I have two apps that installed by .pkg . They are both signed by Developer Application . One of my apps has purpose of updating another app. It is implemented by deleteting it from folder, and unzipping archive with new .app to it's folder. Even if new app is signed and notarized, has stepled ticket on it, I get error "App is damaged and can't be opened". In Secrity and Confidentiality preferences I have warning that developer is unauthorized, even if this new app is notarized and signed. How can I implement app update to not throw error that app is damaged> Thanks a lot in advance

Hello, I'm create an app using QT on MacOs with Generate to Xcode, when submitting it to the App Store the upload process was successful but I got email feedback with the message containing the following: ITMS-90238: Invalid Signature - The main app bundle Tren at path Tren.app has following signing error(s): a sealed resource is missing or invalid . Refer to the Code Signing and Application Sandboxing Guide at http://developer.apple.com/library/mac/#documentation/Security/Conceptual/CodeSigningGuide/AboutCS/AboutCS.html and Technical Note 2206 at https://developer.apple .com/library/mac/technotes/tn2206/_index.html for more information. ITMS-90296: App sandbox not enabled - The following executables must include the 'com.apple.security.app-sandbox' entitlement with a Boolean value of true in the entitlements property list: [[Tren.app/Contents/MacOS/Tren ]] Refer to App Sandbox page at https://developer.apple.com/documentation/security/app_sandbox for more information on sandboxing your app. I've done the methods available in the community, but it still doesn't work. I hope someone will provide a solution, thank you

I am having trouble submitting the next build of my macOS app to the App Store Connect. I keep getting a variation of this error: ITMS-90238: Invalid Signature - The main app bundle MyApp at path MyApp.app has following signing error(s): code has no resources but signature indicates they must be present In subcomponent: MyApp.app/Contents/Frameworks/GoogleAppMeasurement.framework . Refer to the Code Signing and Application Sandboxing Guide at http://developer.apple.com/library/mac/#documentation/Security/Conceptual/CodeSigningGuide/AboutCS/AboutCS.html and Technical Note 2206 at https://developer.apple.com/library/mac/technotes/tn2206/_index.html for more information. ITMS-90238: Invalid Signature - The main app bundle MyApp at path MyApp.app has following signing error(s): code has no resources but signature indicates they must be present In subcomponent: MyApp.app/Contents/Frameworks/GoogleAppMeasurementIdentitySupport.framework . Refer to the Code Signing and Application Sandboxing Guide at http://developer.apple.com/library/mac/#documentation/Security/Conceptual/CodeSigningGuide/AboutCS/AboutCS.html and Technical Note 2206 at https://developer.apple.com/library/mac/technotes/tn2206/_index.html for more information. ITMS-90238: Invalid Signature - The main app bundle MyApp at path MyAppt.app has following signing error(s): code has no resources but signature indicates they must be present In subcomponent: MyApp.app/Contents/Frameworks/FirebaseAnalytics.framework . Refer to the Code Signing and Application Sandboxing Guide at http://developer.apple.com/library/mac/#documentation/Security/Conceptual/CodeSigningGuide/AboutCS/AboutCS.html and Technical Note 2206 at https://developer.apple.com/library/mac/technotes/tn2206/_index.html for more information. I am using Firebase framework as a Swift package. I tried updating Swift package to the latest version and that didn't help. I also tried to revert to the last version that was successfully used on the App Store/TestFlight and that didn't help. I have no control over this framework other than not use it or choose a specific version. I also tried to export the app and use the Transporter app and that didn't help. Any suggestions?

According to the new requirements for binary XCFrameworks they should be code signed. I watched the WWDC23 video 10061-Verify app dependencies with digital signatures and while it helpfully provides the command to sign the framework after building, it doesn’t mention how to sign it when your distribution certificates are of the Cloud managed kind, and therefore not actually in the macOS Keychain. My question is how can I sign a binary XCFramework when the only distribution certificate we have is in the cloud? I am a part of a team in App Store Connect, if that’s relevant. Thanks 🙌

In macOS, the App Sandbox is designed to restrict applications' access to system resources and user data, mitigating damage from potential threats. However, I'm unclear on its relationship with permissions and how it effectively reduces such threats. For example, with com.apple.security.device.camera, it seems to me that NSCameraUsageDescription should suffice. If an application is granted permission via NSCameraUsageDescription, configuring com.apple.security.device.camera still doesn't guarantee protection against malicious access to user data, does it? Or, if I haven't configured both com.apple.security.device.camera and NSCameraUsageDescription, could a malicious app still somehow prompt the camera permission dialog or bypass permission checks and access the camera without the com.apple.security.device.camera configuration?

