Hello, I have a multi-platform app that is split across two organizations: One is on iOS, and is distributed using the App Store with bundle ID X with team ID A. One is on macOS, and is distributed using Developer ID with bundle ID Y with team ID B. Once again, these are in two separate organizations. To consolidate these accounts we'd like to transfer ownership of Y to team ID A. However, according to the app transfer criteria, it appears that that's not possible: Both the transferor and recipient accounts can’t be in a pending or changing state, and the latest version of their paid and free agreements must be accepted. [...] The app must have had at least one version that's been approved for distribution. Given the context from the rest of the page, it seems valid to assume (and I've confirmed this through speaking with technical support) that apps are only eligible for transfer if they've been submitted to the App Store, so I'm considering looking into it just for the purposes of this transfer. This app has a fairly large user base and if possible we want to avoid any user disruption (and any cost inflicted on our API) as a result of a forced logout due to losing access to the previous keychain. As a bonus, it would be nice, though not necessary, if the macOS app could ship under the same entry as the iOS app. As I understand it, this would require changing the macOS app to use bundle ID X. Before going down this road, I'd like to confirm if the following plan is a sane one for accomplishing a complete app transfer that satisfies the above requirements: Distribute the app on the macOS App Store under team ID B. Transfer the app, and continue distribution on the macOS App Store under team ID A. Obtain a new Developer ID certificate for using bundle ID Y with team ID B. Resume distribution of the Developer-ID-signed app with team ID B, without loss of keychain access. If loss of keychain access is not possible, can someone confirm if it is at least possible to keep the same bundle ID after performing the steps above? Many thanks in advance for your help - there is much conflicting information online and in this forum, and little documentation when it comes to Developer ID transfers. I've even spoken to several Apple employees who have directed me here.

Hi Team, Need your help on solving the errSecInternalComponent error which is getting generated while doing a xcode archive command from jenkins jobs. Currently using Sonoma-14.4, Xcode-15.2, in local it's working well both build and archive but in case of jenkins i am unable to get that, i already given security-unlock commands also before the archive stage but no use, Commands passed: security unlock-keychain -p xxxx /Users/ec2-user/Library/Keychains/login.keychain-db; \ security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k xxxxx Please let me know if i have missed any configuration thing. Error Signing Identity: "iPhone Distribution: " Provisioning Profile: "Notification Content Dist Profile" (ffb7be92-3e65-4be4-b161-07c7f75723f0) /usr/bin/codesign --force --sign 1FD10D04940E92C7A212E4A27C1E11D5C3DB12E9 --preserve-metadata\=identifier,entitlements,flags --generate-entitlement-der /Users/ec2-user/Library/Developer/Xcode/DerivedData/ReferenceApp-CardAppSDK-bwgchbllhpzevwgvnuwqvjywfeju/Build/Intermediates.noindex/ArchiveIntermediates/ReferenceApp-CardAppSDK/IntermediateBuildFilesPath/UninstalledProducts/iphoneos/NotificationContentExtension.appex/Frameworks/PushNotificationExtensions.framework Warning: unable to build chain to self-signed root for signer "iPhone Distribution: " /Users/ec2-user/Library/Developer/Xcode/DerivedData/ReferenceApp-CardAppSDK-bwgchbllhpzevwgvnuwqvjywfeju/Build/Intermediates.noindex/ArchiveIntermediates/ReferenceApp-CardAppSDK/IntermediateBuildFilesPath/UninstalledProducts/iphoneos/NotificationContentExtension.appex/Frameworks/PushNotificationExtensions.framework: errSecInternalComponent please help on this ASAP

Hi, I'm wondering if we'd want to improve the clarity of the Apple Platform Security guide (dated 2022) on the iOS app security model (page 99), as edits might have lost the intended structure of the sentence (although I might be reading it wrong). Current text: At runtime, code signature checks that all executable memory pages are made as they are loaded to help ensure that an app hasn’t been modified since it was installed or last updated. Possible rephrasing: At runtime, iOS checks code signature on all executable memory pages as they are loaded to help ensure that an app hasn’t been modified since it was installed or last updated.

