Entitlements

Entitlements allow specific capabilities or security permissions for your apps.

Posts under Entitlements tag

200 Posts
Post | Replies | Boosts | Views | Activity

Code Signing Resources
General:

- DevForums tags: Code Signing, Signing Certificates, Provisioning Profiles, Entitlements
- Developer Account Help — This document is good in general but, in particular, the Reference section is chock-full of useful information, including the names and purposes of all certificate types issued by Apple Developer web site, tables of which capabilities are supported by which distribution models on iOS and macOS, and information on how to use managed capabilities.
- Developer > Support > Certificates covers some important policy issues
- Entitlements documentation
- TN3125 Inside Code Signing: Provisioning Profiles — This includes links to other technotes in the Inside Code Signing series.
- WWDC 2021 Session 10204 Distribute apps in Xcode with cloud signing
- Certificate Signing Requests Explained DevForums post
- --deep Considered Harmful DevForums post
- Don’t Run App Store Distribution-Signed Code DevForums post
- Resolving errSecInternalComponent errors during code signing DevForums post
- Finding a Capability’s Distribution Restrictions DevForums post
- Signing code with a hardware-based code-signing identity DevForums post

Mac code signing:

- DevForums tag: Developer ID
- Creating distribution-signed code for macOS documentation
- Packaging Mac software for distribution documentation
- Placing Content in a Bundle documentation
- Embedding Nonstandard Code Structures in a Bundle documentation
- Embedding a Command-Line Tool in a Sandboxed App documentation
- Signing a Daemon with a Restricted Entitlement documentation
- Defining launch environment and library constraints documentation
- WWDC 2023 Session 10266 Protect your Mac app with environment constraints
- TN2206 macOS Code Signing In Depth archived technote — This doc has mostly been replaced by the other resources linked to here but it still contains a few unique tidbits and it’s a great historical reference.
- Manual Code Signing Example DevForums post
- The Care and Feeding of Developer ID DevForums post
- TestFlight, Provisioning Profiles, and the Mac App Store DevForums post

For problems with notarisation, see Notarisation Resources. For problems with the trusted execution system, including Gatekeeper, see Trusted Execution Resources.

Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
Replies: 0 | Boosts: 0 | Views: 14k | Activity: Feb ’24
installing a SMAppService based LaunchDaemon from the command line
our app has a helper to perform privileged operations. previously that helper was installed via SMJobBless() into the /Library/LaunchDaemons/ and /Library/PrivilegedHelperTools/

we also had a script that would install the helper from the command-line, which was essential for enterprise users that could not manually install the helper on all their employee's Macs. the script would copy the files to their install location and would use launchctl bootstrap system as the CLI alternative to SMJobBless(). the full script is here: https://pastebin.com/FkzuAWwV

due to various issues with the old SMJobBless() approach we have ported the helper to the new SMAppService API where the helpers do not need to be installed but remain within the app bundle ( [[SMAppService daemonServiceWithPlistName:HELPER_PLIST_NAME] registerAndReturnError:&err] )

however, we are having trouble writing a (remote-capable) CLI script to bootstrap the new helper for those users that need to install the helper on many Macs at once. running the trivial

    sudo launchctl bootstrap system /Applications/MacUpdater.app/Contents/Library/LaunchDaemons/com.corecode.MacUpdaterPrivilegedInstallHelperTool2.plist

would just result in a non-informative:

    Bootstrap failed: 5: Input/output error

various other tries with launchctl bootstrap/kickstart/enable yielded nothing promising.

so, what's the command-line way to install a SMAppService based helper daemon? obviously 'installing' means both 'registering' (which we do with registerAndReturnError in the GUI app) and 'approving' (which a GUI user needs to manually do by clicking on the notification or by going into System Settings).

thanks in advance!

p.s. we wanted to submit this as a DTS TSI, but those are no longer available without spending another day on a reduced sample project. words fail me.

p.p.s. bonus points for a CLI way to give FDA permissions to the app!
Replies: 0 | Boosts: 0 | Views: 63 | Activity: 1d
The product archive package's signature is invalid
The product archive package's signature is invalid. Ensure that it is signed with your "3rd Party Mac Developer Installer" certificate. (90237)

I'm receiving this error, despite the fact that I'm using this certificate when creating the pkg (with electron-forge).

