You can now easily request access to managed capabilities for your App IDs directly from the new Capability Requests tab in Certificates, Identifiers & Profiles > Identifiers. With this update, view available capabilities in one convenient location, check the status of your requested capabilities, and see any notes from Apple related to your requests. Learn more about capability requests.

I'm trying to setup a macOS 26 build environment in a VM (using UTM and the virtualization framework Apple provides). I have Xcode 26 installed and have logged into my Apple ID and verified that the team and other configuration looks fine in Xcode settings. When trying to build the macOS app, I see errors saying the VM's device ID has not been registered. I have confirmed that the device ID is registered both in the Provisioning portal AND the downloaded .provisionprofiles (in Library > Developer > Xcode > UserData). This problem appears on multiple targets (e.g. the main app and extensions). If I try to manually provision the app, using the Provisioning portal, I can build the product, but it will not launch because of Gatekeeper issues. Finally, signing to run locally doesn't work either. As the app launches, frameworks refuse to load because Team IDs don't match. With ad hoc provisioning, there are no Team IDs. I've come to the conclusion that this just isn't possible. Which is a shame because I need to support products with a build environment on macOS 15 and cannot move over to macOS 26 yet. I suspect many developers outside of Apple are in a similar position.

I have a DriverKit system extension (dext) that uses PCIDriverKit. I would like to get the build environment straightened out to successfully distribute the dext and associated software to end users. There are three types of software involved: The Dext-hosting application - this is the application that must be installed to /Applications/, and will perform the registration of the dext. The dext is deployed "within" this application, and can be found in the /Contents/Library/SystemExtensions folder of the app bundle. The dext itself - this is the actual binary system extension, which will be registered by its owning application, and will operate in its own application space independent of the hosting application. Additional applications that communicate with the dext - these are applications which will connect to the dext through user clients, but these applications do not contain the dext themselves. There are multiple locations where settings need to be exactly correct for each type of software to be signed, provisioned, and notarized properly in order to be distributed to users: developer.apple.com - where "identifiers" and "provisioning profiles" are managed. Note that there are differences in access between "Team Agent", "Admin", and "Developer" at this site. Xcode project's Target "Signing & Capabilities" tab - this is where "automatically manage signing" can be selected, as well as team selection, provisioning profile selection, and capabilities can be modified. Xcode project's Target "Build Settings" tab - this is where code signing identity, code signing development team, code signing entitlements file selection, Info.plist options and file selection, and provisioning profile selection. Xcode's Organizer window, which is where you manage archives and select for distribution. In this case, I am interested in "Developer ID" Direct Distribution - I want the software signed with our company's credentials (Team Developer ID) so that users know they can trust the software. Choosing "automatically manage signing" does not work for deployment. The debug versions of software include DriverKit (development) capability (under App ID configuration at developer.apple.com), and this apparently must not be present in distributable provisioning. I believe this means that different provisioning needs to occur between debug and release builds? I have tried many iterations of selections at all the locations, for all three types of binaries, and rather than post everything that does not work, I am asking, "what is supposed to work?"

