Xcode 16.2 Framework Signing Issues with Cloud Managed Developer ID in Automated Builds Issue Description After upgrading from Xcode 15.4 to 16.2, our macOS app's frameworks are failing notarization with the error "The binary is not signed with a valid Developer ID certificate" for embedded frameworks when building through fastlane. This worked correctly in Xcode 15.4. Importantly, manually archiving and notarizing through the Xcode GUI still works correctly - the issue only occurs during automated builds. Build Configuration We use fastlane to build and notarize our macOS app: build_mac_app( scheme: 'Runner', export_method: "developer-id", xcargs: '-allowProvisioningUpdates' ) This generates the following xcodebuild commands: Archive: xcodebuild -workspace ./Runner.xcworkspace -scheme Runner -destination 'generic/platform=macOS' -archivePath /path/to/archive -allowProvisioningUpdates archive Export with plist: xcrun -exportArchive -exportOptionsPlist '/path/to/plist' -archivePath /path/to/archive -exportPath '/output/path' -allowProvisioningUpdates Export options plist contents: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>installerSigningCertificate</key> <string>Developer ID Installer: Company Inc (1234567891)</string> <key>method</key> <string>developer-id</string> <key>signingStyle</key> <string>automatic</string> </dict> </plist> Notarization: ditto -c -k --rsrc --keepParent "My App.app" "My App.app.zip" xcrun notarytool submit "My App.app.zip" --output-format json --wait --key /path/to/key --key-id ABCDEFGHIJ --issuer 12345678-abcd-1234-5678-fc2d96b1735a Error Output Notarization fails with the following errors: { "severity": "error", "code": null, "path": "My App.app.zip/My App.app/Contents/Frameworks/some_package.framework/Versions/A/some_package", "message": "The binary is not signed with a valid Developer ID certificate.", "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721", "architecture": "arm64" } Key Details Using Xcode Cloud managed Developer ID certificates (not local certificates) ✅ Building, archiving, and notarizing through Xcode GUI works correctly Automatic signing is enabled Expected Behavior Frameworks should be automatically signed with the cloud managed Developer ID certificate during the export process, as they were in Xcode 15.4. Has there been a change in how framework signing is handled with cloud managed certificates in Xcode 16.2's command line tools? Any guidance on how to ensure frameworks are properly signed during automated builds when using automatic signing with cloud managed Developer ID certificates would be appreciated.

I am developing and distributing an XCFramework, and I want to ensure that it remains valid for as long as possible. I have some questions regarding certificate expiration and revocation: I understand that if an XCFramework is signed with a timestamp, it remains valid even after the signing certificate expires. However, if the signing certificate is revoked, the XCFramework immediately becomes unusable. As far as I know, Apple allows a maximum of two active distribution certificates at the same time. I assume that once a certificate expires, it will eventually need to be revoked in order to issue a third certificate. Is this correct? If an expired certificate is later revoked, will the XCFrameworks signed with that certificate also become invalid, even though they were timestamped? I want to ensure that released XCFrameworks remain valid for as long as possible. What is the best approach to achieve this? If anyone has insights or official documentation references on how to manage signing certificates for long-term XCFramework validity, I would appreciate your guidance. Thank you!

We’re encountering a strange issue with our app submission to the App Review Team. It’s a paid macOS app with no in-app purchases. The App Review Team reports that the app fails to launch, displaying an “App is Damaged” dialog. In the Console app, they see the app exiting with code 173. We don’t have any receipt validation code. I’ve double-checked our code and dependencies, and I don’t see exit(173) being called anywhere. The same builds distributed through TestFlight work fine. Our builds are generated using Xcode Cloud, and the last build was successfully tested by the App Review Team. The only difference between this build and the last successfully tested build is a one-line bug fix—none of the settings or dependencies have changed. Both builds were created and submitted using Xcode Cloud. We’re completely stumped. Has anyone seen this behavior or have suggestions for further debugging? The problem is we can’t seem to reproduce this behaviour anywhere.

