Product: macOS, Notarization Tool: notarytool, Stapler Tool: xcrun stapler, Application: master-billing.app, DMG: master-billing.dmg I'm attempting to notarize and staple a macOS .dmg file containing a signed .app. Notarization completes successfully, but the stapling step fails with Error 65. All tools are up-to-date and I'm following the official Apple process. #!/bin/bash set -e APP="dist/mac-arm64/master-billing.app" DMG="dist/mac-arm64/master-billing.dmg" IDENTITY="Developer ID Application: NAME (TEAM ID)" PROFILE="notarysiva" VOLUME_NAME="MasterBilling" Sign binaries and frameworks find "$APP" -type f ( -name ".dylib" -or -name ".so" -or -name "*.node" -or -perm -u+x ) -exec codesign --force --options runtime --timestamp --sign "$IDENTITY" {} ; find "$APP" -type d ( -name ".app" -or -name ".framework" ) -exec codesign --force --options runtime --timestamp --sign "$IDENTITY" {} ; codesign --deep --force --options runtime --timestamp --sign "$IDENTITY" "$APP" Create DMG hdiutil create -volname "$VOLUME_NAME" -srcfolder "$APP" -ov -format UDZO "$DMG" Sign DMG codesign --sign "$IDENTITY" --timestamp "$DMG" Verify DMG signature codesign --verify --verbose=2 "$DMG" Submit for notarization xcrun notarytool submit "$DMG" --keychain-profile "$PROFILE" --wait Staple ticket xcrun stapler staple -v "$DMG" Signing all binaries, dylibs, and frameworks... . . ✅ App signing complete. 💽 Creating DMG... ...................................................................................... created: /Users/one/Documents/MASTER/bill-master/dist/mac-arm64/master-billing.dmg 🔏 Signing the DMG... ✅ Verifying DMG signature... dist/mac-arm64/master-billing.dmg: valid on disk dist/mac-arm64/master-billing.dmg: satisfies its Designated Requirement 📤 Submitting DMG for notarization... Conducting pre-submission checks for master-billing.dmg and initiating connection to the Apple notary service... Submission ID received id: 32927c3c-7459-42b4-a90c Upload progress: 100.00% (123 MB of 123 MB) Successfully uploaded file id: 32927c3c-7459-42b4-a90c path: /Users/one/Documents/MASTER/bill-master/dist/mac-arm64/master-billing.dmg Waiting for processing to complete. Current status: Accepted............ Processing complete id: 32927c3c-7459-42b4-a90c status: Accepted 📌 Stapling notarization ticket to DMG... Processing: /Users/one/Documents/MASTER/bill-master/dist/mac-arm64/master-billing.dmg . . . Downloaded ticket has been stored at file:///var/folders/1l/ht34h5y11mv3rhv8dlxy_g4c0000gp/T/5bb9e667-dfe1-4390-8354-56ced7f48fa0.ticket. Could not validate ticket for /Users/one/Documents/MASTER/bill-master/dist/mac-arm64/master-billing.dmg The staple and validate action failed! Error 65.

Hi all, I’m trying to notarize a Flutter macOS app built in CI (GitHub Actions). The app builds and signs fine locally—codesign --verify --deep --strict and spctl --assess both pass. However, Apple’s notarization service consistently rejects the app with errors like: The binary is not signed with a valid Developer ID certificate: file_picker.framework The binary is not signed with a valid Developer ID certificate: file_saver.framework The binary is not signed with a valid Developer ID certificate: url_launcher_macos.framework What I’ve tried: Explicitly re-signing all frameworks with my Developer ID Application certificate and --timestamp Removing existing signatures before re-signing Ensuring correct entitlements and bundle identifier Matching the app bundle name and identifier in all places Using both codesign --deep and manual signing of each binary Local validation always passes, but notarization fails in CI Certificate: I am using a “Developer ID Application” certificate (not a “Mac Developer” or “Apple Development” certificate). The output of codesign -dvv for the problematic frameworks shows: Authority=Developer ID Application: [My Name/Team] ([Team ID]) So I believe I am not making the common mistake of using the wrong certificate type. CI Environment: GitHub Actions, macos-latest runner Flutter 3.27.2, stable channel All secrets (cert, Apple ID, app-specific password, team ID) are set up Questions: Has anyone encountered this with Flutter plugins or CI builds? Are there known issues with signing Flutter plugin frameworks for notarization? Is there a way to get more detailed feedback from Apple’s notarization service? Any advice or pointers would be greatly appreciated. I’m happy to provide logs, scripts, or a minimal project if needed. Thanks!

