You can now easily request access to managed capabilities for your App IDs directly from the new Capability Requests tab in Certificates, Identifiers & Profiles > Identifiers. With this update, view available capabilities in one convenient location, check the status of your requested capabilities, and see any notes from Apple related to your requests. Learn more about capability requests.

General: Forums topic: Code Signing Forums subtopics: Code Signing > General, Code Signing > Certificates, Identifiers & Profiles, Code Signing > Notarization, Code Signing > Entitlements Forums tags: Code Signing, Signing Certificates, Provisioning Profiles, Entitlements Developer Account Help — This document is good in general but, in particular, the Reference section is chock-full of useful information, including the names and purposes of all certificate types issued by Apple Developer web site, tables of which capabilities are supported by which distribution models on iOS and macOS, and information on how to use managed capabilities. Developer > Support > Certificates covers some important policy issues Bundle Resources > Entitlements documentation TN3125 Inside Code Signing: Provisioning Profiles — This includes links to the other technotes in the Inside Code Signing series. WWDC 2021 Session 10204 Distribute apps in Xcode with cloud signing Certificate Signing Requests Explained forums post --deep Considered Harmful forums post Don’t Run App Store Distribution-Signed Code forums post Resolving errSecInternalComponent errors during code signing forums post Finding a Capability’s Distribution Restrictions forums post Signing code with a hardware-based code-signing identity forums post New Capabilities Request Tab in Certificates, Identifiers & Profiles forums post Isolating Code Signing Problems from Build Problems forums post Investigating Third-Party IDE Code-Signing Problems forums post Determining if an entitlement is real forums post Mac code signing: Forums tag: Developer ID Creating distribution-signed code for macOS documentation Packaging Mac software for distribution documentation Placing Content in a Bundle documentation Embedding nonstandard code structures in a bundle documentation Embedding a command-line tool in a sandboxed app documentation Signing a daemon with a restricted entitlement documentation Defining launch environment and library constraints documentation WWDC 2023 Session 10266 Protect your Mac app with environment constraints TN2206 macOS Code Signing In Depth archived technote — This doc has mostly been replaced by the other resources linked to here but it still contains a few unique tidbits and it’s a great historical reference. Manual Code Signing Example forums post The Care and Feeding of Developer ID forums post TestFlight, Provisioning Profiles, and the Mac App Store forums post For problems with notarisation, see Notarisation Resources. For problems with the trusted execution system, including Gatekeeper, see Trusted Execution Resources. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"

I'm getting this error when uploading a build of my macOS app to App Store Connect. It has always worked before, and nothing changed about my use of app groups, and the iOS build uploaded without any problems. Cleaning the build folder and derived data folder doesn't help. I'm using automatically managed signing in Xcode. Invalid code signing entitlements. Your application bundle’s signature contains code signing entitlements that aren’t supported on macOS. Specifically, the “[group.]” value for the com.apple.security.application-groups key in “.pkg/Payload/.app/Contents/MacOS/” isn’t supported. This value should be a string or an array of strings, where each string is the “group” value or your Team ID, followed by a dot (“.”), followed by the group name. If you're using the “group” prefix, verify that the provisioning profile used to sign the app contains the com.apple.security.application-groups entitlement and its associated value(s).

Hi, overnight I'm getting "HTTP status code: 403. Invalid or inaccessible developer team ID for the provided Apple ID. Ensure the Team ID is correct and that you are a member of that team." in my pipeline running notarytool store-credentials. I'm getting --apple-id, --team-id and --password from CI variables. Double checked the values (even though they shouldn't change). Tried a new app specific password I did not change anything to cause this and my apple developer account is active. Really scratching my head what's going on here. Some assistance would be greatly appreciated!

Normally I get a response from a submit via notarytool within 30 seconds. Today - with a process that worked a few days ago - I don't get any answer, although the system status claims that the service is up and work. Anybody else, or is it only me?

