General: Forums topic: Code Signing Forums subtopics: Code Signing > General, Code Signing > Certificates, Identifiers & Profiles, Code Signing > Notarization, Code Signing > Entitlements Forums tags: Code Signing, Signing Certificates, Provisioning Profiles, Entitlements Developer Account Help — This document is good in general but, in particular, the Reference section is chock-full of useful information, including the names and purposes of all certificate types issued by Apple Developer web site, tables of which capabilities are supported by which distribution models on iOS and macOS, and information on how to use managed capabilities. Developer > Support > Certificates covers some important policy issues Bundle Resources > Entitlements documentation TN3125 Inside Code Signing: Provisioning Profiles — This includes links to the other technotes in the Inside Code Signing series. WWDC 2021 Session 10204 Distribute apps in Xcode with cloud signing Certificate Signing Requests Explained forums post --deep Considered Harmful forums post Don’t Run App Store Distribution-Signed Code forums post Resolving errSecInternalComponent errors during code signing forums post Finding a Capability’s Distribution Restrictions forums post Signing code with a hardware-based code-signing identity forums post New Capabilities Request Tab in Certificates, Identifiers & Profiles forums post Isolating Code Signing Problems from Build Problems forums post Investigating Third-Party IDE Code-Signing Problems forums post Determining if an entitlement is real forums post Mac code signing: Forums tag: Developer ID Creating distribution-signed code for macOS documentation Packaging Mac software for distribution documentation Placing Content in a Bundle documentation Embedding nonstandard code structures in a bundle documentation Embedding a command-line tool in a sandboxed app documentation Signing a daemon with a restricted entitlement documentation Defining launch environment and library constraints documentation WWDC 2023 Session 10266 Protect your Mac app with environment constraints TN2206 macOS Code Signing In Depth archived technote — This doc has mostly been replaced by the other resources linked to here but it still contains a few unique tidbits and it’s a great historical reference. Manual Code Signing Example forums post The Care and Feeding of Developer ID forums post TestFlight, Provisioning Profiles, and the Mac App Store forums post For problems with notarisation, see Notarisation Resources. For problems with the trusted execution system, including Gatekeeper, see Trusted Execution Resources. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"

Creating CSR file from my Mac steps are :- Going to the Keychain Access > Certificate Assistant > Request a Certificate From a Certificate Authority... Filling the required details in the field, save to desk then continue and save it desktop. Then going to the Developer account in Certification screen and creating a new certificate on click on plus icon then selecting Apple distribution > continue , Then uploading CSR file in the required box and continue. After this I have downloaded the “distribution.cer” file then double clicked on the file then going to the KeyChain Access to see the My Certificate section there is no certificate which I have installed but it showing in the Certificate section without Private key. This steps I have followed but not getting Private key in my certificate how to correct this issue System Configuration :- Mac OS- 14.5 Chip - Apple M1 Keychain Access version - Version 11.0 (55314)

What certificate does Xcode cloud use when distribute apps to App Store? Since cloud managed certs can't be downloaded, how to get its public key for the f..king recordation in China?

Hi all, I‘m using the certificates API in order to create a development certificate. I want to create a Jenkins job that will give employees an option to create a certificate without giving them admin rights. I’m creating a new certificate without any issues. When I try to create another certificate with a different CSR (for a diff user) I get an error that a certificate already exists. Is it limited to create only one certificate per API key?? Thanks!

I would like to code sign an app or installer with an RSA 4096-bit code signing certificate. I created a CSR using RSA4096bit and ECC in Mac Keychain Access, but I was unable to use that CSR to create a code signing certificate on the Apple Developer site. How do I issue an RSA4096-bit or ECC code signing certificate?

I created a fairplay.cer file using the below commands : openssl genrsa -out private_key.pem 1024 openssl req -new -key private_key.pem -out request.csr Here, I manually entered the Country, Organization, etc. I was supposed to use the below commands to make the same : openssl genrsa -aes256 -out privatekey.pem 1024 opensslreq-new-sha1-keyprivatekey.pem-outcertreq.csr-subj "/CN=SubjectName /OU=OrganizationalUnit /O=Organization /C=US" Owing to this, I am unable to create a .p12 file through Keychain Access. I thus want to generate a new fairplay.cer file for Fairplay 4.x. I want to revoke the certificate in order to generate a new one (as it has a limit of 1 certificate for Fairplay) Requesting developer support from Apple. Have raised multiple requests over the past 4 days.

