You can now easily request access to managed capabilities for your App IDs directly from the new Capability Requests tab in Certificates, Identifiers & Profiles > Identifiers. With this update, view available capabilities in one convenient location, check the status of your requested capabilities, and see any notes from Apple related to your requests. Learn more about capability requests.

General: Forums topic: Code Signing Forums subtopics: Code Signing > General, Code Signing > Certificates, Identifiers & Profiles, Code Signing > Notarization, Code Signing > Entitlements Forums tags: Code Signing, Signing Certificates, Provisioning Profiles, Entitlements Developer Account Help — This document is good in general but, in particular, the Reference section is chock-full of useful information, including the names and purposes of all certificate types issued by Apple Developer web site, tables of which capabilities are supported by which distribution models on iOS and macOS, and information on how to use managed capabilities. Developer > Support > Certificates covers some important policy issues Bundle Resources > Entitlements documentation TN3125 Inside Code Signing: Provisioning Profiles — This includes links to the other technotes in the Inside Code Signing series. WWDC 2021 Session 10204 Distribute apps in Xcode with cloud signing Certificate Signing Requests Explained forums post --deep Considered Harmful forums post Don’t Run App Store Distribution-Signed Code forums post Resolving errSecInternalComponent errors during code signing forums post Finding a Capability’s Distribution Restrictions forums post Signing code with a hardware-based code-signing identity forums post New Capabilities Request Tab in Certificates, Identifiers & Profiles forums post Isolating Code Signing Problems from Build Problems forums post Investigating Third-Party IDE Code-Signing Problems forums post Determining if an entitlement is real forums post Code Signing Identifiers Explained forums post Mac code signing: Forums tag: Developer ID Creating distribution-signed code for macOS documentation Packaging Mac software for distribution documentation Placing Content in a Bundle documentation Embedding nonstandard code structures in a bundle documentation Embedding a command-line tool in a sandboxed app documentation Signing a daemon with a restricted entitlement documentation Defining launch environment and library constraints documentation WWDC 2023 Session 10266 Protect your Mac app with environment constraints TN2206 macOS Code Signing In Depth archived technote — This doc has mostly been replaced by the other resources linked to here but it still contains a few unique tidbits and it’s a great historical reference. Manual Code Signing Example forums post The Care and Feeding of Developer ID forums post TestFlight, Provisioning Profiles, and the Mac App Store forums post For problems with notarisation, see Notarisation Resources. For problems with the trusted execution system, including Gatekeeper, see Trusted Execution Resources. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"

The problem is the following: We create a keychain item called NotaryTool (There are multiple accounts that use Notary tool and we created it for all of them ) This is created in the following way: $ xcrun notarytool store-credentials This process stores your credentials securely in the Keychain. You reference these credentials later using a profile name. Profile name: NotaryTool We recommend using App Store Connect API keys for authentication. If you'd like to authenticate with an Apple ID and app-specific password instead, leave this unspecified. Path to App Store Connect API private key: //AuthKey_ABCDEFGH.p8 App Store Connect API Key ID: <ABCDEFGH> App Store Connect API Issuer ID: ABCDEF-ABCD-1234-1234-1234567 Validating your credentials... Success. Credentials validated. Credentials saved to Keychain. To use them, specify `--keychain-profile "NotaryTool"` The key is downloaded from Apple and some other IDs are provided alongside. These should remain in the keychain for as long as the user process is running (just like any other process) A few runs are successful when we run with the profile that was created. After a few runs we start seeing a failure. Now we are seeing the following issue where the keychain item just vanishes: Error: No Keychain password item found for profile: NotaryTool\n\nRun 'notarytool store-credentials' to create another credential profile.\nError during the not process\nTue Aug 26 06:02:09 2025 Notarization failed with notarytool with exit code 17664: \nTue Aug 26 06:02:09 2025 could not upload for notarization!!!

Can someone please explain why Mac app packaging is so farcically convoluted? Windows app packaging can be picked up in an hour or so. But I've spent longer trying to fathom how to package the Mac version than I did building the app. And it's not done with me yet. Every single line of code requires a deep dive into a new, unrelated skillset. So, it’s sidebar after sidebar. Kafka’s ‘The Trial’ comes to mind. Why does it have to be like this?

