Hello, we are currently encountering a similar issue. We need to inject our capabilities into a third-party app by re-signing it (not a full re-signing process—just requiring the provisioning profile and certificate to match). However, this seems to affect the functionality of universal links. We've found that this issue only occurs on iOS 18. We noticed that when re-signing the app, the entitlements related to associated domains are changed to a wildcard: [Key] com.apple.developer.associated-domains [Value] [Array] [String] * However, this doesn’t cause any issues on iOS 17. Through further testing, we discovered that in order for universal links to work properly, we need to restore the original value of com.apple.developer.associated-domains and use a provisioning profile that matches the app's bundle ID. This means our previous re-signing approach using a certificate and provisioning profile from another bundle will no longer work. We’d like to ask: is this a new restriction introduced in iOS 18? If we manually restore the original com.apple.developer.associated-domains entitlement and use a provisioning profile that matches the app’s bundle ID, will universal links function correctly going forward?

你好，是这样的，目的我使用的是mac mini进行软件测试，我目前测试的软件会通过本地回环地址127.0.0.1进行数据传输，这种数据传输不是网络请求，所以用网络抓包的手段，没法测试。所以，我目前的想法是修改您macOS的本地回环地址优先级，定向到我自己的代理服务器，进行数据测试和请求检测。我对liunx系统的作比较了解，但是对于macos上面这方面设置的修改不太清楚。 希望您可以解答！

Hi, I am facing an issue with login persistence using firebase, but basically, it seems that I need to ensure I enable the Keychain Sharing within the Identities capabilities, the problem is, it is not even on the list. Thank you much

Hello Apple Developer Community, We're implementing the PushToTalk framework as recommended. According to Apple engineers in previous forum responses : the framework allows your app to continue receiving push notifications even after your app is terminated or the device is rebooted. Implementation: We've properly implemented: Early initialization of PTChannelManager via channelManager(delegate:restorationDelegate:completionHandler:) Channel joining with requestJoinChannel(channelUUID:descriptor:) when foregrounded All required delegate methods Issue After a user force quits our app, PushToTalk functionality works briefly but fails after some time (minutes to hours). The system logs show: AudioSessionServerImpCommon.mm:105 { "action":"cm_session_begin_interruption", "error":"translating CM session error", "session":{"ID":"0x72289","name":"getcha(2958)"}, "details":{ "calling_line":997, "error_code":-12988, "error_string":"Missing entitlement" } } We suspect that entitlement after force-quitting the app, there's a permission cache that temporarily allows functionality, but once this cache is cleared, the features stop working. Without this entitlement, both audio playback and recording fail, completely breaking the PTT functionality. Questions Which specific entitlement is missing according to this error? Is there a permission caching mechanism that expires after force quit? How can we ensure reliable PTT operation after force quit as stated in documentation? This behavior contradicts Apple's guidance that PushToTalk should work reliably after termination. Any insights would be greatly appreciated. Thank you!

I'm trying to launch a command line app from my objective C application (sandboxed) using NSTask and I keep getting "launch path not accessible" Here is the path: [task setLaunchPath:@"/usr/local/bin/codeview"]; I have set the appropriate attributes for codeview and it is working perfectly when I use it from the command line and /usr/local/bin IS in the $PATH I know I have NSTask configured correctly because this WILL work: [task setLaunchPath:@"/usr/bin/hexdump"]; With the exception being that I'm using a command already in /usr/bin. But I can't copy codeview into /usr/bin due to SIPS. I've tried moving codeview to various other non-SIPS protected locations all to no avail. Must all NSTask commands come from /usr/bin? Where might I put codeview so that it can be launched. Today I'm going to use an older computer and disable SIPS to put my command in /usr/bin and see if that works. If it does. I will do it on my main machine.

Hi there, I am using Core NFC and I established the connection with the card, but after sending the command 'tag.sendCommand()' I receive this message: -[NFCTagReaderSession _connectTag:error:]:748 Error Domain=NFCError Code=2 "Missing required entitlement" UserInfo={NSLocalizedDescription=Missing required entitlement}. The version of XCode I am using is 16.3, and the iPhone version is iOS 18.4 Here is my entitlements file: com.apple.developer.nfc.readersession.formats NDEF TAG And my info.plist: NFCReaderUsageDescription NFC com.apple.developer.nfc.readersession.iso7816.select-identifiers A000112233445566 Signing & Capabilities‌ has added Near Field Communication Tag Reading‌.

