Hello, We are currently using Apple Notarization (notarytool) for distributing a macOS app, and we are experiencing very long notarization times for large app bundles. [Issue] For apps with large binary sizes, notarization consistently takes around 3.5 to 4.5 hours from submission to completion. This delay is causing practical issues in our release pipeline, especially when: A hotfix or urgent update is required Multiple builds must be notarized in a short time CI/CD-based distribution is expected to complete within a predictable timeframe [Environment] Platform: macOS Notarization method: notarytool Distribution: Outside Mac App Store App size: 100 GB~ (compressed ZIP) Signing: Hardened Runtime enabled, codesigned correctly Submission status: Successfully accepted, but processing time is very long [What we have confirmed] The notarization eventually succeeds (no failures) Re-submitting the same build shows similar processing times Network upload itself completes normally; the delay is in Apple-side processing Smaller apps complete notarization much faster [Questions] Is a 3–4+ hour notarization time expected behavior for large macOS apps? Are there recommended best practices to reduce notarization processing time for large binaries? For example, splitting components, adjusting packaging, or specific signing strategies Is there any official guidance or limitation regarding notarization queueing or processing based on app size? Are there known service-side delays or regional differences that could affect processing time? Any insight or confirmation would be greatly appreciated, as this directly impacts our production release workflow. Thank you.

i am creating a app on "appmysite" while it runs its build test an error message pops up saying build failed. "it seems your app build has encountered an issue. the certificate used to generate the uploaded provisioning profile does not match the uploaded certificate." I understand why its saying it because the uploaded certificate had to be uploaded as ".p12". The certificate in the provisioning profile is made of ".cert". I am using a apple mac book and a xenovo windows computer. Im simply trying to figure out how to put the ".p12" certificate into the provisioning profile? whenever i go to my developer account and try to create a new provisioning account with the new ".p12" certificate. The only options that pop up for me to select are only the certificates that are in ".cert" form. I've tried exporting through "key access" and they show up in my files but no way to transfer to my developer account to combine it with a provisioning account. Any help is greatly appreciated, this is literally the only thing keeping my app from being ready for submission to review. ive been stuck on this for 3 days.

Hi everyone, Has anyone seen notarization behave like this? We have one specific app (let’s call it App A) with a Network Extension system extension. Whenever we submit App A for notarization: • Its submission stays “In Progress” indefinitely • The provisioning profile for its system extension becomes Invalid on its own • All our other apps suddenly fail notarization • And the whole team immediately gets: StatusCode 7000 – “Team is not yet configured for notarization.” Apple Support restored notarization once(Case 102738171569), and we confirmed other apps notarize fine — until we submit App A again, which instantly triggers the same team-wide block. This cycle has repeated twice. We verified: • Hardened runtime • Proper system extension signing • No private API usage • No get-task-allow • No ATS violations What’s confusing is that this doesn’t look like a normal notarization rejection. Normal failures don’t invalidate provisioning profiles or disable notarization for the entire team. It feels more like an automated security heuristic or misclassification. My questions: 1. Can a single app or system extension trigger an automated team-wide notarization disable? 2. Can an entitlement or NE configuration issue cause StatusCode 7000 instead of a standard rejection? 3. If this could be a false positive, is there a specific team at Apple who can manually review/clear it? Any insight would be greatly appreciated.

