I've updated Xcode to 16.1, then I've created a new provisioning profile in developer.apple.com, successfully built and signed my application. It was on monday, 2024-11-04. Two or three days later I was asked to add more devices and I had to create a new profile. I've noticed a new feature to control profile's name (yeah, cool!), had to accept new agreements. Then, have created a new profile, downloaded it, but could not add it with double-click to Xcode or import to Keychain Access - "Failed to install one or more provisioning profiles on the device". And whatever I tried, I couldn't register any new profiles since. Therefore, my app cannot be signed and tested anymore. This is quite weird as nothing has changed on the system throughout the week. Is this a known issue or is there any fix for that?

mac .cer证书不能导出.p12证书 不知道那个步骤出错

Hi Developer Community, I'm encountering persistent code signing failures on macOS Sonoma 15.3 with a valid Developer ID Application certificate. The error occurs consistently across multiple certificate regenerations and various troubleshooting approaches. Environment macOS Version: Sonoma 15.3 Developer Account Type: Developer ID Certificate Type: Developer ID Application Certificate Details: Developer ID Application certificate valid until 2027 Using SHA-256 with RSA Encryption Certificate shows as valid in Keychain Access with associated private key Error Message Warning: unable to build chain to self-signed root for signer "Developer ID Application: [my certificate]" [filename]: errSecInternalComponent Steps to Reproduce Install certificate chain in order: Apple Root CA (System keychain) Apple WWDR CA (System keychain) Developer ID CA (System keychain) Developer ID Application certificate (Login keychain) Verify certificate installation: security find-identity -v -p codesigning Result shows valid identity. Attempt code signing with any binary: codesign -s "Developer ID Application: [my certificate]" -f --timestamp --options runtime [filename] Results in errSecInternalComponent error Troubleshooting Already Attempted Regenerated Developer ID Application certificate multiple times from Developer Portal Completely removed and reinstalled entire certificate chain Verified trust settings on all certificates (set to "Always Trust" for code signing) Tried multiple codesign command variations including --no-strict flag Verified keychain integrity Installed latest Apple CA certificates from apple.com/certificateauthority Verified certificate chain is properly recognized by security verify-cert Additional Information All certificates show as valid in Keychain Access Private key is properly associated with Developer ID Application certificate Trust settings are correctly configured for all certificates in the chain Problem persists after clean certificate installations Error occurs with any binary I try to sign Has anyone else encountered this issue on Sonoma 15.3? Any suggestions for resolving this system-level certificate trust chain issue would be greatly appreciated. Thanks in advance!

Howdy, I thought this would be an easy question, but it turns out it's really not! In fact, it flies in the face of how the Apple ecosystem is set up. That said, I still need an answer to be able to inform our customers of what their app update options are. The question: Does app store provisioning ever expire? Based on the very limited information I can find, it either expires in one year, two years, or never. Anecdotal evidence seems to indicate that the answer could be never, but I need to confirm this. The use case: Some of our customers are very old school. They tend to find a technical solution and stick with it. As such, they do not update apps regularly on their field iPads. They generally only update when they are forced to. They use MDM to deploy the app, and would set the MDM not to pull updated apps from the app store when available, essentially keeping the same version of the app in use for as much as 3 years or more. If this were to happen, I need to know if the provisioning for the old version of the app will ever expire if they get it from the app store. I know with an enterprise deployment of .ipa files via MDM, the app provisioning/certificate will expire after 1 or 2 years (can't remember which atm), but I can't find an answer about app store provisioning. Hopefully someone can provide me with an answer on this forum. Thanks in advance, Mapguy