I'm currently working on a project in Swift where I need to digitally sign a PDF file. I have the following resources available: Private Key stored in the iOS Keychain with a tag. Public Key also stored in the iOS Keychain with a tag. A valid certificate stored as a PEM string. I need to digitally sign a PDF file with the above keys and certificate, but I'm struggling to find a clear and straightforward example or guidance on how to achieve this in Swift. Specifically, I’m looking for help with: Creating the digital signature using the private key and certificate. Embedding this signature into the PDF file. Any considerations I should be aware of regarding the format of the signed PDF (e.g., CMS, PKCS7, etc.). If anyone has experience with digitally signing PDFs in Swift, I would greatly appreciate your guidance or code examples. Thank you in advance!

I have received email about your development certificate has been revoked, but couldn't identify who did that, due to this revocation one of our enterprise application stopped working. So posting here to seek some suggestion on following 1.) Identification of Revoking Party: Though I have already raised a support ticket to Apple still waiting for their reply. Is it possible for Apple to send logs or account activity logs that from which account or who did the revocation? 2.) How much does Apple take to reply to the support tickets. 3.) No one else received email in my development team. Is it because the certificate which I created is revoked that's the reason only I have received email? 4.) May I know what are the other scenarios that certificate can be revoked other than a human error? 5.) Is there a way for us to internally monitor activity within our developer account, such as identifying who has been actively logged in and updating certificates?

Hi, our team is facing a problem distributing our app archive to TestFlight. When we try to do so through the Product > Archive option, we get a generic Xcode Archive error message, stating that we can’t distribute or validate it. This issue has been persistent for a few days now, and we’ve been unable to resolve it. We’ve reviewed the documentation (e.g., TN3110, TN3109) to ensure that we’ve set the “Skip Install” option to “No” and the Installation Directory to $(LOCAL_APPS_DIR). However, these changes haven’t made any difference. Another complication is that we’re using our team member’s developer account to distribute the app. As a result, we’ve encountered code signing issues with their credentials on our own devices. Despite our efforts, we’ve been unable to log in to their account. We would greatly appreciate any assistance you can provide in resolving this issue. Thank you for your attention to this matter.

Hi there, our team is facing a problem distributing our app archive to TestFlight. When we try to do so through the Product > Archive option, we get a generic Xcode Archive error message, stating that we can’t distribute or validate it. This issue has been persistent for a few days now, and we’ve been unable to resolve it. We’ve reviewed the documentation (e.g., TN3110, TN3109) to ensure that we’ve set the “Skip Install” option to “No” and the Installation Directory to $(LOCAL_APPS_DIR). However, these changes haven’t made any difference. Another complication is that we’re using our team member’s developer account to distribute the app. As a result, we’ve encountered code signing issues with their credentials on our own devices. Despite our efforts, we’ve been unable to log in to their account. We would greatly appreciate any assistance you can provide in resolving this issue. Thank you for your attention to this matter.

Hi (from France) I have a MacOS application which handles the App Store receipt by requesting at the url "https://buy.itunes.apple.com/verifyReceipt". From the response, I can know what are the inApps bought by the user and that suits for me. I don't know if if I must change something in my code accordingly to this TN3118. Does someone knows the response ? Best regards.

I am developing and distributing an XCFramework, and I want to ensure that it remains valid for as long as possible. I have some questions regarding certificate expiration and revocation: I understand that if an XCFramework is signed with a timestamp, it remains valid even after the signing certificate expires. However, if the signing certificate is revoked, the XCFramework immediately becomes unusable. As far as I know, Apple allows a maximum of two active distribution certificates at the same time. I assume that once a certificate expires, it will eventually need to be revoked in order to issue a third certificate. Is this correct? If an expired certificate is later revoked, will the XCFrameworks signed with that certificate also become invalid, even though they were timestamped? I want to ensure that released XCFrameworks remain valid for as long as possible. What is the best approach to achieve this? If anyone has insights or official documentation references on how to manage signing certificates for long-term XCFramework validity, I would appreciate your guidance. Thank you!