I'm working on a multi-process macOS application (based on Chromium/Electron) that uses Mach ports for inter-process communication between the main app and its helper processes. Background I have an MAS build working successfully via TestFlight for internal testing. However, public TestFlight testing requires Apple review, and while waiting for that review, I wanted to provide a directly distributable build for external testers. I attempted to create a Developer ID signed build with App Sandbox enabled, expecting it to behave similarly to the MAS build. The Problem With App Sandbox enabled (com.apple.security.app-sandbox) and identical entitlements, I observe different behavior depending on the signing certificate: Apple Distribution certificate: App launches successfully, mach-register and mach-lookup work Developer ID certificate: App crashes at launch, mach-register is denied by sandbox The Console shows this sandbox violation for the Developer ID build: Sandbox: MyApp(13605) deny(1) mach-register XXXXXXXXXX.com.mycompany.myapp.MachPortRendezvousServer.13605 The crash occurs when the app calls bootstrap_check_in() to register a Mach service for child process communication. What I've tried Adding com.apple.security.temporary-exception.mach-register.global-name with wildcard pattern XXXXXXXXXX.com.mycompany.myapp.MachPortRendezvousServer.* to the main app's entitlements - this resolved the mach-register denial. However, helper processes then fail with mach-lookup denial. Adding com.apple.security.temporary-exception.mach-lookup.global-name with the same wildcard pattern to the main app's entitlements (for inheritance) does not work. Analysis of /System/Library/Sandbox/Profiles/application.sb I examined macOS's App Sandbox profile and found that mach-register.global-name supports wildcard patterns via select-mach-filter: (sandbox-array-entitlement "com.apple.security.temporary-exception.mach-register.global-name" (lambda (name) ... (let ((mach-filter (select-mach-filter name global-name-prefix global-name))) (allow mach-register mach-filter)))) But mach-lookup.global-name does not - it only accepts exact names: (sandbox-array-entitlement "com.apple.security.temporary-exception.mach-lookup.global-name" (lambda (name) (allow mach-lookup (global-name name)))) Since the Mach service name includes the PID (e.g., ...MachPortRendezvousServer.13605), it's impossible to specify exact names in entitlements. I also verified that com.apple.security.application-groups grants mach-register and mach-lookup only for service names prefixed with the group ID (e.g., group.com.mycompany.myapp.), which doesn't match the TEAMID.bundleid. prefix used by Chromium's MachPortRendezvousServer. My questions What mechanism allows Apple Distribution signed apps to use mach-register and mach-lookup for these service names without temporary exceptions? I don't see any certificate-based logic in application.sb. Is there a way to achieve the same behavior with Developer ID signing for testing purposes? Related threads https://developer.apple.com/forums/thread/747005 https://developer.apple.com/forums/thread/685601 https://developer.apple.com/forums/thread/128714 (confirms temporary-exception can be used freely for Developer ID apps) Environment macOS 15.6 (Sequoia) Xcode 16.4 Both certificates from the same Apple Developer account

I got an email with the subject "Action Needed: Developer ID Application Certificate Expires in 30 Days" But on the cert page it's not exactly clear to my how to renew the cert or generate a new one. Confused by the fact that I already have half a dozen ...somehow? Any help or guidance appreciated.

Hello, I am developing a macOS application that uses the Network Extension framework and I'm planning to distribute it outside the Mac App Store using a Developer ID certificate. I am running into a persistent provisioning error when I try to manually assign my profile in Xcode: "Provisioning profile "NetFilterCmd" doesn't match the entitlements file's value for the com.apple.developer.networking.networkextension entitlement." Here is the process I followed: 1.I added the "Network Extensions" capability in Xcode's "Signing & Capabilities" tab. This automatically created a new App ID in my Apple Developer account. 2.I went to the developer portal, confirmed the App ID had "Network Extensions" enabled, and then generated a "Developer ID" Provisioning Profile associated with this App ID. 3.I downloaded and installed this new profile ("NetFilterCmd.provisionprofile"). 4.Back in Xcode, I unchecked "Automatically manage signing" for my app target. 5.When I select the downloaded "NetFilterCmd" profile from the dropdown, the error message immediately appears. I suspect my issue might be related to the "System Extension" requirement for macOS Network Extensions, or perhaps a mismatch between the specific NE values (e.g., content-filter-provider) in the entitlements file and the App ID configuration. What is the correct, step-by-step sequence to configure a macOS app (main app + network system extension) for Developer ID distribution?

