General:
DevForums tags: Code Signing, Signing Certificates, Provisioning Profiles, Entitlements
Developer Account Help — This document is good in general but, in particular, the Reference section is chock-full of useful information, including the names and purposes of all certificate types issued by Apple Developer web site, tables of which capabilities are supported by which distribution models on iOS and macOS, and information on how to use managed capabilities.
Developer > Support > Certificates covers some important policy issues
Entitlements documentation
TN3125 Inside Code Signing: Provisioning Profiles — This includes links to other technotes in the Inside Code Signing series.
WWDC 2021 Session 10204 Distribute apps in Xcode with cloud signing
Certificate Signing Requests Explained DevForums post
--deep Considered Harmful DevForums post
Don’t Run App Store Distribution-Signed Code DevForums post
Resolving errSecInternalComponent errors during code signing DevForums post
Finding a Capability’s Distribution Restrictions DevForums post
Signing code with a hardware-based code-signing identity DevForums post
Mac code signing:
DevForums tag: Developer ID
Creating distribution-signed code for macOS documentation
Packaging Mac software for distribution documentation
Placing Content in a Bundle documentation
Embedding Nonstandard Code Structures in a Bundle documentation
Embedding a Command-Line Tool in a Sandboxed App documentation
Signing a Daemon with a Restricted Entitlement documentation
Defining launch environment and library constraints documentation
WWDC 2023 Session 10266 Protect your Mac app with environment constraints
TN2206 macOS Code Signing In Depth archived technote — This doc has mostly been replaced by the other resources linked to here but it still contains a few unique tidbits and it’s a great historical reference.
Manual Code Signing Example DevForums post
The Care and Feeding of Developer ID DevForums post
TestFlight, Provisioning Profiles, and the Mac App Store DevForums post
For problems with notarisation, see Notarisation Resources. For problems with the trusted execution system, including Gatekeeper, see Trusted Execution Resources.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
Provisioning Profiles
RSS for tagA provisioning profile is a type of system profile used to launch one or more apps on devices and use certain services.
Posts under Provisioning Profiles tag
104 Posts
Sort by:
Post
Replies
Boosts
Views
Activity
Howdy,
I thought this would be an easy question, but it turns out it's really not! In fact, it flies in the face of how the Apple ecosystem is set up. That said, I still need an answer to be able to inform our customers of what their app update options are.
The question: Does app store provisioning ever expire? Based on the very limited information I can find, it either expires in one year, two years, or never. Anecdotal evidence seems to indicate that the answer could be never, but I need to confirm this.
The use case: Some of our customers are very old school. They tend to find a technical solution and stick with it. As such, they do not update apps regularly on their field iPads. They generally only update when they are forced to. They use MDM to deploy the app, and would set the MDM not to pull updated apps from the app store when available, essentially keeping the same version of the app in use for as much as 3 years or more. If this were to happen, I need to know if the provisioning for the old version of the app will ever expire if they get it from the app store.
I know with an enterprise deployment of .ipa files via MDM, the app provisioning/certificate will expire after 1 or 2 years (can't remember which atm), but I can't find an answer about app store provisioning. Hopefully someone can provide me with an answer on this forum.
Thanks in advance,
Mapguy
In an expo managed project which utilizes custom expo plugins, we're having trouble getting the keychain-access-groups entitlement inserted to our provisioningprofile for signing.
The provisioning profile we download from apple dev portal contains:
<key>keychain-access-groups</key>
<array>
<string>56APMZ7FZY.*</string>
<string>com.apple.token</string>
</array>
and this is not recognized by xcode for signing; an error is thrown:
Provisioning profile "ccpp" doesn't include the com.apple.developer.keychain-access-groups entitlement.
A matching error is thrown during EAS build.
So we need to find a way to modify the ccpp.mobileprovision locally and then sign the build using the modified ccpp.mobileprovision.
Or, we need guidance on the proper way to resolve this situation.
