General: Forums topic: Code Signing Forums subtopics: Code Signing > General, Code Signing > Certificates, Identifiers & Profiles, Code Signing > Notarization, Code Signing > Entitlements Forums tags: Code Signing, Signing Certificates, Provisioning Profiles, Entitlements Developer Account Help — This document is good in general but, in particular, the Reference section is chock-full of useful information, including the names and purposes of all certificate types issued by Apple Developer web site, tables of which capabilities are supported by which distribution models on iOS and macOS, and information on how to use managed capabilities. Developer > Support > Certificates covers some important policy issues Bundle Resources > Entitlements documentation TN3125 Inside Code Signing: Provisioning Profiles — This includes links to the other technotes in the Inside Code Signing series. WWDC 2021 Session 10204 Distribute apps in Xcode with cloud signing Certificate Signing Requests Explained forums post --deep Considered Harmful forums post Don’t Run App Store Distribution-Signed Code forums post Resolving errSecInternalComponent errors during code signing forums post Finding a Capability’s Distribution Restrictions forums post Signing code with a hardware-based code-signing identity forums post New Capabilities Request Tab in Certificates, Identifiers & Profiles forums post Isolating Code Signing Problems from Build Problems forums post Investigating Third-Party IDE Code-Signing Problems forums post Determining if an entitlement is real forums post Mac code signing: Forums tag: Developer ID Creating distribution-signed code for macOS documentation Packaging Mac software for distribution documentation Placing Content in a Bundle documentation Embedding nonstandard code structures in a bundle documentation Embedding a command-line tool in a sandboxed app documentation Signing a daemon with a restricted entitlement documentation Defining launch environment and library constraints documentation WWDC 2023 Session 10266 Protect your Mac app with environment constraints TN2206 macOS Code Signing In Depth archived technote — This doc has mostly been replaced by the other resources linked to here but it still contains a few unique tidbits and it’s a great historical reference. Manual Code Signing Example forums post The Care and Feeding of Developer ID forums post TestFlight, Provisioning Profiles, and the Mac App Store forums post For problems with notarisation, see Notarisation Resources. For problems with the trusted execution system, including Gatekeeper, see Trusted Execution Resources. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"

My team has developed an app with a Matter commissioner feature (for own ecosystem) using the Matter framework on the MatterSupport extension. Recently, we've noticed that commissioning Matter devices with the MatterSupport extension has become very unstable. Occasionally, the HomeUIService stops the flow after commissioning to the first fabric successfully, displaying the error: "Failed to perform Matter device setup: Error Domain=HMErrorDomain Code=2." (normally, it should send open commissioning window to the device and then add the device to the 2nd fabric). The issue is never seen before until recently few weeks and there is no code changes in the app. We are suspected that there is some data that fail to download from the icloud or apple account that cause this problem. For evaluation, we tried removing the HomeSupport extension and run the Matter framework directly in developer mode, this issue disappears, and commissioning works without any problems.

I am encountering a cloud signing permission error when archiving and uploading an iOS app using Xcode with Automatically manage signing enabled. Xcode reports that it cannot access or create cloud-managed distribution certificates, and therefore cannot find any App Store provisioning profiles for either the main app target or an associated Notification Service Extension. The error message returned by Apple’s certificate API indicates that access to cloud-managed distribution certificates is forbidden. Error messages Cloud signing permission error You haven't been given access to cloud-managed distribution certificates. Please contact your team's Account Holder or an Admin to give you access. No profiles were found Xcode couldn't find any iOS App Store provisioning profiles matching the app or extension targets. Environment Xcode: 16.x Signing method: Automatic signing (App Store distribution) Apple Developer Program team with existing distribution certificates Apple ID role: Admin (recently upgraded from a lower role) What I have verified Automatic signing is enabled for all targets The correct team is selected Bundle identifiers are valid and already registered The app and extension exist in App Store Connect Distribution certificates already exist in the team (previously created manually) Observed behavior Xcode attempts to access cloud-managed distribution certificates Apple certificate service responds with a permission-denied error As a result, provisioning profiles cannot be generated automatically Question After being upgraded to an Admin role, is there a known delay or additional requirement before an account can access cloud-managed distribution certificates, especially for teams that previously used manually managed distribution certificates? Is there any recommended action (besides waiting or having the Account Holder perform an initial signing operation) to unblock automatic signing in this situation?

