You can now easily request access to managed capabilities for your App IDs directly from the new Capability Requests tab in Certificates, Identifiers & Profiles > Identifiers. With this update, view available capabilities in one convenient location, check the status of your requested capabilities, and see any notes from Apple related to your requests. Learn more about capability requests.

General: Forums topic: Code Signing Forums subtopics: Code Signing > General, Code Signing > Certificates, Identifiers & Profiles, Code Signing > Notarization, Code Signing > Entitlements Forums tags: Code Signing, Signing Certificates, Provisioning Profiles, Entitlements Developer Account Help — This document is good in general but, in particular, the Reference section is chock-full of useful information, including the names and purposes of all certificate types issued by Apple Developer web site, tables of which capabilities are supported by which distribution models on iOS and macOS, and information on how to use managed capabilities. Developer > Support > Certificates covers some important policy issues Bundle Resources > Entitlements documentation TN3125 Inside Code Signing: Provisioning Profiles — This includes links to the other technotes in the Inside Code Signing series. WWDC 2021 Session 10204 Distribute apps in Xcode with cloud signing Certificate Signing Requests Explained forums post --deep Considered Harmful forums post Don’t Run App Store Distribution-Signed Code forums post Resolving errSecInternalComponent errors during code signing forums post Finding a Capability’s Distribution Restrictions forums post Signing code with a hardware-based code-signing identity forums post New Capabilities Request Tab in Certificates, Identifiers & Profiles forums post Isolating Code Signing Problems from Build Problems forums post Investigating Third-Party IDE Code-Signing Problems forums post Determining if an entitlement is real forums post Code Signing Identifiers Explained forums post Mac code signing: Forums tag: Developer ID Creating distribution-signed code for macOS documentation Packaging Mac software for distribution documentation Placing Content in a Bundle documentation Embedding nonstandard code structures in a bundle documentation Embedding a command-line tool in a sandboxed app documentation Signing a daemon with a restricted entitlement documentation Defining launch environment and library constraints documentation WWDC 2023 Session 10266 Protect your Mac app with environment constraints TN2206 macOS Code Signing In Depth archived technote — This doc has mostly been replaced by the other resources linked to here but it still contains a few unique tidbits and it’s a great historical reference. Manual Code Signing Example forums post The Care and Feeding of Developer ID forums post TestFlight, Provisioning Profiles, and the Mac App Store forums post For problems with notarisation, see Notarisation Resources. For problems with the trusted execution system, including Gatekeeper, see Trusted Execution Resources. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"

I submitted a Family Controls Distribution entitlement request on April 21, 2026 for my app Dopfast. I also resubmitted on April 29, 2026. I received the confirmation page both times but have not received any approval, rejection, or status update. I contacted Developer Support (Case #102879238806) and was told the request is handled by another team and they cannot check the status. Details: Team ID: HSJ6KB4WEZ App: Dopfast (digital wellbeing / screen time management) Bundle ID: com.dopfast Purpose: #2 — individual device management for focus and productivity (personal screen time tracking and app blocking) This entitlement is the only remaining blocker for our App Store submission. The app is fully built and ready to ship. Has anyone experienced similar delays recently? Is there a recommended way to expedite this request?

I am experiencing an issue with Apple Development certificate creation in Xcode for my organization account. Account details: Organization: Jtecx LLC Team ID: 8V397ULNY4 Issue: When I attempt to create a new Apple Development certificate in Xcode under the Jtecx LLC (8V397ULNY4) team, the certificate is consistently generated under a different team: Apple Development: Joseph Salmond (67P4AAZ5TA) This appears to be my personal team, not the organization team. Impact: Because of this mismatch: Provisioning profiles created under 8V397ULNY4 cannot find a matching signing certificate Xcode shows “Signing Certificate: None” Xcode reports that the provisioning profile does not include the signing certificate I am unable to run or test the app on physical devices due to signing failures Troubleshooting performed: Deleted all Apple Development certificates from Keychain Access Revoked existing Apple Development certificates in the Apple Developer Portal Created a new Certificate Signing Request (CSR) using Keychain Access Generated a new Apple Development certificate through the Apple Developer portal Downloaded and installed the certificate into Keychain Attempted certificate creation via Xcode (Settings → Accounts → Manage Certificates → + → Apple Development) Verified installed identities using Terminal (security find-identity) Confirmed that only the following development identity is being created: Apple Development: Joseph Salmond (67P4AAZ5TA) Deleted this identity and repeated the process multiple times Recreated provisioning profiles after generating new certificates Downloaded and installed new provisioning profiles Attempted both manual signing and “Automatically manage signing” in Xcode Revoked certificates directly from Xcode and allowed Xcode to regenerate them Confirmed that Apple Distribution certificates are correctly issued under 8V397ULNY4 Despite all of the above steps, every new Apple Development certificate continues to be created under Team ID 67P4AAZ5TA instead of 8V397ULNY4. Expected behavior: When creating an Apple Development certificate while the Jtecx LLC (8V397ULNY4) team is selected, the certificate should be issued under that same team: Apple Development: Joseph Salmond (8V397ULNY4) Requested fix: Please investigate and correct the team association so that: Apple Development certificates are generated under the correct team (8V397ULNY4) is properly associated with the Jtecx LLC developer team for certificate issuance Xcode correctly creates and uses development certificates for the organization team Additional notes: Apple Distribution certificates are working correctly under 8V397ULNY4 Only Apple Development certificates are affected This issue is blocking local development and testing on physical devices Thank you.

