Hi there, We've discovered a problem with our iOS app. We've been attempting to add a Driverkit driver to it, but any time we run the app through Testflight, the driver installs fine, but when we go to enable the driver toggle in the app's settings, the toggle stays on, but in the device logs I can see: could not insert bundle at <private> into manager: <private> As you would expect - this means the driver is not actually enabled and does not respond to a device being connected to the iPad. This does not happen when building & running the app locally, nor does it happen when installing an Ad Hoc build. We also have a different app, not yet shipped. We are able to add the driver to that app without issue. It works after going through Testflight. What we have discovered now is that everything works fine even if we just create an entirely new app with it's own bundle IDs. I should point out that in all cases, we're keeping the capabilities the same for each of these apps/IDs - including the managed capabilities. The bundle IDs that have this problem are older (5 years old or more). It seems like any newer ID will work, but trying to add the driver (and the associated managed capabilities) to an older app/ID results in this vague error message, with no further details. If we inspect the resulting dexts, we can also see that the "Internal requirements code size" is different on the ones that fail. The failing ones have a size of 204 bytes, whereas the working ones all have a size of 220 bytes. Not sure if that's related but it's strikingly consistent. Does this mean there is an issue with older app IDs, and we need Apple to manually refresh them in some way before the driverkit capabilities will work after going through Testflight? We have two apps in this state, both are of the same vintage (~5 years+). We've been battling this issue for months on and off, so would appreciate some help.

Hi there! I have an issue with uploading a PKG installer to the MacOS AppStore. Uploading with: xcrun altool --upload-app -t macos -f $PKGPATH -u $DEVELOPER_ID -p $APP_SPECIFIC_PWD results in error: *** Error: Validation failed Invalid Provisioning Profile. The provisioning profile included in the bundle com.frogblue.frogCom [com.frogblue.frogCom.pkg/Payload/frogSIP.app] is invalid. [Missing code-signing certificate.] For more information, visit the macOS Developer Portal. (ID: fc4e5488-6d09-4ab2-b1f7-017a33c69723) (409) Application seems to be correctly code signed with „3rd Party Mac Developer Application“ certificate. codesign -dv --verbose=4 /Users/dietmar.finkler/Desktop/frogSIP/deploy/frogSIP.app Identifier=com.frogblue.frogCom Format=app bundle with Mach-O universal (x86_64 arm64) CodeDirectory v=20500 size=266432 flags=0x10000(runtime) hashes=8315+7 location=embedded VersionPlatform=1 VersionMin=720896 VersionSDK=918784 Hash type=sha256 size=32 CandidateCDHash sha256=923de799a54616706b76050b50b7ee6d59f8355a CandidateCDHashFull sha256=923de799a54616706b76050b50b7ee6d59f8355a65aa7cce03e34bb2033da1e9 Hash choices=sha256 CMSDigest=923de799a54616706b76050b50b7ee6d59f8355a65aa7cce03e34bb2033da1e9 CMSDigestType=2 Executable Segment base=0 Executable Segment limit=31604736 Executable Segment flags=0x1 Page size=4096 CDHash=923de799a54616706b76050b50b7ee6d59f8355a Signature size=9109 Authority=3rd Party Mac Developer Application: frogblue TECHNOLOGY GmbH (UG2P6T5LNH) Authority=Apple Worldwide Developer Relations Certification Authority Authority=Apple Root CA Timestamp=26.02.2025 at 10:07:08 Info.plist entries=31 TeamIdentifier=UG2P6T5LNH Runtime Version=14.5.0 Sealed Resources version=2 rules=13 files=1124 Internal requirements count=1 size=212 The PKG build with productbuild seems also be correctly code signed with„3rd Party Mac Developer Installer“ certificate. pkgutil --check-signature /Users/dietmar.finkler/Desktop/frogSIP/frogSIP-1.2a2.pkg Status: signed by a developer certificate issued by Apple (Development) Certificate Chain: 1. 3rd Party Mac Developer Installer: frogblue TECHNOLOGY GmbH (UG2P6T5LNH) Expires: 2026-02-25 17:17:54 +0000 SHA256 Fingerprint: D1 9E AC 27 C7 26 F3 2E 1E F5 50 2C 7A 1B 1D FB 54 D6 17 C1 1C 58 C1 7E F8 87 B6 44 D1 49 17 DC ------------------------------------------------------------------------ 2. Apple Worldwide Developer Relations Certification Authority Expires: 2030-02-20 00:00:00 +0000 SHA256 Fingerprint: DC F2 18 78 C7 7F 41 98 E4 B4 61 4F 03 D6 96 D8 9C 66 C6 60 08 D4 24 4E 1B 99 16 1A AC 91 60 1F ------------------------------------------------------------------------ 3. Apple Root CA Expires: 2035-02-09 21:40:36 +0000 SHA256 Fingerprint: B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C 68 C5 BE 91 B5 A1 10 01 F0 24 KeyChain login items show both "3rd Party Mac Developer Application" and "3rd Party Mac Developer Installer“ certificates. But checking with security find-identity -v -p codesigning shows only the "3rd Party Mac Developer Application“ certificate. "3rd Party Mac Developer Installer“ is missing. I check also the entitlement in the app package, which looks ok for me. codesign -d --entitlements :- /Users/dietmar.finkler/Desktop/frogSIP/deploy/frogSIP.app <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>com.apple.application-identifier</key><string>UG2P6T5LNH.com.frogblue.frogCom</string><key>com.apple.developer.aps-environment</key><string>production</string><key>com.apple.developer.associated-domains</key><array><string>applinks:go.dev.frogblue.cloud</string><string>applinks:go.test.frogblue.cloud</string><string>applinks:go.prod.frogblue.cloud</string></array><key>com.apple.developer.team-identifier</key><string>UG2P6T5LNH</string><key>com.apple.security.app-sandbox</key><true/><key>com.apple.security.cs.disable-library-validation</key><true/><key>com.apple.security.device.audio-input</key><true/><key>com.apple.security.device.camera</key><true/><key>com.apple.security.network.client</key><true/><key>com.apple.security.network.server</key><true/></dict></plist> What I am missing? Thanx for any hint! Regards Dietmar Finkler

