General: Forums topic: Code Signing Forums subtopics: Code Signing > General, Code Signing > Certificates, Identifiers & Profiles, Code Signing > Notarization, Code Signing > Entitlements Forums tags: Code Signing, Signing Certificates, Provisioning Profiles, Entitlements Developer Account Help — This document is good in general but, in particular, the Reference section is chock-full of useful information, including the names and purposes of all certificate types issued by Apple Developer web site, tables of which capabilities are supported by which distribution models on iOS and macOS, and information on how to use managed capabilities. Developer > Support > Certificates covers some important policy issues Bundle Resources > Entitlements documentation TN3125 Inside Code Signing: Provisioning Profiles — This includes links to the other technotes in the Inside Code Signing series. WWDC 2021 Session 10204 Distribute apps in Xcode with cloud signing Certificate Signing Requests Explained forums post --deep Considered Harmful forums post Don’t Run App Store Distribution-Signed Code forums post Resolving errSecInternalComponent errors during code signing forums post Finding a Capability’s Distribution Restrictions forums post Signing code with a hardware-based code-signing identity forums post Mac code signing: Forums tag: Developer ID Creating distribution-signed code for macOS documentation Packaging Mac software for distribution documentation Placing Content in a Bundle documentation Embedding nonstandard code structures in a bundle documentation Embedding a command-line tool in a sandboxed app documentation Signing a daemon with a restricted entitlement documentation Defining launch environment and library constraints documentation WWDC 2023 Session 10266 Protect your Mac app with environment constraints TN2206 macOS Code Signing In Depth archived technote — This doc has mostly been replaced by the other resources linked to here but it still contains a few unique tidbits and it’s a great historical reference. Manual Code Signing Example forums post The Care and Feeding of Developer ID forums post TestFlight, Provisioning Profiles, and the Mac App Store forums post For problems with notarisation, see Notarisation Resources. For problems with the trusted execution system, including Gatekeeper, see Trusted Execution Resources. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"

Note: This failure occurs even when running on the same machine that performed the build, signing, and notarization steps. We are developing a command-line Endpoint Security (ES) client for macOS, distributed to customers as part of an enterprise security suite. We have a valid Apple Developer Team ID (redacted for privacy) and have requested and received the Endpoint Security entitlement for our account. What We’ve Done Built a universal (x86_64/arm64) CLI ES client using Xcode on macOS Sonoma. Signed with a Developer ID Application certificate (matching our Team ID). Applied the entitlement: com.apple.developer.endpoint-security.client. Notarized the binary via notarytool after receiving Apple’s confirmation that the entitlement was “assigned to our account.” Distributed and unzipped the notarized ZIP (with com.apple.quarantine xattr intact). What Happens: When we run the binary (as root, via sudo) on any test Mac—including the original build/notarization machine—the process is killed immediately at launch. Kernel log (log stream --predicate 'eventMessage CONTAINS "AMFI"' --info) shows: AMFI: code signature validation failed. AMFI: bailing out because of restricted entitlements. AMFI: When validating /path/to/fidelisevents: Code has restricted entitlements, but the validation of its code signature failed. Unsatisfied Entitlements: What We’ve Verified: codesign -dvvv --entitlements :- ./fidelisevents shows the correct entitlement, team identifier, and certificate. xattr ./fidelisevents shows both com.apple.provenance and com.apple.quarantine. spctl -a -vv ./fidelisevents returns: rejected (the code is valid but does not seem to be an app) origin=Developer ID Application: [REDACTED] The process is killed even if run on the same Mac where build/sign/notarization occurred. Other Details The entitlement approval email from Apple simply says it is “assigned to your account” and does not mention “production” or “distribution.” We have rebuilt, re-signed, and re-notarized after receiving the email. This occurs on both Apple Silicon and Intel Macs, with recent macOS versions (Sonoma, Ventura). Question Is it possible that Apple only assigned the development Endpoint Security entitlement, and not the production entitlement required for distributing/running notarized ES clients outside of development? Is there any way to verify the level of entitlement (dev vs. production) associated with our Team ID? What additional steps, if any, are needed to enable the production entitlement so that our binaries can run on customer endpoints without being killed by AMFI? Any advice, experience, or official documentation about production ES entitlement rollout, approval, or troubleshooting would be greatly appreciated! Thanks in advance!

I spent 20 minutes trying to figure out why codesigning was failing -- I had the pf block set up correctly, my keychains were unlocked, and then, eventually, it occurred to me, hey, maybe an IP address changed, so I disabled IPv6 except for link local, and then amazingly, it went back to working. I filed FB13706261 over a year ago. This is ridiculous.

