Hello. I have an enterprise application that requires specific privileges to execute correctly on MacOS. One of these privileges is SystemPolicyAllFiles (aka Full Disk Access), as we use the endpoint security framework. When we distribute our application, we generate: A signed, notarized pkg consisting of our application binaries. An MDM-compatible .mobileconfig, which contains the SystemPolicyAllFiles setting. We expect our users to install both to get the application to function correctly. However, we have three environments we deploy to: Internal (local development on a developer's workstation), "development" (where features are integrated prior to release) and "production" (what our customers get). For local, our developers create an Apple account and use a Mac Development certificate for signing. They also generate their own embedded.provisionprofile and drop that into their local installation config. For development/production, we use our Developer ID certificate and Developer Installer certificate, with an endpoint security embedded.provisionprofile bound to those. However, when we generate a .mobileconfig, we need to include a CodeRequirement (CR) for SystemPolicyAllFiles. I've been retrieving this using codesign -dr - ... (i.e., the designated requirement aka DR). However, the designated requirement is very specific to the certificate, which is problematic specifically for local development, where each developer has their own Mac Development certificate. Here's what the relevant section of our generated mobileconfig looks like right now: <dict> <key>SystemPolicyAllFiles</key> <array> <dict> <key>Allowed</key> <true/> <key>CodeRequirement</key> <string>identifier "com.example.app and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = <TEAMID></string> <key>Comment</key> <string>app</string> <key>Identifier</key> <string>com.exmple.app</string> <key>IdentifierType</key> <string>bundleID</string> <key>StaticCode</key> <false/> </dict> </array> </dict> That's in a format that works for our Developer ID cert, but the DR for the Mac Development certificate looks like: identifier "com.example.app" and anchor apple generic and certificate leaf[subject.CN] = "Mac Developer: John Doe (12ABC34567)" and certificate 1[field.1.2.840.113635.100.6.2.1] /* exists */ Question: Is it possible to relax the code requirement so that it is generic enough to cover all Mac Developer certificates and Developer ID certificates we use? If not, is there a way to have one code requirement for our Mac Developer certificates and a separate CR for our Developer ID certificate? My use case is deploying a static "local" .mobileconfig using our internal company MDM (Apple Business Essentials) to all developer workstations so we don't have to have each developer manually configure their system for the software to run. Thanks! D

I started the notarization process for my electron app (just a browser window loading a URL) yesterday (26/03/2025) at around 05:23 GMT. I noticed in a couple of posts here in the forum that it may sometimes take a day to notarize the first app submitted by a team, but it has been over 30 hours since I submitted the app for notarization Here's the log. createdDate: 2025-03-26T05:23:11.102Z id: ddcb3fca-4667-4acb-8fd1-3298a7c244cc name: xolock-browser.zip status: In Progress Is there any reason why it is taking so long? Thanks in advance!

I have created a Mac Catalyst version of the same app, and it was transferred from an old account to a new one. However, the Mac Catalyst build has been stuck in progress for several days when attempting to notarize it. After many days, I got the rejection with the following error: Team is not yet configured for notarization. Please contact Developer Programs Support at developer.apple.com under the topic Development and Technical / Other Development or Technical Questions. I have already tried to create a new developer ID certificate, but it still has the same issue. On the other hand, the iOS app is working fine and has been published in the App Store. Could you please assist us in resolving this issue as quickly as possible? Your prompt help would be greatly appreciated.

All libraries are getting rejected with errors like: not valid for use in process: mapping process and mapped file (non-platform) have different Team IDs

Hi, I am a long time programmer in C#, and newer to Rust, and a rookie to MacOS 15.1. Over the past few days I have made numerous attempts to run a Rust GUI binary that I compiled on Mac. Here are some examples of things I have tried using. Executable compiled in M1 mac not running on Apple Silicon Mac - help - The Rust Programming Language Forum And here.... How to run unsigned apps in macOS 15.1 Also here... "sudo spctl --master-disable" There are many more that I have tried. I also tried moving the binary from my developer folder to the Application folder and running.... xattr -r -d com.apple.quarantine /Applications/csv Note that "csv" is the name of my binary. You have probably seen this 100 times, so can you point me to me to something that allows my Rust binaries to run under MacOS? PS The Rust program code works just fine under Linux. I can either type Cargo Run and run the binary from the Terminal or go directly to the executable and double click on it to open the GUI application. The only thing that MacOS lets me do it open the GUI from the Terminal. Commander One says that I do not have the proper credentials to open the file directly. Finder also does not allow me to open the binary directly. Thanks, Jim