I was trying to put my game to test flight. I would test features like ads and in-app-purchases, then put on the Appstore(release). The game already works on Ipad. For test flight, the "automatically manage signing" option was enabled. Then I pressed the "archive" button. Built succeeded. Then I clicked the distribute button. That time, I had an error. "Upload failed, Invalid signature, App is not properly signed". I researched, and found special characters in name, team name and address can make errors. My name, address and team name have special characters(turkish). If it will be resolved, I want to re-write(fix) my name, team name and address. I already tried to change my name, team name and address from apple developer website but failed. They are asking a document of my identity of my new name but I didn't changed my name and address. Overall, there aren't any other facts that cause this issue as I know. If I send my current, unchanged identity and home address, could they allow to change(fix) them? On Console Log: DangerNo.app/DangerNo: ID : 6cfa13a9-685c-4df9-86dd-7506d67be8c5 DangerNo.app/Frameworks/UnityFramework.framework/UnityFramework: ID : 2b63aacc-9caf-453c-913f-bae0db14d363 My App ID : 6744022885 Error : Invalid Binary rejection email indicating a corrupted code signature was detected. Explanation : Invalid Signature - Make sure you have signed your application with a distribution certificate, not an ad hoc certificate or a development certificate. Verify that the code signing settings in Xcode are correct at the target level (which override any values at the project level). Additionally, make sure the bundle you are uploading was built using a Release target in Xcode, not a Simulator target. If you are certain your code signing settings are correct, choose "Clean All" in Xcode, delete the "build" directory in the Finder, and rebuild your release target.