I am having an issue with signing and provisioning a Vision OS app. I have an iOS app and a VisionOS app. Everything works fine on the iOS but having issues with the VisionOS. First, I am having issues with xcodebuild -exportArchive. When I run it on an archive of my VisionOS app I get ** EXPORT FAILED ** error: exportArchive No Accounts error: exportArchive No profiles for 'X' were found Where X is my bundle ID. Meanwhile the iOS app succeeds. This is on a CI machine but I confirmed the distribution provision profile for the vision OS app is installed on the machine. Even if I change the value of the -exportOptionsPlist to the one I used for the iOS project I get this error. Is the issue in the archive itself? The archives are generated from building in Unity and archiving the xcodeproject with xcodebuild archive Second, as a workaround I archived a debug ipa on my machine and uploaded this ipa to my CI machine which has the credentials to sign for distribution. I use this script as an example as how to resign the IPA: https://gist.github.com/lodalo/754a35b48d382ae99b25 I remove the CodeSignatures and codesign both .app and UnityFramework.framework. Using this resigned IPA I get this error when I try to upload to app store connect (via Transporter app and altool) errors: Validation failed (409) Missing or invalid signature. The bundle 'X' at bundle path 'Payload/Y.app' is not signed using an Apple submission certificate. To verify the signing I used codesign -dvvv --entitlements - On both the iOS and VisionOS app and they have the same values under all the Authority fields. Different profiles, of course. So the certificate I used is eligible to upload the iOS app successfully but doesn't work on the VisionOS ipa? Any help on solving any of these issues would be great so I can upload the vision OS app. Thank you!

Hi everyone, After I recently changed my Apple ID (iCloud) password, my Developer ID certificate stopped working for signing macOS apps. Symptoms: Signing fails with the Developer ID certificate that was previously working fine. I tried re-downloading the certificate from my Apple Developer account and importing it into the Keychain, but the issue persists. It seems that the Developer ID identity is no longer trusted or properly linked to my system since the password change. Attempts: Re-downloaded and installed the certificate from the developer portal. Verified that the private key is present and linked. Checked keychain access and code-signing identity — everything appears normal, but the signed apps are rejected or the signing process fails. Blocking issue: I am unable to delete or revoke the Developer ID certificate on my account (Apple Support says it's not possible). Also, I can't create a new one due to the certificate limit. Questions: Is it expected for a Developer ID certificate to become invalid after changing the Apple ID password? Is there a recommended way to refresh or restore the certificate trust on macOS? How can I invalidate the current certificate and generate a new one if I'm stuck? Any insights or official guidance would be really appreciated. Thanks in advance!

I am a developer working on iOS apps. I would like to report an issue occurring in iOS 26 beta 2. Our company has Enterprise account, and we are developing apps. When we distribute these apps, and install them on a device running iOS 26 beta2, apps install successfully, but apps crashed immediately after being launched. MDM Install Application When I install the app via Xcode and trust it, apps will run. Launchd job spawn failed This issue does not occur on versions prior to iOS 26. I would like to know if this is a problem that will be resolved in future updates, or if it is a policy change.

In xcode, the signing&capabilities TAB for ios says: Automatic signing failed Xcode failed to provision this target. Please file a bug report at https://feedbackassistant.apple.com and include the Update Signing report from the Report navigator. Provisioning profile "iOS Team Provisioning Profile: com.kikk.morsecode" doesn't include the com.apple.developer.in-app-purchase entitlement. Even though I've already configured the corresponding Certificates, Identifiers & Profiles in developer Does anyone have the same problem? My Version of xcode is Version 15.4 (15F31d), running on m2pro.

We recently had an external pentest for one of our company's macOS applications and they brought up the topic of library validation. Our app has hardened runtime enabled and passes notarization. The codesign verification output includes: flags=0x10000(runtime) The pentesters brought up that both validation and runtime should be present, so I discovered that you could also add library validation by augmenting our flags with: OTHER_CODE_SIGN_FLAGS = --timestamp -o library which changes the flags to: flags=0x12000(library-validation,runtime) The pentesters insist that both options are necessary, especially to avoid library injection when SIP is off, but Apple's docs say that hardened runtime already implies library validation (see here ) My question is: does explicitly specifying library validation provide something that hardened runtime does not already? Or is it correct that hardened runtime already imply library validation? For what it's worth, I did a quick scan of some of the apps on my system, interesting some of the Apple system apps have only library validation (e.g. Safari, Photos), some have both (e.g. Podcasts), some have only hardened runtime (e.g. Mail). So that didn't help answer the question. Thank you!

I came across your contact on the Apple Developer Forums. I'm encountering an unusual issue during the notarization process. The error message states: "Team is not yet configured for notarization. Please contact Developer Programs Support at developer.apple.com under the topic Development and Technical / Other Development or Technical Questions." Any guidance you could provide would be greatly appreciated. Here are the error details for reference: json { "logFormatVersion": 1, "jobId": "b6023a7c-dc85-4fa5-91dd-fba92c9ed831", "status": "Rejected", "statusSummary": "Team is not yet configured for notarization. Please contact Developer Programs Support at developer.apple.com under the topic Development and Technical / Other Development or Technical Questions.", "statusCode": 7000, "archiveFilename": "Bytemonk.dmg", "uploadDate": "2025-07-02T07:07:07.945Z", "sha256": "b9494170cc040a76045ed263de22e6b89a5455142af16ce502530e1c1ee72ddf", "ticketContents": null, "issues": null }