I have a macOS app (a background daemon) that I distribute outside the App Store as a .pkg installer. My build process is: Build the app (xcodebuild archive) Sign the app with Developer ID Application Package it with pkgbuild, signed with Developer ID Installer Notarize with notarytool Staple with stapler This works perfectly on my local machine using custom build_pkg.sh. I'm trying to automate this in Xcode Cloud using a ci_post_xcodebuild.sh script so a new build is triggered whenever I push to git repository. The problem is: • security find​-identity shows 0 valid identities in the post-build script environment • The archived app has Signature​=adhoc (no Developer ID signing) • pkgbuild can't sign the .pkg without a Developer ID Installer certificate • Notarization rejects everything because nothing is signed with Developer ID My question: Is there any way to make Developer ID certificates available in Xcode Cloud's post-build scripts? Or is Xcode Cloud only designed for App Store distribution, and I need to use a different CI (like GitHub Actions) for Developer ID / notarized .pkg workflows? Are there other ways to trigger creation of notarized pkg files whenever I push to GitHub?

A signed DriverKit extension fails OSSystemExtensionRequest activation on macOS 26.4.1. The user-facing error is OSSystemExtensionErrorDomain code 4 ("Extension not found in App bundle") — but the dext is in the bundle, the identifier matches, and sysextd confirms it received the request: sysextd: [com.apple.sx:XPC] client activation request for com.arqitekta.bluefield.rshim.driver sysextd: attempting to realize extension with identifier com.arqitekta.bluefield.rshim.driver …and then nothing further. systemextensionsctl list reports 0 extensions. Question: Which log subsystem/category surfaces the kernel-side reason that sysextd aborts after "attempting to realize"? com.apple.sx only shows the request was accepted; whatever vetoes the realize step isn't in that subsystem (or isn't at info/debug level). Is there a separate predicate for the kernelmanagerd / dext-loading path I should be capturing? Environment: macOS 26.4.1 (25E253), Apple Silicon Mac Studio Xcode 26.2 (17C52), DriverKit SDK 25.2 SIP disabled, systemextensionsctl developer on Apple Developer Program, signed "Apple Development: …" DriverKit entitlement request 264CFJJU36 approved; profile includes com.apple.developer.driverkit, allow-any-userclient-access, transport.pci Already verified: Dext at Contents/Library/SystemExtensions/RshimDriver.dext CFBundleIdentifier matches the request, CFBundlePackageType=DEXT codesign --verify --deep --strict passes on app + dext embedded.provisionprofile parses, contains the expected entitlements Three IOKitPersonalities (BF2 / BF2-alt / BF3) using Apple's placeholder IOPCIPrimaryMatch Installer app entitled with com.apple.developer.system-extension.install only spctl -a -vv on the dext reports "rejected" — expected for development signing, should be bypassed under developer mode Minimal repro: https://github.com/jfabienke/bluefield-macos-toolkit/tree/dev-stub-entitlements/rshim-dext — build.sh produces the failing app dext. Captured artefacts (build output, embedded profile dump, signing report, repro shell script) under rshim-dext/dts-artifacts/. Looking for either (a) the right log show predicate to find the actual refusal reason, or (b) an environmental requirement on macOS 26 I'm missing.