Hi everyone, I applied for CarPlay Entitlements on [Date 04. 26, 2024] using CarPlay is Case ID "13045151". I haven't received any updates or responses regarding my application yet. It's been 7 days since the application. My service requires CarPlay integration with a Black Box device. The primary purpose of this integration is to allow users to configure device settings through CarPlay. Furthermore, we plan to utilize the "Communication" category of Entitlements to notify users of parking incidents detected by the Black Box device while parked. This functionality is crucial for alerting drivers to potential issues affecting their vehicles. Could anyone share their experience with the typical turnaround time for CarPlay Entitlements, especially for applications involving device integration and the "Communication" category? Is this delay normal? Is there any way to check the application status or contact the appropriate team to inquire about its progress? Thank you for any insights or advice you can provide! Sincerely,

I am currently creating a MacOS app that uses NetworkExtension and SystemExtension without going through the Store. Using entitlements, I manually codesign and create a pkg Installer, but when I run it I get an error message saying "No matching profile found." Below is the log /Applications/Runetale.app/Contents/MacOS/Runetale not valid: Error Domain=AppleMobileFileIntegrityError Code=-413 "No matching profile found" UserInfo={NSURL=file:///Applications/Runetale.app/, unsatisfiedEntitlements=<CFArray 0x71c040fa0 [0x1f7bec120]>{type = immutable, count = 3, values ​​= ( 0 : <CFString 0x71c04f340 [0x1f7bec120]>{contents = "com.apple.developer.system-extension.install"} 1 : <CFString 0x71c1ccaf0 [0x1f7bec120]>{contents = "com.apple.developer.networking.networkextension"} 2 : <CFString 0x71c04fc00 [0x1f7bec120]>{contents = "com.apple.developer.team-identifier"} )}, NSLocalizedDescription=No matching profile found} I looked into it myself and found that if you want to install the app without going through the Store, you need to use packet-tunnel-provider-systemextension instead of packet-tunnel-provider. here However, simply changing to packet-tunnel-provider-systemextension does not allow the build to pass. I use a build method that changes the value of entitlements only during codesign in order to pass the build. SYSEXT="$APP_BUNDLE/Contents/Library/SystemExtensions/com.runetale.desktop.PacketTunnel.systemextension" if [ -d "$SYSEXT" ]; then echo "Signing PacketTunnel system extension with entitlements..." cp macos/PacketTunnel/PacketTunnelRelease.entitlements macos/PacketTunnel/PacketTunnelRelease-sign.entitlements sed -i '' 's/packet-tunnel-provider/packet-tunnel-provider-systemextension/' macos/PacketTunnel/PacketTunnelRelease-sign.entitlements codesign --force --options runtime --timestamp --entitlements "$ENTITLEMENTS_FILE" --sign "$DEV_ID_APP_CERT" "$SYSEXT" fi # 3. Sign the entire .app bundle (deep sign by signing the outer app after inner ones) echo "Signing Runetale App with entitlements..." cp macos/Runner/Release.entitlements macos/PacketTunnel/Release-sign.entitlements sed -i '' 's/packet-tunnel-provider/packet-tunnel-provider-systemextension/' macos/PacketTunnel/Release-sign.entitlementsmacos/PacketTunnel/Release-sign.entitlements codesign --force --options runtime --timestamp --entitlements "$APP_ENTITLEMENTS_FILE" --sign "$DEV_ID_APP_CERT" "$APP_BUNDLE" Is this build method wrong? The next solution I'm thinking of is as follows. Is there a way to write packet-tunnel-provider-systemextension directly to entitlments and pass the build? (provisioning profile?) Apply to forum and get permission to use packet-tunnel-provider-systemextension Thank you.

