General:
DevForums tags: Code Signing, Signing Certificates, Provisioning Profiles, Entitlements
Developer Account Help — This document is good in general but, in particular, the Reference section is chock-full of useful information, including the names and purposes of all certificate types issued by Apple Developer web site, tables of which capabilities are supported by which distribution models on iOS and macOS, and information on how to use managed capabilities.
Developer > Support > Certificates covers some important policy issues
Entitlements documentation
TN3125 Inside Code Signing: Provisioning Profiles — This includes links to other technotes in the Inside Code Signing series.
WWDC 2021 Session 10204 Distribute apps in Xcode with cloud signing
Certificate Signing Requests Explained DevForums post
--deep Considered Harmful DevForums post
Don’t Run App Store Distribution-Signed Code DevForums post
Resolving errSecInternalComponent errors during code signing DevForums post
Finding a Capability’s Distribution Restrictions DevForums post
Signing code with a hardware-based code-signing identity DevForums post
Mac code signing:
DevForums tag: Developer ID
Creating distribution-signed code for macOS documentation
Packaging Mac software for distribution documentation
Placing Content in a Bundle documentation
Embedding Nonstandard Code Structures in a Bundle documentation
Embedding a Command-Line Tool in a Sandboxed App documentation
Signing a Daemon with a Restricted Entitlement documentation
Defining launch environment and library constraints documentation
WWDC 2023 Session 10266 Protect your Mac app with environment constraints
TN2206 macOS Code Signing In Depth archived technote — This doc has mostly been replaced by the other resources linked to here but it still contains a few unique tidbits and it’s a great historical reference.
Manual Code Signing Example DevForums post
The Care and Feeding of Developer ID DevForums post
TestFlight, Provisioning Profiles, and the Mac App Store DevForums post
For problems with notarisation, see Notarisation Resources. For problems with the trusted execution system, including Gatekeeper, see Trusted Execution Resources.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
Provisioning Profiles
RSS for tagA provisioning profile is a type of system profile used to launch one or more apps on devices and use certain services.
Posts under Provisioning Profiles tag
111 Posts
Sort by:
Post
Replies
Boosts
Views
Activity
(I posted this in the "Distribution >> App Submission and Review" forum 2 days ago but it has not received a response. Trying here...)I had to rebuild my iMac a few months ago and I restored from my Time Machine backup.I now need to make a change to an app but what used to compile without error is now failing at the codesign step with:Signing Identity: "-"As far as I can see, all of the account profiles are valid with expiry dates in the future. The only 'odd' thing is that some have a 'Download' button in the 'Action' column of the 'Provisioning Profiles' seciotn of the account details - when I select the "Download All Profiles" button, they turn grey but never seem to download or disappear (even after aiting for several hours!). Looking at the 'developer' web page, all of my certificates and provisioning profiles are all active.Any ideas welcomedThanksSusan
Hi,my apps run on the iOSSimulator without problems and used to run on devices as well, but after updating to latest XCode-Version I am getting the above error message when trying to run an app on my iPhone 7. It says :"codesign wants to access key "access" in your bunch of keys . To allow this enter your password".... but my apple-Developer-ID-Password doesn't work. And until updating to latest XCode-Version I never had any problems with codesign when running an app on iPhone device.Any hints what's going wrong ?XCode Version 9.1 (9B55)iOS Version 11.1.2 (15B202)Latest High Sierra Version, macbook Pro 2015
Hello,I am new to ios development. On the internet I have found tutorials how to create a free (restricted) developer account however in this tutorials there are different descriptions how to register an iOS device with the acount in xcode in order to install apps that I develop.Is there any official tutorial from apple how to do this?Or can some member of Apple staff confirm that this tutorial https://developer.xamarin.com/guides/ios/getting_started/installation/device_provisioning/free-provisioning/ work for Xcode version 9.2, please?Thanks in advancePetra
I hope the pending antitrust suits force Apple to allow us to sign and provision our own apps for more than a week. For the price paid I should be able to write my own apps and use them without restriction outside of Apple services such as iCloud and so on. I understand distribution restrictions but please kill that 1 week annoyance, give me some level of freedom over my own apps on my own device.
Or I hope it’s forced.
Cheers and Thanks in advance.
We seem to be dealing with a weird issue where the clinical health records entitlement keeps on getting added into our final embedded.mobileprovision when we prepare a build for distribution.
We seem to get this in the final package.
<key>com.apple.developer.healthkit.access</key>
<array>
<string>health-records</string>
</array>
But in our projects entitlement file there is no reference to health records. Below is the raw values inside of this file.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>aps-environment</key>
<string>development</string>
<key>com.apple.developer.healthkit</key>
<true/>
<key>com.apple.developer.healthkit.access</key>
<array/>
<key>com.apple.security.application-groups</key>
<array>
<string>group.xxxxx</string>
</array>
</dict>
</plist>
And also in the project this isn't selected in the capabilities section either. Has anyone come across this issue before where Xcode automatically adds clinical records even though you haven't selected the checkbox.
