Hi guys, New to publishing apps on Apple Store. I encounter some notarization error before and resolved it in this post. By solving the previous issue, I updated the Trust setting from "Always Trust" to "Use System Defaults" for Apple certificates. The codesign and notarization no longer give me any problem. But now, I encountered another issue. When I ran the .app on my local Macbook, it now gives me "zsh: trace trap" error. Dive a little further and check the crash report, I found the some details as following. Process: my_app [30652] Path: /Users/USER/my_app_path Identifier: my_app Version: 0.0.0 (???) Code Type: ARM-64 (Native) Parent Process: launchd [1] User ID: 501 Date/Time: 2025-07-15 14:57:58.9874 -0400 OS Version: macOS 15.5 (24F74) Report Version: 12 Anonymous UUID: 2335F0B6-A26E-6446-6074-0FCE620C4B6A Time Awake Since Boot: 6000 seconds System Integrity Protection: enabled Crashed Thread: 0 Dispatch queue: com.apple.main-thread Exception Type: EXC_BAD_ACCESS (SIGKILL (Code Signature Invalid)) Exception Codes: UNKNOWN_0x32 at 0x00000001064b4000 Exception Codes: 0x0000000000000032, 0x00000001064b4000 Termination Reason: Namespace CODESIGNING, Code 2 Invalid Page VM Region Info: 0x1064b4000 is in 0x1064b4000-0x1064b8000; bytes after start: 0 bytes before end: 16383 REGION TYPE START - END [ VSIZE] PRT/MAX SHRMOD REGION DETAIL mapped file 1064ac000-1064b4000 [ 32K] r-x/rwx SM=COW Object_id=d2a02fbf ---> VM_ALLOCATE 1064b4000-1064b8000 [ 16K] r-x/rwx SM=PRV __TEXT 1064b8000-1068a4000 [ 4016K] r-x/rwx SM=COW my_app.app/Contents/Frameworks/Python.framework/Versions/3.12/Python I can tell it's about codesign and signature invalid. I have tried to rebuild, re-codesign and re-notarize. But the error still persists. Could someone help me? Thanks!

Hi! I'm trying to add Sign in with Apple to my macOS app. I enabled this capability from the developer portal and created the corresponding certificate & provisioning profile (both of type Developer ID Application.) However, Xcode keeps prompting me that the profile doesn't support Sign in with Apple. If I enable Automatically manage signing from Xcode, I can build and run the app but not distribute. If I turn it off and use the profile I got, it just keeps showing the errors below and doesn't even let me build.

Hello Everyone, I am currently building an app using React Native with Swift bridging, integrating VoIP functionality using Twilio, PushKit, and CallKit. I am encountering the following issue during development: "The current provisioning profile doesn't include the com.apple.developer.voip-push-notification entitlement." What I’ve Done So Far: VoIP Certificate: I have created a valid VoIP Services certificate in the Apple Developer portal. Bundle Identifier and Provisioning Profile: A new Bundle ID was created specifically for this app. I created a provisioning profile for this Bundle ID and downloaded it for use in Xcode. Xcode Capabilities Push Notifications: Enabled Background Modes: Voice over IP: Enabled, Remote notifications: Enabled Entitlements File I have an entitlements file named VoiceCallDemoProjectRelease.entitlements with the following content: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>aps-environment</key> <string>development</string> <key>com.apple.developer.voip-push-notification</key> <true/> </dict> </plist> This entitlements file is properly linked in the project’s build settings. Project Setup I have integrated PushKit for VoIP push handling and CallKit for incoming call UI and control. Problem: In the Apple Developer portal under my App ID settings, I only see an option to enable Push Notifications. There is no option available to enable Voice over IP, and therefore the provisioning profile generated does not include the com.apple.developer.voip-push-notification entitlement. Despite enabling VoIP background mode in Xcode, adding the entitlement in my project, and using a valid VoIP certificate, the profile does not include the required entitlement. Additional Information: I am using an Individual Apple Developer Account, not an Organization account. I have already attempted re-downloading the provisioning profile, restarting Xcode, and cleaning the build folder. Question: What steps should I take to resolve this and ensure that the com.apple.developer.voip-push-notification entitlement is included in my provisioning profile? Is this limitation due to the type of developer account (individual vs. organization), and do I need to upgrade to an Organization account to access this entitlement? Is there any way to request for 'com.appple.developer.voip-push-notification' entitlement to Apple Team ? Any clarification would be appreciated. Thank you.

