I am making an iOS step counting app and I have included a widget in the design. I would like to get the widget to pull data from the main app to display step count etc so I created a bundle id for the widget and have been trying to use a group id to link them together. The group capabilities for both seem to be set up/enabled properly with the same App Groups id, but I've been getting an error in xcode which says, " 'Provisioning Profile: "BUNDLE_ID" doesn't include the com.apple.developer.security.application-groups entitlement.' Try Again But the identifiers do have the App Group id enabled. I have tried automatic signing, manual signing with generated profiles, unchecking and rechecking auto-signing, removing and re-adding the group capability. Creating a new bundle id from scratch, creating a new group id from scratch. Always I get the error. I've really pulled my hair out troubleshooting this and would appreciate support. I'm happy to answer and questions or share details. Thank you.

Hi everyone, I am trying to generate an .ipa file for my .NET MAUI (net9.0-ios) application, but every attempt fails with the same codesigning error. I have tried multiple approaches, including building from Windows paired to macOS, and directly building through the macOS terminal, but nothing is working. Below are the exact steps I followed: Steps I Performed 1.>Generated the Apple Development certificate using Keychain Access on macOS. 2.>Added that certificate into my developer account and created the corresponding provisioning profile. 3.>Created an App ID, attached the App ID to the provisioning profile, and downloaded it. 4.>Added the provisioning profile into Xcode. Verified that the certificate is correctly visible in Keychain Access (private key available). Attempted to build/publish the MAUI app to generate the .ipa file. Issue Whenever I run the publish command or build via Windows/macOS, codesigning fails with the following error: /usr/bin/codesign exited with code 1: Frameworks/libSkiaSharp.framework: replacing existing signature Warning: unable to build chain to self-signed root for signer "Apple Development: Created via API (8388XAA3RT)" Frameworks/libSkiaSharp.framework: errSecInternalComponent Failed to codesign 'PCS_EmpApp.app/Frameworks/libSkiaSharp.framework': Warning: unable to build chain to self-signed root for signer "Apple Development: Created via API (8388XAA3RT)" PCS_EmpApp.app: errSecInternalComponent Build failed with 4 error(s) and 509 warning(s) Environment .NET: 9.0 MAUI: latest tools Xcode: 26.0.1 macOS: 26.0.1 Building for ios-arm64 (device) What I suspect It looks like the signer certificate might not be trusted, or the certificate chain cannot connect to an Apple root CA. But the certificate was created using the Developer website and appears valid. Need Help With Why is codesign unable to build the certificate chain? Do I need a different type of certificate? (App Store / Distribution vs Development?) How can I successfully generate the .ipa file? Any guidance will be greatly appreciated. Thank you!

Hello everyone, I am developing a Flutter iOS application that includes a Widget Extension + Live Activity (ActivityKit). The project runs successfully on the iOS simulator when launched directly from Xcode, but it cannot be signed properly via Flutter and I cannot upload the build to App Store Connect due to the following CodeSign error: Command CodeSign failed with a nonzero exit code Provisioning profile "…" doesn't include the entitlement: com.apple.developer.activitykit.allow-third-party-activity This error never goes away no matter what I try. And the main problem is that my App ID does NOT show any ActivityKit or Live Activity capability in the Apple Developer portal → Identifiers → App ID. So I cannot enable it manually. However: Xcode requires this entitlement Flutter requires this entitlement When I add the entitlement manually in the .entitlements file, Xcode says: “This entitlement must be enabled in your Developer account. It cannot be added manually.” So I am stuck in a loop where: Apple Developer portal does not show ActivityKit capability Xcode demands the ActivityKit entitlement Signing fails App Store upload fails And Live Activity is a critical feature of my app What I have already done ✔ “Automatically manage signing” is enabled ✔ Correct Team is selected for both Runner and the Widget Extension ✔ Bundle IDs are correct: com.yksbuddy.app com.yksbuddy.app.TimerWidgetExtension ✔ Deleted Derived Data completely ✔ Tried removing all ActivityKit-related entitlement keys manually ✔ Deleted Pods, reinstalled, rebuilt ✔ App Group settings match between Runner and Extension ✔ The same Live Activity code works perfectly in a clean Xcode-only project ✔ But fails only inside a Flutter project structure ✔ Xcode builds & runs on simulator, but App Store upload always fails due to missing entitlement Core Problem: In my Apple Developer “Identifiers → App ID” page, the Live Activity / ActivityKit capability does NOT appear at all, so I cannot enable: Live Activities ActivityKit Third-party activity entitlement Without being able to enable this capability, I cannot create a valid provisioning profile that includes: com.apple.developer.activitykit.allow-third-party-activity Flutter + Xcode insists this entitlement must exist, but Apple Developer portal does not give any option to enable it.