My app's notarization progress is stuck. ID: aa61b008-a329-4e31-bb23-648029510e36 Forum mod DTS Engineer gives "copy-paste" answers to every user who has this problem.

I have 2 Notarisation stuck for nearly 24 hours oth submission UUIDs: b78aa323-9993-40fd-a510-4fff5e989e8f and 952714cb-3a59-4caa-9343-674ca7dd86d4 Team ID 6A754AWMJB This is a Developer ID distribution (not App Store)

Hi, I have an approved com.apple.developer.family-controls entitlement for my main app bundle (com.maxflame.prove-it) and submitted a request on April 18, 2026 to extend it to an embedded extension: com.maxflame.prove-it.DeviceActivityMonitorExtension Request ID: 65CKJZ7DQ4 — status still shows "Submitted" with no further response. The extension uses DeviceActivity callbacks and needs to decode FamilyActivitySelection, which requires the entitlement on the extension bundle as well. In my experience, Family Controls entitlement approvals for the main app bundle have come through within 24 hours. It's now been 5 days with no response for this extension request, which seems unusual. Has anyone else gone through this for extension bundle IDs? Did you need to submit a separate request per bundle, or did Apple extend the approval to your extensions automatically once the main app was approved? And has anyone else experienced longer wait times specifically for extension bundles? Any guidance appreciated.

Dear Apple Support, sometimes we observe exit code 68 in stapling via xcrun stapler staple <pkg_file.pkg> The notarization went fine but then stapling does not work. The output for the last ast failed launch looks like Error Domain=NSURLErrorDomain Code=-1001 "The request timed out." UserInfo={_kCFStreamErrorCodeKey=-2102, NSUnderlyingError=0x60000363c7b0 {Error Domain=kCFErrorDomainCFNetwork Code=-1001 "(null)" UserInfo={_kCFStreamErrorCodeKey=-2102, _kCFStreamErrorDomainKey=4}}, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <4F2E1620-9251-4525-91E7-C5F3E3681CD0>.<1>, _NSURLErrorRelatedURLSessionTaskErrorKey=( "LocalDataTask <4F2E1620-9251-4525-91E7-C5F3E3681CD0>.<1>" NSLocalizedDescription=The request timed out., NSErrorFailingURLStringKey=https://api.apple-cloudkit.com/database/1/com.apple.gk.ticket-delivery/production/public/records/lookup, NSErrorFailingURLKey=https://api.apple-cloudkit.com/database/1/com.apple.gk.ticket-delivery/production/public/records/lookup, _kCFStreamErrorDomainKey=4} CloudKit's response is inconsistent with expections: (null) As per manual of stapler and sysexit(3) the exit code means EX_NOHOST (68) The host specified did not exist. This is used in mail addresses or network requests. Make a retry sense or is there any other things which is not set correctly at that time? What is your suggestion to avoid this failure and stabilizing our automation of notarization? Best ergards, Stefan