Questions:
why does the downloaded mobileprovision file have the keychain-access-groups key, and not com.apple.developer.keychain-access-groups? Both Xcode and EAS appear to demand the latter keyname.
when I use expo prebuild, I am able to see the following in the .entitlements file:
<key>com.apple.developer.keychain-access-groups</key>
<array>
<string>$(AppIdentifierPrefix)com.myapp</string>
</array>
I am adding this entitlement using a custom expo plugin. However, the mobileprovision file downloaded from apple developer portal has no knowledge of this setting which is only applied through expo prebuild.
So what I am left with at the end is an entitlements file generated by my expo prebuild which has the correct setting, and a provisioningprofile downloaded from dev portal with an incorrect setting, and I don't know how to mend the downloaded provisioningprofile (incorrect setting) with my local entitlements file (correct setting).
Hello! I'm suddenly having some difficulty debugging a Flutter-based app. When I run an app from VS Code, it launches Xcode and builds & installs the app on an iPhone running 18.1. However, once the app is installed on the phone, it disappears and in Xcode, a dialog appears with:
Failed to install embedded profile for : 0xe800801f (Attempted to install a Beta profile without the proper entitlement.)
However, when I look at the provisioning profile being used, it seems to have the correct entitlement:
I've also tried enabling automatic signing (instead of the current manual signing using match), as well as generating an adhoc profile and re-adding the device UDID in developers.apple.com. None of these have worked.
This issue appeared within the past day or so and was working fine yesterday with no code changes, so I've been stumped. All my certs are relatively new and were issued within the past few months. I've tried regenerating the provisioning profiles using match, but this gives the same thing.
What's odd is that I can run the build and upload to testflight, then download and install the app just fine through there. But this obviously makes debugging an issue.
After upgrading the virtual machines used for building and testing our macOS application, it seems that something new in Sequoia is preventing virtual machines from running anything signed with a Mac Development certificate.
At first glance the issue seems very similar to this thread, but it could be unrelated. We are using the tart toolset to build and run our VMs. People seem to be having related issues there with Sequoia in particular.
I have added the VM's hardware UUID to the Devices list of our account. I have included that device in the devices list of our Mac Development provisioning profile. I have re-downloaded the profile, ensured that it is properly getting built into the app, and ensured that the hardware UUID of the VM matches the embedded provisioning profile:
Virtual-Machine App.app/Contents % system_profiler SPHardwareDataType | grep UUID
Hardware UUID: 0CAE034E-C837-53E6-BA67-3B2CC7AD3719
Virtual-Machine App.app/Contents % grep 0CAE034E-C837-53E6-BA67-3B2CC7AD3719 ../../App.app/Contents/embedded.provisionprofile
Binary file ../../App.app/Contents/embedded.provisionprofile matches
However, when I try to run the application, it fails, and while I have searched the system logs to find a more informative error message, the only thing I can find is that the profile doesn't match the device somehow:
Virtual-Machine App.app/Contents % open ../../App.app
The application cannot be opened for an unexpected reason, error=Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." UserInfo={NSLocalizedFailureReason=Launch failed., NSUnderlyingError=0x6000039440f0 {Error Domain=NSPOSIXErrorDomain Code=153 "Unknown error: 153" UserInfo={NSLocalizedDescription=Launchd job spawn failed}}}
Virtual-Machine App.app/Contents % log show --info --debug --signpost --last 3m | grep -i embedded.provisionprofile
2025-01-21 16:33:32.369829+0000 0x65ba Error 0x0 2872 7 taskgated-helper: (ConfigurationProfiles) [com.apple.ManagedClient:ProvisioningProfiles] embedded provisioning profile not valid: file:///private/tmp/builds/app/.caches/Xcode/DerivedData/Build/Products/Debug/App.app/Contents/embedded.provisionprofile error: Error Domain=CPProfileManager Code=-212 "Provisioning profile does not allow this device." UserInfo={NSLocalizedDescription=Provisioning profile does not allow this device.}
I don't understand why the provisioning profile wouldn't allow the device if the hardware UUID matches. I have also attempted to add the Provisioning UDID in the devices list instead, but the form rejects that value because it's a different format (the form specifically requests a hardware UUID for macOS development, and a provisioning UDID for everything else).