I've been using /usr/bin/shortcuts for various tasks (eg. Quicksilver uses it to list and run shortcuts), and after updating from 14.7.4 to 14.7.5 the tool gets killed on startup. Eg. here is what it looks like in my shell: ❯ shortcuts list zsh: killed shortcuts list (And this is regardless of whether I have "full disk access" or "developer tools" toggled on or off for iTerm.) Looking at system logs it seems like the binary is missing an entitlement, which causes MACF / Gatekeeper to throw a fit: 2025-04-12 18:38:48.847576 kernel: mac_vnode_check_signature: /usr/bin/shortcuts: code signature validation failed fatally: When validating /usr/bin/shortcuts: in-kernel: com.apple.shortcuts.ShortcutsCommandLine disallowed without com.apple.private.security.restricted-application-groups 2025-04-12 18:38:48.847582 kernel: validation of code signature failed through MACF policy: 1 2025-04-12 18:38:48.847583 kernel: check_signature[pid: 2475]: error = 1 2025-04-12 18:38:48.847587 kernel: proc 95761: load code signature error 4 for file "shortcuts" 2025-04-12 18:38:48.847613 kernel: exec_mach_imgact: not running binary "shortcuts" built against preview arm64e ABI 2025-04-12 18:38:48.855481 syspolicyd: (Security) SecTrustEvaluateIfNecessary 2025-04-12 18:38:48.857970 syspolicyd: [com.apple.syspolicy.exec:default] GK evaluateScanResult: 2, PST: (path: /usr/bin/shortcuts), (team: (null)), (id: (null)), (bundle_id: (null)), 0, 0, 1, 0, 1, 1, 0evaluateScanResult: 2, PST: (path: /usr/bin/shortcuts), (team: (null)), (id: (null)), (bundle_id: (null)), 0, 0, 1, 0, 1, 1, 0 I used Time Machine to compare the binary's entitlements between 14.7.4 and 14.7.5, and looks like in 14.7.5 /usr/bin/shortcuts indeed is missing the com.apple.private.security.restricted-application-groups entitlement that 14.7.4 had. The old binary had these two entitlements that the new one doesn't: [Key] com.apple.private.security.restricted-application-groups [Value] [Array] [String] group.com.apple.shortcuts [String] group.is.workflow.my.app [String] group.is.workflow.shortcuts [Key] com.apple.security.application-groups [Value] [Array] [String] group.com.apple.shortcuts [String] group.is.workflow.my.app [String] group.is.workflow.shortcuts Is there a sensible workaround for this (and by "sensible" I mean something that'd allow me to keep using the tool)? (I already asked this on the support forums but I figured I might as well ask here too)

Hey All, Seem to be in a loop and unable to proceed. New app specific for iOS being built on xCode. Project is configured only to deploy and use iOS, not macOS or anything else. Trying to create a new App iD always see it default to all platforms which means "Background Modes" is not visible or available. Automatic signing etc in xcode can't seem to get around this and just continues to flag I'm missing the entitlement for locations.background. Not sure what I am missing as I cannot manually configure the ID for iOS only and xcode is also generating new ID's with the same platform structure and constraints. Any thoughts or insights here please?

Hello Apple Developer Community, I have an existing Family Controls entitlement approved for my main app. My app includes the following extensions: AppLimitMonitorExtension ShieldConfigurationExtension ShieldActionExtension I am seeking clarification on whether my existing Family Controls entitlement for the main app automatically covers these extensions, or if I must submit separate entitlement requests for each extension. Because when I try to distribute app on App Store Connect it give me error "Provisioning profile failed qualification". Many developers appear to be facing this issue, and it seems that Apple has not clearly documented this. is information anywhere.

Hi all, I'm working on a use case where a customer checks in at a point of service (e.g., a cafeteria or restaurant) using their Apple Wallet pass (e.g., a digital employee badge). In this scenario, we would like to use an iPhone (with a custom iOS app) as the NFC terminal to read the pass directly from the customer's iPhone over NFC. I’m aware that "Tap to Pay on iPhone" allows NFC-based payment acceptance, but it’s unclear if similar functionality is available or permitted for reading access-type passes from another iPhone via NFC. Key questions: Is it technically possible for an iPhone to act as an NFC reader for a Wallet pass on another iPhone? If not, is this restricted due to Secure Element isolation or protocol limitations? Is there any Apple-supported path for building such a solution — or is certified external hardware (e.g., HID, Wavelynx) the only option? I’ve reviewed the Core NFC and PassKit documentation but couldn't find a definitive answer. Thanks in advance for your clarification!