Hi, We have an app that is a default mail client, so it has this entry in its entitlements file: com.apple.developer.mail-client. This seems to create issues with ad-hoc distribution. We can distribute the app on App Store Connect without any issues and have been doing so for a while. We wanted to try using Xcode Cloud to manage our releases. The app export works fine for both App Store Distribution and Development Distribution. However, the ad-hoc distribution step fails. (We don't need ad-hoc distribution, but Xcode Cloud seems to prevent us from removing this step.) I tried building and releasing the app locally for ad-hoc distribution and encountered the same error as on Xcode Cloud. When Xcode tries to generate the profile, it outputs the following error: Provisioning profile "iOS Team Ad Hoc Provisioning Profile: com.infomaniak.mail" failed qualification checks: Profile doesn't support Default Mail App. Profile doesn't include the com.apple.developer.mail-client entitlement. Is it something broken with our config ? What are we missing ? Local error in Xcode Organizer: Remote error on Xcode cloud:

The Codesign command adds extended attributes to files that previously had no extended attributes. In my case codesign add following extended attributes to text file in Frrameworks folder: com.apple.cs.CodeDirectory com.apple.cs.CodeRequirements com.apple.cs.CodeRequirements-1 com.apple.cs.CodeSignature Can I somehow prevent this behavior? Thank you.

I’ve been working on a Catalyst version of my iOS apps. Finally everything is working apart from the custom intents the user user to configure the widgets. The config UI loads: And changing settings at this level works. But it can’t load the options for the other settings: “No options were provided for this parameter” I see this crash in the intent: Termination Reason: Namespace DYLD, Code 1 Library missing Library not loaded: @rpath/CocoaLumberjack.framework/Versions/A/CocoaLumberjack Referenced from: <E1BF4CC5-4181-3272-828C-86B1CD1A66BF> /Applications/my.app/Contents/PlugIns/Intents.appex/Contents/MacOS/Intents Reason: , (security policy does not allow @ path expansion) (terminated at launch; ignore backtrace) I have added the Hardened Runtime Capability to the Main App Target, the Widget Target and the Intents Target. I also allowed “Disable Library Validation” just in case. What am I missing?

I have built my application for arm and x64 so I have two files called DeepSkyStacker.app in different directories. I have followed the instructions to notarise the arm version of the app, but an concerned about what I should do to notarise the other one - do I just zip that up and then run: xcrun notarytool submit "DeepSkyStacker.zip" --keychain-profile "Notary Profile for DeepSkyStacker" --wait xcrun stapler staple DeepSkyStacker.app again or will that mess everything up? Related to that can I use the Notary Profile I created for DeepSkyStacker to notarise other apps that are part of the same product (DeepSkyStackerLive and DeepSkyStackerCL)?? Thanks David

On MacOS, I know that App Groups (com.apple.security.application-groups) do not require a provisioning profile. I was wondering if it's possible to sign them "ad hoc" and have it work? So maybe use a random TEAMID prefix and have it work? I would only need the app to work locally (for testing), not be distributed in that fashion, of course.

I’m having trouble with the notary step of our electron app. It sometimes says “In progress” for days on end, where other times, it only takes 15-20 minutes. For the last few weeks, I’ve noticed that it will take longer than the 20 minutes if our app was using a not latest version of the electron module -- https://www.npmjs.com/package/electron. I would then update our codebase to build using the latest version, and then try to sign and notarize the app again, and it would work till a new version was released. This was the first time that that process didn’t work. Everything is on latest, and we’re still getting stuck “in progress” for days on end. We have been signing and Notarizing this app for years now, so it's not the first time we're trying to do this process To make matters stranger, I have two branches of the same exact code base – same dependencies, same source code, same everything – there is no difference. One sign and notarize works 100% of the time where the other one hasn’t worked yet. Any ideas would be helpful. I'm not really sure where to begin to debug this. Thanks!