I'm trying to setup a macOS 26 build environment in a VM (using UTM and the virtualization framework Apple provides). I have Xcode 26 installed and have logged into my Apple ID and verified that the team and other configuration looks fine in Xcode settings. When trying to build the macOS app, I see errors saying the VM's device ID has not been registered. I have confirmed that the device ID is registered both in the Provisioning portal AND the downloaded .provisionprofiles (in Library > Developer > Xcode > UserData). This problem appears on multiple targets (e.g. the main app and extensions). If I try to manually provision the app, using the Provisioning portal, I can build the product, but it will not launch because of Gatekeeper issues. Finally, signing to run locally doesn't work either. As the app launches, frameworks refuse to load because Team IDs don't match. With ad hoc provisioning, there are no Team IDs. I've come to the conclusion that this just isn't possible. Which is a shame because I need to support products with a build environment on macOS 15 and cannot move over to macOS 26 yet. I suspect many developers outside of Apple are in a similar position.

Hello, We use automatic signing and Fastlane on our CI. Fastlane uses xcodebuild to create an archive. xcodebuild -workspace ourApp.xcworkspace -scheme app-dev -destination generic/platform=iOS -archivePath app-dev.xcarchive -skipPackagePluginValidation -allowProvisioningUpdates -authenticationKeyID OurAppStoreConnectAuthKey -authenticationKeyIssuerID OurAppStoreConnectAuthKeyIssuerId -authenticationKeyPath /path/to/OurAppStoreConnectKey.p8 clean archive All works fine, but .... Why does Xcode 16 log out logged Apple ID and create a new every build? As a result, we have more and more Unknown Apple IDs in Xcode, and for each of them an error appears in log. Error: xcodebuild[3174:1804334] DVTDeveloperAccountManager: Failed to load credentials for 0A1DF15C-ETC-ETC: Error Domain=DVTDeveloperAccountCredentialsError Code=0 "Invalid credentials in keychain for 0A1DF15C-ETC-ETC, missing Xcode-Username" UserInfo={NSLocalizedDescription=Invalid credentials in keychain for 0A1DF15C-ETC-ETC, missing Xcode-Username} Of course, the originally logged-in Apple ID has an error corresponding to his non-logged-in state. xcodebuild[3174:1804334] DVTDeveloperAccountManager: Failed to load credentials for originally_logged-in_user: Error Domain=DVTDeveloperAccountCredentialsError Code=0 "Invalid credentials in keychain for originally_logged-in_user, missing Xcode-Token" UserInfo={NSLocalizedDescription=Invalid credentials in keychain for originally_logged-in_user, missing Xcode-Token} Why does this happen and how can it be fixed? Why does Xcode 16 log out its logged Apple ID?

We are using an app distributed via an iOS enterprise certificate. There is an exceptional user who could normally use the app signed with this certificate before upgrading to iOS 18. However, after updating to iOS 18 (currently on version 18.3), the app crashes immediately upon launch. Real-time logs indicate that the application fails to start. This issue is unique to this user, as other users on the same iOS 18.3 system do not experience the problem. console log

2022-07-24 16:43:30.074 *** Error: Notarization failed for '/var/folders/r1/3j8rdbl95l9csz588j1nc6xc0000gn/T/electron-notarize-gGm3Fr/git-icons.zip'. 2022-07-24 16:43:30.075 *** Error: You do not have required contracts to perform an operation. With error code FORBIDDEN_ERROR.CONTRACT_NOT_VALID for id bb96a1a8-c3c3-4ded-a3c8-2abe369d8881 You do not have required contracts to perform an operation (-19208) { NSLocalizedDescription = "You do not have required contracts to perform an operation. With error code FORBIDDEN_ERROR.CONTRACT_NOT_VALID for id bb96a1a8-c3c3-4ded-a3c8-2abe369d8881"; NSLocalizedFailureReason = "You do not have required contracts to perform an operation"; }

Starting a few hours ago (roughly 2:45PM Eastern time) we began experiencing elevated latency with the Developer ID Notary Service. There is nothing listed on the developer system status page about degraded performance or a service outage. Operations that usually take ~15 minutes, are stacking up for hours. The oldest pending entry we have was created at 2:45PM Eastern: createdDate: 2025-06-24T18:45:22.539Z id: 5209a4d2-eae4-4714-aa8e-6961677ff2e We currently have 27 pending builds in the notary service since we are required to notarize internal builds to ensure we satisfy our requirements so this is creating an issue for us.

