General: Forums topic: Code Signing Forums subtopics: Code Signing > General, Code Signing > Certificates, Identifiers & Profiles, Code Signing > Notarization, Code Signing > Entitlements Forums tags: Code Signing, Signing Certificates, Provisioning Profiles, Entitlements Developer Account Help — This document is good in general but, in particular, the Reference section is chock-full of useful information, including the names and purposes of all certificate types issued by Apple Developer web site, tables of which capabilities are supported by which distribution models on iOS and macOS, and information on how to use managed capabilities. Developer > Support > Certificates covers some important policy issues Bundle Resources > Entitlements documentation TN3125 Inside Code Signing: Provisioning Profiles — This includes links to the other technotes in the Inside Code Signing series. WWDC 2021 Session 10204 Distribute apps in Xcode with cloud signing Certificate Signing Requests Explained forums post --deep Considered Harmful forums post Don’t Run App Store Distribution-Signed Code forums post Resolving errSecInternalComponent errors during code signing forums post Finding a Capability’s Distribution Restrictions forums post Signing code with a hardware-based code-signing identity forums post New Capabilities Request Tab in Certificates, Identifiers & Profiles forums post Isolating Code Signing Problems from Build Problems forums post Investigating Third-Party IDE Code-Signing Problems forums post Determining if an entitlement is real forums post Code Signing Identifiers Explained forums post Mac code signing: Forums tag: Developer ID Creating distribution-signed code for macOS documentation Packaging Mac software for distribution documentation Placing Content in a Bundle documentation Embedding nonstandard code structures in a bundle documentation Embedding a command-line tool in a sandboxed app documentation Signing a daemon with a restricted entitlement documentation Defining launch environment and library constraints documentation WWDC 2023 Session 10266 Protect your Mac app with environment constraints TN2206 macOS Code Signing In Depth archived technote — This doc has mostly been replaced by the other resources linked to here but it still contains a few unique tidbits and it’s a great historical reference. Manual Code Signing Example forums post The Care and Feeding of Developer ID forums post TestFlight, Provisioning Profiles, and the Mac App Store forums post For problems with notarisation, see Notarisation Resources. For problems with the trusted execution system, including Gatekeeper, see Trusted Execution Resources. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hello, I have been unable to install any development-signed app on any physical device for five months. Builds succeed, code signing passes locally, but every device rejects the app at install time with: Failed to verify code signature of .../extracted/MyApp.app : 0xe8008018 (The identity used to sign the executable is no longer valid.) ApplicationVerificationFailed The app installs briefly, then iOS immediately removes it. This started right after my account (Team ID MB4DXDTDMT) was reinstated following a duplicate-account flag. Background: I had a personal account that was converted to a business account (Wakeout LLC), then created a new personal account, which Apple flagged as a duplicate and later reinstated. The signing failure began immediately after that reinstatement. Isolation already done (this is not a local-setup problem) I have run the full isolation sequence — including every step DTS typically asks for — and the result points squarely at the account/team, not my machine: New blank Xcode project, automatic signing, new bundle ID → same 0xe8008018. Brand-new macOS user account → same failure. Multiple Macs, fresh Xcode installs → same failure. Multiple iOS devices (iPhone 17 Pro, iPhone 15 Pro, others) → same failure. Different Apple ID / different developer team on the same Mac + same device → installs fine. This is the decisive one: the local environment is healthy; only Team MB4DXDTDMT is rejected. Xcode Cloud builds for this same team install fine. Apple's cloud signing trusts MB4DXDTDMT; the device-verification backend does not. That gap can only exist server-side. I have also: revoked/regenerated all certificates multiple times, deleted/recreated all provisioning profiles, cleared ~/Library/MobileDevice/Provisioning Profiles, cleared DerivedData and CoreDevice, removed device pairing records, re-paired devices, confirmed Developer Mode and correct system time. Simulators work. codesign --verify --deep --strict passes. Profile certificate SHA-1 matches the signing cert exactly. Entitlements match. Why I'm posting here This is the same failure documented in thread 755762, where Quinn concluded: "this seems to be tied to your primary developer account and only DevPrograms has access to those details." That matches my evidence exactly: the problem isolates cleanly to one team, and only DevPrograms can see the account-side state. I've already gone through Developer Support on this — an open case has been with them for about five months without a resolution, which is what convinced me the fix isn't something I can reach from the support side. I'm posting here in case a DTS engineer can confirm the diagnosis and point me to the right path. Question for any DTS engineer: given that the failure isolates to a single team — different teams sign and install fine on the same Mac and same device, and Xcode Cloud builds for this same team install fine — can you confirm this is an account-side signing-trust state that has to be reset by Apple, and what's the most direct way to get that reset actioned? Happy to attach a sysdiagnose, full console output, or codesign -dvvv dumps on request. Thank you.