This is .entitlements file: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.developer.endpoint-security.client</key> <true/> </dict> </plist> Code signing: codesign --sign -vvv --timestamp --options=runtime --force --entitlements ./UES.entitlements -s "Developer ID Application: XXXX Ltd. (XXXXXX)" ./UES.app When I run it on macOS 13.x, it works fine. If I run the system on macOS 11.x, it reports a "killed" error (if codesign remove --entitlements ./UES.entitlements, Then the startup will not report an error, but the endpoint security rights cannot be used) System log: 2025-04-21 13:58:27.039638+0800 0xd5941 Default 0x0 149 0 amfid: /Applications/UES.app/Contents/MacOS/UES signature not valid: -67050 2025-04-21 13:58:27.039762+0800 0xd5bbf Default 0x0 0 0 kernel: mac_vnode_check_signature: /Applications/UES.app/Contents/MacOS/UES: code signature validation failed fatally: When validating /Applications/UES.app/Contents/MacOS/UES: 2025-04-21 13:58:27.039815+0800 0xd5bbf Default 0x0 0 0 kernel: proc 29354: load code signature error 4 for file "UES" 2025-04-21 13:58:27.040720+0800 0xd5bc0 Default 0x0 0 0 kernel: (AppleSystemPolicy) ASP: Security policy would not allow process: 29354, /Applications/UES.app/Contents/MacOS/UES 2025-04-21 13:58:27.045974+0800 0xd58be Error 0x0 66405 0 CoreServicesUIAgent: [com.apple.launchservices:uiagent] handle LS launch error: {\n Action = oapp;\n AppMimimumSystemVersion = "10.13";\n AppPath = "/Applications/UES.app";\n ErrorCode = "-10826";\n} 2025-04-21 13:58:39.121619+0800 0xd5941 Default 0x0 149 0 amfid: /Applications/UES.app/Contents/MacOS/UES signature not valid: -67050 2025-04-21 13:58:39.121832+0800 0xd5e0f Default 0x0 0 0 kernel: mac_vnode_check_signature: /Applications/UES.app/Contents/MacOS/UES: code signature validation failed fatally: When validating /Applications/UES.app/Contents/MacOS/UES: 2025-04-21 13:58:39.121861+0800 0xd5e0f Default 0x0 0 0 kernel: proc 29415: load code signature error 4 for file "UES" 2025-04-21 13:58:39.122571+0800 0xd5e10 Default 0x0 0 0 kernel: (AppleSystemPolicy) ASP: Security policy would not allow process: 29415, /Applications/UES.app/Contents/MacOS/UES 2025-04-21 13:58:46.297915+0800 0xd5941 Default 0x0 149 0 amfid: /Applications/UES.app/Contents/MacOS/UES signature not valid: -67050 2025-04-21 13:58:46.298031+0800 0xd5f85 Default 0x0 0 0 kernel: mac_vnode_check_signature: /Applications/UES.app/Contents/MacOS/UES: code signature validation failed fatally: When validating /Applications/UES.app/Contents/MacOS/UES: 2025-04-21 13:58:46.298072+0800 0xd5f85 Default 0x0 0 0 kernel: proc 29485: load code signature error 4 for file "UES" 2025-04-21 13:58:46.300248+0800 0xd5f86 Default 0x0 0 0 kernel: (AppleSystemPolicy) ASP: Security policy would not allow process: 29485, /Applications/UES.app/Contents/MacOS/UES May I ask what the reason is?

My app designer cannot sign his code changes. He says the only way he can sign his code is for me to give him my Admin privileges. I have revoked and recreated my certificate, hoping to get a private passkey, but there was no private passkey issued with the certificate. Help, please?