I am running into this error with productbuild in github actions where the program hangs with a specific developer id. I have verified that my certification files are properly uploaded etc. and i am able to run this without the --sign command online and with --sign offline. if i sign with a "3rd party mac developer installer: ***" it will run but then crash on stapling because this isn't the actual org i want to staple and don't really need to verify that i could staple with this other license since it is my personal license and i will be leaving this job soon so setting up all my other certs is a waste of time since it doesn't solve the problem. When i use my bosses/org "Developer ID Installer: ***" productbuild just hangs. I am at a loss here... the acutal command running is productbuild --resources ./resources --distribution distribution.xml --sign "${{ secrets.DEVELOPER_ID_INSTALLER }}" --timestamp "${{ env.ARTIFACT_NAME }}.pkg" I have confirmed that my distribution file is fine etc. because I can productbuild without signing fine. Any suggestions on where to go?

Hello, In our Account we have an iOS app with an explicit identifier "ABC123.com.some.app" that is using non-team prefix which is DEF456. It has also explicit identifiers for Widgets bundle and Notification Service. Due to non-team prefix, it can't access e.g. shared keychain and data put there by our other apps. Since we are working on features that require these capabilities, we would like to update the app identifier, so it is prefixed with our team id DEF456. Initially, we thought that the process would require steps like: Create new app, team-prefixed identifier(s) for app and all things that need them Recreate the provisioning profiles with new App Identifier Roll out the app using with new profiles via App Store but when trying to create the new identifier with com.some.app and team id prefix DEF456 we are getting following error: An App ID with Identifier com.some.app is not available. Please enter a different string. Can anybody advise us how to correctly perform such change and what steps are required from our end? We would like to keep our existing App Store entry, ratings and smoothly switch users. We are aware that this kind of migration results in loss of Keychain access. Thanks for any advice on that!

Hi everyone, I'm following up on this post I made earlier about an issue I'm having with FamilyControls and the DeviceActivityMonitor extension not working for external TestFlight testers. To briefly recap: I have official Apple approval for the com.apple.developer.family-controls entitlement (distribution) The entitlement is added to both my main app and the DeviceActivityMonitor extension The App Group is correctly configured for both targets On internal TestFlight builds, everything works as expected: app blocking works, the extension runs, and selected apps are shielded. On external TestFlight builds, users get the Screen Time permission prompt, can select apps to block, but nothing is blocked. Since that post, I submitted a Code Level Support request, and Apple asked me to file a bug report via Feedback Assistant. I did that almost a month ago. The only reply I’ve received since is that they can’t give a timeframe or guarantee it will be resolved. I'm stuck in limbo with no updates and no fix. This feature is critical to my app and I cannot launch without it. I’ve reached out to other developers who use app blocking, and none of them have run into this issue. My setup seems correct, and Apple has not said otherwise. If anyone has experienced something similar, found a workaround, or knows how to get real movement on a bug report like this, I would really appreciate any help. It’s been weeks, and I just want to launch my app. Thanks so much.

I have tried again and again to generate and install the .mobileprovision on my device for testing apps following the exact instructions. I cannot get this to work. When I tap the .mobileprovision on the device I get the error "Profile Error - This profile cannot be installed." In Xcode in the console as I try to install the profile, this is what it shows: `profiled (ManagedConfiguration) Desc : Invalid Profile US Desc: Invalid Profile Domain : MCProfileErrorDomain Code : 1000 Type : MCFatalError and then profiled Desc : Invalid Profile Sugg : Invalid Profile US Desc: Invalid Profile US Sugg: Invalid Profile Domain : MCInstallationErrorDomain Code : 4000 Type : MCFatalError ...Underlying error: NSError: Desc : Invalid Profile US Desc: Invalid Profile Domain : MCProfileErrorDomain Code : 1000 Type : MCFatalError I have been at this for days and cannot get it to work. Any help would be appreciated