Hello, I have been hitting status code 7000 on every notarization submission since April 21, 2026. The notable detail: earlier submissions on April 18 and April 20 from the same team were Accepted normally. Whatever flag flipped between April 20 and April 21 is on the notary side, because nothing changed on my end. Team details Team ID: ZS76A62WJ4 Organization: KENOPA LTD (UK private limited company) Role: Account Holder Apple Developer Program: Active until April 17, 2027 Apple Developer Program License Agreement: accepted April 16, 2026 Paid Apps Agreement, Free Apps Agreement: both Active in App Store Connect W-8BEN-E and banking: Active Certificate Type: Developer ID Application Identity: "Developer ID Application: KENOPA LTD (ZS76A62WJ4)" Valid through 2027-02-01, full chain trusted App details Platform: macOS (native AppKit, Objective-C, no Electron) Hardened runtime: enabled Code signing passes verify and strict checks Sandbox: not used (Developer ID distribution outside the App Store) Submission history (Team ID ZS76A62WJ4) Accepted submissions: 2026-04-18 10:00 UTC 39856e43-... 2026-04-18 10:03 UTC 3edf2f4f-... 2026-04-18 10:25 UTC 858c52e7-... 2026-04-20 17:17 UTC 4766f3ce-... 2026-04-21 03:58 UTC 9eed3336-... 2026-04-21 05:44 UTC b759941f-... Then everything since flips to Rejected with code 7000: 2026-04-21 19:10 UTC bedc99ad-... 2026-04-21 20:24 UTC 4dbb55f0-... 2026-04-22 07:36 UTC 50e1420e-... 2026-04-24 04:11 UTC 7e4adf81-... 2026-04-25 04:31 UTC 4c0367ea-... 2026-04-25 08:02 UTC a3ce5f56-... (still In Progress at the time of posting) I can paste the full submission IDs in a follow-up if helpful. Sample notary log The body of every Rejected log is the same: status: Rejected statusCode: 7000 statusSummary: "Team is not yet configured for notarization. Please contact Developer Programs Support..." Submissions all upload successfully, sit "In Progress" for hours-to-days, then flip to Rejected with this code. What I have verified All four agreements (Apple Developer Program License, Apple Developer Agreement, Paid Apps, Free Apps) are accepted and Active. Re-checked under the Account Holder login on both portals. Banking and W-8BEN-E are Active. Developer ID Application, Apple Distribution, and Apple Development certificates are all valid and the private keys import cleanly. App Store Connect API key works (notarytool history returns the full list with no auth errors). Same codesign invocation, same notarytool submit flags, same hardened runtime entitlements that worked on April 18-20 still produce the rejection on April 21+. Existing support channels Opened a support ticket via the developer contact form under "Development and Technical / Other Development or Technical Questions" (the exact path the error message specifies). Also emailed Developer Programs separately. Question Has anyone with the same "was working, then suddenly 7000 with no other change" pattern had it resolved? I am aware that DTS engineers have stated on this forum that they cannot escalate this. I am trying to get a sense of: Typical resolution time once a Developer Programs case is open (reports range from days to two-plus months). Whether anyone has found a particular wording of the support request that gets routed faster. Whether the Account Holder doing anything specific in the portal (re-accepting an agreement, toggling something in Membership, etc.) ever cleared this for someone. Thanks.

Hi all, I'm submitting a Developer ID-signed, hardened-runtime app for notarization. Every submission returns: "statusCode: 7000 statusSummary: Team is not yet configured for notarization. Please contact Developer Programs Support..." Team ID: V67NRZ84A2. Apple Developer membership is active, Developer ID Application certificate is valid, signing/verification all clean. Already opened a support case last week via the recommended path. The "contact page" on the developer site said Apple usually responds within 2 business days.... Has anyone hit this and gotten it resolved? How long did it take, and was there a more effective channel than the standard support form? I've seen people on Reddit claim they've actually been able to call a Developer phone line, but I haven't seen a valid phone number anywhere. I appreciate your response!

Hi, I have two notarization submissions stuck "In Progress" for over 18 hours. This is my first time notarizing on this Developer ID account. Submission 1: c1ae7112-79d9-4ada-92a8-bcf87930b5a3 (submitted ~24 hours ago) Submission 2: e201629a-35ef-48a9-b6c4-efbdeecee839 (submitted ~12 hours ago) Team ID: PH4PLAN782 Bundle ID: com.SoundHawkStudio.ComboDyn Type: macOS Audio Unit plugin (.component), universal binary (x86_64 + arm64), Developer ID Application signed, hardened runtime enabled. I have also filed support case 102876329587. Both submissions remain In Progress with no transition to Accepted or Invalid. Any assistance would be greatly appreciated.

Posting another data point in case it helps the team see the pattern. First-time notariser, Apple Developer Team ID Q9LV8L6XZ9. Four submissions (all Ping.zip, Electron app, arm64, hardened runtime, signed with Developer ID Application) submitted yesterday between 19:13 and 20:27 UTC. All still In Progress 19 hours later with no state change whatsoever. Submission IDs: 3861f4af-ec5e-47f9-93c7-d1583ba98863 c5b200a0-5c13-41cf-8376-83eab8d9afe4 cda1991e-1779-4d1d-9448-d464e64e930a 4f374650-4343-4aa8-8afe-03b150dd52b9 xcrun notarytool log <id> returns "Submission log is not yet available" for every one of them — so Apple hasn't produced any analysis output, successful or not. I appreciate that "in-depth analysis" can take longer for first-time uploads, but 19+ hours on four identical submissions with zero progress looks less like deep analysis and more like the jobs are stuck. Is there anything on the account/team-ID side that might be blocking them from entering the analysis pipeline? Happy to provide anything else that would help.

