I'm getting this error when uploading a build of my macOS app to App Store Connect. It has always worked before, and nothing changed about my use of app groups, and the iOS build uploaded without any problems. Cleaning the build folder and derived data folder doesn't help. I'm using automatically managed signing in Xcode. Invalid code signing entitlements. Your application bundle’s signature contains code signing entitlements that aren’t supported on macOS. Specifically, the “[group.]” value for the com.apple.security.application-groups key in “.pkg/Payload/.app/Contents/MacOS/” isn’t supported. This value should be a string or an array of strings, where each string is the “group” value or your Team ID, followed by a dot (“.”), followed by the group name. If you're using the “group” prefix, verify that the provisioning profile used to sign the app contains the com.apple.security.application-groups entitlement and its associated value(s).

Hey devs, I have a really weird issue and at this point I cannot determine is it a Big Sur 11.1 or M1 issue or just some macOS settings issue. Short description programatically (from node, electron) I'd like to store x509 cert to keychain. I got the following error message: SecTrustSettingsSetTrustSettings: The authorization was denied since no user interaction was possible. (1) I could reproduce this issue on: a brand new mac mini with M1 chip and Big Sur 11.1 another brand new mac mini with M1 chip and Big Sur 11.1 a 2018 MacBook pro with Intel chip and Big Sur 11.1 I couldn't reproduce this issue on: 2020 MacBook pro with intel i9 chip and Big Sur 11.1 2020 MacBook pro with intel i9 chip and Big Sur 11.0 How am I trying to store the cert node test.js test.js const { exec } = require('child_process') exec( 	`osascript -e 'do shell script "security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /Users/kotapeter/ssl/testsite.local.crt" with prompt "Test APP wants to store SSL certification to keychain." with administrator privileges'`, 	(error, stdout, stderr) => { 		if (error) { 			console.log(error.stack) 			console.log(`Error code: ${error.code}`) 			console.log(`Signal received: ${error.signal}`) 		} 		console.log(`STDOUT: ${stdout}`) 		console.log(`STDERR: ${stderr}`) 		process.exit(1) 	} ) testsite.local.crt: ----BEGIN CERTIFICATE MIIDUzCCAjugAwIBAgIUD9xMnL73y7fuida5TXgmklLswsowDQYJKoZIhvcNAQEL BQAwGTEXMBUGA1UEAwwOdGVzdHNpdGUubG9jYWwwHhcNMjEwMTE3MTExODU1WhcN NDEwMTEyMTExODU1WjAZMRcwFQYDVQQDDA50ZXN0c2l0ZS5sb2NhbDCCASIwDQYJ KoZIhvcNAQEBBQADggEPADCCAQoCggEBANM08SDi06dvnyU1A6//BeEFd8mXsOpD QCbYEHX/Pz4jqaBYwVjD5pG7FkvDeUKZnEVyrsofjZ4Y1WAT8jxPMUi+jDlgNTiF jPVc4rA6hcGX6b70HjsCACmc8bZd+EU7gm4b5eL6exTsVzHc+lFz4eQFXgutYTL7 guDQE/gFHwqPkLvnfg3rgY31p3Hm/snL8NuD154iE9O1WuSxEjik65uOQaewZmJ9 ejJEuuEhMA8O9dXveJ71TMV5lqA//svDxBu3zXIxMqRy2LdzfROd+guLP6ZD3jUy cWi7GpF4yN0+rD/0aXFJVHzV6TpS9oqb14jynvn1AyVfBB9+VQVNwTsCAwEAAaOB kjCBjzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIC9DA7BgNVHSUENDAyBggrBgEFBQcD