I'm trying to use the App Store Connect API to get the list of expired certificates. When I make the web service call: https://api.appstoreconnect.apple.com/v1/certificates I'm able to get the list of developer certificate. The distribution certificates are not included in the list. According to the docs, I should all of them in the result set. Is there any thing special that needs to be added the web service call to have the distribution certs included in the result set?

I have Apple Account in that my clients give me App store admin access. still i can't access the Certificates, Identifiers & Profiles its show me Access Unavailable This resource is only for developers enrolled in a developer program or members of an organization’s team in a developer program. But my client already enrol or they give me access of admin level. can you please tell how can i got access of that ?

Hi, I got the error: /usr/bin/codesign exited with code 1: Warning: unable to build chain to self-signed root for signer "Apple Distribution: Q.A.C.F. - Quality Academy Consultoria E Formacao, Unipessoal, Lda (xxxxxx)" /Users/pedroramalho/Library/Caches/Xamarin/mtbs/builds/drBoxSaude.iOS/3bed3d51415af2e100a4d2bc57e1d36fb42d76ceb190de1db1c4d0dbccbff863/bin/iPhone/Release/drBoxSaude.iOS.app: errSecInternalComponent and /usr/bin/codesign exited with code 1: /Users/pedroramalho/Library/Caches/Xamarin/mtbs/builds/drBoxSaude.iOS/3bed3d51415af2e100a4d2bc57e1d36fb42d76ceb190de1db1c4d0dbccbff863/bin/iPhone/Release/drBoxSaude.iOS.app/Frameworks/libSkiaSharp.framework: replacing existing signature Warning: unable to build chain to self-signed root for signer "Apple Distribution: Q.A.C.F. - Quality Academy Consultoria E Formacao, Unipessoal, Lda (xxxxx)" /Users/pedroramalho/Library/Caches/Xamarin/mtbs/builds/drBoxSaude.iOS/3bed3d51415af2e100a4d2bc57e1d36fb42d76ceb190de1db1c4d0dbccbff863/bin/iPhone/Release/drBoxSaude.iOS.app/Frameworks/libSkiaSharp.framework: errSecInternalComponent Some one can help please

