Hi guys, Is there any good up-to-date tutorial about publishing a Python based app on Apple Store? Now, I have developed a standalone Python app from PyCharm, and it's using Pyside6 for UI and some major Python libraries. It's a productivity app with a little A.I. features. I used PyInstaller to prepare the app. Currently, I am stuck at the stage of codesign and Apple Review process, because I am manually doing codesign and building the package from command-line. Without using Xcode, things can get messy or miss easily. It would be nice to follow a up-to-date tutorial about how to complete the codesign and Apple Review process for a Python based app. For example, what to do, how to do, what to be careful during the Apple Review process, etc. Thanks!

I've been trying to understand what kind of UX is available if my app is using the default-dialer capability. I have found https://developer.apple.com/documentation/livecommunicationkit/preparing-your-app-to-be-the-default-dialer-app and I am in the EU. On android I built the UX I want and it's quite neat, so now I'm trying to work. out what I can get on iOS. Because the product is kind of worthless with just android. I have built a simple dialer ux with a numberpad, contact lookup etc. Then when the user presses the Call button does it have to pop up the system prompt "Call number"? Does it have to swap over to the system ui for the actual call? So there's no way to show information about the call, during the call? Or am I using the frameworks incorrectly? I am very new to iOS development. TrueCaller and others show validation, but as I understand it they pre-fetch all the data, I can't do that.

I’m creating my first DriverKit extension and I ran into an entitlement issue when trying to load my driver. Error 0x0 8397 7 taskgated-helper: (ConfigurationProfiles) [com.apple.ManagedClient:ProvisioningProfiles] App.Dext: Unsatisfied entitlements: com.apple.developer.driverkit.transport.usb I have already registered the entitlement com.apple.developer.driverkit.transport.usb with my vendor ID in the Apple Developer portal. However, when I download the provisioning profile, it doesn’t include the idVendor value. Screenshot from the developer portal (provisioning profile without idVendor) ? <key>com.apple.developer.driverkit.transport.usb</key> <array> <dict> <key>idVendor</key> <integer>1356</integer> </dict> </array> -Is this error caused by me registering the vendor ID incorrectly? -Or is there an issue with how the entitlement is reflected in the provisioning profile? Any guidance would be appreciated.

I have an app with lots of networking calls that are currently done through URLSession. We would like to implement the new carried constrained entitlements and begin moving data through the ultra constrained network path for core features of our application. I have successfully implemented the NWPathMonitor to identify when the current network path is ultra constrained and I have been consistently on a physical device in a real world environment. I'm aware that we will not be able to use URLSession to do this from other posts in this forum like this one. Because of this problem with URLSession I am attempting to fallback to using NWConnection when the current path is ultra constrained. I have setup a NWConnection with the NWParameters.allowUltraConstrainedPaths set to true. The request works perfectly when connected to wifi or cellular. However, it does not work at all when the current path is ultra constrained. When attempting this request through my NWConnection I receive an error that says: The operation couldn’t be completed. (Network.NWError error 50 - Network is down) Is this expected? I have confirmed my physical device is connecting to carrier provided satellite and I have been able to load data in other ios apps from Apple like the music app while on this carrier constrained connection. If this is not the correct way to move data when the path is ultra constrained what is the correct way?

Hello, I am trying to utilize the Critical Messaging API to allow my user to message 1 or multiple pre registered contacts automatically. An issue I am having with this in testing is that when the application attempts to fire off texts to the phone numbers the success rate changes from trial to trial, with no variable changing. Sometimes I can send a Critical Message to multiple phone numbers in rapid succession, sometimes the message is only sent to 1 contact, and sometimes I get no successes. Each failure always returns the MSCriticalMessaging.notSupported error. The API documentation states, "The send(_:to:) method only works if the app is backgrounded, if it’s called from foreground the framework returns a MSCriticalMessagingError.notSupported error." If my app is always backgrounded in these tests, what other issues may cause this notSupported error return, and why does the outcomes success rate vary?