AQYIKwYBBQUHAwIGCCsGAQUFBwMDBggrBgEFBQcDBAYIKwYBBQUHAwgwHQYDVR0O BBYEFDjAC2ObSbB59XyLW1YaD7bgY8ddMBkGA1UdEQQSMBCCDnRlc3RzaXRlLmxv Y2FsMA0GCSqGSIb3DQEBCwUAA4IBAQBsU6OA4LrXQIZDXSIZPsDhtA7YZWzbrpqP ceXPwBd1k9Yd9T83EdA00N6eoOWFzwnQqwqKxtYdl3x9JQ7ewhY2huH9DRtCGjiT m/GVU/WnNm4tUTuGU4FyjSTRi8bNUxTSF5PZ0U2/vFZ0d7T43NbLQAiFSxyfC1r6 qjKQCYDL92XeU61zJxesxy5hxVNrbDpbPnCUZpx4hhL0RHgG+tZBOlBuW4eq249O 0Ql+3ShcPom4hzfh975385bfwfUT2s/ovng67IuM9bLSWWe7U+6HbOEvzMIiqK94 YYPmOC62cdhOaZIJmro6lL7eFLqlYfLU4H52ICuntBxvOx0UBExn----END CERTIFICATE testsite.local.key: ----BEGIN RSA PRIVATE KEY MIIEpQIBAAKCAQEA0zTxIOLTp2+fJTUDr/8F4QV3yZew6kNAJtgQdf8/PiOpoFjB WMPmkbsWS8N5QpmcRXKuyh+NnhjVYBPyPE8xSL6MOWA1OIWM9VzisDqFwZfpvvQe OwIAKZzxtl34RTuCbhvl4vp7FOxXMdz6UXPh5AVeC61hMvuC4NAT+AUfCo+Qu+d+ DeuBjfWnceb+ycvw24PXniIT07Va5LESOKTrm45Bp7BmYn16MkS64SEwDw711e94 nvVMxXmWoD/+y8PEG7fNcjEypHLYt3N9E536C4s/pkPeNTJxaLsakXjI3T6sP/Rp cUlUfNXpOlL2ipvXiPKe+fUDJV8EH35VBU3BOwIDAQABAoIBAQDDGLJsiFqu3gMK IZCIcHCDzcM7Kq43l2uY9hkuhltrERJNle70CfHgSAtubOCETtT1qdwfxUnR8mqX 15T5dMW3xpxNG7vNvD/bHrQfyc9oZuV6iJGsPEreJaV5qg/+E9yFzatrIam0SCS7 YL6xovPU58hZzQxuRbo95LetcT2dSBY33+ttY7ayV/Lx7k6nh0xU6RmTPHyyr8m7 yHpoJoSxdT/xv5iBSZ8mM9/2Vzhr14SWipVuwVVhDSfbn8ngHpIoQDkaJLMpWr+m 4z3PqfftAwR6s6i96HnhYLnRir618TQh4B9IEngeEwCMn4XAzE3L+VTaKU1hg9el aMfXzPERAoGBAPa+sJ2p9eQsv0vCUUL8KeRWvwjDZRTd+YAIfpLMWrb0tMmrBM4V V0L2joF76kdDxt1SAlHoYCT/3Rn8EPmK0TN3MEskiXQ7v57iv+LZOZcpe0ppG/4A ZihF9+wUjFCDw4ymnRQD463535O6BgZV+rcZksFRD2AwvEjt1nYm93VXAoGBANsh AYM+FPmMnzebUMB0oGIkNkE9nVb9MPbQYZjEeOeHJqmt1Nl6xLuYBWTmWwCy7J4e QPtnuMCdO6C1kuOGjQPBFIpeyFMzll+E3hKzicumgCpt5U8nTZoKc/jZckRD7n3p lbYYgHOR3A/3GCDK5L3rwziWpSRAGMSCQylvkOC9AoGBAKLfZL3t/r3LO8rKTdGl mhF7oUYrlIGdtJ/q+4HzGr5B8URdeyJ9u8gb8B1Qqmi4OIDHLXjbpvtFWbFZTesq 0sTiHCK9z23GMsqyam9XbEh3vUZ082FK6iQTa3+OYMCU+XPSV0Vq+9NPaWGeHXP5 NTG/07t/wmKASQjq1fHP7vCpAoGBAK4254T4bqSYcF09Vk4savab46aq3dSzJ6KS uYVDbvxkLxDn6zmcqZybmG5H1kIP/p8XXoKCTBiW6Tk0IrxR1PsPHs2D3bCIax01 /XjQ1NTcYzlYdd8gWEoH1XwbJQWxHINummBTyowXguYOhVhM9t8n+eWbn1/atdZF 2i+vS3fhAoGAYKw6rkJfTSEswgBKlQFJImxVA+bgKsEwUti1aBaIA2vyIYWDeV10 G8hlUDlxvVkfwCJoy5zz6joGGO/REhqOkMbFRPseA50u2NQVuK5C+avUXdcILJHN zp0nC5eZpP1TC++uCboJxo5TIdbLL7GRwQfffgALRBpK12Vijs195cc=----END RSA PRIVATE KEY What I've already found If I run the following command from terminal It asks my password first in terminal and after that It asks my password again in OS password prompt. sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /Users/kotapeter/ssl/testsite.local.crt It looks like I'm getting the above error message because osascript hides the second password asking dialog. The cert always gets stored in keychain but when I get the error message the cert "Trust" value is not "Always Trust". References StackOverflow question: https://stackoverflow.com/questions/65699160/electron-import-x509-cert-to-local-keychain-macos-the-authorization-was-deni opened issue on sudo-prompt electron package: https://github.com/jorangreef/sudo-prompt/issues/137