I am a developer working on iOS apps. I would like to report an issue occurring in iOS 18 beta and iOS 18.1 beta. Our company has two Enterprise accounts, and we are developing two apps: A app / TeamId: ABCDEFG B app / TeamId: HIJKLMN When we distribute these apps, which have different TeamIds, and install them on a device running iOS 18 beta, both apps install successfully, but only one app will run. (Other app crashed immediately after being launched.) This issue does not occur on versions prior to iOS 18. I would like to know if this is a problem that will be resolved in future updates, or if it is a policy change.

We're having failures reported back to us from the notarization service as of the 4th of September. It's complaining about binaries inside .jar files, saying some aren't signed and others aren't signed with a valid developer certificate. These are third party jars; we unzip the unsigned binaries from these jars, sign them then put them back in using "jar -ufv". Notarizing is only complaining about binaries inside jars and not anything else, which implies our certificates are valid. Nothing has changed regarding these jars between the notarizing service accepting and rejecting our app. To confirm our suspicions that the notarizing service may be behaving differently, we sent it an app package that previously had succeeded in notarizing. Now the notarizing service fails, citing issues with the same jars as described above. Are you able to confirm whether anything has changed? Any ideas on what we could look at?

I've been trying to notarize an installer (.pkg file) on a new laptop. Previous versions have been notarized successfully on a previous Mac. However, in spite of having the required certificates (same as the old Mac, generated for the new Mac) the submission gets stuck at "In Progress". Doing it multiple times (even hours apart) doesn't help. Is there a FAQ / suggested list of steps to help resolve this issue? Here's what I see: xcrun notarytool history --keychain-profile "(my profile name)" results in (problem started with v4, the first version I've tried on this new Mac): createdDate: 2023-10-17T01:34:36.911Z id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx name: xxxxxxxxxx-v4.pkg status: In Progress -------------------------------------------------- createdDate: 2023-10-17T01:33:59.191Z id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx name: xxxxxxxxxx-v4.pkg status: In Progress -------------------------------------------------- createdDate: 2023-10-16T21:01:25.832Z id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx name: xxxxxxxxxx-v4.pkg status: In Progress -------------------------------------------------- createdDate: 2023-10-16T19:57:44.776Z id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx name: xxxxxxxxxx-v4.pkg status: In Progress -------------------------------------------------- createdDate: 2023-10-02T14:17:34.108Z id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx name: xxxxxxxxxx-v3.pkg status: Accepted -------------------------------------------------- createdDate: 2023-09-28T14:04:46.211Z id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx name: xxxxxxxxxx-v2.pkg status: Accepted -------------------------------------------------- createdDate: 2023-09-20T17:28:46.168Z id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx name: xxxxxxxxxx-v1.pkg status: Accepted -------------------------------------------------- xcrun notarytool log xxxxxxxxxxxxxxxxxxxx --keychain-profile "(my profile name)" results in: Submission log is not yet available or submissionId does not exist id: xxxxxxxxxxxxxxxxxxxxxxxx

A few hours ago, it took 3 minutes to get the notarization phase of our build done... now I've got one that's been running for 25 minutes and hasn't finished yet. The last time this happened, the waits got up to multiple hours, and the status page didn't get updated.

Hello! I've been facing an issue with notarizing a macOS app with an Enterprise API Key. Due to some misunderstanding setting up the project some years ago, the notarization step was using a developer's accounts API Key. I am looking to fix it to have everything centralized in the Enterprise account we work with, but I get "Debug [JWT] Generating new JWT for key ID" with the new key. This is using the xcrun notarytool directly to get more input. Using Fastlane it fails as: Error polling for notarization info: [11:29:25]: unexpected token at '' The project is deployed via MDM, so we need it to prevent the security warning. I used this documentation to create the key: https://developer.apple.com/documentation/enterpriseprogramapi/creating-api-keys-for-enterprise-program-api I have tried a Developer and an Admin access key, and the Account Holder has also created an Admin key but the errors keep the same. I just updated my Fastlane script to use the new key with the updated values. The old developer account key still works. I am not sure if I am missing any steps in the documentation or if this is not achievable. Important to add that all the profiles and certificates were already set up properly in the Enterprise account, the only error was using an App Store Connect Key instead of an Enterprise Key. Thanks in advance for the help.