Subject: Questions Regarding Signing Certificates for MDM Configuration Profiles Dear all, I hope this message finds you well. I have some questions regarding the signing certificates used for MDM configuration profiles. Currently, our company uses an SSL certificate to sign MDM configuration profiles. However, with the announcement that the validity period of SSL certificates will gradually be shortened starting in 2026, we are considering alternative options for signing certificates. Through our internal testing and investigation, we have found examples of the following certificate chains being used: ・Developer ID - G1 (Expiring 02/01/2027 22:12:15 UTC) + Developer ID Application certificate chain ・Apple Root CA + Apple Worldwide Developer Relations Intermediate Certificate + MDM CSR certificate chain We would appreciate any insights or experiences you can share regarding the following points: Apple Support previously advised that "certificates issued by public certificate authorities (CAs) trusted by Apple" are recommended. The certificates listed at https://www.apple.com/certificateauthority/ are typically preinstalled on Apple devices. Are these considered "trusted public CAs" by Apple in this context? Is it acceptable in practice to use a certificate obtained from the “Certificates, Identifiers &amp; Profiles” section on developer.apple.com for signing MDM configuration profiles? We would be grateful to hear about any real-world experiences. If the answer to question 2 is yes, which certificate type within “Certificates, Identifiers &amp; Profiles” would be most appropriate for signing configuration profiles? If using certificates from question 2 is not suitable, are there alternative certificate types (other than SSL) that are valid for longer periods (e.g., more than one year) and appropriate for signing MDM configuration profiles? Apple's official documents do not seem to clearly specify what type of certificate should be used to sign MDM configuration profiles. If you know of any helpful documents or resources related to this topic, we would greatly appreciate it if you could share them. Thank you very much for your time and support. We would truly appreciate any advice or guidance you can provide.

// Request curl --location --request POST 'https://api.appstoreconnect.apple.com/v1/devices' --header 'Authorization: ${the_token}' --header 'Content-Type: application/json' --data-raw '{ "data": { "type": "devices", "attributes": { "name": "${the_device_name}", "udid": "${the_device_udid}", "platform": "IOS" } } }' // Response { "errors": [ { "status": "403", "code": "FORBIDDEN_ERROR", "id":"8a45808f-aa56-4e29-bef0-3f836d571a24","title": "This request is forbidden for security reasons", "detail": "You are not allowed to perform this operation. Please check with one of your Team Admins, or, if you need further assistance, please contact Apple Developer Program Support. https://developer.apple.com/support" } ] }

I'm hoping to make certain in-house apps fail to launch by revoking the in-house certificate that they were built on. This is by way of encouraging users of these apps to download updates built on a new certificate. How long will it take app built on a now-revoked certificate to no longer launch? Also, what is Apple's process for checking the validity of an in-house certificate in an app built on that certificate, running on iOS devices? I understand that provisioning profiles have built-in expiration dates, but will an in-house app that's built on a valid provisioning profile keep running even on a revoked certificate if the revocation happened before the certificate's own expiration date? Craig Umanoff

Hi there, can anyone help here. I think somewhere along the way I screw certificates or don't have the right one, anyway long story short when building product I get this error: Embedded binary is not signed with the same certificate as the parent app. Verify the embedded binary target's code sign settings match the parent app's.