I'm using libxpc in a C server and Swift client. I set up a code-signing requirement in the server using xpc_connection_set_peer_code_signing_requirement(). However, when the client doesn't meet the requirement, the server just closes the connection, and I get XPC_ERROR_CONNECTION_INTERRUPTED on the client side instead of XPC_ERROR_PEER_CODE_SIGNING_REQUIREMENT, making debugging harder. What I want: To receive XPC_ERROR_PEER_CODE_SIGNING_REQUIREMENT on the client when code-signing fails, for better debugging. What I’ve tried: Using xpc_connection_set_peer_code_signing_requirement(), but it causes the connection to be dropped immediately. Questions: Why does the server close the connection without sending the expected error? How can I receive the correct error on the client side? Are there any other methods for debugging code-signing failures with libxpc? Thanks for any insights!

After I upgraded to macOS 15.3, all of my current Xcode project have the signing issue, I spent half day and I didn't make any progress, I tried two projects, one is Swift AppKit App calling one C++ dylib, another one is a pure Swift AppKit app, when I build, there will be error: Warning: unable to build chain to self-signed root for signer "Apple Development: Steven Tang (XXXXX)" /Volumes/TwoTSSD/steventang/Library/Developer/Xcode/DerivedData/ImageEnhancement-ddbilgyraofrdyfeljyuknusunza/Build/Products/Release/ImageEnhancement.app: errSecInternalComponent I tried remove account, add account back in Xcode, none of it worked, also tried ChatGPT's WWDR updating and it won't help.

MacOS Version: 14.7.2 macOS SDKs: macOS 14.5 -sdk macosx14.5 I am working on a sample program for validation Against: Team Identifier Developer ID I started with validating Team Identifier, but my validation is not working and it is allowing to launch programs which are not matching the team identifier in the signature. Below is my code: func verifyExecutableWithLCR(executablePath: String, arguments: [String]) -> Bool { let task = Process() task.launchPath = executablePath task.arguments = arguments if #available(macOS 14.4, *) { print("launchRequirementData is available on this system.") do { let req = try OnDiskCodeRequirement.allOf { TeamIdentifier("ABCDEFGHI") //SigningIdentifier("com.***.client.***-Client.****") } let encoder = PropertyListEncoder() encoder.outputFormat = .xml let requirementData = try encoder.encode(req) task.launchRequirementData = requirementData print("launchRequirementData is set.") try task.run() print("[SUCCESS] Executable passed the code signature verification.") return true } catch { print("[ERROR] Code signature verification failed: \(error.localizedDescription)") return false } } else { print("[WARNING] launchRequirement is not available on this macOS version.") return false } } Could you please help me in identifying whay am I doing wrong here?

I have created a XPC server and client using C APIs. I want to ensure that I trust the client, so I want to have a codesigning requirement on the server side, something like - xpc_connection_set_peer_code_signing_requirement(listener, "anchor apple generic and certificate leaf[subject.OU] = \"1234567\"") This checks if the client code was signed by a code-signing-identity issued by Apple and that the teamID in the leaf certificate is 1234567. My questions are- Is using teamID as a signing requirement enough? What else can I add to this requirement to make it more secure? How does xpc_connection_set_peer_code_signing_requirement work internally? Does it do any cryptographic operations to verify the clients signature or does it simply do string matching on the teamID? Is there a way actually verify the clients signature(cryptographically) before establishing a connection with the server? (so we know the client is who he claims to be)

I've noticed that NSTaks has this property as of macOS 14.4 @property (nullable, copy) NSData *launchRequirementData API_AVAILABLE(macos(14.4)) API_UNAVAILABLE(ios, watchos, tvos, visionos); It has no documentation whatsoever. Even google search has no clue. Does this have anything to do with code signature requirements validation? Any explanations and examples would be appreciated!