After upgrading the virtual machines used for building and testing our macOS application, it seems that something new in Sequoia is preventing virtual machines from running anything signed with a Mac Development certificate. At first glance the issue seems very similar to this thread, but it could be unrelated. We are using the tart toolset to build and run our VMs. People seem to be having related issues there with Sequoia in particular. I have added the VM's hardware UUID to the Devices list of our account. I have included that device in the devices list of our Mac Development provisioning profile. I have re-downloaded the profile, ensured that it is properly getting built into the app, and ensured that the hardware UUID of the VM matches the embedded provisioning profile: Virtual-Machine App.app/Contents % system_profiler SPHardwareDataType | grep UUID Hardware UUID: 0CAE034E-C837-53E6-BA67-3B2CC7AD3719 Virtual-Machine App.app/Contents % grep 0CAE034E-C837-53E6-BA67-3B2CC7AD3719 ../../App.app/Contents/embedded.provisionprofile Binary file ../../App.app/Contents/embedded.provisionprofile matches However, when I try to run the application, it fails, and while I have searched the system logs to find a more informative error message, the only thing I can find is that the profile doesn't match the device somehow: Virtual-Machine App.app/Contents % open ../../App.app The application cannot be opened for an unexpected reason, error=Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." UserInfo={NSLocalizedFailureReason=Launch failed., NSUnderlyingError=0x6000039440f0 {Error Domain=NSPOSIXErrorDomain Code=153 "Unknown error: 153" UserInfo={NSLocalizedDescription=Launchd job spawn failed}}} Virtual-Machine App.app/Contents % log show --info --debug --signpost --last 3m | grep -i embedded.provisionprofile 2025-01-21 16:33:32.369829+0000 0x65ba Error 0x0 2872 7 taskgated-helper: (ConfigurationProfiles) [com.apple.ManagedClient:ProvisioningProfiles] embedded provisioning profile not valid: file:///private/tmp/builds/app/.caches/Xcode/DerivedData/Build/Products/Debug/App.app/Contents/embedded.provisionprofile error: Error Domain=CPProfileManager Code=-212 "Provisioning profile does not allow this device." UserInfo={NSLocalizedDescription=Provisioning profile does not allow this device.} I don't understand why the provisioning profile wouldn't allow the device if the hardware UUID matches. I have also attempted to add the Provisioning UDID in the devices list instead, but the form rejects that value because it's a different format (the form specifically requests a hardware UUID for macOS development, and a provisioning UDID for everything else). If there is any debugging tool that lets me check a provisioning profile against the running hardware and print a more verbose reason for why it's not allowed on the device, please let me know. Otherwise I'd have to conclude that, since I haven't experienced this issue before on an earlier OS, it has something to do with virtual machines running macOS Sequoia. (The same Mac Development-signed application runs just fine on my MacBook Pro running 15.2, as well as the VM host, which is also running 15.2.) I have also tried resetting the VM's hardware UUID and adding that one to the devices list, to no effect. This is obviously seriously impacting our CI/CD pipelines to allow for proper UI testing of our application. If anyone is aware of any workarounds, I would love to hear them!

We have a Mac that is used to sign and notarize our installers. This Mac will be going away soon, so I have to setup a new Mac to do that work. I've been able to install all the tools, but I can't get them to work. The certificates are in the keychain, but don't show up in the "My Certificates", probably because the related keys don't exist in the "Keys" list. I'm using the same Apple Dev ID that I used on the other machine. HOW do I get things setup on the new machine to work? There must be some way to get key/certificate pairs to work. (I am very definitely NOT a Mac expert, barely even a novice.)

Hi, after 2 years of not updating my app on appstore i wanted to submit an update for my iOS app which also containts a watch app target. When i try to submit it to upload it i get the following errors: Failed registering bundle identifier The app identifier "(myappBundleID).watchkitapp" cannot be registered to your development team because it is nit available. Change your bundle identifier to a unique string to try again. No Profiles for "(myappBundleID).watchkitapp" were found. Xcode culdn't find any iOS App Store provisining profiles matching "(myappBundleID).watchkitapp" Since i have my app already in store with that bundle identifier i don't know why it can not be registered to my team. Also i don't want to change the bundle identifier because then i can not publish it as update to store.

Hi everyone! We use to have an intel Mac machine where we generate the Developer ID Installer & Application certs for signing and notarization process. This process works sweet. Now, we move from an intel to a m1 Mac machine, where we want to do the same process as before. I had try two different approaches, but ending up with the same result. I export the cert with the private key from my intel to the m1 machine, but when I try to sign, I get: Invalid signature. (Not sure what this error means in this case as everything works on the intel machine. I am guessing the cipher for creating either the private key or the signature differs between the architecture) I try to generate new certs for this m1 machine, but I get the following error: You already have a current Developer ID installer certificate or a pending certificate request. I try with the same account, but also with a different account. In both cases got the same error. I create a ticket for apple, where they said to expect a reply between one and two business days, but no luck yet.