Hi guys, I'm developing a FinderSync Extension that extends Finder contextual menu with a couple of items doing some trivial file operations. I'm using Xcode 16.2 on macOS Sequoia 15.3.2 I could run the containing app in debug, and in System Preferences -> File Providers the flag is enabled for my app finder extension. Anyway, the contextual menu does not show in Finder, probably because the finder extension crashes immediately. Some output: pluginkit -m | grep "com\.[^a]" + com.mycompany.MyApp.MyAppFinderExtension(1.1.14) codesign -dvvv --entitlements - /Users/me/Library/Developer/Xcode/DerivedData/MyApp-dmzhnwmosboixodalsrrbwvwvmqm/Build/Products/Debug/MyApp.app/Contents/PlugIns/MyApp\ Finder\ Extension.appex Executable=/Users/me/Library/Developer/Xcode/DerivedData/MyApp-dmzhnwmosboixodalsrrbwvwvmqm/Build/Products/Debug/MyApp.app/Contents/PlugIns/MyApp Finder Extension.appex/Contents/MacOS/MyApp Finder Extension Identifier=com.mycompany.MyApp.MyAppFinderExtension Format=bundle with Mach-O thin (arm64) CodeDirectory v=20400 size=659 flags=0x2(adhoc) hashes=9+7 location=embedded Hash type=sha256 size=32 CandidateCDHash sha256=b59538ef9e3b6e8cf462a3e260e3bf26d050deb5 CandidateCDHashFull sha256=b59538ef9e3b6e8cf462a3e260e3bf26d050deb5e21fb27d4fa0a4fe5f3e78b7 Hash choices=sha256 CMSDigest=b59538ef9e3b6e8cf462a3e260e3bf26d050deb5e21fb27d4fa0a4fe5f3e78b7 CMSDigestType=2 CDHash=b59538ef9e3b6e8cf462a3e260e3bf26d050deb5 Signature=adhoc Info.plist entries=23 TeamIdentifier=not set Sealed Resources version=2 rules=13 files=9 Internal requirements count=0 size=12 [Dict] [Key] com.apple.security.app-sandbox [Value] [Bool] true [Key] com.apple.security.application-groups [Value] [Array] [String] [Key] com.apple.security.assets.movies.read-write [Value] [Bool] true [Key] com.apple.security.assets.music.read-write [Value] [Bool] true [Key] com.apple.security.assets.pictures.read-write [Value] [Bool] true [Key] com.apple.security.files.documents.read-write [Value] [Bool] true [Key] com.apple.security.files.downloads.read-write [Value] [Bool] true [Key] com.apple.security.files.user-selected.read-write [Value] [Bool] true [Key] com.apple.security.get-task-allow [Value] [Bool] true [Key] com.apple.security.personal-information.location [Value] [Bool] true The log is showing something very strange: log show --predicate 'eventMessage contains "com.mycompany.MyApp" and messageType = error' --last 1h Filtering the log data using "composedMessage CONTAINS "com.mycompany.MyApp" AND logType == 16" Skipping info and debug messages, pass --info and/or --debug to include. Timestamp Thread Type Activity PID TTL 2025-03-25 10:20:48.428127+0100 0x221af Error 0x53dbe 159 0 tccd: [com.apple.TCC:access] Request message contains a target_token to accessing_process (TCCDProcess: identifier=com.mycompany.MyApp, pid=4140, auid=501, euid=501, binary_path=/Users/me/Library/Developer/Xcode/DerivedData/MyApp-dmzhnwmosboixodalsrrbwvwvmqm/Build/Products/Debug/MyApp.app/Contents/MacOS/MyApp) but TCCDProcess: identifier=com.apple.audio.coreaudiod, pid=184, auid=202, euid=202, binary_path=/usr/sbin/coreaudiod is not a TCC manager for service: kTCCServiceScreenCapture. 2025-03-25 10:20:53.166554+0100 0x22139 Error 0x67ff4 163 0 runningboardd: (RunningBoard) [com.apple.runningboard:general] RBSStateCapture remove item called for untracked item 163-158-7088 (target:[app<application.com.mycompany.MyApp.36628067.36635236.92E24CD3-97A8-4340-A46E-4493456283C7(501)>:4140]) 2025-03-25 10:20:53.166575+0100 0x22139 Error 0x67ff4 163 0 runningboardd: (RunningBoard) [com.apple.runningboard:general] RBSStateCapture remove item called for untracked item 163-158-7087 (target:[app<application.com.mycompany.MyApp.36628067.36635236.92E24CD3-97A8-4340-A46E-4493456283C7(501)>:4140]) 2025-03-25 10:20:53.166582+0100 0x22139 Error 0x67ff4 163 0 runningboardd: (RunningBoard) [com.apple.runningboard:general] RBSStateCapture remove item called for untracked item 163-158-7091 (target:[app<application.com.mycompany.MyApp.36628067.36635236.92E24CD3-97A8-4340-A46E-4493456283C7(501)>:4140]) 2025-03-25 10:20:53.166593+0100 0x22139 Error 0x67ff4 163 0 runningboardd: (RunningBoard) [com.apple.runningboard:general] RBSStateCapture remove item called for untracked item 163-132-7084 (target:[xpcservice<com.apple.finder.FinderSync.IsExtensionEnabled([app<application.com.mycompany.MyApp.36628067.36635236.92E24CD3-97A8-4340-A46E-4493456283C7(501)>:4140])(501)>{vt hash: 0}:4144:4144]) -------------------------------------------------------------------------------------------------------------------- Log - Default: 0, Info: 0, Debug: 0, Error: 13, Fault: 0 Activity - Create: 0, Transition: 0, Actions: 0 Especially the first line: MyApp is not accessing coreaudiod - neither trying to get a ScreenCapture, so ... WTF??? How is it possibile? Why is the system blocking MyApp FinderExtension, or preventing it to run? Thank you in advance _Alex

It is not working properly. What should I do?

I’m building an Electron app for macOS that I plan to distribute to users in a .dmg outside the Mac App Store. I have a Developer ID Application certificate (from Apple’s Developer Portal) and a private key, and I can see “Developer ID Certification Authority” in my System Roots keychain. • My Developer ID Application certificate is in the login keychain, and it shows up under “My Certificates” with its private key. • On Keychain, certificate shows red message "not trusted", but when I evaluate and check it specifically for codesigning it shows a green checkmark and success • Developer ID Certification Authority is in System Roots. • security find-identity -p codesigning – shows my certificate, but shows 0 valid identities • Updated operating system and deleted and recreated a new certificate, still get the same issue

It'd be great if someone would give an overview of the steps to create a new app from an existing one. Can I copy my Xcode project to get started? After I copy my Xcode project, what do I need to do in Xcode? What do I need to do regarding certificate(s) and bundle id. Are there any steps where order is super important? Feel free, of course, to provide a link to an article and/or video on this as that'd be awesome if the information is current. What I've found online is typically out-of-date or more specific - not an overview.