My configuration is shown below - note the 3rd Party Mac Developer Installer identity when using new MakerPKG.

    const config: ForgeConfig = {
      packagerConfig: {
        asar: true,
        name: 'Deep Focus',
        icon: 'resources/icon.icns',
        osxSign: {
          identity: 'Apple Distribution: Timeo Williams (3Y4F3KTSJA)',
          type: 'distribution',
          provisioningProfile: '/Users/timeo/Desktop/Deep Focus/deepWork/distribution.provisionprofile',
          preAutoEntitlements: false,
          // eslint-disable-next-line @typescript-eslint/explicit-function-return-type
          optionsForFile() {
            return {
              entitlements: 'build/entitlements.mas.plist'
            }
          }
        },
        extendInfo: 'build/info.plist',
        osxUniversal: {
          mergeASARs: true
        },
        appCategoryType: 'public.app-category.productivity',
        appBundleId: 'com.electron.deepfocus',
        extraResource: [
          'resources/.env',
          'resources/icon.icns',
        ]
      },
      rebuildConfig: {},
      makers: [
        new MakerSquirrel({}),
        new MakerZIP({}),
        new MakerRpm({}),
        new MakerDeb({}),
        new MakerDMG({
          appPath: './out/Deep Focus-darwin-arm64/Deep Focus.app',
          name: 'Deep Focus',
          icon: './resources/icon.icns',
          format: 'ULFO',
          overwrite: true,
          contents: (opts) => [
            { x: 130, y: 220, type: 'file', path: opts.appPath },
            { x: 410, y: 220, type: 'link', path: '/Applications' }
          ]
        }),
        new MakerPKG({
          name: 'Deep Focus',
          identity: '3rd Party Mac Developer Installer: Timeo Williams (3Y4F3KTSJA)'
        })
      ],
      plugins: [
        new VitePlugin({
          build: [
            { entry: 'src/main.ts', config: 'vite.main.config.ts', target: 'main' },
            { entry: 'src/preload.ts', config: 'vite.preload.config.ts', target: 'preload' }
          ],
          renderer: [
            {
              name: 'main_window',
              config: 'vite.renderer.config.mts' // Path to Vite config for renderer process
            }
          ]
        }),
        new FusesPlugin({
          version: FuseVersion.V1,
          [FuseV1Options.RunAsNode]: false,
          [FuseV1Options.EnableCookieEncryption]: true,
          [FuseV1Options.EnableNodeOptionsEnvironmentVariable]: false,
          [FuseV1Options.EnableNodeCliInspectArguments]: false,
          [FuseV1Options.EnableEmbeddedAsarIntegrityValidation]: true,
          [FuseV1Options.OnlyLoadAppFromAsar]: true
        })
      ]
    }

Yet, I'm getting the error from Transporter that it's invalid?
Replies: 0 | Boosts: 0 | Views: 119 | Activity: 2d
Camera feed access issue from web content in Autofill extension
I am working on a task to add WKWebView to Autofill extension. This web view presents web content that can access camera feed. As an example here is a simple html:

I have added Camera permission entitlements to both main app and autofill extension Info.plist. Camera feed is accessed properly from the main app. However, doing the same in the Autofill extension does not show Camera stream in the web content. I am receiving camera permissions alert and am allowing permissions. It just gets stuck on the black screen and in console I see these logs:

    16000a00 - GPUProcessProxy::didClose:
    0x116000a00 - GPUProcessProxy::gpuProcessExited: reason=Crash
    0x1150180c0 - [PID=1 523] WebProcessProxy::gpuProcessExited: reason=Crash
    Error acquiring assertion: <Error Domain=RBSServiceErrorDomain Code=1 "target is not running or doesn't have entitlement com.apple.runningboard.assertions.webkit" UserInfo={NSLocalizedFailureReason=target is not running or doesn't have entitlement com.apple.runningboard.assertions.webkit}>
    0x115020360 - ProcessAssertion::acquireSync Failed to acquire RBS assertion 'GPUProcess Background Assertion' for process with PID=1 524, error: Error Domain=RBSServiceErrorDomain Code=1 "target is not running or doesn't have entitlement com.apple.runningboard.assertions.webkit" UserInfo={NSLocalizedFailureReason=target is not running or doesn't have entitlement com.apple.runningboard.assertions.webkit}
    0x1160012a0 - GPUProcessProxy::didClose:
    0x1160012a0 - GPUProcessProxy::gpuProcessExited: reason=Crash
    0x1150180c0 - [PID=1 523] WebProcessProxy::gpuProcessExited: reason=Crash
    Error acquiring assertion: <Error Domain=RBSServiceErrorDomain Code=1 "target is not running or doesn't have entitlement com.apple.runningboard.assertions.webkit" UserInfo={NSLocalizedFailureReason=target is not running or doesn't have entitlement com.apple.runningboard.assertions.webkit}>
    0x115020300 - ProcessAssertion::acquireSync Failed to acquire RBS assertion 'GPUProcess Background Assertion' for process with PID=1 525, error: Error Domain=RBSServiceErrorDomain Code=1 "target is not running or doesn't have entitlement com.apple.runningboard.assertions.webkit" UserInfo={NSLocalizedFailureReason=target is not running or doesn't have entitlement com.apple.runningboard.assertions.webkit}

Looks like WKWebView crashes. Here are my configurations for the WKWebView:

    let webConfiguration = WKWebViewConfiguration()
    webConfiguration.allowsInlineMediaPlayback = true
    webConfiguration.mediaTypesRequiringUserActionForPlayback = []
    let webView = WKWebView(frame: .zero, configuration: webConfiguration)
    webView.navigationDelegate = self
    webView.uiDelegate = self
    webView.scrollView.isScrollEnabled = false
    webView.contentMode = .scaleAspectFit
    view.addSubview(webView)

Does anyone know what might be the problem? Is it even possible to access Camera from web content in Autofill extension?
Replies: 0 | Boosts: 0 | Views: 100 | Activity: 3d
WeatherKit in commandline app
I am trying to add WeatherKit support to a commandline app to fetch historical data. I've configured an app ID with the WeatherKit entitlement, but WeatherKit does not appear in the Capabilities list to add. When I try to access weather data, it fails with Code=4097 "connection to service named com.apple.weatherkit.authservice" suggesting it's not authorized. How do I add the WeatherKit entitlement to a commandline Swift app?
Replies: 0 | Boosts: 0 | Views: 93 | Activity: 5d
Unable to access details page for vehicle crash entitlement (SafetyKit)
Hi, I am part of a team working to incorporate vehicle crash detection using SafetyKit. However, I am unable to know more details about this entitlement since the details page (https://developer.apple.com/contact/request/vehicular-crash-events/) is showing an unauthorised message as shown in the image below. All the latest licenses have been reviewed and agreed to. Please let me know what can be done to access this link and know the details of this entitlement.
Replies: 1 | Boosts: 0 | Views: 94 | Activity: 1w
Unable to add MusicKit capability
I have an existing Xcode project that I am trying to add MusicKit to, but for some reason I am unable to. I have logged into my developer account, and ticked off the MusicKit checkbox under the Services tab of my app in the Certificates, Identifiers & Profiles section. In Xcode I have Automatically manage signing set to true. But MusicKit does not show up as a Capability, neither in the list of capabilities in my app, nor when trying to add it with the +Capability button. I have done this successfully before with Game Center, so I really do not understand why this does not work with MusicKit. Any ideas as to how this can be solved?
Replies: 2 | Boosts: 0 | Views: 215 | Activity: 2w
Re: Resolving App Sandbox Inheritance Problems
I have a weird case that shouldn't happen according to https://forums.developer.apple.com/forums/thread/706390