Hi, I got the error: /usr/bin/codesign exited with code 1: Warning: unable to build chain to self-signed root for signer "Apple Distribution: Q.A.C.F. - Quality Academy Consultoria E Formacao, Unipessoal, Lda (xxxxxx)" /Users/pedroramalho/Library/Caches/Xamarin/mtbs/builds/drBoxSaude.iOS/3bed3d51415af2e100a4d2bc57e1d36fb42d76ceb190de1db1c4d0dbccbff863/bin/iPhone/Release/drBoxSaude.iOS.app: errSecInternalComponent and /usr/bin/codesign exited with code 1: /Users/pedroramalho/Library/Caches/Xamarin/mtbs/builds/drBoxSaude.iOS/3bed3d51415af2e100a4d2bc57e1d36fb42d76ceb190de1db1c4d0dbccbff863/bin/iPhone/Release/drBoxSaude.iOS.app/Frameworks/libSkiaSharp.framework: replacing existing signature Warning: unable to build chain to self-signed root for signer "Apple Distribution: Q.A.C.F. - Quality Academy Consultoria E Formacao, Unipessoal, Lda (xxxxx)" /Users/pedroramalho/Library/Caches/Xamarin/mtbs/builds/drBoxSaude.iOS/3bed3d51415af2e100a4d2bc57e1d36fb42d76ceb190de1db1c4d0dbccbff863/bin/iPhone/Release/drBoxSaude.iOS.app/Frameworks/libSkiaSharp.framework: errSecInternalComponent Some one can help please

I have been trying to notarize my application for about a month via this command - xcrun notarytool submit "Backlsh.zip" --apple-id "" --password "" --team-id "" but it throws error - { "logFormatVersion": 1, "jobId": "c8173ee6-edd2-4c51-a86b-8f3b8dea0a84", "status": "Rejected", "statusSummary": "Team is not yet configured for notarization. Please contact Developer Programs Support at developer.apple.com under the topic Development and Technical / Other Development or Technical Questions.", "statusCode": 7000, "archiveFilename": "Backlsh.zip", "uploadDate": "2025-03-06T05:33:56.287Z", "sha256": "b45e579f0c47070b55d74ac49e49c81d32f2315bd290ca5592f71f314018c44d", "ticketContents": null, "issues": null } I have raised ticket to apple support but i havent received any help yet ! I have tried to submit 5 times. Kindly help !

I am using matlab to create an application (.app) using matlab application compiler. Along with that, I use matlab to create an installer for that. Unfortunately, the installer is in (.app) format. So do some custom things to install the dependencies and copying my application to Applications folder. I am able to sign the original application with Developer ID application certificate. But I am not able to sign the installer in .app format with Developer ID installer certificate. Is there any flag in any signing executable that allows me to use Developer ID installer certificate to sign .app file instead of typical (.pkg/.dmg)? Any help would be much appreciated.

I am having the most difficult time trying to figure out the process for just getting my development .p12 figured out. Full disclosure, being a windows user does not make my life any easier. Seems fairly straightforward on a mac (which I do not have) So I thought I would come here and see if I could collect information on getting working certs and keys on windows pc. Here's what I have so far: -OpenSSL -openssl req -nodes -newkey rsa:2048 -keyout private_key.key -out cer_sign_request.csr Generates a key and a sign request. went to dev portal submit CSR --> recieved CER -back to OpenSSL -openssl x509 -in ios_development.cer -inform DER -out ios_development.pem -outform PEM CER-->PEM -openssl pkcs12 -export -inkey keyname.key -in ios_development.pem -out ios_development.p12 -"No cert in -in file 'ios_development.pem' matches private key" so here I am. Lost. Mind you I've tried the process in a few different ways and now I am on a mission to find my "private_key" somehow with no way to access keychain. I dunno feels convuluted. for good reason I am sure. If anyone has a streamlined version of how to get this done I will be forever indebted to you. Your time is greatly appreciated. for futher context I am just trying to get an eas build on my phone from expo. Thankyou!

Hi, I developed a Flutter app that works well in the iOS simulator, but that fails to deploy on my physical iPhone 13 Pro Max. Here is the error I get: Target debug_unpack_ios failed: Exception: Failed to codesign /Users//Library/Developer/Xcode/DerivedData/Runner-/Build/Products/Debug-iphoneos/Flutter.framework/Flutter with identity I've followed all the instructions that I found online, like moving my project from cloud storage to my local hard drive, but nothing has worked. Thank you so much for your help!

