SecRequirement? if SecRequirementCreateWithString("anchor apple" as CFString, [], &requirement) == errSecSuccess, let req = requirement { let result = SecStaticCodeCheckValidity(staticCodeRef, [], req) if result == errSecSuccess { print("Signature is trusted (anchor apple)") } else { print("Signature is NOT trusted by Apple (failed anchor check)") } } var infoDict1: CFDictionary? let signingStatus = SecCodeCopySigningInformation(staticCodeRef, SecCSFlags(rawValue: kSecCSSigningInformation), &infoDict1) guard signingStatus == errSecSuccess, let info = infoDict1 as? [String: Any] else { print("Failed to retrieve signing information.") return } print("🔍 Signing Info for PID \(pid):") for (key, value) in info.sorted(by: { $0.key < $1.key }) { print("• \(key): \(value)") } } If connection.setCodeSigningRequirement does not works I plan to use above logic as backup. Q: Please advise is there some setting required to be enabled or I have to sign code with some flags enabled. Note: My app is not running in a Sandbox or Hardened Runtime, which I want.

I paid for an Apple Developer membership, but can only sign 3 apps and restricted to 7 day certificates. I don't even seem to have a way to verify if I am in fact enrolled in the developer program despite being charged for it

Hey there, I'm experiencing an issue with notarization of my macOS application, which is blocking a release. We have signing/notarization hooked up to our CI process, both for prior releases as well as development builds (at the trunk tip). The notarization process has typically taken anywhere from a few minutes to a few tens of minutes, but for our most recent release, it's taking an unreasonably long time. I've compiled the submission info for each build (+ reattempted notarizations) below. What's interesting is that the oldest one was accepted- however, it timed out our CI process, so we never actually released it. Subsequent builds are more or less identical in terms of their content, however, they've been stewing in the notarization process for over 13 hours in some cases. % xcrun notarytool info 67413dae-64f5-4372-972d-e0ac158e18e3 Successfully received submission info createdDate: 2025-04-02T16:28:25.999Z id: 67413dae-64f5-4372-972d-e0ac158e18e3 name: Warp Vault.app.zip status: In Progress % xcrun notarytool info 0c72b243-4a8d-4976-a97b-75689d7e2497 Successfully received submission info createdDate: 2025-04-02T05:49:05.861Z id: 0c72b243-4a8d-4976-a97b-75689d7e2497 name: Warp Vault.app.zip status: In Progress % xcrun notarytool info 8e2edfc2-58bc-4b33-bc8e-078155759a81 Successfully received submission info createdDate: 2025-04-02T05:23:28.870Z id: 8e2edfc2-58bc-4b33-bc8e-078155759a81 name: Warp Vault.app.zip status: In Progress % xcrun notarytool info 8fb17b0c-ace4-4b6f-bef8-68d22696814d Successfully received submission info createdDate: 2025-04-02T05:07:48.187Z id: 8fb17b0c-ace4-4b6f-bef8-68d22696814d name: Warp Vault.app.zip status: Accepted At the time of checking, the UTC date was: % TZ="UTC" date Wed Apr 2 18:42:14 UTC 2025 It's interesting to me that the notarization process is taking this long. We've notarized many development builds (with debugging flags enabled) in the time between our last public release and our attempt to notarize this one. What's more, the original build for this release was notarized within the span of about 15 minutes, but subsequent submissions of the same build have hung for tens of hours. My two questions are: How can I get our pending notarizations "unstuck"?, and To prevent these types of hangs in the future, should I also routinely build/sign/notarize non-debug builds of my application during the development process? Best regards and many thanks, Charlton

I'm getting this error when uploading a build of my macOS app to App Store Connect. It has always worked before, and nothing changed about my use of app groups, and the iOS build uploaded without any problems. Cleaning the build folder and derived data folder doesn't help. I'm using automatically managed signing in Xcode. Invalid code signing entitlements. Your application bundle’s signature contains code signing entitlements that aren’t supported on macOS. Specifically, the “[group.]” value for the com.apple.security.application-groups key in “.pkg/Payload/.app/Contents/MacOS/” isn’t supported. This value should be a string or an array of strings, where each string is the “group” value or your Team ID, followed by a dot (“.”), followed by the group name. If you're using the “group” prefix, verify that the provisioning profile used to sign the app contains the com.apple.security.application-groups entitlement and its associated value(s).