I have an audio unit which runs in FCP and I want it to launch a sandboxed app as a child process. If I sign the child app with just "com.apple.security.app-sandbox" entitlement it crashes with SYSCALL_SET_PROFILE error. According to the article referenced above: "This indicates that the process tried to setup its sandbox profile but that failed, in this case because it already has a sandbox profile." This makes sense because audio units run in a sandboxed environment (in AUHostingService process).

So I added "com.apple.security.inherit" to the entitlements plist and now I get "Process is not in an inherited sandbox." error. According to the article referenced above: "Another cause of a trap within _libsecinit_appsandbox is when a nonsandboxed process runs another program as a child process and that other program’s executable has the com.apple.security.app-sandbox and com.apple.security.inherit entitlements. That is, the child process wants to inherit its sandbox from its parent but there’s nothing to inherit."

And this doesn't make sense at all. The first error indicates the child process is trying to create a sandboxed environment within a parent sandboxed environment while the second error indicates there's no parent sandboxed environment...

I specifically checked the child process has "com.apple.security.app-sandbox" and "com.apple.security.inherit" entitlements only. If I remove all entitlements from the child process it launches and runs fine from the audio unit plugin. And if I remove "com.apple.security.inherit" but leave "com.apple.security.app-sandbox" I can successfully launch the app in standalone mode (in Finder). For the testing purposes I use a simple Hello World desktop application generated by Xcode (Obj-C).

Does anybody have an idea what can be the reason for such a weird behavior?
Replies: 3 | Boosts: 0 | Views: 193 | Activity: 2w
Implement Apple Pay In app Provisioning as third party developer
Hi I have a question about In app Provisioning for Apple Pay. I'm a developer in company which makes application for one of banks. They want to have ability to add cards to Wallet by their app not by Wallet application. I know which functions and documentation I need to use but I have a problem with testing it. We are third party developer, have separate teams, bank also has 3 apps for their testing environments. Bank sign agreements with Apple so they could have entitlements to check integration. And that is a question. Is there any chance to check our implementation before checking it in production app? I've seen sandbox account feature: https://developer.apple.com/apple-pay/sandbox-testing/ but I can't open In App provisioning window without entitlements. In Apple documentation we have statement that Apple is giving this entitlement only for production applications. So how to test it and check implementation before getting to production or without "mocking" application as production (changing id).
Replies: 0 | Boosts: 0 | Views: 155 | Activity: 2w
What is the right procedure for asking for entitlements ?
I want to use the com.apple.vm.networking entitlement which has a note: This entitlement is restricted to developers of virtualization software. To request this entitlement, contact your Apple representative. https://developer.apple.com/support/technical/ says: « Request entitlements using entitlement forms and ask for status updates in the resulting email thread. » but I haven't been able to find these "entitlement forms". Does anyone know what the right process is to request an entitlement?
Replies: 1 | Boosts: 0 | Views: 177 | Activity: 2w
Does SwiftData copy the Core Data store to the app group container automatically?
While reading the developer documentation article Adopting SwiftData for a Core Data App, one particular line piqued my interest.

For apps that evolve from a version that doesn’t have any app group container to a version that has one, SwiftData copies the existing store to the app group container.

