Demystify code signing and its importance in app development. Get help troubleshooting code signing issues and ensure your app is properly signed for distribution.

Post | Replies | Boosts | Views | Activity
Notarization taking a long time....
Ok so I've just swapped over from altool to notarytool and submitted my first app. notarytool tells me "Successfully uploaded", and having waited 30 mins (which would be some sort of record wait for altool), info tells me status: Accepted. I notice elsewhere that there are comments that the first submission can take some time, even days, but as I've done A LOT of notarizing over the last couple of years I wouldn't classify myself as submitting my first request... or is that more properly "my first request with notarytool"? If so, happy to sit and wait for a couple of days this first time through....
Replies: 0 | Boosts: 0 | Views: 404 | Activity: Oct ’23
Notarization causing 3rd party executables to not run correctly
I have created a .NET MAUI application that I have written for Windows and MacCatalyst. In my entitlements.plist I have com.apple.security.app-sandbox = no.

    <PropertyGroup Condition="'$(Configuration)|$(TargetFramework)|$(Platform)'=='Debug|net7.0-maccatalyst|AnyCPU'">
      <MtouchLink>SdkOnly</MtouchLink>
      <EnableCodeSigning>True</EnableCodeSigning>
      <EnablePackageSigning>true</EnablePackageSigning>
      <CreatePackage>true</CreatePackage>
      <CodesignKey>Developer ID Application: xxxxxxxxxx</CodesignKey>
      <CodesignProvision>xxxxxxxx</CodesignProvision>
      <CodesignEntitlements>Platforms\MacCatalyst\Entitlements.plist</CodesignEntitlements>
      <PackageSigningKey>Developer ID Installer: xxxxxxxxx</PackageSigningKey>
      <UseHardenedRuntime>true</UseHardenedRuntime>
      <RuntimeIdentifier>maccatalyst-arm64</RuntimeIdentifier>
      <MtouchInterpreter>-all</MtouchInterpreter>
    </PropertyGroup>

I have a 3rd party executable that I manually codesigned:

    codesign --force --verify --verbose --sign xxxxxx 3rdpartyApp --timestamp --deep --options runtime

Then I build the application in Visual Studio Mac. Everything is codesigned, etc. After building I am able to successfully notarize the pkg and then staple the notarization to it. When I take that pkg and install it in a test environment, everything installs fine, no warning. I am able to start my application and do what I need to do. But when it tries to run that 3rd party executable, it just fails. At first I checked exec permissions. I chmod it to +x within the .app container and also all the way at the beginning, and rebuilt the application, resigned, re-notarized, etc. I am working to get some logging out to see why it failed, but having an issue with that at the moment. In the meantime I have taken the non-notarized pkg, forced the install in the test environment, and the 3rd party executable runs successfully. So it seems the notarization process is causing this child process to fail?
Replies: 2 | Boosts: 0 | Views: 617 | Activity: Oct ’23
Getting crash when using notarytool on Github hosted osx build agents
When I run notarytool submit in my github workflow, I get what appears to be some kind of segmentation fault. Here's a direct link to the exception output: https://github.com/recyclarr/recyclarr/actions/runs/6594346352/job/17918152266#step:6:43 My project is open source, so you can also view the shell script I use in the workflow itself: https://github.com/recyclarr/recyclarr/blob/update-notary-tool/ci/notarize.sh The script above contains this:

    #!/usr/bin/env bash
    set -xe

    user="$1"
    pass="$2"
    teamId="$3"
    archivePath="$4"

    function submit() {
      xcrun notarytool submit --wait \
        --apple-id "$user" \
        --password "$pass" \
        --team-id "$teamId" \
        recyclarr.zip | \
        awk '/id: / { print $2;exit; }'
    }

    function log() {
      xcrun notarytool log \
        --apple-id "$user" \
        --password "$pass" \
        --team-id "$teamId" \
        "$1"
    }

    tar -cvf recyclarr.tar "$archivePath"
    zip recyclarr.zip recyclarr.tar

    submissionId="$(submit)"
    rm recyclarr.zip recyclarr.tar

    if [[ -z "$submissionId" ]]; then
      exit 1
    fi

    echo "Submission ID: $submissionId"

    until log "$submissionId"
    do
      sleep 2
    done

The error (from the workflow run) is:

    2023-10-21 01:24:18.817 notarytool[4894:25434] *** Terminating app due to uncaught exception 'NSFileHandleOperationException', reason: '*** -[_NSStdIOFileHandle writeData:]: Broken pipe'
    *** First throw call stack:
    (
      0   CoreFoundation      0x00007ff8106c4773 __exceptionPreprocess + 242
      1   libobjc.A.dylib     0x00007ff810424bc3 objc_exception_throw + 48
      2   Foundation          0x00007ff8115b5962 -[NSConcreteFileHandle readDataUpToLength:error:] + 0
      3   Foundation          0x00007ff811497590 -[NSConcreteFileHandle writeData:] + 263
      4   notarytool          0x000000010bcff026 notarytool + 462886
      5   notarytool          0x000000010bcb780d notarytool + 169997
      6   notarytool          0x000000010bcd37c6 notarytool + 284614
      7   notarytool          0x000000010bcea719 notarytool + 378649
      8   notarytool          0x000000010bcd3d19 notarytool + 285977
      9   notarytool          0x000000010bcd2a4e notarytool + 281166
      10  notarytool          0x000000010bcd5009 notarytool + 290825
      11  notarytool          0x000000010bc8fe66 notarytool + 7782
      12  dyld                0x000000011781b52e start + 462
    )
    libc++abi: terminating with uncaught exception of type NSException

I do not get this error when I run this script directly on my 2023 MBP. It only appears to happen in my github workflow. Is this a bug in notarytool? Notarization appears to still complete, and I also get a submission ID I can use for the notarytool log command I run after.
Replies: 1 | Boosts: 0 | Views: 409 | Activity: Oct ’23
How to make my app available to set as a default browser
Good day, I have an application that opens links in various browsers available on the device. For this reason, I want to make the app eligible to be chosen as the default browser. To do this, I reviewed the Apple article at this link: https://developer.apple.com/documentation/xcode/preparing-your-app-to-be-the-default-browser. However, unfortunately, I still haven't figured out how to do it. The article mentions that you need to send an email request. I sent an email, but my message was ignored. Dear colleagues or Apple staff, could you please explain in the most detailed and step-by-step manner how I can make my app available to be set as the default browser? I would greatly appreciate it because, unfortunately, this question isn't widely discussed in the community, and there are no videos with step-by-step guides. Thank you very much!
Replies: 0 | Boosts: 0 | Views: 407 | Activity: Oct ’23
Dual TeamID in a PPPC predicate
Hi, I'm looking for a way to allow two TeamIDs in a PPPC predicate. When an app moves from one company to another (different TeamIDs), PPPC configuration profiles need to cover the transition period. However, those profiles do not allow duplicated path-based entries, so the binary /usr/bin/local/sample can have only one PPPC payload for full disk access authorizations. To solve this problem I'd like to use an OR operator in the predicate, such as:

    identifier Sample and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and (certificate leaf[subject.OU] = TEAMID001 or certificate leaf[subject.OU] = TEAMID002)

But I cannot find any documented information about the supported syntax. Has anybody already done this before?
Replies: 2 | Boosts: 0 | Views: 535 | Activity: Oct ’23
Can't publish app to 3rd party, can't publish to store
Hi, After spending two months trying to launch this app I decided to start from scratch, and regenerate everything from code signing requests, certs, apps, appIDs, App Store entries, EVERYTHING, and at the end of all of it, I get exactly the same problem I've had for months:

    "Invalid Provisioning Profile. The provisioning profile included in the bundle com.chiltonwebb.secretprojectname [com.chiltonwebb.secretprojectname.pkg/Payload/secretprojectname.app] is invalid. [Invalid 'com.apple.application-identifier' entitlement value.] For more information, visit the macOS Developer Portal. (ID: 723cede2-3c9f-4069-b4fa-581ebd3468b9)"

I'm tired of guessing. I've tried everything I can find in these forums. What is the official way to diagnose this problem? -Chilton
Replies: 5 | Boosts: 0 | Views: 547 | Activity: Oct ’23
Shallow Depth and Pressure entitlement
I wrote my app with the entitlement "com.apple.developer.submerged-shallow-depth-and-pressure" and also with underwater-depth for WKBackgroundModes. All is working fine when I test the app. When I want to put the app in the store I get the following error:

    Missing entitlement. The Info.plist for the watchOS app bundle at “Watch App.app” uses the underwater-depth value for WKBackgroundModes without the com.apple.developer.submerged-depth-and-pressure entitlement signed into the bundle.