I've been running into issues with Xcode Cloud/my workflow when it's trying to archive the app. I've tested locally and both archiving and building the app for release works. I've tried a few things to clear it. pod deintegrate and pod install Checking off "archive" for the build scheme Creating a certificate for both development and distribution. I made sure automatic signing was enabled as well. I have a ci_scripts/ci_post_clone.sh script that successfully completes. Have tried setting the xcode version of the workflow to 16.2 which is what my local xcode version is. I've switched it back to the latest, 16.4. running pod update Updating flutter However, I consistently get the following 2 errors : `Showing All Messages Run command: 'xcodebuild archive -workspace /Volumes/workspace/repository/ios/Runner.xcworkspace -scheme Runner -destination generic/platform=iOS -archivePath /Volumes/workspace/build.xcarchive -derivedDataPath /Volumes/workspace/DerivedData -resultBundleVersion 3 -resultBundlePath /Volumes/workspace/resultbundle.xcresult -resultStreamPath /Volumes/workspace/tmp/resultBundleStreame3592434-5b88-48da-a3c4-f750abee4d08.json -IDEPostProgressNotifications=YES CODE_SIGN_IDENTITY=- AD_HOC_CODE_SIGNING_ALLOWED=YES CODE_SIGN_STYLE=Automatic DEVELOPMENT_TEAM=JG794CQD68 COMPILER_INDEX_STORE_ENABLE=NO -hideShellScriptEnvironment' ` and Showing All Messages Unhandled exception: ProcessException: No such file or directory Command: /Users/local/flutter/bin/flutter assemble --no-version-check --output=/Volumes/workspace/DerivedData/Build/Intermediates.noindex/ArchiveIntermediates/Runner/BuildProductsPath/Release-iphoneos/ -dTargetPlatform=ios -dTargetFile=lib/main.dart -dBuildMode=release -dConfiguration=Release -dIosArchs=arm64 -dSdkRoot=/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS18.5.sdk -dSplitDebugInfo= -dTreeShakeIcons=true -dTrackWidgetCreation=false -dDartObfuscation=false -dAction=install -dFrontendServerStarterPath= --ExtraGenSnapshotOptions= --DartDefines=RkxVVFRFUl9WRVJTSU9OPTMuMzUuMQ==,RkxVVFRFUl9DSEFOTkVMPXN0YWJsZQ==,RkxVVFRFUl9HSVRfVVJMPWh0dHA6Ly9naXRodWIuY29tL2ZsdXR0ZXIvZmx1dHRlci5naXQ=,RkxVVFRFUl9GUkFNRVdPUktfUkVWSVNJT049MjBmODI3NDkzOQ==,RkxVVFRFUl9FTkdJTkVfUkVWSVNJT049MWU5YTgxMWJmOA==,RkxVVFRFUl9EQVJUX1ZFUlNJT049My45LjA= --ExtraFrontEndOptions= -dSrcRoot=/Volumes/workspace/repository/ios -dTargetDeviceOSVersion= -dCodesignIdentity=- release_ios_bundle_flutter_assets #0 _ProcessImpl._runAndWait (dart:io-patch/process_patch.dart:519:7) #1 _runNonInteractiveProcessSync (dart:io-patch/process_patch.dart:686:18) #2 Process.runSync (dart:io-patch/process_patch.dart:79:12) #3 Context.runSyncProcess (file:///Users/local/flutter/packages/flutter_tools/bin/xcode_backend.dart:154:20) #4 Context.runSync (file:///Users/local/flutter/packages/flutter_tools/bin/xcode_backend.dart:118:34) #5 Context.buildApp (file:///Users/local/flutter/packages/flutter_tools/bin/xcode_backend.dart:539:34) #6 Context.run (file:///Users/local/flutter/packages/flutter_tools/bin/xcode_backend.dart:51:9) #7 main (file:///Users/local/flutter/packages/flutter_tools/bin/xcode_backend.dart:17:5) #8 _delayEntrypointInvocation.<anonymous closure> (dart:isolate-patch/isolate_patch.dart:312:33) #9 _RawReceivePort._handleMessage (dart:isolate-patch/isolate_patch.dart:193:12) Command PhaseScriptExecution failed with a nonzero exit code Any help here would be greatly appreciated.

