General: DevForums tags: Code Signing, Signing Certificates, Provisioning Profiles, Entitlements Developer Account Help — This document is good in general but, in particular, the Reference section is chock-full of useful information, including the names and purposes of all certificate types issued by Apple Developer web site, tables of which capabilities are supported by which distribution models on iOS and macOS, and information on how to use managed capabilities. Developer > Support > Certificates covers some important policy issues Entitlements documentation TN3125 Inside Code Signing: Provisioning Profiles — This includes links to other technotes in the Inside Code Signing series. WWDC 2021 Session 10204 Distribute apps in Xcode with cloud signing Certificate Signing Requests Explained DevForums post --deep Considered Harmful DevForums post Don’t Run App Store Distribution-Signed Code DevForums post Resolving errSecInternalComponent errors during code signing DevForums post Finding a Capability’s Distribution Restrictions DevForums post Signing code with a hardware-based code-signing identity DevForums post Mac code signing: DevForums tag: Developer ID Creating distribution-signed code for macOS documentation Packaging Mac software for distribution documentation Placing Content in a Bundle documentation Embedding Nonstandard Code Structures in a Bundle documentation Embedding a Command-Line Tool in a Sandboxed App documentation Signing a Daemon with a Restricted Entitlement documentation Defining launch environment and library constraints documentation WWDC 2023 Session 10266 Protect your Mac app with environment constraints TN2206 macOS Code Signing In Depth archived technote — This doc has mostly been replaced by the other resources linked to here but it still contains a few unique tidbits and it’s a great historical reference. Manual Code Signing Example DevForums post The Care and Feeding of Developer ID DevForums post TestFlight, Provisioning Profiles, and the Mac App Store DevForums post For problems with notarisation, see Notarisation Resources. For problems with the trusted execution system, including Gatekeeper, see Trusted Execution Resources. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hello everyone can you help me, i have requested main camera access API Enterprise and have got the license to, and i have setting up the project main camera access demo from apple with my new license and have create app bundle and identifier for it but when i tried to deploy it test flight i got some error say "Profile doesn't support Main Camera Access" and "Profile doesn't include the com.apple.developer.arkit.main-camera-access.alow entitlement, even have do it it app Certificates, Identifiers & Profiles and add the additional capability Main Camera Access. can you help me fixing this so that i can use Main Camera Access Entitlement

Is it possible for an iOS app to programmatically detect if its built for TestFlight/App Store distribution versus built for development? The motivation for doing this is so that the app can detect if a push server should send pushes using the Apple production server or the sandbox server - when the app sends the push token to the server, I'd like it to additionally send an indicator to the server so the server knows which of the Apple servers to use. Is there a way to achieve this? TIA

Hello, I’m facing an issue with enabling In-App Purchases (IAP) for my iOS app, and it’s causing provisioning errors during the build process. Issue: • In Apple Developer Portal → Certificates, Identifiers & Profiles, the In-App Purchase capability is checked but grayed out, so I can’t modify it. • In Xcode, under Signing & Capabilities, I don’t see In-App Purchase listed. • When trying to build, I get the following error: Provisioning profile “BillionMines_Dev_Profile” doesn’t include the com.apple.developer.in-app-purchase entitlement. • Automatic signing in Xcode fails with: Xcode failed to provision this target. What I Have Tried: 1. Verified that my App ID is explicitly defined (not a wildcard ID). 2. Regenerated and downloaded a new Provisioning Profile, ensuring it matches my app. 3. Confirmed that In-App Purchase is enabled in App Store Connect under Features. 4. Cleaned the build folder and restarted Xcode. 5. Manually added com.apple.developer.in-app-purchase to my .entitlements file. Questions: • Why is the In-App Purchase option grayed out in Certificates, Identifiers & Profiles? • How can I ensure my provisioning profile includes the com.apple.developer.in-app-purchase entitlement? • Are there additional steps required to fully activate In-App Purchases? Any help would be greatly appreciated! Thanks in advance.