Hi there, I am trying to build the Apple SimpleAudioDriver example but fail with codesign and/or provisioning. I would be ok for now with the local option, but XCode 16.4 doesn't show the option "build to run locally" (SIP is disabled). When using "Automatically manage signing" it ends in a "Please file a bug report". I found that having two different development teams tripped it up, so I deleted all certificates and keys and made sure to be only signed into one account in Xcode. Can anyone give advice? Thanks a ton! Here is the URL to the sample: https://developer.apple.com/documentation/coreaudio/building-an-audio-server-plug-in-and-driver-extension macOS: 15.6.1 XCode: 16.4 Hardware: MacBook Pro M2 Max SIP: disabled

Validation failed (409) Missing Code Signing Entitlements. No entitlements found in bundle 'com.seeyon.yiboyun.child' for executable 'Payload/M3.app/PlugIns/CMPSharePublish.appex/CMPSharePublish'." (ID: 6e5429ed-b896-45a0-ab23-bb8fcb472072)

Hello everyone, I'm facing a critical build issue related to Family Controls entitlements and would appreciate any insights or help from the community or Apple engineers. My Goal: I am trying to build and run my app on a physical device to test my DeviceActivityMonitor and ShieldConfigurationExtension. I have already been approved for the Family Controls (Development) entitlement. The Problem: When I try to build, Xcode fails with the following errors, preventing me from testing: For my DeviceActivityMonitor target: Provisioning profile "..." doesn't include the com.apple.developer.deviceactivity entitlement. For my SOSAppShieldExtension target: Provisioning profile "..." doesn't include the com.apple.developer.screen-time-api entitlement. The Core Evidence: This seems to be a server-side issue with how the provisioning profiles are generated. I have used the security cms -D -i command to inspect the downloaded .mobileprovision files. The inspection reveals that the profiles do contain the parent com.apple.developer.family-controls entitlement. However, they are missing the required child entitlements: The profile for my monitor extension is missing com.apple.developer.deviceactivity. The profile for my shield extension is missing com.apple.developer.screen-time-api. Troubleshooting Steps I've Already Taken: I believe I have exhausted all possible client-side fixes. Here is what I have tried over the past few days: Confirmed Approval: I am fully approved for the Family Controls (Development) entitlement. Enabled Capabilities: The "Family Controls" capability is checked and enabled for all three relevant App IDs (main app, monitor extension, shield extension) on the developer portal. Profile Regeneration: I have deleted and regenerated all provisioning profiles for all targets multiple times. Forcing a Server Refresh: I have toggled the "Family Controls" capability off, saved, and then toggled it back on and saved again for each App ID. Creating New Identifiers: I created a brand new, clean App ID for the DeviceActivityMonitor extension (com.sosapp.ios.devicemonitor) and created a new profile for it, but the error persists. Xcode Configuration: I am using manual signing in Xcode and have double-checked that each target is pointing to the correct, newly downloaded provisioning profile. I have also cleaned the build folder and deleted Derived Data multiple times. My Question: Given that my account is approved and the capability is enabled, but the generated profiles are provably missing the necessary child entitlements, this points directly to a bug in the profile generation service on Apple's backend. Has anyone else experienced this specific issue where the parent entitlement is present but the required child entitlements are missing? Is there a known workaround, or can an Apple engineer please investigate the profile generation for my Team ID? Any help would be greatly appreciated. Thank you!