I've been trying to notarize an installer (.pkg file) on a new laptop. Previous versions have been notarized successfully on a previous Mac. However, in spite of having the required certificates (same as the old Mac, generated for the new Mac) the submission gets stuck at "In Progress". Doing it multiple times (even hours apart) doesn't help. Is there a FAQ / suggested list of steps to help resolve this issue? Here's what I see: xcrun notarytool history --keychain-profile "(my profile name)" results in (problem started with v4, the first version I've tried on this new Mac): createdDate: 2023-10-17T01:34:36.911Z id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx name: xxxxxxxxxx-v4.pkg status: In Progress -------------------------------------------------- createdDate: 2023-10-17T01:33:59.191Z id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx name: xxxxxxxxxx-v4.pkg status: In Progress -------------------------------------------------- createdDate: 2023-10-16T21:01:25.832Z id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx name: xxxxxxxxxx-v4.pkg status: In Progress -------------------------------------------------- createdDate: 2023-10-16T19:57:44.776Z id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx name: xxxxxxxxxx-v4.pkg status: In Progress -------------------------------------------------- createdDate: 2023-10-02T14:17:34.108Z id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx name: xxxxxxxxxx-v3.pkg status: Accepted -------------------------------------------------- createdDate: 2023-09-28T14:04:46.211Z id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx name: xxxxxxxxxx-v2.pkg status: Accepted -------------------------------------------------- createdDate: 2023-09-20T17:28:46.168Z id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx name: xxxxxxxxxx-v1.pkg status: Accepted -------------------------------------------------- xcrun notarytool log xxxxxxxxxxxxxxxxxxxx --keychain-profile "(my profile name)" results in: Submission log is not yet available or submissionId does not exist id: xxxxxxxxxxxxxxxxxxxxxxxx

Hello, about a month ago, the Apple Store account of my former company was closed. I was already registered as a developer, so there's no problem with that. Was my personal account also closed when this company account was shut down? I contacted Apple support about this, and they said they would investigate. I still haven't received a response. Was my account closed? Or is there another issue? Nobody is explaining why this happened.

I requested "DirverKit UserClient Access" Entitlement, But I Distribute App failed. I don't know the reason. I think when I request "DirverKit UserClient Access" I make a mistake. I fill in two Bundle ids in the "Request a System Extension or DriverKit Entitlement" form's "UserClient Bundle IDs" item. The reason is when I Add "DirverKit UserClient Access" Capability in the project of Xcode. The .entitlements file is like this: <string>com.turing.TuringTouch com.turing.TuringTouch.TouchDriver</string> But in "Signing" of Xcode's "Bundle Identifier" can fill in only on "Identifier" therefore they do not match. So I can't Distribute App. I reapply "DirverKit UserClient Access" Entitlement. But decline. The result is "decline". Please help me. Please tell me, how should can I do now? Thank you very much.