Hello, We're developing endpoint security software using the Endpoint Security framework, and we've encountered challenges with the behavior change in macOS 15 regarding provisioning UDIDs in cloned VMs. The Change Prior to macOS 15, cloning a VM preserved its UDID (format: 0000FE00-9C4ED9F68BBDC72D). Starting with macOS 15, cloned VMs receive a new UDID generated from the host's Secure Enclave (format: b043d27202c7ac37ca3c6b82673302225485cae9), making each clone effectively a new device. Our Workflow We maintain a clean base VM image and clone it for each test run. We add the base VM's UDID to our provisioning profile once, then create clones which (previously) retained that same UDID, allowing us to start new testing cycles without re-registering devices. This is essential because our product involves low-level system integration through the Endpoint Security framework, and if something goes wrong during development, it has the potential to affect system stability. To prevent any cascading issues between test runs or different product versions, we need each test to start from a known clean state rather than reusing the same VM. The Challenge With each VM clone generating a new UDID, we're hitting Apple's device registration limits quickly. This particularly impacts: New team members who spin up VMs for the first time and can't run signed builds Our CI/CD pipeline where multiple test environments need provisioning profiles Developers testing different branches who need separate clean environments Current Workaround We've found that VMs created on macOS 14 and upgraded to macOS 15+ retain their original UDID format. However, we're concerned this workaround may stop working in future macOS versions, which would leave us without a viable path forward. If the workaround stops working, our fallback would be signing each CI build with a Developer ID signature to allow running on any device. However, we'd prefer to avoid this as it would significantly increase load on Apple's signing infrastructure for what are essentially internal test builds. We completely understand the security reasoning behind tying UDIDs to the host's Secure Enclave for Apple Account support. However, for development workflows that don't require Apple Account features in VMs but do require clean, isolated test environments, the previous behavior was quite valuable. Question Is there a recommended approach for teams in our situation? We're happy to explore alternative workflows if there's a pattern we're missing, or we'd be glad to provide more context if this is a use case Apple is considering for future updates. Thanks for any guidance you can provide! Feedback case: FB21389730