I'm facing an issue with revoking an iOS Development certificate in the Apple Developer Console. The certificate is in "Pending Approval" status, and when I attempt to revoke it, I receive the following error: "The specified resource does not exist. There is no certificate with ID 'XXXXXXXXX' on this team." Despite this error, the certificate still appears in my list, and the only available action remains "Revoke." Steps I've tried so far: Refreshed the page and cleared the browser cache Logged out and back into my Developer account Tried using different browsers (Safari, Chrome) Checked Xcode > Preferences > Accounts for certificate status Contacting Apple Support (Not response since over 3 weeks) Additional Info: The certificate type is iOS Development, not Distribution. The status has been "Pending Approval" since creation.

hông thể cài đặt “TrungDemo” Domain: IXUserPresentableErrorDomain Code: 14 Recovery Suggestion: Failed to verify code signature of /var/installd/Library/Caches/com.apple.mobile.installd.staging/temp.kpOILI/extracted/TrungDemo.app : 0xe8008018 (The identity used to sign the executable is no longer valid.) Please ensure that the certificates used to sign your app have not expired. If this issue persists, please attach an IPA of your app when sending a report to Apple. User Info: { DVTErrorCreationDateKey = "2025-04-29 10:51:27 +0000"; IDERunOperationFailingWorker = IDEInstallCoreDeviceWorker; } Failed to install the app on the device. Domain: com.apple.dt.CoreDeviceError Code: 3002 User Info: { NSURL = "file:///Users/studiozego/Library/Developer/Xcode/DerivedData/TrungDemo-blspaulbkwypvhgaxxfjqbppuugg/Build/Products/Debug-iphoneos/TrungDemo.app"; } Không thể cài đặt “TrungDemo” Domain: IXUserPresentableErrorDomain Code: 14 Failure Reason: Không thể cài đặt ứng dụng này vì không thể xác minh tính toàn vẹn của ứng dụng. Recovery Suggestion: Failed to verify code signature of /var/installd/Library/Caches/com.apple.mobile.installd.staging/temp.kpOILI/extracted/TrungDemo.app : 0xe8008018 (The identity used to sign the executable is no longer valid.) Failed to verify code signature of /var/installd/Library/Caches/com.apple.mobile.installd.staging/temp.kpOILI/extracted/TrungDemo.app : 0xe8008018 (The identity used to sign the executable is no longer valid.) Domain: MIInstallerErrorDomain Code: 13 User Info: { FunctionName = "+[MICodeSigningVerifier _validateSignatureAndCopyInfoForURL:withOptions:error:]"; LegacyErrorString = ApplicationVerificationFailed; LibMISErrorNumber = "-402620392"; SourceFileLine = 80; } Event Metadata: com.apple.dt.IDERunOperationWorkerFinished : { "device_identifier" = "00008132-0001786E22B9001C"; "device_isCoreDevice" = 1; "device_model" = "iPad16,4"; "device_osBuild" = "18.4 (22E240)"; "device_platform" = "com.apple.platform.iphoneos"; "device_thinningType" = "iPad16,4-A"; "dvt_coredevice_version" = "443.19"; "dvt_coresimulator_version" = "1010.10"; "dvt_mobiledevice_version" = "1784.102.1"; "launchSession_schemeCommand" = Run; "launchSession_state" = 1; "launchSession_targetArch" = arm64; "operation_duration_ms" = 1320; "operation_errorCode" = 14; "operation_errorDomain" = IXUserPresentableErrorDomain; "operation_errorWorker" = IDEInstallCoreDeviceWorker; "operation_name" = IDERunOperationWorkerGroup; "param_debugger_attachToExtensions" = 0; "param_debugger_attachToXPC" = 1; "param_debugger_type" = 3; "param_destination_isProxy" = 0; "param_destination_platform" = "com.apple.platform.iphoneos"; "param_diag_113575882_enable" = 0; "param_diag_MainThreadChecker_stopOnIssue" = 0; "param_diag_MallocStackLogging_enableDuringAttach" = 0; "param_diag_MallocStackLogging_enableForXPC" = 1; "param_diag_allowLocationSimulation" = 1; "param_diag_checker_tpc_enable" = 1; "param_diag_gpu_frameCapture_enable" = 0; "param_diag_gpu_shaderValidation_enable" = 0; "param_diag_gpu_validation_enable" = 0; "param_diag_guardMalloc_enable" = 0; "param_diag_memoryGraphOnResourceException" = 0; "param_diag_mtc_enable" = 1; "param_diag_queueDebugging_enable" = 1; "param_diag_runtimeProfile_generate" = 0; "param_diag_sanitizer_asan_enable" = 0; "param_diag_sanitizer_tsan_enable" = 0; "param_diag_sanitizer_tsan_stopOnIssue" = 0; "param_diag_sanitizer_ubsan_enable" = 0; "param_diag_sanitizer_ubsan_stopOnIssue" = 0; "param_diag_showNonLocalizedStrings" = 0; "param_diag_viewDebugging_enabled" = 1; "param_diag_viewDebugging_insertDylibOnLaunch" = 1; "param_install_style" = 2; "param_launcher_UID" = 2; "param_launcher_allowDeviceSensorReplayData" = 0; "param_launcher_kind" = 0; "param_launcher_style" = 99; "param_launcher_substyle" = 0; "param_runnable_appExtensionHostRunMode" = 0; "param_runnable_productType" = "com.apple.product-type.application"; "param_structuredConsoleMode" = 1; "param_testing_launchedForTesting" = 0; "param_testing_suppressSimulatorApp" = 0; "param_testing_usingCLI" = 0; "sdk_canonicalName" = "iphoneos18.4"; "sdk_osVersion" = "18.4"; "sdk_variant" = iphoneos; } System Information macOS Version 15.4.1 (Build 24E263) Xcode 16.3 (23785) (Build 16E140) Timestamp: 2025-04-29T17:51:27+07:00