This issue keeps cropping up on the forums and so I decided to write up a single post with all the details. If you have questions or comments: If you were referred here from an existing thread, reply on that thread. If not, feel free to start a new thread. Use whatever topic and subtopic is appropriate for your question, but also add the Entitlements tag so that I see it. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" Determining if an entitlement is real In recent months there’s been a spate of forums threads involving ‘hallucinated’ entitlements. This typically pans out as follows: The developer, or an agent working on behalf of the developer, changes their .entitlements file to claim an entitlement that’s not real. That is, the entitlement key is a value that is not, and never has been, supported in any way. Xcode’s code signing machinery tries to find or create a provisioning profile to authorise this claim. That’s impossible, because the entitlement isn’t a real entitlement. Xcode reports this as a code signing error. The developer misinterprets that error [1] in one of two ways: As a generic Xcode code signing failure, and so they start a forums thread asking about how to fix that problem. As an indication that the entitlement is managed — that is, requires authorisation from Apple to use — and so they start a forums thread asking how to request such authorisation. The fundamental problem is step 1. Once you start claiming entitlements that aren’t real, you’re on a path to confusion. Note If you’re curious about how provisioning profiles authorise entitlement claims, read TN3125 Inside Code Signing: Provisioning Profiles. There are a couple of ways to check whether an entitlement is real. My preferred option is to create a new test project and use Xcode’s Signing & Capabilities editor to add the corresponding capability to it. Then look at what Xcode did. You might find that Xcode claimed a different entitlement, or added an Info.plist key, or did nothing at all. IMPORTANT If you can’t find the correct capability in the Signing & Capabilities editor, it’s likely that this feature is available to all apps, that is, it’s not gated by an entitlement or anything else. Another thing you can do is search the documentation. The vast majority of real entitlements are documented in Bundle Resources > Entitlements. IMPORTANT When you search for documentation, focus on the Apple documentation. If, for example, you search the Apple Developer Forums, you might be mislead by other folks who are similarly confused. If you find that you’re mistakenly trying to claim a hallucinated entitlement, the fix is trivial: Remove it from your .entitlements file so that your app starts to build again. Then add the capability using Xcode’s Signing & Capabilities editor. This will do the right thing. If you continue to have problems, feel free to ask for help here on the forums. See the top of this post for advice on how to do that. [1] Xcode 26.2, currently being seeded as Release Candidate, is much better about this (r. 155327166). Give it a whirl! Commonly Hallucinated Entitlements This section lists some of the more commonly hallucinated entitlements: com.apple.developer.push-notifications — The correct entitlement is aps-environment (com.apple.developer.aps-environment on macOS), documented here. There’s also the remote-notification value in the UIBackgroundModes property. com.apple.developer.in-app-purchase — There’s no entitlement for in-app purchase. Rather, in-app purchase is available to all apps with an explicit App ID (as opposed to a wildcard App ID). com.apple.InAppPurchase — Likewise. com.apple.developer.storekit — Likewise. com.apple.developer.in-app-purchase.non-consumable — Likewise. com.apple.developer.in-app-purchase.subscription — Likewise. com.apple.developer.app-groups — The correct entitlement is com.apple.security.application-groups, documented here. And if you’re working on the Mac, see App Groups: macOS vs iOS: Working Towards Harmony. com.apple.developer.background-modes — Background modes are controlled by the UIBackgroundModes key in your Info.plist, documented here. UIBackgroundModes — See the previous point. com.apple.developer.voip-push-notification — There’s no entitlement for this. VoIP is gated by the voip value in the UIBackgroundModes property. com.apple.developer.family-controls.user-authorization — The correct entitlement is com.apple.developer.family-controls, documented here. IMPORTANT As explained in the docs, this entitlement is available to all developers during development but you must request authorisation for distribution. com.apple.developer.device-activity — The DeviceActivity framework has the same restrictions as Family Controls. com.apple.developer.managed-settings — If you’re trying to use the ManagedSettings framework, that has the same restrictions as Family Controls. If you’re trying to use the ManagedApp framework, that’s not gated by an entitlement. com.apple.developer.callkit.call-directory — There’s no entitlement for the Call Directory app extension feature. com.apple.developer.nearby-interaction — There’s no entitlement for the Nearby interaction framework. com.apple.developer.secure-enclave — On iOS and its child platforms, there’s no entitlement required to use the Secure Enclave. For macOS specifically, any program that has access to the data protection keychain also has access to the Secure Enclave [1]. See TN3137 On Mac keychain APIs and implementations for more about the data protection keychain. com.apple.developer.networking.configuration — If you’re trying to configure the Wi-Fi network on iOS, the correct entitlement is com.apple.developer.networking.HotspotConfiguration, documented here. com.apple.developer.musickit — There is no MusicKit capability. Rather, enable MusicKit via the App Services column in the App ID editor, accessible from Developer > Certificates, Identifiers, and Profiles > Identifiers. These app services are tied to your App ID on the server side, meaning that they have no presence in your code signature. com.apple.developer.shazamkit — There is no ShazamKit capability. Like MusicKit, this is an app service. com.apple.mail.extension — Creating an app extension based on the MailKit framework does not require any specific entitlement. com.apple.security.accessibility — There’s no entitlement that gates access to the Accessibility APIs on macOS. Rather, this is controlled by the user in System Settings > Privacy & Security. Note that sandboxed apps can’t use these APIs. See the Review functionality that is incompatible with App Sandbox section of Protecting user data with App Sandbox. com.apple.developer.adservices — Using the AdServices framework does not require any specific entitlement. com.apple.security.device.audio-input-monitoring — The com.apple.security.device.microphone entitlement is what restricts microphone access on macOS. [1] While technically these are different features, they are closely associated and it turns out that, if you have access to the data protection keychain, you also have access to the SE. Revision History 2026-05-28 Added com.apple.security.device.audio-input-monitoring to the common hallucinations list (Kevin) 2026-04-23 Added com.apple.developer.shazamkit to the common hallucinations list. Added a little more info about app services. 2025-12-09 Updated the Xcode footnote to mention the improvements in Xcode 26.2rc. 2025-11-03 Added com.apple.developer.adservices to the common hallucinations list. 2025-10-30 Added com.apple.security.accessibility to the common hallucinations list. 2025-10-22 Added com.apple.mail.extension to the common hallucinations list. Also added two new in-app purchase hallucinations. 2025-09-26 Added com.apple.developer.musickit to the common hallucinations list. 2025-09-22 Added com.apple.developer.storekit to the common hallucinations list. 2025-09-05 Added com.apple.developer.device-activity to the common hallucinations list. 2025-09-02 First posted.