Hi, I am using Xcode 16.4, and my test device is Iphone 16 pro max. Everything was working fine until today when I get an error that I cannot install the app on the device. The error I get is: Failed to verify code signature of /var/installd/Library/Caches/com.apple.mobile.installd.staging/temp.cRjyg7/extracted/[myapp].app : 0xe8008015 (A valid provisioning profile for this executable was not found.) Please ensure sure that your app is signed by a valid provisioning profile. Creating a new project and installing it to the mobile works fine. Please can someone from Apple or the community respond? there are many posts with this error but none were solved. Troubleshooting attempts included: Resetting all certificates. delete the app from the device unpairing device codesigning via cli reloading older git code commit Nothing is working. thanks

After upgrading the virtual machines used for building and testing our macOS application, it seems that something new in Sequoia is preventing virtual machines from running anything signed with a Mac Development certificate. At first glance the issue seems very similar to this thread, but it could be unrelated. We are using the tart toolset to build and run our VMs. People seem to be having related issues there with Sequoia in particular. I have added the VM's hardware UUID to the Devices list of our account. I have included that device in the devices list of our Mac Development provisioning profile. I have re-downloaded the profile, ensured that it is properly getting built into the app, and ensured that the hardware UUID of the VM matches the embedded provisioning profile: Virtual-Machine App.app/Contents % system_profiler SPHardwareDataType | grep UUID Hardware UUID: 0CAE034E-C837-53E6-BA67-3B2CC7AD3719 Virtual-Machine App.app/Contents % grep 0CAE034E-C837-53E6-BA67-3B2CC7AD3719 ../../App.app/Contents/embedded.provisionprofile Binary file ../../App.app/Contents/embedded.provisionprofile matches However, when I try to run the application, it fails, and while I have searched the system logs to find a more informative error message, the only thing I can find is that the profile doesn't match the device somehow: Virtual-Machine App.app/Contents % open ../../App.app The application cannot be opened for an unexpected reason, error=Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." UserInfo={NSLocalizedFailureReason=Launch failed., NSUnderlyingError=0x6000039440f0 {Error Domain=NSPOSIXErrorDomain Code=153 "Unknown error: 153" UserInfo={NSLocalizedDescription=Launchd job spawn failed}}} Virtual-Machine App.app/Contents % log show --info --debug --signpost --last 3m | grep -i embedded.provisionprofile 2025-01-21 16:33:32.369829+0000 0x65ba Error 0x0 2872 7 taskgated-helper: (ConfigurationProfiles) [com.apple.ManagedClient:ProvisioningProfiles] embedded provisioning profile not valid: file:///private/tmp/builds/app/.caches/Xcode/DerivedData/Build/Products/Debug/App.app/Contents/embedded.provisionprofile error: Error Domain=CPProfileManager Code=-212 "Provisioning profile does not allow this device." UserInfo={NSLocalizedDescription=Provisioning profile does not allow this device.} I don't understand why the provisioning profile wouldn't allow the device if the hardware UUID matches. I have also attempted to add the Provisioning UDID in the devices list instead, but the form rejects that value because it's a different format (the form specifically requests a hardware UUID for macOS development, and a provisioning UDID for everything else). If there is any debugging tool that lets me check a provisioning profile against the running hardware and print a more verbose reason for why it's not allowed on the device, please let me know. Otherwise I'd have to conclude that, since I haven't experienced this issue before on an earlier OS, it has something to do with virtual machines running macOS Sequoia. (The same Mac Development-signed application runs just fine on my MacBook Pro running 15.2, as well as the VM host, which is also running 15.2.) I have also tried resetting the VM's hardware UUID and adding that one to the devices list, to no effect. This is obviously seriously impacting our CI/CD pipelines to allow for proper UI testing of our application. If anyone is aware of any workarounds, I would love to hear them!