On macOS 15.7.1 I'm trying to install an XPC service outside the app (Developer ID). It mostly seems to go ok, but when I set Launch Constraints on Responsible, AMFI complains of a violation, saying the service is responsible for itself, and fails to launch. Removing that constraint (or adding the service itself to the constraint) works fine. The service is an optional download, and installed to /Users/Shared with a LaunchAgent specifying the MachService. The service is correctly launched and seems to pass all codesigning, notarization, and other checks, but the Responsible isn't set to the "calling" app. Is this broken, or working as intended?

I've been away for a period of time and coming back to development I want to clean up my account resources. It appears as though I have 3 Developer ID Application certificates. I've never released code using any of them, and 2 of them have the exact same expiration date. I assume I created these while under the impression they could be revoked and deleted by myself. But this isn't the case. The fact that I can only use the expiration date to disambiguate between some them, and also that 2 of them can't be disambiguated is problematic if I were to ever notarise code with them. How can I get some of these certificates revoked and deleted?

We've been creating iOS apps for a few years now, but when I tried last month, I got an error in my XCode that says: No profiles for 'com.os.hub.mth2' were found Xcode couldn't find any iOS App Development provisioning profiles matching 'xxx.xxx.xxx.xxx'. I'm not sure if it's the cause or not, but when I look at the signing certificates, the Developer ID Application Certificate says: Missing Private Key The weird part of that is that I see a private key with this name in my Keychain access, so I'm not sure what's wrong. There has been a significant time gap between now and the last time we created a mobile app, so I'm not sure if something changed in XCode/MacOS to cause this issue, or if something expired. I'd appreciate any advice.

Hey, Just recently I realized something I have been overlooking in my build pipelines. I thought that by adding the the "hardened runtime", I disable 3rd-party library injection (I do not have the disable-library-validation entitlement added). However, I was using some checks on my code and I noticed that the "library validation" code signature check fails on my applications (e.g. adding the .libraryValidation requirement via the LightweightCodeRequirements framework) - with codesign -dvvvv /path/to/app I can check it doesn't have the CS_REQUIRE_LV flag: [...] CodeDirectory v=20500 size=937 flags=0x10000(runtime) hashes=18+7 location=embedded [...] then I used in Xcode the "Other Code Signing Flags" setting and added the -o library option, which added the flag: [...] CodeDirectory v=20500 size=937 flags=0x12000(library-validation,runtime) hashes=18+7 location=embedded [...] Is this flag something I should be explicitly setting? Because I was under the impression enabling hardened runtime would be enough. Popular Developer ID distributed applications (e.g. Google Chrome, Parallels Desktop, Slack) all have this flag set.

I want to export Mac OS application out side App Store and I need to have Developer Id installer certificate to do the same. When I go to certificate section in developer portal - I only see option of Mac App Distribution Mac Installer Distribution Developer ID Application Does anyone know where I can check the Developer ID installer part. Developer ID application doesn't work for signing the app manually.

The problem is described in full with log output in #16844 We are having an issue with TCC prompting users for access to the app group container despite signing with entitlements following all guidelines. This is a regression from the Feb 2025 Changes discussed in App Groups: macOS vs iOS: Working Towards Harmony The problem can only be reproduced with Xcode 16.0 and later. The entitlements for the app include access for the group container with [Key] com.apple.security.application-groups [Value] [Array] [String] G69SCX94XU.duck The documentation notes the group name can be arbitrary, e.g. <team identifier>.<group name>. Cyberduck uses G69SCX94XU.duck by default. Interestingly enough the alert is not shown when a group name matching the bundle identifier is used, e.g. G69SCX94XU.ch.sudo.cyberduck.

I have two certificates in my Accounts>Manage Certificates section. One is active, the other is greyed out with a status of "Not in Keychain". I only have ONE certificate in the developer account online. Timeline: Had an issue with fastlane codesigning and was trying to resolve that. In that attempt I deleted my related Certificates from my keychain Xcode showed them as disabled (greyed out) and not in Keychain. Look up how to resolve, need to revoke certificates in Developer account online. I go and revoke those certificates. Nothing changes I create new certificate and try to add it to xcode>account>certificate managment>"Apple Development". Get an error saying I can't add a new can't do that because a certificate is already pending. I waited a day because I assumed like somethings with apple, updates are not immediate. I come back the next day and am able to add a new certificate. However, the previous one that is greyed out and reads "Not in Keychain" under Status, is still there. How do I remove that "Not in Keychain" certificate? I emailed developer support and they directed me here.