I developed it as Unity. Originally, I updated Unity to the latest version to fix the problem of not being able to log in to Apple. That's when I found out my team ID had changed. The current Apple membership team ID is HBEMGSUAQ3, When I check "Automatically manage sing" in Xcode Selected with the team ID "ESB392LR64". Where did this team come from all of a sudden? I've only used "HVEMGSUAQ3" for a very long time. The change in ID was a test build while developing another project yesterday, but it changed then. If I manually select the provisioning profile of my project "Failed to install embedded profile for : 0xe800801f (Attempted to install a Beta profile without the proper entitlement.)" This error appears and the test installation is not possible.. So I created a new certificate, identifier, and profile. However, it continues to be created with the ID of "ESB392LR64". Keychain registration is also naturally registered with "ESB392LR64" status. Again, my team ID is "HVEMGSUAQ3" and there is no way to check "ESB392LR64" on my dev page... This situation suddenly appeared when my certificates were updated with the ID of "ESB392LR64" on June 12, and What I suspect is that I updated my MacBook to the latest version of OS on the day of the issue. Please let me know what's going on. I'm hoping it's not a big deal....

After using backup to setup my new Mac Mini my xCode App projects run ok in the Simulator but fail to Archive or Analyze with the error: "The specified item could not be found in the keychain." The item is a provisioning profile. I was able to Run, Archive and Validate these projects on my old Mac Mini just before the final backup. Are there known problems in backup of provisioning profiles or keychains? I have tried creating new profiles etc without success for several days. I'm not an expert developer so I'm hoping there is a simple solution. Please suggest the best way to resolve and/or clarify this problem.

I am trying out the new xcode 16, and am trying to sign some existing apps. I have a .developerprofile from xcode 15. But I cannot find a way to import it (I think I need the private certs, in order to sign an app). There is no "import" button at the bottom of the Accounts tab, within the xcode Accounts Settings.... Is there any other way (e.g: Terminal) to import an existing .developerprofile into xcode? Or am I missing something?

How do I replace an Apple Developer ID Certificate that indicates it is not trusted? When I look at my Certificate Expiring 02-20-2025, I see a valid status displayed. (See annotation #1.) However, when I look at my Apple Developer ID Certificate renewal, I see the words not trusted. (See annotation #2.) I downloaded the renewal certificate and double double-clicked the downloaded item to place it in my KeyChain. This certificate period is from 01-21-2025 to 01-22-2030. QUESTIONS Why does the renewal certificate say "certificate is not trusted"? (Its period is 01-21-2025 to 01-22-2030. Today is 01-27-2025.) How did the renewal certificate get damaged? What must I do to get the damaged certificate replaced with a valid one?

I can't upload my macOS app to app store connect. Each time i try to upload, i see this message: Provisioning profile failed qualification Profile doesn't support App Groups. An empty app without an app group uploads fine, but if i add an app group to it, it does not upload.

I am trying to resign a package using a script from Docebo. But I got an error when running the script error: The specified item could not be found in the keychain. So I ran security find-identity and I got a 0 Valid identity message. But I can see these certificates installed in my keychain and downloaded a brand new mobile provissioning profile. No dice... any ideas?

Hi Apple Developer Community, I'm trying to resolve the following Xcode build error: *"Provisioning profile 'iOS Team Provisioning Profile: ' doesn't include the com.apple.developer.live-activities entitlement." To fix this, I understand I need to add the Live Activity capability to my App ID and ensure it’s included in the provisioning profile. However, when I go to Certificates, Identifiers & Profiles, select my App ID, and click Edit under "App ID Configuration," the Live Activity capability is not available in the list of capabilities. As a result, I can’t proceed with enabling the entitlement or regenerating a correct provisioning profile. I’ve confirmed: My App ID is explicit (not a wildcard). The app’s deployment target is set to iOS 16.1 or later. I’m signed in with the correct Apple Developer Team account. etc. Has anyone experienced this? Is there a prerequisite that I might be missing? Thanks in advance for your help! Best regards, David Winograd Rokfin, Inc.