productsign Command Appears to Succeed but Package has No Valid Signature Category: Security, macOS, Code Signing Question: productsign command, when signing a PKG created with productbuild, appears to succeed with a success message (Wrote signed product archive to ...) but spctl verification results in rejected, source=no usable signature, indicating that the signature was not actually applied. Details: Goal: To sign a distribution package created with productbuild using a Developer ID Installer certificate. Certificate Used: Developer ID Installer: [Company Name] ([Team ID]) This certificate was issued by Previous Sub-CA and is not the latest G2 Sub-CA recommended by Apple. We cannot create a new G2 Sub-CA certificate as we have reached the limit of 5. productsign Command: productsign --sign "Developer ID Installer: [Company Name] ([Team ID])" [input.pkg] [output.pkg] productsign Output: Wrote signed product archive to [output.pkg] (Appears as a success message). spctl Signature Verification: spctl -a -vv [output.pkg] Result: rejected, source=no usable signature Notarization Service Results (Behavioral difference between Macs): On Mac A, the submission status was Accepted. On Mac B, the status was Invalid, with the notarization log message being The binary is not signed.. Troubleshooting Steps Taken: We attempted to sign both component and distribution packages with productsign, and in both cases, the signature was not recognized by the system. We skipped productsign and relied on the notarization service's auto-signing, but the notarization log still reported The binary is not signed., and the notarization failed. We have confirmed that the certificate and private key are properly associated in Keychain Access. My Questions: Given that we are using an older Previous Sub-CA certificate and cannot create a new one, why does productsign appear to succeed when the signature is not being applied? What could cause the behavioral difference where notarization is Accepted on Mac A but Invalid on Mac B? Is this a known issue with Apple's tools, or is it possibly caused by the specific structure of our PKG? What is the recommended workflow or debugging method to successfully sign and notarize a PKG under these circumstances? Thank you for your assistance

My post-build script takes the "developeridexport" archive export, zips it up and uses notarytool to notarize it. I then add the .zip to a .dmg disk image. The next step is to codesign the disk image before notarizing that too. The issue is my Developer ID Application certificate is not accessible to the build host. (When I was doing this in Microsoft AppCenter (now defunct), it had a copy of my Developer ID Application certificate.) What steps do I need to take to get the disk image signed for notarization? Thanks! Lance

I am trying to set up code signing for my macOS/Tauri app and I’m running into a problem with my Developer ID Application certificate in Keychain Access. Steps I followed: Generated a CSR on my Mac using Keychain Access → Certificate Assistant → Request a Certificate From a Certificate Authority. Uploaded the CSR to the Apple Developer portal. Downloaded the resulting .cer file and installed it in my login Keychain. The certificate appears under All Items, but it does not show under My Certificates, and there is no private key attached. What I expected: The certificate should pair with the private key created during CSR generation and show under My Certificates, allowing me to export a .p12 file. What I’ve tried so far: Verified that the WWDR Intermediate Certificate is installed. Ensured I’m on the same Mac and same login Keychain where I created the CSR. Revoked and regenerated the certificate multiple times. Tried importing into both login and system Keychains. Problem: The certificate never links with the private key and therefore cannot be used for signing. Has anyone experienced this issue or knows why the certificate would fail to pair with the private key in Keychain Access? Any workaround or fix would be greatly appreciated.

Hello, I have an Apple Developer Enterprise account, and Apple Support has already enabled MDM for my account. I successfully downloaded and installed my MDM Vendor Certificate (it shows up in Keychain as MDM Vendor: [My Company Name] with its private key). Here’s what I’ve done so far: Exported the Vendor Certificate + private key as a .p12, then converted to .pem and .key using OpenSSL. Generated an unsigned CSR with CN=com.apple.mgmt.External. using OpenSSL. Attempted to sign the CSR using: my Vendor certificate the Vendor private key Apple Worldwide Developer Relations (WWDR) intermediate certificate OpenSSL smime -sign command with DER output Problem: Every time I try to upload the vendor-signed CSR to the Apple Push Certificates Portal, I get an error (CSR rejected). Sometimes OpenSSL even fails with “unable to load certificates” depending on how the WWDR certificate is included. My Questions: What is the correct OpenSSL command and certificate chain Apple expects for signing the CSR? Do I need to include any additional intermediates besides WWDR? Is there an official Apple reference example for generating the vendor-signed CSR that the Push Certificates Portal will accept? Any guidance from the community (or someone who has successfully done this end-to-end) would be greatly appreciated. Thank you, Sergio Sanchez

