General: Forums topic: Code Signing Forums subtopics: Code Signing > General, Code Signing > Certificates, Identifiers & Profiles, Code Signing > Notarization, Code Signing > Entitlements Forums tags: Code Signing, Signing Certificates, Provisioning Profiles, Entitlements Developer Account Help — This document is good in general but, in particular, the Reference section is chock-full of useful information, including the names and purposes of all certificate types issued by Apple Developer web site, tables of which capabilities are supported by which distribution models on iOS and macOS, and information on how to use managed capabilities. Developer > Support > Certificates covers some important policy issues Bundle Resources > Entitlements documentation TN3125 Inside Code Signing: Provisioning Profiles — This includes links to the other technotes in the Inside Code Signing series. WWDC 2021 Session 10204 Distribute apps in Xcode with cloud signing Certificate Signing Requests Explained forums post --deep Considered Harmful forums post Don’t Run App Store Distribution-Signed Code forums post Resolving errSecInternalComponent errors during code signing forums post Finding a Capability’s Distribution Restrictions forums post Signing code with a hardware-based code-signing identity forums post New Capabilities Request Tab in Certificates, Identifiers & Profiles forums post Isolating Code Signing Problems from Build Problems forums post Investigating Third-Party IDE Code-Signing Problems forums post Determining if an entitlement is real forums post Mac code signing: Forums tag: Developer ID Creating distribution-signed code for macOS documentation Packaging Mac software for distribution documentation Placing Content in a Bundle documentation Embedding nonstandard code structures in a bundle documentation Embedding a command-line tool in a sandboxed app documentation Signing a daemon with a restricted entitlement documentation Defining launch environment and library constraints documentation WWDC 2023 Session 10266 Protect your Mac app with environment constraints TN2206 macOS Code Signing In Depth archived technote — This doc has mostly been replaced by the other resources linked to here but it still contains a few unique tidbits and it’s a great historical reference. Manual Code Signing Example forums post The Care and Feeding of Developer ID forums post TestFlight, Provisioning Profiles, and the Mac App Store forums post For problems with notarisation, see Notarisation Resources. For problems with the trusted execution system, including Gatekeeper, see Trusted Execution Resources. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"

I admit I am doing something unusual, and I would not be surprised if it didn't work. I am surprised, however, because after performing the equivalent operations on four bundles, all of the bundles work fine on macOS 15.6.1, but only two of them work on macOS 26.1 (beta 2). I don't know what causes the different outcomes. What I am trying to do is get Java to pass the macOS 26 AppKit UI SDK linkage checking without having to rebuild the JDK using Xcode 26. Rebuilding works for the latest SDK, but it is very inconvenient and may not work for older JDKs. It usually takes a while before the JDK build team successfully transitions to a new Xcode release. My approach is to use vtool to update the sdk version in the LC_BUILD_VERSION load command of $JAVA_HOME/bin/java, which is the launching executable for the JDK. I performed this operation on four JDKs: 25, 21, 17, and 11. (I ran vtool on macOS 15.) It was completely successful on JDK 25 and 21. The JDK launches correctly on macOS 15 and macOS 26. On macOS 26, AppKit uses the new UI, which is the desired outcome. The JDK runs despite that fact that I signed the modified $JAVA_HOME/bin/java with my developer ID, which is inconsistent with the JDK bundle signature. (Redoing the bundle signing is part of the JDK build process; if that were necessary, I would stick with rebuilding the JDK.) The operation was not successful on JDK 17 and 11. I noticed two problems, which are not obviously related. When vtool created the new version of the java program, it lost the tool definition. $ vtool -show-build-version java java: Load command 10 cmd LC_BUILD_VERSION cmdsize 32 platform MACOS minos 11.0 sdk 11.1 ntools 1 tool LD version 609.8 $ vtool -set-build-version 1 10.0 26.0 -output a.out java /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/vtool warning: code signature will be invalid for a.out $ vtool -show-build-version a.out a.out: Load command 22 cmd LC_BUILD_VERSION cmdsize 24 platform MACOS minos 10.0 sdk 26.0 ntools 0 Adding back the tool definition didn't seem to matter. When I try to run the revised executable (in the context of the JDK bundle), it works on macOS 15, but on macOS 26, it is rejected as damaged. If I run the revised executable outside the JDK bundle, it runs (but fails because it can't find the rest of the JDK, which is expected). In all cases, GateKeeper rejects the revised executable because it has not been notarized, but that doesn't seem to stop the program from executing.

