General: Forums topic: Code Signing Forums subtopics: Code Signing > General, Code Signing > Certificates, Identifiers & Profiles, Code Signing > Notarization, Code Signing > Entitlements Forums tags: Code Signing, Signing Certificates, Provisioning Profiles, Entitlements Developer Account Help — This document is good in general but, in particular, the Reference section is chock-full of useful information, including the names and purposes of all certificate types issued by Apple Developer web site, tables of which capabilities are supported by which distribution models on iOS and macOS, and information on how to use managed capabilities. Developer > Support > Certificates covers some important policy issues Bundle Resources > Entitlements documentation TN3125 Inside Code Signing: Provisioning Profiles — This includes links to the other technotes in the Inside Code Signing series. WWDC 2021 Session 10204 Distribute apps in Xcode with cloud signing Certificate Signing Requests Explained forums post --deep Considered Harmful forums post Don’t Run App Store Distribution-Signed Code forums post Resolving errSecInternalComponent errors during code signing forums post Finding a Capability’s Distribution Restrictions forums post Signing code with a hardware-based code-signing identity forums post New Capabilities Request Tab in Certificates, Identifiers & Profiles forums post Isolating Code Signing Problems from Build Problems forums post Investigating Third-Party IDE Code-Signing Problems forums post Determining if an entitlement is real forums post Mac code signing: Forums tag: Developer ID Creating distribution-signed code for macOS documentation Packaging Mac software for distribution documentation Placing Content in a Bundle documentation Embedding nonstandard code structures in a bundle documentation Embedding a command-line tool in a sandboxed app documentation Signing a daemon with a restricted entitlement documentation Defining launch environment and library constraints documentation WWDC 2023 Session 10266 Protect your Mac app with environment constraints TN2206 macOS Code Signing In Depth archived technote — This doc has mostly been replaced by the other resources linked to here but it still contains a few unique tidbits and it’s a great historical reference. Manual Code Signing Example forums post The Care and Feeding of Developer ID forums post TestFlight, Provisioning Profiles, and the Mac App Store forums post For problems with notarisation, see Notarisation Resources. For problems with the trusted execution system, including Gatekeeper, see Trusted Execution Resources. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"

In Xcode's (version 16.1) "Devices and Simulators" window pressing the device's context menu item "Show Provisioning Profiles..." does nothing: no new window, no message, nothing. How can I fix this?

Is it possible for an iOS app to programmatically detect if its built for TestFlight/App Store distribution versus built for development? The motivation for doing this is so that the app can detect if a push server should send pushes using the Apple production server or the sandbox server - when the app sends the push token to the server, I'd like it to additionally send an indicator to the server so the server knows which of the Apple servers to use. Is there a way to achieve this? TIA

Hello, I would like to clarify how link association and app-opening preferences work in iOS, specifically when a user opens a URL in a browser that can be handled by an installed application. I have noticed the following behavior: When a user taps a URL that can be opened by an app, iOS sometimes asks whether to open the link in the app or continue in the browser. After choosing an option once (for example, "Open in App" or "Stay in Browser"), it seems that this preference becomes persistent. Even after deleting the application and reinstalling it, the browser (Safari or third-party browsers) sometimes continues to open the link directly in the browser without asking the user again. In some cases, it appears impossible to reset or clear this association, and the user is not prompted again to choose how the link should be opened. My questions are: How exactly does iOS store link-handling preferences between apps and browsers? Are these preferences saved on the system level, inside Safari, or associated with the app installation itself? Is there a way for a user to manually reset or clear these link-opening associations? Should deleting and reinstalling the app reset these preferences, or is the behavior expected to persist? Is this behavior different for Universal Links, App Clips, or for regular URL scheme associations? This situation is important for us because it affects user experience, and at the moment it is difficult to understand or reproduce the internal logic behind these link associations. Thank you in advance for your clarification.

I need to post an app so how do you do it

We got an app for iPad which has two targets one for the App itself (MainApp target ) and another one for the Driver ( Driver Target ) using DriverKit. The app works fine in Development, but I'm trying to distribute it with adhoc. I've requested the Distribution Entitlement to Apple, after getting it, the App Id for the Driver has the following Capabilities: DriverKit, DriverKit (development), DriverKit USB Transport (development), DriverKit USB Transport - VendorID, In-App Purchase Now in the profile section, I've created a adhoc profile for the Driver AppId (Identifier). Obviously I've also created an Adhoc profile for the Main AppId Finally in the Signing & Capabilities Section I set up the profiles for MainApp target, int the Debug one I set up the Development one and int the Release one I set up the adhoc one. I do the same in the Driver Target, but when I set up the Adhoc one in the Release, I've got a warning: Xcode 14 and later requires a DriverKit development profile enabled for iOS and macOS. Visit the developer website to create or download a DriverKit profile Also interestingly the Signing Certificate section says: None I also set up the Capabilities for the Driver Target: DriverKit USB Transport - VendorID DriverKit USB Transport ( Development ) Inside these capabilities I set up the vendor ID as dictionary The problem is, if I try to Archive the app I will get the previous Warning message as error: Xcode 14 and later requires a DriverKit development profile enabled for iOS and macOS. Visit the developer website to create or download a DriverKit profile. Any idea what I'm missing? Thanks