All identifiers updated in summer 2020 has new value for keychain-access-groups - com.apple.token. What is its purpose? What can happen if this value will not be added to entitlements?
I would like to know on a mdm managed supervised device, how to force use Safari if a user has non-safari browser set as default.
can enforcing safari for a domain or web clip be done?
even shortcuts now, when using safari it opens whatever is set as default browser. Ironically if same simple shortcut of open URL with Chrome is created it opens with Chrome, regardless if default browser is set to firefox for example
this default browser setting is great for personal use but cause issues now for corporate use for me
anybody else figure this out? Also affects certificates for our managed devices
Hi! I need to transfer an app, which is already available in the App Store, from one developer to another.
The new developer account (one to receive the app) has problems building the app for the local testing iPhone device, Xcode giving the error messages:
"Failed to register bundle identifier"
(The app identifier "com.app.name" cannot be registered to your development team because it is not available. Change your bundle identifier to a unique string to try again.)
and
"No profiles for 'com.app.name' were found"
(Xcode couldn't find any iOS App Development provisioning profiles matching 'com.app.name')"
Obviously, Bundle ID isn't unique, as the app already exists on the App Store, but he's only trying to build for the local iPhone to preview the app.
I need to be sure the new developer will be able to compile/build the application before we initiate the transfer of the app from one account to another. Also, the new dev has not yet paid for the APPLE DEVELOPER PROGRAM.
Should we change the Bundle ID temporarily to be able to test the app?
Thank you in advance!
I am trying to compile Xcode project on an online platform Bitrise. I am facing issue with sign in and provisioning .. after trying 4-5 days I am approaching you.
Please solve this.
❌ error: No profiles for 'my app bundle id' were found: Xcode couldn't find any iOS App Development provisioning profiles matching 'my app bundle id'. Automatic signing is disabled and unable to generate a profile.
To enable automatic signing, pass -allowProvisioningUpdates to xcodebuild. (in target 'myapp-Development' from project 'myapp')
How to enable this "allowProvisioningUpdates"
also why it is too difficult to do such processes with apple development.. I tried for android and it compiled successfully in a single attempt.
please help.
When I try to add HealthKit capabilities to my app, I get the following signing errors:
Communication with Apple failed. Your account does not have sufficient permissions to modify containers.
Provisioning profile "iOS Team Provisioning Profile: com.domain.app" doesn't support the HealthKit capability.
Provisioning profile "iOS Team Provisioning Profile: com.domain.app" doesn't include the com.apple.developer.healthkit and com.apple.developer.healthkit.access entitlements.
In my developer account, the HK capability is enabled. And the entitlements needed are automatically generated by Xcode when I add HK capability, if I try to add them, it says they're already there.
I have automatically managed signing selected. Clinical health records are not enabled for Health Kit. Common solutions like cleaning, derived data, and restarts don't help.
Does anybody know what this is?
When I download my provisioning profile I can't find the com.apple.developer.carplay-audio entitlement in it.
Here's what I did:
For our app identifier on Apple Developer Portal in "Additional Capabilities" I enabled "CarPlay Audio App (CarPlay framework)".
After that I generated a provisioning profile and downloaded it. In the provisional profile info on Apple Developer Portal I can see "CarPlay Audio App (CarPlay framework)" in "Enabled Capabilities".
When I import the downloaded profile in Xcode, I can't see the CarPlay entitlement there. After I added the "com.apple.developer.carplay-audio" entitlement to my .entitlements file, I'm getting the "Provisioning profile ... doesn't include the com.apple.developer.carplay-audio entitlement.". When I'm opening the profile in my text editor, I also can't find "carplay-audio" there.
Is there a way to solve this problem?
Hello. I have an iOS app written in Xamarin, but this issue is not related to Xamarin or Visual Studio. I am trying to deploy my xamarin app onto an iOS device, but I am unable to get the iOS device to install the provisioning profile via Xcode. I work at a company with a decent variety of test devices and the result seems to be the same from iPads to iPods to iPhones of various ages.
I have created a certificate and a provisioning profile. The certificate is associated with the provisioning profile on the developer portal. I have imported the certificate (including private keys) into my login keychain on MacOS. I have the .mobileprovision file downloaded to the machine. I am signed into Xcode with my apple developer account.
In Xcode, i went to Window > Devices and Simulators and selected my device. I right clicked my device and selected "Show Provisioning Profiles". I clicked the plus and chose my .mobileprovision file. I get the same error on every device:
Failed to install one or more provisioning profiles on the device.
