You can now easily request access to managed capabilities for your App IDs directly from the new Capability Requests tab in Certificates, Identifiers & Profiles > Identifiers. With this update, view available capabilities in one convenient location, check the status of your requested capabilities, and see any notes from Apple related to your requests. Learn more about capability requests.

Hello, I’m developing a macOS application signed with a Developer ID (outside the App Store) that includes a Network Extension. The app has been successfully notarized, and the network filter is registered, but the Network Extension itself remains inactive — it does not install or run properly. It seems that the issue might be related to the entitlements configuration between the container app and the Network Extension target. Could you please provide a detailed checklist for: 1.The required entitlements and configurations for the container app, and 2.The required entitlements and configurations for the Network Extension target? Additionally, are there any specific Xcode settings that are mandatory for the Network Extension to be properly installed and activated on macOS when distributed via Developer ID? Thank you in advance for your help.

Hello, I’m developing a macOS application signed with a Developer ID (outside the App Store) that includes a Network Extension. The app has been successfully notarized, and the network filter is registered, but the Network Extension itself remains inactive — it does not install or run properly. It seems that the issue might be related to the entitlements configuration between the container app and the Network Extension target. Could you please provide a detailed checklist for: The required entitlements and configurations for the container app, and The required entitlements and configurations for the Network Extension target? Additionally, are there any specific Xcode settings that are mandatory for the Network Extension to be properly installed and activated on macOS when distributed via Developer ID? Thank you in advance for your help.

I'm unable to sign the an example application using xcode and "automatically manage signing". The error I'm getting is: CodeSign [...] (in target 'foobar' from project 'foobar') Signing Identity: "Apple Development: [xxxx] " /usr/bin/codesign --force --sign 4ABB258102FF656E9F597546A49274C28D2B8B3E -o runtime --timestamp\=none --generate-entitlement-der [filename] 4ABB258102FF656E9F597546A49274C28D2B8B3E: no identity found Command CodeSign failed with a nonzero exit code However, I am able to see a certificate and a private identity on my keychain: % security find-certificate -aZ | grep -i 4ABB258102FF656E9F597546A49274C28D2B8B3E SHA-1 hash: 4ABB258102FF656E9F597546A49274C28D2B8B3E and % security find-key -s | grep -q 'Apple Development' && echo YES YES what is puzzling is that security does not find an identity: % security find-identity -p codesigning Policy: Code Signing Matching identities 0 identities found Valid identities only 0 valid identities found but XCode claims that everything is working fine. Anybody knows what might I be missing? I tried logging out, requesting new certificates, rebooting, moving them to another keychain, and asking to developer friends.

急需一个企业开发者证书，有意者可联系tg:@moonkf2025

Hi everyone, We're experiencing a critical and persistent code signing failure (HTTP 403) after accepting the latest Apple Developer Agreement, blocking our application release. Problem: Despite confirming the new Apple Developer Agreement is signed and active on the portal, code signing attempts return an HTTP 403 error, stating a "required agreement is missing or has expired." Steps Taken: Accepted new Apple Developer Agreement. Verified active developer membership and valid certificates (good for years). Cleared caches, restarted systems. Confirmed Team ID, Apple ID, and provisioning profile validity. Any help is greatly appreciated, its been stuck for more than 2 days now.

Hi, I am developing a iOS app with Packet Tunnel Provider Network Extension. I manage signing manually. I created a distribution provisioning profile. Then when I archive and click "validate" I get this error: Your application bundle's signature contains code signing entitlements that are not supported on iOS. Specifically, value 'url-filter-provider' for key 'com.apple.developer.networking.networkextension' So I run security cms -D -i profiles/vpn_distribution.mobileprovision and I see there <key>Entitlements</key> <dict> <key>com.apple.developer.networking.networkextension</key> <array> <string>app-proxy-provider</string> <string>content-filter-provider</string> <string>packet-tunnel-provider</string> <string>dns-proxy</string> <string>dns-settings</string> <string>relay</string> <string>url-filter-provider</string> <string>hotspot-provider</string> </array> Where are those coming from. My entitlement file has <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.developer.networking.networkextension</key> <array> <string>packet-tunnel-provider</string> </array> <key>com.apple.security.application-groups</key> <array> <string>group.my-app-group</string> </array> </dict> </plist> What is happening here. How can I get a provisioning profile that only has the entitlements that I actually need?