Hi there! I have an issue with uploading a PKG installer to the MacOS AppStore. Uploading with: xcrun altool --upload-app -t macos -f $PKGPATH -u $DEVELOPER_ID -p $APP_SPECIFIC_PWD results in error: *** Error: Validation failed Invalid Provisioning Profile. The provisioning profile included in the bundle com.frogblue.frogCom [com.frogblue.frogCom.pkg/Payload/frogSIP.app] is invalid. [Missing code-signing certificate.] For more information, visit the macOS Developer Portal. (ID: fc4e5488-6d09-4ab2-b1f7-017a33c69723) (409) Application seems to be correctly code signed with „3rd Party Mac Developer Application“ certificate. codesign -dv --verbose=4 /Users/dietmar.finkler/Desktop/frogSIP/deploy/frogSIP.app Identifier=com.frogblue.frogCom Format=app bundle with Mach-O universal (x86_64 arm64) CodeDirectory v=20500 size=266432 flags=0x10000(runtime) hashes=8315+7 location=embedded VersionPlatform=1 VersionMin=720896 VersionSDK=918784 Hash type=sha256 size=32 CandidateCDHash sha256=923de799a54616706b76050b50b7ee6d59f8355a CandidateCDHashFull sha256=923de799a54616706b76050b50b7ee6d59f8355a65aa7cce03e34bb2033da1e9 Hash choices=sha256 CMSDigest=923de799a54616706b76050b50b7ee6d59f8355a65aa7cce03e34bb2033da1e9 CMSDigestType=2 Executable Segment base=0 Executable Segment limit=31604736 Executable Segment flags=0x1 Page size=4096 CDHash=923de799a54616706b76050b50b7ee6d59f8355a Signature size=9109 Authority=3rd Party Mac Developer Application: frogblue TECHNOLOGY GmbH (UG2P6T5LNH) Authority=Apple Worldwide Developer Relations Certification Authority Authority=Apple Root CA Timestamp=26.02.2025 at 10:07:08 Info.plist entries=31 TeamIdentifier=UG2P6T5LNH Runtime Version=14.5.0 Sealed Resources version=2 rules=13 files=1124 Internal requirements count=1 size=212 The PKG build with productbuild seems also be correctly code signed with„3rd Party Mac Developer Installer“ certificate. pkgutil --check-signature /Users/dietmar.finkler/Desktop/frogSIP/frogSIP-1.2a2.pkg Status: signed by a developer certificate issued by Apple (Development) Certificate Chain: 1. 3rd Party Mac Developer Installer: frogblue TECHNOLOGY GmbH (UG2P6T5LNH) Expires: 2026-02-25 17:17:54 +0000 SHA256 Fingerprint: D1 9E AC 27 C7 26 F3 2E 1E F5 50 2C 7A 1B 1D FB 54 D6 17 C1 1C 58 C1 7E F8 87 B6 44 D1 49 17 DC ------------------------------------------------------------------------ 2. Apple Worldwide Developer Relations Certification Authority Expires: 2030-02-20 00:00:00 +0000 SHA256 Fingerprint: DC F2 18 78 C7 7F 41 98 E4 B4 61 4F 03 D6 96 D8 9C 66 C6 60 08 D4 24 4E 1B 99 16 1A AC 91 60 1F ------------------------------------------------------------------------ 3. Apple Root CA Expires: 2035-02-09 21:40:36 +0000 SHA256 Fingerprint: B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C 68 C5 BE 91 B5 A1 10 01 F0 24 KeyChain login items show both "3rd Party Mac Developer Application" and "3rd Party Mac Developer Installer“ certificates. But checking with security find-identity -v -p codesigning shows only the "3rd Party Mac Developer Application“ certificate. "3rd Party Mac Developer Installer“ is missing. I check also the entitlement in the app package, which looks ok for me. codesign -d --entitlements :- /Users/dietmar.finkler/Desktop/frogSIP/deploy/frogSIP.app <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>com.apple.application-identifier</key><string>UG2P6T5LNH.com.frogblue.frogCom</string><key>com.apple.developer.aps-environment</key><string>production</string><key>com.apple.developer.associated-domains</key><array><string>applinks:go.dev.frogblue.cloud</string><string>applinks:go.test.frogblue.cloud</string><string>applinks:go.prod.frogblue.cloud</string></array><key>com.apple.developer.team-identifier</key><string>UG2P6T5LNH</string><key>com.apple.security.app-sandbox</key><true/><key>com.apple.security.cs.disable-library-validation</key><true/><key>com.apple.security.device.audio-input</key><true/><key>com.apple.security.device.camera</key><true/><key>com.apple.security.network.client</key><true/><key>com.apple.security.network.server</key><true/></dict></plist> What I am missing? Thanx for any hint! Regards Dietmar Finkler