Hi everyone, I’m having trouble getting remote push notifications working on iOS for a production Flutter app, and it looks like it’s related to the provisioning profile / entitlements used during signing. Context Platform: Flutter Push provider: OneSignal (backend is Supabase; Android push works fine) CI: Codemagic Target: iOS TestFlight / App Store builds I’m on Windows, so I cannot open Xcode locally. All iOS builds happen via Codemagic. Capabilities / entitlements In the Apple Developer portal, my App ID for com.zachspizza.app has: Push Notifications capability enabled A separate Broadcast capability is listed but currently not checked. In my repo, ios/Runner/Runner.entitlements contains: xml aps-environment production So the project is clearly requesting the push entitlement. Codemagic signing setup For my App Store workflow (ios_appstore_release in codemagic.yaml ): I use a combination of manual and automatic signing: Environment variables can provide: P12_BASE64 + P12_PASSWORD (distribution certificate) MOBILEPROVISION_BASE64 (a .mobileprovision file) A script in the workflow: Creates a temporary keychain. Imports the .p12 and installs the .mobileprovision into ~/Library/MobileDevice/Provisioning Profiles. For the final export, I generate an exportOptions.plist that does: If a profile name/UUID is provided via env (PROV_PROFILE_SPEC, PROV_PROFILE_UUID, PROVISIONING_PROFILE_SPECIFIER, PROVISIONING_PROFILE): xml signingStylemanual provisioningProfiles com.zachspizza.app[profile name or UUID] Otherwise, it falls back to: xml signingStyleautomatic After archiving and exporting, my script runs: bash codesign -d --entitlements :- "$ARCHIVE_PATH/Products/Applications/Runner.app" ... and again on the signed Runner.app inside the exported IPA codesign -d --entitlements :- "$SIGNED_APP" In both cases, the effective entitlements output does not show aps-environment, even though: The App ID has push enabled. Runner.entitlements includes aps-environment = production. Observed behavior iOS devices (TestFlight build) do not receive remote push notifications at all. Android devices receive notifications as expected with the same backend payloads. OneSignal configuration and backend are verified; this appears to be an APNs / signing / entitlements problem. The Codemagic logs strongly suggest that the provisioning profile being used for signing does not carry aps-environment. Questions Under what conditions would a distribution provisioning profile (for an App ID with Push Notifications enabled) result in a signed app without aps-environment, even when: The entitlements file in the project includes aps-environment, and The App ID in the Developer portal has Push Notifications enabled? Does using a CI flow like the above (custom .p12 + .mobileprovision installed via script, exportOptions with signingStyle=manual) increase the chances of: Xcode ignoring the requested entitlements, or Selecting a provisioning profile variant that does not include the push entitlement? Is there a recommended way, from the Apple side, to verify that a given .mobileprovision (the one I’m base64-encoding and installing in CI) definitely includes the aps-environment entitlement for my bundle ID? i.e., a canonical method to inspect the profile and confirm that APNs is included before using it in CI? Are there any known edge cases where: The project entitlements include aps-environment, The App ID has Push Notifications enabled, But the final signed app still has no aps-environment, due to profile mismatch or signing configuration? Given that I’m on Windows and can’t open Xcode to manage signing directly, I’d really appreciate guidance on how to ensure that the correct push-enabled provisioning profile is being used in this CI/manual-signing setup, and how to debug why aps-environment is being stripped or not applied. CodeMagic Signing/Export Step: Signing / entitlements output from Codemagic Dumping effective entitlements for Runner.app in archive... /Users/builder/clone/build/ios/archive/Runner.xcarchive/Products/Applications/Runner.app: code object is not signed at all Failed to dump entitlements Exporting IPA with exportOptions.plist... 2025-11-20 22:25:00.111 xcodebuild[4627:42054] [MT] IDEDistribution: -[IDEDistributionLogging _createLoggingBundleAtPath:]: Created bundle at path "/var/folders/w2/rrf5p87d1bbfyphxc7jdnyvh0000gn/T/Runner_2025-11-20_22-25-00.110.xcdistributionlogs". 2025-11-20 22:25:00.222 xcodebuild[4627:42054] [MT] IDEDistribution: Command line name "app-store" is deprecated. Use "app-store-connect" instead. ▸ Export Succeeded Dumping entitlements from signed Runner.app inside exported IPA... Executable=/private/var/folders/w2/rrf5p87d1bbfyphxc7jdnyvh0000gn/T/tmp.LHkTK7Zar0/Payload/Runner.app/Runner warning: Specifying ':' in the path is deprecated and will not work in a future release application-identifier.com.zachspizza.app beta-reports-active com.apple.developer.team-identifier get-task-allow As you can see, the signed app’s entitlements do not contain aps-environment at all, even though Runner.entitlements in the project has aps-environmentproduction and the App ID has Push Notifications enabled. Thanks in advance for any help and pointers.