I have two certificates in my Accounts>Manage Certificates section. One is active, the other is greyed out with a status of "Not in Keychain". I only have ONE certificate in the developer account online. Timeline: Had an issue with fastlane codesigning and was trying to resolve that. In that attempt I deleted my related Certificates from my keychain Xcode showed them as disabled (greyed out) and not in Keychain. Look up how to resolve, need to revoke certificates in Developer account online. I go and revoke those certificates. Nothing changes I create new certificate and try to add it to xcode>account>certificate managment>"Apple Development". Get an error saying I can't add a new can't do that because a certificate is already pending. I waited a day because I assumed like somethings with apple, updates are not immediate. I come back the next day and am able to add a new certificate. However, the previous one that is greyed out and reads "Not in Keychain" under Status, is still there. How do I remove that "Not in Keychain" certificate? I emailed developer support and they directed me here.

I am trying to sign a enterprise app with provisioning profile which shows the tap to pay entitlement on Dev portal, but when downloaded on Xcode, it says the profile is missing the tap to pay capability and entitlement The capability was enabled by apple already, it was working fine until the provisioning profile got renewed.

The problem is described in full with log output in #16844 We are having an issue with TCC prompting users for access to the app group container despite signing with entitlements following all guidelines. This is a regression from the Feb 2025 Changes discussed in App Groups: macOS vs iOS: Working Towards Harmony The problem can only be reproduced with Xcode 16.0 and later. The entitlements for the app include access for the group container with [Key] com.apple.security.application-groups [Value] [Array] [String] G69SCX94XU.duck The documentation notes the group name can be arbitrary, e.g. <team identifier>.<group name>. Cyberduck uses G69SCX94XU.duck by default. Interestingly enough the alert is not shown when a group name matching the bundle identifier is used, e.g. G69SCX94XU.ch.sudo.cyberduck.

Hello, My project fails to build/run on a physical device or archive, due to a persistent provisioning error. Exact Error: Provisioning profile "iOS Team Provisioning Profile: com.huiwan.Ohra-Journal" doesn't include the BGTaskSchedulerPermittedIdentifiers entitlement. I have already performed extensive troubleshooting, and all local configurations appear to be correct: Capabilities: "Background Modes" with the "Background processing" option is enabled in the target's "Signing & Capabilities" tab. Info.plist: The Permitted background task scheduler identifiers key is present in the target's Info.plist, and it contains the correct task identifier (com.huiwan.ohra-journal.refresh). Entitlements File: The .entitlements file is correctly configured by Xcode. Full Reset: I have tried a complete reset procedure, including deleting ~/Library/Developer/Xcode/DerivedData and ~/Library/MobileDevice/Provisioning Profiles/, restarting Xcode, and letting the automatic signing system regenerate the profile from scratch. The issue persists. Despite all these correct local settings, the provisioning profile automatically generated by Xcode is consistently missing the required entitlement. This strongly suggests a server-side issue with the provisioning service for my App ID (com.huiwan.Ohra-Journal). I filed a bug report on the Feedback Assistant (FB20268285) a week ago but have not received a response. This issue is completely blocking my development and ability to submit the app. Could you please investigate the status of my App ID and the provisioning services associated with it? Thank you.

I have certificates in my xcode>settings>account>manage certificates that I cannot get rid of. I know that they are linked to certificates in developer.apple.com but I've removed them from there and they persist in xcode. I have one that says "Not in Keychain", which is true. I deleted all the keychains related to these accounts in an attempt to fix something. I also have ones that say things like "Missing Private key" Our setup is that we have one main account "Company Inc." which I am setup to be an Admin in. I created a certificate under my credentials and added it to my keychain and showed up properly in xcode but I still have the other ones. HOW DO I REMOVE THEM :sob:

I want to export Mac OS application out side App Store and I need to have Developer Id installer certificate to do the same. When I go to certificate section in developer portal - I only see option of Mac App Distribution Mac Installer Distribution Developer ID Application Does anyone know where I can check the Developer ID installer part. Developer ID application doesn't work for signing the app manually.

