You can now easily request access to managed capabilities for your App IDs directly from the new Capability Requests tab in Certificates, Identifiers & Profiles > Identifiers. With this update, view available capabilities in one convenient location, check the status of your requested capabilities, and see any notes from Apple related to your requests. Learn more about capability requests.

General: Forums topic: Code Signing Forums subtopics: Code Signing > General, Code Signing > Certificates, Identifiers & Profiles, Code Signing > Notarization, Code Signing > Entitlements Forums tags: Code Signing, Signing Certificates, Provisioning Profiles, Entitlements Developer Account Help — This document is good in general but, in particular, the Reference section is chock-full of useful information, including the names and purposes of all certificate types issued by Apple Developer web site, tables of which capabilities are supported by which distribution models on iOS and macOS, and information on how to use managed capabilities. Developer > Support > Certificates covers some important policy issues Bundle Resources > Entitlements documentation TN3125 Inside Code Signing: Provisioning Profiles — This includes links to the other technotes in the Inside Code Signing series. WWDC 2021 Session 10204 Distribute apps in Xcode with cloud signing Certificate Signing Requests Explained forums post --deep Considered Harmful forums post Don’t Run App Store Distribution-Signed Code forums post Resolving errSecInternalComponent errors during code signing forums post Finding a Capability’s Distribution Restrictions forums post Signing code with a hardware-based code-signing identity forums post New Capabilities Request Tab in Certificates, Identifiers & Profiles forums post Isolating Code Signing Problems from Build Problems forums post Investigating Third-Party IDE Code-Signing Problems forums post Determining if an entitlement is real forums post Mac code signing: Forums tag: Developer ID Creating distribution-signed code for macOS documentation Packaging Mac software for distribution documentation Placing Content in a Bundle documentation Embedding nonstandard code structures in a bundle documentation Embedding a command-line tool in a sandboxed app documentation Signing a daemon with a restricted entitlement documentation Defining launch environment and library constraints documentation WWDC 2023 Session 10266 Protect your Mac app with environment constraints TN2206 macOS Code Signing In Depth archived technote — This doc has mostly been replaced by the other resources linked to here but it still contains a few unique tidbits and it’s a great historical reference. Manual Code Signing Example forums post The Care and Feeding of Developer ID forums post TestFlight, Provisioning Profiles, and the Mac App Store forums post For problems with notarisation, see Notarisation Resources. For problems with the trusted execution system, including Gatekeeper, see Trusted Execution Resources. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"

I am reaching out regarding a persistent issue I have been facing with code signing. Despite extensive troubleshooting, I am unable to resolve the problem, and I would greatly appreciate your assistance. When attempting to sign my electron application with codesign with the following command: codesign --keychain ~/Library/Keychains/login.keychain --sign “Developer ID Application: MYNAME (DEV-ID)” --force --timestamp --options runtime --verbose=4 dist/mac-arm64/my.app I receive the following error message: “Warning: unable to build chain to self-signed root for signer ‘Developer ID Application: MYNAME (DEV-ID)‘“. This prevents me from successfully completing the code signing and notarization process. To resolve this, I have meticulously tried to troubleshoot the problem. Here are the steps taken so far: Imported Certificates into Keychains: I imported all necessary certificates (including Developer ID Application, Developer ID Certification Authority, Apple Root CA and Apple Root CA - G2) into the keychain. I tested with both the System and Login keychains (one at a time to avoid errors due to duplicates) Checked Trust Settings: I confirmed that the trust settings for the certificates are properly configured to “Always Trust.” I verified the private key is present in Keychain Access and is properly linked to the public certificate. Ensured valid identity: I ensured that the correct Developer ID identity is valid and the associated private key is available (security find-identity -v -p codesigning and security find-key -t private | grep “MY NAME”) Ensured keychain access permissions: I ensured that the respective keychain has access permissions (security set-key-partition-list -S apple-tool:,apple: -s -k ~/Library/Keychains/login.keychain) Verified matching Issuer and Subject to build certificate chain: I verified that the Issuer and Subject fields in the certificates show the correct references to build the certificate chain. Deleted and Re-imported Certificates: I deleted and re-imported the certificates multiple times to ensure there were no import issues or corruption in the certificates. Tested simplified setup: I attempted to sign simple files, such as a plain .txt file, using the Developer ID Application certificate I also attempted signing with minimal flags to rule out any issues with the app structure or build configuration Updated Xcode Command Line Tools One potential factor is that I am signing the application on a different machine from the one where the certificates were originally generated. I included the private key when exporting the certificate as a .p12 file from the original computer and imported it into the second computer’s keychain. This second computer is not connected to iCloud, and I suspect this could potentially affect the signing process. Despite all these efforts, the issue persists, and I am unable to identify the root cause. I would greatly appreciate your guidance on resolving this matter so I can successfully complete the code signing and notarization process. Thank you for your time and support.