Hello, I'm developing a feature for my app, that allows users to challenge their friends. The friend request functionality is built using Universal Links, but I've run into a significant issue. The Universal Links are correctly deep-linking into the app. However, once the app opens, nothing happens—the friend request acceptance or rejection flow does not occur. This prevents users from completing friend requests and building their friend list. Here are examples of the Universal Links I'm generating: https://www.strike-force.app/invite?type=invite&amp;amp;userID=... https://www.strike-force.app/invite?type=invite&amp;amp;friendRequestID=... https://www.strike-force.app/profile?userID=... I've recently updated my cloudflare-worker.js to serve a paths array of ["*"] in the AASA file, so I believe the links themselves should be valid. Technical Details &amp;amp; Error Logs In the console, I am consistently seeing the following error message: Cannot issue sandbox extension for URL:https://www.strike-force.app/invite?token=7EF1E439-090B-4DF2-BE64-9904F50A3F8B Received port for identifier response: &amp;lt;(null)&amp;gt; with error:Error Domain=RBSServiceErrorDomain Code=1 "Client not entitled" UserInfo={RBSEntitlement=com.apple.runningboard.process-state, NSLocalizedFailureReason=Client not entitled, RBSPermanent=false} elapsedCPUTimeForFrontBoard couldn't generate a task port This error appears to be related to entitlements and process state, but I am not sure if it's the root cause of the Universal Link issue or a separate problem. The 'Client not entitled' error on line 3 has had me chasing down entitlements issues. But, I've added the Associated Domains entitlement with the proper applink URLs and verified this in my Developer Portal. I've regenerated my provisioning profile, manually installed it, and selected/de-selected Automatically Manage Signing. As well I've verified my AASA file and it's correctly being served via HTTPS and returning a 200. curl -i https://strike-force.app/.well-known/apple-app-site-association curl -i https://www.strike-force.app/.well-known/apple-app-site-association I am looking for guidance on why the friend request flow is not being triggered after a successful deep-link and how I can fix the related error. Any insights or suggestions would be greatly appreciated.

Hello! Trying to find any info about how to add In-App Purchase with application Entitlements.plist file manually (NOT with XCode). Is there any reference within keys and description? What need to be in this file: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>key-for-in-app-purchase</key> <string>value</string> </dict> </plist>

An open-source app that I bundle for macOS needs to use the disable-library-validation entitlement. In spite of TN3125: Inside Code Signing: Provisioning Profiles | Apple Developer Documentation#Entitlements-on-macOS claiming that hardened runtime entitlements don't need provisioning profiles and the app successfully notarizing, trying to run the app fails with the error "Disallowing because no eligible provisioning profiles found". So I created a provisioning profile, but when creating the App ID the only selection that seemed relevant was Hardened Runtime. That turns out not to include disable-library-validation so now launching fails with "Unsatisfied entitlements: >com.apple.security.cs.disable-library-validation" What's the right capability?