In the macOS 14.0 SDK, environment and library constraints were introduced, which made defense against common attack vectors relatively simple (especially with the LightWeightCodeRequirements framework added in 14.4). Now, the application I'm working on must support macOS 13.0 too, so I was looking into alternatives that do work for those operating systems as well. What I found myself is that the SecCode/SecStaticCode APIs in the Security Framework do offer very similar fashion checks as the LightWeightCodeRequirements framework does: SecCodeCopySigningInformation can return values like signing identifier, team identifier, code requirement string and so on. SecStaticCodeCreateWithPath can return a SecStaticCode object to an executable/app bundle on the file system. Let's say, I would want to protect myself against launchd executable swap. From macOS 14.0 onward, I would use a Spawn Constraint for this, directly in the launchd.plist file. Before macOS 14.0, I would create a SecStaticCode object for the executable path found in the launchd.plist, and then examine its SecCodeCopySigningInformation dictionary. If the expectations are met, only then would I execute the launchd.plist-defined executable or connect to it via XPC. Are these two equivalent? If not, what are the differences?

Hi, For the purposes of iteration speed in development builds, on an iPhone in development mode, I am attempting to use hot reloaded dylibs. The goal is that the app is rarely fully restarted and small code changes can be applied quickly, drastically reducing iteration speed. For this purpose I have a socket server on my Mac that sends changed dylibs to my app on my iPhone. This works great on Mac, however on iOS i am running into codesigning problems. I am using the following to codesign the dylib: codesign -f -s XXX --timestamp=none testlibrary-ios.dylib I am placing the downloaded dylib in this folder: const char* cachedirectoryPath = [NSSearchPathForDirectoriesInDomains(NSCachesDirectory, NSUserDomainMask, YES)[0] UTF8String]; dlopen gives me the following error: dlopen(/var/mobile/Containers/Data/Application/67A3D31B-6F72-4939-9E7F-665FC78CDC61/Library/Caches/testlibrary-ios.dylib, 0x000A): tried: '/usr/lib/system/introspection/testlibrary-ios.dylib' (no such file, not in dyld cache), '/var/mobile/Containers/Data/Application/67A3D31B-6F72-4939-9E7F-665FC78CDC61/Library/Caches/testlibrary-ios.dylib' (code signature invalid in <78A101AD-D756-3526-8754-8B7F4925DE90> '/private/var/mobile/Containers/Data/Application/67A3D31B-6F72-4939-9E7F-665FC78CDC61/Library/Caches/testlibrary-ios.dylib' (errno=1) sliceOffset=0x00000000, codeBlobOffset=0x0000C2E0, codeBlobSize=0x00004990), .... Is loading a dylib like this on iPhones in development mode possible? Any idea what is going wrong with codesigning or installing the dylib? (Obviously this code is never deployed in an app that goes on the AppStore)

I'm having a problem with codesign for output from Pyinstaller The files are in ~/PycharmProjects/ALP_Document_Factory_II That folder contains the icon file, the entitlement file, and also contains a "dist" folder where Pyinstaller places the app file (ALP_Document_Factory_II.app) The generated app works and runs when I double click it. When I run codesign: codesign -s xxxxxxxx -f --entitlements entitlements.plist -o runtime dist/ALP_Document_Factory_II.app ("xxxxxxx" is where I place the hash of my credential) I get the following error message: No such file or directory Here is the Terminal copy... minus my Hash dickl45@Dicks-iMac3 ALP_Document_Factory_II % codesign -s xxxxxxxxxx -f --entitlements entitlements.plist -o runtime dist/ALP_Document_Factory_II.app dist/ALP_Document_Factory_II.app: No such file or directory Earlier I was able to use codesign and notarytool, but I must be doing something wrong that I can't see. Yours baffled MacOs 15.2