Is it possible to change the Primary App ID set in the Group with an existing primary App ID to another Primary App ID within the same group If there is a change, whether the sub values of the token will be changed upon successful login If an app corresponding to the existing Group Primary App ID is deleted from the app store, ask whether or not other apps in the same group are affected and what effect it will have If anyone knows about the above, please let me know please

Hi Apple Developer Community, We have carefully reviewed the documentation on App Transfer and User Migration, but we still have a few unresolved questions regarding Apple Sign-In token behavior and testing strategies. Would appreciate any guidance! Token Behavior for Pre-Transfer App Versions After the app transfer: If a user logs in via an existing pre-transfer version of the app (published under Team A before transfer), will the Apple Sign-In token’s sub (or private email) switch to new value tie to Team B, or unchanged? This is critical for our user migration plan. Preserving sub Across Transfers (Internal Team Transfer) Since our app-transfer is an internal transfer (no change in app ownership outside our organization), is there a way to retain the original sub value（or private email） for users after the transfer? We are concerned that Apple Sign-In errors during the app transfer process may negatively impact user experience. Testing the Transfer Process Safely We’d like to simulate the app transfer and user migration process in a sandbox/test environment before executing it in production. Is there a way to test app transfers without affecting live users? (e.g., a staging mode for transfers) Thank you for your expertise! Any insights would be invaluable.

Hi everyone, I recently migrated my individual Apple Developer account to an Organization account for my company "". My Team ID remained the same. I'm now facing persistent issues with code signing and push notifications for my iOS app (Bundle ID: com.).
 Current Problems:
 "Untitled" Certificates in Xcode: When I go to Xcode -> Settings -> Accounts -> [My Apple ID] -> Select "" Team -> "Manage Certificates...", a number of my newly created Apple Development and Apple Distribution certificates are listed древ "Untitled". Some older ones are "Revoked". (See attached screenshot if possible).
 "No App ID" for Push Notifications Console: In my app target's "Signing & Capabilities" tab, I've added the "Push Notifications" capability. However, when I click the info button to open the "Push Notifications Console", it states: "no app IDs: Register an App ID with the Push Notifications capability enabled to use the Push Notifications console." This is despite the fact that the Push Notifications capability IS enabled for my App ID com. in the Developer Portal, and I've configured an APNs Auth Key (.p8) for it.
 Push Notifications Not Received (from Backend): While I can successfully send a test push notification directly from the Firebase Console to my device's FCM token, notifications triggered by my backend (Firebase Cloud Functions writing to a Firestore collection, which then triggers another function to send via FCM) are not being delivered to iOS devices. (Android seems to be working more reliably now).
 Setup: Using an APNs Authentication Key (.p8) linked to my Organization Team ID in Firebase Cloud Messaging. Main App ID com. has "Push Notifications" capability enabled. Notification Service Extension com..ImageNotification also has its App ID and Provisioning Profile set up for the Organization team. Created new Development and Distribution certificates and Provisioning Profiles specifically for the Organization team. Using "Automatically manage signing" in Xcode with the Organization team selected for both the main app target and the extension target.
 Troubleshooting Done: Revoked old/problematic certificates and profiles. Recreated CSRs and new Development/Distribution certificates under the Organization team multiple times. Recreated Provisioning Profiles. Cleaned Derived Data in Xcode. Ensured Bundle Identifiers are consistent. Verified APNs Auth Key details (Key ID, Team ID) in Firebase.
 I suspect there's a fundamental issue with how Xcode is recognizing or linking the signing assets for my Organization team after the account type change, despite the Team ID being the same. The "Untitled" certificates are a major red flag.
 Has anyone encountered similar issues, particularly the "Untitled" certificates or the "No App ID" message for the Push Console, after an account migration or when working with Organization accounts? Any insights on how to resolve this would be greatly appreciated.
 Thanks,
Benni