Given how troublesome it has been to migrate the Core Data persistent store to an app group container, I decided to try this out myself. I created an Xcode project using the default Core Data template. I then added a few Item objects with timestamps. There, I had what we would consider a regular Core Data app. I then created a widget extension for this app since this is one of the most common uses for adopting an app group in an Xcode project. After that, I linked the main target with the widget extension using an app group. In the widget extension, I tried to fetch the Item objects. I utilized the SwiftData code in the sample project associated with the article above.

    struct Provider: TimelineProvider {
        private let modelContainer: ModelContainer

        init() {
            let appGroupContainerID = "group.com.genebogdanovich.CoreDataSwiftDataAppGroup"
            guard let appGroupContainer = FileManager.default.containerURL(forSecurityApplicationGroupIdentifier: appGroupContainerID) else {
                fatalError("Shared file container could not be created.")
            }
            let url = appGroupContainer.appendingPathComponent("CoreDataSwiftDataAppGroup.sqlite")
            print("\(url)")
            do {
                modelContainer = try ModelContainer(for: Item.self, configurations: ModelConfiguration(url: url))
            } catch {
                fatalError("Failed to create the model container: \(error)")
            }
        }
    }

    func getTimeline(in context: Context, completion: @escaping (Timeline<Entry>) -> ()) {
        Task { @MainActor in
            let fetchDescriptor = FetchDescriptor<Item>()
            let items: [Item] = try! modelContainer.mainContext.fetch(fetchDescriptor)
            print(items)
            let entry = SimpleEntry(date: .now, emoji: "😀", count: items.count)
            let timeline = Timeline(entries: [entry], policy: .never)
            completion(timeline)
        }
    }

The fetch yielded no results. However, as I explored the app group directory in the file system, I found a .sqlite file. That is interesting because SwiftData creates .store files by default. So, I am guessing that SwiftData did copy something. Or the ModelContainer initializer just created another empty SQLite file since the fetch returned zero results. I would highly appreciate someone elaborating on that quote from the documentation.
Replies: 0 | Boosts: 1 | Views: 155 | Activity: 3w
Issues setting up the Enterprise API entitlements (Main Camera Access)
Hello, I've recently received the entitlements to access the main camera stream for a project on the Apple Vision Pro.

What happens: When executing code from this WWDC tutorial, I'm getting this error when trying to use a Camera Frame Provider:

    ar_camera_frame_provider_t <0x300d58870>: Failed to start camera stream with error: <ar_error_t: 0x303fcc4c0 Error Domain=com.apple.arkit Code=100 "App not authorized." UserInfo={NSLocalizedFailureReason=Using camera frame provider requires an entitlement., NSLocalizedRecoverySuggestion=, NSLocalizedDescription=App not authorized.}

What I've tried: I followed the instructions given by mail, by: adding the .license file at the root of my project, adding the .entitlements file by adding capabilities in the project (Main Camera Access & Passthrough in screen capture are there). I've added NSCameraDescription, NSEnterpriseMCAMUsageDescription and NSWorldSensingUsageDescription (they all have a value assigned). I've also followed those post & post advices. When checking on the Account settings, I do see the capabilities in the "additional capabilities". On first launch, I'm also getting prompted to accept the NSEnterpriseMCAMUsageDescription, so I assume the info.plist file is valid?

What did I miss to get the entitlements working? Here's the code:

    import ARKit
    import SwiftUI
    import Vision
    import RealityKit

    class MainCameraAccess {
        var arKitSession = ARKitSession()
        var cameraFrameProvider = CameraFrameProvider()
        var pixelBuffer: CVPixelBuffer?

        func startCameraSession() async {
            let formats = CameraVideoFormat.supportedVideoFormats(for: .main, cameraPositions: [.left])

            // Request authorization
            await arKitSession.requestAuthorization(for: [.cameraAccess])

            // Start the session
            do {
                try await arKitSession.run([cameraFrameProvider])
            } catch {
                print("Failed to start ARKit session: \(error)")
                return
            }

            // Get camera frame updates
            guard let cameraFrameUpdates = cameraFrameProvider.cameraFrameUpdates(for: formats[0]) else {
                return
            }