Dear Apple Developer Technical Support, I am encountering an issue with notarizing and stapling both PKG and DMG installers for our Electron-based macOS application COSGrid. Despite receiving successful notarization submission responses via notarytool, the stapling process fails with Error 65. Environment: App Name: COSGrid Bundle Identifier: com.cosgrid.pkg.COSGrid Developer ID Team ID: YB8S2XZ98K macOS Version: macOS [15.1] Xcode Version: [16.0 (16A242d)] Workflow Summary: For PKG: Build via yarn build (Vite + Electron Builder) Package with pkgbuild Sign using productsign Submit for notarization: xcrun notarytool submit COSGridMZA-2.1.10-arm64.pkg --apple-id "..." --team-id YB8S2XZ98K --password "..." --wait Conducting pre-submission checks for COSGridMZA-2.1.10-arm64.pkg and initiating connection to the Apple notary service... Submission ID received id: a8ff8e09-1ab4-49ed-9f6b-4afb9f09e53a Upload progress: 100.00% (235 MB of 235 MB) Successfully uploaded file id: a8ff8e09-1ab4-49ed-9f6b-4afb9f09e53a path: /Users/murugavel/Documents/MZA/mza/release/2.1.10/COSGridMZA-2.1.10-arm64.pkg Waiting for processing to complete. Current status: Accepted..................... Processing complete id: a8ff8e09-1ab4-49ed-9f6b-4afb9f09e53a status: Accepted Receive notarization success Stapling fails: xcrun stapler staple COSGridMZA-2.1.10-arm64.pkg Could not validate ticket... The staple and validate action failed! Error 65. For DMG: Sign via codesign Submit to notarization — success Attempt to staple: xcrun stapler staple -v COSGrid-2.1.10-arm64.dmg Could not validate ticket... The staple and validate action failed! Error 65. Additional Verification: I verified the DMG’s code signature integrity: Command: codesign --verify --verbose=4 COSGrid-2.1.10-arm64.dmg Output: COSGrid-2.1.10-arm64.dmg: valid on disk COSGrid-2.1.10-arm64.dmg: satisfies its Designated Requirement Command: codesign -dvv COSGrid-2.1.10-arm64.dmg Output: Executable=/Users/murugavel/Documents/MZA/mza/release/2.1.10/COSGrid-2.1.10-arm64.dmg Identifier=COSGrid-2.1.10-arm64 Format=disk image CodeDirectory v=20200 size=308 flags=0x0(none) hashes=1+6 location=embedded Signature size=9013 Authority=Developer ID Application: COSGrid Systems Private Limited (YB8S2XZ98K) Authority=Developer ID Certification Authority Authority=Apple Root CA Timestamp=1 Jul 2025 at 11:34:05 AM Info.plist=not bound TeamIdentifier=YB8S2XZ98K Sealed Resources=none Internal requirements count=1 size=180 **Verified Signature for .pkg ** pkgutil --check-signature COSGridMZA-2.1.10-arm64.pkg Package "COSGridMZA-2.1.10-arm64.pkg": Status: signed by a developer certificate issued by Apple for distribution Signed with a trusted timestamp on: 2025-06-30 13:57:19 +0000 Certificate Chain: 1. Developer ID Installer: COSGrid Systems Private Limited (teamID) Expires: 2027-02-01 22:12:15 +0000 2. Developer ID Certification Authority Expires: 2027-02-01 22:12:15 +0000 3. Apple Root CA Expires: 2035-02-09 21:40:36 +0000 Diagnostic Logs Attached: Stapler verbose logs for both PKG and DMG codesign verification output for both PKG and DMG Notarytool submission logs Ticket JSON response from Apple API API request/response headers Effective electron-builder.yaml config Key Observations: codesign verification passes successfully for both artifacts Notarization submission reports success via notarytool Stapler fails with Error 65 for both PKG and DMG Ticket JSON fetched from CloudKit API appears valid No provisioning profile used (Developer ID distribution only) Request: Could you please help investigate: Why is the stapler unable to validate or attach the ticket even though notarization completes successfully? Are there any known issues, entitlements, or workflow adjustments recommended in this case? Is any special handling required for Electron apps’ PKG/DMG packages or Hardened Runtime configurations during stapling? I can provide the signed DMG/PKG and full notarization logs upon request. Thank you very much for your assistance — looking forward to your guidance. Best regards, Murugavel COSGrid Systems Private Limited

I have a valid Developer ID Certificate, I've used it to sign an app locally and send the app to other machines of my colleagues to make sure it works and does not get triggered by GateKeeper Now I want to automate the process of signing and notarization on github actions and so I want to export my certificate and upload it there. Initially I tried uploading both the Developer ID Certificate and the G2 CA both as .cer files encoded in base64. But apparently I need my certificate to be in .p12 format When I try to export it from keychain access the option to export as .p12 is disabled. So how can I do it ?

