Certificates, Identifiers & Profiles

Discuss the technical details of security certificates, identifiers, and profiles used by the OS to ensure validity of apps and services on device.

Certificates, Identifiers & Profiles Documentation

Post

Replies

Boosts

Views

Activity

Root Certificate not accessible
While trying to create a new Distribution (iOS) certificate after the old one expired I came across the situation that we do not have the root certificate that was originally created. It was created on a mac of an employee that no longer works for us and which is not cooperative anymore. Is there any way around this, or to create a new root certificate that enables us to create trusted certificates to release updates for our app? I'm new to this whole certificate workflow so I'd be very thankful for any input that lets us progress. Best Regards, Hans
1
0
440
Aug ’23
Changed from Enterprise to regular developer account and certs from old were revoked?!?!?!
We changed from Enterprise to a regular developer account and understood our existing apps in the wild signed under the Enterprise account would be fine. However as of this morning it seems those certificates were revoked and attempts to launch are informing users that the application will harm their computer. Can this be undone so they work and avoid thousands of people needing to get a new dmg and re-install??
2
0
538
Jul ’23
error: Provisioning profile "Aaron_Dev_2" has platforms "watchOS and iOS", which does not match the current platform "macOS". and two more provisioning profile errors in xcode archive step in Azure pipeline for ionic cordova application.
My company has an Azure pipeline to build our ionic cordova application and produce an IPA file. The Xcode archive step has suddenly started failing with the following errors.

/Users/runner/work/1/s/platforms/ios/xxxxx.xcodeproj: error: Provisioning profile "Aaron_Dev_2" has platforms "watchOS and iOS", which does not match the current platform "macOS". (in target 'xxxxx' from project 'xxxxx')
/Users/runner/work/1/s/platforms/ios/xxxxx.xcodeproj: error: Provisioning profile "Aaron_Dev_2" doesn't include the com.apple.security.get-task-allow entitlement. Profile qualification is using entitlement definitions that may be out of date. Connect to network to update. (in target 'xxxxx' from project 'xxxxx')
/Users/runner/work/1/s/platforms/ios/xxxxx.xcodeproj: error: Provisioning profile "Aaron_Dev_2" doesn't include the currently selected device "Mac-1689862983816.local" (identifier 4203018E-580F-C1B5-9525-B745CECA79EB). (in target 'xxxxx' from project 'xxxxx')

The script being run is:

xcodebuild -workspace ./platforms/ios/xxxxx.xcworkspace -scheme xxxxx archive -archivePath $(Build.SourcesDirectory)/output/xxxxx.xcarchive

And is being run in Azure pipeline using a macOS pool. I have seen a post with a similar error to my second error saying to change the signing from manual to automatic but I'm not sure how to do that. I have also checked the entitlements on the provisioning profile and it does include get-task-allow. Nothing has changed with the profile since it started failing and the version of Xcode being used in the build is the same as when the pipeline was running successfully. Any suggestions would be appreciated. Thanks, Aaron
1
1
611
Jul ’23
error: Provisioning profile "Aaron_Dev_2" has platforms "watchOS and iOS", which does not match the current platform "macOS". and two more provisioning profile errors with xcode archive step in building ionic cordova app in Azure pipelines.
I have a pipeline to build my company's ionic cordova app to produce an IPA file. The xcode archive step just started failing on the following errors.

/Users/runner/work/1/s/platforms/ios/xxxxx.xcodeproj: error: Provisioning profile "Aaron_Dev_2" has platforms "watchOS and iOS", which does not match the current platform "macOS". (in target 'xxxxx' from project 'xxxxx')
/Users/runner/work/1/s/platforms/ios/xxxxx.xcodeproj: error: Provisioning profile "Aaron_Dev_2" doesn't include the com.apple.security.get-task-allow entitlement. Profile qualification is using entitlement definitions that may be out of date. Connect to network to update. (in target 'xxxxx' from project 'xxxxx')
/Users/runner/work/1/s/platforms/ios/xxxxx.xcodeproj: error: Provisioning profile "Aaron_Dev_2" doesn't include the currently selected device "Mac-1689862983816.local" (identifier 4203018E-580F-C1B5-9525-B745CECA79EB). (in target 'xxxxx' from project 'xxxxx')

The script being run is

xcodebuild -workspace ./platforms/ios/SSEAirtricity.xcworkspace -scheme SSEAirtricity archive -archivePath $(Build.SourcesDirectory)/output/SSEAirtricity.xcarchive

And is run in Azure pipelines using a macOS pool. I have created new profiles and certificates but they always give the same error. Nothing has changed with the profiles to cause the pipeline to suddenly fail so I'm wondering if it could be something to do with the Xcode version, although the same version was being used when the pipeline last ran successfully, 14.2. I have read here of a similar error to my second error that can be resolved by using manual signing but I don't know how to change it from automatic to manual. https://developer.apple.com/forums/thread/733011 I have also checked the entitlements on the profile and get-task-allow is included. Any suggestions would be most welcome. Thanks, Aaron
1
1
605
Jul ’23
Xcode Cloud Issues within certificate signing
Hello, I am attempting to use Xcode Cloud to build my application (specifically running the 'xcode archive' command); however, have been running into an issue relating to certificate signing. All the questions/documentation surrounding this issue seem to be related to local builds. For the project, I'm using automatic signing with my org as the 'Team' without a Provisioning Profile. I have 'Apple Development' set as the 'Code Signing Identity' with 'Code Signing Style' set to 'Automatic'. The error I'm getting:

No signing certificate "iOS Development" found: No "iOS Development" signing certificate matching team ID "<TEAM_ID>" with a private key was found. (in target '<PROJECT_NAME>' from project '<PROJECT_NAME>')

Any help would be greatly appreciated. Thanks!
4
2
1.2k
Jul ’23
Invalid Signature. Code failed to satisfy specified code requirement(s).
Hello Apple team, We're having a problem submitting one of our apps to TestFlight via Xcode Cloud. We have over 10 apps with the same codebase and all of them build successfully. However, one application fails to build in Xcode Cloud, although there is no problem with manual build. We would appreciate your help in resolving this situation. Can you please help us resolve this issue? We are ready to provide additional information or logs to clarify the causes of the error. Sincerely, Anton Babich

Xcode Cloud Archive - iOS encountered a failure that caused the build to fail.

Prepare Build for App Store Connect
Invalid Signature. Code failed to satisfy specified code requirement(s). The file at path “moBiel Live.app/Frameworks/grpcpp.framework/grpcpp” is not properly signed. Make sure you have signed your application with a distribution certificate, not an ad hoc certificate or a development certificate. Verify that the code signing settings in Xcode are correct at the target level (which override any values at the project level). Additionally, make sure the bundle you are uploading was built using a Release target in Xcode, not a Simulator target. If you are certain your code signing settings are correct, choose “Clean All” in Xcode, delete the “build” directory in the Finder, and rebuild your release target. For more information, please consult https://developer.apple.com/support/code-signing.

Prepare Build for App Store Connect
Invalid Signature. Code failed to satisfy specified code requirement(s). The file at path “moBiel Live.app/Frameworks/Braintree.framework/Braintree” is not properly signed. Make sure you have signed your application with a distribution certificate, not an ad hoc certificate or a development certificate. Verify that the code signing settings in Xcode are correct at the target level (which override any values at the project level). Additionally, make sure the bundle you are uploading was built using a Release target in Xcode, not a Simulator target. If you are certain your code signing settings are correct, choose “Clean All” in Xcode, delete the “build” directory in the Finder, and rebuild your release target. For more information, please consult https://developer.apple.com/support/code-signing.
5
2
2.3k
Jul ’23
TestFlight, Provisioning Profiles, and the Mac App Store
I regularly come across Mac developers who have an app in the Mac App Store but are unable to submit it to TestFlight. This post explains a common cause of that problem.

If you have any questions or comments about this, start a new thread and tag it with Provisioning Profiles and TestFlight so that I see it.

Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

TestFlight, Provisioning Profiles, and the Mac App Store

A provisioning profile authorises a device to run your app. For historical reasons, not all Mac apps need a provisioning profile. A Mac app only needs a profile if it uses a restricted entitlement, that is, an entitlement that must be authorised by a profile. For more background on this, see TN3125 Inside Code Signing: Provisioning Profiles and, specifically, its Entitlements on macOS section.

IMPORTANT Your Mac App Store apps must be signed with the App Sandbox Entitlement, but that entitlement is unrestricted.

This means that many Mac App Store apps ship without a provisioning profile, and that’s absolutely fine. However, these apps run into problems with TestFlight. To submit an app to TestFlight, it must have a provisioning profile. If you attempt to submit an app without a profile to TestFlight, it’ll fail with an error like this:

ITMS-90889: Cannot be used with TestFlight because the bundle at 'MyApp.app' is missing a provisioning profile. Main bundles are expected to have provisioning profiles in order to be eligible for TestFlight.

The fix is to give your app a profile. How you do this depends on how you build your app.

Fix an app built with Xcode

If you build your app with Xcode, the fix is relatively straightforward: Sign your app with a restricted entitlement. This causes Xcode’s code signing machinery to kick in. If you have automatic code signing enabled, Xcode will sort this all out for you. If you use manual signing, Xcode will highlight the problems you need to solve.

A good restricted entitlement to use is the Keychain Access Groups Entitlement. Enable this by adding Keychain Sharing to the Signing & Capabilities editor for your app. You have two options here:

- Leave the Keychain Groups list empty. This will fix this problem while having no effect on any keychain code in your app.
- Use this as an opportunity to switch to the data protection keychain. In this case you might want to add one or more keychain access groups.

For an explanation as to why you might want to switch to using the data protection keychain, see TN3137 On Mac keychain APIs and implementations. For more information about keychain access groups, see Sharing Access to Keychain Items Among a Collection of Apps.

Fix an app built outside of Xcode

If you don’t use Xcode to build your app:

1. Use Developer > Account > Identifiers to create an App ID for your app. Remember that your App ID is the combination of an App ID prefix and your app’s bundle ID. For new App IDs, use your Team ID as the App ID prefix.
2. Use Developer > Account > Profiles to create a macOS App Development provisioning profile for that App ID.
3. Use Developer > Account > Profiles to create a Mac App Store distribution provisioning profile for that App ID.
4. Update your build system to embed a provisioning profile into your app. Use the profile from step 2 for development-signed builds and the one from step 3 for distribution-signed builds. For information about where to place the profile, see Placing Content in a Bundle.
5. Add the following to your .entitlements:
   - A com.apple.application-identifier property whose value is your App ID
   - A com.apple.developer.team-identifier property whose value is your Team ID
6. Build your app and check your work by dumping the entitlements claimed by your app and the entitlements authorised by your provisioning profile. For the specific commands to use, see TN3125 Inside Code Signing: Provisioning Profiles.

WARNING In step 1, if your team has any unique App ID prefixes registered, the Developer website might default to using one of those legacy values rather than your Team ID (r. 70571514). If the App ID Prefix value is a popup, select your Team ID from the list. If the App ID value is a read-only copy of your Team ID, your team has no unique App ID prefixes, and so the Developer website always uses your Team ID as the App ID prefix.

IMPORTANT In step 5, make sure that your .entitlements file is only applied to the app itself, not to any nested code. For more on this, see the Entitlements and Nested Code section below. Historically you might have been able to get away with using a single .entitlements file for all your code. Once you start adding restricted entitlements, like com.apple.application-identifier, this bad practice will cause problems.

For general information about how to sign and package apps outside of Xcode, see Creating Distribution-Signed Code for Mac and Packaging Mac Software for Distribution.

Entitlements and Nested Code

An App Store app might contain the following code:

- The app itself
- Nested libraries, like a framework or a dynamic library
- Nested executables, like a helper tool or an app extension

Step 5 in the previous section specifically refers to the entitlements of the main app.

When it comes to nested code, the first case is easy: Never add entitlements to nested libraries. It doesn’t do anything useful and can prevent your code from running.

The story with nested executables is more nuanced. To start, every nested executable must be signed with at least one entitlement because:

- All App Store executables must be sandboxed.
- You enable the App Sandbox with the com.apple.security.app-sandbox entitlement.

In many cases a nested executable only needs unrestricted entitlements, like com.apple.security.app-sandbox and com.apple.security.inherit. In that case the nested code doesn’t need a provisioning profile.

If a nested executable uses restricted entitlements, it needs a provisioning profile to authorise the use of those entitlements, and its own unique App ID to tie the executable to the profile. Place this profile in the nested executable’s bundle, according to the rules in Placing Content in a Bundle.

IMPORTANT The nested code can’t ‘piggyback’ off the app’s provisioning profile. It needs its own profile with its own unique App ID.

Revision History

- 2023-08-17 Added the Entitlements and Nested Code section. Made other minor editorial changes.
- 2023-07-17 First posted.
0
0
2.5k
Jul ’23
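An added example for step 6 of the post above (not code from the post or from Apple): it compares the restricted entitlements an app claims against those its provisioning profile authorises. The sample Team ID, bundle ID and profile bytes are constructed, and the profile reader only slices the XML payload out of the CMS blob without verifying its signature.

```python
import plistlib

# Restricted entitlements discussed in the post; each must be authorised by a profile.
RESTRICTED = (
    "com.apple.application-identifier",
    "com.apple.developer.team-identifier",
    "keychain-access-groups",
)

def profile_payload(cms_bytes):
    """Return the plist carried inside a provisioning profile (signature NOT verified)."""
    start = cms_bytes.find(b"<?xml")
    end = cms_bytes.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no plist payload found in profile")
    return plistlib.loads(cms_bytes[start:end + len(b"</plist>")])

def _covers(allowed, claimed):
    """A profile value covers a claim if equal, or if it ends in '*' and prefixes it."""
    if isinstance(allowed, str) and isinstance(claimed, str) and allowed.endswith("*"):
        return claimed.startswith(allowed[:-1])
    return allowed == claimed

def _authorised(allowed, claimed):
    allowed_values = allowed if isinstance(allowed, list) else [allowed]
    claimed_values = claimed if isinstance(claimed, list) else [claimed]
    return all(any(_covers(a, c) for a in allowed_values) for c in claimed_values)

def check_signing(claimed, profile, bundle_id):
    """List the mismatches between claimed entitlements and the embedded profile."""
    if profile is None:
        return ["no embedded provisioning profile: TestFlight rejects the bundle (ITMS-90889)"]
    problems = []
    allowed = profile.get("Entitlements", {})
    for key in RESTRICTED:
        if key not in claimed:
            continue  # unclaimed entitlements need no authorisation
        if key not in allowed:
            problems.append(f"{key}: claimed but not authorised by the profile")
        elif not _authorised(allowed[key], claimed[key]):
            problems.append(f"{key}: {claimed[key]!r} not covered by {allowed[key]!r}")
    # The App ID is an App ID prefix followed by the app's bundle ID.
    app_id = claimed.get("com.apple.application-identifier")
    if app_id is None:
        problems.append("com.apple.application-identifier missing from the app's entitlements")
    elif app_id.split(".", 1)[-1] != bundle_id:
        problems.append(f"App ID {app_id!r} does not end in bundle ID {bundle_id!r}")
    return problems

# Constructed sample data: placeholder Team ID, bundle ID and fake CMS framing bytes.
TEAM = "TEAMID1234"
BUNDLE_ID = "com.example.myapp"
SAMPLE_PROFILE = b"\x30\x82\x1f\x00" + plistlib.dumps({
    "Name": "Example Mac App Store profile",
    "Entitlements": {
        "com.apple.application-identifier": f"{TEAM}.{BUNDLE_ID}",
        "com.apple.developer.team-identifier": TEAM,
        "keychain-access-groups": [f"{TEAM}.*"],
    },
}) + b"\x00\x00constructed-signature-bytes"
SAMPLE_CLAIMED = {
    "com.apple.security.app-sandbox": True,   # unrestricted, so not checked
    "com.apple.application-identifier": f"{TEAM}.{BUNDLE_ID}",
    "com.apple.developer.team-identifier": TEAM,
    "keychain-access-groups": [],             # the "leave the list empty" option
}

if __name__ == "__main__":
    for line in check_signing(SAMPLE_CLAIMED, profile_payload(SAMPLE_PROFILE), BUNDLE_ID) or ["OK"]:
        print(line)
```
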
Mystified by certificate renewal process
I got an email from Apple, "Your Developer ID Installer Certificate will no longer be valid in 30 days". So I went to my certificates page on developer.apple.com, and I see the attached photo. Basically, yes, I have a Developer ID Installer Certificate that expires 2023/07/01; but I also have one that expires 2025/12/08, and one that expires 2026/01/09, and one that expires 2026/12/15, and another that expires 2026/12/16! Why do I have all these certificates? I have no idea. There is a "+" button to add a new one; but given that I already seem to have ones that won't expire for several more years, do I need to? There does not seem to be a "-" button, or any way to clear out this cruft. I then recalled that perhaps I have managed my certificates in Xcode in the past, not on this page (or maybe I have done both, at different times?). So I went to Xcode, and things seem to be rather a mess there too, but in a different way (second image attached). Here, I seem to have lots of stale certificates that are in gray and say "Not in Keychain" – how do I clear those out? Again there does not seem to be a "-" button. And the newer ones that I saw on developer.apple.com do not seem to be listed here, maybe – it's hard to compare, though, because on developer.apple.com it shows the expiration date but not creation date, whereas in Xcode it shows creation date but not expiration date. What should I do? Note that I am not a member of multiple different teams, or anything like that; I'm a solo developer. This stuff is really confusing and does not seem to be well-documented anywhere that I have found. Am I just being dense?
8
1
1.5k
Jun ’23
JPackage : mac-signing-key-user-name?
I am trying to sign a Java application, packaged in a disk image, via jpackage, invoked via Ant (so no XCode anywhere). The packaging itself works fine, but I am having trouble figuring out the signing parameters. In particular, it seems I will have to provide a parameter --mac-signing-key-user-name What value should I give to this parameter? I have an Apple Developer Account (well, obviously...), I have generated a certificate and quite a few other things, but I am confused as to what the "signing-key-user-name" should be. The error message I currently get from jpackage is: No certificate found matching [...] using keychain [] I am on MAC OS 12.6 and JDK 17. Any help would be greatly appreciated.
3
0
1.1k
Oct ’22
Cannot add provisioning profile to any devices with Xcode
Hello. I have an iOS app written in Xamarin, but this issue is not related to Xamarin or Visual Studio. I am trying to deploy my xamarin app onto an iOS device, but I am unable to get the iOS device to install the provisioning profile via Xcode. I work at a company with a decent variety of test devices and the result seems to be the same from iPads to iPods to iPhones of various ages. I have created a certificate and a provisioning profile. The certificate is associated with the provisioning profile on the developer portal. I have imported the certificate (including private keys) into my login keychain on MacOS. I have the .mobileprovision file downloaded to the machine. I am signed into Xcode with my apple developer account. In Xcode, I went to Window > Devices and Simulators and selected my device. I right clicked my device and selected "Show Provisioning Profiles". I clicked the plus and chose my .mobileprovision file. I get the same error on every device:

Failed to install one or more provisioning profiles on the device. Please ensure the provisioning profile is configured for this device. If not, please try to generate a new profile.

This is an incredibly vague and unhelpful error. I'm not really sure what it means by "configured for this device". Not sure where to go from here
7
5
11k
Jul ’22
Xcode 14 signing & capabilities requires a DriverKit development profile
Xcode version : 14.0 Beta 3
macOS version : 13 Beta 3(22A5295i)

Hi, I'm signing the DriverKit in Developer ID Application type profile with Developer ID Application (With Kext) type certificate on Xcode. But status shows error with "Xcode 14 and later requires a DriverKit development profile enabled for IOS and macOS. Visit the developer website to create or download a DriverKit profile" I have downloaded all profiles and Certificates to my Mac and installed all of them, then checked the website. I'm wondering what's different between "Development type" & "Developer ID Application type" profile ? and the reason why

"2022-07-22 14:41:54.162815+0800 0x22ee2    Error       0x0                  138    0    kernelmanagerd: Error occurred while handling request "DextLaunch(arguments: Optional(["Driver Extension Server Name": com.asix.dext.usbdevice, "Check In Token": 371, "Driver Extension Server Tag": 4294975444, "CFBundleIdentifier": com.asix.dext.usbdevice, "DriverKit Reslide Shared Cache": 0, "kOSBundleDextUniqueIdentifier": <222f1e51 f5e890f7 b467c2a0 da761dbd 9b14dc5f 1bf56ff6 4eeab6b2 fed9683c>]))": Error Domain=NSPOSIXErrorDomain Code=8 "Exec format error"

error code show on when I starting the app. I'll appreciate that someone can give me some idea or suggestions. Thanks a lot.
9
1
4.7k
Jul ’22
No profiles for 'xxxx.app.development' were found: Xcode couldn't find any iOS App Development provisioning profiles matching 'xxxx.app.development'
I am trying to compile Xcode project on an online platform Bitrise. I am facing issue with sign in and provisioning .. after trying 4-5 days I am approaching you. Please solve this. ❌ error: No profiles for 'my app bundle id' were found: Xcode couldn't find any iOS App Development provisioning profiles matching 'my app bundle id'. Automatic signing is disabled and unable to generate a profile. To enable automatic signing, pass -allowProvisioningUpdates to xcodebuild. (in target 'myapp-Development' from project 'myapp') How to enable this "allowProvisioningUpdates" also why it is too difficult to do such processes with apple development.. I tried for android and it compiled successfully in a single attempt. please help.
5
0
9k
Jun ’21
How to delete certificates?
How to delete certificates from "Certificates, Identifiers & Profiles?" I have a new Mac and need to create new certificate for it but there is no option of deleting or editing of the existing certificates. When trying to add a new one the option is greyed out with the following comment: Developer ID Application This certificate is used to code sign your app for distribution outside of the Mac App Store. Maximum number of certificates generated.
7
1
9.1k
Feb ’21
Can’t enforce safari as default browser
I would like to know on a mdm managed supervised device, how to force use Safari if a user has non-safari browser set as default. can enforcing safari for a domain or web clip be done? even shortcuts now, when using safari it opens whatever is set as default browser. Ironically if same simple shortcut of open URL with Chrome is created it opens with Chrome, regardless if default browser is set to firefox for example this default browser setting is great for personal use but cause issues now for corporate use for me anybody else figure this out? Also affects certificates for our managed devices
2
0
2.2k
Nov ’20
The audience in ID Token [com.name.apop] does not match the expected audience.
I am trying to implement sign in with apple with firebase. I cannot get around an issue where I get the following error when attempting a sign in:

When running:

    Auth.auth().signIn(with: credential) { (authResult, error) in

I get:

    nil credential = OAuthProvider.credential Optional(Error Domain=FIRAuthErrorDomain Code=17004 "The audience in ID Token [com.name.app] does not match the expected audience." UserInfo={NSLocalizedDescription=The audience in ID Token [com.name.app] does not match the expected audience., FIRAuthErrorUserInfoNameKey=ERROR_INVALID_CREDENTIAL}) Optional("The audience in ID Token [com.name.app] does not match the expected audience.")

I have added my URL as stated on firebase to my identifier. To complete set up, add this authorization callback URL to your app configuration in the Apple Developer Console. Additional steps may be needed to verify ownership of this web domain to Apple.

More code:

    func authorizationController(controller: ASAuthorizationController, didCompleteWithAuthorization authorization: ASAuthorization) {
      if let appleIDCredential = authorization.credential as? ASAuthorizationAppleIDCredential {
        guard let nonce = currentNonce else {
          fatalError("Invalid state: A login callback was received, but no login request was sent.")
        }
        guard let appleIDToken = appleIDCredential.identityToken else {
          print("Unable to fetch identity token")
          return
        }
        guard let idTokenString = String(data: appleIDToken, encoding: .utf8) else {
          print("Unable to serialize token string from data: \(appleIDToken.debugDescription)")
          return
        }
        print("credential = OAuthProvider.credential")
        // Initialize a Firebase credential.
        let credential = OAuthProvider.credential(withProviderID: "apple.com",
                                                  idToken: idTokenString,
                                                  rawNonce: nonce)
        //Auth.auth().createUser(withEmail: T##String, password: T##String, completion: T##AuthDataResultCallback?##AuthDataResultCallback?##(AuthDataResult?, Error?) -> Void)
        // Sign in with Firebase.
        Auth.auth().signIn(with: credential) { (authResult, error) in
          print(Auth.auth().currentUser?.uid ," credential = OAuthProvider.credential ", error)
2
0
8.7k
Oct ’20
Getting a "certificate is not trusted" error for iOS Distribution Certificate
To support an older version of an iOS app, I needed to install Mojave with Xcode 9. I create a CSR and from there generate an iOS Distribution certificate online, which I download and double click to install in Keychain. However, when viewing in Keychain, it shows in red "iPhone Distribution: CompanyName certificate is not trusted". I'm not sure what I'm doing wrong as I follow the instructions to the T and have done this in the past with success. NOTE: I tried this with Sierra as well and got the same issue. It only seems to work on Catalina, which doesn't help me because I need an older version of Xcode.
48
9
96k
Sep ’20