If there is any debugging tool that lets me check a provisioning profile against the running hardware and print a more verbose reason for why it's not allowed on the device, please let me know.
Otherwise I'd have to conclude that, since I haven't experienced this issue before on an earlier OS, it has something to do with virtual machines running macOS Sequoia. (The same Mac Development-signed application runs just fine on my MacBook Pro running 15.2, as well as the VM host, which is also running 15.2.) I have also tried resetting the VM's hardware UUID and adding that one to the devices list, to no effect.
This is obviously seriously impacting our CI/CD pipelines to allow for proper UI testing of our application. If anyone is aware of any workarounds, I would love to hear them!
Hi,
We are developing software that configures a network extension via a system extension on MacOS.
The host application (run as service) enables network extension and system extension capabilities. It registers the network extension.
The network extension has network extension capabilities and configures an app-group to be bundled into the service.
What we have built is already working, i.e. we build, sign, notarize and ship the code (it's already running on hundreds of SIP enabled customer devices in production).
But, we are currently falling back to manual profile management (i.e. download and import the profile) so that Xcode accepts the entitlements suffixed with -systemextention.
Recently we are testing deployment on iOS devices. For iOS profiles we cannot overcome the issues with setting the profile manually, XCode complains about mismatching networkextension entitlements even when manually importing the profile.
So I thought I get to the bottom of why automated signing is not working and hopefully overcome the issues with iOS.
Upon configuring automatic signing we ran into the following problem:
For a network extension that is installed via a system extension the network extension capabilities are expected to be defined with a -systemextension suffix, i.e.:
<key>com.apple.developer.system-extension.install</key>
<true/>
<key>com.apple.developer.networking.networkextension</key>
<array>
<string>packet-tunnel-provider-systemextension</string>
<string>app-proxy-provider-systemextension</string>
<string>content-filter-provider-systemextension</string>
<string>dns-proxy-systemextension</string>
<string>dns-settings</string>
<string>relay</string>
When using automated signing the profile in our development account reflects these settings, i.e. the profile is correctly generated with the values above.
However, XCode complains that the network extension capabilities don't match.
I went as far as to configuring a new application-ID so that XCode would generate a new profile in the development account. I then downloaded and decoded the generated profile.
The capabilities of the development portal profile were created as expected (as above), but somehow, the locally generated profile that is generated by XCode auto-sign expects:
<key>com.apple.developer.system-extension.install</key>
<true/>
<key>com.apple.developer.networking.networkextension</key>
<array>
<string>app-proxy-provider</string>
<string>content-filter-provider</string>
<string>packet-tunnel-provider</string>
<string>dns-proxy</string>
<string>dns-settings</string>
<string>relay</string>
What XCode auto-sign expects is not reflected in the development account profile (!).
I tried to overcome this by changing the entitlements of the project to omit the -systemextension suffix.
XCode auto-sign seemingly works then, but once the application is actually signed by CodeSign the signing fails because the capabilities don't match with the development account profile.
I tried profile re-generation by clearing Library/Developer/Xcode/UserData/Provisioning Profiles, but it always results in the same problem - either XCode is happy and the code signing fails when building, or the other way round.
Bottom Line: I think that somehow XCode evaluates the profile validity differently from CodeSign; somehow when using automatic signing XCode does not take the network extension + system extension into account, but only expects the capabilities of the network extension.
If anybody know how to overcome this problem please help :)
When connected to the company's internal network without accessing the Internet, can an IPA installation package be generated if the certificate files are imported in advance?
Hey,
I'm trying to update my old app that used DarkSky to WeatherKit, and struggling. I always get:
ailed to generate jwt token for: com.apple.weatherkit.authservice with error: Error Domain=WeatherDaemon.WDSJWTAuthenticatorServiceListener.Errors Code=2 "(null)"
This is regardless if I do it on my iPad, or in the simulator. I have done the following:
Selected WeatherKit on the Capabilities and App Services tabs of the Identifier section on developer.