This issue keeps cropping up on the forums and so I decided to write up a single post with all the details. If you have questions or comments: If you were referred here from an existing thread, reply on that thread. If not, feel free to start a new thread. Use whatever topic and subtopic is appropriate for your question, but also add the Entitlements tag so that I see it. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" Determining if an entitlement is real In recent months there’s been a spate of forums threads involving ‘hallucinated’ entitlements. This typically pans out as follows: The developer, or an agent working on behalf of the developer, changes their .entitlements file to claim an entitlement that’s not real. That is, the entitlement key is a value that is not, and never has been, supported in any way. Xcode’s code signing machinery tries to find or create a provisioning profile to authorise this claim. That’s impossible, because the entitlement isn’t a real entitlement. Xcode reports this as a code signing error. The developer misinterprets that error [1] in one of two ways: As a generic Xcode code signing failure, and so they start a forums thread asking about how to fix that problem. As an indication that the entitlement is managed — that is, requires authorisation from Apple to use — and so they start a forums thread asking how to request such authorisation. The fundamental problem is step 1. Once you start claiming entitlements that aren’t real, you’re on a path to confusion. Note If you’re curious about how provisioning profiles authorise entitlement claims, read TN3125 Inside Code Signing: Provisioning Profiles. There are a couple of ways to check whether an entitlement is real. My preferred option is to create a new test project and use Xcode’s Signing & Capabilities editor to add the corresponding capability to it. Then look at what Xcode did. You might find that Xcode claimed a different entitlement, or added an Info.plist key, or did nothing at all. IMPORTANT If you can’t find the correct capability in the Signing & Capabilities editor, it’s likely that this feature is available to all apps, that is, it’s not gated by an entitlement or anything else. Another thing you can do is search the documentation. The vast majority of real entitlements are documented in Bundle Resources > Entitlements. IMPORTANT When you search for documentation, focus on the Apple documentation. If, for example, you search the Apple Developer Forums, you might be mislead by other folks who are similarly confused. If you find that you’re mistakenly trying to claim a hallucinated entitlement, the fix is trivial: Remove it from your .entitlements file so that your app starts to build again. Then add the capability using Xcode’s Signing & Capabilities editor. This will do the right thing. If you continue to have problems, feel free to ask for help here on the forums. See the top of this post for advice on how to do that. [1] Xcode 26.2, currently being seeded as Release Candidate, is much better about this (r. 155327166). Give it a whirl! Commonly Hallucinated Entitlements This section lists some of the more commonly hallucinated entitlements: com.apple.developer.push-notifications — The correct entitlement is aps-environment (com.apple.developer.aps-environment on macOS), documented here. There’s also the remote-notification value in the UIBackgroundModes property. com.apple.developer.in-app-purchase — There’s no entitlement for in-app purchase. Rather, in-app purchase is available to all apps with an explicit App ID (as opposed to a wildcard App ID). com.apple.InAppPurchase — Likewise. com.apple.developer.storekit — Likewise. com.apple.developer.in-app-purchase.non-consumable — Likewise. com.apple.developer.in-app-purchase.subscription — Likewise. com.apple.developer.app-groups — The correct entitlement is com.apple.security.application-groups, documented here. And if you’re working on the Mac, see App Groups: macOS vs iOS: Working Towards Harmony. com.apple.developer.background-modes — Background modes are controlled by the UIBackgroundModes key in your Info.plist, documented here. UIBackgroundModes — See the previous point. com.apple.developer.voip-push-notification — There’s no entitlement for this. VoIP is gated by the voip value in the UIBackgroundModes property. com.apple.developer.family-controls.user-authorization — The correct entitlement is com.apple.developer.family-controls, documented here. IMPORTANT As explained in the docs, this entitlement is available to all developers during development but you must request authorisation for distribution. com.apple.developer.device-activity — The DeviceActivity framework has the same restrictions as Family Controls. com.apple.developer.managed-settings — If you’re trying to use the ManagedSettings framework, that has the same restrictions as Family Controls. If you’re trying to use the ManagedApp framework, that’s not gated by an entitlement. com.apple.developer.callkit.call-directory — There’s no entitlement for the Call Directory app extension feature. com.apple.developer.nearby-interaction — There’s no entitlement for the Nearby interaction framework. com.apple.developer.secure-enclave — On iOS and its child platforms, there’s no entitlement required to use the Secure Enclave. For macOS specifically, any program that has access to the data protection keychain also has access to the Secure Enclave [1]. See TN3137 On Mac keychain APIs and implementations for more about the data protection keychain. com.apple.developer.networking.configuration — If you’re trying to configure the Wi-Fi network on iOS, the correct entitlement is com.apple.developer.networking.HotspotConfiguration, documented here. com.apple.developer.musickit — There is no MusicKit capability. Rather, enable MusicKit via the App Services column in the App ID editor, accessible from Developer > Certificates, Identifiers, and Profiles > Identifiers. These app services are tied to your App ID on the server side, meaning that they have no presence in your code signature. com.apple.developer.shazamkit — There is no ShazamKit capability. Like MusicKit, this is an app service. com.apple.mail.extension — Creating an app extension based on the MailKit framework does not require any specific entitlement. com.apple.security.accessibility — There’s no entitlement that gates access to the Accessibility APIs on macOS. Rather, this is controlled by the user in System Settings > Privacy & Security. Note that sandboxed apps can’t use these APIs. See the Review functionality that is incompatible with App Sandbox section of Protecting user data with App Sandbox. com.apple.developer.adservices — Using the AdServices framework does not require any specific entitlement. [1] While technically these are different features, they are closely associated and it turns out that, if you have access to the data protection keychain, you also have access to the SE. Revision History 2026-04-23 Added com.apple.developer.shazamkit to the common hallucinations list. Added a little more info about app services. 2025-12-09 Updated the Xcode footnote to mention the improvements in Xcode 26.2rc. 2025-11-03 Added com.apple.developer.adservices to the common hallucinations list. 2025-10-30 Added com.apple.security.accessibility to the common hallucinations list. 2025-10-22 Added com.apple.mail.extension to the common hallucinations list. Also added two new in-app purchase hallucinations. 2025-09-26 Added com.apple.developer.musickit to the common hallucinations list. 2025-09-22 Added com.apple.developer.storekit to the common hallucinations list. 2025-09-05 Added com.apple.developer.device-activity to the common hallucinations list. 2025-09-02 First posted.

