General:
DevForums tags: Code Signing, Signing Certificates, Provisioning Profiles, Entitlements
Developer Account Help — This document is good in general but, in particular, the Reference section is chock-full of useful information, including the names and purposes of all certificate types issued by Apple Developer web site, tables of which capabilities are supported by which distribution models on iOS and macOS, and information on how to use managed capabilities.
Developer > Support > Certificates covers some important policy issues
Entitlements documentation
TN3125 Inside Code Signing: Provisioning Profiles — This includes links to other technotes in the Inside Code Signing series.
WWDC 2021 Session 10204 Distribute apps in Xcode with cloud signing
Certificate Signing Requests Explained DevForums post
--deep Considered Harmful DevForums post
Don’t Run App Store Distribution-Signed Code DevForums post
Resolving errSecInternalComponent errors during code signing DevForums post
Finding a Capability’s Distribution Restrictions DevForums post
Signing code with a hardware-based code-signing identity DevForums post
Mac code signing:
DevForums tag: Developer ID
Creating distribution-signed code for macOS documentation
Packaging Mac software for distribution documentation
Placing Content in a Bundle documentation
Embedding Nonstandard Code Structures in a Bundle documentation
Embedding a Command-Line Tool in a Sandboxed App documentation
Signing a Daemon with a Restricted Entitlement documentation
Defining launch environment and library constraints documentation
WWDC 2023 Session 10266 Protect your Mac app with environment constraints
TN2206 macOS Code Signing In Depth archived technote — This doc has mostly been replaced by the other resources linked to here but it still contains a few unique tidbits and it’s a great historical reference.
Manual Code Signing Example DevForums post
The Care and Feeding of Developer ID DevForums post
TestFlight, Provisioning Profiles, and the Mac App Store DevForums post
For problems with notarisation, see Notarisation Resources. For problems with the trusted execution system, including Gatekeeper, see Trusted Execution Resources.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
Entitlements
RSS for tagEntitlements allow specific capabilities or security permissions for your apps.
Posts under Entitlements tag
200 Posts
Sort by:
Post
Replies
Boosts
Views
Activity
I have added 2 command line tools in my swiftUI app for macOS, it was working fine locally, but it gives error when i try to make archive of it. I am not sure about the reason, but it was related to sandboxing the command line tools, after this i have tried multiple solutions but i am unable to resolve this issue, how should i handle the helper command line tools
I noticed the time sensitive entitlement says it's only for iOS and macOS. But without the entitlement, the time sensitive toggle doesn't show in my app's notification settings on visionOS.
When I archive my visionOS app for App Store Connect, the entitlement seems to be taken out as it doesn't show in my entitlement list for the build in App Store Connect.
I'm confused at this point if the entitlement is really necessary, since it seems to be needed to debug on the simulator at least. I don't have a physical device to test it on unfortunately.
I can't upload my macOS app to app store connect.
Each time i try to upload, i see this message:
Provisioning profile failed qualification
Profile doesn't support App Groups.
An empty app without an app group uploads fine, but if i add an app group to it, it does not upload.
I'm getting this error when uploading a build of my macOS app to App Store Connect. It has always worked before, and nothing changed about my use of app groups, and the iOS build uploaded without any problems. Cleaning the build folder and derived data folder doesn't help. I'm using automatically managed signing in Xcode.
Invalid code signing entitlements. Your application bundle’s signature contains code signing entitlements that aren’t supported on macOS. Specifically, the “[group.]” value for the com.apple.security.application-groups key in “.pkg/Payload/.app/Contents/MacOS/” isn’t supported. This value should be a string or an array of strings, where each string is the “group” value or your Team ID, followed by a dot (“.”), followed by the group name. If you're using the “group” prefix, verify that the provisioning profile used to sign the app contains the com.apple.security.application-groups entitlement and its associated value(s).
I use shared UserDefaults in my Swift FileProvider extension app suite. I share data between the containing app and the extension via User Defaults initialized with init(suiteName:).
Everything was working fine before macOS 15 (Sequoia).
I know that Sequoia changed the way the app group should be configured. My app group is know set to "$(TeamIdentifierPrefix)com.my-company.my-app".
But the containing (UI) app and the Extension read and write from and to different plist locations although the same app-group is specified for both targets in XCode.
The containing app reads and writes to "~/Library/Preferences/$(TeamIdentifierPrefix)com.my-company.my-app.plist"
The Extension reads and writes to "~/Library/Containers/com.my-company.my-app.provider/Data/Library/Preferences$(TeamIdentifierPrefix)com.my-company.my-app.plist"
Both of these locations seem completely illogical for shared UserDefaults.