I have an Xcode project (generated from Qt) which is signed by a post-processing script. It uses the invocation: codesign -o runtime --sign "$(CODE_SIGN_IDENTITY)" CODE_SIGN_IDENTITY is set to "Apple Development" in the Build Settings for the target. The signing step fails with this complaint Apple Development: ambiguous (matches "Apple Development: <my name> (an ID)" and "Apple Development: <my company email> (another ID)" in login.keychain-db) It is true, I do have two Apple Development certificates. I thought one is for personal development (when you pick the personal team) and the other for company development (when I pick the company team). I have other Xcode projects (built "by hand") which have CODE_SIGN_IDENTITY set to "Apple Development" and with Automatic signing turned on, and they build just fine, even though I have two certificates with common names beginning "Apple Development". However, when I look at the build log of those regular Xcode projects, which are signed by Xcode rather than in a post-processing script, the Signing step logs this: Signing Identity: Apple Development: (an ID) not simply "Apple Development". Xcode seems to have resolved the ambiguity all on its own before calling codesign. It then calls codesign using the hash of the certificate as its identifier. How can I emulate Xcode's behavior here? The postprocessing script runs on different developer's machines - they all have multiple "Apple Development" certificates, and they are all different from one another.

I started the notarization process last night with the following command xcrun notarytool submit --wait --keychain-profile "Developer ID Application: ..." --verbose Open\ Interface.zip When I check its status, it still shows as it's in progress over 16 hours later xcrun notarytool history --keychain-profile "Developer ID Application: ..." Successfully received submission history. history -------------------------------------------------- createdDate: 2024-04-09T03:49:07.620Z id: 8fcf8111-c18c-4941-acb6-f447d86735a2 name: Open Interface.zip status: In Progress -------------------------------------------------- createdDate: 2024-04-09T03:23:58.816Z id: 93461030-f230-4225-b9f2-5d9472904858 name: Open Interface.zip status: In Progress Does anyone know what might be going wrong? My .zip file is available here: https://github.com/AmberSahdev/Open-Interface/releases/download/0.5.0/Open-Interface-v0.5.0-MacOS.zip Thanks!

I am not enrolled in the Apple developer program and need to create a small Safari app extension helper that will be shared with my colleagues within the company. Is it somehow possible for me to distribute the app in some way without forcing everyone to disable a gatekeeper?

Hello guys, I've been dealing with one error in my xcode cloud configuration. I want to auto-deploy the app version to Testflight on something is merged to main branch. Of course if I do at my local environment it works perfect. But when I try to execute it at XCode Cloud I've got this error. I really don't have any idea about how to fix it. Thanks a lot for your time 😊 Invalid Signature. The main app bundle SyncTion at path SyncTion.app has following signing error(s): valid on disk SyncTion.app: does not satisfy its designated Requirement SyncTion.app: explicit requirement satisfied . Refer to the Code Signing and Application Sandboxing Guide at http://developer.apple.com/library/mac/#documentation/Security/Conceptual/CodeSigningGuide/AboutCS/AboutCS.html and Technical Note 2206 at https://developer.apple.com/library/mac/technotes/tn2206/_index.html for more information.

I have recently upgraded to macOS 14 and Xcode 15. I gather codesign --deep no longer works. Do I have to explicitly codesign every file in my .app? There are several hundreds of them. Also, I am able to successfully codesign my executable (MyApp.app/Contents/MacOS/MyExecutable), but when I upload for Notarization, it fails with "The signature of the binary is invalid.", identifying the executable specifically. This used to work fine. Why is it failing now?

What are the file differences between the IPA I created with Xcode, uploaded to the App Store, and the one downloaded to the end user's phone? Does any process other than encryption, re-signing, and app thinning cause changes in these files?

Hello, I'm create an app using QT on MacOs with Generate to Xcode, when submitting it to the App Store the upload process was successful but I got email feedback with the message containing the following: ITMS-90238: Invalid Signature - The main app bundle Tren at path Tren.app has following signing error(s): a sealed resource is missing or invalid . Refer to the Code Signing and Application Sandboxing Guide at http://developer.apple.com/library/mac/#documentation/Security/Conceptual/CodeSigningGuide/AboutCS/AboutCS.html and Technical Note 2206 at https://developer.apple .com/library/mac/technotes/tn2206/_index.html for more information. ITMS-90296: App sandbox not enabled - The following executables must include the 'com.apple.security.app-sandbox' entitlement with a Boolean value of true in the entitlements property list: [[Tren.app/Contents/MacOS/Tren ]] Refer to App Sandbox page at https://developer.apple.com/documentation/security/app_sandbox for more information on sandboxing your app. I've done the methods available in the community, but it still doesn't work. I hope someone will provide a solution, thank you

We're distributing an XCFramework to a customer to create their own apps. With the new XCFramework signing requirements, we have a question with regards the way how to implement it. We're using a few of the frameworks on the list https://developer.apple.com/support/third-party-SDK-requirements/ including [AFNetworking], as a dependencies for our framework. We are building those frameworks from source code and not using any binaries provided by any third-party. We also modify the open source code, so that it is different from the original open source code in a way so that it won't lead to runtime conflicts in case the customers is including similar frameworks in their application. We're using those derivatives of the open source frameworks as a statically linked libraries to our SDK. Questions: Do we need to sign the third party frameworks of which we have cloned source code and using it within our SDK Framework? Is it required that the XCFramework built this way is signed when it is delivered to a third party and they use it in their app?