Our team (AI Eesti OU, Team ID: W4WXCM4DLL) submitted our first app for notarization and both submissions have been stuck "In Progress" for over 20 hours. Submission IDs: 7433a69a-af1a-463a-a9fc-c80526eb6eab (submitted 2026-04-06 19:11 UTC) d033e2f1-9b33-4b7d-8f8d-271c99f1c61c (submitted 2026-04-06 21:03 UTC) The app is signed with Developer ID Application, hardened runtime enabled, and codesign --verify --deep --strict passes. This is our first notarization submission as a new team. Is this expected for first-time submissions, or is something stuck?

Hi everyone, We're experiencing a critical and persistent code signing failure (HTTP 403) after accepting the latest Apple Developer Agreement, blocking our application release. Problem: Despite confirming the new Apple Developer Agreement is signed and active on the portal, code signing attempts return an HTTP 403 error, stating a "required agreement is missing or has expired." Steps Taken: Accepted new Apple Developer Agreement. Verified active developer membership and valid certificates (good for years). Cleared caches, restarted systems. Confirmed Team ID, Apple ID, and provisioning profile validity. Any help is greatly appreciated, its been stuck for more than 2 days now.

I've submitted my app, signed with a new Developer Id Certificate for a distribution outside of the App Store, 88 hours ago. xcrun notarytool history ... Shows the submission as "In Progress". xcrun notarytool log ... Tells me "Submission log is not yet available or submissionId does not exist". I don't know if that's expected for an "In Progress" submission. As far as I can tell the signing worked without problems. I'm using the Tauri toolchain, which under its hood is using notarytool. How long can I expect this to take? If there is a problem with my submission does the status just stay on "In Progress" or do I get an error? Thanks

Hoping to get visibility on a Family Controls (Distribution) entitlement request pending without status updates after an app transfer. Context: Digital wellbeing app, 500K+ active iOS users Previous team had Family Controls (Distribution) approved and shipping to production App transferred to new team (H2HM68H8PP) ~1 month ago; entitlement re-requested immediately Capability page shows "View Requests (6)" with no approvals, rejections, or updates Developer Support cases opened (102883853173, 20000112879750, 102875975624) — confirmed they cannot check entitlement status Impact: Core app feature depends on Family Controls. Production app for 500K+ users will break once transfer fully propagates at provisioning level. This is a continuity issue, not a new-app launch — entitlement was previously approved on the prior team. Questions: Recommended escalation path for post-transfer entitlement requests? Should I stop resubmitting to avoid queue deprioritization? Could the entitlements team provide a status update? Happy to share bundle ID, previous team ID, and request dates privately with Apple staff.

I want to help contribute a feature in a virtual-machine app in macOS that supports PCIe device passthrough over thunderbolt. I have a question about the entitlements. Since I do not represent the GPU vendors, would I be allowed to get a driver signed that matches GPU vendor IDs? Is there such a thing as wildcard entitlement for PCIDriverKit? I don't want end-users to have to disable SIP to be able to use this. Any suggestions/leads? Thank you.