*** Error: ERROR: [ContentDelivery.Uploader] Validation failed (409) Invalid Provisioning Profile. The provisioning profile included in the com.baiyun-shuniu.scss bundle [Payload/HBuilder.app] is invalid. [Missing code-signing certificate]. A distribution provisioning profile should be used when uploading apps to App Store Connect. (ID: e21c7a63-520f-49c5-8298-9afa3aa14dd5) 2025-05-13 09:23:20.382 INFO: [ContentDelivery.Uploader]

Hi folks, I'm trying to generate a provisioning profile that includes both Healthkit and MusicKit entitlements. The healthKit pieces if fine, and included in the profile. However, despite selecting Musickit under services in the ID setup, the entitlement doesn't seem to be included in the profile. Other steps taken: Setup the app in App Store Connect, generated a media ID and Key. Tried both automatic and manual signing. Are there specifics tricks to getting this one to work?

I have been approved for family controls entitlements and see them in my apple certificates for my bundle identifier. I see them listed for Distribution in my Runner, however, when I try to distribute I get the error that I do not have the right permissions. Do I need to get the entitlements for each extension I have as well? I have three extensions that use the family controls.

Hi, We've created a new version of our macOS version of our app, but when I now try to upload the generated .pkg to App Store Connect via Xcode or Transporter we get this error message: ITMS-90286: Invalid code signing entitlements - Your application bundle’s signature contains code signing entitlements that aren’t supported on macOS. Specifically, the “AppIDPrefix.my.bundle.name” value for the com.apple.application-identifier key in “my.bundlename.pkg/Payload/appname.app/Contents/MacOS/appname” isn’t supported. This value should be a string that starts with your Team ID, followed by a dot (“.”), followed by the bundle ID. Setting the code signing to automatic or does not make a difference. Our app has a different App ID Prefix as our Team ID and when I try to upload the app to App Store Connect I get this error message, does anyone know how we can fix this issue? We used to be able to upload the apps without issues.

Hey all, I’m experiencing a consistent issue with notarizing a signed .pkg file that contains a macOS screen saver (.saver) bundle. Nothing online so far except 1 thread on the form from the altool time pre-2023 so i thought it worth another update. Here is what I did: I signed the .saver bundle using my Developer ID Application certificate. I packaged it into a .pkg using pkgbuild with my Developer ID Installer certificate: I submitted the resulting .pkg via xcrun notarytool: xcrun notarytool submit saver-name.pkg --apple-id email@email.com --password [app-specific-password] --team-id xxxxxxxxx The submission appears to be accepted and uploads successfully. However, the notarization status remains stuck at “In Progress” for hours (over 12h), with no update. I also tried: Repackaging the .pkg with a new name using a zip Resubmitting it under a new submission ID All attempts are stuck in the same “In Progress” state indefinitely. Did anyone solve this yet?

Hello, I am normally a windows programmer, but I am trying to get my PySide/Qt app into the app store. I'm almost there, I just have a couple of questions about the signing process. I have two laptops, one intel silicon, one mac silicon. I created 2 CSR's, one on each laptop and used them to generate 2 Mac Installer Distribution certificates and 2 Mac App Distribution certificates. When it came to downloading the provisioning profile, I selected one Mac App Distrbution Certificate on the interface at developer.apple.com, saved it and then downloaded to the appropriate laptop. I then switched the provisioning profile to the other Mac App Distribution Certificate and downloaded it to the other laptop. I then built the app and uploaded everything using xcrun altool. On the intel machine only(which has the first provisioning profile) I successfully uploaded the package but I get an email identifying lots of similar errors of the type (Lets call it error1): ITMS-90284: Invalid Code Signing - The executable XXXXX must be signed with the certificate that is contained in the provisioning profile. On the ARM machine only i get the following error (Lets call it error2): ITMS-91109: Invalid package contents - The package contains one or more files with the com.apple.quarantine extended file attribute, such as XXXXXXXX embedded.provisionprofile”. This attribute isn’t permitted in macOS apps distributed on TestFlight or the App Store. Please remove the attribute from all files within your app and upload again. On both I get the following error lets call it error3: ITMS-90886: 'Cannot be used with TestFlight because the signature for the bundle at XXXXX is missing an application identifier but has an application identifier in the provisioning profile for the bundle. Bundles with application identifiers in the provisioning profile are expected to have the same identifier signed into the bundle in order to be eligible for TestFlight.' My first inclination is that all the error1's are coming from having two sets of CSRs, Mac Distribution certificates, provisioning profiles etc. Should I have only used one CSR and made one each of the Certificates? I don't know why I have error2. I don't know where the quarantine attribute is coming from and why it would affect the mac silicon and not the intel. Any ideas? my entitlements file has the following: <key>com.apple.security.cs.allow-jit</key> <true/> <key>com.apple.security.cs.allow-unsigned-executable-memory</key> <true/> <key>com.apple.security.cs.disable-library-validation</key> <true/> <key>com.apple.security.app-sandbox</key> <true/> <key>com.apple.security.device.bluetooth</key> Error3 is the one where I need to try a few things but knowing what is expected will help. In the provisioning profile when viewed at developer.apple.com it has the APP ID listed as the 10 digit id followed by the bundle ID but I sometimes see just the 10 digit app ID being used and sometimes the bundle ID. I know that it's up to me to figure out how to get it into the build, but knowing what it should be would be helpful. On the other hand the text "Bundles with application identifiers in the provisioning profile ..." indicates that if the application identifier was not in the provisioning profile i might get away with it, but this might be grasping at straws. If you have made it this far, thank you for reading.