Hi, I'm having a really hard time figuring out why I cannot perform cloud signing via Developer ID with xcodebuild. I have a macOS application, which I can perfectly cloud sign the following way: Sign into Xcode with my Admin + Account Holder Apple ID. Delete my Developer ID Application certificate from Keychain Access. In Xcode, click Archive. When archived, click "Distribute App" in Xcode Organizer. The app is cloud signed. I prove this by extracting the certificate codesign --extract-certificates -- /path/to/app.app then locate the 1.2.840.113635.100.6.1.32 bit mentioned by Quinn in this post. I however do it by simply opening the certifiacte with Keychain Access, where I can investigate the content of the certificate, rather than use that tool he does. Then, I do the following to attempt to cloud sign via xcodebuild: Create an API Key for the whole team in Users and Access > Integrations > App Store Connect with the "Admin" role selected. Download the private key .p8 file to ~/Downloads. Sign out of my Apple ID in Xcode by removing the account in Settings > Accounts. Create an archive: xcodebuild archive -scheme "<redacted scheme name>" -archivePath ~/Downloads/archive.xcarchive -authenticationKeyIssuerID <redacted issuer id> -authenticationKeyID <redacted key id> -authenticationKeyPath ~/Downloads/AuthKey_<redacted key id>.p8 -allowProvisioningUpdates The archive is successfully created, with a new "Apple Development: Created via API (TEAM ID)" naming. Export the archive: xcodebuild -exportArchive -archivePath ~/Downloads/archive.xcarchive -authenticationKeyIssuerID <redacted issuer id> -authenticationKeyID <redacted key id> -authenticationKeyPath ~/Downloads/AuthKey_<redacted key id>.p8 -allowProvisioningUpdates -exportOptionsPlist ~/Downloads/exportOptions.plist -exportPath ~/Downloads which then fails: 2025-03-07 10:27:58.706 xcodebuild[2152:40704] [MT] IDEDistribution: -[IDEDistributionLogging _createLoggingBundleAtPath:]: Created bundle at path "/var/folders/tn/yy7ynz3d0yb4p3sd_5q_wl0h0000gn/T/<redacted app name> macOS_2025-03-07_10-27-58.706.xcdistributionlogs". error: exportArchive Cloud signing permission error error: exportArchive No signing certificate "Developer ID Application" found ** EXPORT FAILED ** Opening the distribution logs, I find this in the Provisioning Log: 2025-03-07 09:09:58 +0000 2025-03-07 09:09:58 +0000 IDEProvisioningRepair(<redacted app name>.app): 2025-03-07 09:09:58 +0000 IDEProvisioningRepair(<redacted app name>.app): Sending request 84E57539-BC1D-407A-8402-7BCE9F2FD100 to <https://appstoreconnect.apple.com/xcbuild/v1/certificates> for session DVTServicesTeamBasedSession <issuer: <redacted issuer id>; key identifier: <redacted key id>>. Method: POST Headers: { Accept = "application/vnd.api+json"; "Accept-Encoding" = "gzip, deflate"; Authorization = "Bearer <redacted bearer token>"; "Content-Length" = 116; "Content-Type" = "application/vnd.api+json"; "User-Agent" = Xcode; "X-HTTP-Method-Override" = GET; "X-Xcode-Version" = "16.2 (16C5032a)"; } Payload: {"urlEncodedQueryParams":"teamId=<redacted team id>&filter%5BcertificateType%5D=DEVELOPER_ID_APPLICATION_MANAGED&limit=200"} 2025-03-07 09:09:59 +0000 2025-03-07 09:09:59 +0000 IDEProvisioningRepair(<redacted app name>.app): 2025-03-07 09:09:59 +0000 IDEProvisioningRepair(<redacted app name>.app): Received response for 84E57539-BC1D-407A-8402-7BCE9F2FD100 @ <https://appstoreconnect.apple.com/xcbuild/v1/certificates>. Code = 0 2025-03-07 09:09:59 +0000 2025-03-07 09:09:59 +0000 IDEProvisioningRepair(<redacted app name>.app): 2025-03-07 09:09:59 +0000 IDEProvisioningRepair(<redacted app name>.app): Response payload: { "errors" : [ { "id" : "3d09690a-e26f-497f-b576-25104064387e", "status" : "403", "code" : "FORBIDDEN_ERROR", "title" : "This request is forbidden for security reasons", "resultCode" : 7495, "detail" : "You haven't been given access to cloud-managed distribution certificates. Please contact your team's Account Holder or an Admin to give you access. If you need further assistance, contact Apple Developer Program Support at https://developer.apple.com/contact/." } ] } Which is really weird, since I am using an API key with Admin rights. If I create a new key, and use it only for this command, App Store Connect does show the "Last Used" date as today after running the command. I thought some time might need to pass, but the issue has been persisting since yesterday. What could be wrong here? I do have a managed Developer ID Application certificate showing in my account but I still can't retrieve it with an Admin right imbued API key.