Hello, my builds keep failing in Xcode Cloud at the creation of the archive for tesflight. I am receiving an email mentioning "ITMS-90035: Invalid Signature" TMS-90035: Invalid Signature - Code failed to satisfy specified code requirement(s). The file at path “BASELog.app/BASELog” is not properly signed. Make sure you have signed your application with a distribution certificate, not an ad hoc certificate or a development certificate. Verify that the code signing settings in Xcode are correct at the target level (which override any values at the project level). Additionally, make sure the bundle you are uploading was built using a Release target in Xcode, not a Simulator target. If you are certain your code signing settings are correct, choose “Clean All” in Xcode, delete the “build” directory in the Finder, and rebuild your release target. For more information, please consult https://developer.apple.com/support/code-signing. The thing is the archives which are not intended for testflight not App Store connect are not failing. I think I have the required distribution certificates (initially they were created by API for Xcode Icloud, I add 3, revoked them and recreated one manually and the other from Xcode directly) : even though certificats seems ok, in Xcode I see a dev certificate in the managed release and if I try to force a distribution certificate in the build I then get the following warning It looks like my managed profile is not behaving properly, like not embedding a distribution certificate. I looked on the web for the signing issues, and I have found in other threads an issue with assets having special charsets. I checked on my side, the only thing I see is my app icon is named "icon_v1.png" I assume it shouldn't be an issue. I dont see any special char anywhere else in the sources name. Anyone has any idea on what is causing those build fails on the archive?

I admit I am doing something unusual, and I would not be surprised if it didn't work. I am surprised, however, because after performing the equivalent operations on four bundles, all of the bundles work fine on macOS 15.6.1, but only two of them work on macOS 26.1 (beta 2). I don't know what causes the different outcomes. What I am trying to do is get Java to pass the macOS 26 AppKit UI SDK linkage checking without having to rebuild the JDK using Xcode 26. Rebuilding works for the latest SDK, but it is very inconvenient and may not work for older JDKs. It usually takes a while before the JDK build team successfully transitions to a new Xcode release. My approach is to use vtool to update the sdk version in the LC_BUILD_VERSION load command of $JAVA_HOME/bin/java, which is the launching executable for the JDK. I performed this operation on four JDKs: 25, 21, 17, and 11. (I ran vtool on macOS 15.) It was completely successful on JDK 25 and 21. The JDK launches correctly on macOS 15 and macOS 26. On macOS 26, AppKit uses the new UI, which is the desired outcome. The JDK runs despite that fact that I signed the modified $JAVA_HOME/bin/java with my developer ID, which is inconsistent with the JDK bundle signature. (Redoing the bundle signing is part of the JDK build process; if that were necessary, I would stick with rebuilding the JDK.) The operation was not successful on JDK 17 and 11. I noticed two problems, which are not obviously related. When vtool created the new version of the java program, it lost the tool definition. $ vtool -show-build-version java java: Load command 10 cmd LC_BUILD_VERSION cmdsize 32 platform MACOS minos 11.0 sdk 11.1 ntools 1 tool LD version 609.8 $ vtool -set-build-version 1 10.0 26.0 -output a.out java /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/vtool warning: code signature will be invalid for a.out $ vtool -show-build-version a.out a.out: Load command 22 cmd LC_BUILD_VERSION cmdsize 24 platform MACOS minos 10.0 sdk 26.0 ntools 0 Adding back the tool definition didn't seem to matter. When I try to run the revised executable (in the context of the JDK bundle), it works on macOS 15, but on macOS 26, it is rejected as damaged. If I run the revised executable outside the JDK bundle, it runs (but fails because it can't find the rest of the JDK, which is expected). In all cases, GateKeeper rejects the revised executable because it has not been notarized, but that doesn't seem to stop the program from executing.