How to implement code signing for enterprise accounts

I'm submitting an update to an app which was originally submitted in 2008. So, it has one of the "old" app id prefixes, not the Team ID prefix used by newer apps. When I try to validate this app built in Xcode 15 in organizer, I get a warning that the app id prefix in the current store app is changing from the "old" prefix to the new Team ID prefix. I didn't change anything. The App Identifier, Certificates, and Profile are the same that I used last June under Xcode 14. So, there seems to be an issue with Xcode 15. Same issue under 15.0 and 15.2. Anyone know a fix for this? This still works fine in Xcode 14. If I can't come up with a fix, I'll just submit with 14 as that's still valid until April 2024 I think. Regards, Patrick

Older internet entries say there were free accounts we could use. I'm trying to create my .ipa apple installation file without using a payable developer account. In my case, I wisht to create the file for my own personal use. Is there a way to get a free developer account? I have tried by going to https://developer.apple.com/ and for individuals, payment is required. It's been many days since I sent questions to apple and no reply has been received. What can I do?

The entire error is: "Failed retrieving request UUID for upload. You may have outstanding agreements to sign on App Store Connect." Logging into App Store Connect and the Agreements are all marked "Active". There are no account notifications on either App Store or developer.apple.com to indicate something is out of date. This is in XCode performing: Archive. Then in Archive window "Distribute App", "Developer ID", "Upload" From net searching I tried: restarting XCode, rebooting the machine, and in 'Preferences" removing and then adding in my account. Nothing worked. Any ideas? Montery 12.0.1 XCode 13.1

I am having trouble submitting the next build of my macOS app to the App Store Connect. I keep getting a variation of this error: ITMS-90238: Invalid Signature - The main app bundle MyApp at path MyApp.app has following signing error(s): code has no resources but signature indicates they must be present In subcomponent: MyApp.app/Contents/Frameworks/GoogleAppMeasurement.framework . Refer to the Code Signing and Application Sandboxing Guide at http://developer.apple.com/library/mac/#documentation/Security/Conceptual/CodeSigningGuide/AboutCS/AboutCS.html and Technical Note 2206 at https://developer.apple.com/library/mac/technotes/tn2206/_index.html for more information. ITMS-90238: Invalid Signature - The main app bundle MyApp at path MyApp.app has following signing error(s): code has no resources but signature indicates they must be present In subcomponent: MyApp.app/Contents/Frameworks/GoogleAppMeasurementIdentitySupport.framework . Refer to the Code Signing and Application Sandboxing Guide at http://developer.apple.com/library/mac/#documentation/Security/Conceptual/CodeSigningGuide/AboutCS/AboutCS.html and Technical Note 2206 at https://developer.apple.com/library/mac/technotes/tn2206/_index.html for more information. ITMS-90238: Invalid Signature - The main app bundle MyApp at path MyAppt.app has following signing error(s): code has no resources but signature indicates they must be present In subcomponent: MyApp.app/Contents/Frameworks/FirebaseAnalytics.framework . Refer to the Code Signing and Application Sandboxing Guide at http://developer.apple.com/library/mac/#documentation/Security/Conceptual/CodeSigningGuide/AboutCS/AboutCS.html and Technical Note 2206 at https://developer.apple.com/library/mac/technotes/tn2206/_index.html for more information. I am using Firebase framework as a Swift package. I tried updating Swift package to the latest version and that didn't help. I also tried to revert to the last version that was successfully used on the App Store/TestFlight and that didn't help. I have no control over this framework other than not use it or choose a specific version. I also tried to export the app and use the Transporter app and that didn't help. Any suggestions?

Are mergeable libraries compatible with digital signatures and privacy manifests? If so, what happens to the privacy manifests from each merged library? Do they get merged?

I am receiving an error message trying to upload an update for my macOS app to App Store Connect that I do not understand: "Cannot be used with TestFlight because the signature for the bundle at “YourApp.app” is missing an application identifier but has an application identifier in the provisioning profile for the bundle. Bundles with application identifiers in the provisioning profile are expected to have the same identifier signed into the bundle in order to be eligible for TestFlight". I have double-checked, and the nbunde identifier in the profile matches that in the Info.plist, and I have, in addition, now passed it via "--identifier" to code sign for the app bundle as well, but the error remains. Where else would the identifier be needed, and has this changed recently? (I last uploaded this app a year ago, w/o issues, and made no relevant changes). I am using a custom toolchain and not Xcode to build the app bundle and installer. codesign -dvvv also reports the correct the bundle identifier back as expected. any suggestions?