We're building an SDK (let's call it MyFramework) which is distributed as an .xcframework for developers to integrate it into their own apps. Recently, we've added tvOS support by adding it as a supported destination for the SDK. Essentially, the SDK became a cross-platform framework and easy to be adopted in both iOS and tvOS apps. The .xcframework is generated fine, all builds correctly. We've tested the SDK integrated in test apps. We've also submitted an iOS archive app to the AppStore connect, just to make sure all is well with the AppStore submission. However, when I tried submitting a tvOS archive app (that integrates the same SDK) to the AppStore connect, the build was marked as invalid binary and we've got the following error message: ITMS-90562: Invalid Bundle - One of the nested bundles is built for a platform which is different from the main bundle platform. Please make sure that all bundles have correct platform specification. First, I thought that any of the modules of the framework was not correctly configured for tvOS but that was not the case. Everything compiles ok and it runs in debug as expected. It only fails when trying to submit the tvOS app that integrates the SDK. After a lot of investigating, we realised that the reason for the AppStore submission error is because we codesign the framework. We use codesign to distribute it as cryptographically signed xcframework. codesign --timestamp -v --sign "Apple Distribution: Company (xxxxxxxxxx)" "MyFramework.xcframework" As soon as we remove the above line from our CI/CD pipeline that generates the xcframework, and submit a tvOS archive app that integrates the unsigned framework, the AppStore submission error goes away and the TestFlight build can be tested. I've also tried to just strip the _CodeSignature folder from the .xcframework package but it still fails. So the only solution currently is to not codesign the xcframework to be able to upload tvOS archive apps that integrate the SDK to the AppStore connect. However, we're still puzzled as to why only the tvOS archive app gets the invalid binary error when it integrates a signed SDK. I feel like the error message is quite misleading if we have to stop signing the SDK xcframework for it to be accepted during the AppStore submission. Anyone has any idea? Or has anyone encountered a similar issue? Thanks!

Hello Apple Forum, We were testing out the following entitlements: 'Increased Memory Limit', 'Extended Virtual Addressing', 'Extended Virtual Addressing(Debug)' when we realized the maximum allocation amount of the memory dropped from our previous test of 32GB to 16GB. We were testing these on the following devices: iPad Pro 12.9(6th Gen) 18.4(Beta, 22E4232a) iPad Pro 11 M4 18.3.2 Each device has 16GB of physical RAM and because we are able to reach 16GB of allocation usage until app crashes, we believe the entitlements are applied correctly. Each test device was on charging mode and battery mode with 60, 80 100% battery. We understand allocating memory is complex and os is more optimized for battery efficiency, hence possibly limiting max usage of memory. However, through the same testing method we have done on iPadOS 18.3 and 4, we were able to allocate 31~32GB of RAM on testing done on January this year. (iPadOS 18.0, or maybe 18.1?) which make us wonder, has there been a change in core os that handles memory allocation since 18.0? And what can be the cause of this drop? The code we ran for our memory testing is as follows: private var allocatedMemory: [UnsafeMutableRawPointer] = [] public func allocate1GBMemory() { let sizeInBytes = 1024 * 1024 * 1024 if let pointer = malloc(sizeInBytes) { for i in 0..<sizeInBytes { pointer.advanced(by: i).storeBytes(of: UInt8(i % 256), as: UInt8.self) } allocatedMemory.append(pointer) logger.print("Allocated 1GB of memory. Total allocated: \(allocatedMemory.count)GB") } else { logger.print("Failed to allocate memory") } } Each functions call increases memory usage by allocating 1GB of space and we have called this function until it reaches 16GB then the app crashes.

I am developing a background program that is included in the app as an extension. I would like to include logic to check the teamID and code signature validity of the program I created to ensure that it has not been tampered with. Is this possible?