Hi, Since Xcode 26.2 beta 1, till now (I thought RC or actual release will solve this issue) I have problems exporting archive to appstore via Xcode Cloud (locally everything works and using Xcode 26.2 I was able to submit app to AppStore). Build is archived successfully but during export I get an error Exporting for App Store Distribution failed. Please download the logs artifact for more information. In xcodebuild-export-archive.log I see multiple attempts & errors like this 2025-12-13T08:29:34.040644840Z 2025-12-13 00:29:33.900 xcodebuild[10889:58988] DVTServices: Sending request 9A4173F4-CD87-4A76-95FC-501B4D11EF22 to <http://172.16.55.70:8089/services/v1/capabilities> for session DVTFoundation.DVTServicesSessionProxy. 2025-12-13T08:29:34.040647258Z Method: POST 2025-12-13T08:29:34.040648780Z 2025-12-13T08:29:34.040650230Z Headers: 2025-12-13T08:29:34.040651730Z { 2025-12-13T08:29:34.040653539Z Accept = "application/vnd.api+json"; 2025-12-13T08:29:34.040655403Z "Accept-Encoding" = "gzip, deflate"; 2025-12-13T08:29:34.040673847Z "Content-Length" = 124; 2025-12-13T08:29:34.040675883Z "Content-Type" = "application/vnd.api+json"; 2025-12-13T08:29:34.040677903Z "User-Agent" = Xcode; 2025-12-13T08:29:34.040681998Z "X-HTTP-Method-Override" = GET; 2025-12-13T08:29:34.040684468Z "X-Xcode-Version" = "26.2 (17C52)"; 2025-12-13T08:29:34.040686326Z } 2025-12-13T08:29:34.040688028Z 2025-12-13T08:29:34.040689711Z Payload: 2025-12-13T08:29:34.040692163Z {"urlEncodedQueryParams":"teamId=8CKLLLC9UE&filter%5BreferenceType%5D=bundle&filter%5BincludeRequestable%5D=true&limit=200"} 2025-12-13T08:29:34.308538247Z 2025-12-13 00:29:34.208 xcodebuild[10889:58988] DVTServices: Received response for 9A4173F4-CD87-4A76-95FC-501B4D11EF22 @ <http://172.16.55.70:8089/services/v1/capabilities>. Code = 0 2025-12-13T08:29:34.308555026Z 2025-12-13 00:29:34.208 xcodebuild[10889:58988] DVTServices: Response payload: { 2025-12-13T08:29:34.308557639Z "errors" : [ { 2025-12-13T08:29:34.308569919Z "id" : "0316154c-332b-4f9d-a90a-5770d4f8dc1a", 2025-12-13T08:29:34.308573588Z "status" : "400", 2025-12-13T08:29:34.308575871Z "code" : "PARAMETER_ERROR.INVALID", 2025-12-13T08:29:34.308578343Z "title" : "A parameter has an invalid value", 2025-12-13T08:29:34.308581767Z "detail" : "A parameter 'filter[includeRequestable]' has an invalid value : ''includeRequestable' is not a valid field name.'", 2025-12-13T08:29:34.308584989Z "source" : { 2025-12-13T08:29:34.308587270Z "parameter" : "filter[includeRequestable]" 2025-12-13T08:29:34.308589531Z } 2025-12-13T08:29:34.308591437Z } ] 2025-12-13T08:29:34.308593381Z } 2025-12-13T08:29:34.308595389Z 2025-12-13T08:29:34.308597297Z 2025-12-13T08:29:34.308600188Z 2025-12-13 00:29:34.208 xcodebuild[10889:58988] DVTServices: Could not fetch capabilities from network due to error: error = 'A parameter has an invalid value' When I use Xcode 26.1.1 to export the same commit, eveything works and workflow sends build to AppStoreConnect, any ideas what might cause this issue? Unfortunately I need to use Xcode 26.2 if I want to use tabViewBottomAccessory(isEnabled:content:) bcs even though this api is available since iOS 26.1, it's not available in Xcode 26.1

The profile expiration date is approaching, and no amount of inquiries will solve it. Create a new profile Download a new profile from Xcode Press archive, press Distribute App, press Enterprise, and distribute Invalid expiration date in profile of summary of review app.ipa content I've tried everything that comes out by Googleing profiles, such as regenerating profiles, erasing caches, updating Xcode, updating macOS, deleting existing profile information, etc. Expiration date different from the expiration date of the profile created in that menu is displayed. The expiration date of the profile I created is December 8, 2026, and the previous certificate is January 22, 2026. However, the profile information of the generated ipa is February 12, 2026. So I can't distribute this app because I'm scared, and the expiration date is coming up. Users should have a period of time to update. Get me a novice developer who's choking up.

I´m tring to integrate InApp push provisioning but when I send the information from the issuer to SDK to add my debit card to wallet I saw this error: PKPassKitErrorDomain Code 2 error Looking in the forum I found how to see part of the logs to get more detail on the error and I found: POST https://pr-pod9-smp-device.apple.com:443/broker/v4/devices/04131B65D01590022288082867404947F3CCA674C3D41F3C/cards/683986c983984251b9aecfc8ff51d88a/enable 'Error Domain=PKPaymentWebServiceErrorDomain Code=0 "Error inesperado." UserInfo={PKErrorHTTPResponseStatusCodeKey=500, NSLocalizedDescription=Error inesperado.

Dear We try to generate IPA with Xcode Cloud but this task fail in Export archive phase (Export archive for app-store distribution). The error that appear in the archive logs is: error: exportArchive Provisioning profile "iOS Team Store Provisioning Profile: cl.app.myapp" doesn't include the com.apple.CommCenter.fine-grained entitlement. Any idea about to resolve this problem ? king regards

In Xcode's (version 16.1) "Devices and Simulators" window pressing the device's context menu item "Show Provisioning Profiles..." does nothing: no new window, no message, nothing. How can I fix this?