Hi, I need to bundle an additional binary along my yet published application. It is a Audio Unit test application. My yet published application implemented Audio Unit plugin support. But upload is always rejected: Validation failed (409) Invalid Provisioning Profile. The provisioning profile included in the bundle com.gsequencer.GSequencer [com.gsequencer.GSequencer.pkg/Payload/com.gsequencer.GSequencer.app] is invalid. [Missing code-signing certificate.] For more information, visit the macOS Developer Portal. (ID: ****) I have followed the instructions here: Embedding a helper tool in a sandboxed app but no luck. Does anyone know whats going on? I use Transporter to upload the application, the embedded.provisioningprofile is copied from Xcode build and code signing is done manually.

Hello All, I am trying to do my research, but wanted to ask for confirmation and clarification on a couple of points. We are currently developing and app for a client, we would like to distribute the ipa to them via our own site, rather than running through the app store upload. It's not going to be a public facing app. We used to have access to the Enterprise side of things, but this was removed when Apple added the minmum employees restriction. I'm assuming that we would need to use the Developer ID Application certificate? But I was also wondering if more than one person can have this certificate on their machines to create builds? I appreciate that these may be obvious to some, but I'm fairly new to signing apps etc. Thanks for your help.

I've successfully distributed a Java-based app .dmg from my intel iMac, but am trying to port over the signing authority ( Certificate and Identity) to an M2. I'm following the "backup your Identities" recipe to make a .p12 file, but I can't complete the Export. The .p12 file format option is greyed out (while .pem and .cer are offered). What could be causing this? I can sign my .dmg installers from this computer, so codesign is happy with what it is seeing in the Keychain.

I have a mac app which has a launch agent. I signed it with my account, but it always shows as my personal 'XX ***" in the login items of mac settings. Actually this is the reason I switched my personal account to a company account. But now it is still shown as 'XX ***' in the login items after I signed up again with this company account. Do you know how I can change this? The identity I also tried to create a new one with the team, but it does not allow me to create a new one. Chatgpt recommends revoking the current one, but this will affect our old release.

Hi all, I'm using xcode 13.2.1. I go to Product>Archive. The app builds and creates an archive, but there's no data for "version, identifier, type, team, architecture, etc." It's just creating a "generic xcode archive." When I go to "distribute content" it doesn't give the typical distribution methods like "App store Connect, Adhoc, Enterprise, or Development." What am I doing wrong? Thank you, Thomas

I've added my Vendor ID to the appropriate entitlement files but my binary fails validation when trying to upload it to the store for distribution. The embeded.mobileprovision file in the generated archive shows an asterisk instead of my approved Vendor ID. How can I make sure the embedded provisioning file has my Vendor ID?

Hi, I have a macOS Intel machine running Ventura 13.7.4. This machine is used as a build node for Jenkins to run a test for a USB device that has an HID interface. The test runner for this is Java's junit on Azul's Zulu JDK 8 for mac. I've added the com.apple.security.device entitlement to this JDK 8 bundle and signed using a self-signed certificate. This certificate is available in the system keychain at: keychain: "/Library/Keychains/System.keychain" version: 256 class: 0x80001000 On my personal account on this machine, I can run the test and it calls IOHIDDevicePlugin's open function and returns success: [junit] [debug] [hid.cpp:1457] HIDAccess::Open Success in open for cDeviceHandle: 0x6000006abb38 If I run the same test logged in as the Jenkins agent account, then open returns: [junit] [debug] [hid.cpp:1484] Could not open HID with handle: 0x600002a5c018, error (-1ffffd3f): (iokit/common) privilege violation I can see the certificate that signed the JDK bundle running the command: security find-certificate -c "java-rt-usb" -a -m The results are the same for both accounts. Is my setup expected to work? I.e. create a self-signed cert in one account with admin privileges, put the cert in the system keychain, sign an app bundle with a new usb entitlement using this cert, and then run that app in another account on the same machine. If it's expected to work, are there any more troubleshooting tools I can use? ioreg shows the same output for these devices under test in both accounts: $ ioreg -p IOUSB -w0 +-o CMSIS-DAP@14620000 <class AppleUSBDevice, id 0x1000026ae, registered, matched, active, busy 0 (1 ms), retain 17> +-o CMSIS-DAP@14630000 <class AppleUSBDevice, id 0x1000026d6, registered, matched, active, busy 0 (1 ms), retain 17>