Quinn, in your post "App Groups: macOS vs iOS: Fight!", you mention that an app must meet at least one of four criteria to access an app group container without user intervention: Your app is deployed via the Mac App Store (A). Or via TestFlight when running on macOS 15.1 or later (B). Or the app group ID starts with your app’s Team ID (C). Or your app’s claim to the app group is authorised by a provisioning profile embedded in the app (D) [1]. Our app is distributed directly (Developer ID), so it doesn't meet the first two criteria. We already had the app group ID set up to match the iOS ID (without our Team ID) and changing it now would affect our users already-stored data, so criteria C isn't really an option either. That brings us to criteria D. We've added the App Groups Capability to our App ID on the Developer site and creating a Developer ID provisioning profile with this App ID. However, for some reason the App Group Capability is not included in the provisioning profile. How then do we go about satisfying criteria D ("your app’s claim to the app group is authorised by a provisioning profile embedded in the app (D)")? If this is impossible, how can we migrate our user's data away from the affected container?

After upgrading the virtual machines used for building and testing our macOS application, it seems that something new in Sequoia is preventing virtual machines from running anything signed with a Mac Development certificate. At first glance the issue seems very similar to this thread, but it could be unrelated. We are using the tart toolset to build and run our VMs. People seem to be having related issues there with Sequoia in particular. I have added the VM's hardware UUID to the Devices list of our account. I have included that device in the devices list of our Mac Development provisioning profile. I have re-downloaded the profile, ensured that it is properly getting built into the app, and ensured that the hardware UUID of the VM matches the embedded provisioning profile: Virtual-Machine App.app/Contents % system_profiler SPHardwareDataType | grep UUID Hardware UUID: 0CAE034E-C837-53E6-BA67-3B2CC7AD3719 Virtual-Machine App.app/Contents % grep 0CAE034E-C837-53E6-BA67-3B2CC7AD3719 ../../App.app/Contents/embedded.provisionprofile Binary file ../../App.app/Contents/embedded.provisionprofile matches However, when I try to run the application, it fails, and while I have searched the system logs to find a more informative error message, the only thing I can find is that the profile doesn't match the device somehow: Virtual-Machine App.app/Contents % open ../../App.app The application cannot be opened for an unexpected reason, error=Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." UserInfo={NSLocalizedFailureReason=Launch failed., NSUnderlyingError=0x6000039440f0 {Error Domain=NSPOSIXErrorDomain Code=153 "Unknown error: 153" UserInfo={NSLocalizedDescription=Launchd job spawn failed}}} Virtual-Machine App.app/Contents % log show --info --debug --signpost --last 3m | grep -i embedded.provisionprofile 2025-01-21 16:33:32.369829+0000 0x65ba Error 0x0 2872 7 taskgated-helper: (ConfigurationProfiles) [com.apple.ManagedClient:ProvisioningProfiles] embedded provisioning profile not valid: file:///private/tmp/builds/app/.caches/Xcode/DerivedData/Build/Products/Debug/App.app/Contents/embedded.provisionprofile error: Error Domain=CPProfileManager Code=-212 "Provisioning profile does not allow this device." UserInfo={NSLocalizedDescription=Provisioning profile does not allow this device.} I don't understand why the provisioning profile wouldn't allow the device if the hardware UUID matches. I have also attempted to add the Provisioning UDID in the devices list instead, but the form rejects that value because it's a different format (the form specifically requests a hardware UUID for macOS development, and a provisioning UDID for everything else). If there is any debugging tool that lets me check a provisioning profile against the running hardware and print a more verbose reason for why it's not allowed on the device, please let me know. Otherwise I'd have to conclude that, since I haven't experienced this issue before on an earlier OS, it has something to do with virtual machines running macOS Sequoia. (The same Mac Development-signed application runs just fine on my MacBook Pro running 15.2, as well as the VM host, which is also running 15.2.) I have also tried resetting the VM's hardware UUID and adding that one to the devices list, to no effect. This is obviously seriously impacting our CI/CD pipelines to allow for proper UI testing of our application. If anyone is aware of any workarounds, I would love to hear them!