Hey everyone, We’re running into a frustrating issue with Xcode Cloud builds submitted to App Store Review. After every build, we must manually delete all code signing certificates generated by Xcode Cloud; otherwise, the reviewers can’t open the exported App Store app. When they try to open it, they see the error: “Apple Information Security: A process was blocked from running and moved to Trash: [Our App Name]” Oddly enough, if we delete all Xcode Cloud-generated certificates and then trigger a new Xcode Cloud build, the problem temporarily disappears—until the next submission, where we have to repeat the process. Has anyone else encountered this issue? Any recommendations on how to prevent this from happening? We’d rather not keep trashing certificates after every build. Thanks!

Hi all, reposting this from here: https://unix.stackexchange.com/questions/789849/xattr-c-not-removing-com-apple-finderinfo-attribute I came to this problem because my Xcode project was failing to build due to the error "resource fork, Finder information, or similar detritus not allowed" (was trying the solutions on this post). Basically, running xattr -cr . in the terminal on my project directory removes all extended attributes except com.apple.FinderInfo, which stays on all .xcodeproj and .xcworkspace files. I've tried everything under the sun, from sudo to xattr -d to dot_clean to tar to rsync and nothing works. Is this just an immortal attribute that can never be removed? I'm truly at a loss here, this is for my senior thesis project.

I am developing a macOS app that requires the Associated Domains entitlement. The app will be distributed as a custom app. The app needs to be signed using Team A’s Developer ID Application certificate and packaged under Team A’s Team ID. Team A has a secure signing and packaging setup, but they do not provide access to their Developer ID Application Identity (cert) or their provisioning profile. I am part of Team B and have access to Team B’s Developer ID Application identity and provisioning profiles. I am thinking of doing the following: I create a provisioning profile under Team B that authorizes the Associated Domains entitlement. I sign the app using Team B’s Developer ID Application identity, ensuring the required entitlements are included. Then, I re-sign the app using Team A’s Developer ID Application identity, since Team A has also set up the same bundle ID with the Associated Domains entitlement and corresponding provisioning profile. Questions: Is this approach correct & does it have any drawback? Will the double signing process work without issues, given that Team A has the required provisioning profile for the same bundle ID? Are there better ways to handle this situation where signing must be done under Team A but access is limited? Thanks!

I have used XCode for decades as my default C/C++ programming IDE. I write code that I run locally on my Mac, via "Sign to run locally". Typically this has always "just worked". I am now using MacOS 14.7 Sonoma, and I suddenly find I cannot run my code projects because I cannot dynamically load unsigned libraries. "not valid for use in process: library load disallowed by system policy" BUT - it appears that to allow my local MacOS code to bypass this requires I have a bundle identifier to modify entitlements. Which in turn requires a developer account which I don't have. Is this all correct? Is there any way to have code run locally and use dynamic libraries as I've done previously? Any advice is much appreciated.

I can't upload my macOS app to app store connect. Each time i try to upload, i see this message: Provisioning profile failed qualification Profile doesn't support App Groups. An empty app without an app group uploads fine, but if i add an app group to it, it does not upload.

I have a pass type id that expired. I created a CSR in keychain access on my Mac. I uploaded the CSR and generated a new cert. I downloaded the new cert and imported into keychain access. I don't see the associated private key and I cannot export a .p12 certificate. It's possible I started with the wrong key to generate the CSR or maybe I inadvertently deleted key while trying to locate the cert after importing. I'm not sure how to determine which. I do still have the private key from the cert that expired. But, I cannot figure out how to sign a cert again, my only option now is download. I've been searching the forum and while there may be an answer, I may just be looking for the wrong thing. I could use some help if anybody would be so kind.