I checked the value returned by FileManager.default.containerURL(forSecurityApplicationGroupIdentifier: "$(TeamIdentifierPrefix)com.my-company.my-app" in both the containing app and the Extension and the value in both of them is the same but has nothing to do with the actual paths where the data is stored as provided above. (The value is as expected - "~/Library/Group Containers/$(TeamIdentifierPrefix)com.my-company.my-app/"
P.S. Of course, $(TeamIdentifierPrefix), my-company and my-app here are placeholders for my actual values.
In an expo managed project which utilizes custom expo plugins, we're having trouble getting the keychain-access-groups entitlement inserted to our provisioningprofile for signing.
The provisioning profile we download from apple dev portal contains:
<key>keychain-access-groups</key>
<array>
<string>56APMZ7FZY.*</string>
<string>com.apple.token</string>
</array>
and this is not recognized by xcode for signing; an error is thrown:
Provisioning profile "ccpp" doesn't include the com.apple.developer.keychain-access-groups entitlement.
A matching error is thrown during EAS build.
So we need to find a way to modify the ccpp.mobileprovision locally and then sign the build using the modified ccpp.mobileprovision.
Or, we need guidance on the proper way to resolve this situation.
Questions:
why does the downloaded mobileprovision file have the keychain-access-groups key, and not com.apple.developer.keychain-access-groups? Both Xcode and EAS appear to demand the latter keyname.
when I use expo prebuild, I am able to see the following in the .entitlements file:
<key>com.apple.developer.keychain-access-groups</key>
<array>
<string>$(AppIdentifierPrefix)com.myapp</string>
</array>
I am adding this entitlement using a custom expo plugin. However, the mobileprovision file downloaded from apple developer portal has no knowledge of this setting which is only applied through expo prebuild.
So what I am left with at the end is an entitlements file generated by my expo prebuild which has the correct setting, and a provisioningprofile downloaded from dev portal with an incorrect setting, and I don't know how to mend the downloaded provisioningprofile (incorrect setting) with my local entitlements file (correct setting).
I'm at my wit's end here with an iOS app I'm developing. I've applied for the Family Controls entitlement, and while my extensions (like Device Monitor) have been accepted, the main target entitlement for my app still hasn't been approved.
Here's the timeline:
Extensions (Device Monitor etc.): Accepted about a month ago. Main App Entitlement: Still pending - it's been over 6 weeks now. I'm looking for:
Anyone who has gone through this process and can share how long it took for their main app entitlement to get approved after the extensions were. Any tips on what might speed up the process or what I might be doing wrong. Experiences with contacting Apple Developer Support regarding this issue.
If you've been through a similar ordeal or have any advice, I'd really appreciate it. Thanks for any help or insight you can offer!
My app is a Safari extension. When trying to validate the app, I get the following error:
App sandbox not enabled. The following executables must include the "com.apple.security.app-sandbox" entitlement with a Boolean value of true in the entitlements property list: [( "app.rango.Rango.pkg/Payload/Rango for Safari.app/Contents/MacOS/Rango for Safari" )] Refer to App Sandbox page at https://developer.apple.com/documentation/security/app_sandbox for more information on sandboxing your app.
I don't know why this is happening. I have app sandbox enabled in both the app and the extension target. I have both entitlement files. When executing codesign -d --entitlements :- /path/to/binary I get the following:
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>com.apple.security.app-sandbox</key><true/><key>com.apple.security.files.user-selected.read-only</key><true/><key>com.apple.security.get-task-allow</key><true/><key>com.apple.security.network.client</key><true/></dict></plist>
If I check on Activity Monitor, on the sandbox column it shows true. I have no idea why I keep getting this error when all indicates that the app is actually sandboxed.
Hi there,
I am planning an app that requires use of the Family Controls Entitlement to access data on the user's screen time.
I understand that this has to be requested from Apple before it can be used in production.
I have found the following form to request approval, but it requires an App and bundle ID, which suggests that approval can only be requested after the app has been developed.
https://developer.apple.com/contact/request/family-controls-distribution
I'd like to avoid the situation where I spend a lot of time on developing the app, only to find out that the Family Controls Entitlement will not be granted for my use case.
Is there any way that I can request provisional pre-approval for my app? Perhaps based on an app description and some mockups? Or, at least some idea of whether my particular use case is likely to be approved?
Thanks.