I'm getting this error when uploading a build of my macOS app to App Store Connect. It has always worked before, and nothing changed about my use of app groups, and the iOS build uploaded without any problems. Cleaning the build folder and derived data folder doesn't help. I'm using automatically managed signing in Xcode. Invalid code signing entitlements. Your application bundle’s signature contains code signing entitlements that aren’t supported on macOS. Specifically, the “[group.]” value for the com.apple.security.application-groups key in “.pkg/Payload/.app/Contents/MacOS/” isn’t supported. This value should be a string or an array of strings, where each string is the “group” value or your Team ID, followed by a dot (“.”), followed by the group name. If you're using the “group” prefix, verify that the provisioning profile used to sign the app contains the com.apple.security.application-groups entitlement and its associated value(s).

On MacOS, I know that App Groups (com.apple.security.application-groups) do not require a provisioning profile. I was wondering if it's possible to sign them "ad hoc" and have it work? So maybe use a random TEAMID prefix and have it work? I would only need the app to work locally (for testing), not be distributed in that fashion, of course.

I requested the Family Controls Entitlement last week and haven’t heard back at all. I’ve submitted the request three times now, but I haven’t received a confirmation, a case number, or even an acknowledgment that it was received. I called Apple Support, but they said they have no visibility into the entitlement request process, which leaves me completely in the dark. I just want to know if my request is under consideration or not. This is especially frustrating because I’ve had strong engagement on social media around my app, and I have stakeholders waiting for updates. Right now, I can’t send the app for review, and I can’t even distribute it via TestFlight to internal testers. Honestly, I didn’t expect this kind of radio silence from Apple. Has anyone else experienced this when requesting entitlements?

I’ve been working on a Catalyst version of my iOS apps. Finally everything is working apart from the custom intents the user user to configure the widgets. The config UI loads: And changing settings at this level works. But it can’t load the options for the other settings: “No options were provided for this parameter” I see this crash in the intent: Termination Reason: Namespace DYLD, Code 1 Library missing Library not loaded: @rpath/CocoaLumberjack.framework/Versions/A/CocoaLumberjack Referenced from: <E1BF4CC5-4181-3272-828C-86B1CD1A66BF> /Applications/my.app/Contents/PlugIns/Intents.appex/Contents/MacOS/Intents Reason: , (security policy does not allow @ path expansion) (terminated at launch; ignore backtrace) I have added the Hardened Runtime Capability to the Main App Target, the Widget Target and the Intents Target. I also allowed “Disable Library Validation” just in case. What am I missing?

Hi, We have an app that is a default mail client, so it has this entry in its entitlements file: com.apple.developer.mail-client. This seems to create issues with ad-hoc distribution. We can distribute the app on App Store Connect without any issues and have been doing so for a while. We wanted to try using Xcode Cloud to manage our releases. The app export works fine for both App Store Distribution and Development Distribution. However, the ad-hoc distribution step fails. (We don't need ad-hoc distribution, but Xcode Cloud seems to prevent us from removing this step.) I tried building and releasing the app locally for ad-hoc distribution and encountered the same error as on Xcode Cloud. When Xcode tries to generate the profile, it outputs the following error: Provisioning profile "iOS Team Ad Hoc Provisioning Profile: com.infomaniak.mail" failed qualification checks: Profile doesn't support Default Mail App. Profile doesn't include the com.apple.developer.mail-client entitlement. Is it something broken with our config ? What are we missing ? Local error in Xcode Organizer: Remote error on Xcode cloud:

Hi guys, I'm developing a FinderSync Extension that extends Finder contextual menu with a couple of items doing some trivial file operations. I'm using Xcode 16.2 on macOS Sequoia 15.3.2 I could run the containing app in debug, and in System Preferences -> File Providers the flag is enabled for my app finder extension. Anyway, the contextual menu does not show in Finder, probably because the finder extension crashes immediately. Some output: pluginkit -m | grep "com\.[^a]" + com.mycompany.MyApp.MyAppFinderExtension(1.1.14) codesign -dvvv --entitlements - /Users/me/Library/Developer/Xcode/DerivedData/MyApp-dmzhnwmosboixodalsrrbwvwvmqm/Build/Products/Debug/MyApp.app/Contents/PlugIns/MyApp\ Finder\ Extension.appex Executable=/Users/me/Library/Developer/Xcode/DerivedData/MyApp-dmzhnwmosboixodalsrrbwvwvmqm/Build/Products/Debug/MyApp.app/Contents/PlugIns/MyApp Finder Extension.appex/Contents/MacOS/MyApp Finder Extension Identifier=com.mycompany.MyApp.MyAppFinderExtension Format=bundle with Mach-O thin (arm64) CodeDirectory v=20400 size=659 flags=0x2(adhoc) hashes=9+7 location=embedded Hash type=sha256 size=32 CandidateCDHash sha256=b59538ef9e3b6e8cf462a3e260e3bf26d050deb5 CandidateCDHashFull sha256=b59538ef9e3b6e8cf462a3e260e3bf26d050deb5e21fb27d4fa0a4fe5f3e78b7 Hash choices=sha256 CMSDigest=b59538ef9e3b6e8cf462a3e260e3bf26d050deb5e21fb27d4fa0a4fe5f3e78b7 CMSDigestType=2 CDHash=b59538ef9e3b6e8cf462a3e260e3bf26d050deb5 Signature=adhoc Info.plist entries=23 TeamIdentifier=not set Sealed Resources version=2 rules=13 files=9 Internal requirements count=0 size=12 [Dict] [Key] com.apple.security.app-sandbox [Value] [Bool] true [Key] com.apple.security.application-groups [Value] [Array] [String] [Key] com.apple.security.assets.movies.read-write [Value] [Bool] true [Key] com.apple.security.assets.music.read-write [Value] [Bool] true [Key] com.apple.security.assets.pictures.read-write [Value] [Bool] true [Key] com.apple.security.files.documents.read-write [Value] [Bool] true [Key] com.apple.security.files.downloads.read-write [Value] [Bool] true [Key] com.apple.security.files.user-selected.read-write [Value] [Bool] true [Key] com.apple.security.get-task-allow [Value] [Bool] true [Key] com.apple.security.personal-information.location [Value] [Bool] true The log is showing something very strange: log show --predicate 'eventMessage contains "com.mycompany.MyApp" and messageType = error' --last 1h Filtering the log data using "composedMessage CONTAINS "com.mycompany.MyApp" AND logType == 16" Skipping info and debug messages, pass --info and/or --debug to include. Timestamp Thread Type Activity PID TTL 2025-03-25 10:20:48.428127+0100 0x221af Error 0x53dbe 159 0 tccd: [com.apple.TCC:access] Request message contains a target_token to accessing_process (TCCDProcess: identifier=com.mycompany.MyApp, pid=4140, auid=501, euid=501, binary_path=/Users/me/Library/Developer/Xcode/DerivedData/MyApp-dmzhnwmosboixodalsrrbwvwvmqm/Build/Products/Debug/MyApp.app/Contents/MacOS/MyApp) but TCCDProcess: identifier=com.apple.audio.coreaudiod, pid=184, auid=202, euid=202, binary_path=/usr/sbin/coreaudiod is not a TCC manager for service: kTCCServiceScreenCapture. 2025-03-25 10:20:53.166554+0100 0x22139 Error 0x67ff4 163 0 runningboardd: (RunningBoard) [com.apple.runningboard:general] RBSStateCapture remove item called for untracked item 163-158-7088 (target:[app<application.com.mycompany.MyApp.36628067.36635236.92E24CD3-97A8-4340-A46E-4493456283C7(501)>:4140]) 2025-03-25 10:20:53.166575+0100 0x22139 Error 0x67ff4 163 0 runningboardd: (RunningBoard) [com.apple.runningboard:general] RBSStateCapture remove item called for untracked item 163-158-7087 (target:[app<application.com.mycompany.MyApp.36628067.36635236.92E24CD3-97A8-4340-A46E-4493456283C7(501)>:4140]) 2025-03-25 10:20:53.166582+0100 0x22139 Error 0x67ff4 163 0 runningboardd: (RunningBoard) [com.apple.runningboard:general] RBSStateCapture remove item called for untracked item 163-158-7091 (target:[app<application.com.mycompany.MyApp.36628067.36635236.92E24CD3-97A8-4340-A46E-4493456283C7(501)>:4140]) 2025-03-25 10:20:53.166593+0100 0x22139 Error 0x67ff4 163 0 runningboardd: (RunningBoard) [com.apple.runningboard:general] RBSStateCapture remove item called for untracked item 163-132-7084 (target:[xpcservice<com.apple.finder.FinderSync.IsExtensionEnabled([app<application.com.mycompany.MyApp.36628067.36635236.92E24CD3-97A8-4340-A46E-4493456283C7(501)>:4140])(501)>{vt hash: 0}:4144:4144]) -------------------------------------------------------------------------------------------------------------------- Log - Default: 0, Info: 0, Debug: 0, Error: 13, Fault: 0 Activity - Create: 0, Transition: 0, Actions: 0 Especially the first line: MyApp is not accessing coreaudiod - neither trying to get a ScreenCapture, so ... WTF??? How is it possibile? Why is the system blocking MyApp FinderExtension, or preventing it to run? Thank you in advance _Alex