Hey everyone, Just enrolled in the Apple Developer Program yesterday and tried to notarize my first macOS app. I submitted via notarytool and the submission has been sitting at "In Progress" for over 22 hours now. I've submitted twice and both are stuck. The app is a macOS utility built with PyInstaller. I signed it with my Developer ID Application cert, enabled hardened runtime, added a secure timestamp, and included the appropriate entitlements. Everything looked fine on my end. When I query with notarytool info it just says status: In Progress. No rejection email, no acceptance email, nothing. Is this a known issue for first-time submissions? Or is there something specific about PyInstaller apps that causes this? Submission IDs if anyone from Apple is reading this: b512bd92-7eca-4975-823e-9561d5c2ad63 f90cd69f-cf36-4762-bcda-0d0b047d5f49 Already filed a support ticket but wanted to check here too.

Hi, I have a notarization submission that has been stuck in "In Progress" for over 26 hours with no resolution. Apple's system status page shows no incident for the Developer ID Notary Service. Submission details: Submission ID: 23dc147c-6355-49a8-8ebf-78ae40ba19a3 Team ID: 5DX9FFYJHV App: Chakra Browser (Chromium-based, arm64, macOS) Bundle ID: com.chakra.Browser.development Submitted: 2026-04-22 at 19:09 UTC Current status: In Progress I also have two earlier submissions for the same app that are stuck in the same state: 23fe6ea2-325b-4ae8-84a4-4f913e7d3aea (submitted ~17:58 UTC, same day) 943e737a-1c45-468d-ae6b-1ef7358fc1a5 (submitted ~18:32 UTC, same day) The app is signed with a valid Developer ID Application certificate. The zip is ~243 MB (738 MB app bundle). Entitlements used: com.apple.security.cs.allow-jit, com.apple.security.cs.allow-unsigned-executable-memory, com.apple.security.cs.disable-library-validation. These are standard for Chromium-based browsers. xcrun notarytool log returns "Submission log is not yet available" for all three submissions, so there is no error output to share. Has anyone seen notarization stuck this long without a reported service incident? Is there anything I can do to get these unblocked, or do I need to file a TSI? Thanks

Firstly - I didn't want to post here but my attempts at support call service and support submit issue service BOTH returned errors to me upon 'send'/'submit'. Maybe this is linked to my post below. So, here's another one to add to the list of recent (stuck/fail) posts: I'm unable to get any notarization submissions processed. Over the past 24 hours I've submitted 10+ builds of my macOS app and every submission remains at "In Progress" indefinitely — none have completed. To isolate the issue, I submitted a minimal test app (a single "Hello World" binary, ~50KB zip) using the same Developer ID certificate and API key credentials. That submission is also stuck at "In Progress," which suggests the issue is account-level rather than app-specific. What I've ruled out: Network issues (tested on multiple networks, all VPN/network extensions disabled) Authentication method (tested both app-specific password and App Store Connect API key) Code signing (signatures verify locally; one earlier submission did return "Invalid" with actionable errors, confirming the service can process my submissions) The Apple Developer System Status page shows all services as available. Could you please look into whether there's a processing issue or hold on my account's notarization queue? Submission IDs (all stuck at "In Progress"): 20e4c082-b682-4135-a85e-3f17280b0085 (minimal test app, 2026-04-23T07:03 UTC) 81835570-8a2c-462c-8d5a-bd25733a17c3 (2026-04-23T06:55 UTC) 5b7f337e-3e3f-4502-9fde-0a625a2061e7 (2026-04-23T03:38 UTC) bebe35f3-2944-40de-9caf-1c43b68986bb (2026-04-23 ~04:00 UTC) 3c010292-10d7-4cfc-80e3-8bdb4cdae669 (2026-04-23 ~04:30 UTC) a5ca8b1c-91c1-48db-a78a-9e4fd83fe27f (2026-04-23T03:38 UTC) 937f7a3c-435a-4b00-b5b5-7330b80855d4 (2026-04-23T01:59 UTC) 61af2ba4-f136-4993-a8fc-9cd18021fbb5 (2026-04-23T03:10 UTC) b1b7769a-9f1c-4d2b-b1f0-3224808cc901 (2026-04-23T00:12 UTC) 74653d5c-2edf-47b4-9cf3-1e8d33630f6b (2026-04-22T13:27 UTC) 961af655-30e3-44d3-a01b-1c69f5bccfa6 (2026-04-22T12:54 UTC) Thank you!