Hello, why is apple won’t adding Just-In-Time compiler to ”Emulators” in the app store. And/or hypervisor for newer devices.
i feel like UTM (which is a PC Emulator) or other Apps that emulate need JIT to work properly, and will consume significantly less battery to emulate/virtualize, And will have a noticeably better performance than just not enabling JIT, and by the way jit is already being used on iPadOS/iOS 18.3/18.3.1 and newer/older version of that so being enabled by the choice of the developer of the App is more convenient than doing it with tools.
and by the why apple wont let emulators on iPads and newer iPhones do hypervisor, it’s better than JIT but requires a good cpu, like making it available to people with newer/powerful devices, hypervisor is better than JIT by a lot and removing it in iPadOS/iOS 18.4 was an unnecessary choice?, becuase it had a better potential in virtualization instead of emulating, and I feel like enabling it In M1-M2 iPads and A14-18pro and newer devices is just better from having it disabled, to unlock the fullest potential of the iPad it needs to have a app or something to do instead of just running high graphics games/or Apps.
Hi,
We have an app that is a default mail client, so it has this entry in its entitlements file: com.apple.developer.mail-client. This seems to create issues with ad-hoc distribution.
We can distribute the app on App Store Connect without any issues and have been doing so for a while.
We wanted to try using Xcode Cloud to manage our releases. The app export works fine for both App Store Distribution and Development Distribution.
However, the ad-hoc distribution step fails. (We don't need ad-hoc distribution, but Xcode Cloud seems to prevent us from removing this step.)
I tried building and releasing the app locally for ad-hoc distribution and encountered the same error as on Xcode Cloud.
When Xcode tries to generate the profile, it outputs the following error:
Provisioning profile "iOS Team Ad Hoc Provisioning Profile: com.infomaniak.mail" failed qualification checks:
Profile doesn't support Default Mail App.
Profile doesn't include the com.apple.developer.mail-client entitlement.
Is it something broken with our config ? What are we missing ?
Local error in Xcode Organizer:
Remote error on Xcode cloud:
I've successfully obtained Distribution entitlements for Family Controls. However, this seems to only apply to the main target/identifier and not the extensions, like DeviceActivityMonitor, ShieldConfigurationDataSource, or ShieldActionExtension.
Did I perhaps fill out the form with the wrong bundle ID? If I go to "Certificates, Identifiers & Profiles", my main identifier for the app has the Distribution entitlement. But the extensions and the wildcard don't. This means that trying to create an archive results in the following two errors, each repeated twice:
Provisioning profile failed qualification (Profile doesn't support Family Controls (Development))
Provisioning profile failed qualification (Profile doesn't include the com.apple.developer.family-controls entitlement)
Note that my entitlement files are set up correctly.
Do I need to fill out the form with a wildcard instead? Or am I doing something wrong? Thank you.
Hi Folks,
We are reading the USB device data from our app using libusb/iokit libraries.
Before updating the MacOS to the 15.3 we never faced any issue but after updating OS to 15.3 Sequoia we started facing issue to access the USB device's information.
We are not getting the device endpoints for the matching service and fails with below error-
Error:Failed to create IOUSBHostObject. with reason: IOServiceOpen failed.
Respective code snippet-
service = IOServiceGetMatchingService(kIOMasterPortDefault, matchingDictionary);
IOUSBHostInterface* interface = [[IOUSBHostInterface alloc] initWithIOService:service
options:IOUSBHostObjectInitOptionsDeviceCapture
queue:*queue
error:&error
interestHandler:nil];
We get the denial message during accessing the IOService
error 23:17:30.691934-0800 kernel 41 duplicate reports for Sandbox: spotlightknowledged(1399) deny(1) mach-lookup com.apple.diagnosticd
error 23:17:30.691945-0800 kernel System Policy: com.prograde.pgdrefreshpro.helpe(70515) deny(1) iokit-open-service IOUSBHostInterface
Also when we checked the IOUSBHOST logs we can see pipes are stalled while running the RefreshPro app as below-
2025-02-05 22:06:31.838141-0800 0x25913e Error 0x0 0 0 kernel: (IOUSBHostFamily) AppleUSBIORequest: AppleUSBIORequest::complete: device 8 (SD PG05.5@08210000) endpoint 0x00: status 0xe0005000 (pipe stalled): 0 bytes transferred
We need an assistance here to know what exactly could be the cause and how can we elevate the permissions to access the USB device on MacOS15.3.
Do we need other entitlements? As we never faced such issue with our certificate and Identifier on any MacOS versions and with the current entitlements we have.
Do we need to include any entitlement in the code?
Thanks.
Hey everyone,
I wanted to check if anyone else has faced extreme delays when requesting access to Apple Pay Wallet APIs. It was Oct 11 2024 a year ago since we first applied to enable in-app provisioning for virtual cards in our app and we made 1% progress.
For context, we already got access from Google for Google Wallet—it was smooth, professional, and timely. But with Apple… it’s been nothing but an endless cycle of waiting.