As of this morning, I get the following error message when trying to build on any of my Macs (including my desktop, as well as my CI/CD systems): Provisioning profile "Mac Team Provisioning Profile: com.stairwell.Inception.Forwarder" doesn't support the App Groups capability. When I check the identifier in the developer portal, it does show the "App Groups" capability, and the same group is selected as has been there before. We have to build this project with Xcode 15, because we have another issue with provisioning profiles on Xcode 16, that I haven't gotten resolved yet. To be clear - I built, notarized, and released a Developer ID build of this same project last night, and today it just fails to build. I should have never switched to "Xcode managed Profile", I guess. Manually configuring all of this was annoying, but at least it worked. I assume at this point, I'm just going to be regenerating provisioning profiles until the issue randomly goes away...

I am trying to build/deploy app to my phone however I get this message: "provisioning profile doesn't include the currently selected device" My developer account is pretty old one and used to be one the paid-version one. My understanding is that I should be able to deploy apps using free account but I don't see where I can add or delete devices....stuck in the loop over here! :-) I've created support request via email but I don't know if that is being worked or not...four days since I put it in. I suppose my other options are new apple-id or pay $99 and hope apple pays attention then? Any other suggestions?

I am managing provisioning profiles manually, including the one for my Notification Service Extension. I am wondering what happens if the provisioning profile for the Notification Service Extension expires. I have two types of apps: An App Store-distributed app An Enterprise-distributed app Can someone clarify how the expiration of the Notification Service Extension's provisioning profile affects both cases? Will the extension stop functioning, or will it continue to work normally?

Howdy, I thought this would be an easy question, but it turns out it's really not! In fact, it flies in the face of how the Apple ecosystem is set up. That said, I still need an answer to be able to inform our customers of what their app update options are. The question: Does app store provisioning ever expire? Based on the very limited information I can find, it either expires in one year, two years, or never. Anecdotal evidence seems to indicate that the answer could be never, but I need to confirm this. The use case: Some of our customers are very old school. They tend to find a technical solution and stick with it. As such, they do not update apps regularly on their field iPads. They generally only update when they are forced to. They use MDM to deploy the app, and would set the MDM not to pull updated apps from the app store when available, essentially keeping the same version of the app in use for as much as 3 years or more. If this were to happen, I need to know if the provisioning for the old version of the app will ever expire if they get it from the app store. I know with an enterprise deployment of .ipa files via MDM, the app provisioning/certificate will expire after 1 or 2 years (can't remember which atm), but I can't find an answer about app store provisioning. Hopefully someone can provide me with an answer on this forum. Thanks in advance, Mapguy

In an expo managed project which utilizes custom expo plugins, we're having trouble getting the keychain-access-groups entitlement inserted to our provisioningprofile for signing. The provisioning profile we download from apple dev portal contains: <key>keychain-access-groups</key> <array> <string>56APMZ7FZY.*</string> <string>com.apple.token</string> </array> and this is not recognized by xcode for signing; an error is thrown: Provisioning profile "ccpp" doesn't include the com.apple.developer.keychain-access-groups entitlement. A matching error is thrown during EAS build. So we need to find a way to modify the ccpp.mobileprovision locally and then sign the build using the modified ccpp.mobileprovision. Or, we need guidance on the proper way to resolve this situation. Questions: why does the downloaded mobileprovision file have the keychain-access-groups key, and not com.apple.developer.keychain-access-groups? Both Xcode and EAS appear to demand the latter keyname. when I use expo prebuild, I am able to see the following in the .entitlements file: <key>com.apple.developer.keychain-access-groups</key> <array> <string>$(AppIdentifierPrefix)com.myapp</string> </array> I am adding this entitlement using a custom expo plugin. However, the mobileprovision file downloaded from apple developer portal has no knowledge of this setting which is only applied through expo prebuild. So what I am left with at the end is an entitlements file generated by my expo prebuild which has the correct setting, and a provisioningprofile downloaded from dev portal with an incorrect setting, and I don't know how to mend the downloaded provisioningprofile (incorrect setting) with my local entitlements file (correct setting).

