General: Forums topic: Code Signing Forums subtopics: Code Signing > General, Code Signing > Certificates, Identifiers & Profiles, Code Signing > Notarization, Code Signing > Entitlements Forums tags: Code Signing, Signing Certificates, Provisioning Profiles, Entitlements Developer Account Help — This document is good in general but, in particular, the Reference section is chock-full of useful information, including the names and purposes of all certificate types issued by Apple Developer web site, tables of which capabilities are supported by which distribution models on iOS and macOS, and information on how to use managed capabilities. Developer > Support > Certificates covers some important policy issues Bundle Resources > Entitlements documentation TN3125 Inside Code Signing: Provisioning Profiles — This includes links to the other technotes in the Inside Code Signing series. WWDC 2021 Session 10204 Distribute apps in Xcode with cloud signing Certificate Signing Requests Explained forums post --deep Considered Harmful forums post Don’t Run App Store Distribution-Signed Code forums post Resolving errSecInternalComponent errors during code signing forums post Finding a Capability’s Distribution Restrictions forums post Signing code with a hardware-based code-signing identity forums post New Capabilities Request Tab in Certificates, Identifiers & Profiles forums post Isolating Code Signing Problems from Build Problems forums post Investigating Third-Party IDE Code-Signing Problems forums post Determining if an entitlement is real forums post Code Signing Identifiers Explained forums post Mac code signing: Forums tag: Developer ID Creating distribution-signed code for macOS documentation Packaging Mac software for distribution documentation Placing Content in a Bundle documentation Embedding nonstandard code structures in a bundle documentation Embedding a command-line tool in a sandboxed app documentation Signing a daemon with a restricted entitlement documentation Defining launch environment and library constraints documentation WWDC 2023 Session 10266 Protect your Mac app with environment constraints TN2206 macOS Code Signing In Depth archived technote — This doc has mostly been replaced by the other resources linked to here but it still contains a few unique tidbits and it’s a great historical reference. Manual Code Signing Example forums post The Care and Feeding of Developer ID forums post TestFlight, Provisioning Profiles, and the Mac App Store forums post For problems with notarisation, see Notarisation Resources. For problems with the trusted execution system, including Gatekeeper, see Trusted Execution Resources. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"

We’re planning to distribute our app outside of TestFlight because our testing period is expected to exceed the 90-day limit. Since we have an Apple Developer account, we’re considering using either Ad Hoc distribution or direct installation (debug/development builds) for longer-term testing. I have a few questions regarding this approach: Ad Hoc Distribution Validity What is the effective validity period of an Ad Hoc build? We’re aiming for long-term testing (4-5 months) and would like to avoid unexpected expiration—are there any constraints we should be aware of? Development/Debug Build Expiry & Limitations If we distribute the app using a development (debug) build via provisioning profiles, what is the expiration timeline? Are there practical limitations (e.g., device limits, performance differences, or provisioning renewal requirements) that could impact extended testing? Potential Complications & Best Practices Are there any issues we should anticipate when using these distribution methods for long-term testing? For example: Provisioning profile or certificate expiration Device registration limits Any policy or compliance considerations with Apple We’d appreciate any guidance or best practices for managing long-term testing outside of TestFlight while staying within Apple’s guidelines.

Getting a couple of errors on the Signing & Capabilities section in Xcode when trying to provision my iPhone for on-device prototyping. "Communication with Apple failed Your team has no devices from which to generate a provisioning profile. Connect a device to use or manually add device IDs in Certificates, Identifiers & Profiles. https://developer.apple.com/account/" "No profiles for 'com.danieljbuckley.Throwaway' were found Xcode couldn't find any iOS App Development provisioning profiles matching 'com.danieljbuckley.Throwaway'." Any ideas on how to resolve this?

I requested "DirverKit UserClient Access" Entitlement, But I Distribute App failed. I don't know the reason. I think when I request "DirverKit UserClient Access" I make a mistake. I fill in two Bundle ids in the "Request a System Extension or DriverKit Entitlement" form's "UserClient Bundle IDs" item. The reason is when I Add "DirverKit UserClient Access" Capability in the project of Xcode. The .entitlements file is like this: <string>com.turing.TuringTouch com.turing.TuringTouch.TouchDriver</string> But in "Signing" of Xcode's "Bundle Identifier" can fill in only on "Identifier" therefore they do not match. So I can't Distribute App. I reapply "DirverKit UserClient Access" Entitlement. But decline. The result is "decline". Please help me. Please tell me, how should can I do now? Thank you very much.

Hello! We built a macOS .pkg using pkgbuild (contains a DMG + postinstall bash script). The pkg works locally on the build machine but fails on other devices manually / via MDM unless signed. We tried signing with a Developer ID Installer certificate, but: security find-identity -p codesigning -v → 0 valid identities security find-identity -v → shows the cert Private key is present in Keychain OpenSSL check shows: X509v3 Extended Key Usage: Critical (Expected one might be: Code Signing) We recreated CSR + cert multiple times (G2 Sub-CA), ensured Login keychain, unlocked keychain, etc., but same result. Question: Why is the Developer ID Installer cert missing Code Signing usage and not recognized for signing? Is there any account restriction or step we might be missing? Any recommendations on resolving this issue. Thanks!