I am experiencing an issue with Apple Development certificate creation in Xcode for my organization account. Account details: Organization: Jtecx LLC Team ID: 8V397ULNY4 Issue: When I attempt to create a new Apple Development certificate in Xcode under the Jtecx LLC (8V397ULNY4) team, the certificate is consistently generated under a different team: Apple Development: Joseph Salmond (67P4AAZ5TA) This appears to be my personal team, not the organization team. Impact: Because of this mismatch: Provisioning profiles created under 8V397ULNY4 cannot find a matching signing certificate Xcode shows “Signing Certificate: None” Xcode reports that the provisioning profile does not include the signing certificate I am unable to run or test the app on physical devices due to signing failures Troubleshooting performed: Deleted all Apple Development certificates from Keychain Access Revoked existing Apple Development certificates in the Apple Developer Portal Created a new Certificate Signing Request (CSR) using Keychain Access Generated a new Apple Development certificate through the Apple Developer portal Downloaded and installed the certificate into Keychain Attempted certificate creation via Xcode (Settings → Accounts → Manage Certificates → + → Apple Development) Verified installed identities using Terminal (security find-identity) Confirmed that only the following development identity is being created: Apple Development: Joseph Salmond (67P4AAZ5TA) Deleted this identity and repeated the process multiple times Recreated provisioning profiles after generating new certificates Downloaded and installed new provisioning profiles Attempted both manual signing and “Automatically manage signing” in Xcode Revoked certificates directly from Xcode and allowed Xcode to regenerate them Confirmed that Apple Distribution certificates are correctly issued under 8V397ULNY4 Despite all of the above steps, every new Apple Development certificate continues to be created under Team ID 67P4AAZ5TA instead of 8V397ULNY4. Expected behavior: When creating an Apple Development certificate while the Jtecx LLC (8V397ULNY4) team is selected, the certificate should be issued under that same team: Apple Development: Joseph Salmond (8V397ULNY4) Requested fix: Please investigate and correct the team association so that: Apple Development certificates are generated under the correct team (8V397ULNY4) is properly associated with the Jtecx LLC developer team for certificate issuance Xcode correctly creates and uses development certificates for the organization team Additional notes: Apple Distribution certificates are working correctly under 8V397ULNY4 Only Apple Development certificates are affected This issue is blocking local development and testing on physical devices Thank you.

I cannot distribute an app on xcode becouse he cannot find a certificate valid for my personal or business team. Need to address XCODE to access to my business account and not personal

We’re planning to distribute our app outside of TestFlight because our testing period is expected to exceed the 90-day limit. Since we have an Apple Developer account, we’re considering using either Ad Hoc distribution or direct installation (debug/development builds) for longer-term testing. I have a few questions regarding this approach: Ad Hoc Distribution Validity What is the effective validity period of an Ad Hoc build? We’re aiming for long-term testing (4-5 months) and would like to avoid unexpected expiration—are there any constraints we should be aware of? Development/Debug Build Expiry & Limitations If we distribute the app using a development (debug) build via provisioning profiles, what is the expiration timeline? Are there practical limitations (e.g., device limits, performance differences, or provisioning renewal requirements) that could impact extended testing? Potential Complications & Best Practices Are there any issues we should anticipate when using these distribution methods for long-term testing? For example: Provisioning profile or certificate expiration Device registration limits Any policy or compliance considerations with Apple We’d appreciate any guidance or best practices for managing long-term testing outside of TestFlight while staying within Apple’s guidelines.

Getting a couple of errors on the Signing & Capabilities section in Xcode when trying to provision my iPhone for on-device prototyping. "Communication with Apple failed Your team has no devices from which to generate a provisioning profile. Connect a device to use or manually add device IDs in Certificates, Identifiers & Profiles. https://developer.apple.com/account/" "No profiles for 'com.danieljbuckley.Throwaway' were found Xcode couldn't find any iOS App Development provisioning profiles matching 'com.danieljbuckley.Throwaway'." Any ideas on how to resolve this?

Hello! We built a macOS .pkg using pkgbuild (contains a DMG + postinstall bash script). The pkg works locally on the build machine but fails on other devices manually / via MDM unless signed. We tried signing with a Developer ID Installer certificate, but: security find-identity -p codesigning -v → 0 valid identities security find-identity -v → shows the cert Private key is present in Keychain OpenSSL check shows: X509v3 Extended Key Usage: Critical (Expected one might be: Code Signing) We recreated CSR + cert multiple times (G2 Sub-CA), ensured Login keychain, unlocked keychain, etc., but same result. Question: Why is the Developer ID Installer cert missing Code Signing usage and not recognized for signing? Is there any account restriction or step we might be missing? Any recommendations on resolving this issue. Thanks!