We have NFC capabilties enabled for our app ID - com.uob.mightyvn but our minimum deployment target is 15.0. We do not have an option deselect PACE from provisioning profile. Hence, the validation is failed for IPA. Invalid entitlement for core nfc framework. The sdk version '18.2' and min OS version '15.0' are not compatible for the entitlement 'com.apple.developer.nfc.readersession.formats' because 'NDEF is disallowed'

Hi, I am developing a iOS app with Packet Tunnel Provider Network Extension. I manage signing manually. I created a distribution provisioning profile. Then when I archive and click "validate" I get this error: Your application bundle's signature contains code signing entitlements that are not supported on iOS. Specifically, value 'url-filter-provider' for key 'com.apple.developer.networking.networkextension' So I run security cms -D -i profiles/vpn_distribution.mobileprovision and I see there <key>Entitlements</key> <dict> <key>com.apple.developer.networking.networkextension</key> <array> <string>app-proxy-provider</string> <string>content-filter-provider</string> <string>packet-tunnel-provider</string> <string>dns-proxy</string> <string>dns-settings</string> <string>relay</string> <string>url-filter-provider</string> <string>hotspot-provider</string> </array> Where are those coming from. My entitlement file has <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.developer.networking.networkextension</key> <array> <string>packet-tunnel-provider</string> </array> <key>com.apple.security.application-groups</key> <array> <string>group.my-app-group</string> </array> </dict> </plist> What is happening here. How can I get a provisioning profile that only has the entitlements that I actually need?

According to the thread at https://developer.apple.com/forums/thread/787500?answerId=863361022#863361022, we should now be able to set VMs provisioning identifiers to run developer builds. However, the identifier check seems to be case-sensitive. I have an identifier from an old VM that was input (automatically via Xcode) to the portal as all-caps. However, now it's showing up as all lower-case (on the device). When I try to launch my application, the system logs report that the provisioning identifer doesn't match, so my application will not launch: # Error log error 13:41:36.173151-0600 taskgated-helper embedded provisioning profile not valid: file:///Applications/my-app.app/Contents/embedded.provisionprofile error: Error Domain=CPProfileManager Code=-212 "Provisioning profile does not allow this device." UserInfo={NSLocalizedDescription=Provisioning profile does not allow this device.} # Device's identifier $ system_profiler SPHardwareDataType Hardware: ... Provisioning UDID: 9d136dc4ae3ce80124756cc5bcb40cd1117c04b6 # Embedded provision (from developer portal) $ security cms -D -i /Applications/my-app.app/Contents/embedded.provisionprofile <key>ProvisionedDevices</key> <array> <string>9D136DC4AE3CE80124756CC5BCB40CD1117C04B6</string> </array> I have tried disabling the previous record and adding it again (with lower-case) on the developer portal - but all that does is reenable the previous (all-caps) record. Either the check needs to be case-insensitive, or there needs to be a way to change the registration on the developer portal to properly match.

My Apple developer certificates(4 certificates) expire soon. I'm developing an application for iOS but the application is not yet released in the App Store, only Testflight releases for private testing. Is it necessary to create 4 new certificates or can I edit the current certificates so that they don't expire soon?

Anyone know how long it takes to get Apple to respond to a request for provisioning for endpoint security?

I have added an in-app purchase function into my app, and have enabled in-app purchase profile in developer portal(it's on by default and is marked gray in developer portal, I don't know if that's how it supposed to look like). I have issued the agreements and tried signing the app both manually and automatically, but neither of that worked. App can be built successfully in simulator but does not show the simulation window, but cannot build on real device or archive. Errors: Missing com.apple.developer.in-app-purchase, com.apple.developer.in-app-purchase.non-consumable, and com.apple.developer.in-app-purchase.subscription entitlements. Automatic signing failed Xcode failed to provision this target.

