Invalid code signing entitlements with app group on macOS

Anything on this page help? Since you say your iOS app works fine, it might be that you've got the wrong code signing identity against macOS.

None of the suggestions on that page helps. These are my code signing settings, which have never changed.

It mysteriously got resolved when I changed my code signing settings to sign manually with a local provisioning profile and then changed them back to automatic. While uploading the build to App Store Connect, I had to enter my password several times to access the certificate. This seems to be a bug in Xcode or macOS.

Wiping derived data, toggling code signing settings, etc. has not resolved this for me. Looks like this regressed in the past week or so.

I started getting this error too even though nothing had changed for me either.

These are the steps that I seem to have resolved it for me: I created a provisioning profile in my developer account, used this provisioning profile instead of the automatic signing (although it couldn't find a corresponding certificate), and then switched back to automatic signing in Xcode. I was prompted several times to enter my password, including during the archiving/uploading process, and then it finally worked when I submitted the build to App Store Connect.

Same issue here, suddenly started happening while I haven't changed anything from code signing side.

same here... 😭

Now I'm getting this error when I try to run my app from Xcode on an iOS device:

Unable to Install “<app name>”

Failed to verify code signature of /var/installd/Library/Caches/com.apple.mobile.installd.staging/temp.PIDzl9/extracted/<app name>.app : 0xe8008015 (A valid provisioning profile for this executable was not found.)

Please ensure sure that your app is signed by a valid provisioning profile.

If this issue persists, please attach the following when sending a report to Apple:

- A sysdiagnose from this Mac

- A sysdiagnose from the device failing installation

- An IPA of the app failing installation

And the solution to the "Unable to Install" error was to disable the App Sandbox in the build settings.

It mysteriously got resolved

App groups are more complicated than you might think. I have a bunch of backstory to this in App Groups: macOS vs iOS: Fight!.

Note that the story has changed in the last few days. I suspect that the action you took here caused Xcode to rebuild your distribution profile, resulting in a new profile that includes your app group in its allowlist.

The good news here is that, now that we fully support iOS-style app groups on macOS, we’ll see a lot fewer problems like this.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Yes, I noticed that I now no longer get the dialog about accessing files when launching my app in the development environment. I'm glad that's finally resolved.

Were you fully able to resolve this? I am seeing the same error when uploading my macOS app to the App Store.

I'm using the iOS-style App Group ID and I can certainly resolve the issue by prefixing the App Group with my Team ID. However, this is problematic because users with existing installations of my macOS app will have their data in the Group Container folder that uses the iOS-style App Group ID.

I'm using the Xcode managed Profile for the provisioning profile and I've inspected it and it does appear that the com.apple.security.application-groups key with value group.com.XXXX exists in there. I'm not sure what else I'm missing here or if iOS-style App Group IDs just no longer works?

With the very recent changes in the Developer website, to accommodate the changes in Xcode 15.3 beta, you should be able to resolve this by creating a new provisioning profile. I’m not sure Xcode 16.2 knows that it can fix this for you. My advice is that you manually create a profile to confirm that things are working as required. Once you’ve done that, you just need to find a way to force Xcode to create a new profile for you (-:

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi DTS Engineer,

Thanks for your input. I have a couple of questions regarding your advice:

• Did you mean Xcode 16.3 beta instead of Xcode 15.3 beta?
• Could you please provide a more detailed solution or workaround? I have a single app targeting iPhone, iPad, and Mac Catalyst, and when I try to upload the Mac archive, I encounter the error. Any further guidance would be greatly appreciated.

Thanks in advance!

Did you mean Xcode 16.3 beta instead of Xcode 15.3 beta?

Yes. Version numbers are hard, apparently )-: Sorry about the confusion.

Could you please provide a more detailed solution or workaround?

All of those platforms have supported iOS-style app group IDs for a long time. I’m not 100% sure why you’re having problems, but I suspect it’s because Xcode 16.2 is using old state. Have you tried re-creating the provisioning profile for the Mac side of your app?

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

The problem for me seems to be related to the app extensions and plugins bundled with my Mac app, such as an App Intents extension and a Widgets extension.