Subject: Questions Regarding Signing Certificates for MDM Configuration Profiles Dear all, I hope this message finds you well. I have some questions regarding the signing certificates used for MDM configuration profiles. Currently, our company uses an SSL certificate to sign MDM configuration profiles. However, with the announcement that the validity period of SSL certificates will gradually be shortened starting in 2026, we are considering alternative options for signing certificates. Through our internal testing and investigation, we have found examples of the following certificate chains being used: ・Developer ID - G1 (Expiring 02/01/2027 22:12:15 UTC) + Developer ID Application certificate chain ・Apple Root CA + Apple Worldwide Developer Relations Intermediate Certificate + MDM CSR certificate chain We would appreciate any insights or experiences you can share regarding the following points: Apple Support previously advised that "certificates issued by public certificate authorities (CAs) trusted by Apple" are recommended. The certificates listed at https://www.apple.com/certificateauthority/ are typically preinstalled on Apple devices. Are these considered "trusted public CAs" by Apple in this context? Is it acceptable in practice to use a certificate obtained from the “Certificates, Identifiers & Profiles” section on developer.apple.com for signing MDM configuration profiles? We would be grateful to hear about any real-world experiences. If the answer to question 2 is yes, which certificate type within “Certificates, Identifiers & Profiles” would be most appropriate for signing configuration profiles? If using certificates from question 2 is not suitable, are there alternative certificate types (other than SSL) that are valid for longer periods (e.g., more than one year) and appropriate for signing MDM configuration profiles? Apple's official documents do not seem to clearly specify what type of certificate should be used to sign MDM configuration profiles. If you know of any helpful documents or resources related to this topic, we would greatly appreciate it if you could share them. Thank you very much for your time and support. We would truly appreciate any advice or guidance you can provide.

I'm hoping to make certain in-house apps fail to launch by revoking the in-house certificate that they were built on. This is by way of encouraging users of these apps to download updates built on a new certificate. How long will it take app built on a now-revoked certificate to no longer launch? Also, what is Apple's process for checking the validity of an in-house certificate in an app built on that certificate, running on iOS devices? I understand that provisioning profiles have built-in expiration dates, but will an in-house app that's built on a valid provisioning profile keep running even on a revoked certificate if the revocation happened before the certificate's own expiration date? Craig Umanoff

Hello, my builds keep failing in Xcode Cloud at the creation of the archive for tesflight. I am receiving an email mentioning "ITMS-90035: Invalid Signature" TMS-90035: Invalid Signature - Code failed to satisfy specified code requirement(s). The file at path “BASELog.app/BASELog” is not properly signed. Make sure you have signed your application with a distribution certificate, not an ad hoc certificate or a development certificate. Verify that the code signing settings in Xcode are correct at the target level (which override any values at the project level). Additionally, make sure the bundle you are uploading was built using a Release target in Xcode, not a Simulator target. If you are certain your code signing settings are correct, choose “Clean All” in Xcode, delete the “build” directory in the Finder, and rebuild your release target. For more information, please consult https://developer.apple.com/support/code-signing. The thing is the archives which are not intended for testflight not App Store connect are not failing. I think I have the required distribution certificates (initially they were created by API for Xcode Icloud, I add 3, revoked them and recreated one manually and the other from Xcode directly) : even though certificats seems ok, in Xcode I see a dev certificate in the managed release and if I try to force a distribution certificate in the build I then get the following warning It looks like my managed profile is not behaving properly, like not embedding a distribution certificate. I looked on the web for the signing issues, and I have found in other threads an issue with assets having special charsets. I checked on my side, the only thing I see is my app icon is named "icon_v1.png" I assume it shouldn't be an issue. I dont see any special char anywhere else in the sources name. Anyone has any idea on what is causing those build fails on the archive?