Hello Apple Forum, We were testing out the following entitlements: 'Increased Memory Limit', 'Extended Virtual Addressing', 'Extended Virtual Addressing(Debug)' when we realized the maximum allocation amount of the memory dropped from our previous test of 32GB to 16GB. We were testing these on the following devices: iPad Pro 12.9(6th Gen) 18.4(Beta, 22E4232a) iPad Pro 11 M4 18.3.2 Each device has 16GB of physical RAM and because we are able to reach 16GB of allocation usage until app crashes, we believe the entitlements are applied correctly. Each test device was on charging mode and battery mode with 60, 80 100% battery. We understand allocating memory is complex and os is more optimized for battery efficiency, hence possibly limiting max usage of memory. However, through the same testing method we have done on iPadOS 18.3 and 4, we were able to allocate 31~32GB of RAM on testing done on January this year. (iPadOS 18.0, or maybe 18.1?) which make us wonder, has there been a change in core os that handles memory allocation since 18.0? And what can be the cause of this drop? The code we ran for our memory testing is as follows: private var allocatedMemory: [UnsafeMutableRawPointer] = [] public func allocate1GBMemory() { let sizeInBytes = 1024 * 1024 * 1024 if let pointer = malloc(sizeInBytes) { for i in 0..<sizeInBytes { pointer.advanced(by: i).storeBytes(of: UInt8(i % 256), as: UInt8.self) } allocatedMemory.append(pointer) logger.print("Allocated 1GB of memory. Total allocated: \(allocatedMemory.count)GB") } else { logger.print("Failed to allocate memory") } } Each functions call increases memory usage by allocating 1GB of space and we have called this function until it reaches 16GB then the app crashes.

We requested the com.apple.developer.passkit.pass-presentation-suppression entitlement in our app to suppress the Apple Pay popup when our app is near a reader. This entitlement was approved by Apple and successfully suppresses Apple Pay popups when approaching readers. Currently, we have another use case in the same app: presenting a PKPass (our door key pass) by calling the Wallet from our code using passLibrary.present(pass.secureElementPass!). This should take us to the Wallet and display our pass. This functionality works perfectly in other environments where this entitlement is not in place. We now understand that this entitlement suppresses all passes from our app. Our questions are: How can we suppress the Apple Pay popup while displaying our app key against a reader and also present the pass in the Wallet? Both requirements are essentially the same but implemented in two different ways, and we need both functionalities. Presenting the pass through a URL is not a viable option for us according to our standards. (https://developer.apple.com/forums/content/attachment/c2542a51-fd2c-42ce-88a2-207689b31159)