Hi, I’m requesting investigation of two CtxVault notarization submissions that have remained "In Progress" well past 24 hours. Team ID: DCY4ZS6CS6 App / archive: CtxVault.zip Platform: macOS direct distribution Pending submissions: e2f25e8c-8bf6-44e6-8e60-24b22467b7e6 — created 2026-04-22T12:50:04.988Z — still In Progress 1f41ff2d-cf61-4509-beba-3389f4496ba7 — created 2026-04-22T12:40:23.167Z — still In Progress Context: This is a new Developer ID release path for a personal team. Earlier submissions were Invalid due to unsigned nested Mach-O files inside a bundled Python runtime. That issue was corrected before the two pending submissions above. The current app is signed with Developer ID Application, hardened runtime, and secure timestamps. Local validation passes: codesign --verify --deep --strict spctl assessment on the signed app notarytool accepts the upload and returns submission IDs, but the submissions do not complete and no log is yet available. Earlier invalid submission for context: b4e665a0-98eb-4b92-b44c-58a0a2c6122e Could someone from Apple please confirm whether this team is stuck in queue or under extended review, and whether any team-side provisioning or backend action is needed? I am intentionally not creating more duplicate submissions while these corrected jobs remain pending. Thanks.

Hi, I have two xcrun notarytool submissions stuck in status: In Progress for over 60 hours. Hoping an Apple engineer can take a look, or confirm whether there is an ongoing notarization service incident. Submissions Submission A: 55c155c2-0df9-4157-b2c1-b3510c453b22 Submission B: 06926b24-3e76-4d14-b5f1-2083f0d9dae9 Team ID: 4CXZ4H3C2R Both submitted: 2026-04-21 Both still return status: In Progress at 60+ hours No result email received from Apple xcrun notarytool log <UUID> returns "The log is not yet available" Environment macOS 15 Sequoia Xcode 16.x command-line tools (notarytool 1.x) Developer ID Application certificate, SHA-1 70:86:EB:14:E4:C5:AA:71:2F:C5:3D:A4:3F:E8:79:DE:32:CE:B3:42, valid through 2031-04-20 Hardened Runtime enabled Standard notarization workflow from the same dev environment that has processed previous releases successfully Notarized artifact: single DMG, ~120 MB What I have already tried Apple Developer Support case #102874171230 — opened 2026-04-21. Rep replied 3x suggesting Forums + Feedback Assistant (hence this post). Feedback Assistant FB22576862 — filed 2026-04-22 under Developer Tools > App Notarization > Incorrect/Unexpected Behavior, with attached notarytool poll log showing sustained In Progress. Code-level support request (DTS) — form routes this class of issue out to these Forums (no submit path for notarization service queue issues). Reviewed other Forums threads on similar symptoms from March-April 2026 — multiple teams reporting the same pattern. Asking Can any Apple engineer cross-reference UUIDs A and B against the notarization backend queue state? Is there an ongoing service incident affecting these submissions? Is it safe to resubmit, or will that create duplicate queue entries? Thank you.

Hi, I have an approved com.apple.developer.family-controls entitlement for my main app bundle (com.maxflame.prove-it) and submitted a request on April 18, 2026 to extend it to an embedded extension: com.maxflame.prove-it.DeviceActivityMonitorExtension Request ID: 65CKJZ7DQ4 — status still shows "Submitted" with no further response. The extension uses DeviceActivity callbacks and needs to decode FamilyActivitySelection, which requires the entitlement on the extension bundle as well. In my experience, Family Controls entitlement approvals for the main app bundle have come through within 24 hours. It's now been 5 days with no response for this extension request, which seems unusual. Has anyone else gone through this for extension bundle IDs? Did you need to submit a separate request per bundle, or did Apple extend the approval to your extensions automatically once the main app was approved? And has anyone else experienced longer wait times specifically for extension bundles? Any guidance appreciated.