Hi All, I am building my own MDM server. It seems that in order for the MDM commands to function an MDM Push Certificate for the APNS framework. And in order to get the MDM Push Certificate from the Apple Push Certificates Portal (https://identity.apple.com/pushcert/) you need to upload your CSR usually provided and sign by the MDM Vendor of your choosing. I am familiar with this process. But now that I am the MDM Vendor, I am not sure where to get this MDM Vendor CSR Signing Certificate. I've already submitted a formal request via the "contact us" form. Apple's response pointed me to the documentation on Setting Up Push Notifications and the MDM Vendor CSR Signing Certificate help page (which I had already reviewed): https://developer.apple.com/documentation/devicemanagement/setting-up-push-notifications-for-your-mdm-customers https://developer.apple.com/help/account/certificates/mdm-vendor-csr-signing-certificate/ The issue is that these documents describe using the signing certificate, but not the process for obtaining it as a new, independent vendor. So does anyone know of a portal or method of generating this “MDM Vendor Certificate”? or maybe I'm going about this all wrong and there is a simpler way… the again, its apple, so I’m probably on the right path just beed a little direction please. (I am not sure where to get this MDM Vendor CSR Signing Certificate.)

When submitting my new build to app store connect directly from dreamflow, I get this error: Failed Step: Flutter build ipa and automatic versioning Building com.pinpictu for device (ios-release)... ════════════════════════════════════════════════════════════════════════════════ No valid code signing certificates were found You can connect to your Apple Developer account by signing in with your Apple ID in Xcode and create an iOS Development Certificate as well as a Provisioning Profile for your project by: 1- Open the Flutter project's Xcode target with open ios/Runner.xcworkspace 2- Select the 'Runner' project in the navigator then the 'Runner' target in the project settings 3- Make sure a 'Development Team' is selected under Signing & Capabilities > Team. You may need to: - Log in with your Apple ID in Xcode first - Ensure you have a valid unique Bundle ID - Register your device with your Apple Developer Account - Let Xcode automatically provision a profile for your app 4- Build or run your project again 5- Trust your newly created Development Certificate on your iOS device via Settings > General > Device Management > [your new certificate] > Trust For more information, please visit: https://developer.apple.com/library/content/documentation/IDEs/Conceptual/ AppDistributionGuide/MaintainingCertificates/MaintainingCertificates.html Or run on an iOS simulator without code signing ════════════════════════════════════════════════════════════════════════════════ No development certificates available to code sign app for device deployment Build failed :| Step 10 script Flutter build ipa and automatic versioning exited with status code 1 Please not I am on a windows pc, not a mac. I'm not sure how to clear this error and I am not an experinced coder, so any advice would be greatly appreciated, especially if it is simple and easy to follow.

How should certificates and notarization be configured for a desktop application developed with Electron so that it can be used properly? The software is distributed via website download.

Hey Apple Friends, We currently have an enterprise version of our app for debugging and internal distribution. Our release configuration uses our App Store account. However, it appears you cannot add a 'Declared Age Range' to the Enterprise app as a capability making it impossible to debug because we have added the 'Declared Age Range API' locally, but we cannot add it as a capability on the dev portal. Is there any work around for this?