Hello! I'm suddenly having some difficulty debugging a Flutter-based app. When I run an app from VS Code, it launches Xcode and builds & installs the app on an iPhone running 18.1. However, once the app is installed on the phone, it disappears and in Xcode, a dialog appears with: Failed to install embedded profile for : 0xe800801f (Attempted to install a Beta profile without the proper entitlement.) However, when I look at the provisioning profile being used, it seems to have the correct entitlement: I've also tried enabling automatic signing (instead of the current manual signing using match), as well as generating an adhoc profile and re-adding the device UDID in developers.apple.com. None of these have worked. This issue appeared within the past day or so and was working fine yesterday with no code changes, so I've been stumped. All my certs are relatively new and were issued within the past few months. I've tried regenerating the provisioning profiles using match, but this gives the same thing. What's odd is that I can run the build and upload to testflight, then download and install the app just fine through there. But this obviously makes debugging an issue.

After upgrading the virtual machines used for building and testing our macOS application, it seems that something new in Sequoia is preventing virtual machines from running anything signed with a Mac Development certificate. At first glance the issue seems very similar to this thread, but it could be unrelated. We are using the tart toolset to build and run our VMs. People seem to be having related issues there with Sequoia in particular. I have added the VM's hardware UUID to the Devices list of our account. I have included that device in the devices list of our Mac Development provisioning profile. I have re-downloaded the profile, ensured that it is properly getting built into the app, and ensured that the hardware UUID of the VM matches the embedded provisioning profile: Virtual-Machine App.app/Contents % system_profiler SPHardwareDataType | grep UUID Hardware UUID: 0CAE034E-C837-53E6-BA67-3B2CC7AD3719 Virtual-Machine App.app/Contents % grep 0CAE034E-C837-53E6-BA67-3B2CC7AD3719 ../../App.app/Contents/embedded.provisionprofile Binary file ../../App.app/Contents/embedded.provisionprofile matches However, when I try to run the application, it fails, and while I have searched the system logs to find a more informative error message, the only thing I can find is that the profile doesn't match the device somehow: Virtual-Machine App.app/Contents % open ../../App.app The application cannot be opened for an unexpected reason, error=Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." UserInfo={NSLocalizedFailureReason=Launch failed., NSUnderlyingError=0x6000039440f0 {Error Domain=NSPOSIXErrorDomain Code=153 "Unknown error: 153" UserInfo={NSLocalizedDescription=Launchd job spawn failed}}} Virtual-Machine App.app/Contents % log show --info --debug --signpost --last 3m | grep -i embedded.provisionprofile 2025-01-21 16:33:32.369829+0000 0x65ba Error 0x0 2872 7 taskgated-helper: (ConfigurationProfiles) [com.apple.ManagedClient:ProvisioningProfiles] embedded provisioning profile not valid: file:///private/tmp/builds/app/.caches/Xcode/DerivedData/Build/Products/Debug/App.app/Contents/embedded.provisionprofile error: Error Domain=CPProfileManager Code=-212 "Provisioning profile does not allow this device." UserInfo={NSLocalizedDescription=Provisioning profile does not allow this device.} I don't understand why the provisioning profile wouldn't allow the device if the hardware UUID matches. I have also attempted to add the Provisioning UDID in the devices list instead, but the form rejects that value because it's a different format (the form specifically requests a hardware UUID for macOS development, and a provisioning UDID for everything else). If there is any debugging tool that lets me check a provisioning profile against the running hardware and print a more verbose reason for why it's not allowed on the device, please let me know. Otherwise I'd have to conclude that, since I haven't experienced this issue before on an earlier OS, it has something to do with virtual machines running macOS Sequoia. (The same Mac Development-signed application runs just fine on my MacBook Pro running 15.2, as well as the VM host, which is also running 15.2.) I have also tried resetting the VM's hardware UUID and adding that one to the devices list, to no effect. This is obviously seriously impacting our CI/CD pipelines to allow for proper UI testing of our application. If anyone is aware of any workarounds, I would love to hear them!