This is a continuation of my own old post that became inactive to regain traction. I am trying to resolve issues that arise when distributing a macOS app with a SysExt Network Extension (Packet Tunnel) outside the App Store using a Developer ID Certificate. To directly distribute the app, I start with exporting the .app via Archive in Xcode. After that, I create a new Developer ID provisioning profile for both the app and sysext and replace the embedded ones in the .app package. After I have replaced the provisioning profiles and the have the entitlements files ready, I start signing the frameworks, sysext and parent app. codesign --force --options runtime --timestamp --sign "Developer ID Application: <name>"<app>.app/Contents/Library/SystemExtensions/<sysext>.systemextension/Contents/Frameworks/<fw>.framework/Versions/A/<fw> codesign --force --options runtime --timestamp --sign "Developer ID Application: <name>" <app>.app/Contents/Frameworks/<fw>.framework/ codesign --force --options runtime --entitlements dist-vpn.entitlements --timestamp --sign "Developer ID Application: <name>" <app>.app/Contents/Library/SystemExtensions/<sysext>.systemextension/Contents/MacOS/<sysext> codesign --force --options runtime --entitlements dist.entitlements --timestamp --sign "Developer ID Application: <name>" <app>.app After validation is successful with codesign --verify --deep --strict --verbose=4 <app>.app I zip the package, notarize and staple it ditto -c -k --keepParent "<app>.app" "<app>..zip" xcrun notarytool submit <app>.zip --keychain-profile “”<credents> --wait xcrun stapler staple <app>.app After that I finish creating signed and notarized .dmg/.pkg. hdiutil create -volname “<app>” -srcfolder “<app>.app/" -ov -format UDZO ./<app>.dmg codesign --force --sign "Developer ID Application: <name>" <app>.dmg xcrun notarytool submit <app>.dmg --keychain-profile "<credentials>" --wait xcrun stapler staple <app>.dmg Then when I move the .dmg to a clean system, open the .dmg, move the .app to the Applications folder, the attempt to run it fails with “The application “” can’t be opened.”. When I look into the console, the gatekeeper disallows the launch job with the message:
 86127 debug ProvisioningProfiles taskgated-helper ConfigurationProfiles entitlements: { "com.apple.developer.networking.networkextension" = ( "packet-tunnel-provider-systemextension" ); "com.apple.developer.system-extension.install" = 1; "com.apple.developer.team-identifier" = <teamid>; "keychain-access-groups" = ( “<teamid>.<app>.AppGroup" ); } com.apple.ManagedClient
<app>: Unsatisfied entitlements: com.apple.developer.networking.networkextension, keychain-access-groups, com.apple.developer.system-extension.install, com.apple.developer.team-identifier LAUNCH: Runningboard launch of <app> <private> returned RBSRequestErrorFailed, error Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." UserInfo={NSLocalizedFailureReason=Launch failed., NSUnderlyingError=0x600001a25830 {Error Domain=NSPOSIXErrorDomain Code=153 "Unknown error: 153" UserInfo={NSLocalizedDescription=Launchd job spawn failed}}}, so returning -10810

 I went through all possible formats (macOS-Style and iOS-Style App Group IDs) and combinations of appgroups according to the post “App Groups: macOS vs iOS: Working Towards Harmony”. But none of those work for me. The weird part is that when I try the same steps on different developer account, I am able to get the app running. What can be wrong?

Is it possible to directly distribute a macOS app with a Developer ID Certificate that belongs to a different team? I am trying to resolve issues that arise when distributing a macOS app with a Network Extension (Packet Tunnel) outside the App Store using a Developer ID Certificate from a different team than the app’s provisioning profiles and entitlements. I started by attempting Direct Distribution in Xcode with automatic signing. However, it fails with the following message: Provisioning profile "Mac Team Direct Provisioning Profile: ” failed qualification checks: Profile doesn't match the entitlements file's value for the com.apple.developer.networking.networkextension entitlement. I suspect the issue is that the provisioning profile allows "packet-tunnel-provider-systemextension", whereas the entitlements generated by Xcode contain "packet-tunnel-provider". When I manually modify the .entitlements file to include the -systemextension suffix, the project fails to build because Xcode does not recognize the modified entitlement. If there is a workaround for this issue, please let me know. Due to these issues, I resorted to manually creating a signed and notarized app. My process is as follows: Export the .app from the Xcode archive. Since the exported .app does not contain the necessary entitlements or provisioning profile for direct distribution, I replace Contents/embedded.provisioningprofile in both the .app and the .appex network extension. Sign the app and its components in the following order: codesign --force --options runtime --timestamp --sign "Developer ID Application: <name>" <app>.app/Contents/Frameworks/<fw>.framework/ codesign --force --options runtime --timestamp --sign "Developer ID Application: <name>"<app>.app/Contents/PlugIns/<netext>.appex/Contents/Frameworks/<fw>.framework/Versions/A/<fw> codesign --force --options runtime --entitlements dist-vpn.entitlements --timestamp --sign "Developer ID Application: <name>" <app>.app/Contents/PlugIns/<netext>.appex/ codesign --force --options runtime --entitlements dist.entitlements --timestamp --sign "Developer ID Application: <name>" <app>.app Verify the code signature: codesign --verify --deep --strict --verbose=4 <app>.app - <app>.app: valid on disk - <app>.app: satisfies its Designated Requirement Create a ZIP archive using: ditto -c -k --sequesterRsrc --keepParent <app>.app <app>.zip Notarize the app with notarytool and staple it. The notarization completes successfully with errors: nil. Package the notarized app into a DMG, notarize, and staple the DMG. The app runs successfully on the development machine. However, when moved to another machine and placed in /Applications, it fails to open. Inspecting Console.app reveals Gatekeeper is blocking the launch:
 taskgated-helper <bundleid>: Unsatisfied entitlements: com.apple.developer.networking.networkextension, com.apple.developer.team-identifier taskgated-helper entitlements: { "com.apple.developer.networking.networkextension" = ("packet-tunnel-provider-systemextension"); "com.apple.developer.team-identifier" = <teamid>; } As mentioned earlier, the Developer ID Certificate used for signing belongs to a different team. We are a third-party developer and do not have access to the Developer ID Certificate of the team assigned as the team-identifier. When I changed the bundle identifier (app ID), team, entitlements, and provisioning profiles to match the team associated with the Developer ID Certificate, the app worked. My question is:
 Is this failure caused by using a Developer ID Certificate from a different team, or should it still work if the provisioning profiles and entitlements are correctly set? Could there be an issue elsewhere in the provisioning profiles or entitlements for the original app ID?