Hello, I am experiencing an issue with the Apple Pay capability on my App ID. I have created a Merchant ID. I enabled Apple Pay in the App ID configuration and linked it to the merchant. However, sometimes when I revisit the App ID in the Apple Developer portal, the Apple Pay capability appears disabled, even though I saved it. This happens intermittently; at some times the capability is correctly shown as enabled, and other times it disappears. Context: I am using Expo Managed Workflow with EAS Build for iOS. The issue prevents the provisioning profile from including Apple Pay, which causes Stripe isPlatformPaySupported function to return false on ios devices. Attached: Screenshots of the App ID page showing Apple Pay enabled and disabled. Could you please advise why the capability is not being consistently saved, and how to ensure it stays enabled? Thank you,

Hi Apple DTS & community folks, I’m reaching out regarding an issue we’ve encountered with the com.apple.developer.mail-client capability for our app (bundle identifier: so.notion.Mail). We were granted this entitlement last week to allow the app to be set as a default Mail client. While everything works as expected when archiving and distributing builds locally in Xcode, we’re running into a problem when using Xcode Cloud. Specifically, Xcode Cloud attempts to archive and distribute an Ad-Hoc build, but the Ad-Hoc provisioning profile does not include this special entitlement. Since we’re using Xcode-managed profiles, we don’t have the ability to create or adjust an explicit profile ourselves. This issue only arises in Xcode Cloud—local distribution works unless we explicitly attempt an Ad-Hoc build (which is not our intent). I’ve included a screenshot of the error for reference. We found this forum post describing the same issue, where the resolution was Apple enabling the entitlement for Ad-Hoc builds. We’d like to request that Apple enable this capability for Ad-Hoc builds for the Notion Mail application so that Xcode Cloud distribution functions correctly. Thank you for your help!

I've alluded to this before in these posts and there are some posts from others about this, e.g. https://developer.apple.com/forums/thread/759845 and I've filed some bugs related to the behavior. FB20212935 FB19451832 FB19450508 FB19450162 FB19449747 Our company owns the USB vendor IDs X and Y . We've been granted a USB transport entitlement for both of those IDs. The crux of the problem is that I want to build a driver for USB vendor ID Y. Xcode's well-hidden auto-generated provisioning profile for my driver contains com.apple.developer.driverkit.transport.usb: { idVendor = X; } which is obviously not what I want. Xcode fails to provision the target. But I have another, much older project with an auto-generated provisioning profile containing com.apple.developer.driverkit.transport.usb: { idVendor = X; }, { idVendor = Y; } I can build a driver for idVendor Y without problems in this project. But that doesn't help me with my new project. What can I do to fix this? Do I need to request our entitlements again? I fear if I do so, something will get lost in the process. Is there a way to inspect what we have already been granted? - I can't see a "managed entitlements" section on the account portal. I can go through the motions of making a new App ID, then I can see that some Capability Request have been "Assigned", but I don't see what their values are. A second question I have is about the userclient-access entitlement. Are these tied to the bundle ID of the app which claims the access? In other words, if I have two drivers com.mycompany.app1.driver1 com.mycompany.app2.driver2 and I would like to have com.mycompany.app1 communicate with com.mycompany.app1.driver1, I would ask for the com.apple.developer.driverkit.userclient-access capability for com.mycompany.app1.driver1. But must I request that access for each specific app bundle ID that will talk to that driver, or once the entitlement is granted, can I use com.apple.developer.driverkit.userclient-access = { com.mycompany.app1.driver1 } in any of my apps?