The embedded.provisionprofile generated by Xcode for the Mac app itself correctly contains the com.apple.security.application-groups entitlement for my iOS style prefixed group. However, all the related extensions do not, and this is what Xcode is throwing an error about when uploading.

When building the same app for iOS, the com.apple.security.application-groups entitlement is correctly included in the embedded.mobileprovision files of the extensions.

I've tried this with Xcode 16.2 using automatically managed signing. I haven't had the chance to try this with the 16.3 beta yet. Perhaps that version fixes how the provisioning profiles are created.

After trying with both the release and beta version of Xcode and still getting the error I tried one of my older archives that have previously uploaded without error.

I expected the error to be about this build already having been uploaded, but instead it was this invalid code signing error for app-groups on my 3 bundled app extensions.

This makes me think it is a server-side issue.

Hello, I encountered the same issue. When I build my macOS application and upload it to the developer site for review, this error occurs. I tried uploading the package that was successfully uploaded before, but the issue still persists. Have you been able to resolve it?

I had to create a new profile for mac os build at the website, and import the downloaded profile into xcode. I know this is just a stopgap, but totally inconvenient...

anyway, it worked.

hope the new xcode will fix this mess.

This makes me think it is a server-side issue.

I don’t think that’s the case, but it’s easy to test this theory:

1. On the Developer website, add the app group to your App ID.

2. Then generate a new macOS provisioning profile for that App ID.

3. And download it.

4. Then examine that profile [1].

When I did this the profile included my iOS-style app group in its allowlist.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] You can probably just Quick Look it, but if you want all the details then see the commands in TN3125 .

Same issue here.

Invalid code signing entitlements. Your application bundle’s signature contains code signing entitlements that aren’t supported on macOS. Specifically, the “[TeamID.mydomain, group.mydomain]” value for the com.apple.security.application-groups key in “mydomain.pkg/Payload/MyApp.app/Contents/MacOS/MyApp” isn’t supported. This value should be a string or an array of strings, where each string is the “group” value or your Team ID, followed by a dot (“.”), followed by the group name. If you're using the “group” prefix, verify that the provisioning profile used to sign the app contains the com.apple.security.application-groups entitlement and its associated value(s).

My macOS App contains two group "group.mydomain" and "TeamID.mydomain". Last release version, Xcode uploading works, but today Xcode send me the "Validation failed" error.

Even I Validate my last release version in Xcode Organizer, it returns the same error.

I have try the manual provisioning profile, it does not works. Maybe it's a server-side validation issue.

When I did this the profile included my iOS-style app group in its allowlist.

This seems to be correct. So, the actual issue seems to be that Xcode managed signing does not generate the correct provisioning profiles for app extensions, because it doesn't include iOS-style app groups in the profile. This is broken in Xcode 16.2 and 16.3 beta.

This recently became an issue because App Store Connect started to reject builds without the 'correct' provisioning profiles. So now the only way to create a build with the correct profile is to generate the profile manually.

So the way I see it, this is an issue that needs to be fixed in Xcode. In the meantime, developers running into this should work around the issue by creating manual provisioning profiles. (Of course, ideally ASO would stop rejecting the builds that use auto-signing until this is fixed, but that's beyond the scope of this thread I guess.)

I've been stuck on this for two days now. Specifically, I have two Mac (non-Catalyst) targets bundled with my Mac Catalyst app and these fail on submission with the same error everyone else is seeing.

First, I tried generating manual provisioning profiles with the application-group entitlement added. Archive works but submitting to ASC fails with the same error as before.

Second, I installed the Xcode 16.3 beta, toggled "Automatically manage signing" off and on, and then deleted and re-added the App Group capability. This finally updated my Xcode Managed Profiles to include the application-group entitlement. However, submitting to ASC still fails (I tried archiving and submitting with both Xcode 16.3 and 16.2).

I'm not sure what else to try at this point.

Our team also has been stuck on this problem, so the new release has been blocked. It's been completely fine until 20th Feb. Recreating provision profile didn't help. In the entitlement, there are only "group.xxx" so we are using 100% iOS style app groups but server rejects my upload with the error stated in this thread.

Can this issue be escalated somehow and help us going forward?