A few weeks ago I requested the subject entitlement. I'm still waiting for it to be added to our account. Who or how can I find out what going on with it. I have no correspondence from Apple yet saying it was denied and why. https://developer.apple.com/documentation/bundleresources/entitlements/com.apple.developer.persistent-content-capture?language=objc Thank you.

I would like to code sign an app or installer with an RSA 4096-bit code signing certificate. I created a CSR using RSA4096bit and ECC in Mac Keychain Access, but I was unable to use that CSR to create a code signing certificate on the Apple Developer site. How do I issue an RSA4096-bit or ECC code signing certificate?

After sending the app archive to apple notarization services, I received the following error: "The signature of the binary is invalid". This error is shown for both the arm64 and x86_64 builds of the app. Some details about the project: I have been able to notarize the app in the past, with the latest successful notarization at the start of October. The organization does have a valid developer membership. The app has no new dependencies since the last successful notarization. The project uses automatic managed signing (no visible errors in xcode). What has changed in app and development environment since the last notarization: Updated macOS to macOS 15. Updated to use new Xcode version (16) The organizations membership did expire for a bit, but is now valid. Changed apps target macOS version from 12.3 -> 13.5. What I've tried to debug / resolve this issue: Clean build folder and re-create archive. Waiting a period of time and retrying the notarization. Toggling 'automatic managed signing' off and on. Tried to look through profiles, provisions, certs to see any issues. Debug the issue with 'codesign -vvv --deep --strict /path/to/binary/or/bundle' CLI command (output said binary was valid). (https://developer.apple.com/documentation/security/resolving-common-notarization-issues) Going back to last successful notarized commit and re-notarizing from that point, but that failed as well (changed version number). Reverted a change of increasing the target macOS version (12.3 -> 13.5). Compare failed notarization app's info.plist to previous info.plist for any obvious errors. I tried to install the previous Xcode version, but it seems to be incompatible with macOS 15. Tried looking online for any other options, but only found a couple similar issues and the suggestions I already tried. I can provide further information if needed.

we are currently using an APNs Authentication Key to send notifications and have not generated any Development or Production APNs certificates. Could you please confirm whether using the APNs Authentication Key alone is sufficient under the updated requirements? Alternatively, do we need to generate Development and Production APNs certificates that support SHA-2 for compliance with the changes?

For some reason Xcode said my certificate was revoked. Developer support says it’s active. Could someone point me towards the steps to reactivate it?

We have an enterprise application which customers are using since long. Suddenly some customers have reported they are unable to open app in iOS 18 OS. On lower versions like 17 it is working fine. We have a deploy this enterprise application on our server from that link our customer can download and install the app in iPhone. Now they are blocked due to this error. After installing the app when they open app below error message is shown to them. "AppName" is no longer available.