Hello everyone, I’ve been stuck for weeks on an issue with Family Controls + Device Activity entitlements in my iOS app, and Apple Developer Support has not provided a solution so far. I’m hoping someone here who has successfully implemented Family Controls + Device Activity can point me in the right direction. About the App • The app is a Digital Wellbeing app called Breakloop. • It lets users select apps they want to block, requires them to complete a positive affirmation before opening those apps, and can re-block apps after a set time (e.g., 10 minutes). • This functionality exactly matches the purpose of Family Controls and Device Activity APIs. What Works So Far • Family Controls capability is enabled in the main app target in Xcode. • We have valid Apple Developer certificates (Apple Development) and a team account. • The main app builds and runs fine when using Family Controls alone. • We have App IDs for: • bl.Breakloop (main app) • bl.Breakloop.BreakloopMonitorExtension • bl.Breakloop.BreakloopShieldConfigurationExtension The Problem The provisioning profiles for the extension targets (BreakloopMonitorExtension and BreakloopShieldConfigurationExtension) do not include the com.apple.developer.device-activity entitlement even though: • The App IDs in the Developer Portal have Family Controls (Development) enabled. • The extensions have the correct entitlements file with both: com.apple.developer.family-controls com.apple.developer.device-activity • Xcode Signing & Capabilities points to the correct provisioning profile + certificate. Because the provisioning profiles don’t include the entitlement, the build fails with: Provisioning profile doesn't include the com.apple.developer.device-activity entitlement. What Apple Support Said Apple Support told me: • “Family Controls grants access to Device Activity.” • They cannot enable it manually or guarantee that profiles will include the entitlement. • They sent links to the documentation but no further assistance. What I Need Help With 1. Has anyone successfully built extensions using Family Controls + Device Activity? 2. Do I need to request any additional approval for Device Activity, or should it appear automatically once Family Controls is enabled? 3. Is there a known Xcode or Apple Developer Portal configuration issue that causes the entitlement to be missing in provisioning profiles? 4. Any working example of a project setup that uses Family Controls + Device Activity in extensions would be extremely helpful. Extra Info • We use the latest Xcode + iOS SDK. • Tried recreating certificates, profiles, and App IDs multiple times. • Followed Apple’s docs for Family Controls + Device Activity exactly. I would greatly appreciate any guidance, especially from someone who has this working with iOS app extensions. Thank you!

Hello Having trouble getting associated domain to work in our project. It was working when we used Branch, but our company wants to host the domain ourselves. This is a multi-scheme project, using .xcconfig files to define the correct entitlement per Build. The relevant entitlement file has: com.apple.developer.associated-domains applinks:bm.ddcas.ai in the ....{other irrelevant test associated domains....} The project Team and App ID are taken from the Identifiers screen where the Identifier capabilities has 'associated domains' ticked on. I've also checked elsewhere on AppleDeveloper/Connect to be sure. When we used Branch with domain key app links: bmstores.app.link this worked fine. With https://bm.ddcas.ai (our own host) which is publicly available and has an aasa file in both the main directory and /.well-known, typing this in safari or anything just doesn't attempt to link to the App. The iPhone is in developer mode, and using the developer menu associated domains diagnostic tool, typing https://bm.ddcas.ai results in the diagnostic saying 'The url is a Universal Link for the app with identifier **********.***etc (the app is installed on real iPhone 12, iOS 18.6.2 and my Xcode is 16.4) However, it just doesn't work if we type in https://bm.ddcas.ai and results in a Safari message of '400 not found' and the 'nginx' shows. We have read innumerable Apple Dev posts and StackOverflow posts, as well as several step by step 'how to's' online but this just isn't working. The aasa file is at https://bm.ddcas.ai/apple-app-site-association and is setup as follows: { "applinks": { "apps": [], "details": [ { "appID": "{my Team ID}.{my App ID}", "paths": [ "*" ], "components": [ { "/": "/verification", "?": { "verification_code": "[A-Za-z0-9]{6}" }, "comment": "Matches verification code path" } ] } ] } } Our Server guys say the website (bm.ddcas.ai) is public and hosted, it just doesn't have a /verification path as they say it should redirect before reaching that. Also, our Android redirect works using this site, so this appears to be something specific Apple code is looking for. What, please, are we likely to be missing as it does not seem obvious from the Apple documentation or any of the resources I have checked online. Normally we can figure anything out, but getting nowhere here so the help is appreciated.

We are currently using Live Activities in our app and supporting both of the following use cases: Starting a Live Activity directly from the app using ActivityKit APIs. Starting a Live Activity from the backend using the start token. In the first case (initiated from the app), the OS generates an update token, and we are able to continuously update the Live Activity via our backend—even if the user has not explicitly provided "Allow" or "Always Allow" consent from the lock screen. This works as expected. In the second case (initiated from the backend), if the user does provide consent ("Allow" or "Always Allow") from the lock screen, we receive the update token and can continue updating the Live Activity. However, if the user does not provide consent, the OS does not provide the update token, and we are unable to send further updates. Question: Is it possible to receive the update token from the OS when the Live Activity is started from the backend, without the user explicitly providing "Allow" or "Always Allow" consent from the lock screen? We would appreciate any clarification or official documentation related to this behavior. Thank you!