I'm having issues with notarizing my Electron app using electron-builder. The build process works, but notarization gets hung up on submitting to Apple. Versions electron: 33.2.1 electron-builder: 24.9.1 @electron/notarize: 2.3.2 macOS runner: macos-latest Current Setup Using GitHub Actions for CI/CD Developer ID Application certificate is properly installed and verified Apple ID credentials are confirmed working (verified via altool) Notarization is configured in both package.json and build arguments Logs 2024-12-29T18:56:37.198Z electron-notarize:spawn spawning cmd: xcrun args: [ '--find', 'notarytool' ] opts: {} 2024-12-29T18:56:38.652Z electron-notarize:spawn cmd xcrun terminated with code: 0 2024-12-29T18:56:38.653Z electron-notarize:notarytool starting notarize process for app: /Users/runner/work/***/***/dist/mac-arm64/***.app 2024-12-29T18:56:38.653Z electron-notarize:helpers doing work inside temp dir: /var/folders/95/0ydz4d79163427j3k5crp3fh0000gn/T/electron-notarize-KxNa7e 2024-12-29T18:56:38.653Z electron-notarize:notarytool zipping application to: /var/folders/95/0ydz4d79163427j3k5crp3fh0000gn/T/electron-notarize-KxNa7e/***.zip 2024-12-29T18:56:38.654Z electron-notarize:spawn spawning cmd: ditto args: [ '-c', '-k', '--sequesterRsrc', '--keepParent', '***.app', '/var/folders/95/0ydz4d79163427j3k5crp3fh0000gn/T/electron-notarize-KxNa7e/***.zip' ] opts: { cwd: '/Users/runner/work/***/***/dist/mac-arm64' } 2024-12-29T18:56:47.906Z electron-notarize:spawn cmd ditto terminated with code: 0 2024-12-29T18:56:47.906Z electron-notarize:notarytool zip succeeded, attempting to upload to Apple 2024-12-29T18:56:47.906Z electron-notarize:spawn spawning cmd: xcrun args: [ 'notarytool', 'submit', '/var/folders/95/0ydz4d79163427j3k5crp3fh0000gn/T/electron-notarize-KxNa7e/***.zip', '--apple-id', '*********', '--password', '*********', '--team-id', '*********', '--wait', '--output-format', 'json' ] opts: {} This is the farthest I've been able to get after pushing through many errors.. I set a timeout of 3 hours and this will now be my 4th time attempting I believe. Configuration package.json json "mac": { "hardenedRuntime": true, "gatekeeperAssess": false, "entitlements": "build/entitlements.mac.plist", "entitlementsInherit": "build/entitlements.mac.plist", "notarize": { "teamId": "APPLE_TEAM_ID WAS MANUALLY PUT HERE AFTER ISSUES WITH SECRETS" } } GitHub Actions Workflow Using samuelmeuli/action-electron-builder@v1 with proper environment variables for APPLE_ID, APPLE_TEAM_ID, and APPLE_APP_SPECIFIC_PASSWORD. What I've Tried Verified Apple Developer account access and Team ID Confirmed certificate installation works Tested credentials using altool (successfully lists providers) Added explicit notarization environment variables Any help would be appreciated!

I requested the Family Controls Entitlement last week and haven’t heard back at all. I’ve submitted the request three times now, but I haven’t received a confirmation, a case number, or even an acknowledgment that it was received. I called Apple Support, but they said they have no visibility into the entitlement request process, which leaves me completely in the dark. I just want to know if my request is under consideration or not. This is especially frustrating because I’ve had strong engagement on social media around my app, and I have stakeholders waiting for updates. Right now, I can’t send the app for review, and I can’t even distribute it via TestFlight to internal testers. Honestly, I didn’t expect this kind of radio silence from Apple. Has anyone else experienced this when requesting entitlements?