Is it possible for an iOS app to programmatically detect if its built for TestFlight/App Store distribution versus built for development? The motivation for doing this is so that the app can detect if a push server should send pushes using the Apple production server or the sandbox server - when the app sends the push token to the server, I'd like it to additionally send an indicator to the server so the server knows which of the Apple servers to use. Is there a way to achieve this? TIA

Hello, I would like to clarify how link association and app-opening preferences work in iOS, specifically when a user opens a URL in a browser that can be handled by an installed application. I have noticed the following behavior: When a user taps a URL that can be opened by an app, iOS sometimes asks whether to open the link in the app or continue in the browser. After choosing an option once (for example, "Open in App" or "Stay in Browser"), it seems that this preference becomes persistent. Even after deleting the application and reinstalling it, the browser (Safari or third-party browsers) sometimes continues to open the link directly in the browser without asking the user again. In some cases, it appears impossible to reset or clear this association, and the user is not prompted again to choose how the link should be opened. My questions are: How exactly does iOS store link-handling preferences between apps and browsers? Are these preferences saved on the system level, inside Safari, or associated with the app installation itself? Is there a way for a user to manually reset or clear these link-opening associations? Should deleting and reinstalling the app reset these preferences, or is the behavior expected to persist? Is this behavior different for Universal Links, App Clips, or for regular URL scheme associations? This situation is important for us because it affects user experience, and at the moment it is difficult to understand or reproduce the internal logic behind these link associations. Thank you in advance for your clarification.

I need to post an app so how do you do it

We got an app for iPad which has two targets one for the App itself (MainApp target ) and another one for the Driver ( Driver Target ) using DriverKit. The app works fine in Development, but I'm trying to distribute it with adhoc. I've requested the Distribution Entitlement to Apple, after getting it, the App Id for the Driver has the following Capabilities: DriverKit, DriverKit (development), DriverKit USB Transport (development), DriverKit USB Transport - VendorID, In-App Purchase Now in the profile section, I've created a adhoc profile for the Driver AppId (Identifier). Obviously I've also created an Adhoc profile for the Main AppId Finally in the Signing & Capabilities Section I set up the profiles for MainApp target, int the Debug one I set up the Development one and int the Release one I set up the adhoc one. I do the same in the Driver Target, but when I set up the Adhoc one in the Release, I've got a warning: Xcode 14 and later requires a DriverKit development profile enabled for iOS and macOS. Visit the developer website to create or download a DriverKit profile Also interestingly the Signing Certificate section says: None I also set up the Capabilities for the Driver Target: DriverKit USB Transport - VendorID DriverKit USB Transport ( Development ) Inside these capabilities I set up the vendor ID as dictionary The problem is, if I try to Archive the app I will get the previous Warning message as error: Xcode 14 and later requires a DriverKit development profile enabled for iOS and macOS. Visit the developer website to create or download a DriverKit profile. Any idea what I'm missing? Thanks

We have NFC capabilties enabled for our app ID - com.uob.mightyvn but our minimum deployment target is 15.0. We do not have an option deselect PACE from provisioning profile. Hence, the validation is failed for IPA. Invalid entitlement for core nfc framework. The sdk version '18.2' and min OS version '15.0' are not compatible for the entitlement 'com.apple.developer.nfc.readersession.formats' because 'NDEF is disallowed'

Hi, I am developing a iOS app with Packet Tunnel Provider Network Extension. I manage signing manually. I created a distribution provisioning profile. Then when I archive and click "validate" I get this error: Your application bundle's signature contains code signing entitlements that are not supported on iOS. Specifically, value 'url-filter-provider' for key 'com.apple.developer.networking.networkextension' So I run security cms -D -i profiles/vpn_distribution.mobileprovision and I see there <key>Entitlements</key> <dict> <key>com.apple.developer.networking.networkextension</key> <array> <string>app-proxy-provider</string> <string>content-filter-provider</string> <string>packet-tunnel-provider</string> <string>dns-proxy</string> <string>dns-settings</string> <string>relay</string> <string>url-filter-provider</string> <string>hotspot-provider</string> </array> Where are those coming from. My entitlement file has <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.developer.networking.networkextension</key> <array> <string>packet-tunnel-provider</string> </array> <key>com.apple.security.application-groups</key> <array> <string>group.my-app-group</string> </array> </dict> </plist> What is happening here. How can I get a provisioning profile that only has the entitlements that I actually need?

