General: Forums topic: Code Signing Forums subtopics: Code Signing > General, Code Signing > Certificates, Identifiers & Profiles, Code Signing > Notarization, Code Signing > Entitlements Forums tags: Code Signing, Signing Certificates, Provisioning Profiles, Entitlements Developer Account Help — This document is good in general but, in particular, the Reference section is chock-full of useful information, including the names and purposes of all certificate types issued by Apple Developer web site, tables of which capabilities are supported by which distribution models on iOS and macOS, and information on how to use managed capabilities. Developer > Support > Certificates covers some important policy issues Bundle Resources > Entitlements documentation TN3125 Inside Code Signing: Provisioning Profiles — This includes links to the other technotes in the Inside Code Signing series. WWDC 2021 Session 10204 Distribute apps in Xcode with cloud signing Certificate Signing Requests Explained forums post --deep Considered Harmful forums post Don’t Run App Store Distribution-Signed Code forums post Resolving errSecInternalComponent errors during code signing forums post Finding a Capability’s Distribution Restrictions forums post Signing code with a hardware-based code-signing identity forums post New Capabilities Request Tab in Certificates, Identifiers & Profiles forums post Isolating Code Signing Problems from Build Problems forums post Investigating Third-Party IDE Code-Signing Problems forums post Determining if an entitlement is real forums post Code Signing Identifiers Explained forums post Mac code signing: Forums tag: Developer ID Creating distribution-signed code for macOS documentation Packaging Mac software for distribution documentation Placing Content in a Bundle documentation Embedding nonstandard code structures in a bundle documentation Embedding a command-line tool in a sandboxed app documentation Signing a daemon with a restricted entitlement documentation Defining launch environment and library constraints documentation WWDC 2023 Session 10266 Protect your Mac app with environment constraints TN2206 macOS Code Signing In Depth archived technote — This doc has mostly been replaced by the other resources linked to here but it still contains a few unique tidbits and it’s a great historical reference. Manual Code Signing Example forums post The Care and Feeding of Developer ID forums post TestFlight, Provisioning Profiles, and the Mac App Store forums post For problems with notarisation, see Notarisation Resources. For problems with the trusted execution system, including Gatekeeper, see Trusted Execution Resources. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"

I'm getting this error when uploading a build of my macOS app to App Store Connect. It has always worked before, and nothing changed about my use of app groups, and the iOS build uploaded without any problems. Cleaning the build folder and derived data folder doesn't help. I'm using automatically managed signing in Xcode. Invalid code signing entitlements. Your application bundle’s signature contains code signing entitlements that aren’t supported on macOS. Specifically, the “[group.]” value for the com.apple.security.application-groups key in “.pkg/Payload/.app/Contents/MacOS/” isn’t supported. This value should be a string or an array of strings, where each string is the “group” value or your Team ID, followed by a dot (“.”), followed by the group name. If you're using the “group” prefix, verify that the provisioning profile used to sign the app contains the com.apple.security.application-groups entitlement and its associated value(s).

Hello, We're developing endpoint security software using the Endpoint Security framework, and we've encountered challenges with the behavior change in macOS 15 regarding provisioning UDIDs in cloned VMs. The Change Prior to macOS 15, cloning a VM preserved its UDID (format: 0000FE00-9C4ED9F68BBDC72D). Starting with macOS 15, cloned VMs receive a new UDID generated from the host's Secure Enclave (format: b043d27202c7ac37ca3c6b82673302225485cae9), making each clone effectively a new device. Our Workflow We maintain a clean base VM image and clone it for each test run. We add the base VM's UDID to our provisioning profile once, then create clones which (previously) retained that same UDID, allowing us to start new testing cycles without re-registering devices. This is essential because our product involves low-level system integration through the Endpoint Security framework, and if something goes wrong during development, it has the potential to affect system stability. To prevent any cascading issues between test runs or different product versions, we need each test to start from a known clean state rather than reusing the same VM. The Challenge With each VM clone generating a new UDID, we're hitting Apple's device registration limits quickly. This particularly impacts: New team members who spin up VMs for the first time and can't run signed builds Our CI/CD pipeline where multiple test environments need provisioning profiles Developers testing different branches who need separate clean environments Current Workaround We've found that VMs created on macOS 14 and upgraded to macOS 15+ retain their original UDID format. However, we're concerned this workaround may stop working in future macOS versions, which would leave us without a viable path forward. If the workaround stops working, our fallback would be signing each CI build with a Developer ID signature to allow running on any device. However, we'd prefer to avoid this as it would significantly increase load on Apple's signing infrastructure for what are essentially internal test builds. We completely understand the security reasoning behind tying UDIDs to the host's Secure Enclave for Apple Account support. However, for development workflows that don't require Apple Account features in VMs but do require clean, isolated test environments, the previous behavior was quite valuable. Question Is there a recommended approach for teams in our situation? We're happy to explore alternative workflows if there's a pattern we're missing, or we'd be glad to provide more context if this is a use case Apple is considering for future updates. Thanks for any guidance you can provide! Feedback case: FB21389730