Hi, We are developing software that configures a network extension via a system extension on MacOS. The host application (run as service) enables network extension and system extension capabilities. It registers the network extension. The network extension has network extension capabilities and configures an app-group to be bundled into the service. What we have built is already working, i.e. we build, sign, notarize and ship the code (it's already running on hundreds of SIP enabled customer devices in production). But, we are currently falling back to manual profile management (i.e. download and import the profile) so that Xcode accepts the entitlements suffixed with -systemextention. Recently we are testing deployment on iOS devices. For iOS profiles we cannot overcome the issues with setting the profile manually, XCode complains about mismatching networkextension entitlements even when manually importing the profile. So I thought I get to the bottom of why automated signing is not working and hopefully overcome the issues with iOS. Upon configuring automatic signing we ran into the following problem: For a network extension that is installed via a system extension the network extension capabilities are expected to be defined with a -systemextension suffix, i.e.: <key>com.apple.developer.system-extension.install</key> <true/> <key>com.apple.developer.networking.networkextension</key> <array> <string>packet-tunnel-provider-systemextension</string> <string>app-proxy-provider-systemextension</string> <string>content-filter-provider-systemextension</string> <string>dns-proxy-systemextension</string> <string>dns-settings</string> <string>relay</string> When using automated signing the profile in our development account reflects these settings, i.e. the profile is correctly generated with the values above. However, XCode complains that the network extension capabilities don't match. I went as far as to configuring a new application-ID so that XCode would generate a new profile in the development account. I then downloaded and decoded the generated profile. The capabilities of the development portal profile were created as expected (as above), but somehow, the locally generated profile that is generated by XCode auto-sign expects: <key>com.apple.developer.system-extension.install</key> <true/> <key>com.apple.developer.networking.networkextension</key> <array> <string>app-proxy-provider</string> <string>content-filter-provider</string> <string>packet-tunnel-provider</string> <string>dns-proxy</string> <string>dns-settings</string> <string>relay</string> What XCode auto-sign expects is not reflected in the development account profile (!). I tried to overcome this by changing the entitlements of the project to omit the -systemextension suffix. XCode auto-sign seemingly works then, but once the application is actually signed by CodeSign the signing fails because the capabilities don't match with the development account profile. I tried profile re-generation by clearing Library/Developer/Xcode/UserData/Provisioning Profiles, but it always results in the same problem - either XCode is happy and the code signing fails when building, or the other way round. Bottom Line: I think that somehow XCode evaluates the profile validity differently from CodeSign; somehow when using automatic signing XCode does not take the network extension + system extension into account, but only expects the capabilities of the network extension. If anybody know how to overcome this problem please help :)

When connected to the company's internal network without accessing the Internet, can an IPA installation package be generated if the certificate files are imported in advance?

Hey, I'm trying to update my old app that used DarkSky to WeatherKit, and struggling. I always get: ailed to generate jwt token for: com.apple.weatherkit.authservice with error: Error Domain=WeatherDaemon.WDSJWTAuthenticatorServiceListener.Errors Code=2 "(null)" This is regardless if I do it on my iPad, or in the simulator. I have done the following: Selected WeatherKit on the Capabilities and App Services tabs of the Identifier section on developer. Put it under signing and capabilities in XCode I've tried making a new provisioning profile, cleaning build folder, etc. Not sure what to do here. I suspect part of this problem is that I developed this app in 2018 and now I'm trying to update it. I am able to run the app on TestFlight, but not as an internal tester. Apple won't let me, so I have to add myself as an external tester. Thanks for any help you can provide!

I'm trying to download a profile for a developer download for an app, but I get this error and can't install the profile. I've already registered the device and UDID and added it to the profile. Please let me know what I need to do.

Hi, I have an enterprise account, and i added the capability "main camera access" to my app. Although have an enterprise license and the entitlement is correctly setup, the inhouse provisioning profile that I am creating still says that the capabilities are missing. Not sure what i am missing here.

Hi, I know my swiftui, but I'm completely new to macOS development. Using Xcode 16.2 I wrote a backup app that fits my needs. I got it to use iCloud Documents in its own container. It runs beautifully on my developing Mac. When I copy it over to my other Mac and try to open it, I just get a message that macOS can't open the app ("Das Programm kann nicht geöffnet werden") In terminal I get this message: "embedded provisioning profile not valid: file:///Users/niko/FlexBackup.app/Contents/embedded.provisionprofile error: Error Domain=CPProfileManager Code=-212 "Provisioning profile does not allow this device." I have "automatically manage signing" turned on and a Xcode Managed Profile. How can I run my app on all of y Macs?