Is it possible to directly distribute a macOS app with a Developer ID Certificate that belongs to a different team? I am trying to resolve issues that arise when distributing a macOS app with a Network Extension (Packet Tunnel) outside the App Store using a Developer ID Certificate from a different team than the app’s provisioning profiles and entitlements. I started by attempting Direct Distribution in Xcode with automatic signing. However, it fails with the following message: Provisioning profile "Mac Team Direct Provisioning Profile: ” failed qualification checks: Profile doesn't match the entitlements file's value for the com.apple.developer.networking.networkextension entitlement. I suspect the issue is that the provisioning profile allows "packet-tunnel-provider-systemextension", whereas the entitlements generated by Xcode contain "packet-tunnel-provider". When I manually modify the .entitlements file to include the -systemextension suffix, the project fails to build because Xcode does not recognize the modified entitlement. If there is a workaround for this issue, please let me know. Due to these issues, I resorted to manually creating a signed and notarized app. My process is as follows: Export the .app from the Xcode archive. Since the exported .app does not contain the necessary entitlements or provisioning profile for direct distribution, I replace Contents/embedded.provisioningprofile in both the .app and the .appex network extension. Sign the app and its components in the following order: codesign --force --options runtime --timestamp --sign "Developer ID Application: <name>" <app>.app/Contents/Frameworks/<fw>.framework/ codesign --force --options runtime --timestamp --sign "Developer ID Application: <name>"<app>.app/Contents/PlugIns/<netext>.appex/Contents/Frameworks/<fw>.framework/Versions/A/<fw> codesign --force --options runtime --entitlements dist-vpn.entitlements --timestamp --sign "Developer ID Application: <name>" <app>.app/Contents/PlugIns/<netext>.appex/ codesign --force --options runtime --entitlements dist.entitlements --timestamp --sign "Developer ID Application: <name>" <app>.app Verify the code signature: codesign --verify --deep --strict --verbose=4 <app>.app - <app>.app: valid on disk - <app>.app: satisfies its Designated Requirement Create a ZIP archive using: ditto -c -k --sequesterRsrc --keepParent <app>.app <app>.zip Notarize the app with notarytool and staple it. The notarization completes successfully with errors: nil. Package the notarized app into a DMG, notarize, and staple the DMG. The app runs successfully on the development machine. However, when moved to another machine and placed in /Applications, it fails to open. Inspecting Console.app reveals Gatekeeper is blocking the launch:
 taskgated-helper <bundleid>: Unsatisfied entitlements: com.apple.developer.networking.networkextension, com.apple.developer.team-identifier taskgated-helper entitlements: { "com.apple.developer.networking.networkextension" = ("packet-tunnel-provider-systemextension"); "com.apple.developer.team-identifier" = <teamid>; } As mentioned earlier, the Developer ID Certificate used for signing belongs to a different team. We are a third-party developer and do not have access to the Developer ID Certificate of the team assigned as the team-identifier. When I changed the bundle identifier (app ID), team, entitlements, and provisioning profiles to match the team associated with the Developer ID Certificate, the app worked. My question is:
 Is this failure caused by using a Developer ID Certificate from a different team, or should it still work if the provisioning profiles and entitlements are correctly set? Could there be an issue elsewhere in the provisioning profiles or entitlements for the original app ID?

Hello, In our Account we have an iOS app with an explicit identifier "ABC123.com.some.app" that is using non-team prefix which is DEF456. It has also explicit identifiers for Widgets bundle and Notification Service. Due to non-team prefix, it can't access e.g. shared keychain and data put there by our other apps. Since we are working on features that require these capabilities, we would like to update the app identifier, so it is prefixed with our team id DEF456. Initially, we thought that the process would require steps like: Create new app, team-prefixed identifier(s) for app and all things that need them Recreate the provisioning profiles with new App Identifier Roll out the app using with new profiles via App Store but when trying to create the new identifier with com.some.app and team id prefix DEF456 we are getting following error: An App ID with Identifier com.some.app is not available. Please enter a different string. Can anybody advise us how to correctly perform such change and what steps are required from our end? We would like to keep our existing App Store entry, ratings and smoothly switch users. We are aware that this kind of migration results in loss of Keychain access. Thanks for any advice on that!