Please ensure the provisioning profile is configured for this device. If not, please try to generate a new profile.|
this is an incredibly vague and unhelpful error. I'm not really sure what it means by "configured for this device". Not sure where to go from here
Hi, I'm trying to integrate with Tap to Pay feature under Stripe. For this reason i need to add com.apple.developer.proximity-reader.payment.acceptance entitlement to my Identifier. I can see it under Provisioning Profile -> Enabled Capabilities.
But after downloading this profile in Xcode I don't see this entitlement.
What could be the reason for this discrapency?
Is there a way to get the new com.apple.developer.device-information.user-assigned-device-name entitlement to work with automatically managed signing, or is it required to change to manual signing to use this entitlement?
Someone else had the same problem as me in this reply on another post: https://developer.apple.com/forums/thread/708275?answerId=730156022#730156022 but it was suggested they start a new thread but I don't think they started such a thread so I am.
I was hoping, perhaps naively, that after getting approval for the entitlement and adding it to our entitlements file that it would "just work" but i'm getting the error:
Provisioning profile "iOS Team Provisioning Profile: [redacted bundle id]" doesn't include the com.apple.developer.device-information.user-assigned-device-name entitlement.
Really hoping to avoid having to manually manage signing or at least know for sure that it is unavoidable before I move to it.
The documentation for CarPlay (https://developer.apple.com/documentation/carplay/requesting_carplay_entitlements) tells you to disable automatic signing in the section titled "Import the CarPlay Provisioning Profile":
Click All in the scope bar, and then deselect “Automatically manage signing”.
There have also been other posts in the past about the inability to use automatic signing with CarPlay: https://developer.apple.com/forums/thread/63468
However in a recent post of mine (https://developer.apple.com/forums/thread/717429?login=true&page=1#732392022) I was instructed how to set it up so that I could use automatic signing for the new user-assigned-device-name entitlement and it worked so I thought "Can I do the same thing for CarPlay?" and it seems to be working so far.
Is automatic signing with CarPlay now possible? We have been able to use automatic signing to archive successfully and run to real devices and verify that CarPlay is working. I'm crossing my fingers that we'll be able to submit and get the build approved and never have to touch manual signing again.
Hopefully it works and the documentation is just out of date.
Hi there,
Currently having some issues debugging on a physical device. I am running a flutter app, and have a provisioning profile provided by our client company that is not expired and has worked up until recently just fine with physical devices. Running the app on a simulator works okay as well. However, all of the sudden the app will not run on a physical device. The build succeeds fine, but then I receive the error "Unable to install runner: A valid provisioning profile for this executable was not found".
I have opened devices and simulators and tried to install the provisioning profile on the device, but get the error "Failed to install one or more provisioning profiles on the device: Please ensure the provisioning profile is configured for this device. If not, please try to generate a new profile." I don't know why this error appears, because I have used this exact profile on this device many times before.
I'm hesitant to contact the client to receive a new provisioning profile because it is not easy to do, and again this one has worked fine until now. Does anyone have any ideas? Thanks!
Hi all,
I got the entiltlements for the DriverKit PCI (primary match). so I added it to my driver app ID.
so, I can show the ~~transport.pci entitlement item on my provision profile.
However, macOS system still block the my driver, and log show the " Unsatisfied entitlements: com.apple.developer.driverkit.transport.pci"
I'm struggling to get past the following error from Transporter. I've tried everything I can think of and I'm not sure what else to do.
WARNING ITMS-90885: ""Cannot be used with TestFlight because the executable “${executable}” in bundle “${bundle}” is missing a provisioning profile but has an application identifier in its signature. Nested executables are expected to have provisioning profiles with application identifiers matching the identifier in the signature in order to be eligible for TestFlight.""
Setup
I'm using electron with a main.app and nested helper apps (e.g. Main.app/Contents/Frameworks/Main Helper (Renderer).app)
I'm trying to upload to the Mac App Store
I'm codesign-ing the contents with Apple Distribution: ... and signing the pkg installer with 3rd Party Mac Developer Installer: ...
I'm using osx-sign to manage the code signing for me: basically it's doing a whole bunch of this:
codesign --sign {40-char-hash} --force --timestamp --options runtime --entitlements "$CHILD_PLIST" "packages/mas-universal/{APP_NAME}.app/Contents/Frameworks/{APP_NAME} Helper (Renderer).app"
I tried building and running our application with the new Xcode 15.0 beta (15A5160n)
The build fails with the following message:
Provisioning profile "REDACTED" doesn't support the Access Wi-Fi Information, Hotspot Configuration, and Push Notifications capability.
However none of those capabilities are new, they are part of the profile and I was just able to build the project with Xcode 14 before.
I already tried reloading the profiles but that does not help.
Automatic Signing is disabled for our project.