Hi, I'm trying to integrate with Tap to Pay feature under Stripe. For this reason i need to add com.apple.developer.proximity-reader.payment.acceptance entitlement to my Identifier. I can see it under Provisioning Profile -> Enabled Capabilities. But after downloading this profile in Xcode I don't see this entitlement. What could be the reason for this discrapency?

Hi there, I am trying to build the Apple SimpleAudioDriver example but fail with codesign and/or provisioning. I would be ok for now with the local option, but XCode 16.4 doesn't show the option "build to run locally" (SIP is disabled). When using "Automatically manage signing" it ends in a "Please file a bug report". I found that having two different development teams tripped it up, so I deleted all certificates and keys and made sure to be only signed into one account in Xcode. Can anyone give advice? Thanks a ton! Here is the URL to the sample: https://developer.apple.com/documentation/coreaudio/building-an-audio-server-plug-in-and-driver-extension macOS: 15.6.1 XCode: 16.4 Hardware: MacBook Pro M2 Max SIP: disabled

Hello everyone, I'm hoping to get some guidance on a frustrating codesigning issue. I have a macOS application that successfully completes the entire notarization and stapling process, but it is still rejected by Gatekeeper during the final verification step. The rejection only happens when I apply the entitlements that I believe are necessary for my app's functionality. The application is built with PyInstaller and has the following components: A main executable written in Python. A bundled Tcl/Tk instance for the GUI. Embedded Playwright components, which include the Node.js runtime and a full Chromium browser instance. These are located deep inside the .app bundle. The Problem The core of my application relies on Playwright to perform some automated tasks, and its bundled Chromium browser requires specific entitlements to function under the Hardened Runtime. Specifically, it needs com.apple.security.cs.allow-jit and com.apple.security.cs.allow-unsigned-executable-memory. My signing process is as follows: Prepare Entitlements: I use two separate .plist files: main_app_entitlements.plist: This is for the main Python executable and only contains com.apple.security.cs.allow-jit. jit_helper_entitlements.plist: This is for the node and Chromium Helper executables within the Playwright framework. It contains both com.apple.security.cs.allow-jit and com.apple.security.cs.allow-unsigned-executable-memory. Inside-Out Signing: I perform a deep signing process. I find all binaries, dylibs, and frameworks, sort them by path length (deepest first), and sign each one individually with the appropriate entitlements. The main .app bundle is signed last. Notarization: I zip the .app bundle and submit it using xcrun notarytool submit --wait. The tool reports a successful notarization every time. Stapling: I use xcrun stapler staple on the .app bundle, and it confirms that the ticket was successfully stapled. The point of failure The final step is to verify the result with spctl: spctl --assess --type execute --verbose --ignore-cache "MyApp.app" This is where it fails. The output is: MyApp.app: rejected source=Unnotarized Developer ID This "Unnotarized Developer ID" message is confusing because xcrun notarytool and stapler both report complete success. The crucial detail If I run the entire process without any entitlements—just signing with the Hardened Runtime enabled—the final spctl assessment passes. However, the application then crashes at runtime as soon as it tries to use Playwright, which is expected since the browser helpers are missing their required JIT entitlements. My question Is there a known issue where using com.apple.security.cs.allow-jit or com.apple.security.cs.allow-unsigned-executable-memory on nested helper executables can invalidate an otherwise successful notarization? Is my strategy of applying different, granular entitlements to different executables within the same app bundle correct? Could the issue be related to how or when these entitlements are applied during an "inside-out" signing process? Is there a better way to structure the signing of these complex components? I'm confident the notarization itself is working, but it seems Gatekeeper's local assessment is stricter and is being tripped up by my entitlement configuration. Thank you in advance for any help or suggestions you can provide

