Demystify code signing and its importance in app development. Get help troubleshooting code signing issues and ensure your app is properly signed for distribution.

Post | Replies | Boosts | Views | Activity

Signing xcframework SDKs
The current structure of my SDK xcframework is XXXX-Release.xcframework. Inside that, I have an XXXX.xcframework and a LICENSE.md file. Currently, this structure works fine in Swift Package Manager, dropping the XXXX-Release.xcframework file into Xcode and CocoaPods. When I sign my xcframework as per Apple's requirements, I need to sign XXXX.xcframework, which is on the second level. Signing this works fine. Will this meet Apple's requirements for signing an xcframework? I just want to make sure the current structure of my SDK does not need to change. Thanks
1
0
569
Mar ’24
Sharing bundle ID for a flutter project
Hello. We are working on a Flutter project using the same unique iOS app bundle ID in all of our team's local repos. Only one of us is enrolled in an individual Apple Developer Program. The app runs properly for at least 3 of us while the others are getting the error that the bundle ID is not available. Given that the 3 of us did not require a unique bundle ID in each of our local copies, do you know how to resolve this issue? Also, it would be helpful if you could share how to handle the issue of requiring a unique bundle ID for Flutter projects if our team is not enrolled in the Apple Developer Enterprise Program.
1
0
405
Mar ’24
launchctl unable to start service with error 0x1 - Operation not permitted after app signing updated
Hi, we are working on an application which will perform scheduled backup tasks in macOS 14. The app has been granted Full Disk Access. Recently we updated the code signing for the executable (/Applications/MyApp.app/Contents/MacOS/MyApp below) to pass the new notarization. After that, we found launchctl unable to load the plist for the scheduled job:

```xml
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.MyApp.scheduler</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Applications/MyApp.app/Contents/MacOS/MyApp</string>
        <string>/Applications/MyApp.app</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>AbandonProcessGroup</key>
    <true/>
    <key>WorkingDirectory</key>
    <string>/Applications/MyApp.app/bin</string>
</dict>
</plist>
```

Related error messages found in /var/log/com.apple.xpc.launchd/launchd.log*:

```
2023-12-13 13:59:34.639672 (system/com.MyApp.scheduler [13434]) <Notice>: internal event: SOURCE_ATTACH, code = 0
2023-12-13 13:59:34.644530 (system/com.MyApp.scheduler [13434]) <Error>: Service could not initialize: posix_spawn(/Applications/MyApp.app/Contents/MacOS/MyApp), error 0x1 - Operation not permitted
2023-12-13 13:59:34.644545 (system/com.MyApp.scheduler [13434]) <Error>: initialization failure: 23C64: xpcproxy + 38300 [1097][925DE4E7-0589-3B33-BB64-7BC2F8629897]: 0x1
2023-12-13 13:59:34.644548 (system/com.MyApp.scheduler [13434]) <Notice>: internal event: INIT, code = 1
2023-12-13 13:59:34.644915 (system/com.MyApp.scheduler [13434]) <Notice>: xpcproxy exited due to exit(78)
```

We have tried to update the entitlements for the library and main executable files but still have not succeeded in making it work again. We have no idea what else we could do to troubleshoot this.

```xml
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
    <true/>
    <key>com.apple.security.cs.debugger</key>
    <true/>
    <key>com.apple.application-identifier</key>
    <string>...</string>
    <key>com.apple.developer.team-identifier</key>
    <string>...</string>
</dict>
</plist>
```

We'd appreciate any suggestions. Thank you.
2
0
482
Mar ’24
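Before chasing the launchd failure above, it is worth sanity-checking the two plists mechanically. The following is an added example, not code from the post or from Apple: it parses a launchd job definition and flags things a reviewer would question (a daemon whose executable is a GUI app's main binary, a WorkingDirectory inside a bundle but outside Contents/), and it lists every Hardened Runtime exception entitlement set to true together with the protection it switches off. The two plists embedded below are constructed to mirror the poster's, with the elided identifiers left out; the bundle-path heuristics are my own, not an Apple rule.

```python
"""Lint a launchd job plist and audit Hardened Runtime entitlements (added example)."""
import plistlib

# Hardened Runtime exception entitlements. Each one switches off a protection
# that the hardened runtime (which notarization expects) otherwise enforces.
RUNTIME_EXCEPTIONS = {
    "com.apple.security.cs.allow-jit":
        "allows writable+executable memory via MAP_JIT",
    "com.apple.security.cs.allow-unsigned-executable-memory":
        "allows executing unsigned code from memory",
    "com.apple.security.cs.disable-library-validation":
        "allows loading libraries not signed by the same team or by Apple",
    "com.apple.security.cs.allow-dyld-environment-variables":
        "honours DYLD_* variables such as DYLD_INSERT_LIBRARIES",
    "com.apple.security.cs.debugger":
        "allows attaching to other processes as a debugger",
    "com.apple.security.cs.disable-executable-page-protection":
        "disables all executable-page protections",
}

# Constructed sample input modelled on the job plist quoted in the post.
JOB_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.MyApp.scheduler</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Applications/MyApp.app/Contents/MacOS/MyApp</string>
        <string>/Applications/MyApp.app</string>
    </array>
    <key>RunAtLoad</key><true/>
    <key>AbandonProcessGroup</key><true/>
    <key>WorkingDirectory</key><string>/Applications/MyApp.app/bin</string>
</dict>
</plist>
"""

# Constructed sample input modelled on the entitlements quoted in the post.
ENTITLEMENTS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-jit</key><true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
    <key>com.apple.security.cs.disable-library-validation</key><true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
    <key>com.apple.security.cs.debugger</key><true/>
</dict>
</plist>
"""


def lint_launchd_job(plist_bytes):
    """Return human-readable findings for a launchd job definition."""
    job = plistlib.loads(plist_bytes)
    findings = []
    if not job.get("Label"):
        findings.append("missing Label")
    args = job.get("ProgramArguments") or []
    exe = job.get("Program") or (args[0] if args else None)
    if exe is None:
        findings.append("neither Program nor ProgramArguments is set")
        return findings
    if not exe.startswith("/"):
        findings.append(f"executable path is not absolute: {exe}")
    # Heuristic (my own): daemons usually run a standalone helper, not the GUI app binary.
    if ".app/Contents/MacOS/" in exe:
        findings.append(f"executable is an app bundle's main binary ({exe}); "
                        "a launchd job normally runs a standalone helper")
    wd = job.get("WorkingDirectory", "")
    # Heuristic (my own): a bundle normally has no top-level directories besides Contents/.
    if ".app/" in wd and "/Contents/" not in wd:
        findings.append(f"WorkingDirectory {wd} is inside a bundle but outside Contents/; "
                        "verify that the directory exists")
    return findings


def audit_entitlements(plist_bytes):
    """Return {entitlement: why it matters} for every runtime exception set to true."""
    ents = plistlib.loads(plist_bytes)
    return {k: why for k, why in RUNTIME_EXCEPTIONS.items() if ents.get(k) is True}


if __name__ == "__main__":
    for finding in lint_launchd_job(JOB_PLIST):
        print("job:", finding)
    for key, why in audit_entitlements(ENTITLEMENTS_PLIST).items():
        print("entitlement:", key, "-", why)
```

On a real machine, feed the functions the bytes of the installed plist and the output of `codesign -d --entitlements :- /path/to/binary` respectively; the point of the audit is that disable-library-validation together with allow-dyld-environment-variables lets anyone who can set DYLD_INSERT_LIBRARIES load code into a process that has Full Disk Access, so each exception should be justified before it ships.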
Some users are losing all of their local sandbox data
Some users reported that certain onboarding popups in the app were shown multiple times. From our tracking logs we found that for these users, the openudid saved in the keychain, the sandbox data, and even the cookies for network requests all suddenly disappeared, and after a few subsequent restarts the data may all come back again. This seems incredible, and we can't see anything wrong in the code. Can any expert help explain this?
1
0
359
Feb ’24
External Distributing to Steam
Hi, I am trying to export my game app to Steam, and trying to understand the external distribution using Developer ID Application. Even when using the Account Holder account (because I cannot get a private key for Developer ID Application otherwise), I am unable to use a Provisioning Profile. It allows me to archive and distribute anyways. But once the app is sent for notarization, I never hear back from Apple. Can anyone help explain this process? I've scoured the web looking for clear instructions but it's eluding me. I had read that notarization is quick, but I don't get anything back, not even an error or rejection. Thanks
1
0
411
Feb ’24
How to codesign and package for TestFlight
Hi, I have created a universal app and then did this: https://support.apple.com/en-vn/guide/apple-business-essentials/axm20c32e0c6/web But this doesn't produce a working package installer.

```
productbuild --sign "3rd Party Mac Developer Installer: ****" --component /Applications/MyApp.app MyApp-universal.pkg
```

Do I need to create a code signature with codesign prior to calling productbuild? Regards, Joël
3
0
455
Feb ’24
Sandboxed app using external shell tool runs on dev machine, but not on others
Following the description from https://developer.apple.com/documentation/xcode/embedding-a-helper-tool-in-a-sandboxed-app* I successfully managed to run my app sandboxed on my development system. Nevertheless, the copied application refuses to call the external tool unless it is compiled with NO for the App Sandbox entitlement. My app can be downloaded from: https://github.com/mac-curver/Postscript-Playground The last commit is using the App Sandbox entitlement, but the commit before is not using it, like the compiled and zipped app in the Application folder on GitHub. The attached picture shows the sandboxed app running on my development machine. Why does the sandboxed app not run on other Macs? How could I test this? *P.S. I could not exactly execute all tasks as written in *, for example I require OS 13.0 and I am using a non-commercial dev account (not paying for it).
2
0
401
Feb ’24
Execute command line tools /usr/bin from a SwiftUI Sandboxed app
For some years I have developed and maintained a SwiftUI-based app as a GUI on top of the command line tool rsync. The app is available on Homebrew and works as expected, including using the rsync command line tool from Homebrew. I have now developed a new GUI, a downscaled version of the original app, using SwiftData and using only the default rsync in /usr/bin/rsync. No access to remote servers by ssh keys, only locally attached disks on your Mac. SwiftData is used for storing data about synchronise tasks and log records from runs. The app works, but as soon as I enable the App Sandbox, the app is not permitted to execute the default included command line tool from /usr/bin. The GUI app executes the command line tool via a Swift Process object.
3
0
502
Feb ’24
Specs good enough for simple app?
I want to develop a very basic app for my wife. Since I'm into Windows and Android, I don't have any experience with macOS. My wife is visually impaired and chose an iPhone, and has never switched since. I want to buy a cheap second-hand MacBook Pro 2011 to be able to compile. Found this one online. Is it good enough? It doesn't matter if it's slow or has some weird glitches. The only thing I want is to develop the app, install it, and then let the MacBook rest for the rest of its life (sorry for this sad story, MacBook lovers :)) [Image Edited by Moderator to Remove Serial Number]
2
0
472
Jan ’24
App cannot be verified
We are using an iPhone app distributed as an AdHoc app, but an error message saying "App cannot be verified" was displayed. The error screen says, "Internet connection is required to verify the credibility of developer "Apple Distribution:●●●● CO.,LTD.(QQQ29B8GG2)"." When using this app, We are connected to the LAN, but not connected to the Internet. If you temporarily connect to the Internet and start the app when the error screen appears, the error screen will disappear. After that, when I switched from connecting to the Internet to connecting to LAN, it worked normally for a while, but after about 2 months, the same error screen appears again. Please tell me how to resolve this error.
3
0
537
Jan ’24
My app behaves differently when using TestFlight as opposed to running it with my development certificate
My sandboxed macOS app requires the user to grant permission under Privacy & Security / Accessibility in order to support extra functionality. If no permission is granted the app can still be used, albeit with very basic functionality. In order to allow the user NOT to have to immediately decide whether to grant this permission when first launching the app, a dialog allows them to say "I'll do it later". As such, the app uses a timer with a one second interval to ask the system if permission has been granted and, if so, implements the extra functionality. By the way, I would rather have used a notification instead of a timer, but there does not seem to be one.

```swift
// Schedule a timer to periodically check accessibility status
accessibilityTimer = Timer.scheduledTimer(timeInterval: 1.0, target: self, selector: #selector(checkAccessibilityStatus), userInfo: nil, repeats: true)

func isAccessibilityEnabled() -> Bool {
    let accessibilityEnabled = AXIsProcessTrusted()
    return accessibilityEnabled
}

@objc func checkAccessibilityStatus() {
    if isAccessibilityEnabled() {
        print("Accessibility is enabled.")
        accessibilityTimer?.invalidate()
        if gEventTap == nil {
            tapper() //as003
            gTypeIt4MeMenu?.item(at: kPauseResumeItem)?.title = "Pause"
            gStatusItem?.button!.image = NSImage(named: "menubar_icon_16x16")
            NotificationCenter.default.post(name: NSNotification.Name(rawValue: "showGreenTick"), object: nil)
        }
    } else {
        print("Accessibility is disabled.")
    }
}
```

My problem is that when I build the app with my development certificate, it runs as expected. However, when I upload it to TestFlight and download from there, it no longer "notices" when I grant it permission.
0
0
361
Jan ’24
Signing code with a hardware-based code-signing identity
Both the codesign tool and Xcode allow you to sign code with a hardware-based code-signing identity. However, setting that up can be a bit of a challenge. Recently a developer opened a DTS tech support incident requesting help with this, and so I thought I'd post my instructions here for the benefit of all. If you have any questions or comments about this, please start a new thread, tagging it with Code Signing so that I see it.

Share and Enjoy — Quinn "The Eskimo!" @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Signing code with a hardware-based code-signing identity

Both the codesign tool and Xcode allow you to sign code with a hardware-based code-signing identity. This post explains how to set that up.

I used macOS 14.2.1 with Xcode 15.2. For my hardware-based key I used a YubiKey 5 NFC that I reset to its defaults. I installed YubiKey Manager 1.2.5.

IMPORTANT While I used a YubiKey, the code signing parts of this process should work with any token that has a functioning CryptoTokenKit driver. In the case of the YubiKey, it presents a PIV interface and thus it's supported by macOS's built-in PIV CryptoTokenKit driver.

In this example I created an Apple Development certificate because those are a dime a dozen. This process should work with any other type of code-signing certificate. Indeed, it makes sense to store your most precious keys in a hardware token, including your Developer ID keys. For more on that topic, see The Care and Feeding of Developer ID.

Generate a certificate signing request

To generate a certificate signing request (CSR):

1. Connect the YubiKey via USB.
2. Dismiss any system alerts:
   - If the "Allow this accessory to connect?" alert comes up, click Allow.
   - If the Keyboard Setup Assistant comes up, quit that.
   - If the ctkbind notification comes up, dismiss that. Code signing does not require that you bind your login account to your hardware token.
3. Launch YubiKey Manager.
4. Choose Applications > PIV.
5. Click Configure Certificates.
6. Select Digital Signature (slot 9c). In the past I've run into situations where signing fails if you don't use this slot, although I haven't tested that in this particular case.
7. Click Generate.
8. Select Certificate Signing Request (CSR) and click Next.
9. Select the RSA2048 algorithm and click Next.
10. Enter a subject and click Next. The value you use here doesn't matter because Apple ignores pretty much everything in the CSR except the public key.
11. Click Generate.
12. Choose a save location and name. Don't include a file name extension.
13. When prompted for the management key, enter that and click OK.
14. When prompted for the PIN, enter that and click OK. The app will generate a .csr file at your chosen location.
15. Quit YubiKey Manager.

Note Apple typically uses the .certSigningRequest extension for CSRs, but this process works just fine with the .csr extension used by YubiKey Manager.

Generate a certificate from your CSR

To generate a certificate from that CSR:

1. In Safari, go to Developer > Account and log in. If you're a member of multiple teams, make sure you have the correct one selected at the top right.
2. Click Certificates.
3. Click the add (+) button to create a new certificate.
4. Select Apple Development and click Continue.
5. Click Choose File, select your CSR file, and click Upload.
6. Click Continue to generate your certificate. That takes you to the Download Your Certificate page.
7. Click Download.
8. In Terminal, calculate a SHA-1 hash of your .cer file.

```
% shasum "development.cer"
840f40ef6b10bedfb2315ac49e07f7e6508a1680  development.cer
```

Import the certificate to form a code-signing identity

To import this certificate into your YubiKey:

1. Convert the certificate to PEM form:

```
% openssl x509 -in "development.cer" -inform der -out "development.pem"
```

2. Launch YubiKey Manager.
3. Choose Applications > PIV.
4. Click Configure Certificates.
5. Select Digital Signature (slot 9c).
6. Click Import.
7. In the file dialog, select the PEM and click Import.
8. When prompted for the management key, enter that and click OK. The UI updates to show the certificate issuer (Apple Worldwide Developer Relations Certificate Authority) and subject (Apple Development: UUU, where UUU identifies you).
9. Quit YubiKey Manager.
10. Unplug the YubiKey and then plug it back in.

Sign a test program

Before digging into Xcode, check that you can sign code with the codesign tool:

1. Create a small program to test with. In my case I decided to re-sign the built-in true command-line tool:

```
% cp "/usr/bin/true" "MyTool"
% codesign -s - -f "MyTool"
```

2. Run codesign to sign your program, passing in the SHA-1 hash of the certificate you imported into the YubiKey:

```
% codesign -s 840f40ef6b10bedfb2315ac49e07f7e6508a1680 -f "MyTool"
```

3. When prompted for the PIN, enter that and click OK. The codesign invocation completes like so:

```
% codesign -s 840f40ef6b10bedfb2315ac49e07f7e6508a1680 -f "MyTool"
MyTool: replacing existing signature
```

Sign from Xcode

To sign from Xcode:

1. Open your project in Xcode. In my case I created a new project by choosing File > New then selecting macOS > Command Line Tool.
2. In Signing & Capabilities for the tool target, turn off "Automatically manage signing".
3. In Build Settings, find the Code Signing Identity build setting, choose Other, and then enter the SHA-1 hash of your certificate.
4. Choose Product > Build.
5. When prompted for the PIN, enter that and click OK. The build then completes.

IMPORTANT This requires Xcode 13 or later. Earlier versions of Xcode only work with file-based code-signing identities.
0
0
404
Jan ’24
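Two steps in the procedure above are plain byte manipulation rather than anything token-specific: the `shasum` of the downloaded .cer (a DER file) is the certificate fingerprint that `codesign -s` accepts, and `openssl x509 -inform der` just base64-wraps those same bytes. The block below is an added example, not part of Quinn's post, that does both with the Python standard library so you can see exactly what the hash covers and check that a PEM round-trips to the original DER before importing it. The DER blob used in the demo is a constructed placeholder (a SEQUENCE tag followed by filler), not a real certificate.

```python
"""DER <-> PEM and the SHA-1 fingerprint used with `codesign -s` (added example)."""
import base64
import hashlib


def is_der(data):
    """A DER-encoded certificate is an ASN.1 SEQUENCE, so its first byte is 0x30."""
    return len(data) > 2 and data[0] == 0x30


def der_to_pem(der):
    """What `openssl x509 -inform der -out x.pem` produces: base64 body wrapped at 64 columns."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def pem_to_der(pem):
    """Inverse of der_to_pem; used to confirm the PEM is a faithful copy before importing it."""
    body = [line for line in pem.splitlines() if line and not line.startswith("-----")]
    return base64.b64decode("".join(body))


def fingerprint(der):
    """SHA-1 over the DER bytes: what `shasum development.cer` prints."""
    return hashlib.sha1(der).hexdigest()


def codesign_command(der, path):
    """The codesign invocation from the post, with the identity given as its SHA-1 fingerprint."""
    return ["codesign", "-s", fingerprint(der), "-f", path]


if __name__ == "__main__":
    # Constructed placeholder standing in for development.cer (not a real certificate).
    fake_der = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(range(256))
    pem = der_to_pem(fake_der)
    assert pem_to_der(pem) == fake_der
    print(pem)
    print(" ".join(codesign_command(fake_der, "MyTool")))
```

Fingerprint the file you downloaded, not the PEM you derived from it: the hash is over the DER bytes, and hashing the PEM gives a different value that codesign will not find.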
Can't release my applications. Undefined Developer.
Hello, I jump on my Mac every 3-4 months to release a new version of my apps. The process usually is "ok", some cmake/compile issues as 99% of dev is done on Windows, but other than that it's all good. But now I'm stuck. My app can run locally/start etc. just fine, but clients are panicking because they can't run them. They get the undefined developer warning. I don't understand this. It's notarised and has been working for 2 years. What am I doing wrong?! How can I test it? I tried creating a new user profile on my Mac, but there is no issue, the app starts. Do I need to buy ANOTHER Mac to test my apps before release?! Can anyone help with how to debug this issue? I'm lost. I used Finder compress on myapp.app and sent it via Slack to the client to get him quickly going, but that does not help either; I thought it was zip stripping down data or something. Anyway, very frustrated here, and lost. Can anyone help? Any hint? Is this a good resource to check against? https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html I've run

```
spctl --assess --type execute myApp
```

and I'm getting "rejected (bundle format is ambiguous (could be app or framework))". But then why does it notarize/sign/etc. with no errors?! I'm so lost :-(((( Any help would be greatly appreciated. I've attached the app content.

Ok, I've tested my older releases, they all have the same issue but they all work on client systems. I'm so lost :-(((
1
0
465
Jan ’24
"Damaged" .app - debugging a trusted execution issue
Hi, I've run into an issue which only seems to affect one of my Macs. It's currently running 14.2.1 but I first saw this issue in 13.6. If I download the macOS Sonoma 14.2.1 installer (via the App Store) onto this particular machine, it will never execute the installer. It always reports that the installer is "damaged". Of course I did research this online and you get the usual unhelpful posts which just say "re-download it", and of course I wouldn't be posting here had I not tried that. This happens with any macOS installer I download using the softwareupdate --fetch-full-installer utility as well. The thing is, if I copy this .app to another (identical as far as I can tell) Mac, it will work. So far this also seems limited to macOS installers; other third-party apps are fine. I'm convinced this is related to trusted execution and something has gone wrong in the environment. I've been looking at my router logs to see if any connections may have been blocked (I'm using OPNsense) and also looking to see what connections are being made via Little Snitch, and so far it looks fine. Again, other machines on the network can run these just fine. I've read through eskimo's excellent guide here: https://forums.developer.apple.com/forums/thread/706442 but I was wondering if anyone can give me some pointers to narrow this down further. As it stands, I can't trust this machine for app development if I can't even get the official Apple installers to run successfully.
3
0
553
Jan ’24
Understanding Sandbox Violations for system services
According to https://developer.apple.com/documentation/security/app_sandbox/discovering_and_diagnosing_app_sandbox_violations it is possible to view detailed violation reports for non-system services. Is it possible to do something similar for system services? I have encountered an issue where several (all?) of my MacBooks get into a sandbox violation situation (I assume). Below is an excerpt from the logs focusing just on the sandbox violation. The errors are surrounded by XPC failures and errors.

```
error 23:23:21.382263+0100 kernel Sandbox: Family(1316) deny(1) mach-lookup com.apple.contactsd.persistence
error 23:23:24.385962+0100 kernel Sandbox: Family(1316) deny(1) mach-lookup com.apple.contactsd.persistence
error 23:23:27.389910+0100 kernel Sandbox: Family(1316) deny(1) mach-lookup com.apple.contactsd.persistence
error 23:23:36.408940+0100 kernel Sandbox: Family(1316) deny(1) mach-lookup com.apple.contactsd.persistence
error 23:23:45.419593+0100 kernel Sandbox: Family(1316) deny(1) mach-lookup com.apple.contactsd.persistence
error 23:23:54.432109+0100 kernel Sandbox: Family(1316) deny(1) mach-lookup com.apple.contactsd.persistence
```

The above is just an excerpt, and it seems that Family, imagent and searchpartyuseragent are trying to access com.apple.contactsd.persistence once per second or so and failing (there are also some attempts to reach com.apple.timed.xpc, but an insignificant amount in comparison to com.apple.contactsd.persistence). This in turn causes Diagnostics Reporter to start, and then end hastily almost every ten seconds.

```
fault 23:23:05.903908+0100 Diagnostics Reporter Invalid launch.
fault 23:23:16.038017+0100 Diagnostics Reporter Invalid launch.
fault 23:23:26.136348+0100 Diagnostics Reporter Invalid launch.
fault 23:23:36.274543+0100 Diagnostics Reporter Invalid launch.
fault 23:23:46.414546+0100 Diagnostics Reporter Invalid launch.
```

I have no idea how I did this, but I seem to have messed up sandbox access rights to contacts for some system services?
7
1
1.3k
Jan ’24
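The raw `Sandbox: ... deny(1) ...` lines are easier to reason about once they are grouped by process, operation and target and the repeating ones are separated from one-off denials. The following is an added example, not part of the post: it parses kernel Sandbox denial lines in the format quoted above, counts them per (process, operation, target), and flags any tuple that repeats at least a threshold number of times inside a time window. The sample lines are constructed from the post's excerpt plus one imagent line and one non-Sandbox line to show that unrelated entries are skipped; the window and threshold values are arbitrary choices.

```python
"""Parse kernel Sandbox denial log lines and flag repeating denials (added example)."""
import re
from collections import Counter, defaultdict

# Matches lines like:
# error 23:23:21.382263+0100 kernel Sandbox: Family(1316) deny(1) mach-lookup com.apple.contactsd.persistence
DENY_RE = re.compile(
    r"^(?P<level>\w+)\s+"
    r"(?P<hh>\d{2}):(?P<mm>\d{2}):(?P<ss>\d{2}\.\d+)[+-]\d{4}\s+"
    r"kernel\s+Sandbox:\s+(?P<proc>.+?)\((?P<pid>\d+)\)\s+"
    r"deny\(\d+\)\s+(?P<op>[\w-]+)\s+(?P<target>\S+)\s*$"
)

# Constructed sample input modelled on the post's excerpt (not a real capture).
SAMPLE_LOG = """\
fault 23:23:16.038017+0100 Diagnostics Reporter Invalid launch.
error 23:23:21.382263+0100 kernel Sandbox: Family(1316) deny(1) mach-lookup com.apple.contactsd.persistence
error 23:23:24.385962+0100 kernel Sandbox: Family(1316) deny(1) mach-lookup com.apple.contactsd.persistence
error 23:23:27.389910+0100 kernel Sandbox: Family(1316) deny(1) mach-lookup com.apple.contactsd.persistence
error 23:23:30.101000+0100 kernel Sandbox: imagent(712) deny(1) mach-lookup com.apple.contactsd.persistence
error 23:23:36.408940+0100 kernel Sandbox: Family(1316) deny(1) mach-lookup com.apple.contactsd.persistence
error 23:23:45.419593+0100 kernel Sandbox: Family(1316) deny(1) mach-lookup com.apple.contactsd.persistence
error 23:23:54.432109+0100 kernel Sandbox: Family(1316) deny(1) mach-lookup com.apple.contactsd.persistence
""".splitlines()


def parse_denials(lines):
    """Return one dict per Sandbox deny line; lines that do not match are skipped."""
    out = []
    for line in lines:
        m = DENY_RE.match(line)
        if not m:
            continue
        seconds = int(m["hh"]) * 3600 + int(m["mm"]) * 60 + float(m["ss"])
        out.append({"t": seconds, "proc": m["proc"], "pid": int(m["pid"]),
                    "op": m["op"], "target": m["target"]})
    return out


def summarize(denials):
    """Count denials per (process, operation, target)."""
    return Counter((d["proc"], d["op"], d["target"]) for d in denials)


def find_bursts(denials, window_s=60.0, threshold=5):
    """Return (process, operation, target) tuples denied >= threshold times within window_s."""
    times = defaultdict(list)
    for d in denials:
        times[(d["proc"], d["op"], d["target"])].append(d["t"])
    bursts = []
    for key, ts in times.items():
        ts.sort()
        for i, start in enumerate(ts):
            if sum(1 for t in ts[i:] if t - start <= window_s) >= threshold:
                bursts.append(key)
                break
    return bursts


if __name__ == "__main__":
    denials = parse_denials(SAMPLE_LOG)
    for key, n in summarize(denials).most_common():
        print(n, *key)
    print("bursts:", find_bursts(denials))
```

To collect real input on macOS, `log show --predicate 'eventMessage CONTAINS "Sandbox:"' --last 1h` produces lines in this shape; a burst of the same process being denied the same mach-lookup every few seconds usually means a client retry loop against a service it is not entitled to reach, which is a different problem from a single denial at launch.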
Simulator device returned an error for the requested operation. The parent bundle has the same identifier as sub-bundle
Two days ago everything was working fine. Then I decided to step on with the OneSignal SDK and the problems started to come. Now I have two big problems, but I want to go in order and begin with the first, and maybe the second will follow. When I try the app on the emulator, it builds fine but stops immediately with:

```
The parent bundle has the same identifier (com.domain.bundlename) as sub-bundle at /Users/myname/Library/Developer/CoreSimulator/Devices/F2D73A5F-1B86-4D2D-9989-518387D0FB24/data/Library/Caches/com.apple.mobile.installd.staging/temp.O4MORK/extracted/Runner.app/Frameworks/App.framework
```

(com.domain.bundlename is for obscuring the real one.) Then I tried creating a new emulator device, but I got the same error. No clues from my internet search.
1
0
1.1k
Jan ’24
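The installer error above is a structural check on the built product: every bundle nested inside an app must carry a CFBundleIdentifier different from the app's own. The block below is an added example, not code from the post or from Flutter or OneSignal: it walks a .app, reads the Info.plist of each nested bundle (looking in the flat iOS location and the macOS Contents/ and Resources/ locations), and reports any nested bundle whose identifier equals the parent's. `build_sample_app` constructs a throwaway Runner.app tree in a temp directory with the same clash the post describes, so it runs without a real build product.

```python
"""Find nested bundles that reuse the parent app's CFBundleIdentifier (added example)."""
import os
import plistlib
import tempfile

BUNDLE_SUFFIXES = (".app", ".framework", ".appex", ".bundle", ".xpc")
# Info.plist location depends on the bundle flavour (iOS flat, macOS Contents/, framework Resources/).
INFO_PLIST_CANDIDATES = ("Info.plist", "Contents/Info.plist", "Resources/Info.plist")


def bundle_identifier(bundle_dir):
    """Return the CFBundleIdentifier of a bundle directory, or None if no Info.plist is found."""
    for rel in INFO_PLIST_CANDIDATES:
        path = os.path.join(bundle_dir, rel)
        if os.path.isfile(path):
            with open(path, "rb") as f:
                return plistlib.load(f).get("CFBundleIdentifier")
    return None


def nested_bundles(app_dir):
    """Yield (relative_path, identifier) for every bundle nested inside app_dir."""
    for root, dirs, _ in os.walk(app_dir):
        dirs.sort()  # deterministic order regardless of filesystem
        for d in dirs:
            if d.endswith(BUNDLE_SUFFIXES):
                full = os.path.join(root, d)
                yield os.path.relpath(full, app_dir), bundle_identifier(full)


def find_identifier_conflicts(app_dir):
    """Return [(relative_path, identifier)] for nested bundles that clash with the parent app."""
    parent_id = bundle_identifier(app_dir)
    return [(rel, ident) for rel, ident in nested_bundles(app_dir) if ident == parent_id]


def build_sample_app(base_dir):
    """Construct a fake Runner.app modelled on the post's error (sample data, not a real build)."""
    app = os.path.join(base_dir, "Runner.app")
    layout = {
        "Info.plist": "com.domain.bundlename",
        "Frameworks/App.framework/Info.plist": "com.domain.bundlename",   # the clash
        "Frameworks/Flutter.framework/Info.plist": "io.flutter.flutter",  # fine: distinct id
    }
    for rel, ident in layout.items():
        path = os.path.join(app, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            plistlib.dump({"CFBundleIdentifier": ident}, f)
    return app


def demo():
    """Build the sample tree in a temp dir and return the conflicts found in it."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_identifier_conflicts(build_sample_app(tmp))


if __name__ == "__main__":
    for rel, ident in demo():
        print(f"nested bundle {rel} reuses parent identifier {ident}")
```

Point `find_identifier_conflicts` at the Runner.app under your build directory; an empty list means the identifier clash is gone, and anything it prints names the exact nested bundle whose Info.plist needs its own identifier.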