Hello Apple Support Team, We are developing a macOS application that allows users to import and view PST files (Microsoft Outlook archives). These files contain a complex, proprietary format that requires specialized parsing libraries. To achieve this, we are using Aspose Email for Java, which is currently one of the few reliable libraries that support complete PST parsing across platforms. Why we are using Java & Aspose The Aspose Email Java library provides a comprehensive API to extract mail data (including metadata, attachments, and folder structure) from .pst files. A native Swift or Objective-C alternative with full .pst parsing capability does not exist, which is why we opted for a Java-based helper module that runs in the background and communicates with the macOS app over a Unix domain socket. How we bundle it We package the AsposeEmail.jar and a custom JRE (Java Runtime Environment) created using jlink, tailored to run only our jar. This entire setup (JAR + JRE) is bundled within the Contents/Resources directory of the macOS app, and we invoke the Java runtime using standard process launch APIs from Swift. Problem during App Store Submission When we archive the app and submit it to the App Store, the validation step raises an error: ITMS-90284: Invalid Code Signing - The executable 'com.app.sample.appstore.pkg/Payload/Sample.app/Contents/Resources/custom-jre-universal/lib/cli ent/libjsig.dylib' must be signed with the certificate that is contained in the provisioning profile. ITMS-90284: Invalid Code Signing - The executable 'com.app.aample.appstore.pkg/Payload/Sample.app/Contents/Resources/custom-jre-universal/lib/cli ent/libjvm.dylib' must be signed with the certificate that is contained in the provisioning profile. When we attempt to code sign the custom JRE, especially the .dylib files inside, the runtime breaks. Java is unable to launch correctly and throws permission errors and execution failures. Alternative we thought of (On-Demand Download) To avoid the code signing issue, we decided to remove the JRE from the bundle and instead download it on demand when the user performs an action like "Import PST". However, we realized this may violate the App Store Review Guideline 2.5.2: Our use case, while not dynamically modifying features, does download and execute a Java runtime, which could be interpreted as executing new code post-installation. How can we proceed? We are looking for Apple’s guidance on the correct and compliant path forward: Is there a recommended way to bundle and codesign a custom JRE so it is accepted by the App Store? Is on-demand download of a custom runtime for a very specific parsing task permitted, assuming it doesn't modify app features but simply supports user-initiated operations? We would greatly appreciate any guidance or best practices on how to handle this situation, particularly with respect to App Store compliance. Regards, Maaz Hussain

Starting a few hours ago (roughly 2:45PM Eastern time) we began experiencing elevated latency with the Developer ID Notary Service. There is nothing listed on the developer system status page about degraded performance or a service outage. Operations that usually take ~15 minutes, are stacking up for hours. The oldest pending entry we have was created at 2:45PM Eastern: createdDate: 2025-06-24T18:45:22.539Z id: 5209a4d2-eae4-4714-aa8e-6961677ff2e We currently have 27 pending builds in the notary service since we are required to notarize internal builds to ensure we satisfy our requirements so this is creating an issue for us.

Dear Apple Support, We are experiencing a critical issue affecting some of our macOS users during application updates via DMG. In certain cases, when users attempt to update the app by dragging it from the mounted DMG to the /Applications folder (replacing the old version), the application becomes corrupted. Users receive an error indicating that the app cannot be opened. On retry, they are met with an error stating that the app cannot be overwritten. Upon inspection, the resulting application bundle is incomplete and contains only the following structure: . └── Contents └── CodeResources The only known workaround is to completely remove the existing app from /Applications before copying the new version — this resolves the issue consistently. We’ve observed this issue in the field with increasing frequency, which negatively impacts user trust. We also found similar reports from other developers (e.g., https://github.com/warpdotdev/Warp/issues/5492), suggesting a broader issue. Questions: What could be the underlying cause of this behavior on macOS (e.g., MDM, security policies, filesystem behavior)? Are there any recommended practices to prevent or mitigate this issue when updating apps via DMG? We would appreciate any guidance or clarification you can provide. Best regards, Ivan Poluianov