Hi, I submitted a Family Controls (Distribution) entitlement request for my app Faith Lock (com.faithlock.ios) - a prayer-focused iOS app that uses the Screen Time API to help users block distracting apps. I received an approval email, but the portal still shows the request as "Submitted" and the Distribution option does not appear under Additional Capabilities for my identifier. This is blocking me from submitting to App Store Connect. Details: Bundle ID: com.faithlock.ios Team ID: F86P575UNP Request IDs: 3PWTDR8KL3 / 885ZK276KK Status in portal: Submitted (unchanged since approval email) Has anyone experienced this? Is there a way to get the portal manually updated to reflect the approval? Any help or escalation from a DTS engineer would be greatly appreciated. Thank you.

Hi everyone, After I recently changed my Apple ID (iCloud) password, my Developer ID certificate stopped working for signing macOS apps. Symptoms: Signing fails with the Developer ID certificate that was previously working fine. I tried re-downloading the certificate from my Apple Developer account and importing it into the Keychain, but the issue persists. It seems that the Developer ID identity is no longer trusted or properly linked to my system since the password change. Attempts: Re-downloaded and installed the certificate from the developer portal. Verified that the private key is present and linked. Checked keychain access and code-signing identity — everything appears normal, but the signed apps are rejected or the signing process fails. Blocking issue: I am unable to delete or revoke the Developer ID certificate on my account (Apple Support says it's not possible). Also, I can't create a new one due to the certificate limit. Questions: Is it expected for a Developer ID certificate to become invalid after changing the Apple ID password? Is there a recommended way to refresh or restore the certificate trust on macOS? How can I invalidate the current certificate and generate a new one if I'm stuck? Any insights or official guidance would be really appreciated. Thanks in advance!

My app's notarization progress is stuck. ID: aa61b008-a329-4e31-bb23-648029510e36 Forum mod DTS Engineer gives "copy-paste" answers to every user who has this problem.