I have certificates in my xcode>settings>account>manage certificates that I cannot get rid of. I know that they are linked to certificates in developer.apple.com but I've removed them from there and they persist in xcode. I have one that says "Not in Keychain", which is true. I deleted all the keychains related to these accounts in an attempt to fix something. I also have ones that say things like "Missing Private key" Our setup is that we have one main account "Company Inc." which I am setup to be an Admin in. I created a certificate under my credentials and added it to my keychain and showed up properly in xcode but I still have the other ones. HOW DO I REMOVE THEM :sob:

Hello, My project fails to build/run on a physical device or archive, due to a persistent provisioning error. Exact Error: Provisioning profile "iOS Team Provisioning Profile: com.huiwan.Ohra-Journal" doesn't include the BGTaskSchedulerPermittedIdentifiers entitlement. I have already performed extensive troubleshooting, and all local configurations appear to be correct: Capabilities: "Background Modes" with the "Background processing" option is enabled in the target's "Signing & Capabilities" tab. Info.plist: The Permitted background task scheduler identifiers key is present in the target's Info.plist, and it contains the correct task identifier (com.huiwan.ohra-journal.refresh). Entitlements File: The .entitlements file is correctly configured by Xcode. Full Reset: I have tried a complete reset procedure, including deleting ~/Library/Developer/Xcode/DerivedData and ~/Library/MobileDevice/Provisioning Profiles/, restarting Xcode, and letting the automatic signing system regenerate the profile from scratch. The issue persists. Despite all these correct local settings, the provisioning profile automatically generated by Xcode is consistently missing the required entitlement. This strongly suggests a server-side issue with the provisioning service for my App ID (com.huiwan.Ohra-Journal). I filed a bug report on the Feedback Assistant (FB20268285) a week ago but have not received a response. This issue is completely blocking my development and ability to submit the app. Could you please investigate the status of my App ID and the provisioning services associated with it? Thank you.

My post-build script takes the "developeridexport" archive export, zips it up and uses notarytool to notarize it. I then add the .zip to a .dmg disk image. The next step is to codesign the disk image before notarizing that too. The issue is my Developer ID Application certificate is not accessible to the build host. (When I was doing this in Microsoft AppCenter (now defunct), it had a copy of my Developer ID Application certificate.) What steps do I need to take to get the disk image signed for notarization? Thanks! Lance

I am trying to set up code signing for my macOS/Tauri app and I’m running into a problem with my Developer ID Application certificate in Keychain Access. Steps I followed: Generated a CSR on my Mac using Keychain Access → Certificate Assistant → Request a Certificate From a Certificate Authority. Uploaded the CSR to the Apple Developer portal. Downloaded the resulting .cer file and installed it in my login Keychain. The certificate appears under All Items, but it does not show under My Certificates, and there is no private key attached. What I expected: The certificate should pair with the private key created during CSR generation and show under My Certificates, allowing me to export a .p12 file. What I’ve tried so far: Verified that the WWDR Intermediate Certificate is installed. Ensured I’m on the same Mac and same login Keychain where I created the CSR. Revoked and regenerated the certificate multiple times. Tried importing into both login and system Keychains. Problem: The certificate never links with the private key and therefore cannot be used for signing. Has anyone experienced this issue or knows why the certificate would fail to pair with the private key in Keychain Access? Any workaround or fix would be greatly appreciated.