The product archive package's signature is invalid. Ensure that it is signed with your "3rd Party Mac Developer Installer" certificate. (90237) I'm receiving this error, despite the fact that I'm using this certificate when creating the pkg (with electron-forge) My configuration is shown below - note the 3rd Party Mac Developer Installer identity when using new MakerPKG. const config: ForgeConfig = { packagerConfig: { asar: true, name: 'Deep Focus', icon: 'resources/icon.icns', osxSign: { identity: 'Apple Distribution: Timeo Williams (3Y4F3KTSJA)', type: 'distribution', provisioningProfile: '/Users/timeo/Desktop/Deep Focus/deepWork/distribution.provisionprofile', preAutoEntitlements: false, // eslint-disable-next-line @typescript-eslint/explicit-function-return-type optionsForFile() { return { entitlements: 'build/entitlements.mas.plist' } } }, extendInfo: 'build/info.plist', osxUniversal: { mergeASARs: true }, appCategoryType: 'public.app-category.productivity', appBundleId: 'com.electron.deepfocus', extraResource: [ 'resources/.env', 'resources/icon.icns', ] }, rebuildConfig: {}, makers: [ new MakerSquirrel({}), new MakerZIP({}), new MakerRpm({}), new MakerDeb({}), new MakerDMG({ appPath: './out/Deep Focus-darwin-arm64/Deep Focus.app', name: 'Deep Focus', icon: './resources/icon.icns', format: 'ULFO', overwrite: true, contents: (opts) => [ { x: 130, y: 220, type: 'file', path: opts.appPath }, { x: 410, y: 220, type: 'link', path: '/Applications' } ] }), new MakerPKG({ name: 'Deep Focus', identity: '3rd Party Mac Developer Installer: Timeo Williams (3Y4F3KTSJA)' }) ], plugins: [ new VitePlugin({ build: [ { entry: 'src/main.ts', config: 'vite.main.config.ts', target: 'main' }, { entry: 'src/preload.ts', config: 'vite.preload.config.ts', target: 'preload' } ], renderer: [ { name: 'main_window', config: 'vite.renderer.config.mts' // Path to Vite config for renderer process } ] }), new FusesPlugin({ version: FuseVersion.V1, [FuseV1Options.RunAsNode]: false, [FuseV1Options.EnableCookieEncryption]: true, [FuseV1Options.EnableNodeOptionsEnvironmentVariable]: false, [FuseV1Options.EnableNodeCliInspectArguments]: false, [FuseV1Options.EnableEmbeddedAsarIntegrityValidation]: true, [FuseV1Options.OnlyLoadAppFromAsar]: true }) ] } Yet, I'm getting the error from Transporter that it's invalid?

I want to distribute a macOS application created with Electron to third parties, but I am currently unable to do so because the code signing is not working correctly. From the following response, it appears that the code signing itself was successful: $ codesign -dvvv dist/mac-arm64/AnySticky.app Executable=/Users/myname/dev/electron-tutorial/dist/mac-arm64/AnySticky.app/Contents/MacOS/AnySticky Identifier=com.electron.electron-tutorial Format=app bundle with Mach-O thin (arm64) CodeDirectory v=20500 size=778 flags=0x10000(runtime) hashes=13+7 location=embedded Hash type=sha256 size=32 CandidateCDHash sha256=e105ecd3c2051554239df404c185f00fca5900de CandidateCDHashFull sha256=e105ecd3c2051554239df404c185f00fca5900de742e572c154aa889e9929186 Hash choices=sha256 CMSDigest=e105ecd3c2051554239df404c185f00fca5900de742e572c154aa889e9929186 CMSDigestType=2 CDHash=e105ecd3c2051554239df404c185f00fca5900de Signature size=9083 Authority=Apple Development: MY NAME (66MDM239Z8) Authority=Apple Worldwide Developer Relations Certification Authority Authority=Apple Root CA Timestamp=Dec 18, 2024 at 20:26:03 Info.plist entries=30 TeamIdentifier=9C8S7XP2UN Runtime Version=14.0.0 Sealed Resources version=2 rules=13 files=11 Internal requirements count=1 size=192 However, when I attempt to notarize the app, I receive an error stating that the app is not signed with a valid Developer ID certificate: $ xcrun notarytool submit dist/mac-arm64/AnySticky.zip --keychain-profile "AnySticky" --wait Excerpt from the error message: { "severity": "error", "code": null, "path": "AnySticky.zip/AnySticky.app/Contents/MacOS/AnySticky", "message": "The binary is not signed with a valid Developer ID certificate.", "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721", "architecture": "arm64" }, { "severity": "error", "code": null, "path": "AnySticky.zip/AnySticky.app/Contents/Frameworks/AnySticky Helper (Renderer).app/Contents/MacOS/AnySticky Helper (Renderer)", "message": "The binary is not signed with a valid Developer ID certificate.", "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721", "architecture": "arm64" }, ... I would greatly appreciate any guidance on how to resolve this issue. Thanks.

note technically code-signing but related...... Why has there been no update to the documentation at: https://developer.apple.com/documentation/appstorereceipts/validating_receipts_on_the_device To demonstrate how to validate an SHA256 app store hash ??? The January deadline is looming and I can find no working example code which sucessfully validates an SHA256 hash HELP !!!!