We followed every step, submitted everything correctly, and even called Apple Developer Support multiple times. Their response? "We've escalated it." Again and again. But there’s no real progress. We’re rerouted, ignored, and left in limbo.
At this point, I don’t even know if anyone is actually reviewing these requests. If a business like ours—fully compliant and ready to integrate—can’t even get a response in 150 day, how is this process supposed to work?
I’m posting this here because I can’t be the only one. Has anyone else faced this? If you finally got access, how did you do it? Because right now, it feels like Apple Pay in-app provisioning is an impossible goal.
Hoping someone from Apple sees this and realizes how broken this process is. We’re just trying to innovate and offer Apple users a great experience—why is it so difficult?
Looking forward to hearing from anyone in the community who can help, Thanks! 🙏
I keep getting this error when trying to install Audio app extension.
Everything is reviewed from certificates to profiles, for some reason
CreatingCustomAudioEffects sample is deployed correctly but when Creating new Project (Audio Extension App) from new project Option, it doesn't work at all.
If I remove Extension from Frameworks and deploy app, then no problem but then App crashes as extension is missing. Something wrong with Xcode? I am pretty sure it used to build new projects but not anymore.
Failed to verify code signature of /var/installd/Library/Caches/com.apple.mobile.installd.staging/temp.0k1RXy/extracted/AudioUnitsAppExtensionTest.app : 0xe8008015 (A valid provisioning profile for this executable was not found.)
Please ensure sure that your app is signed by a valid provisioning profile.
If this issue persists, please attach the following when sending a report to Apple:
A sysdiagnose from this Mac
A sysdiagnose from the device failing installation
An IPA of the app failing installation
Environment: Xcode v. 16.2; Swift version 6+
Scenario: I have an .xcodeproj within an .xcsworkingspace that must follow the 'command-line' paradigm outside the sandbox.
My UnitTest (using the newer 'Swift Test' vs 'XCTest') is hitting runtime fatal errors due to sandbox violations.
Here's a typical error line from the compiler:
1 duplicate report for Sandbox: chmod(41377) deny(1) file-read-data /Users/Ric/Library/..
I've set the .entitlement to ignore sandbox:
&lt;key&gt;com.apple.security.app-sandbox&lt;/key&gt;
&lt;false/&gt;
I also created a shell script in the project build phase to access my TestData which was copied via a Build Phase:
#!/bin/bash
BUILD_DIR="${BUILT_PRODUCTS_DIR}"
TEST_DATA="${SRCROOT}/SwiftModelTest/TestData"
mkdir -p "${BUILD_DIR}/TestData"
cp -R "${TEST_DATA}/" "${BUILD_DIR}/TestData/"
What do I need to allow real-time Testing of my code without worrying about the Sandbox?
I am developing an app that can help users disable selected apps at a specified time, so that users can get away from their phones and enjoy real life.
Here is my data structure:
extension ActivityModel {
@NSManaged public var id: UUID
@NSManaged public var name: String
@NSManaged public var weeks: Data
@NSManaged public var weekDates: Data
@NSManaged public var appTokens: Data
}
Among them, weeks is of [Bool] type, indicating which weeks from Sunday to Saturday are effective; weekDates is of [[Date,Date]] type, indicating the effective time period; appTokens is of Set type, indicating the selected apps。
At the beginning, I will open a main monitor:
let deviceActivityCenter = DeviceActivityCenter()
do{
try deviceActivityCenter.startMonitoring(
DeviceActivityName(activityModel.id),
during: DeviceActivitySchedule(
intervalStart: DateComponents(hour: 0,minute: 0,second: 0),
intervalEnd: DateComponents(hour: 23,minute: 59,second: 59),
repeats: true
)
)
}catch {
return false
}
Since the time range may be different every day, I will start the sub-monitoring of the day every time the main monitoring starts:
override func intervalDidStart(for activity: DeviceActivityName) {
super.intervalDidStart(for: activity)
if activity.rawValue.hasPrefix("Sub-") {
ActivityModelManager.disableApps(
Tools.getUUIDFromString(activity.rawValue)
)
return
}
let weekIndex = Calendar.current.component(.weekday, from: .now)
let weeks = ActivityModelManager.getWeeks(activity.rawValue)
if weeks[weekIndex] {
let weekDates =
ActivityModelManager.getWeekDates(activity.rawValue)
let deviceActivityCenter = DeviceActivityCenter()
do{
try deviceActivityCenter.startMonitoring(
DeviceActivityName("Sub-" + activityModel.id),
during: DeviceActivitySchedule(
intervalStart: getHourAndMinute(weekDates[weekIndex][0]),
intervalEnd: getHourAndMinute(weekDates[weekIndex][1]),
repeats: false
)
)
}catch {
return
}
}esle {
return
}
}
I will judge whether it is main monitoring or sub monitoring based on the different activity names.