Hi all, and particularly @Eskimo if you spot this — I believe I'm reproducing the backend issuance bug reported in thread 816377 (https://developer.apple.com/forums/thread/816377) on a different Team ID and would like a second pair of eyes before I burn a TSI. Feedback Assistant filed as FB22582333. Team ID: MCN4U9B2K4 · Bundle ID: com.michaeltocco.Sanbox · Xcode 17 · iOS 18.5 · Automatic signing Setup App ID com.michaeltocco.Sanbox has ShazamKit ticked in App Services; persists through portal reloads. Local entitlements file declares com.apple.developer.shazamkit = YES only (no MusicKit client entitlement, per DTS guidance in thread 799000: https://developer.apple.com/forums/thread/799000). CODE_SIGN_ENTITLEMENTS set in both Debug and Release XCBuildConfiguration buildSettings. NSMicrophoneUsageDescription and NSAppleMusicUsageDescription are both present in the generated Info.plist. What Xcode reports After wiping DerivedData and any Sanbox-matching profiles and running xcodebuild … -allowProvisioningUpdates -destination 'generic/platform=iOS': error: Entitlement com.apple.developer.shazamkit not found and could not be included in profile. This likely is not a valid entitlement and should be removed from your entitlements file. (in target 'Sanbox' from project 'Sanbox') What I verified on the profile Apple just issued $ security cms -D -i 0596f302-….mobileprovision | plutil -extract Entitlements xml1 -o - - shows only the baseline four entitlements — application-identifier, keychain-access-groups, get-task-allow, com.apple.developer.team-identifier. com.apple.developer.shazamkit is absent, which is exactly what thread 816377 describes. What I've already tried Deleted and recreated the App ID from scratch — same symptom. Performed the capability-toggle trick (uncheck ShazamKit → Save → wait 60s → re-check → Save → delete local profiles → rebuild) documented in the "Capability & entitlement updates" help page (https://developer.apple.com/help/account/reference/capability-entitlement-updates/) for the Game Center precedent — same symptom. Confirmed I am building for device, not Simulator. Confirmed the entitlement key name matches DTS guidance in thread 799000 and the live profile dumps in thread 816377. Runtime confirmation When I force a build with only the team wildcard profile, SHManagedSession().result() returns com.apple.ShazamKit Code=202 "Missing entitlements", wrapping an AMS 306 wrapping HTTP 401 from api.shazam.apple.com/v1/catalog/US/match. AMS server correlation key: E5VYL5YSUT4L55KQDDP4MJQAZE. So the server side is consistent: the token the client presents lacks ShazamKit scope because the binary doesn't carry the entitlement, and the binary doesn't carry it because Apple isn't issuing it into the profile. Question Is there a configuration step beyond "tick ShazamKit in App Services" that I've missed for Individual-program accounts, or is this the same backend issuance pathology as thread 816377? Happy to share the security cms output, the decoded plist, the build log, or anything else useful. Thanks.