Starting a few hours ago (roughly 2:45PM Eastern time) we began experiencing elevated latency with the Developer ID Notary Service. There is nothing listed on the developer system status page about degraded performance or a service outage. Operations that usually take ~15 minutes, are stacking up for hours. The oldest pending entry we have was created at 2:45PM Eastern: createdDate: 2025-06-24T18:45:22.539Z id: 5209a4d2-eae4-4714-aa8e-6961677ff2e We currently have 27 pending builds in the notary service since we are required to notarize internal builds to ensure we satisfy our requirements so this is creating an issue for us.

I am using Automatically Manage Signing And I have registered my Mac UUID in developer account, but it is still giving me these errors - Device My Mac is not registered to your team Ai Glider Inc. Devices must be registered in order to run your code, but you do not have permission to register them. Please check with your team's admin. No profiles for 'com.aiexample.sebexample' were found Xcode couldn't find any Mac App Development provisioning profiles matching 'com.aiexample.sebexample'.

I can't upload my macOS app to app store connect. Each time i try to upload, i see this message: Provisioning profile failed qualification Profile doesn't support App Groups. An empty app without an app group uploads fine, but if i add an app group to it, it does not upload.

Hi, I am reaching out to seek assistance with a persistent code signing issue that is preventing our team from installing our iOS app, "Scoopz" (https://apps.apple.com/us/app/scoopz-real-life-real-video/id6449206831) on physical devices. We suspect there may be an issue with our Apple Developer account, as we have exhausted all standard troubleshooting steps without success. Below, I’ve provided details about the issue, the error logs, and the steps we’ve taken. Issue Description: When attempting to install the app on an iPhone using Xcode, we encounter the following error: Unable to Install “Scoopz: Debug” Domain: IXUserPresentableErrorDomain Code: 14 Recovery Suggestion: Failed to verify code signature of /[REDACTED_PATH]/OurApp.app : 0xe8008018 (The identity used to sign the executable is no longer valid.) The app builds successfully to the iOS Simulator and can be released to the App Store without issues, but it fails to debug on physical devices. Steps Taken: Our team has attempted the following troubleshooting steps without resolving the issue: Verified that our Apple Developer account is active and our team membership is valid. Checked certificates in Keychain Access and the Apple Developer Portal, ensuring they are not expired or revoked. We created and installed new Apple Development certificates. Confirmed that the provisioning profile includes the target device’s UDID, is associated with a valid certificate, and is not expired. We regenerated and reinstalled the profile. We tried both xcode managed and manually installed profiles. Cleaned the Xcode build folder, deleted the app from the device, and rebuilt the project. Despite these efforts, the issue persists across our entire development team, leading us to believe there may be a problem with our Apple Developer account or its associated certificates/profiles. Request for Assistance: We kindly request your help to: Investigate any potential issues with our Apple Developer account that could be causing this code signing error. Verify the status of our certificates and provisioning profiles on Apple’s servers. Provide guidance on any additional steps or configurations needed to resolve the error. If necessary, suggest how we can escalate this issue for further investigation. Full error log: Unable to Install “Scoopz: Debug” Domain: IXUserPresentableErrorDomain Code: 14 Recovery Suggestion: Failed to verify code signature of /[REDACTED_PATH]/OurApp.app : 0xe8008018 (The identity used to sign the executable is no longer valid.) Please ensure that the certificates used to sign your app have not expired. If this issue persists, please attach an IPA of your app when sending a report to Apple. User Info: { DVTErrorCreationDateKey = "2025-08-20 23:50:11 +0000"; IDERunOperationFailingWorker = IDEInstallCoreDeviceWorker; } Failed to install the app on the device. Domain: com.apple.dt.CoreDeviceError Code: 3002 User Info: { *** } Unable to Install “Scoopz: Debug” Domain: IXUserPresentableErrorDomain Code: 14 Failure Reason: This app cannot be installed because its integrity could not be verified. Recovery Suggestion: Failed to verify code signature of /[REDACTED_PATH]/OurApp.app : 0xe8008018 (The identity used to sign the executable is no longer valid.) Failed to verify code signature of /[REDACTED_PATH]/OurApp.app : 0xe8008018 (The identity used to sign the executable is no longer valid.) Domain: MIInstallerErrorDomain Code: 13 User Info: { FunctionName = "+[MICodeSigningVerifier _validateSignatureAndCopyInfoForURL:withOptions:error:]"; LegacyErrorString = ApplicationVerificationFailed; LibMISErrorNumber = "-402620392"; SourceFileLine = 78; } Event Metadata: com.apple.dt.IDERunOperationWorkerFinished : { "device_identifier" = "-*********"; "device_isCoreDevice" = 1; "device_model" = "iPhone16,2"; "device_osBuild" = "17.1 (21B80)"; "device_platform" = "com.apple.platform.iphoneos"; "device_thinningType" = "iPhone16,2"; "dvt_coredevice_version" = "397.21"; "dvt_coresimulator_version" = 987; "dvt_mobiledevice_version" = "1784.101.1"; "launchSession_schemeCommand" = Run; "launchSession_state" = 1; "launchSession_targetArch" = arm64; "operation_duration_ms" = 4926; "operation_errorCode" = 14; "operation_errorDomain" = IXUserPresentableErrorDomain; "operation_errorWorker" = IDEInstallCoreDeviceWorker; "operation_name" = IDERunOperationWorkerGroup; "param_debugger_attachToExtensions" = 0; "param_debugger_attachToXPC" = 1; "param_debugger_type" = 3; "param_destination_isProxy" = 0; "param_destination_platform" = "com.apple.platform.iphoneos"; "param_diag_113575882_enable" = 0; "param_diag_MainThreadChecker_stopOnIssue" = 0; "param_diag_MallocStackLogging_enableDuringAttach" = 0; "param_diag_MallocStackLogging_enableForXPC" = 1; "param_diag_allowLocationSimulation" = 1; "param_diag_checker_tpc_enable" = 1; "param_diag_gpu_frameCapture_enable" = 0; "param_diag_gpu_shaderValidation_enable" = 0; "param_diag_gpu_validation_enable" = 0; "param_diag_guardMalloc_enable" = 0; "param_diag_memoryGraphOnResourceException" = 0; "param_diag_mtc_enable" = 1; "param_diag_queueDebugging_enable" = 1; "param_diag_runtimeProfile_generate" = 0; "param_diag_sanitizer_asan_enable" = 0; "param_diag_sanitizer_tsan_enable" = 0; "param_diag_sanitizer_tsan_stopOnIssue" = 0; "param_diag_sanitizer_ubsan_enable" = 0; "param_diag_sanitizer_ubsan_stopOnIssue" = 0; "param_diag_showNonLocalizedStrings" = 0; "param_diag_viewDebugging_enabled" = 1; "param_diag_viewDebugging_insertDylibOnLaunch" = 1; "param_install_style" = 2; "param_launcher_UID" = 2; "param_launcher_allowDeviceSensorReplayData" = 0; "param_launcher_kind" = 0; "param_launcher_style" = 99; "param_launcher_substyle" = 0; "param_runnable_appExtensionHostRunMode" = 0; "param_runnable_productType" = "com.apple.product-type.application"; "param_structuredConsoleMode" = 1; "param_testing_launchedForTesting" = 0; "param_testing_suppressSimulatorApp" = 0; "param_testing_usingCLI" = 0; "sdk_canonicalName" = "iphoneos18.0"; "sdk_osVersion" = "18.0"; "sdk_variant" = iphoneos; } System Information macOS Version 15.4.1 (Build 24E263) Xcode 16.0 (23051) (Build 16A242d) Timestamp: 2025-08-20T16:50:11-07:00