I wonder why the entitlement in the error message is without -shallow- and why I get this message.
Replies: 2 | Boosts: 0 | Views: 802 | Activity: Oct ’23
BundleID identifier problems for new version of app
Good morning, I have a new version of an app which is on the App Store already, but I would like to send it to others using TestFlight first. I have created a new version for the app on the App Store Connect website. I have confirmed the new version number in Xcode for this app, but when I upload it through the archive process in Xcode I get this response:

    "App record with bundle identifier "" not found on App Store Connect. Create an app record on App Store Connect, or distribute the app from Xcode, and then try again."

That was the default setting for App Store Connect. If I use the custom setting (and change the SKU because it is written as the bundle id identifier) I get this response:

    The app identifier "com.DefaultCompany.MyAppName" cannot be registered to your development team because it is not available. Change your bundle identifier to a unique string to try again.

Can someone please help me resolve this. A task that was supposed to take thirty minutes has extended to over four hours, and I have not found a solution to this problem. All documentation on the Apple developer site assumes an app will be updated to a new version without sharing first through TestFlight. All of this seems really counterintuitive for what should be a relatively straightforward process.
Replies: 2 | Boosts: 0 | Views: 2.3k | Activity: Oct ’23
Question about Notarization and the com.apple.quarantine flag
I've developed and distributed a plugin for Unreal Engine (builds as a .dylib). The plugin dynamically loads an external library that is a .bundle. The plugin has been notarized successfully. (Both the .dylib and the .bundle were signed with a Developer ID Application certificate.) When the plugin is downloaded, both the .dylib and the .bundle get flagged with the quarantine attribute; however, because it was notarized, the plugin is able to be loaded inside of Unreal Engine with no problem. The issue occurs when the user moves the Unreal Engine project (with said plugin) to an external drive. In this case, once the project is opened and tries to load the plugin, an error appears saying "***.bundle is damaged and can’t be opened. You should move it to the Trash." I'm wondering if this is an Unreal Engine issue, or a macOS (notarization/signing/entitlements/etc.) issue. Feels like if the .bundle is placed on an external drive, the OS does not check for notarization. If I move the project back to the HD of the laptop, everything works as expected. If I move the project to an external drive AND manually remove the com.apple.quarantine attribute (via terminal), then everything works as expected.
Replies: 4 | Boosts: 0 | Views: 571 | Activity: Oct ’23
Integrating TAP TO PAY shows error while uploading the app to app store.
I have created a mechanism for TAP TO PAY in my app and it seems to be working fine while testing locally. I have added the additional capabilities in App Store Connect for the app as a development profile. However, when I try to submit the app to the App Store for TestFlight I am getting an error which seems to be because of the development profile for the TAP TO PAY CAPABILITY. I am not sure how to convert the capability to distribution and need help.
Replies: 1 | Boosts: 0 | Views: 470 | Activity: Oct ’23
Strange Entitlement about System Extensions.
I have two System Extensions in my application: an App Proxy Provider (app-proxy-provider-systemextension) and Endpoint Security (com.apple.developer.endpoint-security.client). But now, on one of my customer's computers, when it launched the app proxy provider, the sysextd process said:

    /Applications/XXXXXX.app/Contents/Library/SystemExtensions/com.***.AppProxy.systemextension: entitlement com.apple.developer.endpoint-security.client not present or not true.

As a network system extension, my app proxy provider was asking for an Endpoint Security entitlement, which is very strange. I don't know how to debug it. Any ideas and help?
Replies: 4 | Boosts: 0 | Views: 430 | Activity: Oct ’23
Can an "Apple Distribution" certificate be used instead of a "Mac Installer Distribution" certificate?
If I understand correctly, the Apple Distribution certificate type aims to replace the separate platform-specific certificate types. (Please don't jump me, I know this is a very simplified way to put it :D) I am 100% sure an Apple Distribution certificate can be used instead of a "Mac App Distribution" certificate, but I'm not sure whether the same is true for installers, namely the "Mac Installer Distribution" certificate. I have read eskimo's great articles on packaging (https://developer.apple.com/forums/thread/701581) and signing (https://developer.apple.com/forums/thread/128166) but I have not seen a definite answer to this question in those. Our command line builds started to fail with a 'no certificate of type Mac Installer Distribution is found' without any actual apparent change to the build process, so I'm just trying to understand this certificate type better. I see no sign of this certificate ever having existed in developer.apple.com under the Certificates tab. We use the xcodebuild -exportArchive command with an -exportOptionsPlist that has the following content:

    <dict>
      <key>[redacted]</key>
      <string>[redacted]</string>
      <key>[redacted]</key>
      <string>[redacted]</string>
    </dict>
    <key>installerSigningCertificate</key>
    <string>3rd Party Mac Developer Installer</string>
    <key>signingCertificate</key>
    <string>Mac App Distribution</string>

and this has not changed at all either between the last successful build and the failing ones. I listed the existing code signing identities with security find-identity -p codesigning and only an Apple Distribution certificate shows up, not a Mac Installer Distribution certificate.
Replies: 2 | Boosts: 0 | Views: 559 | Activity: Oct ’23
How to Enable Read Access to Files in a ~/Library/Group Containers/com.apple.notes
Hello, I am currently designing a data backup solution, and have an unsandboxed launch agent written in .NET 6 that needs read access to files in order to back them up. It is configured together with its own App Group (with the sandboxed GUI). However, this Launch Agent cannot access files or enumerate directories in ~/Library/Group Containers/com.apple.notes whatsoever (even after enabling full disk access for the calling app, the files are not restricted either). I am trying to access the NoteStore.sqlite and similar files so that the Launch Agent can read the file and upload it to S3. Is there some entitlement I need to add, or access prompt? It seems like there are additional security layers for sandboxed folders for apps that I'm trying to bypass. What is the recommended solution for my use case? (For Ventura and Sonoma users)
Replies: 2 | Boosts: 0 | Views: 564 | Activity: Oct ’23
Firewall refuses to add Python; MULTIPLE POP-UP alerts
On Sonoma I develop with gcloud and python2.7 and python3.9 from MacPorts. I always get MULTIPLE dialogue pop-ups when starting the python webserver in Terminal.app. Choices are not remembered (neither block nor allow!!) I tried to solve that with socketfilterfw and codesign but it has NO effect at all. Questions like this have been creeping around for 10 years on Stackexchange. I have been searching for several hours for a solution to this problem. Is there any solution?

    20 : /opt/local/Library/Frameworks/Python.framework/Versions/3.9/Resources/Python.app ( Allow incoming connections )
    21 : /opt/local/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app ( Allow incoming connections )

    sudo codesign -s - -f /opt/local/Library/Frameworks/Python.framework/Versions/3.9/Resources/Python.app
Replies: 1 | Boosts: 0 | Views: 403 | Activity: Oct ’23
Can I customise CN and other data on Developer ID certificates?
Hi, I have developed a macOS app I'd like to distribute outside the App Store. I am an indie developer, there is no company, just me. If I disable Gatekeeper, the app installs and runs fine. But to distribute, it seems I now have to sign the app (notarise etc.), which means joining the Apple Developer Program and paying $99 p.a. for the pleasure. But before I sign up, I wanted to check what will be shown on the certificate. I'd prefer not to show my (fairly unique) name/surname for privacy reasons. Will I be able to specify the CN etc. for the certificate, or am I doomed to publicise my name with the app? Thanks
Replies: 2 | Boosts: 0 | Views: 310 | Activity: Oct ’23
Entitlements drop-down menu not shown in the provision profile edition page
We requested the In-App Provisioning entitlement and received the email from Apple saying: “The entitlement for In-App Provisioning has been assigned to your account, and you can now configure this capability for eligible apps.” Then we enabled the In-App Provisioning capability in the Additional Capabilities tab of App ID Configuration, and according to Apple’s instructions, there should be an entitlements drop-down menu in the provisioning profile edit page, but we've never seen such a menu in our provisioning profile. So is there any suggestion about this problem?
Replies: 1 | Boosts: 0 | Views: 467 | Activity: Oct ’23
Mismatch Between Provisioning Profile and Private Key Certificate When Packaging IPA for Production
Hello fellow developers, I hope you're all doing well. I've encountered an issue that I'm hoping someone here might have some insights on. When I try to package my IPA for the production version, I receive a notification that the provisioning profile doesn't match the private key certificate. However, when packaging for the test version, everything works perfectly. I've ensured that I'm using the provisioning profile for the production version and even exported the key for this profile, but they still don't seem to match. Upon further inspection, I noticed that when I applied for the production version of the mobileprovision, the Certificate Name automatically changed to the company name. Has anyone else experienced this issue? If so, how did you resolve it? Any guidance would be greatly appreciated. Thank you in advance for your time and assistance. Best regards
Replies: 1 | Boosts: 0 | Views: 391 | Activity: Oct ’23