Hello Apple support, A few days ago, I received an e-mail granting the entitlement for Critical Alerts to my app VIAWEB Mobile, bundle ID br.com.viawebsystem.VIAWEBservice . This was my second attempt: in the first time I requested the entitlement for all our apps, but it was denied. This time I requested for just our main app, and now it was approved. I have just followed several tutorials and instructions available on the Internet, but I couldn't enable this capability in my app. What I tried and where I stopped: In my Xcode 16.4, target "VIAWEB Mobile", Signing & Capabilities, All: unchecked the Automatic manage signing and checked again, selected the correct Team. In the iOS section, Xcode Managed Profile, click in the little "i" and there is no Critical Alerts in the Capabilities list, nor com.apple.developer.usernotifications.critical-alerts in the Entitlements list. And so, there is no Critical Alerts in the "+ Capability" window. If I go to Certificates, Identifiers & Profiles, Identifiers, and click to edit my App ID Configuration, there is no Critical Alerts to enable in the Capabilities list. In Capability Requests, I just see the plus sign next to Critical Alerts (to make an additional request), and the status Approved when I click on View Requests (2). Can you provide me with updated instructions on how I can enable this entitlement for my app? Thank you! Best regards, The VIAWEB Developer Team.

Hello everyone, I'm encountering an issue while trying to publish an app on TestFlight. The app in question is Home Assistant, which I've compiled from the source. I am able to compile and install the app on my device without any problems. My company's developer account is properly configured, and I have set Xcode to automatically manage the provisioning profile. The archive is also created successfully, but when I attempt to upload it to Apple Store Connect for testing via TestFlight, I receive the following error: ERROR: [ContentDelivery.Uploader] Asset validation failed (90525) Missing Entitlement. The bundle 'Home Assistant.app/PlugIns/HomeAssistant-Extensions-PushProvider.appex' is missing entitlement 'com.apple.developer.networking.networkextension'. (ID: ceac6dcc-9c76-412e-8ea7-f2d2845f8013) I've made several attempts to resolve this issue to no avail. For instance, if I add the missing capability manually, then I am informed that the provisioning profile is incorrect. However, checking the network extension settings on my company's dev account, I see nothing related to push notifications, which are located elsewhere. Thus, I am stuck in a loop where either the provisioning file is correct but the entitlement is missing, or if the entitlement is present, then the provisioning profile is deemed incorrect. URL:https://contentdelivery.itunes.apple.com status code: 409 (conflict) httpBody: { "errors" : [ { "id" : "ceac6dcc-9c76-412e-8ea7-f2d2845f8013", "status" : "409", "code" : "STATE_ERROR.VALIDATION_ERROR.90525", "title" : "Asset validation failed", "detail" : "Missing Entitlement. The bundle 'Home Assistant.app/PlugIns/HomeAssistant-Extensions-PushProvider.appex' is missing entitlement 'com.apple.developer.networking.networkextension'." }, { "id" : "9ff2143b-3c00-4912-b59f-8342fa6fe5c0", "status" : "409", "code" : "STATE_ERROR.VALIDATION_ERROR.90525", "title" : "Asset validation failed", "detail" : "Missing Entitlement. The bundle 'Home Assistant.app' is missing entitlement 'com.apple.developer.networking.networkextension'." } ] } ======================================= 2024-01-10 23:19:35.506 ERROR: [ContentDelivery.Uploader] Asset validation failed (90525) Missing Entitlement. The bundle 'Home Assistant.app/PlugIns/HomeAssistant-Extensions-PushProvider.appex' is missing entitlement 'com.apple.developer.networking.networkextension'. (ID: ceac6dcc-9c76-412e-8ea7-f2d2845f8013) 2024-01-10 23:19:35.506 DEBUG: [ContentDelivery.Uploader] Error Domain=ContentDelivery Code=90525 "Asset validation failed" UserInfo={NSLocalizedFailureReason=Missing Entitlement. The bundle 'Home Assistant.app/PlugIns/HomeAssistant-Extensions-PushProvider.appex' is missing entitlement 'com.apple.developer.networking.networkextension'. (ID: ceac6dcc-9c76-412e-8ea7-f2d2845f8013), NSUnderlyingError=0x6000022b6430 {Error Domain=IrisAPI Code=-19241 "Asset validation failed" UserInfo={status=409, detail=Missing Entitlement. The bundle 'Home Assistant.app/PlugIns/HomeAssistant-Extensions-PushProvider.appex' is missing entitlement 'com.apple.developer.networking.networkextension'., id=ceac6dcc-9c76-412e-8ea7-f2d2845f8013, code=STATE_ERROR.VALIDATION_ERROR.90525, title=Asset validation failed, NSLocalizedFailureReason=Missing Entitlement. The bundle 'Home Assistant.app/PlugIns/HomeAssistant-Extensions-PushProvider.appex' is missing entitlement 'com.apple.developer.networking.networkextension'., NSLocalizedDescription=Asset validation failed}}, iris-code=STATE_ERROR.VALIDATION_ERROR.90525, NSLocalizedDescription=Asset validation failed} 2024-01-10 23:19:35.507 ERROR: [ContentDelivery.Uploader] Asset validation failed (90525) Missing Entitlement. The bundle 'Home Assistant.app' is missing entitlement 'com.apple.developer.networking.networkextension'. (ID: 9ff2143b-3c00-4912-b59f-8342fa6fe5c0) 2024-01-10 23:19:35.507 DEBUG: [ContentDelivery.Uploader] Error Domain=ContentDelivery Code=90525 "Asset validation failed" UserInfo={NSLocalizedFailureReason=Missing Entitlement. The bundle 'Home Assistant.app' is missing entitlement 'com.apple.developer.networking.networkextension'. (ID: 9ff2143b-3c00-4912-b59f-8342fa6fe5c0), NSUnderlyingError=0x6000022b6640 {Error Domain=IrisAPI Code=-19241 "Asset validation failed" UserInfo={status=409, detail=Missing Entitlement. The bundle 'Home Assistant.app' is missing entitlement 'com.apple.developer.networking.networkextension'., id=9ff2143b-3c00-4912-b59f-8342fa6fe5c0, code=STATE_ERROR.VALIDATION_ERROR.90525, title=Asset validation failed, NSLocalizedFailureReason=Missing Entitlement. The bundle 'Home Assistant.app' is missing entitlement 'com.apple.developer.networking.networkextension'., NSLocalizedDescription=Asset validation failed}}, iris-code=STATE_ERROR.VALIDATION_ERROR.90525, NSLocalizedDescription=Asset validation failed} 2024-01-10 23:19:35.507 DEBUG: [ContentDelivery.Uploader] swinfo errors: ( "Error Domain=ContentDelivery Code=90525 \"Asset validation failed\" UserInfo={NSLocalizedFailureReason=Missing Entitlement. The bundle 'Home Assistant.app/PlugIns/HomeAssistant-Extensions-PushProvider.appex' is missing entitlement 'com.apple.developer.networking.networkextension'. (ID: ceac6dcc-9c76-412e-8ea7-f2d2845f8013), NSUnderlyingError=0x6000022b6430 {Error Domain=IrisAPI Code=-19241 \"Asset validation failed\" UserInfo={status=409, detail=Missing Entitlement. The bundle 'Home Assistant.app/PlugIns/HomeAssistant-Extensions-PushProvider.appex' is missing entitlement 'com.apple.developer.networking.networkextension'., id=ceac6dcc-9c76-412e-8ea7-f2d2845f8013, code=STATE_ERROR.VALIDATION_ERROR.90525, title=Asset validation failed, NSLocalizedFailureReason=Missing Entitlement. The bundle 'Home Assistant.app/PlugIns/HomeAssistant-Extensions-PushProvider.appex' is missing entitlement 'com.apple.developer.networking.networkextension'., NSLocalizedDescription=Asset validation failed}}, iris-code=STATE_ERROR.VALIDATION_ERROR.90525, NSLocalizedDescription=Asset validation failed}", "Error Domain=ContentDelivery Code=90525 \"Asset validation failed\" UserInfo={NSLocalizedFailureReason=Missing Entitlement. The bundle 'Home Assistant.app' is missing entitlement 'com.apple.developer.networking.networkextension'. (ID: 9ff2143b-3c00-4912-b59f-8342fa6fe5c0), NSUnderlyingError=0x6000022b6640 {Error Domain=IrisAPI Code=-19241 \"Asset validation failed\" UserInfo={status=409, detail=Missing Entitlement. The bundle 'Home Assistant.app' is missing entitlement 'com.apple.developer.networking.networkextension'., id=9ff2143b-3c00-4912-b59f-8342fa6fe5c0, code=STATE_ERROR.VALIDATION_ERROR.90525, title=Asset validation failed, NSLocalizedFailureReason=Missing Entitlement. The bundle 'Home Assistant.app' is missing entitlement 'com.apple.developer.networking.networkextension'., NSLocalizedDescription=Asset validation failed}}, iris-code=STATE_ERROR.VALIDATION_ERROR.90525, NSLocalizedDescription=Asset validation failed}" )