Hey folks, Looking for some assistance with using an API key with xcodebuild commands to archive/export builds on our Enterprise developer account. The goal here is to allow Xcode to completely manage signing/certificates with our cloud distribution certificate, since these builds are happening in CI and we don't want to be manually handling user sessions/certificates on these machines. This is working great with our App Store account, but with our Enterprise account we're getting errors both archiving and exporting the builds. Here's an example of an export command that is giving errors: xcodebuild -exportArchive -exportOptionsPlist /path/to/exportOptions.plist -archivePath /path/to/archive.xcarchive -exportPath /path/to/export -authenticationKeyID *** -authenticationKeyIssuerID *** -authenticationKeyPath /path/to/key.p8 -allowProvisioningUpdates I've put some example values there, but we've double/triple checked the real values when this is actually running. These are the errors we're getting: 2026-02-02 12:30:04.022 xcodebuild[59722:1854348] DVTServices: Received response for 0794248F-E534-474D-ABBF-40C1375B6590 @ <https://appstoreconnect.apple.com/xcbuild/QH65B2/listTeams.action?clientId=XABBG36SBA>. Error = Error Domain=DVTPortalResponseErrorDomain Code=0 "Communication with Apple failed" UserInfo={NSLocalizedDescription=Communication with Apple failed, NSLocalizedRecoverySuggestion=A non-HTTP 200 response was received (401) for URL https://appstoreconnect.apple.com/xcbuild/QH65B2/listTeams.action?clientId=XABBG36SBA} 2026-02-02 12:30:04.173 xcodebuild[59722:1854348] DVTServices: Received response for 1D51FCD1-1876-4881-BE89-DD44E78EA776 @ <https://appstoreconnect.apple.com/xcbuild/QH65B2/listTeams.action?clientId=XABBG36SBA>. Error = Error Domain=DVTPortalResponseErrorDomain Code=0 "Communication with Apple failed" UserInfo={NSLocalizedDescription=Communication with Apple failed, NSLocalizedRecoverySuggestion=A non-HTTP 200 response was received (401) for URL https://appstoreconnect.apple.com/xcbuild/QH65B2/listTeams.action?clientId=XABBG36SBA} 2026-02-02 12:30:04.322 xcodebuild[59722:1854344] DVTServices: Received response for 25D7983F-1153-47C9-AE8A-03A8D10B6453 @ <https://appstoreconnect.apple.com/xcbuild/QH65B2/listTeams.action?clientId=XABBG36SBA>. Error = Error Domain=DVTPortalResponseErrorDomain Code=0 "Communication with Apple failed" UserInfo={NSLocalizedDescription=Communication with Apple failed, NSLocalizedRecoverySuggestion=A non-HTTP 200 response was received (401) for URL https://appstoreconnect.apple.com/xcbuild/QH65B2/listTeams.action?clientId=XABBG36SBA} 2026-02-02 12:30:04.483 xcodebuild[59722:1854344] DVTServices: Received response for 8A56C98B-E786-4878-856F-4D7E3D381DEA @ <https://appstoreconnect.apple.com/xcbuild/QH65B2/listTeams.action?clientId=XABBG36SBA>. Error = Error Domain=DVTPortalResponseErrorDomain Code=0 "Communication with Apple failed" UserInfo={NSLocalizedDescription=Communication with Apple failed, NSLocalizedRecoverySuggestion=A non-HTTP 200 response was received (401) for URL https://appstoreconnect.apple.com/xcbuild/QH65B2/listTeams.action?clientId=XABBG36SBA} error: exportArchive Communication with Apple failed error: exportArchive No signing certificate "iOS Distribution" found We get very similar errors when archiving as well. Are we doing something incorrect here? Is API key usage with xcodebuild not supported for Enterprise builds? Appreciate any help y'all can provide!

Is there a way to check your app signature to verify if any one has tampered with the ipa file. I want to know specifically how to determine and handle this type of situation. How can i do a check for this in code(swift).

There seems to be a problem to a specific Apple Developer Account regarding Xcode Cloud Distribution (Signing). The Xcode Cloud Error Invalid Signature. Code failed to satisfy specified code requirement(s). The file at path “XcodeCloudTest.app/XcodeCloudTest” is not properly signed. Make sure you have signed your application with a distribution certificate, not an ad hoc certificate or a development certificate. Verify that the code signing settings in Xcode are correct at the target level (which override any values at the project level). Additionally, make sure the bundle you are uploading was built using a Release target in Xcode, not a Simulator target. If you are certain your code signing settings are correct, choose “Clean All” in Xcode, delete the “build” directory in the Finder, and rebuild your release target. For more information, please consult https://developer.apple.com/support/code-signing. Investigation Apple Developer Forums This issue seems to be known: https://developer.apple.com/forums/thread/746210 Debugging by ourselves We setup an example Xcode project from a default iOS Xcode app template to rule out any project issues. This example project failed with the same error as stated above. In the next step we tried the same example project with a different Apple Developer Account and it successfully distributed the example App through Xcode Cloud. Conclusion It seems like there is no setup issue on developer-side, because our example project works out-of-the-box on a different Apple Developer Account. Our only hope is that Apple will have a look on our Developer Account. Maybe there is some internal setting.