According to the thread at https://developer.apple.com/forums/thread/787500?answerId=863361022#863361022, we should now be able to set VMs provisioning identifiers to run developer builds. However, the identifier check seems to be case-sensitive. I have an identifier from an old VM that was input (automatically via Xcode) to the portal as all-caps. However, now it's showing up as all lower-case (on the device). When I try to launch my application, the system logs report that the provisioning identifer doesn't match, so my application will not launch: # Error log error 13:41:36.173151-0600 taskgated-helper embedded provisioning profile not valid: file:///Applications/my-app.app/Contents/embedded.provisionprofile error: Error Domain=CPProfileManager Code=-212 "Provisioning profile does not allow this device." UserInfo={NSLocalizedDescription=Provisioning profile does not allow this device.} # Device's identifier $ system_profiler SPHardwareDataType Hardware: ... Provisioning UDID: 9d136dc4ae3ce80124756cc5bcb40cd1117c04b6 # Embedded provision (from developer portal) $ security cms -D -i /Applications/my-app.app/Contents/embedded.provisionprofile <key>ProvisionedDevices</key> <array> <string>9D136DC4AE3CE80124756CC5BCB40CD1117C04B6</string> </array> I have tried disabling the previous record and adding it again (with lower-case) on the developer portal - but all that does is reenable the previous (all-caps) record. Either the check needs to be case-insensitive, or there needs to be a way to change the registration on the developer portal to properly match.

My Apple developer certificates(4 certificates) expire soon. I'm developing an application for iOS but the application is not yet released in the App Store, only Testflight releases for private testing. Is it necessary to create 4 new certificates or can I edit the current certificates so that they don't expire soon?

Anyone know how long it takes to get Apple to respond to a request for provisioning for endpoint security?

I have added an in-app purchase function into my app, and have enabled in-app purchase profile in developer portal(it's on by default and is marked gray in developer portal, I don't know if that's how it supposed to look like). I have issued the agreements and tried signing the app both manually and automatically, but neither of that worked. App can be built successfully in simulator but does not show the simulation window, but cannot build on real device or archive. Errors: Missing com.apple.developer.in-app-purchase, com.apple.developer.in-app-purchase.non-consumable, and com.apple.developer.in-app-purchase.subscription entitlements. Automatic signing failed Xcode failed to provision this target.

I have added an in-app purchase function into my app, and have enabled in-app purchase profile in developer portal(it's on by default and is marked gray in developer portal, I don't know if that's how it supposed to look like). I have issued the agreements and tried signing the app both manually and automatically, but neither of that worked. App can be built successfully in simulator but does not show the simulation window, but cannot build on real device or archive. Errors: Missing com.apple.developer.in-app-purchase, com.apple.developer.in-app-purchase.non-consumable, and com.apple.developer.in-app-purchase.subscription entitlements. Automatic signing failed Xcode failed to provision this target.

Our app (Bundle ID: org.grapplermobileapp) has the In-App Purchase capability enabled in the Apple Developer portal (checkbox is grayed out and checked). However, any new App Store provisioning profile we create for this App ID is missing the entitlement: com.apple.developer.in-app-purchase We confirmed this by inspecting the .mobileprovision file directly. As a result, all iOS builds fail with the error: Provisioning profile doesn't include the com.apple.developer.in-app-purchase entitlement Steps we've already taken: Deleted and re-created provisioning profiles (both automatic via Expo/EAS and manual in Developer portal). Uploaded the profile manually into EAS and rebuilt. Verified the entitlement is missing by searching the .mobileprovision file. Opened a support case (#102688824691). Apple Developer Support escalated, but then replied that In-App Purchase is a capability and not an entitlement, and directed me to the forums. So we’re stuck. The App ID shows IAP enabled, but profiles never include the entitlement, and builds cannot proceed. Has anyone seen this issue where Apple’s system fails to embed com.apple.developer.in-app-purchase into profiles? If so, how was it resolved?