We have a Mac app that uses some restricted macOS entitlements, thus to test it we embed a development provisioning profile, that needs to contain the correct provisioning UDID. Typically, for test VMs, we extract the provisioning and UDID and add it to the developer portal and then re-generate the provisioning profiles. However when we try to do this in our newly created VM (Apple Silicon), our executable won't run, and macOS logs that the provisioning profile doesn't allow the device: 2025-06-12 12:37:52.168 E taskgated-helper[27489:e97da] [com.apple.ManagedClient:ProvisioningProfiles] embedded provisioning profile not valid: file:///Applications/foo.app/Contents/embedded.provisionprofile error: Error Domain=CPProfileManager Code=-212 "Provisioning profile does not allow this device." UserInfo={NSLocalizedDescription=Provisioning profile does not allow this device.} 2025-06-12 12:37:52.169 E taskgated-helper[27489:e97da] [com.apple.ManagedClient:ProvisioningProfiles] Disallowing com.company.foo because no eligible provisioning profiles found 2025-06-12 12:37:52.169 Df amfid[112:e99b0] [com.apple.xpc:connection] [0xb34c74a00] invalidated because the current process cancelled the connection by calling xpc_connection_cancel() 2025-06-12 12:37:52.169 Df taskgated-helper[27489:e97da] [com.apple.xpc:connection] [0x839144000] invalidated because the client process (pid 112) either cancelled the connection or exited 2025-06-12 12:37:52.169 E amfid[112:e91ac] [com.apple.MobileFileIntegrity.framework:default] Failure validating against provisioning profiles: &lt;private&gt; 2025-06-12 12:37:52.169 E amfid[112:e91ac] [com.apple.MobileFileIntegrity.framework:default] Restricted entitlements not validated, bailing out. Error: Error Domain=AppleMobileFileIntegrityError Code=-413 "No matching profile found" UserInfo={NSURL=&lt;private&gt;, NSLocalizedDescription=No matching profile found} 2025-06-12 12:37:52.169 Df amfid[112:e91ac] /Applications/foo.app/Contents/MacOS/foo not valid: Error Domain=AppleMobileFileIntegrityError Code=-413 "No matching profile found" UserInfo={NSURL=file:///Applications/foo.app/, NSLocalizedDescription=No matching profile found} The UDID for this VM does look weird, in System Profiler: But I can verify that this UDID string is present in the provisioning profile embedded in the app bundle: $ security cms -D -i /Applications/foo.app/Contents/embedded.provisionprofile | grep -i 7cd9234e9aa4fa8ba528ee417f857b2c993a20a3 &lt;string&gt;7CD9234E9AA4FA8BA528EE417F857B2C993A20A3&lt;/string&gt; I also tried deleting the manually added device from the Developer portal and installing Xcode on the VM and letting Xcode register the device, but I end up in the same situation there. Even after letting Xcode itself register the device, it says that "this device not registered to your account" and then when I click "Register device" it changes into " already exists". Has anyone else managed to get Mac development provisioning profiles to work in a VM?

Is it possible to directly distribute a macOS app with a Developer ID Certificate that belongs to a different team? I am trying to resolve issues that arise when distributing a macOS app with a Network Extension (Packet Tunnel) outside the App Store using a Developer ID Certificate from a different team than the app’s provisioning profiles and entitlements. I started by attempting Direct Distribution in Xcode with automatic signing. However, it fails with the following message: Provisioning profile "Mac Team Direct Provisioning Profile: ” failed qualification checks: Profile doesn't match the entitlements file's value for the com.apple.developer.networking.networkextension entitlement. I suspect the issue is that the provisioning profile allows "packet-tunnel-provider-systemextension", whereas the entitlements generated by Xcode contain "packet-tunnel-provider". When I manually modify the .entitlements file to include the -systemextension suffix, the project fails to build because Xcode does not recognize the modified entitlement. If there is a workaround for this issue, please let me know. Due to these issues, I resorted to manually creating a signed and notarized app. My process is as follows: Export the .app from the Xcode archive. Since the exported .app does not contain the necessary entitlements or provisioning profile for direct distribution, I replace Contents/embedded.provisioningprofile in both the .app and the .appex network extension. Sign the app and its components in the following order: codesign --force --options runtime --timestamp --sign "Developer ID Application: <name>" <app>.app/Contents/Frameworks/<fw>.framework/ codesign --force --options runtime --timestamp --sign "Developer ID Application: <name>"<app>.app/Contents/PlugIns/<netext>.appex/Contents/Frameworks/<fw>.framework/Versions/A/<fw> codesign --force --options runtime --entitlements dist-vpn.entitlements --timestamp --sign "Developer ID Application: <name>" <app>.app/Contents/PlugIns/<netext>.appex/ codesign --force --options runtime --entitlements dist.entitlements --timestamp --sign "Developer ID Application: <name>" <app>.app Verify the code signature: codesign --verify --deep --strict --verbose=4 <app>.app - <app>.app: valid on disk - <app>.app: satisfies its Designated Requirement Create a ZIP archive using: ditto -c -k --sequesterRsrc --keepParent <app>.app <app>.zip Notarize the app with notarytool and staple it. The notarization completes successfully with errors: nil. Package the notarized app into a DMG, notarize, and staple the DMG. The app runs successfully on the development machine. However, when moved to another machine and placed in /Applications, it fails to open. Inspecting Console.app reveals Gatekeeper is blocking the launch:
 taskgated-helper <bundleid>: Unsatisfied entitlements: com.apple.developer.networking.networkextension, com.apple.developer.team-identifier taskgated-helper entitlements: { "com.apple.developer.networking.networkextension" = ("packet-tunnel-provider-systemextension"); "com.apple.developer.team-identifier" = <teamid>; } As mentioned earlier, the Developer ID Certificate used for signing belongs to a different team. We are a third-party developer and do not have access to the Developer ID Certificate of the team assigned as the team-identifier. When I changed the bundle identifier (app ID), team, entitlements, and provisioning profiles to match the team associated with the Developer ID Certificate, the app worked. My question is:
 Is this failure caused by using a Developer ID Certificate from a different team, or should it still work if the provisioning profiles and entitlements are correctly set? Could there be an issue elsewhere in the provisioning profiles or entitlements for the original app ID?