Hello, we use an MDM profile that enables FDA for our program. The Identifier is set to be the path to our program. We'd like to have a profile that allows multiple CodeSignatures. Our older programs are signed with a different certificate than the current ones. We tried deploying 2 profiles (one for the 'old certificate' signed binary and the other for the 'new certificate' signed binary). But it looks like that MacOS accepts only one. I have also tried to use ProfileCreator to generate a profile with 2 entries, but it fails to do it. Manually editing the XML file and adding new entries does not work either. I'd like to know if there's a workaround for this issue.

Howdy, I've been developing a packet tunnel extension meant to run on iOS and MacOS. For development I'm using xcodegen + xcodebuild to assemble a bunch of swift and rust code together. I'm moving from direct TUN device management on Mac to shipping a Network Extension (appex). With that move I noticed that on some mac laptops NE fails to start completely, whilst on others everything works fine. I'm using CODE_SIGN_STYLE: Automatic, Apple IDs are within the same team, all devices are registered as dev devices. Signing dev certificates, managed by xcode. Some suspicious logs: (NetworkExtension) [com.apple.networkextension:] Signature check failed: code failed to satisfy specified code requirement(s) ... (NetworkExtension) [com.apple.networkextension:] Provider is not signed with a Developer ID certificate What could be the issue? Where those inconsistencies across devices might come from?

Hello, We are currently using Apple Notarization (notarytool) for distributing a macOS app, and we are experiencing very long notarization times for large app bundles. [Issue] For apps with large binary sizes, notarization consistently takes around 3.5 to 4.5 hours from submission to completion. This delay is causing practical issues in our release pipeline, especially when: A hotfix or urgent update is required Multiple builds must be notarized in a short time CI/CD-based distribution is expected to complete within a predictable timeframe [Environment] Platform: macOS Notarization method: notarytool Distribution: Outside Mac App Store App size: 100 GB~ (compressed ZIP) Signing: Hardened Runtime enabled, codesigned correctly Submission status: Successfully accepted, but processing time is very long [What we have confirmed] The notarization eventually succeeds (no failures) Re-submitting the same build shows similar processing times Network upload itself completes normally; the delay is in Apple-side processing Smaller apps complete notarization much faster [Questions] Is a 3–4+ hour notarization time expected behavior for large macOS apps? Are there recommended best practices to reduce notarization processing time for large binaries? For example, splitting components, adjusting packaging, or specific signing strategies Is there any official guidance or limitation regarding notarization queueing or processing based on app size? Are there known service-side delays or regional differences that could affect processing time? Any insight or confirmation would be greatly appreciated, as this directly impacts our production release workflow. Thank you.

I've seen a couple posts on reddit today but wanted to call out here because I think it may be a more widespread issue - I keep getting an error trying to open my iOS app saying "Unable to verify app - An internet connection is required to verify trust of the developer...". I have never gotten this issue before and did not change anything in my build settings from my last successful build of the app to now. The directions it gives me are to go to Settings > General > VPN and Device Management and trust my developer certificate from there, but that doesn't work either. The first time I tried this, the developer certificate wasn't there at all, then I looked at Reddit and saw people recommending to download the developer certificate to solve the issue, but doing this did not fix the error either. Just looking to see if anyone else has encountered this or what the fix might be.