Hi all, I'm a solo iOS developer trying to update an app I released in 2010. My current Team ID is Q37598Q8GE, but the app's original App ID uses an old prefix, YHX995W43P. When I try to create a new App ID with the original Bundle ID (eu.andela.woordenes) to generate a new distribution provisioning profile, I get the error:An attribute in the provided entity has invalid value An App ID with Identifier 'eu.andela.woordenes' is not available. Please enter a different string. I understand this might be due to the old prefix from pre-2011, when Apple allowed multiple prefixes per account. I still have access to the app in App Store Connect and want to push an update, not create a new app. How can I resolve this?Can I reuse the existing App ID (eu.andela.woordenes with prefix YHX995W43P) for a new provisioning profile, or do I need to match my current Team ID (Q37598Q8GE)? If the Bundle ID is already taken by my current app, how do I update the app without changing the Bundle ID? Any steps to fix the prefix mismatch in Xcode or App Store Connect?

Since around September (iOS 26 release), i'm unable to test my app normally. It says "internet connection is required to verify [my certificate id]", or just crashing. All terms and conditions accepted, everything is valid, certificates are OK. Reinstallation via xcode does not help. Removal of provisioning profile, generating new does not help. Revoking of certificate and generating new does for around week, then it happens again, but do i need to do it every week now? In logs i see the following: default amfid validation failed because of missing trust and/or authorization (0xe8008026) error amfid not valid: 0xe8008026: The provisioning profile requires online authorization. error amfid Unexpected MISError (0xe8008026): The provisioning profile requires online authorization. default +0300 amfid /private/var/containers/Bundle/Application/5B8E560E-75B2-46EF-8606-02072D99E9CF//Frameworks/oss.dylib not valid: Error Domain=AppleMobileFileIntegrityError Code=-400 "An unknown error was encountered" UserInfo={NSURL=file:///private/var/containers/Bundle/Application/5B8E560E-75B2-46EF-8606-02072D99E9CF//Frameworks/oss.dylib, NSLocalizedDescription=An unknown error was encountered} default kernel AMFI: code signature validation failed. It looks like apple validation servers are not working, or is it iOS bug? All provisioning profiles are showing like "valid" in apple developer center. My network is not behind a proxy, connection is direct. If use EXACTLY the same app, signed with the same provisioning, same signature, on another test device, it works! When i reset current device to default settings and installing the EXACTLY same app after it, it works as well. Looking for a help from apple developer support

I am using Automatically Manage Signing And I have registered my Mac UUID in developer account, but it is still giving me these errors - Device My Mac is not registered to your team Ai Glider Inc. Devices must be registered in order to run your code, but you do not have permission to register them. Please check with your team's admin. No profiles for 'com.aiexample.sebexample' were found Xcode couldn't find any Mac App Development provisioning profiles matching 'com.aiexample.sebexample'.

Hello, my iOS apps are exiting right after launch on a few of our iOS devices. I tried a couple of my apps that are deployed to our fleet and they do the same thing. If I run the app(s) in the Simulator it works fine and if I run the app(s) on the offending devices it works fine as well. Once I stop the run in Xcode the app on the device will not launch. I'm thinking something is missing like a certificate etc. Just not sure. Any ideas on how to troubleshoot this? I would really like to get this fixed.

I got an email with the subject "Action Needed: Developer ID Application Certificate Expires in 30 Days" But on the cert page it's not exactly clear to my how to renew the cert or generate a new one. Confused by the fact that I already have half a dozen ...somehow? Any help or guidance appreciated.

I have added an in-app purchase function into my app, and have enabled in-app purchase profile in developer portal(it's on by default and is marked gray in developer portal, I don't know if that's how it supposed to look like). I have issued the agreements and tried signing the app both manually and automatically, but neither of that worked. App can be built successfully in simulator but does not show the simulation window, but cannot build on real device or archive. Errors: Missing com.apple.developer.in-app-purchase, com.apple.developer.in-app-purchase.non-consumable, and com.apple.developer.in-app-purchase.subscription entitlements. Automatic signing failed Xcode failed to provision this target.

Hello everyone, I'm facing a critical, blocking issue where my developer account (Team ID: K655PX7A46) is unable to generate a valid provisioning profile with the App Attest entitlement. I have confirmed this is a server-side issue and am hoping to get visibility from an Apple engineer who can investigate. The Problem: When I generate a provisioning profile for an App ID with the "App Attest" capability enabled, the resulting profile is defective. It is missing the required com.apple.developer.app-attest.environment key in its entitlements dictionary, causing Xcode to fail the build. What I Have Proven: The issue is not a misconfiguration. The App Attest capability is correctly enabled and saved on the App ID configuration page. The issue is not isolated to one App ID. I created a brand new App ID from scratch, enabled the capability during creation, and the server still generates a defective profile with the same missing entitlement. I have definitive proof by inspecting the downloaded .mobileprovision file. The contents confirm the required key is missing. Steps to Reproduce on My Account: Create a new App ID on the Developer Portal. Enable the "App Attest" capability and save. Generate a new "iOS App Development" provisioning profile for this App ID. Download the profile and inspect its contents via security cms -D -i [profile]. Observe that the com.apple.developer.app-attest.environment key is missing. The Evidence (Contents of the Defective Profile): Here is the output from inspecting the profile for a brand new App ID (com.technology519.linksi.app2). As you can see, the correct entitlement is missing, and an incorrect devicecheck entitlement is present instead. This is a critical bug in the provisioning profile generation service for my account that is blocking all development. I have already filed a support ticket (Case #102721408444) but have so far only received generic, unhelpful responses. Can an Apple engineer please investigate this server-side issue with my account? Thank you.