Hello everyone, I'm encountering an issue while trying to publish an app on TestFlight. The app in question is Home Assistant, which I've compiled from the source. I am able to compile and install the app on my device without any problems. My company's developer account is properly configured, and I have set Xcode to automatically manage the provisioning profile. The archive is also created successfully, but when I attempt to upload it to Apple Store Connect for testing via TestFlight, I receive the following error: ERROR: [ContentDelivery.Uploader] Asset validation failed (90525) Missing Entitlement. The bundle 'Home Assistant.app/PlugIns/HomeAssistant-Extensions-PushProvider.appex' is missing entitlement 'com.apple.developer.networking.networkextension'. (ID: ceac6dcc-9c76-412e-8ea7-f2d2845f8013) I've made several attempts to resolve this issue to no avail. For instance, if I add the missing capability manually, then I am informed that the provisioning profile is incorrect. However, checking the network extension settings on my company's dev account, I see nothing related to push notifications, which are located elsewhere. Thus, I am stuck in a loop where either the provisioning file is correct but the entitlement is missing, or if the entitlement is present, then the provisioning profile is deemed incorrect. URL:https://contentdelivery.itunes.apple.com status code: 409 (conflict) httpBody: { "errors" : [ { "id" : "ceac6dcc-9c76-412e-8ea7-f2d2845f8013", "status" : "409", "code" : "STATE_ERROR.VALIDATION_ERROR.90525", "title" : "Asset validation failed", "detail" : "Missing Entitlement. The bundle 'Home Assistant.app/PlugIns/HomeAssistant-Extensions-PushProvider.appex' is missing entitlement 'com.apple.developer.networking.networkextension'." }, { "id" : "9ff2143b-3c00-4912-b59f-8342fa6fe5c0", "status" : "409", "code" : "STATE_ERROR.VALIDATION_ERROR.90525", "title" : "Asset validation failed", "detail" : "Missing Entitlement. The bundle 'Home Assistant.app' is missing entitlement 'com.apple.developer.networking.networkextension'." } ] } ======================================= 2024-01-10 23:19:35.506 ERROR: [ContentDelivery.Uploader] Asset validation failed (90525) Missing Entitlement. The bundle 'Home Assistant.app/PlugIns/HomeAssistant-Extensions-PushProvider.appex' is missing entitlement 'com.apple.developer.networking.networkextension'. (ID: ceac6dcc-9c76-412e-8ea7-f2d2845f8013) 2024-01-10 23:19:35.506 DEBUG: [ContentDelivery.Uploader] Error Domain=ContentDelivery Code=90525 "Asset validation failed" UserInfo={NSLocalizedFailureReason=Missing Entitlement. The bundle 'Home Assistant.app/PlugIns/HomeAssistant-Extensions-PushProvider.appex' is missing entitlement 'com.apple.developer.networking.networkextension'. (ID: ceac6dcc-9c76-412e-8ea7-f2d2845f8013), NSUnderlyingError=0x6000022b6430 {Error Domain=IrisAPI Code=-19241 "Asset validation failed" UserInfo={status=409, detail=Missing Entitlement. The bundle 'Home Assistant.app/PlugIns/HomeAssistant-Extensions-PushProvider.appex' is missing entitlement 'com.apple.developer.networking.networkextension'., id=ceac6dcc-9c76-412e-8ea7-f2d2845f8013, code=STATE_ERROR.VALIDATION_ERROR.90525, title=Asset validation failed, NSLocalizedFailureReason=Missing Entitlement. The bundle 'Home Assistant.app/PlugIns/HomeAssistant-Extensions-PushProvider.appex' is missing entitlement 'com.apple.developer.networking.networkextension'., NSLocalizedDescription=Asset validation failed}}, iris-code=STATE_ERROR.VALIDATION_ERROR.90525, NSLocalizedDescription=Asset validation failed} 2024-01-10 23:19:35.507 ERROR: [ContentDelivery.Uploader] Asset validation failed (90525) Missing Entitlement. The bundle 'Home Assistant.app' is missing entitlement 'com.apple.developer.networking.networkextension'. (ID: 9ff2143b-3c00-4912-b59f-8342fa6fe5c0) 2024-01-10 23:19:35.507 DEBUG: [ContentDelivery.Uploader] Error Domain=ContentDelivery Code=90525 "Asset validation failed" UserInfo={NSLocalizedFailureReason=Missing Entitlement. The bundle 'Home Assistant.app' is missing entitlement 'com.apple.developer.networking.networkextension'. (ID: 9ff2143b-3c00-4912-b59f-8342fa6fe5c0), NSUnderlyingError=0x6000022b6640 {Error Domain=IrisAPI Code=-19241 "Asset validation failed" UserInfo={status=409, detail=Missing Entitlement. The bundle 'Home Assistant.app' is missing entitlement 'com.apple.developer.networking.networkextension'., id=9ff2143b-3c00-4912-b59f-8342fa6fe5c0, code=STATE_ERROR.VALIDATION_ERROR.90525, title=Asset validation failed, NSLocalizedFailureReason=Missing Entitlement. The bundle 'Home Assistant.app' is missing entitlement 'com.apple.developer.networking.networkextension'., NSLocalizedDescription=Asset validation failed}}, iris-code=STATE_ERROR.VALIDATION_ERROR.90525, NSLocalizedDescription=Asset validation failed} 2024-01-10 23:19:35.507 DEBUG: [ContentDelivery.Uploader] swinfo errors: ( "Error Domain=ContentDelivery Code=90525 \"Asset validation failed\" UserInfo={NSLocalizedFailureReason=Missing Entitlement. The bundle 'Home Assistant.app/PlugIns/HomeAssistant-Extensions-PushProvider.appex' is missing entitlement 'com.apple.developer.networking.networkextension'. (ID: ceac6dcc-9c76-412e-8ea7-f2d2845f8013), NSUnderlyingError=0x6000022b6430 {Error Domain=IrisAPI Code=-19241 \"Asset validation failed\" UserInfo={status=409, detail=Missing Entitlement. The bundle 'Home Assistant.app/PlugIns/HomeAssistant-Extensions-PushProvider.appex' is missing entitlement 'com.apple.developer.networking.networkextension'., id=ceac6dcc-9c76-412e-8ea7-f2d2845f8013, code=STATE_ERROR.VALIDATION_ERROR.90525, title=Asset validation failed, NSLocalizedFailureReason=Missing Entitlement. The bundle 'Home Assistant.app/PlugIns/HomeAssistant-Extensions-PushProvider.appex' is missing entitlement 'com.apple.developer.networking.networkextension'., NSLocalizedDescription=Asset validation failed}}, iris-code=STATE_ERROR.VALIDATION_ERROR.90525, NSLocalizedDescription=Asset validation failed}", "Error Domain=ContentDelivery Code=90525 \"Asset validation failed\" UserInfo={NSLocalizedFailureReason=Missing Entitlement. The bundle 'Home Assistant.app' is missing entitlement 'com.apple.developer.networking.networkextension'. (ID: 9ff2143b-3c00-4912-b59f-8342fa6fe5c0), NSUnderlyingError=0x6000022b6640 {Error Domain=IrisAPI Code=-19241 \"Asset validation failed\" UserInfo={status=409, detail=Missing Entitlement. The bundle 'Home Assistant.app' is missing entitlement 'com.apple.developer.networking.networkextension'., id=9ff2143b-3c00-4912-b59f-8342fa6fe5c0, code=STATE_ERROR.VALIDATION_ERROR.90525, title=Asset validation failed, NSLocalizedFailureReason=Missing Entitlement. The bundle 'Home Assistant.app' is missing entitlement 'com.apple.developer.networking.networkextension'., NSLocalizedDescription=Asset validation failed}}, iris-code=STATE_ERROR.VALIDATION_ERROR.90525, NSLocalizedDescription=Asset validation failed}" )