Question based on the https://developer.apple.com/forums/thread/649172 What is the mechanics of using this entitlement? What should be done in the UNNotificationServiceExtension in order to prevent the display of a notification for the user? Just pass an empty UNNotificationContent object to contentHandler or something else?

I'm trying to help out one of our vendors by building a skeleton PCI dext which they can flesh out. However, I can't seem to get the signing right. I can't sign it at all using no team or my personal team. "Signing for requires a development team", and "Personal development teams ... do not support the System Extension capability". I can't sign the driver because "DriverKit Team Provisioning Profile: doesn't match the entitlements file's value for the com.apple.developer.driverkit.transport.pci entitlement. I think this problem occurs because our company has already been assigned a transport.pci entitlement, but for our own PCI vendor ID. But I want to build and test software that works with our vendor's PCI device. I tried generating a profile for the driver manually, it contained only our own company's PCI driver match: IOPCIPrimaryMatch = "0x0000MMMM&0x0000FFFF"; where MMMM is our own PCI vendor ID. Is there a better way to inspect the profile Xcode is using than the postage-stamped sized info popup which truncates the information? I would download the generated profile but it doesn't appear on the profile, but Xcode is accessing it from somewhere. When I look at the available capabilities I can add to an app identifier on the Developer portal, I see com.apple.developer.driverkit.transport.usb, which is "development only". There's no "development only" capability for PCI. Does this mean it isn't possible to develop even a proof-of-concept PCI driver without being first granted the DriverKit PCI (Primary Match) entitlement? When adding capabilities to a driver, the list of available capabilities shown in Xcode has one "DriverKit PCI (Primary Match) entry", but if I double click it, two such entries appear in the Signing and Capabilities tab for my driver target. On the Developer portal, when I look at my driver's Identifier, there are two Capabilities labelled DriverKit PCI (Primary Match). Why?