I can't upload my macOS app to app store connect. Each time i try to upload, i see this message: Provisioning profile failed qualification Profile doesn't support App Groups. An empty app without an app group uploads fine, but if i add an app group to it, it does not upload.

Hello Team, I am building an Electron app and building platform-related installers line exe, appimage and dmg. To build an installer, I am using the electron builder library. When I do code signing and notarization, the signing process gets stuck without any error. I have verified certificate and other information are correct. Below are more details. Versions @electron/notarize": "^2.5.0 @electron/rebuild": "3.3.0 electron": "26.2.1 electron-builder": "^25.1.8 electron-devtools-installer": "3.2.0 Current Setup CircleCI pipeline Developer ID Application certificate is properly installed and verified Notarization is configured in both package.json and build arguments I see the last log as below where it gets stuck without any error. • selecting signing options file=release/build/mac-arm64/xxxx Assistant.app entitlements=assets/entitlements.mac.plist hardenedRuntime=true timestamp=http://timestamp.apple.com/ts01 requirements=undefined additionalArguments=[] Package.json "build": { "productName": "xxxxx - Your AI Work xxxxx", "executableName": "xxxx xxxxx", "artifactName": "xxxxx-Assistant-${version}-${arch}.${ext}", "appId": "org.erb.xxxx", "asar": true, "asarUnpack": "**\\*.{node,dll}", "files": [ "dist", "node_modules", "package.json", "assets/tray.ico", "!**/*.lproj/**/*", "!**/locale.pak", "!locales/**/*" ], "afterSign": ".erb/scripts/notarize.js", "mac": { "timestamp": "http://timestamp.apple.com/ts01", "identity": "xxxxx Technology Inc (xxxxxxxx)", "target": [ "dmg", "zip" ], "electronLanguages": [ "en-US" ], "icon": "build/mac-icon/Logo512x512.icns", "type": "distribution", "hardenedRuntime": true, "entitlements": "assets/entitlements.mac.plist", "entitlementsInherit": "assets/entitlements.mac.plist", "gatekeeperAssess": false }, "dmg": { "icon": "build/mac-icon/xxxxxxLogo512x512.icns", "contents": [ { "x": 130, "y": 220 }, { "x": 410, "y": 220, "type": "link", "path": "/Applications" } ] }, "directories": { "app": "release/app", "buildResources": "assets", "output": "release/build" }, "extraResources": [ "./assets/**" ] } Entitlement <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <!-- Required for Electron/Chromium JIT --> <key>com.apple.security.cs.allow-jit</key> <true/> <!-- Required for basic Electron functionality --> <key>com.apple.security.inherit</key> <true/> <!-- Required for network communication (REST APIs) --> <key>com.apple.security.network.client</key> <true/> </dict> </plist> I have made the following verification. I already tried on multiple macos with different processors. Verified on a high-speed network. Certificate is exported to .p12 and verified. All Env Variables are set with the correct value. (APPLE_APP_SPECIFIC_PASSWORD+APPLE_ID+APPLE_TEAM_ID ) I have tried with CSC_LINK/CSC_KEY_PASSWORD + Keystore as well. Appriciate any help.

I have multiple submissions for an app notarization. The goal is to distribute the DMG on my website rather than the app store (which I also have a submission in review for). These are the notarization logs: -------------------------------------------------- createdDate: 2025-06-23T20:26:46.597Z id: 75972c58-bc83-44a9-b3af-4aff1b1839c3 name: Mira-Assist-Fresh.dmg status: In Progress -------------------------------------------------- createdDate: 2025-06-23T17:53:11.825Z id: 4bccdfb6-6663-41d3-89bc-c0a15fbdd4b8 name: Mira Assist.zip status: In Progress -------------------------------------------------- createdDate: 2025-06-23T17:45:10.342Z id: fedca538-7619-4a7f-bcc8-3199d6e4b1a6 name: Mira-Assist-1.0.0-Hardened.dmg status: In Progress -------------------------------------------------- createdDate: 2025-06-23T02:51:04.289Z id: 19a866b9-e664-4641-b137-6ac852c14ac9 name: Mira Assist-1.0.0.dmg status: In Progress -------------------------------------------------- createdDate: 2025-06-23T02:44:25.372Z id: 455209e5-91dd-4324-aac0-d582f88efc95 name: Mira Assist-1.0.0.dmg status: In Progress The earliest of which occured more than 18 hours ago. This is my first time submitting an app for notarization. I also have a developer account that was created ~1-2 days ago. From what I've read online, notarization usually occurs in less than 10 minutes. When querying for the logs, it juts says that the submission ID is invalid or the logs aren't available yet. Submission log is not yet available or submissionId does not exist id: 75972c58-bc83-44a9-b3af-4aff1b1839c3