Hi everyone, I’m developing an Electron application on macOS and I’m trying to register and activate a macOS System Extension, but I’m running into startup and entitlement issues. 🔧 What I’m trying to build • An Electron app packaged with electron-builder • Signed with Developer ID Application • Notarized using @electron/notarize • A macOS System Extension is already built and signed • The System Extension provides a virtual camera • I wrote a Swift helper that: • Registers / activates the virtual camera • Calls OSSystemExtensionManager • This Swift code is compiled into a .node native addon • The .node module is loaded and called from Electron (Node.js) to trigger system extension registration ❗ The problem When I add the following entitlement: com.apple.developer.system-extension.install the application fails to launch at all on macOS. Without this entitlement: • The app launches normally • But system extension activation fails with: Error Domain=OSSystemExtensionErrorDomain Code=2 Missing entitlement com.apple.developer.system-extension.install With this entitlement: • The app does not launch • No UI is shown • macOS blocks execution silently 🤔 My questions 1. Is it valid for an Electron app’s main executable to have com.apple.developer.system-extension.install? 2. Does Apple require a separate helper / launcher app to install system extensions instead of the Electron main app? 3. Are there any Electron-specific limitations when working with macOS System Extensions? 4. Is there a known working example of Electron + macOS System Extension? 5. Do I need a specific provisioning profile or App ID capability beyond Developer ID + notarization?

I received an email saying this: Your iOS Distribution Certificate will no longer be valid in 30 days. To generate a new certificate, sign in and visit Certificates, Identifiers & Profiles. If I don't correct that situation, what will be the consequences for my apps' users? The Apple documentation is vague on this, because they seem to automatically assume that I plan to comply and renew the cert. However I don't own a Mac at present, nor an iOS device. My apps are monetarily free, so no financial incentive exists to buy either. If I don't renew the distribution cert again (maybe by borrowing a Mac), will my apps' existing users be adversely affected? FWIW, my apps don't support iCloud in any way. I would also note that the "Certificates, Identifiers & Profiles" section isn't visible anywhere; I'm using Firefox.

Hello there, Apologies for this most basic question!. We have an iOS application and no developers left to work on it. That is fine as we are not planning on making any changes to the app for a long time, however, we have just received an email stating that our "iOS Distribution Certificate" is due to expire soon. We have looked through the documentation but it is very technical. Firstly, what I am trying to understand is: The only options we have under "Certificates, Identifiers & Profiles" on the Apple Developer web site are "Download" and "Revoke". Do we have to "Revoke" the certificate before creating a new one? If so, won't this stop the released app from working? Is it possible to just re-create the certificates from the Apple Developer web site without re-releasing the iOS app? Or do you have to sign the app with the new certificates in XCode and re-release it? Many thanks!

我们开发了一款SDK，并用自签名证书对SDK进行了签名，我们的证书会在2025年1月30日到期，到期后对已发布至appstore的app会有影响吗？ 用户在2025年1月31日打开app时，会因为自签名证书到期而闪退吗？有不少app集成了我们的SDK，这个问题对我们来说非常紧急和重要，麻烦尽快回复，谢谢！ 以下是我们的签名步骤： 自签名步骤：self-signed certificate xcframework 1、钥匙串创建：证书助理-创建证书-自签名根证书+代码签名 2、自行签名根证书修改信任设置 3、对已经打包好的xcframework进行签名 （官方命令示例）codesign --timestamp -v --sign "证书名字" ~/Desktop/MySDK.xcframework

When connected to the company's internal network without accessing the Internet, can an IPA installation package be generated if the certificate files are imported in advance?

I am trying to make a driver release, but failing (I think) because the manually generated distribution profiles are for the MacOS platform only, rather than MacOS and iOS together. As far as I can tell, everything is correct in the manual profiles apart from the platform. The necessary entitlements appear to be correct. In contrast, Xcode generated profiles list both MacOS and iOS as the platform and work fine for development and to generate a release archive. But Archives 'Distribute Content' gives only 'Custom' as a distribution mechanism, and no option for notarization. So, the question is: is this a problem with my developer account (and if so, what is the appropriate channel to fix it!), or is this something subtle in the project configuration?