Hi, We are developing software that configures a network extension via a system extension on MacOS. The host application (run as service) enables network extension and system extension capabilities. It registers the network extension. The network extension has network extension capabilities and configures an app-group to be bundled into the service. What we have built is already working, i.e. we build, sign, notarize and ship the code (it's already running on hundreds of SIP enabled customer devices in production). But, we are currently falling back to manual profile management (i.e. download and import the profile) so that Xcode accepts the entitlements suffixed with -systemextention. Recently we are testing deployment on iOS devices. For iOS profiles we cannot overcome the issues with setting the profile manually, XCode complains about mismatching networkextension entitlements even when manually importing the profile. So I thought I get to the bottom of why automated signing is not working and hopefully overcome the issues with iOS. Upon configuring automatic signing we ran into the following problem: For a network extension that is installed via a system extension the network extension capabilities are expected to be defined with a -systemextension suffix, i.e.: <key>com.apple.developer.system-extension.install</key> <true/> <key>com.apple.developer.networking.networkextension</key> <array> <string>packet-tunnel-provider-systemextension</string> <string>app-proxy-provider-systemextension</string> <string>content-filter-provider-systemextension</string> <string>dns-proxy-systemextension</string> <string>dns-settings</string> <string>relay</string> When using automated signing the profile in our development account reflects these settings, i.e. the profile is correctly generated with the values above. However, XCode complains that the network extension capabilities don't match. I went as far as to configuring a new application-ID so that XCode would generate a new profile in the development account. I then downloaded and decoded the generated profile. The capabilities of the development portal profile were created as expected (as above), but somehow, the locally generated profile that is generated by XCode auto-sign expects: <key>com.apple.developer.system-extension.install</key> <true/> <key>com.apple.developer.networking.networkextension</key> <array> <string>app-proxy-provider</string> <string>content-filter-provider</string> <string>packet-tunnel-provider</string> <string>dns-proxy</string> <string>dns-settings</string> <string>relay</string> What XCode auto-sign expects is not reflected in the development account profile (!). I tried to overcome this by changing the entitlements of the project to omit the -systemextension suffix. XCode auto-sign seemingly works then, but once the application is actually signed by CodeSign the signing fails because the capabilities don't match with the development account profile. I tried profile re-generation by clearing Library/Developer/Xcode/UserData/Provisioning Profiles, but it always results in the same problem - either XCode is happy and the code signing fails when building, or the other way round. Bottom Line: I think that somehow XCode evaluates the profile validity differently from CodeSign; somehow when using automatic signing XCode does not take the network extension + system extension into account, but only expects the capabilities of the network extension. If anybody know how to overcome this problem please help :)

I keep having issues with my account. I have certificates that will not revoke. I create new certificates, then I create new profiles for development, distribution and for developer ID application distribution outside of the app store as well. With my app in Xcode, I can only get the Developer profile to work to allow builds. My distribution profile builds and then fails, with an error 5. The Developer ID Application profile will not even accept the profile in XCode, sighting that there is no code signing, yet I have checked things over and over again. Ontop of this, I had developers in the past in my team and they added a whole lot of certificates for Developer ID that I just cannot use now. I also cannot revoke them. I have no active apps on the app store now, so I was wondering if Apple or someone can assist me in removing ALL the certificates, all the profiles and get a clean slate, so that I can setup everything from scratch again, because I have lost countless of hours getting nowhere and I cannot get Apple support to assist? Anyone been through this before?

When connected to the company's internal network without accessing the Internet, can an IPA installation package be generated if the certificate files are imported in advance?

We are trying to get much more serious about our ability to audit signed code and trace it back to a signing event. We have a signing service that includes a bit of client code that provides a CryptoTokenKit extension to expose the signing certificate to codesign and Xcode. The private keys are held by the signing service and access is strictly controlled. The CTK extension is given a message/digest to sign, and from reading TN 3126, I believe this is representative of the code directory. For an audit trail, we can record some metadata about the signing request, such as Git repository, branch, commit SHA, etc., but the only value linked to the thing being signed is this blob. Later, if we have an app and want to link it back to the signing event, I can't figure out how to find this blob. It's not the CDHash or any other value I see in the output of codesign -d -vvvvvv. is there a way to recreate that blob given a signed artifact?