Hi everyone, I'm building an app in Xcode 16.4 with a minimum deployment target of iOS 12. The last time I built with this configuration was November 2025 — that build worked perfectly fine. I'm aware that builds from Xcode 16.4 will no longer be accepted by Apple after April 28, 2026, so I decided to push one final update before that deadline. Here's what I did: Built the app with no changes to build settings Uploaded to TestFlight Tested on iOS 12, iOS 26, and a few other versions — everything looked good Passed App Review Published to the App Store Now users on iOS 12 are reporting that the app crashes immediately on launch. Users on iOS 13-26 are unaffected. We've effectively lost a significant portion of our users overnight. We'd really like to restore functionality for them before April 28 — after that we plan to raise the minimum deployment target anyway. There are no crash logs available, as the app appears to never reach application code at all. Below are the relevant logs from Console.app: default 16:33:49.012231+0400 SpringBoard Bootstrapping MY_BUNDLE_ID with intent foreground-interactive error 16:33:49.021533+0400 SpringBoard [MY_BUNDLE_ID] Bootstrap failed with error: <NSError: 0x280f59aa0; domain: BKSProcessErrorDomain; code: 1 (bootstrap-failed); reason: "Failed to start job"> error 16:33:49.021748+0400 SpringBoard Bootstrapping failed for <FBApplicationProcess: 0x101cb4070; MY_BUNDLE_ID; pid: -1> with error: Error Domain=BKSProcessErrorDomain Code=1 "Unable to bootstrap process with bundleID MY_BUNDLE_ID" UserInfo={NSLocalizedDescription=Unable to bootstrap process with bundleID MY_BUNDLE_ID, BKSProcessExitReason=0, NSLocalizedFailureReason=Failed to start job, NSUnderlyingError=0x280f58780 {Error Domain=NSPOSIXErrorDomain Code=3 "No such process" UserInfo={NSLocalizedFailureReason=The process failed to exec, NSLocalizedRecoverySuggestion=Consult /var/log/com.apple.xpc.launchd/launchd.log for more information, NSLocalizedDescription=Unable to get valid task name port right for pid 241}}, BSErrorCodeDescription=bootstrap-failed} default 16:33:49.021934+0400 SpringBoard Adding: <FBApplicationProcess: 0x101cb4070; MY_BUNDLE_ID; pid: -1> default 16:33:49.022111+0400 SpringBoard <FBApplicationProcess: 0x101cb4070; MY_BUNDLE_ID; pid: -1> exited. default 16:33:49.023325+0400 SpringBoard Removing: <FBApplicationProcess: 0x101cb4070; MY_BUNDLE_ID; pid: -1> default 16:33:49.039576+0400 assertiond Submitting new job for "MY_BUNDLE_ID" on behalf of <BKProcess: 0x100d119f0; SpringBoard; com.apple.springboard; pid: 48; agency: SystemShell; visibility: foreground; task: running> default 16:33:49.039982+0400 assertiond Submitted job with label: UIKitApplication:MY_BUNDLE_ID[0xed03][58] error 16:33:49.040128+0400 assertiond Unable to obtain a task name port right for pid 241: (os/kern) failure (0x5) error 16:33:49.040286+0400 assertiond Failed to start job with error <NSError: 0x100c3f180; domain: NSPOSIXErrorDomain; code: 3; reason: "The process failed to exec"> { description = "Unable to get valid task name port right for pid 241"; failureReason = "The process failed to exec"; recoverySuggestion = "Consult /var/log/com.apple.xpc.launchd/launchd.log for more information"; Has anyone encountered this recently? Any help would be greatly appreciated. P.S. I tried rebuilding from scratch without any code changes and uploading a fresh build to TestFlight — but now it won't even launch from TestFlight on iOS 12.

After upgrading the virtual machines used for building and testing our macOS application, it seems that something new in Sequoia is preventing virtual machines from running anything signed with a Mac Development certificate. At first glance the issue seems very similar to this thread, but it could be unrelated. We are using the tart toolset to build and run our VMs. People seem to be having related issues there with Sequoia in particular. I have added the VM's hardware UUID to the Devices list of our account. I have included that device in the devices list of our Mac Development provisioning profile. I have re-downloaded the profile, ensured that it is properly getting built into the app, and ensured that the hardware UUID of the VM matches the embedded provisioning profile: Virtual-Machine App.app/Contents % system_profiler SPHardwareDataType | grep UUID Hardware UUID: 0CAE034E-C837-53E6-BA67-3B2CC7AD3719 Virtual-Machine App.app/Contents % grep 0CAE034E-C837-53E6-BA67-3B2CC7AD3719 ../../App.app/Contents/embedded.provisionprofile Binary file ../../App.app/Contents/embedded.provisionprofile matches However, when I try to run the application, it fails, and while I have searched the system logs to find a more informative error message, the only thing I can find is that the profile doesn't match the device somehow: Virtual-Machine App.app/Contents % open ../../App.app The application cannot be opened for an unexpected reason, error=Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." UserInfo={NSLocalizedFailureReason=Launch failed., NSUnderlyingError=0x6000039440f0 {Error Domain=NSPOSIXErrorDomain Code=153 "Unknown error: 153" UserInfo={NSLocalizedDescription=Launchd job spawn failed}}} Virtual-Machine App.app/Contents % log show --info --debug --signpost --last 3m | grep -i embedded.provisionprofile 2025-01-21 16:33:32.369829+0000 0x65ba Error 0x0 2872 7 taskgated-helper: (ConfigurationProfiles) [com.apple.ManagedClient:ProvisioningProfiles] embedded provisioning profile not valid: file:///private/tmp/builds/app/.caches/Xcode/DerivedData/Build/Products/Debug/App.app/Contents/embedded.provisionprofile error: Error Domain=CPProfileManager Code=-212 "Provisioning profile does not allow this device." UserInfo={NSLocalizedDescription=Provisioning profile does not allow this device.} I don't understand why the provisioning profile wouldn't allow the device if the hardware UUID matches. I have also attempted to add the Provisioning UDID in the devices list instead, but the form rejects that value because it's a different format (the form specifically requests a hardware UUID for macOS development, and a provisioning UDID for everything else). If there is any debugging tool that lets me check a provisioning profile against the running hardware and print a more verbose reason for why it's not allowed on the device, please let me know. Otherwise I'd have to conclude that, since I haven't experienced this issue before on an earlier OS, it has something to do with virtual machines running macOS Sequoia. (The same Mac Development-signed application runs just fine on my MacBook Pro running 15.2, as well as the VM host, which is also running 15.2.) I have also tried resetting the VM's hardware UUID and adding that one to the devices list, to no effect. This is obviously seriously impacting our CI/CD pipelines to allow for proper UI testing of our application. If anyone is aware of any workarounds, I would love to hear them!