Hello, I had a successful attempt at notarization earlier today in my build pipeline. I've been using the same system for building my macOS application for over a year now. However, subsequent builds seemed to fail. I found a couple similar topics which makes this seem not not an isolated incident: https://developer.apple.com/forums/thread/782950 https://developer.apple.com/forums/thread/783347 https://developer.apple.com/forums/thread/783283 In my case I use the following command to submit the notarization: xcrun notarytool submit FilePath.dmg --apple-id "myappleid@gmail.com" --password "redacted_obviously" --team-id "my-team-id" --wait I left a previous run go for over an hour and the "Current status: In Progress.................. etc" filled the whole terminal. I manually checked the progress of the submissions using the command below: xcrun notarytool log --apple-id "myappleid@gmail.com" --password "redacted_obviously_again" --team-id "my-team-id" [run id] And they all result in the following output: Submission log is not yet available or submissionId does not exist Is anyone else experiencing this? Are there any possible solutions?

Hi the best community! When I try to submit the app to Testflight I receive the following error: "codesign command failed (/var/folders/j9/yh_rkh114rbgvmglf4gycj8w0000gn/T/XcodeDistPipeline.~~~OW0Dwk/Root/Payload/Application.app/Frameworks/Alamofire.framework: replacing existing signature /var/folders/j9/yh_rkh114rbgvmglf4gycj8w0000gn/T/XcodeDistPipeline.~~~OW0Dwk/Root/Payload/Application.app/Frameworks/Alamofire.framework: invalid or corrupted code requirement(s) Requirement syntax error(s): line 1:155: unexpected token: NPH )" I have never stuck with this issue before. Xcode Version 16.0 I assume that there is something related to code signing and our company name in App Store connect: Medical Institution “NPH” (The company name has been anonymized for privacy purposes.) Appreciate any help. Thank you!

we have organization account I'm the admin of team. and i have additional resources: Additional Resources Access to Reports Access to Certificates, Identifiers & Profiles. Access to Cloud Managed Distribution Certificate Create Apps Generate Individual API Keys Issues: i can't find my team certificate in Xcode I don't have access to https://developer.apple.com/account/resources/

I am running into this error with productbuild in github actions where the program hangs with a specific developer id. I have verified that my certification files are properly uploaded etc. and i am able to run this without the --sign command online and with --sign offline. if i sign with a "3rd party mac developer installer: ***" it will run but then crash on stapling because this isn't the actual org i want to staple and don't really need to verify that i could staple with this other license since it is my personal license and i will be leaving this job soon so setting up all my other certs is a waste of time since it doesn't solve the problem. When i use my bosses/org "Developer ID Installer: ***" productbuild just hangs. I am at a loss here... the acutal command running is productbuild --resources ./resources --distribution distribution.xml --sign "${{ secrets.DEVELOPER_ID_INSTALLER }}" --timestamp "${{ env.ARTIFACT_NAME }}.pkg" I have confirmed that my distribution file is fine etc. because I can productbuild without signing fine. Any suggestions on where to go?

I’ve been wrestling with this for nearly a week now and none of the proposed fixes have worked. I’m trying to resign an app via Jenkins and have done the following: Created a custom keychain Imported the required .p12 certificates Installed the Apple WWDR certificate in the System keychain Made the login keychain my default Added my development keychain, the login keychain and the System keychain to the user keychain list Unlocked my development keychain Confirmed my signing identity is present Granted the appropriate partition list access to the keychain "security set-key-partition-list -S apple-tool:,codesign: -k pwd /Users/ec2-user/Library/Keychains/development.keychain-db" Yet when I invoke Fastlane’s resign action, I still see: _floatsignTemp/Payload/EverMerge.app/Frameworks/AppLovinSDK.framework: replacing existing signature _floatsignTemp/Payload/EverMerge.app/Frameworks/AppLovinSDK.framework: errSecInternalComponent Encountered an error, aborting! Any guidance on what might be causing this errSecInternalComponent failure or how to get the resign step to succeed would be highly appreciated.