My team created an initial app bundle ID called Sendi from the front end of the app store connect account, and created a test app which hasn't been published to App store. Then we also created a second app programmatically using expo go which generated a new app bundle ID. What we need is to link the second configuration generated programmatically to the first Apple Bundle ID as that is the original name of the product, so we can maintain the same name for our App when we eventually go live. Any ideas on how we can achieve that?

Hi everyone, I am struggling with a persistent issue regarding my Developer Program membership and Xcode syncing. Even though the Apple Developer Portal shows that my developer license is active and I have full access to App Store Connect, it is unfortunately not possible to sign applications with this account. It behaves as if the license wasn't active. The Symptoms: -Portal status: Active (Account Holder/Admin), -Xcode Settings: When I navigate to Settings > Accounts and select my team, there is a Red X displayed next to "Certificates, Identifiers & Profiles.", Xcode suggests there is an issue accessing these resources and I cannot sign any binaries. Confirmed the membership is active in the web portal. Everything seems configured correctly on the web side, but the account simply doesn't work locally in Xcode. Has anyone faced this specific "Red X" issue despite a valid membership? Is there a specific cache I need to clear or a way to force Xcode to re-fetch the correct status? Any advice on how to resolve this loop would be greatly appreciated. Thanks! :)

Hi, I submitted a Family Controls (Distribution) entitlement request for my app Faith Lock (com.faithlock.ios) - a prayer-focused iOS app that uses the Screen Time API to help users block distracting apps. I received an approval email, but the portal still shows the request as "Submitted" and the Distribution option does not appear under Additional Capabilities for my identifier. This is blocking me from submitting to App Store Connect. Details: Bundle ID: com.faithlock.ios Team ID: F86P575UNP Request IDs: 3PWTDR8KL3 / 885ZK276KK Status in portal: Submitted (unchanged since approval email) Has anyone experienced this? Is there a way to get the portal manually updated to reflect the approval? Any help or escalation from a DTS engineer would be greatly appreciated. Thank you.

The following process to sign my .pkg installer for distribution outside the app store have been working for over a year and recently the notarization fails with a rc = 69. I not aware of any changes other then xtools updates for the latest macos 15.6.1. Admittedly I felt lucky to have gotten it all to work initially and I could really use help. Thanks in advance! Bill The signing (no errors): productsign --sign macos_cert myapp.pkg The notarization (rc=69): xcrun -v notarytool submit myapp.pkg --apple-id my_apple_id --team-id XXXXXXXXXX

Hi, I do have a strange behavior in my development environment on a Mac mini (M4) running 26.2 and Xcode 26.3. Everything was working as expected. My project had a stable state and I wanted to enable iCloud support. As result I could not run the app any more because code signing failed with the message that my profile does not include the above entitlement. On my notebook (M2) with XCode 26.3 everything is working. Im am using GIT and both computers have identical code. The code compiling and running on my notebook will not run any more on my Max mini. Any help to find what might have broken the code signing and how it could be fixed? Thanks in advance.

There seems to be a problem to a specific Apple Developer Account regarding Xcode Cloud Distribution (Signing). The Xcode Cloud Error Invalid Signature. Code failed to satisfy specified code requirement(s). The file at path “XcodeCloudTest.app/XcodeCloudTest” is not properly signed. Make sure you have signed your application with a distribution certificate, not an ad hoc certificate or a development certificate. Verify that the code signing settings in Xcode are correct at the target level (which override any values at the project level). Additionally, make sure the bundle you are uploading was built using a Release target in Xcode, not a Simulator target. If you are certain your code signing settings are correct, choose “Clean All” in Xcode, delete the “build” directory in the Finder, and rebuild your release target. For more information, please consult https://developer.apple.com/support/code-signing. Investigation Apple Developer Forums This issue seems to be known: https://developer.apple.com/forums/thread/746210 Debugging by ourselves We setup an example Xcode project from a default iOS Xcode app template to rule out any project issues. This example project failed with the same error as stated above. In the next step we tried the same example project with a different Apple Developer Account and it successfully distributed the example App through Xcode Cloud. Conclusion It seems like there is no setup issue on developer-side, because our example project works out-of-the-box on a different Apple Developer Account. Our only hope is that Apple will have a look on our Developer Account. Maybe there is some internal setting.