Hi all, I'm developing a simple Finder Sync Extension, using Xcode 16.3. When running in Debug with Xcode, everything works fine. Instead, when compiling in Release and launching the containing app (by double-clicking on it), the Extension is not recognized (neither loaded) by the system. The only difference between Debug and Release stands in Signing configuration: Debug: Release: As you can see, in Release I'm using a Provisiong Profile, configured with my company's Developer ID. I'm wondering if Capabilities and Entitlements are not what is needed by my app. Anyway, I have no idea what the issue is. Any suggestion will be appreciated. Thank you in advance _Alex

Hi there, We've discovered a problem with our iOS app. We've been attempting to add a Driverkit driver to it, but any time we run the app through Testflight, the driver installs fine, but when we go to enable the driver toggle in the app's settings, the toggle stays on, but in the device logs I can see: could not insert bundle at <private> into manager: <private> As you would expect - this means the driver is not actually enabled and does not respond to a device being connected to the iPad. This does not happen when building & running the app locally, nor does it happen when installing an Ad Hoc build. We also have a different app, not yet shipped. We are able to add the driver to that app without issue. It works after going through Testflight. What we have discovered now is that everything works fine even if we just create an entirely new app with it's own bundle IDs. I should point out that in all cases, we're keeping the capabilities the same for each of these apps/IDs - including the managed capabilities. The bundle IDs that have this problem are older (5 years old or more). It seems like any newer ID will work, but trying to add the driver (and the associated managed capabilities) to an older app/ID results in this vague error message, with no further details. If we inspect the resulting dexts, we can also see that the "Internal requirements code size" is different on the ones that fail. The failing ones have a size of 204 bytes, whereas the working ones all have a size of 220 bytes. Not sure if that's related but it's strikingly consistent. Does this mean there is an issue with older app IDs, and we need Apple to manually refresh them in some way before the driverkit capabilities will work after going through Testflight? We have two apps in this state, both are of the same vintage (~5 years+). We've been battling this issue for months on and off, so would appreciate some help.

When building to macOS on GameMaker, I get the error "this identity cannot be used for signing code" when using the Developer ID Installer certificate. The certificate was neither expired nor revoked, but nonetheless I created new certificates to start fresh but am still getting that error. I don't get issues building to iOS via GameMaker, just to macOS. If it makes any difference, I only noticed this issue started happening after I converted my Apple Developer Program account from an individual account to an organizational account, although it was weeks to months before I built to macOS via GameMaker before then, so I don't know if it correlates with that.

I was trying to put my game to test flight. I would test features like ads and in-app-purchases, then put on the Appstore(release). The game already works on Ipad. For test flight, the "automatically manage signing" option was enabled. Then I pressed the "archive" button. Built succeeded. Then I clicked the distribute button. That time, I had an error. "Upload failed, Invalid signature, App is not properly signed". I researched, and found special characters in name, team name and address can make errors. My name, address and team name have special characters(turkish). If it will be resolved, I want to re-write(fix) my name, team name and address. I already tried to change my name, team name and address from apple developer website but failed. They are asking a document of my identity of my new name but I didn't changed my name and address. Overall, there aren't any other facts that cause this issue as I know. If I send my current, unchanged identity and home address, could they allow to change(fix) them? On Console Log: DangerNo.app/DangerNo: ID : 6cfa13a9-685c-4df9-86dd-7506d67be8c5 DangerNo.app/Frameworks/UnityFramework.framework/UnityFramework: ID : 2b63aacc-9caf-453c-913f-bae0db14d363 My App ID : 6744022885 Error : Invalid Binary rejection email indicating a corrupted code signature was detected. Explanation : Invalid Signature - Make sure you have signed your application with a distribution certificate, not an ad hoc certificate or a development certificate. Verify that the code signing settings in Xcode are correct at the target level (which override any values at the project level). Additionally, make sure the bundle you are uploading was built using a Release target in Xcode, not a Simulator target. If you are certain your code signing settings are correct, choose "Clean All" in Xcode, delete the "build" directory in the Finder, and rebuild your release target.