I've recently updated one of our CI mac mini's to Sequoia in preparation for the transition to Tahoe later this year. Most things seemed to work just fine, however I see this dialog whenever the UI Tests try to run. This application BoostBrowerUITest-Runner is auto-generated by Xcode to launch your application and then run your UI Tests. We do not have any control over it, which is why this is most surprising. I've checked the codesigning identity with codesign -d -vvvv as well as looked at it's Info.plist and indeed the usage descriptions for everything are present (again, this is autogenerated, so I'm not surprised, but just wanted to confirm the string from the dialog was coming from this app) &lt;?xml version="1.0" encoding="UTF-8"?&gt; &lt;!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"&gt; &lt;plist version="1.0"&gt; &lt;dict&gt; &lt;key&gt;BuildMachineOSBuild&lt;/key&gt; &lt;string&gt;22A380021&lt;/string&gt; &lt;key&gt;CFBundleAllowMixedLocalizations&lt;/key&gt; &lt;true/&gt; &lt;key&gt;CFBundleDevelopmentRegion&lt;/key&gt; &lt;string&gt;en&lt;/string&gt; &lt;key&gt;CFBundleExecutable&lt;/key&gt; &lt;string&gt;BoostBrowserUITests-Runner&lt;/string&gt; &lt;key&gt;CFBundleIdentifier&lt;/key&gt; &lt;string&gt;company.thebrowser.Browser2UITests.xctrunner&lt;/string&gt; &lt;key&gt;CFBundleInfoDictionaryVersion&lt;/key&gt; &lt;string&gt;6.0&lt;/string&gt; &lt;key&gt;CFBundleName&lt;/key&gt; &lt;string&gt;BoostBrowserUITests-Runner&lt;/string&gt; &lt;key&gt;CFBundlePackageType&lt;/key&gt; &lt;string&gt;APPL&lt;/string&gt; &lt;key&gt;CFBundleShortVersionString&lt;/key&gt; &lt;string&gt;1.0&lt;/string&gt; &lt;key&gt;CFBundleSignature&lt;/key&gt; &lt;string&gt;????&lt;/string&gt; &lt;key&gt;CFBundleSupportedPlatforms&lt;/key&gt; &lt;array&gt; &lt;string&gt;MacOSX&lt;/string&gt; &lt;/array&gt; &lt;key&gt;CFBundleVersion&lt;/key&gt; &lt;string&gt;1&lt;/string&gt; &lt;key&gt;DTCompiler&lt;/key&gt; &lt;string&gt;com.apple.compilers.llvm.clang.1_0&lt;/string&gt; &lt;key&gt;DTPlatformBuild&lt;/key&gt; &lt;string&gt;24A324&lt;/string&gt; &lt;key&gt;DTPlatformName&lt;/key&gt; &lt;string&gt;macosx&lt;/string&gt; &lt;key&gt;DTPlatformVersion&lt;/key&gt; &lt;string&gt;15.0&lt;/string&gt; &lt;key&gt;DTSDKBuild&lt;/key&gt; &lt;string&gt;24A324&lt;/string&gt; &lt;key&gt;DTSDKName&lt;/key&gt; &lt;string&gt;macosx15.0.internal&lt;/string&gt; &lt;key&gt;DTXcode&lt;/key&gt; &lt;string&gt;1620&lt;/string&gt; &lt;key&gt;DTXcodeBuild&lt;/key&gt; &lt;string&gt;16C5031c&lt;/string&gt; &lt;key&gt;LSBackgroundOnly&lt;/key&gt; &lt;true/&gt; &lt;key&gt;LSMinimumSystemVersion&lt;/key&gt; &lt;string&gt;13.0&lt;/string&gt; &lt;key&gt;NSAppTransportSecurity&lt;/key&gt; &lt;dict&gt; &lt;key&gt;NSAllowsArbitraryLoads&lt;/key&gt; &lt;true/&gt; &lt;/dict&gt; &lt;key&gt;NSAppleEventsUsageDescription&lt;/key&gt; &lt;string&gt;Access is necessary for automated testing.&lt;/string&gt; &lt;key&gt;NSBluetoothAlwaysUsageDescription&lt;/key&gt; &lt;string&gt;Access is necessary for automated testing.&lt;/string&gt; &lt;key&gt;NSCalendarsUsageDescription&lt;/key&gt; &lt;string&gt;Access is necessary for automated testing.&lt;/string&gt; &lt;key&gt;NSCameraUsageDescription&lt;/key&gt; &lt;string&gt;Access is necessary for automated testing.&lt;/string&gt; &lt;key&gt;NSContactsUsageDescription&lt;/key&gt; &lt;string&gt;Access is necessary for automated testing.&lt;/string&gt; &lt;key&gt;NSDesktopFolderUsageDescription&lt;/key&gt; &lt;string&gt;Access is necessary for automated testing.&lt;/string&gt; &lt;key&gt;NSDocumentsFolderUsageDescription&lt;/key&gt; &lt;string&gt;Access is necessary for automated testing.&lt;/string&gt; &lt;key&gt;NSDownloadsFolderUsageDescription&lt;/key&gt; &lt;string&gt;Access is necessary for automated testing.&lt;/string&gt; &lt;key&gt;NSFileProviderDomainUsageDescription&lt;/key&gt; &lt;string&gt;Access is necessary for automated testing.&lt;/string&gt; &lt;key&gt;NSFileProviderPresenceUsageDescription&lt;/key&gt; &lt;string&gt;Access is necessary for automated testing.&lt;/string&gt; &lt;key&gt;NSLocalNetworkUsageDescription&lt;/key&gt; &lt;string&gt;Access is necessary for automated testing.&lt;/string&gt; &lt;key&gt;NSLocationUsageDescription&lt;/key&gt; &lt;string&gt;Access is necessary for automated testing.&lt;/string&gt; &lt;key&gt;NSMicrophoneUsageDescription&lt;/key&gt; &lt;string&gt;Access is necessary for automated testing.&lt;/string&gt; &lt;key&gt;NSMotionUsageDescription&lt;/key&gt; &lt;string&gt;Access is necessary for automated testing.&lt;/string&gt; &lt;key&gt;NSNetworkVolumesUsageDescription&lt;/key&gt; &lt;string&gt;Access is necessary for automated testing.&lt;/string&gt; &lt;key&gt;NSPhotoLibraryUsageDescription&lt;/key&gt; &lt;string&gt;Access is necessary for automated testing.&lt;/string&gt; &lt;key&gt;NSRemindersUsageDescription&lt;/key&gt; &lt;string&gt;Access is necessary for automated testing.&lt;/string&gt; &lt;key&gt;NSRemovableVolumesUsageDescription&lt;/key&gt; &lt;string&gt;Access is necessary for automated testing.&lt;/string&gt; &lt;key&gt;NSSpeechRecognitionUsageDescription&lt;/key&gt; &lt;string&gt;Access is necessary for automated testing.&lt;/string&gt; &lt;key&gt;NSSystemAdministrationUsageDescription&lt;/key&gt; &lt;string&gt;Access is necessary for automated testing.&lt;/string&gt; &lt;key&gt;NSSystemExtensionUsageDescription&lt;/key&gt; &lt;string&gt;Access is necessary for automated testing.&lt;/string&gt; &lt;key&gt;OSBundleUsageDescription&lt;/key&gt; &lt;string&gt;Access is necessary for automated testing.&lt;/string&gt; &lt;/dict&gt; &lt;/plist&gt; Additionally, spctl --assess --type execute BoostBrowserUITests-Runner.app return an exit code of 0 so I assume that means it can launch just fine, and applications are allowed to be run from "anywhere" in System Settings. I've found the XCUIProtectedResource.localNetwork value, but it seems to only be accessible on iOS for some reason (FB17829325). I'm trying to figure out why this is happening on this machine so I can either fix our code or fix the machine. I have an Apple script that will allow it, but it's fiddly and I'd prefer to fix this the correct way either with the machine or with fixing our testing code.