Hi there, I've developed a macOS app in Swift and SwiftUI. I'm planning to distribute the app outside of the App Store, so I'm currently getting it notarized. This is my first time notarizing an application. My application is signed correctly during the build / archive process, but whether I try to notarize the .app via Xcode's organizer or a .dmg via notarytool, it seems to get stuck. The status of Notarization attempts have been been stuck "In Progress", with the earliest attempt approaching 4 days. Below is the output of xcrun notary tool history Successfully received submission history. history -------------------------------------------------- createdDate: 2025-01-01T08:25:21.033Z id: be860d89-9edd-4330-9358-aa3766772041 name: Sidekick.zip status: In Progress -------------------------------------------------- createdDate: 2024-12-31T17:08:37.493Z id: 9cbd609e-d287-4217-afe3-362386159805 name: Sidekick-beta.dmg status: In Progress -------------------------------------------------- createdDate: 2024-12-31T15:35:11.609Z id: 3e22c207-e156-410d-a0d1-24a587bfdca6 name: Sidekick.zip status: In Progress I've been searching for similar issues on the developer forums, and while others have warned about long wait times for first-time notarization requests, I've never come across anyone else who had to wait 4 days.

Hello, I'm currently facing issues with the notarization process for my macOS app, which has been in progress for several days without completion. I’ve submitted multiple builds over the past few days, but they all remain stuck in "In Progress" status. { "message": "Successfully received submission history.", "history": [ { "status": "In Progress", "id": "3bab3c0e-203d-4d66-87e5-e9c46e366a6c", "name": "Offer鸡.zip", "createdDate": "2024-09-29T19:20:39.240Z" }, { "createdDate": "2024-09-29T18:28:08.522Z", "status": "In Progress", "name": "Offer鸡.zip", "id": "9bb19fae-e7c2-485b-90c5-7158a1639225" }, { "createdDate": "2024-09-29T12:31:52.458Z", "name": "Offer鸡.zip", "id": "ff0ec784-7014-412e-9e42-30feae65b546", "status": "In Progress" }, { "status": "In Progress", "id": "4be0d351-e3db-43cb-a2ce-71ebdecd623a", "createdDate": "2024-09-29T05:39:23.409Z", "name": "Offer鸡.zip" }, { "status": "In Progress", "createdDate": "2024-09-28T18:15:00.601Z", "name": "Offer鸡.zip", "id": "2a4947e0-3a4b-45e0-832a-723fdf221cbf" }, { "id": "e50fbd60-8448-4f12-8539-22dcf24caee5", "name": "offerji.zip", "createdDate": "2024-09-27T07:47:50.919Z", "status": "In Progress" }, { "createdDate": "2024-09-26T21:45:10.596Z", "name": "offerji.zip", "status": "Rejected", "id": "fc3490e9-3ff5-49f8-a08a-5bfac7cca81d" }, { "createdDate": "2024-09-26T06:59:51.950Z", "id": "d003f48c-01ec-48f7-89e0-8b8f5ad700bd", "name": "offerji.zip", "status": "Invalid" } ] } I also encountered two previous submission failures: offerji.zip (submitted on 2024-09-26 at 21:45) - Rejected offerji.zip (submitted on 2024-09-26 at 06:59) - Invalid Could anyone provide insight into what might have caused the earlier failures? And is it common for notarization to take this long? Any advice on how to expedite or resolve this issue would be greatly appreciated! Thanks in advance for your help.