Hello, my builds keep failing in Xcode Cloud at the creation of the archive for tesflight. I am receiving an email mentioning "ITMS-90035: Invalid Signature" TMS-90035: Invalid Signature - Code failed to satisfy specified code requirement(s). The file at path “BASELog.app/BASELog” is not properly signed. Make sure you have signed your application with a distribution certificate, not an ad hoc certificate or a development certificate. Verify that the code signing settings in Xcode are correct at the target level (which override any values at the project level). Additionally, make sure the bundle you are uploading was built using a Release target in Xcode, not a Simulator target. If you are certain your code signing settings are correct, choose “Clean All” in Xcode, delete the “build” directory in the Finder, and rebuild your release target. For more information, please consult https://developer.apple.com/support/code-signing. The thing is the archives which are not intended for testflight not App Store connect are not failing. I think I have the required distribution certificates (initially they were created by API for Xcode Icloud, I add 3, revoked them and recreated one manually and the other from Xcode directly) : even though certificats seems ok, in Xcode I see a dev certificate in the managed release and if I try to force a distribution certificate in the build I then get the following warning It looks like my managed profile is not behaving properly, like not embedding a distribution certificate. I looked on the web for the signing issues, and I have found in other threads an issue with assets having special charsets. I checked on my side, the only thing I see is my app icon is named "icon_v1.png" I assume it shouldn't be an issue. I dont see any special char anywhere else in the sources name. Anyone has any idea on what is causing those build fails on the archive?

Hello, we are struggling for hours with the following issue: I have an individual developer account and since yesterday I'm member of developer team with an own organization account. I have access to an app in the team account as an "App-Manager", also the option "Access to Certificates, Identifiers & Profiles" is activated and I can see that it is activated for my account in AppstoreConnect. In "Apple Developer" I can also see the team and can switch to. But then I do not see the "Certificates, Identifiers & Profiles" menu entry. Also the team is not showing up in XCode. What am I missing? Thanks and regards Philipp

I want to export Mac OS application out side App Store and I need to have Developer Id installer certificate to do the same. When I go to certificate section in developer portal - I only see option of Mac App Distribution Mac Installer Distribution Developer ID Application Does anyone know where I can check the Developer ID installer part. Developer ID application doesn't work for signing the app manually.

I am trying to sign a enterprise app with provisioning profile which shows the tap to pay entitlement on Dev portal, but when downloaded on Xcode, it says the profile is missing the tap to pay capability and entitlement The capability was enabled by apple already, it was working fine until the provisioning profile got renewed.

The problem is described in full with log output in #16844 We are having an issue with TCC prompting users for access to the app group container despite signing with entitlements following all guidelines. This is a regression from the Feb 2025 Changes discussed in App Groups: macOS vs iOS: Working Towards Harmony The problem can only be reproduced with Xcode 16.0 and later. The entitlements for the app include access for the group container with [Key] com.apple.security.application-groups [Value] [Array] [String] G69SCX94XU.duck The documentation notes the group name can be arbitrary, e.g. <team identifier>.<group name>. Cyberduck uses G69SCX94XU.duck by default. Interestingly enough the alert is not shown when a group name matching the bundle identifier is used, e.g. G69SCX94XU.ch.sudo.cyberduck.

I have two certificates in my Accounts>Manage Certificates section. One is active, the other is greyed out with a status of "Not in Keychain". I only have ONE certificate in the developer account online. Timeline: Had an issue with fastlane codesigning and was trying to resolve that. In that attempt I deleted my related Certificates from my keychain Xcode showed them as disabled (greyed out) and not in Keychain. Look up how to resolve, need to revoke certificates in Developer account online. I go and revoke those certificates. Nothing changes I create new certificate and try to add it to xcode>account>certificate managment>"Apple Development". Get an error saying I can't add a new can't do that because a certificate is already pending. I waited a day because I assumed like somethings with apple, updates are not immediate. I come back the next day and am able to add a new certificate. However, the previous one that is greyed out and reads "Not in Keychain" under Status, is still there. How do I remove that "Not in Keychain" certificate? I emailed developer support and they directed me here.