Hello, I am trying to distribute an app that is using the Enterprise entitlements for Vision OS. It is failing to upload to Test Flight because it says I have not the entitlements for the provisioning. This does not happen when deployed directly from Xcode. I can deploy to the headset and ha Is there anything I can do about it ? Part of the log below: 2025-01-10 17:02:06 +0000 Provisioning profile "iOS Team Store Provisioning Profile: com.appmr2.3d-Playbook" failed qualification checks: Profile doesn't support Main Camera Access and Passthrough in Screen Capture. Profile doesn't include the com.apple.developer.arkit.main-camera-access.allow and com.apple.developer.screen-capture.include-passthrough entitlements. 2025-01-10 17:02:06 +0000 2025-01-10 17:02:06 +0000 IDEProvisioningRepair(3d-Playbook.app): 2025-01-10 17:02:06 +0000 IDEProvisioningRepair(3d-Playbook.app): Using account <DVTAppleIDBasedDeveloperAccount: 0x600003cba400; username=''> for repair Thanks, Andres

After several years' lapse, I am coming back into app development for iPhone. Here's what I did: Renewed my membership to Apple developer I created a wildcard identifier, "me.joymaker.*" I created a certificate Using Xcode, I introduced my newest iPhone (a 12 mini) to Apple developer. Unlike my older models, this one has a UDID with a hyphen in it. To get it to take the UDID I had to remove the-and then paste the remaining continuous number into the field. But then it accepted it, and showed it back to me complete with hyphen. I created a development provisioning profile using that certificate and ID, checking the box that said "Select all", so that every device registered to my account was included. Using Xcode, I tried to upload the provisioning profile to the phone. OOPS. Xcode replies, "Failed to install one or more provisioning profiles on the device. Please ensure the provisioning profile is configured for this device." Yes, I am very that it was! There was an older identifier in the account, left over from years ago, named "XCode: Wildcard AppID", with an identifier of simply '*'. I tried building a provisioning profile with that one. Same results. Now what? How to diagnose, how to pursue this? BTW, although XCode sees this phone without difficulty, Music and Finder don’t. Relevant?? See this question for more details.

I have the same problem as this question: https://developer.apple.com/forums/thread/757605 "That indicates you’re using a unique App ID prefix. This is a legacy feature that’s not supported on macOS." Mine is a macOS App distributed in 2021, that now needs an update. It has always been under Xcode automatically managed signing with a Team. (Still have the project files from 2021: automatic) Now validating a new version gives me that error : Invalid Provisioning Profile. The provisioning profile included in the bundle com.*** [***.pkg/Payload/***.app] is invalid. [Invalid 'com.apple.application-identifier' entitlement value.] For more information, visit the macOS Developer Portal. (ID: ***) And even re-validating the old archive from 2021 gives me this error. I have looked at my Apple Id's on "Certificates, Identifiers & Profiles", and I can indeed see that this app has an "App ID Prefix" that is not my Team, but something I don't recognise. I can not make a new App ID Configuration for the bundle id I have been using: "An App ID with Identifier 'com..appname' is not available. Please enter a different string." Removing the existing App ID Config does not work either: The App ID '.com..' appears to be in use by the App Store, so it can not be removed at this time. So, I'm a bit stuck. (Help!)

I get the error message in Xcode signing certificate Provisioning profile "iOS Team Provisioning Profile: com.example.app" doesn't include the pushkit entitlement. I have push notifications ticked in my Identifier in the online developer account. There is no other dedicated pushkit capability available to select. Push notifications, time sensitive notifications and background mode-> voice over ip are added as capabilities in the Xcode project. The team provisioning profile for the app states under its enabled capabilities: both push notifications and time sensitive notifications. Is pushkit part of another capability that I need to select? I have read the guide below and it just says to add the push notification capability. https://developer.apple.com/documentation/pushkit/supporting-pushkit-notifications-in-your-app I have gone round and round in circles trying to get this profile to work for this, so any pointers would be much appreciated. Thanks