I am running into this error with productbuild in github actions where the program hangs with a specific developer id. I have verified that my certification files are properly uploaded etc. and i am able to run this without the --sign command online and with --sign offline. if i sign with a "3rd party mac developer installer: ***" it will run but then crash on stapling because this isn't the actual org i want to staple and don't really need to verify that i could staple with this other license since it is my personal license and i will be leaving this job soon so setting up all my other certs is a waste of time since it doesn't solve the problem. When i use my bosses/org "Developer ID Installer: ***" productbuild just hangs. I am at a loss here... the acutal command running is productbuild --resources ./resources --distribution distribution.xml --sign "${{ secrets.DEVELOPER_ID_INSTALLER }}" --timestamp "${{ env.ARTIFACT_NAME }}.pkg" I have confirmed that my distribution file is fine etc. because I can productbuild without signing fine. Any suggestions on where to go?

Hi everyone, I'm following up on this post I made earlier about an issue I'm having with FamilyControls and the DeviceActivityMonitor extension not working for external TestFlight testers. To briefly recap: I have official Apple approval for the com.apple.developer.family-controls entitlement (distribution) The entitlement is added to both my main app and the DeviceActivityMonitor extension The App Group is correctly configured for both targets On internal TestFlight builds, everything works as expected: app blocking works, the extension runs, and selected apps are shielded. On external TestFlight builds, users get the Screen Time permission prompt, can select apps to block, but nothing is blocked. Since that post, I submitted a Code Level Support request, and Apple asked me to file a bug report via Feedback Assistant. I did that almost a month ago. The only reply I’ve received since is that they can’t give a timeframe or guarantee it will be resolved. I'm stuck in limbo with no updates and no fix. This feature is critical to my app and I cannot launch without it. I’ve reached out to other developers who use app blocking, and none of them have run into this issue. My setup seems correct, and Apple has not said otherwise. If anyone has experienced something similar, found a workaround, or knows how to get real movement on a bug report like this, I would really appreciate any help. It’s been weeks, and I just want to launch my app. Thanks so much.

I have tried again and again to generate and install the .mobileprovision on my device for testing apps following the exact instructions. I cannot get this to work. When I tap the .mobileprovision on the device I get the error "Profile Error - This profile cannot be installed." In Xcode in the console as I try to install the profile, this is what it shows: `profiled (ManagedConfiguration) Desc : Invalid Profile US Desc: Invalid Profile Domain : MCProfileErrorDomain Code : 1000 Type : MCFatalError and then profiled Desc : Invalid Profile Sugg : Invalid Profile US Desc: Invalid Profile US Sugg: Invalid Profile Domain : MCInstallationErrorDomain Code : 4000 Type : MCFatalError ...Underlying error: NSError: Desc : Invalid Profile US Desc: Invalid Profile Domain : MCProfileErrorDomain Code : 1000 Type : MCFatalError I have been at this for days and cannot get it to work. Any help would be appreciated