When the sub-monitor starts, I will get the bound application and then disable it:
static func disableApps(_ id : UUID){
let appTokens = ActivityModelManager.getLimitAppById(id)
let name = ManagedSettingsStore.Name(id.uuidString)
let store = ManagedSettingsStore(named: name)
store.shield.applications = appTokens
return
}
When the child monitoring is finished, I resume the application:
static func enableApps(_ id : UUID){
let name = ManagedSettingsStore.Name(id.uuidString)
let store = ManagedSettingsStore(named: name)
store.shield.applications = []
}
The above is my code logic.
When using DeviceActivityMonitorExtension, I found the following problems:
intervalDidStart may be called multiple times, resulting in several sub-monitors being started.
After a period of time, the monitoring is turned off.
The static methods enableApps and disableApps are sometimes not called
Received entitlement access from Apple yesterday, but I'm getting this error when trying to check app authorization:
FinanceKit/FinanceStore+FinancialDataAuthorization.swift:27: Fatal error: Process is not entitled
Code of interest:
import Foundation
import FinanceKit
@MainActor
class FinanceService: ObservableObject {
private let store = FinanceStore.shared
@Published private(set) var authorizationStatus: AuthorizationStatus = .notDetermined
@Published private(set) var accounts: [Account] = []
@Published private(set) var transactions: [Transaction] = []
@Published private(set) var balances: [AccountBalance] = []
@Published private(set) var wallet: Wallet = Wallet()
// Authorization
func requestAuthorization() async {
do {
authorizationStatus = try await store.requestAuthorization()
} catch {
// If there's an error requesting authorization, set to denied
authorizationStatus = .denied
print("Error requesting authorization: \(error)")
}
}
func checkAuthorizationStatus() async {
do {
print("Checking authorization status")
authorizationStatus = try await store.authorizationStatus()
print("Authorization status: \(authorizationStatus)")
} catch {
// If there's an error checking status, assume not determined
authorizationStatus = .notDetermined
print("Error checking authorization status: \(error)")
}
}
}
What I've done/checked:
Info.plist is set properly, with NSFinancialDataDescription AND
NSFinanancialDataUsageDescription both set
In my entitlements, key com.apple.developer.financekit is set to financial-data
I have am targeting an actual device (min. 17.6)
I've followed the instructions here: [https://developer.apple.com/forums/thread/757973] to no avail.
Any ideas?
Hello! I'm suddenly having some difficulty debugging a Flutter-based app. When I run an app from VS Code, it launches Xcode and builds & installs the app on an iPhone running 18.1. However, once the app is installed on the phone, it disappears and in Xcode, a dialog appears with:
Failed to install embedded profile for : 0xe800801f (Attempted to install a Beta profile without the proper entitlement.)
However, when I look at the provisioning profile being used, it seems to have the correct entitlement:
I've also tried enabling automatic signing (instead of the current manual signing using match), as well as generating an adhoc profile and re-adding the device UDID in developers.apple.com. None of these have worked.
This issue appeared within the past day or so and was working fine yesterday with no code changes, so I've been stumped. All my certs are relatively new and were issued within the past few months. I've tried regenerating the provisioning profiles using match, but this gives the same thing.
What's odd is that I can run the build and upload to testflight, then download and install the app just fine through there. But this obviously makes debugging an issue.
Hello everyone,
I’ve been working on ways to implement stricter accountability systems for personal use, especially to prevent access to NSFW content in apps like Reddit and Twitter. The main challenge is that iOS sandboxing and privacy policies block apps from monitoring or interacting with other apps on the system.
While Apple’s focus on privacy is important, there’s a clear need for an opt-in exception for accountability tools. These tools could be allowed enhanced permissions under stricter oversight to help users maintain accountability and integrity without compromising safety.
Here are a few ideas I’ve been thinking about:
1. Vetted Apps with Enhanced Permissions: Allow trusted applications to bypass sandbox restrictions with user consent and close monitoring by Apple.
2. Improved Parental Controls: Add options to send notifications to moderators (like accountability partners) when restrictions are bypassed or disabled.
3. Custom Keyboard or API Access: Provide a framework for limited system-wide text monitoring for specific use cases, again with user consent.
If anyone has ideas for how to address this within current policies—or suggestions for advocating for more flexibility—I’d appreciate the input. I’m curious how others have handled similar challenges or if there are better approaches I haven’t considered.