Trying to play around with Secure Enclave Protected keychain operations in a Tauri-based MacOS app and running into issues. After much digging and trial and error, here is my understanding and where I'm at: To access these keychain related APIs, the app must be codesigned, and have the following entitlements: <key>com.apple.application-identifier</key> <string>XXXXXXXXXX.com.myorg.myapp</string> <key>com.apple.developer.team-identifier</key> <string>XXXXXXXXXX</string> <key>keychain-access-groups</key> <array> <string>XXXXXXXXXX.*</string> </array> Currently using a Development cert, generated from Xcode, not a paid account I had to install the intermediate cert from https://www.apple.com/certificateauthority/ XXXXXXXXXX is the "Team ID", which can be found on my Development cert under Details > "Organizational Unit" If I build the app and run it (without signing) I get code 34018 If I sign the app and try to run it, I am no longer able to boot it, with error: The application cannot be opened for an unexpected reason, error=Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." UserInfo={NSLocalizedFailureReason=Launch failed., NSUnderlyingError=0x12a60a130 {Error Domain=NSPOSIXErrorDomain Code=153 "Unknown error: 153" UserInfo={NSLocalizedDescription=Launchd job spawn failed}}} Not quite sure what is missing - any help is much appreciated.

I’ve been having problems with MacOS builds. I’m making a release Appstore build and uploading it to Testflight. However when running it instantly crashes, and report screen shows the following: Current flow: I sign all files in PlugIns/ (we have a number of .bundle), and I’ve tried combinations of signing with/without --entitlements, as well as with/without --deep. After this I sign Frameworks/GameAssembly.dylib and Frameworks/UnityPlayer.dylib. Again, I’ve tried combinations of with/without --entitlements and --deep, also not signing them at all. After signing PlugIns and frameworks, I sign the .app, also tried this with/without --deep (always with --entitlements). Finally I make a .pkg and upload to Testflight. It’s not the game, as I can make an enterprise version that runs fine. We have some restricted entitlements, such as Apple Arcade. Building from an M1 mac, and architecture is Universal (Intel + ARM). Unity documentation says to use --deep, but Apple documentation highly recommend against it. So basically, my question is, how and in what order should I sign the files? Much obliged!

It'd be great if someone would give an overview of the steps to create a new app from an existing one. Can I copy my Xcode project to get started? After I copy my Xcode project, what do I need to do in Xcode? What do I need to do regarding certificate(s) and bundle id. Are there any steps where order is super important? Feel free, of course, to provide a link to an article and/or video on this as that'd be awesome if the information is current. What I've found online is typically out-of-date or more specific - not an overview.

I'm calling this command to export archive: xcodebuild -exportArchive -archivePath .build/XYZ.xcarchive -exportPath .build/XYZ.ipa -exportOptionsPlist Authenticator/ExportOptions.plist -quiet -allowProvisioningUpdates Here is my exportOptions file content &lt;!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"&gt; &lt;plist version="1.0"&gt; &lt;dict&gt; &lt;key&gt;method&lt;/key&gt; &lt;string&gt;app-store-connect&lt;/string&gt; &lt;key&gt;signingStyle&lt;/key&gt; &lt;string&gt;automatic&lt;/string&gt; &lt;key&gt;teamID&lt;/key&gt; &lt;string&gt;ABCD&lt;/string&gt; &lt;/dict&gt; &lt;/plist&gt; Most of the time this command fail with this error: error: exportArchive No Accounts error: exportArchive No signing certificate "iOS Distribution" found What we found is that our Apple ID just disappear from Xcode and we need to add it again manually. So there are two questions here: Why Apple ID account dissapears and how I can fix this? Is there an option to not use Apple ID account in Xcode and for example to use -authenticationKeyID flags of xcodebuild? Just to mention this happens only on our CI machine and not locally.

Hey everyone, We’re running into a frustrating issue with Xcode Cloud builds submitted to App Store Review. After every build, we must manually delete all code signing certificates generated by Xcode Cloud; otherwise, the reviewers can’t open the exported App Store app. When they try to open it, they see the error: “Apple Information Security: A process was blocked from running and moved to Trash: [Our App Name]” Oddly enough, if we delete all Xcode Cloud-generated certificates and then trigger a new Xcode Cloud build, the problem temporarily disappears—until the next submission, where we have to repeat the process. Has anyone else encountered this issue? Any recommendations on how to prevent this from happening? We’d rather not keep trashing certificates after every build. Thanks!