Put it under signing and capabilities in XCode
I've tried making a new provisioning profile, cleaning build folder, etc. Not sure what to do here. I suspect part of this problem is that I developed this app in 2018 and now I'm trying to update it.
I am able to run the app on TestFlight, but not as an internal tester. Apple won't let me, so I have to add myself as an external tester.
Thanks for any help you can provide!
I'm trying to download a profile for a developer download for an app, but I get this error and can't install the profile.
I've already registered the device and UDID and added it to the profile.
Please let me know what I need to do.
Hi,
I have an enterprise account, and i added the capability "main camera access" to my app. Although have an enterprise license and the entitlement is correctly setup, the inhouse provisioning profile that I am creating still says that the capabilities are missing. Not sure what i am missing here.
Hi,
I know my swiftui, but I'm completely new to macOS development. Using Xcode 16.2 I wrote a backup app that fits my needs. I got it to use iCloud Documents in its own container. It runs beautifully on my developing Mac.
When I copy it over to my other Mac and try to open it, I just get a message that macOS can't open the app ("Das Programm kann nicht geöffnet werden")
In terminal I get this message: "embedded provisioning profile not valid: file:///Users/niko/FlexBackup.app/Contents/embedded.provisionprofile error: Error Domain=CPProfileManager Code=-212 "Provisioning profile does not allow this device."
I have "automatically manage signing" turned on and a Xcode Managed Profile.
How can I run my app on all of y Macs?
Hello,
I am trying to distribute an app that is using the Enterprise entitlements for Vision OS. It is failing to upload to Test Flight because it says I have not the entitlements for the provisioning. This does not happen when deployed directly from Xcode. I can deploy to the headset and ha
Is there anything I can do about it ?
Part of the log below:
2025-01-10 17:02:06 +0000 Provisioning profile "iOS Team Store Provisioning Profile: com.appmr2.3d-Playbook" failed qualification checks:
Profile doesn't support Main Camera Access and Passthrough in Screen Capture.
Profile doesn't include the com.apple.developer.arkit.main-camera-access.allow and com.apple.developer.screen-capture.include-passthrough entitlements.
2025-01-10 17:02:06 +0000 2025-01-10 17:02:06 +0000 IDEProvisioningRepair(3d-Playbook.app): 2025-01-10 17:02:06 +0000 IDEProvisioningRepair(3d-Playbook.app): Using account <DVTAppleIDBasedDeveloperAccount: 0x600003cba400; username=''> for repair
Thanks, Andres
After several years' lapse, I am coming back into app development for iPhone. Here's what I did:
Renewed my membership to Apple developer
I created a wildcard identifier, "me.joymaker.*"
I created a certificate
Using Xcode, I introduced my newest iPhone (a 12 mini) to Apple developer. Unlike my older models, this one has a UDID with a hyphen in it. To get it to take the UDID I had to remove the-and then paste the remaining continuous number into the field. But then it accepted it, and showed it back to me complete with hyphen.
I created a development provisioning profile using that certificate and ID, checking the box that said "Select all", so that every device registered to my account was included.
Using Xcode, I tried to upload the provisioning profile to the phone.
OOPS. Xcode replies, "Failed to install one or more provisioning profiles on the device. Please ensure the provisioning profile is configured for this device." Yes, I am very that it was!
There was an older identifier in the account, left over from years ago, named "XCode: Wildcard AppID", with an identifier of simply '*'. I tried building a provisioning profile with that one. Same results.
Now what? How to diagnose, how to pursue this?
BTW, although XCode sees this phone without difficulty, Music and Finder don’t. Relevant?? See this question for more details.
I have the same problem as this question: https://developer.apple.com/forums/thread/757605
"That indicates you’re using a unique App ID prefix. This is a legacy feature that’s not supported on macOS."
Mine is a macOS App distributed in 2021, that now needs an update.
It has always been under Xcode automatically managed signing with a Team. (Still have the project files from 2021: automatic)
Now validating a new version gives me that error :
Invalid Provisioning Profile. The provisioning profile included in the bundle com.*** [***.pkg/Payload/***.app] is invalid. [Invalid 'com.apple.application-identifier' entitlement value.] For more information, visit the macOS Developer Portal. (ID: ***)
And even re-validating the old archive from 2021 gives me this error.