I have certificates in my xcode>settings>account>manage certificates that I cannot get rid of. I know that they are linked to certificates in developer.apple.com but I've removed them from there and they persist in xcode. I have one that says "Not in Keychain", which is true. I deleted all the keychains related to these accounts in an attempt to fix something. I also have ones that say things like "Missing Private key" Our setup is that we have one main account "Company Inc." which I am setup to be an Admin in. I created a certificate under my credentials and added it to my keychain and showed up properly in xcode but I still have the other ones. HOW DO I REMOVE THEM :sob:

I have a major problem with team membership and Xcode. I work in a company, where my apple account was added to the development team with app manager role. I can see that on the apple portal, everything seems fine there. I have been also provided with the provisioning profile for the project and signing certificate of the company. However, when I log into Xcode the team does not show up anywhere. I am able to build the app, but cannot distribute to TestFlight (or anywhere else). When I use manual signing to choose the signing certificate it shows the "unknown team" message next to it. When I check my account in xcode it also only shows my personal team and does not allow to pick any other one (doesn't show any other one). When I click the "+" button on my xcode account to add a certificate an error pops up: "You already have active certificate or a pending request". I do have a pending request to enroll into apple developers program, but everyone says you don't need one if you are added to the team, you can just operate as a team member. Finally, when trying to upload to TestFlight, the following error is displayed: "No team for account ***" I have tried deleting and re-adding all the certificates. I have tried logging in and out of Xcode, I have tried deleting and re-adding my account in Xcode. I have tried reloading everything. My account was deleted and re-added to developers team. Nothing worked. I don't know the source of the issue, nor does my employer. I am new to ios development and this is my first project. Please help!

Hello, My project fails to build/run on a physical device or archive, due to a persistent provisioning error. Exact Error: Provisioning profile "iOS Team Provisioning Profile: com.huiwan.Ohra-Journal" doesn't include the BGTaskSchedulerPermittedIdentifiers entitlement. I have already performed extensive troubleshooting, and all local configurations appear to be correct: Capabilities: "Background Modes" with the "Background processing" option is enabled in the target's "Signing & Capabilities" tab. Info.plist: The Permitted background task scheduler identifiers key is present in the target's Info.plist, and it contains the correct task identifier (com.huiwan.ohra-journal.refresh). Entitlements File: The .entitlements file is correctly configured by Xcode. Full Reset: I have tried a complete reset procedure, including deleting ~/Library/Developer/Xcode/DerivedData and ~/Library/MobileDevice/Provisioning Profiles/, restarting Xcode, and letting the automatic signing system regenerate the profile from scratch. The issue persists. Despite all these correct local settings, the provisioning profile automatically generated by Xcode is consistently missing the required entitlement. This strongly suggests a server-side issue with the provisioning service for my App ID (com.huiwan.Ohra-Journal). I filed a bug report on the Feedback Assistant (FB20268285) a week ago but have not received a response. This issue is completely blocking my development and ability to submit the app. Could you please investigate the status of my App ID and the provisioning services associated with it? Thank you.

I've created a new project in Xcode. I'm running the Xcode 16.4 and MacOS 15.5. I'm trying to run my barebones project on my iPhone 16 (I'm just getting started). I turned on developer mode on my iPhone and went through the whole process. But in the Signing & Capabilities of my project under status I see two errors... There is a problem with the request entity A device with number 'XXXX8801C' already exists on this team. Provisioning profile "iOS Team Provisioning Profile: [MyBundleID]" doesn't include the currently selected device "My iPhone" (identifier XXXX8801C). I noticed in the devices on the developer portal that my device is showing as "Processing." I feel ike it's stuck. But I can't figure out how to clear it all out and try again. It's been 24 hours since this error came up. I've tried to clear trusted computers on the iPhone. I've deleted the "Derived Data" folder. I've removed my developer account from Xcode and added it again. I've restarted both my Mac and my iPhone multiple times. I've noticed it asked to authorize my computer twice. When I clear the authorized computers and then plug the phone back in it asks twice again. So I'm not sure if this is the issue? No idea why it asks twice but I'm only ever able to respond to the second request as the first request gets blocked in the UI by the second requests if that makes sense? I'm also not able to turn off developer mode on my iPhone. The switch isn't there as the docs state it should be. So again, I feel like this is the phone and the developer portal stuck causing the problem. Note: I saw someone else had encountered this problem and I replied to it and boosted it. But it looks like it was posted in 2017? Hence this new post.

Hello, I have an Apple Developer Enterprise account, and Apple Support has already enabled MDM for my account. I successfully downloaded and installed my MDM Vendor Certificate (it shows up in Keychain as MDM Vendor: [My Company Name] with its private key). Here’s what I’ve done so far: Exported the Vendor Certificate + private key as a .p12, then converted to .pem and .key using OpenSSL. Generated an unsigned CSR with CN=com.apple.mgmt.External. using OpenSSL. Attempted to sign the CSR using: my Vendor certificate the Vendor private key Apple Worldwide Developer Relations (WWDR) intermediate certificate OpenSSL smime -sign command with DER output Problem: Every time I try to upload the vendor-signed CSR to the Apple Push Certificates Portal, I get an error (CSR rejected). Sometimes OpenSSL even fails with “unable to load certificates” depending on how the WWDR certificate is included. My Questions: What is the correct OpenSSL command and certificate chain Apple expects for signing the CSR? Do I need to include any additional intermediates besides WWDR? Is there an official Apple reference example for generating the vendor-signed CSR that the Push Certificates Portal will accept? Any guidance from the community (or someone who has successfully done this end-to-end) would be greatly appreciated. Thank you, Sergio Sanchez