We have a Mac app that uses some restricted macOS entitlements, thus to test it we embed a development provisioning profile, that needs to contain the correct provisioning UDID. Typically, for test VMs, we extract the provisioning and UDID and add it to the developer portal and then re-generate the provisioning profiles. However when we try to do this in our newly created VM (Apple Silicon), our executable won't run, and macOS logs that the provisioning profile doesn't allow the device: 2025-06-12 12:37:52.168 E taskgated-helper[27489:e97da] [com.apple.ManagedClient:ProvisioningProfiles] embedded provisioning profile not valid: file:///Applications/foo.app/Contents/embedded.provisionprofile error: Error Domain=CPProfileManager Code=-212 "Provisioning profile does not allow this device." UserInfo={NSLocalizedDescription=Provisioning profile does not allow this device.} 2025-06-12 12:37:52.169 E taskgated-helper[27489:e97da] [com.apple.ManagedClient:ProvisioningProfiles] Disallowing com.company.foo because no eligible provisioning profiles found 2025-06-12 12:37:52.169 Df amfid[112:e99b0] [com.apple.xpc:connection] [0xb34c74a00] invalidated because the current process cancelled the connection by calling xpc_connection_cancel() 2025-06-12 12:37:52.169 Df taskgated-helper[27489:e97da] [com.apple.xpc:connection] [0x839144000] invalidated because the client process (pid 112) either cancelled the connection or exited 2025-06-12 12:37:52.169 E amfid[112:e91ac] [com.apple.MobileFileIntegrity.framework:default] Failure validating against provisioning profiles: &lt;private&gt; 2025-06-12 12:37:52.169 E amfid[112:e91ac] [com.apple.MobileFileIntegrity.framework:default] Restricted entitlements not validated, bailing out. Error: Error Domain=AppleMobileFileIntegrityError Code=-413 "No matching profile found" UserInfo={NSURL=&lt;private&gt;, NSLocalizedDescription=No matching profile found} 2025-06-12 12:37:52.169 Df amfid[112:e91ac] /Applications/foo.app/Contents/MacOS/foo not valid: Error Domain=AppleMobileFileIntegrityError Code=-413 "No matching profile found" UserInfo={NSURL=file:///Applications/foo.app/, NSLocalizedDescription=No matching profile found} The UDID for this VM does look weird, in System Profiler: But I can verify that this UDID string is present in the provisioning profile embedded in the app bundle: $ security cms -D -i /Applications/foo.app/Contents/embedded.provisionprofile | grep -i 7cd9234e9aa4fa8ba528ee417f857b2c993a20a3 &lt;string&gt;7CD9234E9AA4FA8BA528EE417F857B2C993A20A3&lt;/string&gt; I also tried deleting the manually added device from the Developer portal and installing Xcode on the VM and letting Xcode register the device, but I end up in the same situation there. Even after letting Xcode itself register the device, it says that "this device not registered to your account" and then when I click "Register device" it changes into " already exists". Has anyone else managed to get Mac development provisioning profiles to work in a VM?

I am able to sign my application when logged in to the machine, however when build is running in CI (Jenkins), I get this: "Warning: unable to build chain to self-signed root for signer.." We just renewed or certificates, so I am not sure about previous procedure, but it used to work without temporary keychain and stuff, I believe. What should be the recommended way to sign an application on CI? What keychain should we use? system? temporary? other method? Thanks, Itay

I am a complete novice and I find that I cannot restore or delete the “Apple Development” certificate (I only use it for signing). From what I understand, you need to be in a program to manage certificates, but I have no intention of distributing any applications and, from my point of view, it makes no sense to pay. Am I wrong or am I doing something wrong? Notes: This happened after I installed Tahoe on a new installation. I was able to restore it using a copy of the keychains folder I had from Sequoia. Xcode (Apple Accounts - Manage Certificates) now shows me two certificates, indicating that one is not in the keychain and cannot be deleted.

I have two certificates in my Accounts>Manage Certificates section. One is active, the other is greyed out with a status of "Not in Keychain". I only have ONE certificate in the developer account online. Timeline: Had an issue with fastlane codesigning and was trying to resolve that. In that attempt I deleted my related Certificates from my keychain Xcode showed them as disabled (greyed out) and not in Keychain. Look up how to resolve, need to revoke certificates in Developer account online. I go and revoke those certificates. Nothing changes I create new certificate and try to add it to xcode>account>certificate managment>"Apple Development". Get an error saying I can't add a new can't do that because a certificate is already pending. I waited a day because I assumed like somethings with apple, updates are not immediate. I come back the next day and am able to add a new certificate. However, the previous one that is greyed out and reads "Not in Keychain" under Status, is still there. How do I remove that "Not in Keychain" certificate? I emailed developer support and they directed me here.

I have a bizzare issue with my Apple TV that is shown as "iPod" in Apple developer portal. It's correctly visible in Xcode as Apple TV, but when I add it to developer portal it says "iPod". The problem is since it's there as an iPod I can't use it to my provisioning profile to build on the device Anyone has any idea how this can be solved? [Edited by Moderator]

In Xcode's (version 16.1) "Devices and Simulators" window pressing the device's context menu item "Show Provisioning Profiles..." does nothing: no new window, no message, nothing. How can I fix this?