I’m running into an issue where the com.apple.developer.storekit entitlement is not being included in provisioning profiles, even though my App ID is properly configured for In-App Purchase. Entitlements file: explicitly includes <key>com.apple.developer.storekit</key> <true/> Capability: In-App Purchase is enabled in the Apple Developer Portal and shows as “Enabled.” What I’ve tried: Automatic signing in Xcode → profiles generated, but missing com.apple.developer.storekit Manual signing → deleted and recreated provisioning profiles multiple times; entitlement still missing. Waited several hours for possible propagation. Verified that my in-app purchase products are set up correctly. Error message: Provisioning profile "iOS Team Provisioning Profile: zu.inniu" doesn't include the com.apple.developer.storekit entitlement Question: Has anyone else encountered this? Is there a step I might be missing to get StoreKit entitlements included in provisioning profiles, or could this be a backend issue that needs escalation through Apple DTS? This is blocking me from building my app for physical devices, so any guidance would be greatly appreciated. Thanks in advance!

The problem is described in full with log output in #16844 We are having an issue with TCC prompting users for access to the app group container despite signing with entitlements following all guidelines. This is a regression from the Feb 2025 Changes discussed in App Groups: macOS vs iOS: Working Towards Harmony The problem can only be reproduced with Xcode 16.0 and later. The entitlements for the app include access for the group container with [Key] com.apple.security.application-groups [Value] [Array] [String] G69SCX94XU.duck The documentation notes the group name can be arbitrary, e.g. <team identifier>.<group name>. Cyberduck uses G69SCX94XU.duck by default. Interestingly enough the alert is not shown when a group name matching the bundle identifier is used, e.g. G69SCX94XU.ch.sudo.cyberduck.

Hi, I just released a new version of an app that was transferred from another developer account. The previous version of this app used the App Groups feature to store some important data, and I would like to retrieve that data. In the new version, I’m using the same bundle identifier and the same App Group ID (which has already been deleted from the original developer account). I also added the App Groups entitlement in the project settings and set the same App Group ID. However, I still cannot access the data in the App Group. From the documentation and issues I’ve found, it seems that an app should still have permission to access the same App Group after being transferred. Did I miss something? Thanks!

Hi - appreciate your help in advance! Building a simple habit tracking app. I got approval for FamilyControls distribution. After creating a new provisioning profile with those capabilities enabled, when I try and build in xcode (16.4) using that Profile I get an error stating: "Provisioning profile "CreateMoreFamilyControlsv2" doesn't include the com.apple.developer.deviceactivity and com.apple.developer.deviceactivity.reporting entitlements" I've confirmed bundle identifier matches, Team etc Similarly when i do automatic signing see 3rd screenshot. Not sure what to do at this point, I've heard deviceActivity is automatically applied when family controls is approved but still running into this issue.

My Mac Catalyst app fails with a "MissingEntitlement" error when accessing keychain/secure storage, while the same code works perfectly on iOS. I have tested this extensively on macOS using Visual Studio Code on a MacBook, trying both automatic and manual provisioning approaches - both result in the same MissingEntitlement error during keychain operations. Error Message: "An error occurred during OTP verification: Error adding record: MissingEntitlement" Environment : Platform: Mac Catalyst (.NET 9.0) Issue: Keychain access fails on macOS, works on iOS Development: Using .NET MAUI What I've Tried : Entitlements Configuration Added keychain-access-groups to Entitlements.plist: xml <key>keychain-access-groups</key> <array> <string>$(AppIdentifierPrefix)com.example.myapp</string> </array> Project Signing Setup (.csproj configuration) : <PropertyGroup Condition="'$(TargetFramework)'=='net9.0-maccatalyst'"> <EnableCodeSigning>true</EnableCodeSigning> <ProvisioningType>manual</ProvisioningType> <DevelopmentTeam>TEAM_ID</DevelopmentTeam> <CodesignKey>Apple Development: Name (XXXXXXXXXX)</CodesignKey> <ProvisioningProfile>PROVISIONING_PROFILE_UUID</ProvisioningProfile> <CodesignEntitlements>Platforms/MacCatalyst/Entitlements.plist</CodesignEntitlements> <UseHardenedRuntime>true</UseHardenedRuntime> </PropertyGroup> Has anyone encountered similar issues with Mac Catalyst keychain access? Any insights on proper entitlement configuration would be greatly appreciated!