productsign Command Appears to Succeed but Package has No Valid Signature Category: Security, macOS, Code Signing Question: productsign command, when signing a PKG created with productbuild, appears to succeed with a success message (Wrote signed product archive to ...) but spctl verification results in rejected, source=no usable signature, indicating that the signature was not actually applied. Details: Goal: To sign a distribution package created with productbuild using a Developer ID Installer certificate. Certificate Used: Developer ID Installer: [Company Name] ([Team ID]) This certificate was issued by Previous Sub-CA and is not the latest G2 Sub-CA recommended by Apple. We cannot create a new G2 Sub-CA certificate as we have reached the limit of 5. productsign Command: productsign --sign "Developer ID Installer: [Company Name] ([Team ID])" [input.pkg] [output.pkg] productsign Output: Wrote signed product archive to [output.pkg] (Appears as a success message). spctl Signature Verification: spctl -a -vv [output.pkg] Result: rejected, source=no usable signature Notarization Service Results (Behavioral difference between Macs): On Mac A, the submission status was Accepted. On Mac B, the status was Invalid, with the notarization log message being The binary is not signed.. Troubleshooting Steps Taken: We attempted to sign both component and distribution packages with productsign, and in both cases, the signature was not recognized by the system. We skipped productsign and relied on the notarization service's auto-signing, but the notarization log still reported The binary is not signed., and the notarization failed. We have confirmed that the certificate and private key are properly associated in Keychain Access. My Questions: Given that we are using an older Previous Sub-CA certificate and cannot create a new one, why does productsign appear to succeed when the signature is not being applied? What could cause the behavioral difference where notarization is Accepted on Mac A but Invalid on Mac B? Is this a known issue with Apple's tools, or is it possibly caused by the specific structure of our PKG? What is the recommended workflow or debugging method to successfully sign and notarize a PKG under these circumstances? Thank you for your assistance

I'm trying to distribute a sandboxed macOS app with a PacketTunnelProvider (system extension) via direct distribution (outside of AppStore). The app and the extension both use the same app group, using the new group.com.XXXX.YYYY format detailed here for 10.15+ https://developer.apple.com/forums/thread/721701 I've also followed the instructions below to get around the quirk of not being able to directly process it via XCode: https://developer.apple.com/forums/thread/737894 I've re-signed with Developer ID certificate, all that is smooth and successfully notarized. However upon running the app I get: "My.app" would like to access data from other apps. Checking ~/Library/Containers ~/Library/Group Containers I see the correct files folders have been created before I select Don't Allow and Allow. My app does not access any files or folders outside of the sandboxed directories. How can I prevent this from happening? In order to diagnose further, how to diagnose exactly which files/folder the app is trying to access that is causing this problem?

I am responsible for the mobile app and thus also of the apple developer and app store connect accounts of a company. An external freelancer developed a software package for us which we aim to offer for installation and use on macOS systems of our customers; distributed exclusively outside of the Apple App Store. The software package has nothing to do with the mobile app. MacOS' Gatekeeper currently warns or even prevents our customers regarding the installation of the package on their device; pretty much as described here: https://developer.apple.com/developer-id/. According to a previous talk with Apple's Support, the software package (.app) the Freelancer developed must be signed with one of our own certificates. As we cannot grant selective app store connect access to third persons (only for the concerned certificates), we prefer to not provide access to our entire apple developer account to the freelancer, for the sole reason of the certificate & signing process. According to previous attempts with Apples' support regarding the most feasible solution in this case, they recommended me to manage the signing of the package of the freelancer, and simply request the package from the freelancer. I've thus generated an according Developer ID Certificate, but regarding the signing process, I'm confused. I know how signing works with mobile apps in XCode, but regarding software that is not distributed throughout the App Store on macOS, I'm unsure about the process. Also, as far as I know, the entitlements of the application are involved in the signing process. So my concern is that simply having the software package (.app) from the freelancer is not really enough to complete the signing + notarization process? Won't I need further information about the app's entitlements etc.? I would like to have a clear solution about the procedure that is required in these cases, as online documentations and / or forums as well as previous talks with your non-technical support from Apple did not resolve the issue.