mac .cer证书不能导出.p12证书 不知道那个步骤出错

I am able to sign my application when logged in to the machine, however when build is running in CI (Jenkins), I get this: "Warning: unable to build chain to self-signed root for signer.." We just renewed or certificates, so I am not sure about previous procedure, but it used to work without temporary keychain and stuff, I believe. What should be the recommended way to sign an application on CI? What keychain should we use? system? temporary? other method? Thanks, Itay

I am a complete novice and I find that I cannot restore or delete the “Apple Development” certificate (I only use it for signing). From what I understand, you need to be in a program to manage certificates, but I have no intention of distributing any applications and, from my point of view, it makes no sense to pay. Am I wrong or am I doing something wrong? Notes: This happened after I installed Tahoe on a new installation. I was able to restore it using a copy of the keychains folder I had from Sequoia. Xcode (Apple Accounts - Manage Certificates) now shows me two certificates, indicating that one is not in the keychain and cannot be deleted.

I have two certificates in my Accounts>Manage Certificates section. One is active, the other is greyed out with a status of "Not in Keychain". I only have ONE certificate in the developer account online. Timeline: Had an issue with fastlane codesigning and was trying to resolve that. In that attempt I deleted my related Certificates from my keychain Xcode showed them as disabled (greyed out) and not in Keychain. Look up how to resolve, need to revoke certificates in Developer account online. I go and revoke those certificates. Nothing changes I create new certificate and try to add it to xcode>account>certificate managment>"Apple Development". Get an error saying I can't add a new can't do that because a certificate is already pending. I waited a day because I assumed like somethings with apple, updates are not immediate. I come back the next day and am able to add a new certificate. However, the previous one that is greyed out and reads "Not in Keychain" under Status, is still there. How do I remove that "Not in Keychain" certificate? I emailed developer support and they directed me here.

I'm trying to upload a build to app store connect. It's a build from a Unity project with the polyspatial SDK, and I also need to include a c++ library, which I've added as a dylib signed with the same provisioning profile as the app. The profile is an Apple Distribution profile created from an enterprise account. It succesfully uploads to Appstore connect, but fails with the following error message: ITMS-90426: Invalid Swift Support - The SwiftSupport folder is missing. Rebuild your app using the current public (GM) version of Xcode and resubmit it. This is unhelpful as I'm using a current version of Xcode. I've read that it's a provisioning issue, but I'm using the provisioning profile for apple distribution on an enterprise account, not an ad hoc profile. I've tried manually adding the SwiftSupport folder from the Xcode toolchain to the ipa/xarchive, resign and upload with Transporter, but that doesn't work. After spending a day trying to troubleshoot this, I'm at a loss. Any help with this is much appreciated. Note: I can sideload the app onto an AVP with an ad hoc build and ad hoc provisioning profile (I've added the signed dylib to build phases Link with Libraries and Embed Frameworks). Somehow this doesn't need the SwiftSupport?