I have a macOS app that captures screen images. The first time I run this application, a dialog is shown directing the user to give my app Screen Recording permission. Is there a way I can trigger this dialog earlier and detect whether the permission was granted?

What is the actual ASN.1 structure of the DER encoded entitlements used for iOS and MacOS applications? You can see a sample output at 'The Future is DER', but is there any official documentation or definition?

Hello Engineers My app was rejected with the message below, BUT I don't have this entitlements in my project! I already removed all Xcode files under ${HOME}/Developer/Xcode, but the problem still alive! Guideline 2.4.5(i) - Performance In order to continue reviewing your app, we require additional information. Your app uses one or more entitlements which do not appear to have matching functionality within the app. Please reply to this message in App Store Connect and describe how and where the app uses the following entitlements. You will not need to upload a new binary to provide this information. Apps should have only the minimum set of entitlements necessary for the app to function properly. If there are entitlements that are not needed, please remove them and submit an updated binary. You will need to Developer Reject the app to upload an updated version. "com.apple.security.assets.pictures.read-write" "com.apple.security.assets.movies.read-write" "com.apple.security.assets.music.read-write" "com.apple.security.files.downloads.read-write" Here my entitlements: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.security.app-sandbox</key> <true/> <key>com.apple.security.application-groups</key> <array> <string>group.org.eof.apps</string> </array> <key>com.apple.security.files.user-selected.read-write</key> <true/> </dict> </plist> code-block Who or where are these entitlements inserted? Which button should be clicked to deactivate them? Link to my project: DRFXBuilder Regards

Hello, I'm developing a feature for my app, that allows users to challenge their friends. The friend request functionality is built using Universal Links, but I've run into a significant issue. The Universal Links are correctly deep-linking into the app. However, once the app opens, nothing happens—the friend request acceptance or rejection flow does not occur. This prevents users from completing friend requests and building their friend list. Here are examples of the Universal Links I'm generating: https://www.strike-force.app/invite?type=invite&amp;amp;userID=... https://www.strike-force.app/invite?type=invite&amp;amp;friendRequestID=... https://www.strike-force.app/profile?userID=... I've recently updated my cloudflare-worker.js to serve a paths array of ["*"] in the AASA file, so I believe the links themselves should be valid. Technical Details &amp;amp; Error Logs In the console, I am consistently seeing the following error message: Cannot issue sandbox extension for URL:https://www.strike-force.app/invite?token=7EF1E439-090B-4DF2-BE64-9904F50A3F8B Received port for identifier response: &amp;lt;(null)&amp;gt; with error:Error Domain=RBSServiceErrorDomain Code=1 "Client not entitled" UserInfo={RBSEntitlement=com.apple.runningboard.process-state, NSLocalizedFailureReason=Client not entitled, RBSPermanent=false} elapsedCPUTimeForFrontBoard couldn't generate a task port This error appears to be related to entitlements and process state, but I am not sure if it's the root cause of the Universal Link issue or a separate problem. The 'Client not entitled' error on line 3 has had me chasing down entitlements issues. But, I've added the Associated Domains entitlement with the proper applink URLs and verified this in my Developer Portal. I've regenerated my provisioning profile, manually installed it, and selected/de-selected Automatically Manage Signing. As well I've verified my AASA file and it's correctly being served via HTTPS and returning a 200. curl -i https://strike-force.app/.well-known/apple-app-site-association curl -i https://www.strike-force.app/.well-known/apple-app-site-association I am looking for guidance on why the friend request flow is not being triggered after a successful deep-link and how I can fix the related error. Any insights or suggestions would be greatly appreciated.