My post-build script takes the "developeridexport" archive export, zips it up and uses notarytool to notarize it. I then add the .zip to a .dmg disk image. The next step is to codesign the disk image before notarizing that too. The issue is my Developer ID Application certificate is not accessible to the build host. (When I was doing this in Microsoft AppCenter (now defunct), it had a copy of my Developer ID Application certificate.) What steps do I need to take to get the disk image signed for notarization? Thanks! Lance

I am trying to set up code signing for my macOS/Tauri app and I’m running into a problem with my Developer ID Application certificate in Keychain Access. Steps I followed: Generated a CSR on my Mac using Keychain Access → Certificate Assistant → Request a Certificate From a Certificate Authority. Uploaded the CSR to the Apple Developer portal. Downloaded the resulting .cer file and installed it in my login Keychain. The certificate appears under All Items, but it does not show under My Certificates, and there is no private key attached. What I expected: The certificate should pair with the private key created during CSR generation and show under My Certificates, allowing me to export a .p12 file. What I’ve tried so far: Verified that the WWDR Intermediate Certificate is installed. Ensured I’m on the same Mac and same login Keychain where I created the CSR. Revoked and regenerated the certificate multiple times. Tried importing into both login and system Keychains. Problem: The certificate never links with the private key and therefore cannot be used for signing. Has anyone experienced this issue or knows why the certificate would fail to pair with the private key in Keychain Access? Any workaround or fix would be greatly appreciated.

productsign Command Appears to Succeed but Package has No Valid Signature Category: Security, macOS, Code Signing Question: productsign command, when signing a PKG created with productbuild, appears to succeed with a success message (Wrote signed product archive to ...) but spctl verification results in rejected, source=no usable signature, indicating that the signature was not actually applied. Details: Goal: To sign a distribution package created with productbuild using a Developer ID Installer certificate. Certificate Used: Developer ID Installer: [Company Name] ([Team ID]) This certificate was issued by Previous Sub-CA and is not the latest G2 Sub-CA recommended by Apple. We cannot create a new G2 Sub-CA certificate as we have reached the limit of 5. productsign Command: productsign --sign "Developer ID Installer: [Company Name] ([Team ID])" [input.pkg] [output.pkg] productsign Output: Wrote signed product archive to [output.pkg] (Appears as a success message). spctl Signature Verification: spctl -a -vv [output.pkg] Result: rejected, source=no usable signature Notarization Service Results (Behavioral difference between Macs): On Mac A, the submission status was Accepted. On Mac B, the status was Invalid, with the notarization log message being The binary is not signed.. Troubleshooting Steps Taken: We attempted to sign both component and distribution packages with productsign, and in both cases, the signature was not recognized by the system. We skipped productsign and relied on the notarization service's auto-signing, but the notarization log still reported The binary is not signed., and the notarization failed. We have confirmed that the certificate and private key are properly associated in Keychain Access. My Questions: Given that we are using an older Previous Sub-CA certificate and cannot create a new one, why does productsign appear to succeed when the signature is not being applied? What could cause the behavioral difference where notarization is Accepted on Mac A but Invalid on Mac B? Is this a known issue with Apple's tools, or is it possibly caused by the specific structure of our PKG? What is the recommended workflow or debugging method to successfully sign and notarize a PKG under these circumstances? Thank you for your assistance