In my application I validate the authenticity of my own binaries by checking that the Team Identifier in the code signature matches a predefined value. Currently I do not perform a full signature validation that verifies the certificate chain up to Apple’s root CA. When attempting to do this using SecStaticCodeCheckValidityWithErrors (or validateWithRequirement), the operation sometimes takes several minutes. During that time the calling thread appears blocked, and the system logs show: trustd: [com.apple.securityd:SecError] Malformed anchor records, not an array Because of this delay, I decided to rely only on the Team Identifier. My question is: Can it be assumed that if a Mach-O binary contains a Team Identifier in its code signature, then it must have been signed with a valid Apple Developer certificate? Or are there cases where a binary could contain a Team ID but still not be signed by Apple’s trust chain? Thanks for the help !

I’m looking for guidance from anyone who has experienced a similar situation. I’m a new Apple Developer Program organization member, and this was my first attempt to notarize a macOS app distributed outside the Mac App Store. What happened: My notarization submissions started failing with statusCode 7000 and the message: “Team is not yet configured for notarization.”. I created a support ticket and received the following reply: “We have escalated this issue to our internal team for further investigation and review.” This was more than 2 months ago, and I have not received any further updates since. About 3 weeks later macOS began rejecting my signed app: codesign --verify --deep --strict --verbose=4 succeeds (reports valid signing identity) spctl -a -vv --type exec returns CSSMERR_TP_CERT_REVOKED Around the same time, I also lost access to the Apple Developer portal. When signing in at developer.apple.com/account, I am redirected to the account access support form instead of the dashboard. My app has not been released to users. If there is an issue with my build, signing, entitlements, or packaging, I am fully willing to fix it immediately. What I cannot understand is the lack of any substantive response from Apple Developer Program Support for over 2 months. What I’m trying to understand: Has anyone encountered this combination of issues: statusCode 7000, Developer ID trust/revocation problems, Blocked developer portal access? Is there any documented appeal, review, or remediation process? If Apple believes a team has violated a policy, how is the developer supposed to find out what needs to be fixed? I’m not asking Apple to bypass security checks. I’m asking for a clear explanation and a path to resolve any issue, if one exists. Any help would be greatly appreciated. Thank you.

I've upgraded to a new Macbook recently, just when I was setting up my Xcode, I realized I there is a this red "X" showing up next to my development team as I was signing in to my account I have checked my permission on App Store Connect, everything seemed fine. I have also deleted my old Apple development certificate and requested for another one. Nothing worked.

This is a grave issue I am facing while testing my apps on my personal device. This is the error I seem to be getting: "The application could not be launched because the Developer App Certificate is not trusted." And on the phone side, this is the message: Unable to Verify App. An internet connection is required to verify the trust of the developer "Apple Development... Before I receive any recommendations, such as deleting Xcode or restarting my device, I would like to clarify that I have already taken all necessary precautions. The application I was testing appeared to function correctly in the morning a few hours prior to the update. However, after upgrading to the latest beta builds, iOS 26.4 beta and the latest macOS beta, this issue has become a recurring problem. I would greatly appreciate your assistance in resolving this matter, as it is of utmost importance to me.

Hello We have a pkg installer whose signing certificate is expiring next month. It has a trusted timestamp on it. As per https://developer.apple.com/support/certificates/ it states Developer ID Installer Certificate (Mac applications) If your certificate expires, users can still install packages that were signed with this certificate as long as the package includes a trusted timestamp. Previously installed apps will continue to run. However, new installations won’t be possible until you have re-signed your installer package with a valid Developer ID Installer certificate. If your certificate is revoked, users will no longer be able to install applications that have been signed with this certificate. Wanted to check on behavior for new installations post expiration date. Since the installer has a trusted timestamp we would not need to release a new installer with new cert ?? Any guidance here would be much appreciated.

I have gotten all necessary entitlements for all my extensions,

When I create an archive file and attempt to upload the app using the "Distribute App" button, the upload fails with the error "Automatic signing cannot update bundle identifier...". (The detailed message is below.) When creating an archive file in Xcode, I unchecked "Automatically Manage Signing" and proceeded with the archive. The message says "Font Enumeration," but other apps with the same option enabled upload successfully. Therefore, I believe the "Font Enumeration" option is not the issue. I tried creating a new provisioning file, but it still doesn't work. I deleted all DerivedData files from my Mac storage, restarted Xcode, and tried again, but it still doesn't work. This keeps happening only for certain targets (specific apps) in Xcode. Does anyone know how to fix this? Xcode is the latest version. Message: Automatic signing cannot update bundle identifier "com.xxxxxx.xxxxxx". Automatic signing cannot update your registered bundle identifier to enable Font Enumeration. Update your bundle identifier on https://developer.apple.com/account and then try again.

On our public Apple account we have distribution certificates that work for all Apple platforms. On our Enterprise account it will only generate iOS distribution certificates. Apple support did not provide any concrete solutions, only pointing us to the general docs. Any suggestions?

Is there a way to check your app signature to verify if any one has tampered with the ipa file. I want to know specifically how to determine and handle this type of situation. How can i do a check for this in code(swift).