When I submit my app for notarization, it takes more than 24 hours but still shows "In progress". Does anyone else experience the same issue? Here is the history records: Successfully received submission history. history -------------------------------------------------- createdDate: 2024-12-22T07:32:20.998Z id: 81f36df5-21a2-4101-a264-9ac62e7b85a5 name: Gatsbi.zip status: In Progress -------------------------------------------------- createdDate: 2024-12-22T04:00:29.496Z id: 6d99632c-7aef-4e46-bdef-d70845cd39b5 name: Gatsbi.zip status: In Progress -------------------------------------------------- createdDate: 2024-12-21T10:54:48.433Z id: 1fdcd6c6-d707-4521-9b4d-4a5f3e03959a name: Gatsbi.zip status: In Progress -------------------------------------------------- createdDate: 2024-12-21T10:05:02.700Z id: 4237e15e-00e3-4884-9bdd-f7f900af2dc1 name: Gatsbi.zip status: In Progress -------------------------------------------------- createdDate: 2024-12-21T08:40:19.404Z id: 102039b9-4a16-4fbb-8371-f9b6cb0e1a80 name: Gatsbi.zip status: In Progress -------------------------------------------------- createdDate: 2024-12-21T07:31:01.588Z id: b6f82941-1ac2-4f5d-99ed-c44141934a0d name: Gatsbi.zip status: Accepted

I have a bizzare issue with my Apple TV that is shown as "iPod" in Apple developer portal. It's correctly visible in Xcode as Apple TV, but when I add it to developer portal it says "iPod". The problem is since it's there as an iPod I can't use it to my provisioning profile to build on the device Anyone has any idea how this can be solved? [Edited by Moderator]

From my developer account, when I generate CSR and submit for certificate generation private key not available and loaded into keychain

Xcode 16.2 無法在IOS 18.2 Debug Xcode 16.2 iOS 18.2 直接建立新專案 Xcode -> Create New Project -> Multiplatform -> Application -> App 選擇 實體手機 -> 執行 error: attach by pid '1050' failed -- attach failed (Not allowed to attach to process. Look in the console messages (Console.app), near the debugserver entries, when the attach failed. The subsystem that denied the attach permission will likely have logged an informative message about why it was denied.) Logging Error: Failed to initialize logging system due to time out. Log messages may be missing. If this issue persists, try setting IDEPreferLogStreaming=YES in the active scheme actions environment variables.

Chrome has started crashing almost immediately after startup. I've reported the issue to the Chrome team here: https://issues.chromium.org/issues/385433270 I'm hoping to debug the issue a bit more myself. This page from the Chrome team https://chromium.googlesource.com/chromium/src/+/master/docs/mac/debugging.md#chrome-builds suggests using the follow to strip off the protections: codesign --force --sign - path/to/Google\ Chrome.app However, applying that seems to have no effect: % codesign --force --sign - /Applications/Google\ Chrome\ copy.app /Applications/Google Chrome copy.app: replacing existing signature /Applications/Google Chrome copy.app: resource fork, Finder information, or similar detritus not allowed % lldb /Applications/Google\ Chrome\ copy.app (lldb) target create "/Applications/Google Chrome copy.app" Current executable set to '/Applications/Google Chrome copy.app' (arm64). (lldb) run error: process exited with status -1 (attach failed (Not allowed to attach to process. Look in the console messages (Console.app), near the debugserver entries, when the attach failed. The subsystem that denied the attach permission will likely have logged an informative message about why it was denied.)) I have tried other variations like the following based on Stack Overflow, this forum, etc., but with the same result. (I'm still a little vague on the meaning for some flags, sorry.) Though codesign says that it's "replacing existing signature", as far as I can tell, nothing is changing: % cat <<EOF > debuggee-entitlement.xml <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.security.get-task-allow</key> <true/> </dict> </plist> EOF % codesign --verbose=4 -fs - --options library-validation --entitlements debuggee-entitlement.xml /Applications/Google\ Chrome\ copy.app /Applications/Google Chrome copy.app: replacing existing signature /Applications/Google Chrome copy.app: resource fork, Finder information, or similar detritus not allowed file with invalid attached data: Disallowed xattr com.apple.FinderInfo found on /Applications/Google Chrome copy.app lldb still fails the same way. Here's what I see after the above: % codesign -d -vvv /Applications/Google\ Chrome\ copy.app Executable=/Applications/Google Chrome copy.app/Contents/MacOS/Google Chrome Identifier=com.google.Chrome Format=app bundle with Mach-O universal (x86_64 arm64) CodeDirectory v=20500 size=1821 flags=0x12a00(kill,restrict,library-validation,runtime) hashes=46+7 location=embedded Hash type=sha256 size=32 CandidateCDHash sha256=5d7beab2b03d9892426076b24acc19815d7a3ff8 CandidateCDHashFull sha256=5d7beab2b03d9892426076b24acc19815d7a3ff8c1446966e422c3c10672626b Hash choices=sha256 CMSDigest=5d7beab2b03d9892426076b24acc19815d7a3ff8c1446966e422c3c10672626b CMSDigestType=2 CDHash=5d7beab2b03d9892426076b24acc19815d7a3ff8 Signature size=8989 Authority=Developer ID Application: Google LLC (EQHXZ8M8AV) Authority=Developer ID Certification Authority Authority=Apple Root CA Timestamp=Dec 17, 2024 at 2:47:58 PM Notarization Ticket=stapled Info.plist entries=44 TeamIdentifier=EQHXZ8M8AV Runtime Version=15.0.0 Sealed Resources version=2 rules=13 files=63 Internal requirements count=1 size=288 From what I can tell, my codesign runs have changed nothing... I see no diff as compared with what I see running codesign -d on a fresh copy. Is it possible to strip off the protections on my local instance to allow debugging with lldb? If so, could someone share a command for accomplishing that? Although I'm asking about this because of Chrome specifically, I'm hoping to learn more about codesigning in general and to be more empowered as a user to be able to debug when an app I depend on is crashing. Thanks much! Happy Holidays!