I have added an in-app purchase function into my app, and have enabled in-app purchase profile in developer portal(it's on by default and is marked gray in developer portal, I don't know if that's how it supposed to look like). I have issued the agreements and tried signing the app both manually and automatically, but neither of that worked. App can be built successfully in simulator but does not show the simulation window, but cannot build on real device or archive. Errors: Missing com.apple.developer.in-app-purchase, com.apple.developer.in-app-purchase.non-consumable, and com.apple.developer.in-app-purchase.subscription entitlements. Automatic signing failed Xcode failed to provision this target.

Our app (Bundle ID: org.grapplermobileapp) has the In-App Purchase capability enabled in the Apple Developer portal (checkbox is grayed out and checked). However, any new App Store provisioning profile we create for this App ID is missing the entitlement: com.apple.developer.in-app-purchase We confirmed this by inspecting the .mobileprovision file directly. As a result, all iOS builds fail with the error: Provisioning profile doesn't include the com.apple.developer.in-app-purchase entitlement Steps we've already taken: Deleted and re-created provisioning profiles (both automatic via Expo/EAS and manual in Developer portal). Uploaded the profile manually into EAS and rebuilt. Verified the entitlement is missing by searching the .mobileprovision file. Opened a support case (#102688824691). Apple Developer Support escalated, but then replied that In-App Purchase is a capability and not an entitlement, and directed me to the forums. So we’re stuck. The App ID shows IAP enabled, but profiles never include the entitlement, and builds cannot proceed. Has anyone seen this issue where Apple’s system fails to embed com.apple.developer.in-app-purchase into profiles? If so, how was it resolved?

I tried to create a new IOS provisioning profile and re-apply it to the app using Xcode to build it, but I got into trouble. The build is good, but it bounces when running the app. I would appreciate it if you could let me know what to do.

I am trying to sign a enterprise app with provisioning profile which shows the tap to pay entitlement on Dev portal, but when downloaded on Xcode, it says the profile is missing the tap to pay capability and entitlement The capability was enabled by apple already, it was working fine until the provisioning profile got renewed.

Hi, I'm trying to integrate with Tap to Pay feature under Stripe. For this reason i need to add com.apple.developer.proximity-reader.payment.acceptance entitlement to my Identifier. I can see it under Provisioning Profile -> Enabled Capabilities. But after downloading this profile in Xcode I don't see this entitlement. What could be the reason for this discrapency?

Hi, I just released a new version of an app that was transferred from another developer account. The previous version of this app used the App Groups feature to store some important data, and I would like to retrieve that data. In the new version, I’m using the same bundle identifier and the same App Group ID (which has already been deleted from the original developer account). I also added the App Groups entitlement in the project settings and set the same App Group ID. However, I still cannot access the data in the App Group. From the documentation and issues I’ve found, it seems that an app should still have permission to access the same App Group after being transferred. Did I miss something? Thanks!

I have two certificates in my Accounts>Manage Certificates section. One is active, the other is greyed out with a status of "Not in Keychain". I only have ONE certificate in the developer account online. Timeline: Had an issue with fastlane codesigning and was trying to resolve that. In that attempt I deleted my related Certificates from my keychain Xcode showed them as disabled (greyed out) and not in Keychain. Look up how to resolve, need to revoke certificates in Developer account online. I go and revoke those certificates. Nothing changes I create new certificate and try to add it to xcode>account>certificate managment>"Apple Development". Get an error saying I can't add a new can't do that because a certificate is already pending. I waited a day because I assumed like somethings with apple, updates are not immediate. I come back the next day and am able to add a new certificate. However, the previous one that is greyed out and reads "Not in Keychain" under Status, is still there. How do I remove that "Not in Keychain" certificate? I emailed developer support and they directed me here.

Hi, My understanding from this information: " https://developer.apple.com/support/certificates/ iOS Distribution Certificate (in-house, internal-use apps) Users will no longer be able to run apps that have been signed with this certificate. You must distribute a new version of your app that is signed with a new certificate. " is that even if I re-sign the app with a new Provisioning Profile based on a new Distribution Certificate the apps will stop working. I need to re-build my apps with a new Distribution certificate+Provisioning profile, when distributing in-house, right? I can see that the apps continue to function when I re-sign them with a new Provisioning Profile, but according to the information above they will stop working the day (day after) the Distribution certificate they were built with expires. /Rikard

Totally noob programmer here, forgive me if this is a basic user error. But there seems to be a mismatch between my apple id identifier and my team identifier. It has been automatically configured, and worked until today, but while trying to run a new app on my iphone i all of a sudden got "Failed to install embedded profile for com.kylland.formattingtest : 0xe800801a (This provisioning profile does not have a valid signature (or it has a valid, but untrusted signature).)". Now it does not work on any apps. Went through what chatgpt had to give me, trying to log in and out, made sure automatic signing is enabled and tried to delete the key from keychain. Still comes up with two different keys.