Dear Apple Developer Support, We are experiencing an issue where our properly signed, notarized, and stapled PKG installer is being blocked by Gatekeeper on macOS Sequoia (15.3), despite passing all notarization checks. Team ID: 3888L7DV3P Organization: SKY GATE TECHNOLOGYS K.K. Certificate: Developer ID Installer: SKY GATE TECHNOLOGYS K.K. (3888L7DV3P) Issue Details: Our PKG installer is signed with "Developer ID Installer" certificate, notarized (status: Accepted, issues: null), and stapled successfully. pkgutil --check-signature confirms: "signed by a developer certificate issued by Apple for distribution" and "Notarization: trusted by the Apple notary service" xcrun stapler validate confirms: "The validate action worked!" However, spctl --assess --type install returns "rejected" with assessment:verdict = false and assessment:remote = true The system log shows: meetsDeveloperIDLegacyAllowedPolicy = 0 When users download and open the PKG (even from within a notarized DMG), Gatekeeper displays: "Apple could not verify [app] is free of malware" Notably, our .app bundles signed with "Developer ID Application" (same Team ID) pass Gatekeeper without issues. Only PKG installers are affected. Our software is a legitimate enterprise security product (VPN/Zero Trust client) distributed to corporate customers. Could you please: Investigate why our Team ID's PKG installers are being rejected by Gatekeeper's online assessment despite valid notarization Advise on any steps we can take to resolve the meetsDeveloperIDLegacyAllowedPolicy = 0 status for our Team ID Confirm whether there is a trust establishment process for new Developer ID Installer certificates with the Gatekeeper service Thank you for your assistance. Best regards, Riku Ogura Skygate Technologies K.K.

Hi everyone, I'm following up on this post I made earlier about an issue I'm having with FamilyControls and the DeviceActivityMonitor extension not working for external TestFlight testers. To briefly recap: I have official Apple approval for the com.apple.developer.family-controls entitlement (distribution) The entitlement is added to both my main app and the DeviceActivityMonitor extension The App Group is correctly configured for both targets On internal TestFlight builds, everything works as expected: app blocking works, the extension runs, and selected apps are shielded. On external TestFlight builds, users get the Screen Time permission prompt, can select apps to block, but nothing is blocked. Since that post, I submitted a Code Level Support request, and Apple asked me to file a bug report via Feedback Assistant. I did that almost a month ago. The only reply I’ve received since is that they can’t give a timeframe or guarantee it will be resolved. I'm stuck in limbo with no updates and no fix. This feature is critical to my app and I cannot launch without it. I’ve reached out to other developers who use app blocking, and none of them have run into this issue. My setup seems correct, and Apple has not said otherwise. If anyone has experienced something similar, found a workaround, or knows how to get real movement on a bug report like this, I would really appreciate any help. It’s been weeks, and I just want to launch my app. Thanks so much.