Hi, When I try to create an App ID for my app, I get the following message: "An App ID with Identifier '' is not available. Please enter a different string. I have not manually created an App ID under my team with this bundle identifier. I have 'Automatic Signing' checked in Xcode but am unable to upload or register an app with the same bundler Identifier through Xcode as well. I am not a member of any other team so this bundle identifier should be unique and should not have been used before. Would appreciate any help. Thanks.

When attempting to run a build script that is currently working for several other projects, the export fails and the IDEDistribution.verbose.log (see below) suggestion is to add a profile to the Export Options property list but as can be seen in the ExportOptions.plist text (see below), there is a profile for each of the three builds. XCode 16.0 MacOS 14.7 IDEDistribution.verbose.log below 2024-10-28 12:20:30 +0000 [MT] Step failed: <IDEDistributionSigningAssetsStep: 0x60000146e840>: Error Domain=IDEDistributionSigningAssetStepErrorDomain Code=0 "Locating signing assets failed." UserInfo={NSLocalizedDescription=Locating signing assets failed., IDEDistributionUnderlyingErrors=( "Error Domain=IDEProvisioningErrorDomain Code=9 ""QuickDelegateTestApp.app" requires a provisioning profile." UserInfo={IDEDistributionIssueSeverity=3, NSLocalizedDescription="QuickDelegateTestApp.app" requires a provisioning profile., NSLocalizedRecoverySuggestion=Add a profile to the "provisioningProfiles" dictionary in your Export Options property list.}" )} ExportOptions.plist below

Dear Support, I am trying to verify the installation of my macOS app via Test Flight. I have verified through code sign that it is properly signed and has all of the the required entitlements, including sandbox. The package uploaded successfully via Transporter, and the app installs with Test Flight. However, the app will not run. After numerous attempts, I discovered that the embedded.provisionprofile is missing from the Contents of the app bundle in the version that installs via Test Flight. If I install directly from the same PKG I uploaded to Transporter (that TestFlight is using for the build) I can verify that the embedded.provisionprofile is present. Why does uploading the PKG and installing through Test Flight result in the removal of the embedded provisioning file? Is this expected and/or could be another reason why my app is refusing to run? Much appreciated, ~Ross

Hi, I'm trying to ssh into another machine, copy an app into that machine and codesign it using my "Dev ID Application" certificate, then copy it back to my original machine. I'm getting the "errSecInternalComponent" error when running codesign. This is the bash script I'm running: ssh ${REMOTE_SERVER} "security -v unlock-keychain -p <REDACTED> /Users/<REDACTED>/Library/keychains/login.keychain-db" ssh ${REMOTE_SERVER} "codesign -vvv --deep --force --verify --verbose --timestamp --options runtime --sign \"Developer ID Application: <REDACTED>\" \"/tmp/$BUILD_ID/ui-app/<APP_NAME>.app\"" ssh ${REMOTE_SERVER} "codesign -dv --verbose=4 /tmp/$BUILD_ID/ui-app/<APP_NAME>.app" I've tried to follow all the available info found online, managed to sign it successfully through the machine's UI, set the ACL of the private key to ALLOW ALL, restarted the keychain service, tried with the system keychain, approved all pop ups through the UI. Still with no luck through the SSH session. Any help would be greatly appreciated. Thanks!

I have the latest version of xcode

As of Nov 25, 2024, Xcode 16.1 won't recognize an App Store provisional profile as Eligible so you cannot select the provisional profile for signing. Which means you cannot archive it for upload to Apple. Setting it to manual or automatic signing does not help. Even going to the dev site and making new, fresh provisional profiles did not work. rebooting xcode did not work. rebooting the computer did not work.