My team created an initial app bundle ID called Sendi from the front end of the app store connect account, and created a test app which hasn't been published to App store. Then we also created a second app programmatically using expo go which generated a new app bundle ID. What we need is to link the second configuration generated programmatically to the first Apple Bundle ID as that is the original name of the product, so we can maintain the same name for our App when we eventually go live. Any ideas on how we can achieve that?

Hi everyone, I am struggling with a persistent issue regarding my Developer Program membership and Xcode syncing. Even though the Apple Developer Portal shows that my developer license is active and I have full access to App Store Connect, it is unfortunately not possible to sign applications with this account. It behaves as if the license wasn't active. The Symptoms: -Portal status: Active (Account Holder/Admin), -Xcode Settings: When I navigate to Settings > Accounts and select my team, there is a Red X displayed next to "Certificates, Identifiers & Profiles.", Xcode suggests there is an issue accessing these resources and I cannot sign any binaries. Confirmed the membership is active in the web portal. Everything seems configured correctly on the web side, but the account simply doesn't work locally in Xcode. Has anyone faced this specific "Red X" issue despite a valid membership? Is there a specific cache I need to clear or a way to force Xcode to re-fetch the correct status? Any advice on how to resolve this loop would be greatly appreciated. Thanks! :)

Hi, I submitted a Family Controls (Distribution) entitlement request for my app Faith Lock (com.faithlock.ios) - a prayer-focused iOS app that uses the Screen Time API to help users block distracting apps. I received an approval email, but the portal still shows the request as "Submitted" and the Distribution option does not appear under Additional Capabilities for my identifier. This is blocking me from submitting to App Store Connect. Details: Bundle ID: com.faithlock.ios Team ID: F86P575UNP Request IDs: 3PWTDR8KL3 / 885ZK276KK Status in portal: Submitted (unchanged since approval email) Has anyone experienced this? Is there a way to get the portal manually updated to reflect the approval? Any help or escalation from a DTS engineer would be greatly appreciated. Thank you.

The following process to sign my .pkg installer for distribution outside the app store have been working for over a year and recently the notarization fails with a rc = 69. I not aware of any changes other then xtools updates for the latest macos 15.6.1. Admittedly I felt lucky to have gotten it all to work initially and I could really use help. Thanks in advance! Bill The signing (no errors): productsign --sign macos_cert myapp.pkg The notarization (rc=69): xcrun -v notarytool submit myapp.pkg --apple-id my_apple_id --team-id XXXXXXXXXX

Hi, I do have a strange behavior in my development environment on a Mac mini (M4) running 26.2 and Xcode 26.3. Everything was working as expected. My project had a stable state and I wanted to enable iCloud support. As result I could not run the app any more because code signing failed with the message that my profile does not include the above entitlement. On my notebook (M2) with XCode 26.3 everything is working. Im am using GIT and both computers have identical code. The code compiling and running on my notebook will not run any more on my Max mini. Any help to find what might have broken the code signing and how it could be fixed? Thanks in advance.

There seems to be a problem to a specific Apple Developer Account regarding Xcode Cloud Distribution (Signing). The Xcode Cloud Error Invalid Signature. Code failed to satisfy specified code requirement(s). The file at path “XcodeCloudTest.app/XcodeCloudTest” is not properly signed. Make sure you have signed your application with a distribution certificate, not an ad hoc certificate or a development certificate. Verify that the code signing settings in Xcode are correct at the target level (which override any values at the project level). Additionally, make sure the bundle you are uploading was built using a Release target in Xcode, not a Simulator target. If you are certain your code signing settings are correct, choose “Clean All” in Xcode, delete the “build” directory in the Finder, and rebuild your release target. For more information, please consult https://developer.apple.com/support/code-signing. Investigation Apple Developer Forums This issue seems to be known: https://developer.apple.com/forums/thread/746210 Debugging by ourselves We setup an example Xcode project from a default iOS Xcode app template to rule out any project issues. This example project failed with the same error as stated above. In the next step we tried the same example project with a different Apple Developer Account and it successfully distributed the example App through Xcode Cloud. Conclusion It seems like there is no setup issue on developer-side, because our example project works out-of-the-box on a different Apple Developer Account. Our only hope is that Apple will have a look on our Developer Account. Maybe there is some internal setting.