Hi Everyone, Just a quick, and what is probably a really simple question. Do I require a 'Paid' Apple Developer account if I just wish to notarise my application for use on my local network. I don't see myself needing to use the App Store in the near future. I know I can manually add the app and authorise it, but I'd like to avoid this. Kindly Ryn

We notarize all of our apps as part of our nightly build. Every few weeks Apple changes something in the developer agreement, and therefore require the primary account holder to accept the new terms. However, this means our nightly builds break until the terms are accepted, which is a true pain in the ass. Is there some way to tell notarytool to force the notarization? Or tell the lawyers to chill tf out? This seems to happen every 2-4 weeks.

I want to code radeem for testflight

I have an executable file named infogodesk, located in the directory /usr/local/SmpAgent/rustdesk/infogodesk. When I execute it using the terminal with ./infogodesk, the process gets terminated by the kernel. However, if I move the executable to another directory, it works fine. This issue is very frustrating, and I hope to get some help. Below is the console log output: 默认 11:26:28.162205+0800 kernel ASP: Validation category (6) does not match top-level policy match (3) for process: /usr/local/SmpAgent/rustdesk/infogodesk 默认 11:26:28.162211+0800 kernel Validation category policy: Notifying syspolicyd about /usr/local/SmpAgent/rustdesk/infogodesk with PID 88264 默认 11:26:28.166695+0800 kernel CODE SIGNING: cs_invalid_page(0x104e04000): p=88264[infogodesk] final status 0x23000200, denying page sending SIGKILL 默认 11:26:28.166698+0800 kernel CODE SIGNING: process 88264[infogodesk]: rejecting invalid page at address 0x104e04000 from offset 0x0 in file "/usr/local/SmpAgent/rustdesk/infogodesk" (cs_mtime:1734509326.0 == mtime:1734509326.0) (depth:0) 默认 11:26:28.166738+0800 kernel infogodesk[88264] Corpse allowed 1 of 5 默认 11:26:28.255182+0800 ReportCrash ASI found [ReportCrash] (sensitive) 'Pid 88264 'infogodesk' CORPSE: Extracting Completed 1, Recent: Pid 86766 'ReportCrash' CORPSE' 默认 11:26:28.261619+0800 ReportCrash ASI found [ReportCrash] (sensitive) 'Pid 88264 'infogodesk' CORPSE: Extracting Completed 1, Recent: Pid 86767 'ReportCrash' CORPSE'

hi I am using fastlane and match to upload an app to test flight. The app requires com.apple.developer.storekit.external-link.account to be activated. My identifier has activated the capabilities and when I look at provisional profile, it also has it, but when the app has been uploaded, it's missing (although all other entitlements are there). Now it gets weird: Every time I run my flow I delete derived data, deletes all downloaded provisional profiles and use match to redownload them with read only (force is not an option). It does not work. I go to Apple dev and Toggles the capability off and on and saves. This invalidates the profile. I press edit and save. So no real changes. Run my flow and the app is uploaded correctly WITH the correct capabilities. Runs the flow again without the manual steps and the entitlements will be missing once again. Repeats the toggle stuff and the subsequent behavior repeats itself. Same flow and same code and same settings, app and profile.... I am building automated flows so this does not really work for me.... Heeeelp...