            // Process frames
            for await cameraFrame in cameraFrameUpdates {
                guard let mainCameraSample = cameraFrame.sample(for: .left) else {
                    continue
                }
                self.pixelBuffer = mainCameraSample.pixelBuffer
            }
        }

        func saveLatestImage() {
            guard let pixelBuffer = self.pixelBuffer else {
                print("No image available to save.")
                return
            }

            // Convert CVPixelBuffer to UIImage
            let ciImage = CIImage(cvPixelBuffer: pixelBuffer)
            let context = CIContext()
            guard let cgImage = context.createCGImage(ciImage, from: ciImage.extent) else {
                print("Failed to create CGImage.")
                return
            }
            let uiImage = UIImage(cgImage: cgImage)

            // Save UIImage to Photos Album
            UIImageWriteToSavedPhotosAlbum(uiImage, nil, nil, nil)
            print("Image saved to photo library.")
        }
    }

Thanks in advance for the help, Jeremy
Replies: 2 | Boosts: 0 | Views: 252 | Activity: 2w
Family Controls Usage Data
Hi all, For context, the Family Controls entitlement request (for the Personal Device Management category/individual use case) includes the question: Will your app share device or usage data beyond the individual for the individual use case, or Family Sharing for the parent/guardian use case, including through means such as screenshots, screen recordings, or server logging? I'm looking for clarification on how to interpret this. I originally answered Yes and was rejected, then later answered No and was accepted. Ideally, I would like my screen time management app to allow users to opt-in to social features. One simple example is opting into a leaderboard with your friends for who has the lowest screen time. If the user installed this app for themself and chooses to share this basic data with their friends, it sounds like an ethical and unproblematic feature but I suppose storing that data would fall under "server logging"? If anyone has any experience with this, I would appreciate a more explicit description of the requirement above. Is what I described allowed? Thanks for reading!
Replies: 2 | Boosts: 0 | Views: 205 | Activity: 4w
Provisioning Profile attribute contains old ubiquity-kvstore-identifier value after App Transfer
Hi, we have received an Application via App Transfer recently. I am now trying to generate a provisioning profile for App Store distribution. When we set the checkmark in Capabilities to use "iCloud Key-value storage" we cannot get "automatically manage signing" to work with an error: Provisioning profile "iOS Team Provisioning Profile: com.some.bundle.identifier" doesn't match the entitlements file's value for the com.apple.developer.ubiquity-kvstore-identifier entitlement. When a Provisioning Profile is manually generated via Developer Portal the com.apple.developer.ubiquity-kvstore-identifier entry shows the value of the previous app owner: "OLDTEAM.com.some.bundle.identifier". How can we change the com.apple.developer.ubiquity-kvstore-identifier value in our provisioning profile to get rid of the old team identifier? Help is much appreciated, thank you. FB15898983
Replies: 0 | Boosts: 0 | Views: 241 | Activity: Nov ’24
Not able to upload app to App Store Connect for TestFlight internal testing because of fall detection entitlements
I am developing a watchOS app that uses the Fall Detection API. After requesting the entitlement, and receiving the entitlement and adding it to my app, I managed to implement the feature, and run the app on the simulator in Xcode and it works fine. But when I try to distribute the app to TestFlight internal testing, Xcode refuses and shows the following message: "Provisioning profile failed qualification: Profile doesn't support Fall Detection Notifications" and "Provisioning profile failed qualification: Profile doesn't include the com.apple.developer.health.fall-detection entitlement"

I am using an Xcode managed provisioning profile, and when I checked the profile from "signing and capabilities", it says that the fall detection capability and the entitlement are included in the profile. When I check my app's capabilities from "Certificates, Identifiers & Profiles" in the apple developer website, it says that the fall detection capability for my app has provisioning support for Ad hoc and Development only, is this the reason why I can't upload my app to TestFlight, or am I missing something? If it is the reason, then is there a way to change the provisioning support so that I can distribute the app? Thanks in advance
Replies: 1 | Boosts: 0 | Views: 309 | Activity: Nov ’24