We have a rather complex network of dependencies for our application stack and, from it, we create multiple unique executables that are placed into the Contents/MacOS directory of our bundle. MyApp.app `- Contents/ `- Frameworks/... `- MacOS/ `- exec_a `- exec_b `- Resources/... Both executables require the same dependencies (and use the same shared .dylib files built as targets in the same project) so it makes sense for them to be in the same place rather than in their own .app folder as I understand it. Qt Libs -> core_lib.dylib -> gui_lib.dylib -> exec_a `-> exec_b etc. We've confirmed build artifacts are correct and the rpath/dependencies are all clean. When in development, all executables run as expected and we can command exec_a (the executable we're listing in the primary Info.plist) to launch exec_b at any time. Once the bundle is signed, however, we cannot get exec_b to launch in any capacity. Even lldb dies right away because it can't attach to anything. We assume this is something in the gatekeeper area of blocking these additional executables. We get the following when trying to run those additional exes in any way: Trace/BPT trap: 5 We're using macdeployqt to finalize the bundle and bring in the correct packages - perhaps something it's doing is causing the additional executables to fail or we're missing an entitlement. We've submitted the app to TestFlights successfully even with these invalid executables to see if there was something the processing of the app would find but so far nothing. We've seen other example of applications with multiple executables in the same MacOS directory and are wondering what the difference is. Any hints or guidance would be great. Thank you!

from; tkinter; import * from; tkinter; import ttk import random import time import sqlite3 #Connect; to; the; database (create, if it doesnot exist) conn = sqlite3.connect("quiz_database.db") c = conn.cursor() Create the table if it doesnot exist c.execute(""'CREATE TABLE IF NOT EXISTS questions (id INTEGER PRIMARY KEY AUTOINCREMENT, question TEXT, answer1 TEXT, answer2 TEXT, correct_answer INTEGER)""') conn.commit() Sample data (replace with your own questions) sample_questions = [ ("Is the Earth flat?", "True", "False", 2), ("Do birds fly?", "True", "False", 1), ("Is water wet?", "True", "False", 1), ("Can humans breathe underwater?", "True", "False", 2), ] c.executemany("INSERT OR IGNORE INTO questions (question, answer1, answer2, correct_answer) VALUES (?, ?, ?, ?)", sample_questions) conn.commit() class QuizApp: def init(self, master): self.master = master master.title("True/False Quiz") # Initialize variables self.questions = [] self.current_question = 0 self.score = 0 self.start_time = 0 self.time_limit = 60 # Time limit in seconds # Get questions from the database self.load_questions() # Create GUI elements self.question_label = Label(master, text="", font=("Arial", 16)) self.question_label.pack(pady=20) self.true_button = Button(master, text="True", command=lambda: self.check_answer(1), width=15) self.true_button.pack(side=LEFT, padx=10) self.false_button = Button(master, text="False", command=lambda: self.check_answer(2), width=15) self.false_button.pack(side=RIGHT, padx=10) self.feedback_label = Label(master, text="", font=("Arial", 12)) self.feedback_label.pack(pady=10) self.timer_label = Label(master, text="Time Left: 60s", font=("Arial", 12)) self.timer_label.pack() self.progress_bar = ttk.Progressbar(master, orient=HORIZONTAL, length=200, mode="determinate") self.progress_bar.pack(pady=10) self.start_quiz() def load_questions(self): c.execute("SELECT * FROM questions") self.questions = c.fetchall() random.shuffle(self.questions) def start_quiz(self): self.start_time = time.time() self.display_question() self.update_timer() def display_question(self): if self.current_question < len(self.questions): question = self.questions[self.current_question] self.question_label.config(text=question[1]) # Display the question self.progress_bar["maximum"] = len(self.questions) self.progress_bar["value"] = self.current_question + 1 # Update progress bar def check_answer(self, selected_answer): correct_answer = self.questions[self.current_question][4] if selected_answer == correct_answer: self.feedback_label.config(text="Correct!", fg="green") self.score += 1 else: self.feedback_label.config(text="Incorrect!", fg="red") self.current_question += 1 if self.current_question < len(self.questions): self.display_question() else: self.end_quiz() def update_timer(self): elapsed_time = time.time() - self.start_time remaining_time = self.time_limit - elapsed_time if remaining_time > 0: self.timer_label.config(text=f"Time Left: {int(remaining_time)}s") self.master.after(1000, self.update_timer) else: self.end_quiz() def end_quiz(self): self.true_button.config(state=DISABLED) self.false_button.config(state=DISABLED) self.feedback_label.config(text=f"Quiz Over! Your score: {self.score}/{len(self.questions)}") Run the application root = Tk() app = QuizApp(root) root.mainloop() Close the database connection conn.close()