I have created a XPC server and client using C APIs. I want to ensure that I trust the client, so I want to have a codesigning requirement on the server side, something like - xpc_connection_set_peer_code_signing_requirement(listener, "anchor apple generic and certificate leaf[subject.OU] = \"1234567\"") This checks if the client code was signed by a code-signing-identity issued by Apple and that the teamID in the leaf certificate is 1234567. My questions are- Is using teamID as a signing requirement enough? What else can I add to this requirement to make it more secure? How does xpc_connection_set_peer_code_signing_requirement work internally? Does it do any cryptographic operations to verify the clients signature or does it simply do string matching on the teamID? Is there a way actually verify the clients signature(cryptographically) before establishing a connection with the server? (so we know the client is who he claims to be)

Hi everyone, I am doing my app playground, when I change the development team or try to clear it, this bug happend? So I wonder do I have to remove it when I submit my work or just leave it there. Signing for "myapp" requires a development team. Select a development team in the Signing & Capabilities editor.

In an expo managed project which utilizes custom expo plugins, we're having trouble getting the keychain-access-groups entitlement inserted to our provisioningprofile for signing. The provisioning profile we download from apple dev portal contains: <key>keychain-access-groups</key> <array> <string>56APMZ7FZY.*</string> <string>com.apple.token</string> </array> and this is not recognized by xcode for signing; an error is thrown: Provisioning profile "ccpp" doesn't include the com.apple.developer.keychain-access-groups entitlement. A matching error is thrown during EAS build. So we need to find a way to modify the ccpp.mobileprovision locally and then sign the build using the modified ccpp.mobileprovision. Or, we need guidance on the proper way to resolve this situation. Questions: why does the downloaded mobileprovision file have the keychain-access-groups key, and not com.apple.developer.keychain-access-groups? Both Xcode and EAS appear to demand the latter keyname. when I use expo prebuild, I am able to see the following in the .entitlements file: <key>com.apple.developer.keychain-access-groups</key> <array> <string>$(AppIdentifierPrefix)com.myapp</string> </array> I am adding this entitlement using a custom expo plugin. However, the mobileprovision file downloaded from apple developer portal has no knowledge of this setting which is only applied through expo prebuild. So what I am left with at the end is an entitlements file generated by my expo prebuild which has the correct setting, and a provisioningprofile downloaded from dev portal with an incorrect setting, and I don't know how to mend the downloaded provisioningprofile (incorrect setting) with my local entitlements file (correct setting).

I have some questions regarding App Group Id's and use of the FileManager during an Appstore iOS transfer. I've read a lot of the topics here that cover app groups and iOS, but it's still unclear exactly what is going to happen during transfer when we try to release an updated version of the app from the new account. We're using this method FileManager.default.containerURL(forSecurityApplicationGroupIdentifier: "group.com.foo.bar") to store files on the device that are important for app launch and user experience. Once we transfer the app and begin the process of creating a new version under the new account will we be able to read the files that are stored using this app group id under the new account? What steps do we need to take in order to handle this and continue being able to access these files? It seems like the app group is not transferred in the process? I've seen some users mention they removed the app group from the original account and created it again under the receiving account (with notes mentioning this is undocumented behavior). These conversations we're centered around Shared user defaults, and that applies as well but I'm more concerned with reading the values from the file system. Thanks!

I have read the posted solution threads and am still stuck with solving this issue. I have created a python app that works perfect on my machine and I would like to distribute externally via .zip file. I have created a certificate and downloaded it (G2 Sub-CA (Xcode 11.4.1 or later)) Next i have installed the Çert into the login keychain along with the Matching G2 Intermediate Cert (in system) and the proper Root Cert. However I am still not getting a proper chain when evaluating the developer certificate and I am at a loss at this point. I would love to pay someone to simply walk me through it if anyone has some time to solve this problem with me so I can run the notarytool and then distribute my application. Thanks!

I am trying to build/deploy app to my phone however I get this message: "provisioning profile doesn't include the currently selected device" My developer account is pretty old one and used to be one the paid-version one. My understanding is that I should be able to deploy apps using free account but I don't see where I can add or delete devices....stuck in the loop over here! :-) I've created support request via email but I don't know if that is being worked or not...four days since I put it in. I suppose my other options are new apple-id or pay $99 and hope apple pays attention then? Any other suggestions?