We’re encountering a strange issue with our app submission to the App Review Team. It’s a paid macOS app with no in-app purchases. The App Review Team reports that the app fails to launch, displaying an “App is Damaged” dialog. In the Console app, they see the app exiting with code 173. We don’t have any receipt validation code. I’ve double-checked our code and dependencies, and I don’t see exit(173) being called anywhere. The same builds distributed through TestFlight work fine. Our builds are generated using Xcode Cloud, and the last build was successfully tested by the App Review Team. The only difference between this build and the last successfully tested build is a one-line bug fix—none of the settings or dependencies have changed. Both builds were created and submitted using Xcode Cloud. We’re completely stumped. Has anyone seen this behavior or have suggestions for further debugging? The problem is we can’t seem to reproduce this behaviour anywhere.

I am working on a macos application that uses NetworkExtension and works fine in the debug environment. However, when I use the Release package, I am always prompted that my description file does not contain NetworkExtension. I am sure that my description file does contain NetworkExtension. How to solve this problem

We have a macOS app that has a Photos Extension, which shares documents with the app via an app group container. Historically we used to have an iOS-style group identifier (group.${TeamIdentifier}${groupName}), because we were lead by the web interface in the developer portal to believe this to be the right way to name groups. Later with the first macOS 15 betas last year there was a bug with the operating system warning users, our app would access data from different apps, but it was our own app group container directory. Therefore we added a macOS-style group identifier (${TeamIdentifier}${groupName}) and wrote a migration of documents to the new group container directory. So basically we need to have access to these two app group containers for the foreseeable future. Now with the introduction of iOS-style group identifiers for macOS, Xcode Cloud no longer archives our app for TestFlight or AppStore, because it complains: ITMS-90286: Invalid code signing entitlements - Your application bundle’s signature contains code signing entitlements that aren’t supported on macOS. Specifically, the “[group.${TeamIdentifier}${groupName}, ${TeamIdentifier}${groupName}]” value for the com.apple.security.application-groups key in isn’t supported. This value should be a string or an array of strings, where each string is the “group” value or your Team ID, followed by a dot (“.”), followed by the group name. If you're using the “group” prefix, verify that the provisioning profile used to sign the app contains the com.apple.security.application-groups entitlement and its associated value(s). We have included the iOS-style group identifier in the provisioning profile, generated automatically, but can't do the same for the macOS-style group identifier, because the web interface only accepts identifiers starting with "group". How can we get Xcode Cloud to archive our app again using both group identifiers? Thanks in advance

Hello, We use automatic signing and Fastlane on our CI. Fastlane uses xcodebuild to create an archive. xcodebuild -workspace ourApp.xcworkspace -scheme app-dev -destination generic/platform=iOS -archivePath app-dev.xcarchive -skipPackagePluginValidation -allowProvisioningUpdates -authenticationKeyID OurAppStoreConnectAuthKey -authenticationKeyIssuerID OurAppStoreConnectAuthKeyIssuerId -authenticationKeyPath /path/to/OurAppStoreConnectKey.p8 clean archive All works fine, but .... Why does Xcode 16 log out logged Apple ID and create a new every build? As a result, we have more and more Unknown Apple IDs in Xcode, and for each of them an error appears in log. Error: xcodebuild[3174:1804334] DVTDeveloperAccountManager: Failed to load credentials for 0A1DF15C-ETC-ETC: Error Domain=DVTDeveloperAccountCredentialsError Code=0 "Invalid credentials in keychain for 0A1DF15C-ETC-ETC, missing Xcode-Username" UserInfo={NSLocalizedDescription=Invalid credentials in keychain for 0A1DF15C-ETC-ETC, missing Xcode-Username} Of course, the originally logged-in Apple ID has an error corresponding to his non-logged-in state. xcodebuild[3174:1804334] DVTDeveloperAccountManager: Failed to load credentials for originally_logged-in_user: Error Domain=DVTDeveloperAccountCredentialsError Code=0 "Invalid credentials in keychain for originally_logged-in_user, missing Xcode-Token" UserInfo={NSLocalizedDescription=Invalid credentials in keychain for originally_logged-in_user, missing Xcode-Token} Why does this happen and how can it be fixed? Why does Xcode 16 log out its logged Apple ID?

Hey all, I'm experiencing an error, when trying to upload my app to the App Store using Transporter. I build my app with fvm flutter build ipa --release. When I try to upload this, I get the following error: I have already done a rebuild and checked my Provision Profile and certificate