In an expo managed project which utilizes custom expo plugins, we're having trouble getting the keychain-access-groups entitlement inserted to our provisioningprofile for signing. The provisioning profile we download from apple dev portal contains: <key>keychain-access-groups</key> <array> <string>56APMZ7FZY.*</string> <string>com.apple.token</string> </array> and this is not recognized by xcode for signing; an error is thrown: Provisioning profile "ccpp" doesn't include the com.apple.developer.keychain-access-groups entitlement. A matching error is thrown during EAS build. So we need to find a way to modify the ccpp.mobileprovision locally and then sign the build using the modified ccpp.mobileprovision. Or, we need guidance on the proper way to resolve this situation. Questions: why does the downloaded mobileprovision file have the keychain-access-groups key, and not com.apple.developer.keychain-access-groups? Both Xcode and EAS appear to demand the latter keyname. when I use expo prebuild, I am able to see the following in the .entitlements file: <key>com.apple.developer.keychain-access-groups</key> <array> <string>$(AppIdentifierPrefix)com.myapp</string> </array> I am adding this entitlement using a custom expo plugin. However, the mobileprovision file downloaded from apple developer portal has no knowledge of this setting which is only applied through expo prebuild. So what I am left with at the end is an entitlements file generated by my expo prebuild which has the correct setting, and a provisioningprofile downloaded from dev portal with an incorrect setting, and I don't know how to mend the downloaded provisioningprofile (incorrect setting) with my local entitlements file (correct setting).

I'm facing an issue with revoking an iOS Development certificate in the Apple Developer Console. The certificate is in "Pending Approval" status, and when I attempt to revoke it, I receive the following error: "The specified resource does not exist. There is no certificate with ID 'XXXXXXXXX' on this team." Despite this error, the certificate still appears in my list, and the only available action remains "Revoke." Steps I've tried so far: Refreshed the page and cleared the browser cache Logged out and back into my Developer account Tried using different browsers (Safari, Chrome) Checked Xcode &gt; Preferences &gt; Accounts for certificate status Contacting Apple Support (Not response since over 3 weeks) Additional Info: The certificate type is iOS Development, not Distribution. The status has been "Pending Approval" since creation.

I am developing and distributing an XCFramework, and I want to ensure that it remains valid for as long as possible. I have some questions regarding certificate expiration and revocation: I understand that if an XCFramework is signed with a timestamp, it remains valid even after the signing certificate expires. However, if the signing certificate is revoked, the XCFramework immediately becomes unusable. As far as I know, Apple allows a maximum of two active distribution certificates at the same time. I assume that once a certificate expires, it will eventually need to be revoked in order to issue a third certificate. Is this correct? If an expired certificate is later revoked, will the XCFrameworks signed with that certificate also become invalid, even though they were timestamped? I want to ensure that released XCFrameworks remain valid for as long as possible. What is the best approach to achieve this? If anyone has insights or official documentation references on how to manage signing certificates for long-term XCFramework validity, I would appreciate your guidance. Thank you!

I'm using libxpc in a C server and Swift client. I set up a code-signing requirement in the server using xpc_connection_set_peer_code_signing_requirement(). However, when the client doesn't meet the requirement, the server just closes the connection, and I get XPC_ERROR_CONNECTION_INTERRUPTED on the client side instead of XPC_ERROR_PEER_CODE_SIGNING_REQUIREMENT, making debugging harder. What I want: To receive XPC_ERROR_PEER_CODE_SIGNING_REQUIREMENT on the client when code-signing fails, for better debugging. What I’ve tried: Using xpc_connection_set_peer_code_signing_requirement(), but it causes the connection to be dropped immediately. Questions: Why does the server close the connection without sending the expected error? How can I receive the correct error on the client side? Are there any other methods for debugging code-signing failures with libxpc? Thanks for any insights!

After I upgraded to macOS 15.3, all of my current Xcode project have the signing issue, I spent half day and I didn't make any progress, I tried two projects, one is Swift AppKit App calling one C++ dylib, another one is a pure Swift AppKit app, when I build, there will be error: Warning: unable to build chain to self-signed root for signer "Apple Development: Steven Tang (XXXXX)" /Volumes/TwoTSSD/steventang/Library/Developer/Xcode/DerivedData/ImageEnhancement-ddbilgyraofrdyfeljyuknusunza/Build/Products/Release/ImageEnhancement.app: errSecInternalComponent I tried remove account, add account back in Xcode, none of it worked, also tried ChatGPT's WWDR updating and it won't help.

I have created a XPC server and client using C APIs. I want to ensure that I trust the client, so I want to have a codesigning requirement on the server side, something like - xpc_connection_set_peer_code_signing_requirement(listener, "anchor apple generic and certificate leaf[subject.OU] = \"1234567\"") This checks if the client code was signed by a code-signing-identity issued by Apple and that the teamID in the leaf certificate is 1234567. My questions are- Is using teamID as a signing requirement enough? What else can I add to this requirement to make it more secure? How does xpc_connection_set_peer_code_signing_requirement work internally? Does it do any cryptographic operations to verify the clients signature or does it simply do string matching on the teamID? Is there a way actually verify the clients signature(cryptographically) before establishing a connection with the server? (so we know the client is who he claims to be)