This issue keeps cropping up on the forums and so I decided to write up a single post with all the details. If you have questions or comments: If you were referred here from an existing thread, reply on that thread. If not, feel free to start a new thread. Use whatever topic and subtopic is appropriate for your question, but also add the Entitlements tag so that I see it. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" Determining if an entitlement is real In recent months there’s been a spate of forums threads involving ‘hallucinated’ entitlements. This typically pans out as follows: The developer, or an agent working on behalf of the developer, changes their .entitlements file to claim an entitlement that’s not real. That is, the entitlement key is a value that is not, and never has been, supported in any way. Xcode’s code signing machinery tries to find or create a provisioning profile to authorise this claim. That’s impossible, because the entitlement isn’t a real entitlement. Xcode reports this as a code signing error. The developer misinterprets that error [1] in one of two ways: As a generic Xcode code signing failure, and so they start a forums thread asking about how to fix that problem. As an indication that the entitlement is managed — that is, requires authorisation from Apple to use — and so they start a forums thread asking how to request such authorisation. The fundamental problem is step 1. Once you start claiming entitlements that aren’t real, you’re on a path to confusion. Note If you’re curious about how provisioning profiles authorise entitlement claims, read TN3125 Inside Code Signing: Provisioning Profiles. There are a couple of ways to check whether an entitlement is real. My preferred option is to create a new test project and use Xcode’s Signing & Capabilities editor to add the corresponding capability to it. Then look at what Xcode did. You might find that Xcode claimed a different entitlement, or added an Info.plist key, or did nothing at all. IMPORTANT If you can’t find the correct capability in the Signing & Capabilities editor, it’s likely that this feature is available to all apps, that is, it’s not gated by an entitlement or anything else. Another thing you can do is search the documentation. The vast majority of real entitlements are documented in Bundle Resources > Entitlements. IMPORTANT When you search for documentation, focus on the Apple documentation. If, for example, you search the Apple Developer Forums, you might be mislead by other folks who are similarly confused. If you find that you’re mistakenly trying to claim a hallucinated entitlement, the fix is trivial: Remove it from your .entitlements file so that your app starts to build again. Then add the capability using Xcode’s Signing & Capabilities editor. This will do the right thing. If you continue to have problems, feel free to ask for help here on the forums. See the top of this post for advice on how to do that. [1] Xcode 26.2, currently being seeded as Release Candidate, is much better about this (r. 155327166). Give it a whirl! Commonly Hallucinated Entitlements This section lists some of the more commonly hallucinated entitlements: com.apple.developer.push-notifications — The correct entitlement is aps-environment (com.apple.developer.aps-environment on macOS), documented here. There’s also the remote-notification value in the UIBackgroundModes property. com.apple.developer.in-app-purchase — There’s no entitlement for in-app purchase. Rather, in-app purchase is available to all apps with an explicit App ID (as opposed to a wildcard App ID). com.apple.InAppPurchase — Likewise. com.apple.developer.storekit — Likewise. com.apple.developer.in-app-purchase.non-consumable — Likewise. com.apple.developer.in-app-purchase.subscription — Likewise. com.apple.developer.app-groups — The correct entitlement is com.apple.security.application-groups, documented here. And if you’re working on the Mac, see App Groups: macOS vs iOS: Working Towards Harmony. com.apple.developer.background-modes — Background modes are controlled by the UIBackgroundModes key in your Info.plist, documented here. UIBackgroundModes — See the previous point. com.apple.developer.voip-push-notification — There’s no entitlement for this. VoIP is gated by the voip value in the UIBackgroundModes property. com.apple.developer.family-controls.user-authorization — The correct entitlement is com.apple.developer.family-controls, documented here. IMPORTANT As explained in the docs, this entitlement is available to all developers during development but you must request authorisation for distribution. com.apple.developer.device-activity — The DeviceActivity framework has the same restrictions as Family Controls. com.apple.developer.managed-settings — If you’re trying to use the ManagedSettings framework, that has the same restrictions as Family Controls. If you’re trying to use the ManagedApp framework, that’s not gated by an entitlement. com.apple.developer.callkit.call-directory — There’s no entitlement for the Call Directory app extension feature. com.apple.developer.nearby-interaction — There’s no entitlement for the Nearby interaction framework. com.apple.developer.secure-enclave — On iOS and its child platforms, there’s no entitlement required to use the Secure Enclave. For macOS specifically, any program that has access to the data protection keychain also has access to the Secure Enclave [1]. See TN3137 On Mac keychain APIs and implementations for more about the data protection keychain. com.apple.developer.networking.configuration — If you’re trying to configure the Wi-Fi network on iOS, the correct entitlement is com.apple.developer.networking.HotspotConfiguration, documented here. com.apple.developer.musickit — There is no MusicKit capability. Rather, enable MusicKit via the App Services column in the App ID editor, accessible from Developer > Certificates, Identifiers, and Profiles > Identifiers. These app services are tied to your App ID on the server side, meaning that they have no presence in your code signature. com.apple.developer.shazamkit — There is no ShazamKit capability. Like MusicKit, this is an app service. com.apple.mail.extension — Creating an app extension based on the MailKit framework does not require any specific entitlement. com.apple.security.accessibility — There’s no entitlement that gates access to the Accessibility APIs on macOS. Rather, this is controlled by the user in System Settings > Privacy & Security. Note that sandboxed apps can’t use these APIs. See the Review functionality that is incompatible with App Sandbox section of Protecting user data with App Sandbox. com.apple.developer.adservices — Using the AdServices framework does not require any specific entitlement. [1] While technically these are different features, they are closely associated and it turns out that, if you have access to the data protection keychain, you also have access to the SE. Revision History 2026-04-23 Added com.apple.developer.shazamkit to the common hallucinations list. Added a little more info about app services. 2025-12-09 Updated the Xcode footnote to mention the improvements in Xcode 26.2rc. 2025-11-03 Added com.apple.developer.adservices to the common hallucinations list. 2025-10-30 Added com.apple.security.accessibility to the common hallucinations list. 2025-10-22 Added com.apple.mail.extension to the common hallucinations list. Also added two new in-app purchase hallucinations. 2025-09-26 Added com.apple.developer.musickit to the common hallucinations list. 2025-09-22 Added com.apple.developer.storekit to the common hallucinations list. 2025-09-05 Added com.apple.developer.device-activity to the common hallucinations list. 2025-09-02 First posted.