Hi all, and particularly @Eskimo if you spot this — I believe I'm reproducing the backend issuance bug reported in thread 816377 (https://developer.apple.com/forums/thread/816377) on a different Team ID and would like a second pair of eyes before I burn a TSI. Feedback Assistant filed as FB22582333. Team ID: MCN4U9B2K4 · Bundle ID: com.michaeltocco.Sanbox · Xcode 17 · iOS 18.5 · Automatic signing Setup App ID com.michaeltocco.Sanbox has ShazamKit ticked in App Services; persists through portal reloads. Local entitlements file declares com.apple.developer.shazamkit = YES only (no MusicKit client entitlement, per DTS guidance in thread 799000: https://developer.apple.com/forums/thread/799000). CODE_SIGN_ENTITLEMENTS set in both Debug and Release XCBuildConfiguration buildSettings. NSMicrophoneUsageDescription and NSAppleMusicUsageDescription are both present in the generated Info.plist. What Xcode reports After wiping DerivedData and any Sanbox-matching profiles and running xcodebuild … -allowProvisioningUpdates -destination 'generic/platform=iOS': error: Entitlement com.apple.developer.shazamkit not found and could not be included in profile. This likely is not a valid entitlement and should be removed from your entitlements file. (in target 'Sanbox' from project 'Sanbox') What I verified on the profile Apple just issued $ security cms -D -i 0596f302-….mobileprovision | plutil -extract Entitlements xml1 -o - - shows only the baseline four entitlements — application-identifier, keychain-access-groups, get-task-allow, com.apple.developer.team-identifier. com.apple.developer.shazamkit is absent, which is exactly what thread 816377 describes. What I've already tried Deleted and recreated the App ID from scratch — same symptom. Performed the capability-toggle trick (uncheck ShazamKit → Save → wait 60s → re-check → Save → delete local profiles → rebuild) documented in the "Capability & entitlement updates" help page (https://developer.apple.com/help/account/reference/capability-entitlement-updates/) for the Game Center precedent — same symptom. Confirmed I am building for device, not Simulator. Confirmed the entitlement key name matches DTS guidance in thread 799000 and the live profile dumps in thread 816377. Runtime confirmation When I force a build with only the team wildcard profile, SHManagedSession().result() returns com.apple.ShazamKit Code=202 "Missing entitlements", wrapping an AMS 306 wrapping HTTP 401 from api.shazam.apple.com/v1/catalog/US/match. AMS server correlation key: E5VYL5YSUT4L55KQDDP4MJQAZE. So the server side is consistent: the token the client presents lacks ShazamKit scope because the binary doesn't carry the entitlement, and the binary doesn't carry it because Apple isn't issuing it into the profile. Question Is there a configuration step beyond "tick ShazamKit in App Services" that I've missed for Individual-program accounts, or is this the same backend issuance pathology as thread 816377? Happy to share the security cms output, the decoded plist, the build log, or anything else useful. Thanks.

I will post my app xyz.app uses XY swift package this swift package is a wrapper for XYSDK.xcframework XYSDK.xcframework written in c++ and app running on arm64 macos and iphones succesfully. I got this error when i want to distribute it. Currently i sign .framework for ios with Apple Distribution Certificate and same certificate for macos framework there is no other signing step for swift package or xcframework other than that when i want to archive it validates succesfully. Exporting step shows that app has signed, has provisining profile. but .framework is only signed has no provisioning profile. Also one point i see: i have one target named xyz and its Frameworks, Lİbraries and Embedded Context has only XY package but Embed part has no option like embed and sign etc. Blank. I need more info about what am i doing wrong in which step ? I am stuck and can not move any further like weeks Error Detail: Invalid Signature. The binary with bundle identifier XYSDK at path “xyz.app/Frameworks/XYSDK.framework” contains an invalid signature. Make sure you have signed your application with a distribution certificate, not an ad hoc certificate or a development certificate. Verify that the code signing settings in Xcode are correct at the target level (which override any values at the project level). Additionally, make sure the bundle you are uploading was built using a Release target in Xcode, not a Simulator target. If you are certain your code signing settings are correct, choose “Clean All” in Xcode, delete the “build” directory in the Finder, and rebuild your release target. For more information, please consult https://developer.apple.com/support/code-signing. (90035)