Is it possible to directly distribute a macOS app with a Developer ID Certificate that belongs to a different team? I am trying to resolve issues that arise when distributing a macOS app with a Network Extension (Packet Tunnel) outside the App Store using a Developer ID Certificate from a different team than the app’s provisioning profiles and entitlements. I started by attempting Direct Distribution in Xcode with automatic signing. However, it fails with the following message: Provisioning profile "Mac Team Direct Provisioning Profile: ” failed qualification checks: Profile doesn't match the entitlements file's value for the com.apple.developer.networking.networkextension entitlement. I suspect the issue is that the provisioning profile allows "packet-tunnel-provider-systemextension", whereas the entitlements generated by Xcode contain "packet-tunnel-provider". When I manually modify the .entitlements file to include the -systemextension suffix, the project fails to build because Xcode does not recognize the modified entitlement. If there is a workaround for this issue, please let me know. Due to these issues, I resorted to manually creating a signed and notarized app. My process is as follows: Export the .app from the Xcode archive. Since the exported .app does not contain the necessary entitlements or provisioning profile for direct distribution, I replace Contents/embedded.provisioningprofile in both the .app and the .appex network extension. Sign the app and its components in the following order: codesign --force --options runtime --timestamp --sign "Developer ID Application: <name>" <app>.app/Contents/Frameworks/<fw>.framework/ codesign --force --options runtime --timestamp --sign "Developer ID Application: <name>"<app>.app/Contents/PlugIns/<netext>.appex/Contents/Frameworks/<fw>.framework/Versions/A/<fw> codesign --force --options runtime --entitlements dist-vpn.entitlements --timestamp --sign "Developer ID Application: <name>" <app>.app/Contents/PlugIns/<netext>.appex/ codesign --force --options runtime --entitlements dist.entitlements --timestamp --sign "Developer ID Application: <name>" <app>.app Verify the code signature: codesign --verify --deep --strict --verbose=4 <app>.app - <app>.app: valid on disk - <app>.app: satisfies its Designated Requirement Create a ZIP archive using: ditto -c -k --sequesterRsrc --keepParent <app>.app <app>.zip Notarize the app with notarytool and staple it. The notarization completes successfully with errors: nil. Package the notarized app into a DMG, notarize, and staple the DMG. The app runs successfully on the development machine. However, when moved to another machine and placed in /Applications, it fails to open. Inspecting Console.app reveals Gatekeeper is blocking the launch:
 taskgated-helper <bundleid>: Unsatisfied entitlements: com.apple.developer.networking.networkextension, com.apple.developer.team-identifier taskgated-helper entitlements: { "com.apple.developer.networking.networkextension" = ("packet-tunnel-provider-systemextension"); "com.apple.developer.team-identifier" = <teamid>; } As mentioned earlier, the Developer ID Certificate used for signing belongs to a different team. We are a third-party developer and do not have access to the Developer ID Certificate of the team assigned as the team-identifier. When I changed the bundle identifier (app ID), team, entitlements, and provisioning profiles to match the team associated with the Developer ID Certificate, the app worked. My question is:
 Is this failure caused by using a Developer ID Certificate from a different team, or should it still work if the provisioning profiles and entitlements are correctly set? Could there be an issue elsewhere in the provisioning profiles or entitlements for the original app ID?