I have looked at my Apple Id's on "Certificates, Identifiers & Profiles", and I can indeed see that this app has an "App ID Prefix" that is not my Team, but something I don't recognise.
I can not make a new App ID Configuration for the bundle id I have been using: "An App ID with Identifier 'com..appname' is not available. Please enter a different string."
Removing the existing App ID Config does not work either: The App ID '.com..' appears to be in use by the App Store, so it can not be removed at this time.
So, I'm a bit stuck. (Help!)
I get the error message in Xcode signing certificate
Provisioning profile "iOS Team Provisioning Profile: com.example.app" doesn't include the pushkit entitlement.
I have push notifications ticked in my Identifier in the online developer account. There is no other dedicated pushkit capability available to select.
Push notifications, time sensitive notifications and background mode-> voice over ip are added as capabilities in the Xcode project.
The team provisioning profile for the app states under its enabled capabilities: both push notifications and time sensitive notifications.
Is pushkit part of another capability that I need to select?
I have read the guide below and it just says to add the push notification capability. https://developer.apple.com/documentation/pushkit/supporting-pushkit-notifications-in-your-app
I have gone round and round in circles trying to get this profile to work for this, so any pointers would be much appreciated.
Thanks
Hi, I am trying to make my app build on GitHub Action CI pipeline. App builds fine on xcode on my mac. For CI I am using command line xcode.
I am getting following error:
No profiles for 'com.snslocation.electricians-now' were found: Xcode couldn't find any iOS App Development provisioning profiles matching 'com.snslocation.electricians-now'. Automatic signing is disabled and unable to generate a profile. To enable automatic signing, pass -allowProvisioningUpdates to xcodebuild. (in target 'myapp' from project 'myapp')
You can see full log of the build here:
https://github.com/nbulatovi/ElectriciansNow/actions/runs/12603115423/job/35127512689
The provisioning profile is present, and verified in the previous steps in the pipeline, however xcode refuses to find it. If I add -allowProvisioningUpdates error stays. I tried manually mapping app id to profile name.
Is there a way to get any debug log from xcode profile search, to see why is it not picking up the correct profile? Or can you maybe help in some other way?
xcode version is 15.4, iOS SDK 17.5
I'd like to create a "product/archive" in xcode, to use in "Testflight"
I get these errors:
Communication with Apple failed
Your team has no devices from which to generate a provisioning profile. Connect a device to use or manually add device IDs in Certificates, Identifiers & Profiles. https://developer.apple.com/account/
I do not have a physical iOs device.
Can i assign a provisioning profile to a simulated device?
Or do i need to have a physical iOS device, to connect my app to Apple, and be able to let poeple test it with "Testflight"?
Thanks for your answers.
In my AppleDeveloperAccount i'd like to connect to an app in xCode.
I'm trying to "Register a New Provisioning Profile" for "iOS App Development".
At the step "select Devices" i get stucked, because i do not have an IOS device. I only have a Mac.
Do i need a physical IOS device to develop and publish IOS applications?
Backup and restore Personal IOS data to a Supervised device?
We currently have around 200+ iPhone users that are using their devices as personal devices. We are planning on moving them to Intune using Automated Device Enrollment (Supervised).
Is it any way possible to backup their devices, do a factory reset, enroll them in Intune, then restore the old data?
Is it possible to do backup and restore in this situation? Is there an alternative way to restore the data back to a supervised device?
From the Apple Connect API documentation, it seems like this API does not provide an endpoint to add devices to provisioning profiles (or update profiles in any other way). Am I missing something in the docs or is this a known limitation? If latter, are there any viable alternatives?
When I upload the app to testflight, I get the following error: "Provisioning profile failed qualification. Profile doesn't include the selected signing certificate.". I have regenerated the profile. I have cleared cache, deleted profile and certificate and imported it back to xcode. Any ideas?