I've developed a crypto token kit extension using the Xcode template. I've successfully added the certificate and its corresponding private key to the keychain. However, when attempting to sign with this certificate, I need to call a command-line interface (CLI) that I've created. The CLI is located at ~/Applications/mycli/cli_executable. My issue arises because the extension is sandboxed, prohibiting direct communication with the CLI. I attempted to remove the sandbox, but that didn't resolve the problem (the extension wasn't being registered without the app sandboxed). Additionally, the CLI relies on a database, so simply copying the file to the app container folder isn't a feasible solution (unless it's a symlink – I'm unsure if this is possible). How can I effectively address this problem and enable communication between the sandboxed extension and my CLI (GoLang app)? Thank you.

Is it possible to read messages from chat.db inside a MacOS app? I'm developing a MacOS app, I'm able to successfully connect to ~/Library/Messages/chat.db but when I try to run a query I get Error preparing select: authorization denied I know other apps like TablePlus are able to read chat.db but these apps are outside of iOS. Thanks in advance!

I hope this message finds you well. I am seeking assistance regarding the Full Disk Access entries. While the following command worked for entries with a bundle ID: sudo tccutil reset All com.mcafee.tp.endpointsecurity I am facing difficulty with entries lacking a bundle ID. The commands I used for specific entries are as follows: sudo tccutil reset SystemPolicyAllFiles /usr/local/McAfee/AntiMalware/VShieldScanner sudo tccutil reset SystemPolicyAllFiles /usr/local/McAfee/fmp/bin64/fmpd Unfortunately, these commands do not seem to remove the entries. Could you provide guidance on how to reset entries without a bundle ID? Note: it’s a Mcafee product and all the files are removed except from full disk entry i just want to remove only the VShieldScanner and fmpd Your assistance in resolving this matter is greatly appreciated & find the attached snap.

We create app but not select Bundle ID. I was create some Certificates, Identifiers & Profiles. But not show one this. Please check bug. Thank Apple!

Could someone let me know if it is possible to create a self-signed Developer ID Installer certificate? Create an installer package using this certificate. And share it with others. This is just to do a simple proof of concept.

Hello, I have an application which is running sandboxed and it also launches a child processes via posix_spawn. I already learned that child processes are running in the same sandbox as the launching application. What I wonder is if there is a way to launch the child with different sandbox profile from the parent application while maintaining the parent-child relationship? My use case is that helper applications doesn't need access to bunch of stuff the parent needs and we want to limit blast radius in case of security problem. I know that's what XPCServices are for, but we have a multi-platform code which is relying on POSIX process model quite heavily. Thank you

The current structure of my SDK xcframework is XXXX-Release.xcframework. Inside that, I have an XXXX.xcframework and a LICENSE.md file. Currently, this structure works fine in Swift Package Manager, dropping the XXXX-Release.xcframework file into Xcode and CocoaPods. When I sign my xcframework as per Apple's requirements, I need to sign XXXX.xcframework, which is on the second level. Signing this works fine. Will this meet Apple's requirements for signing an xcframework? I just want to make sure the current structure of my SDK does not need to change. Thanks

Hello. We are working on a flutter project using the same unique iOS app bundle id in all of our team's local repo. Only one of us is enrolled in an individual Apple Developer Program. The app runs properly for at least 3 of us while others are getting the error that the bundle ID is not available. Given that it the 3 of us did not require a unique bundle ID in each of our local copies, do you know how to resolve this issue? Also, it would be helpful if you could share how to handle the issue of requiring a unique bundle ID for flutter projects if our team is not enrolled in the Apple Developer Enterprise program.