Hey there, I'm experiencing an issue with notarization of my macOS application, which is blocking a release. We have signing/notarization hooked up to our CI process, both for prior releases as well as development builds (at the trunk tip). The notarization process has typically taken anywhere from a few minutes to a few tens of minutes, but for our most recent release, it's taking an unreasonably long time. I've compiled the submission info for each build (+ reattempted notarizations) below. What's interesting is that the oldest one was accepted- however, it timed out our CI process, so we never actually released it. Subsequent builds are more or less identical in terms of their content, however, they've been stewing in the notarization process for over 13 hours in some cases. % xcrun notarytool info 67413dae-64f5-4372-972d-e0ac158e18e3 Successfully received submission info createdDate: 2025-04-02T16:28:25.999Z id: 67413dae-64f5-4372-972d-e0ac158e18e3 name: Warp Vault.app.zip status: In Progress % xcrun notarytool info 0c72b243-4a8d-4976-a97b-75689d7e2497 Successfully received submission info createdDate: 2025-04-02T05:49:05.861Z id: 0c72b243-4a8d-4976-a97b-75689d7e2497 name: Warp Vault.app.zip status: In Progress % xcrun notarytool info 8e2edfc2-58bc-4b33-bc8e-078155759a81 Successfully received submission info createdDate: 2025-04-02T05:23:28.870Z id: 8e2edfc2-58bc-4b33-bc8e-078155759a81 name: Warp Vault.app.zip status: In Progress % xcrun notarytool info 8fb17b0c-ace4-4b6f-bef8-68d22696814d Successfully received submission info createdDate: 2025-04-02T05:07:48.187Z id: 8fb17b0c-ace4-4b6f-bef8-68d22696814d name: Warp Vault.app.zip status: Accepted At the time of checking, the UTC date was: % TZ="UTC" date Wed Apr 2 18:42:14 UTC 2025 It's interesting to me that the notarization process is taking this long. We've notarized many development builds (with debugging flags enabled) in the time between our last public release and our attempt to notarize this one. What's more, the original build for this release was notarized within the span of about 15 minutes, but subsequent submissions of the same build have hung for tens of hours. My two questions are: How can I get our pending notarizations "unstuck"?, and To prevent these types of hangs in the future, should I also routinely build/sign/notarize non-debug builds of my application during the development process? Best regards and many thanks, Charlton

We have NFC capabilties enabled for our app ID - com.uob.mightyvn but our minimum deployment target is 15.0. We do not have an option deselect PACE from provisioning profile. Hence, the validation is failed for IPA. Invalid entitlement for core nfc framework. The sdk version '18.2' and min OS version '15.0' are not compatible for the entitlement 'com.apple.developer.nfc.readersession.formats' because 'NDEF is disallowed'

I have a valid dev certificate and created a valid provisioning Profile. I have added the Device UDID too , which I can see in provisioning Profile too. In XCode-16 both certificate and provisioning Profile looks good and no issue here with the expiration date too. Issue - While running the app on my iPhone connected to Mac.its shows the build is successful but shows the followinf errors . An IPA of APP failing the installation. Unable to install the App `A valid provisioning profile for this executable was not found. Domain: com.apple.dt.MobileDeviceErrorDomain`

Hello guys, I currently have a problem with Xcode cloud. When I setup a simple workflow in my Xcode project that just archives it and builds the project for TestFlight Internal testing, it will fail and give the following error: Invalid Signature. Code failed to satisfy specified code requirement(s). The file at path “DropIn.app/DropIn” is not properly signed. Make sure you have signed your application with a distribution certificate, not an ad hoc certificate or a development certificate. Verify that the code signing settings in Xcode are correct at the target level (which override any values at the project level). Additionally, make sure the bundle you are uploading was built using a Release target in Xcode, not a Simulator target. If you are certain your code signing settings are correct, choose “Clean All” in Xcode, delete the “build” directory in the Finder, and rebuild your release target. For more information, please consult https://developer.apple.com/support/code-signing. I've already been searching for solutions and double checked the documentation. My Xcode project is a simple iOS app with the app target and two other targets for tests and UI tests. I made sure the checkbox "Automatically manage signing" is ticked in all targets. The workflow has only one action "Archive - iOS" with TestFlight (Internal Testing Only) and a post-action "TestFlight Internal Testing - iOS" with an internal testing group assigned. I've seen people having similar problems where it turned out they had a non roman character in their name? This would also affect me if that's the case, since my name includes "ö". I also checked on app store connect and already deleted xcode cloud data, removed all certificates recreated the workflow, but it still gives this error. Any ideas on how to fix this?