I’m having issues trying to codesign a .app file. We generated the Developer ID Application certificate using the organization owner’s account. I downloaded the certificate to my Mac and imported it into my keychain, but when I run the codesign command below, I get the following error. Could you help me? What am I doing wrong? Is there any other way to sign the .app executable? From what I’ve seen in other posts, it looks like the certificate needs to have a private key, but the certificate I download from the developer portal doesn’t include the key. Also, about exporting it as a .p12 — I couldn’t quite understand if that’s considered a safe practice, since the organization owner’s private key would be included in this certificate that we plan to use in our pipeline.

I do have background Modes added to Xcode. How can I fix this? Automatic signing failed Xcode failed to provision this target. Please file a bug report at https://feedbackassistant.apple.com and include the Update Signing report from the Report navigator. Provisioning profile "iOS Team Provisioning Profile: com.designoverhaul.bladerunner" doesn't include the com.apple.developer.background-modes entitlement. I emailed Dev Support but they said they cant help. Thank you.

Dear Apple support, Since the last couple of days, we have some (very) long running notarization requests. Similar requests were done normally under 1 minute. This behavior is unexpected to us, and we did not see it before. The issue occurs for a small CLI tool submitted as a ZIP archive. Checking the documentation, I come across the section about "Avoid long notarization response times and size limits" (https://developer.apple.com/documentation/security/customizing-the-notarization-workflow#Avoid-long-notarization-response-times-and-size-limits). One fact is mentioned “Limit notarizations to 75 per day.” What is behavior if that limitation is reached? Is that limitation per Apple ID or per team ID? Are there some known issues about Notarization Service? Best regards, Stefan

I haven't been able to notarize my macOS app for the past two days. Now, I believe this is an issue with the notarization process because I've tried notarizing the default app that's provided whenever you open a new Swift application, but that completely failed as well. And I've been waiting for the past two days and it's been stuck on in progress. This is the second time this has happened to me in the past two months and oftentimes I have to wait more than a day or two for the notarization to occur. I just, I don't understand why it's deadlocked like this. I've done nothing. I haven't changed my certificates. I haven't done any different configurations within my Mac. The last time that this happened, the issue went away after two days, but my biggest concern right now is that if this happens whenever we need to urgently push updates, we can't. I have absolutely no idea what to do and I'm just extremely frustrated because this is happening right before our launch day. I've been stuck on notarizing again for the past two days and I've seen no progress, I've seen no responses from support emails and the ones that do aren't even applicable to my current scenario. ⁠

Is it possible to have some additional content at Versions/A/ in a macOS Framework bundle that is not in any of the standard folders? Will there be any side-effects during signing and notarization? The reason is it'd be a lot easier in my use case to be able to put content here instead of the Resources folder.

hey, trying to notarize my mac app rn. maybe servers are down. earlier today super fast but now slow and i need to ship. anyone having similar issue?

Hi Developers, I'm encountering persistent validation errors in Xcode 16.3 (16E140) on macOS 15.4.1 (24E263) with M1 when archiving and distributing a macOS app (Developer ID signing + notarization). App Structure: A native Swift/Obj-C wrapper app that launches a nested .app inside its Resources. The nested app is built with PyInstaller and includes: A Python core Custom C++ binaries Many bundled .so libraries (e.g., from OpenCV, PyQt/PySide) Issues During Validation: App Sandbox Not Enabled Error: App Sandbox missing for NestedApp.app/Contents/MacOS/NestedExecutable. Question: For Developer ID (not App Store), is sandboxing strictly required for nested PyInstaller apps? If the wrapper is sandboxed, must the nested app be as well? Given the PyInstaller app's nature (requiring broad system access), how should entitlements be managed? Upload Symbols Failed Errors for missing .dSYM files for: The nested app’s executable Custom C++ binaries .so files (OpenCV, PyQt, etc.) These are either third-party or built without DWARF data, making .dSYM generation impractical post-build. Question: Are these symbol errors critical for Developer ID notarization (not App Store)? Can notarization succeed despite them? Is lack of symbol upload a known limitation with PyInstaller apps? Any best practices?