Hi, we are working on an application which will perform scheduled backup tasks in macOS 14. The app has been granted full disk permission. Recently we updated the code signing for the executable (/Applications/MyApp.app/Contents/MacOS/MyApp below) for passing the new notarization. After that, we found launchctl unable to load the plist for the schedule job <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <key>Label</key> <string>com.MyApp.scheduler</string> <key>ProgramArguments</key> <array> <string>/Applications/MyApp.app/Contents/MacOS/MyApp</string> <string>/Applications/MyApp.app</string> </array> <key>RunAtLoad</key> <true/> <key>AbandonProcessGroup</key> <true/> <key>WorkingDirectory</key> <string>/Applications/MyApp.app/bin</string> </dict> </plist> Related error message found in /var/log/com.apple.xpc.launchd/launchd.log* 2023-12-13 13:59:34.639672 (system/com.MyApp.scheduler [13434]) <Notice>: internal event: SOURCE_ATTACH, code = 0 2023-12-13 13:59:34.644530 (system/com.MyApp.scheduler [13434]) <Error>: Service could not initialize: posix_spawn(/Applications/MyApp.app/Contents/MacOS/MyApp), error 0x1 - Operation not permitted 2023-12-13 13:59:34.644545 (system/com.MyApp.scheduler [13434]) <Error>: initialization failure: 23C64: xpcproxy + 38300 [1097][925DE4E7-0589-3B33-BB64-7BC2F8629897]: 0x1 2023-12-13 13:59:34.644548 (system/com.MyApp.scheduler [13434]) <Notice>: internal event: INIT, code = 1 2023-12-13 13:59:34.644915 (system/com.MyApp.scheduler [13434]) <Notice>: xpcproxy exited due to exit(78) We have tried to update the entitlements for library and main executable files while still not success on make it works again. We have no idea what else could do for troubleshooting this. <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.security.cs.allow-jit</key> <true/> <key>com.apple.security.cs.allow-unsigned-executable-memory</key> <true/> <key>com.apple.security.cs.disable-library-validation</key> <true/> <key>com.apple.security.cs.allow-dyld-environment-variables</key> <true/> <key>com.apple.security.cs.debugger</key> <true/> <key>com.apple.application-identifier</key> <string>...</string> <key>com.apple.developer.team-identifier</key> <string>...</string> </dict> </plist> Appreciate for any suggestions. Thank you.

Why is "fork" prohibited in sandboxed apps?

有用户反馈有些APP引导弹窗多次弹出，经过埋点日志观察发现，这些用户保存在钥匙串中的openudid，沙盒数据，甚至网络请求的cookie都突然丢失了，然后后续几次重启后可能这些数据又都恢复了，感觉非常不可思议，代码上看不出有任何问题，有大神帮忙解答下吗？

Hi, I am trying to export my game app to Steam, and trying to understand the external distribution using Developer ID Application. Even when using the Account Holder account (because I cannot get a private key for Developer ID Application otherwise), I am unable to use a Provisioning Profile. It allows me to archive and distribute anyways. But once the app is sent for notarization, I never hear back from Apple. Can anyone help explain this process? I've scoured the web looking for clear instructions but it's eluding me. I had read that notarization is quick, but I don't get anything back, not even an error or rejection. Thanks

There is an app, that is distributed on the web using Company A Developer ID certificate. Now this has to be transferred to Company B apple developer account. There is a way to transfer apps that are distributed on the AppStore, but how to do it in case of Developer ID?

Hi, I would love to disable app sandbox completely, because my music application requires extended filesystem permissions. Like reading configuration files from $HOME and enabling services through sockets. The UI toolkit I am using endorses IPC mechanism. cheers, Joël

Hi, I have create a universal app then did this: https://support.apple.com/en-vn/guide/apple-business-essentials/axm20c32e0c6/web But this doesn't produce a working package installer. productbuild --sign "3rd Party Mac Developer Installer: ****" --component /Applications/MyApp.app MyApp-universal.pkg Do I need to create a code signature with codesign, prior to call productbuild? regards, Joël