Having reviewed every document, this has been going on for nearly two months. Originally, it was thought that the problem might be related to the fact I had created the developer ID signing certificate on an intel mac, and trying to import and use it on an M1 Mac-Mini. That turned out to not be the case. Completely started over with a new account (the company changed names), requested and was granted the entitlements we needed. Create a new CSR from this new m1 machine, created a Developer ID certificate, installed the certificate on this machine. But no matter what, the codesign fails. Troubleshooting Environment: Brand new Apple Developer account and Developer ID Application certificate (generated CSR on this Mac, installed cert and private key in login keychain) macOS build/signing machine, not running codesign as root Working from Terminal app in GUI session, not via SSH/cron Keychain & Certificate Chain: Verified Developer ID Application: Fidelis Security LLC (J4WGF5B6KZ) certificate and private key are present in login keychain Verified certificate is marked as trusted and has a private key attached Developer ID Certification Authority present and trusted in System keychain (removed any extra from login) Evaluate certificate assistant shows everything is good Apple Root CA present and trusted in System keychain Set all trust settings back to System Defaults after testing with “Always Trust” No expired or duplicate Developer ID intermediates present codesign Troubleshooting: Ran: codesign --force --timestamp --options runtime --sign "Developer ID Application: Fidelis Security LLC (J4WGF5B6KZ)" ./fidelisevents Consistently received: Warning: unable to build chain to self-signed root for signer ... errSecInternalComponent Confirmed correct identity using: security find-identity -v -p codesigning (Shows my Developer ID Application cert as valid) Keychain order confirmed with security list-keychains Tried explicit --keychain argument in codesign (no change) Additional Steps Attempted: Downloaded and re-installed all relevant Apple intermediates/root certificates from https://www.apple.com/certificateauthority/ Rebooted the Mac and killed/restarted the securityd daemon Confirmed no use of sudo or root for codesigning Verified keychain is unlocked Checked that partition list grants access to codesign (set with security set-key-partition-list -S "apple:codesign:" -s -k "" ~/Library/Keychains/login.keychain-db) Attempted to codesign a copy of /usr/bin/true (same error) Ran codesign both with and without --timestamp, both on app bundle and binary Keychain Access showing: Certificate and private key present and linked Correct trust chain System keychain containing all Apple intermediates/roots No trust warnings or red Xs Downloaded the latest Apple CA and Developer ID Root certificates and installed those. None of the forum searches have helped. AI is likewise confused.