The problem is described in full with log output in #16844 We are having an issue with TCC prompting users for access to the app group container despite signing with entitlements following all guidelines. This is a regression from the Feb 2025 Changes discussed in App Groups: macOS vs iOS: Working Towards Harmony The problem can only be reproduced with Xcode 16.0 and later. The entitlements for the app include access for the group container with [Key] com.apple.security.application-groups [Value] [Array] [String] G69SCX94XU.duck The documentation notes the group name can be arbitrary, e.g. <team identifier>.<group name>. Cyberduck uses G69SCX94XU.duck by default. Interestingly enough the alert is not shown when a group name matching the bundle identifier is used, e.g. G69SCX94XU.ch.sudo.cyberduck.

I was granted permissions for family controls distribution for the main target of my app. Do I also need to request permission for the other targets like ShieldConfiguration, ShieldActionExtension, etc.? If no, how can i add the distribution capabilities to those targets?

I’ve been working on a Catalyst version of my iOS apps. Finally everything is working apart from the custom intents the user user to configure the widgets. The config UI loads: And changing settings at this level works. But it can’t load the options for the other settings: “No options were provided for this parameter” I see this crash in the intent: Termination Reason: Namespace DYLD, Code 1 Library missing Library not loaded: @rpath/CocoaLumberjack.framework/Versions/A/CocoaLumberjack Referenced from: <E1BF4CC5-4181-3272-828C-86B1CD1A66BF> /Applications/my.app/Contents/PlugIns/Intents.appex/Contents/MacOS/Intents Reason: , (security policy does not allow @ path expansion) (terminated at launch; ignore backtrace) I have added the Hardened Runtime Capability to the Main App Target, the Widget Target and the Intents Target. I also allowed “Disable Library Validation” just in case. What am I missing?

Hello everyone can you help me, i have requested main camera access API Enterprise and have got the license to, and i have setting up the project main camera access demo from apple with my new license and have create app bundle and identifier for it but when i tried to deploy it test flight i got some error say "Profile doesn't support Main Camera Access" and "Profile doesn't include the com.apple.developer.arkit.main-camera-access.alow entitlement, even have do it it app Certificates, Identifiers &amp; Profiles and add the additional capability Main Camera Access. can you help me fixing this so that i can use Main Camera Access Entitlement

How can I disable Hardened Runtime in Xcode only when signing ad hoc? If I make a new project, Xcode will say Disabling hardened runtime with ad-hoc codesigning. at the beginning of the build logs. However, somehow my project isn't doing this -- it's still hardening the runtime when ad-hoc signing. What should I do to debug this?

So I just updated Xcode to 16.3 and updated a project to its recommended build settings which includes "Register App Groups". So I have an outside Mac App Store app that uses app groups. Here we have an action extension. I can't debug it, can't get it to run. Nothing useful in Xcode is displayed when I try... but it looks like a code signing issue when I run and have Console open. So I try to make a provisioning profile manually and set it...didn't work. I noticed now though in signing & capabilities the group id is in red...like it's invalid, or something? This was a "macOS styled" group without the "group." prefix. So am I supposed to switch it to have the group. prefix? It makes the red text go away (no warnings or anything about app groups here, just red text). So if I change it to group. prefix..does that make an entire new container?What happens on app update for installs that don't have group. prefix? Does the system transparently migrate the group? Or Am I supposed to migrate the entire group container to the identifier with group. prefix? Also how does this affect running on older version of macOS? If I go with the "group." prefix to make the red text go away,.. what happens on macOS 11.0? Got a little more than I bargained for here after midnight.

Hello, I already have got approval from Apple for com.apple.developer.family-controls entitlement When I am building my app, there is one part where I need to check the list of applications which I have blocked with my app. To get the list I have to have com.apple.developer.managed-settings entitlement ... Now how and where show I get hold of it ? I already got permission for Family Control, how do I get hold of this now ?