In my application I validate the authenticity of my own binaries by checking that the Team Identifier in the code signature matches a predefined value. Currently I do not perform a full signature validation that verifies the certificate chain up to Apple’s root CA. When attempting to do this using SecStaticCodeCheckValidityWithErrors (or validateWithRequirement), the operation sometimes takes several minutes. During that time the calling thread appears blocked, and the system logs show: trustd: [com.apple.securityd:SecError] Malformed anchor records, not an array Because of this delay, I decided to rely only on the Team Identifier. My question is: Can it be assumed that if a Mach-O binary contains a Team Identifier in its code signature, then it must have been signed with a valid Apple Developer certificate? Or are there cases where a binary could contain a Team ID but still not be signed by Apple’s trust chain? Thanks for the help !

I’m looking for guidance from anyone who has experienced a similar situation. I’m a new Apple Developer Program organization member, and this was my first attempt to notarize a macOS app distributed outside the Mac App Store. What happened: My notarization submissions started failing with statusCode 7000 and the message: “Team is not yet configured for notarization.”. I created a support ticket and received the following reply: “We have escalated this issue to our internal team for further investigation and review.” This was more than 2 months ago, and I have not received any further updates since. About 3 weeks later macOS began rejecting my signed app: codesign --verify --deep --strict --verbose=4 succeeds (reports valid signing identity) spctl -a -vv --type exec returns CSSMERR_TP_CERT_REVOKED Around the same time, I also lost access to the Apple Developer portal. When signing in at developer.apple.com/account, I am redirected to the account access support form instead of the dashboard. My app has not been released to users. If there is an issue with my build, signing, entitlements, or packaging, I am fully willing to fix it immediately. What I cannot understand is the lack of any substantive response from Apple Developer Program Support for over 2 months. What I’m trying to understand: Has anyone encountered this combination of issues: statusCode 7000, Developer ID trust/revocation problems, Blocked developer portal access? Is there any documented appeal, review, or remediation process? If Apple believes a team has violated a policy, how is the developer supposed to find out what needs to be fixed? I’m not asking Apple to bypass security checks. I’m asking for a clear explanation and a path to resolve any issue, if one exists. Any help would be greatly appreciated. Thank you.

I've upgraded to a new Macbook recently, just when I was setting up my Xcode, I realized I there is a this red "X" showing up next to my development team as I was signing in to my account I have checked my permission on App Store Connect, everything seemed fine. I have also deleted my old Apple development certificate and requested for another one. Nothing worked.

This is a grave issue I am facing while testing my apps on my personal device. This is the error I seem to be getting: "The application could not be launched because the Developer App Certificate is not trusted." And on the phone side, this is the message: Unable to Verify App. An internet connection is required to verify the trust of the developer "Apple Development... Before I receive any recommendations, such as deleting Xcode or restarting my device, I would like to clarify that I have already taken all necessary precautions. The application I was testing appeared to function correctly in the morning a few hours prior to the update. However, after upgrading to the latest beta builds, iOS 26.4 beta and the latest macOS beta, this issue has become a recurring problem. I would greatly appreciate your assistance in resolving this matter, as it is of utmost importance to me.

Hello We have a pkg installer whose signing certificate is expiring next month. It has a trusted timestamp on it. As per https://developer.apple.com/support/certificates/ it states Developer ID Installer Certificate (Mac applications) If your certificate expires, users can still install packages that were signed with this certificate as long as the package includes a trusted timestamp. Previously installed apps will continue to run. However, new installations won’t be possible until you have re-signed your installer package with a valid Developer ID Installer certificate. If your certificate is revoked, users will no longer be able to install applications that have been signed with this certificate. Wanted to check on behavior for new installations post expiration date. Since the installer has a trusted timestamp we would not need to release a new installer with new cert ?? Any guidance here would be much appreciated.