I've been running into issues with Xcode Cloud/my workflow when it's trying to archive the app. I've tested locally and both archiving and building the app for release works. I've tried a few things to clear it. pod deintegrate and pod install Checking off "archive" for the build scheme Creating a certificate for both development and distribution. I made sure automatic signing was enabled as well. I have a ci_scripts/ci_post_clone.sh script that successfully completes. Have tried setting the xcode version of the workflow to 16.2 which is what my local xcode version is. I've switched it back to the latest, 16.4. running pod update Updating flutter However, I consistently get the following 2 errors : `Showing All Messages Run command: 'xcodebuild archive -workspace /Volumes/workspace/repository/ios/Runner.xcworkspace -scheme Runner -destination generic/platform=iOS -archivePath /Volumes/workspace/build.xcarchive -derivedDataPath /Volumes/workspace/DerivedData -resultBundleVersion 3 -resultBundlePath /Volumes/workspace/resultbundle.xcresult -resultStreamPath /Volumes/workspace/tmp/resultBundleStreame3592434-5b88-48da-a3c4-f750abee4d08.json -IDEPostProgressNotifications=YES CODE_SIGN_IDENTITY=- AD_HOC_CODE_SIGNING_ALLOWED=YES CODE_SIGN_STYLE=Automatic DEVELOPMENT_TEAM=JG794CQD68 COMPILER_INDEX_STORE_ENABLE=NO -hideShellScriptEnvironment' ` and Showing All Messages Unhandled exception: ProcessException: No such file or directory Command: /Users/local/flutter/bin/flutter assemble --no-version-check --output=/Volumes/workspace/DerivedData/Build/Intermediates.noindex/ArchiveIntermediates/Runner/BuildProductsPath/Release-iphoneos/ -dTargetPlatform=ios -dTargetFile=lib/main.dart -dBuildMode=release -dConfiguration=Release -dIosArchs=arm64 -dSdkRoot=/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS18.5.sdk -dSplitDebugInfo= -dTreeShakeIcons=true -dTrackWidgetCreation=false -dDartObfuscation=false -dAction=install -dFrontendServerStarterPath= --ExtraGenSnapshotOptions= --DartDefines=RkxVVFRFUl9WRVJTSU9OPTMuMzUuMQ==,RkxVVFRFUl9DSEFOTkVMPXN0YWJsZQ==,RkxVVFRFUl9HSVRfVVJMPWh0dHA6Ly9naXRodWIuY29tL2ZsdXR0ZXIvZmx1dHRlci5naXQ=,RkxVVFRFUl9GUkFNRVdPUktfUkVWSVNJT049MjBmODI3NDkzOQ==,RkxVVFRFUl9FTkdJTkVfUkVWSVNJT049MWU5YTgxMWJmOA==,RkxVVFRFUl9EQVJUX1ZFUlNJT049My45LjA= --ExtraFrontEndOptions= -dSrcRoot=/Volumes/workspace/repository/ios -dTargetDeviceOSVersion= -dCodesignIdentity=- release_ios_bundle_flutter_assets #0 _ProcessImpl._runAndWait (dart:io-patch/process_patch.dart:519:7) #1 _runNonInteractiveProcessSync (dart:io-patch/process_patch.dart:686:18) #2 Process.runSync (dart:io-patch/process_patch.dart:79:12) #3 Context.runSyncProcess (file:///Users/local/flutter/packages/flutter_tools/bin/xcode_backend.dart:154:20) #4 Context.runSync (file:///Users/local/flutter/packages/flutter_tools/bin/xcode_backend.dart:118:34) #5 Context.buildApp (file:///Users/local/flutter/packages/flutter_tools/bin/xcode_backend.dart:539:34) #6 Context.run (file:///Users/local/flutter/packages/flutter_tools/bin/xcode_backend.dart:51:9) #7 main (file:///Users/local/flutter/packages/flutter_tools/bin/xcode_backend.dart:17:5) #8 _delayEntrypointInvocation.<anonymous closure> (dart:isolate-patch/isolate_patch.dart:312:33) #9 _RawReceivePort._handleMessage (dart:isolate-patch/isolate_patch.dart:193:12) Command PhaseScriptExecution failed with a nonzero exit code Any help here would be greatly appreciated.

Hi there, can anyone help here. I think somewhere along the way I screw certificates or don't have the right one, anyway long story short when building product I get this error: Embedded binary is not signed with the same certificate as the parent app. Verify the embedded binary target's code sign settings match the parent app's.

Background We are using a Developer ID application certificate to sign our application. We lost the private key and we need to revoke it before we can receive a new one. Per documentation (https://developer.apple.com/support/certificates/), I know that previously installed applications will still be able to run, but new installations will not be able to work. I want to confirm what will happen when we revoke the certificate so we know how to prepare customers for this upcoming change. Questions Will existing installations of the application receive a notice that the certificate has been revoked? Will previously installed applications be able to launch again after they are closed? What will the user see when they try to install the application with the revoked certificate?

I'm hoping to make certain in-house apps fail to launch by revoking the in-house certificate that they were built on. This is by way of encouraging users of these apps to download updates built on a new certificate. How long will it take app built on a now-revoked certificate to no longer launch? Also, what is Apple's process for checking the validity of an in-house certificate in an app built on that certificate, running on iOS devices? I understand that provisioning profiles have built-in expiration dates, but will an in-house app that's built on a valid provisioning profile keep running even on a revoked certificate if the revocation happened before the certificate's own expiration date? Craig Umanoff