After updating Xcode my app stoped running on real device

Unable to distribute the App via Intune, When tried to install the App on Intune enrolled device. Gets error: Unable to install “App Name”. This app cannot be installed because its integrity could not be verified. Verified Bundle ID is getting updated and Sign-in shows successful. Mac OS Build - 13.7.2 (22H313) XCode Version: 15.1 (15C65) Provisioning Profile renewed this week Distribution Certificate Valid till 2027

I’m trying to fix an issue with a pipeline that automatically distributes an app to the App Store (TestFlight). Unfortunately, universal links don’t work because the .entitlements file in the build doesn’t include the specified associated domains, even though they are defined. I’ve double-checked the certificates, provisioning profiles, and Xcode settings — everything seems correct. Therefore, I assume the issue lies in the build commands, which are as follows: Create Archive xcodebuild -workspace ios/ClientDomain.xcworkspace -scheme ClientDomain archive -sdk iphoneos -configuration ClientDomain -archivePath ios/ClientDomain.xcarchive CODE_SIGN_STYLE=Manual CODE_SIGN_IDENTITY="Apple Distribution: Company Name (XXXXXXXXXX)" PROVISIONING_PROFILE=xxxxx-xxxxx-xxxxx-xxxxx-xxxxx CODE_SIGNING_ALLOWED=No Export Archive xcodebuild -exportArchive -archivePath ios/ClientDomain.xcarchive -exportPath ios -exportOptionsPlist ios/exportOptions.plist I also want to provide files I use, in order to make sure I don't have any mistakes: ClientDomain.entitlements &lt;?xml version="1.0" encoding="UTF-8"?&gt; &lt;!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"&gt; &lt;plist version="1.0"&gt; &lt;dict&gt; &lt;key&gt;com.apple.developer.associated-domains&lt;/key&gt; &lt;array&gt; &lt;string&gt;applinks:www.site.com&lt;/string&gt; &lt;string&gt;webcredentials:www.site.com&lt;/string&gt; &lt;/array&gt; &lt;/dict&gt; &lt;/plist&gt; exportOptions.plist &lt;?xml version="1.0" encoding="UTF-8"?&gt; &lt;!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"&gt; &lt;plist version="1.0"&gt; &lt;dict&gt; &lt;key&gt;destination&lt;/key&gt; &lt;string&gt;export&lt;/string&gt; &lt;key&gt;generateAppStoreInformation&lt;/key&gt; &lt;false/&gt; &lt;key&gt;manageAppVersionAndBuildNumber&lt;/key&gt; &lt;true/&gt; &lt;key&gt;method&lt;/key&gt; &lt;string&gt;app-store-connect&lt;/string&gt; &lt;key&gt;provisioningProfiles&lt;/key&gt; &lt;dict&gt; &lt;key&gt;com.bundle.app&lt;/key&gt; &lt;string&gt;xxxxx-xxxxx-xxxxx-xxxxx-xxxxx&lt;/string&gt; &lt;/dict&gt; &lt;key&gt;signingCertificate&lt;/key&gt; &lt;string&gt;Apple Distribution: Company Name (XXXXXXXXXX)&lt;/string&gt; &lt;key&gt;signingStyle&lt;/key&gt; &lt;string&gt;manual&lt;/string&gt; &lt;key&gt;stripSwiftSymbols&lt;/key&gt; &lt;true/&gt; &lt;key&gt;teamID&lt;/key&gt; &lt;string&gt;XXXXXXXXXX&lt;/string&gt; &lt;key&gt;testFlightInternalTestingOnly&lt;/key&gt; &lt;false/&gt; &lt;key&gt;uploadSymbols&lt;/key&gt; &lt;true/&gt; &lt;/dict&gt; &lt;/plist&gt; I'm curious, how people usually distribute their apps to App Store. What if I do something wrong?