I added a new device and it's not recognizing the device model. This causes a message saying "Unable to verify" when signing an app. Has anyone else encountered this issue? This only happens with this one device, not others.

Anyone know how long it takes to get Apple to respond to a request for provisioning for endpoint security?

Dear Apple Developer Support, I am experiencing a critical issue with Developer ID certificates issued for Turkish (C=TR) developer accounts that prevents code signing on macOS. Issue Summary All Turkish Developer ID certificates issued on October 4, 2025, contain an Apple proprietary extension (OID 1.2.840.113635.100.6.1.13) marked as "critical" that both OpenSSL and codesign cannot handle. Technical Details Team ID: 4B529G53AG Certificate Country: TR (Turkey) Issue Date: October 4, 2025 macOS Version: 15.6.1 (24G90) Problematic Extension OID: 1.2.840.113635.100.6.1.13 (marked as critical) Evidence I have verified this issue across THREE different Turkish Developer ID certificates: Serial: 21F90A51423BA96F74F23629AD48C4B1 Serial: 461CBAF05C9EDE6E Serial: 184B6C2222DB76A376C248EC1E5A9575 All three certificates contain the same critical extension. Error Messages OpenSSL: error 34 at 0 depth lookup: unhandled critical extension Codesign: unable to build chain to self-signed root for signer errSecInternalComponent Comparison with Working Certificate My previous Developer ID certificate from Singapore (before revocation) worked perfectly and did NOT contain this critical extension. This confirms the issue is specific to Turkish certificates. Impact Cannot sign applications for distribution, which blocks: DMG signing for distribution Notarization process App distribution to users Questions What is the purpose of OID 1.2.840.113635.100.6.1.13? Why is it marked as critical only for Turkish certificates? Is this related to Turkish regulatory requirements? Can you issue a certificate without this critical extension? Is there a macOS update planned to support this extension? Request Please either: Issue a Developer ID certificate without the critical extension OID 1.2.840.113635.100.6.1.13 Provide a workaround for signing with current Turkish certificates Update the codesign tool to handle this extension This appears to be a systematic issue affecting all Turkish developers as of October 2025. Thank you for your urgent attention to this matter. Best regards,

In our local test configurations, a developer can sign test apps for device installation using any key associated with the company team. However, if a developer accidentally chooses an identity from some other team, installation fails with no information about the problem. It just mentions that no provisioning profile could be found, leaving everyone in the dark about what is wrong. Instead, we would like to pre-validate the selected signing identity by checking the team name or id. This could be done, for example, by extracting the x509 certificate from the signing identity and checking the "OU" field (which is set to the team id). However, none of the apple commands will divulge the x509 certificate from a developer id. So far our best options is to create a fake app, sign the app, then use command: codesign --display --extract-certificates This solution seems excessively serpentine. Is there no direct command that will accept the sha of a signing identity and return a nice .pem containing the associated certificate chain? Or, better yet, is there a command that takes the signing identity and simply returns the name or id of the associated team?

I'm trying to sign a .app package coming from Py2app. Unfortunately I keep running into the same two issues: The binary is not signed with a valid Developer ID certificate. and The signature does not include a secure timestamp. I tried everything, from recreating the signatures, with different arguments, different keys and certificates, but it keeps complaining with these two errors on a long list of files. For reference I added the python script I use for signing the files. code_singing.py

I have certificates in my xcode>settings>account>manage certificates that I cannot get rid of. I know that they are linked to certificates in developer.apple.com but I've removed them from there and they persist in xcode. I have one that says "Not in Keychain", which is true. I deleted all the keychains related to these accounts in an attempt to fix something. I also have ones that say things like "Missing Private key" Our setup is that we have one main account "Company Inc." which I am setup to be an Admin in. I created a certificate under my credentials and added it to my keychain and showed up properly in xcode but I still have the other ones. HOW DO I REMOVE THEM :sob:

I tried to create a new IOS provisioning profile and re-apply it to the app using Xcode to build it, but I got into trouble. The build is good, but it bounces when running the app. I would appreciate it if you could let me know what to do.