Hello there! I found the page on Docs about Editing provisioning profiles: https://developer.apple.com/help/account/manage-profiles/edit-download-or-delete-profiles/ but there, are showed only cases where one should edit it or when it is expired. It is not showed the case where the profile IS ABOUT to expire. What If it is about to expire and I want to act before expiring? Somewhere on the forum I read that clicking "save" with no changes could be enough, but it is not clear to me if I need to choose something more about it. I add a screenshot since It seems to me the UI changed a bit recently. using Enterprise developer program, in-house distribution I can see no certificate with dec 31 2025 (+ - 1 day) on my dev page certificates list. but I have, among my certificates, an iOS distribution certificate with exactly nov 23 2026 es expiration date. why are two choices present with two different expiration dates? with which criteria should I pick one or the other? if I have no need to change something, what should I do or do not in this screen at renewal time? (I.E. at beginning of December 2024?) app Id should be the bundle id, is it so? but in this moment app and id are different, shouldn't they be the same?

Hello,I have been using Apple’s notarization services for some time, but for some reason, it has been failing for the last two days. Please find the command and it's output. Conducting pre-submission checks for Espressif-IDE-macosx-cocoa-aarch64.dmg and initiating connection to the Apple notary service... Submission ID received id: bde93f95-4208-45c2-b238-1bcf629648c7 Error: abortedUpload(resumeRequest: SotoS3.S3.ResumeMultipartUploadRequest(uploadRequest: SotoS3.S3.CreateMultipartUploadRequest(acl: nil, bucket: "notary-submissions-prod", bucketKeyEnabled: nil, cacheControl: nil, contentDisposition: nil, contentEncoding: nil, contentLanguage: nil, contentType: nil, expectedBucketOwner: nil, _expires: SotoCore.OptionalCustomCoding<SotoCore.HTTPHeaderDateCoder>(value: nil), grantFullControl: nil, grantRead: nil, grantReadACP: nil, grantWriteACP: nil, key: "prod/AROARQRX7CZS3PRF6ZA5L:bde93f95-4208-45c2-b238-1bcf629648c7", metadata: nil, objectLockLegalHoldStatus: nil, objectLockMode: nil, _objectLockRetainUntilDate: SotoCore.OptionalCustomCoding<SotoCore.ISO8601DateCoder>(value: nil), requestPayer: nil, serverSideEncryption: nil, sSECustomerAlgorithm: nil, sSECustomerKey: nil, sSECustomerKeyMD5: nil, sSEKMSEncryptionContext: nil, sSEKMSKeyId: nil, storageClass: nil, tagging: nil, websiteRedirectLocation: nil), uploadId: "C18xItDUHLkciEHQt_ctoMujceWSoVDz6_V8GRjSPhb2JI4YghXecKH3AVdBVKfTiPXInPr_TbF1aIfWJVKGkuIPtmKm6yzybc1mXTJDWlO.306kjAf5sNxO2H5ksNuy6Jqluc9gXAt3FFJKJZrf1CO3g_mIdfwGNUvQsAP3NpyoOWyDX6E4Ti36IdEZrlOj", completedParts: [SotoS3.S3.CompletedPart(eTag: Optional("\"089a88c4fb3c6844234dc2a89c027da7\""), partNumber: Optional(1)), SotoS3.S3.CompletedPart(eTag: Optional("\"e0e74de26a56733b7a1a5dd48e1f4184\""), partNumber: Optional(2))]), error: The operation couldn’t be completed. (Network.NWError error 54 - Connection reset by peer)) [log.txt](https://developer.apple.com/forums/content/attachment/ccc54854-9f87-4b44-bcac-8fd5efb53e81)

Hello. Last night, I was working on notarizing my macOS application. It succeeded for the first several requests, where I was submitting zipped applications. Then I tried to notarize a .pkg file. It has been in progress for 9+ hours, and the subsequent requests seem to be all waiting. Is there anything wrong with the notary service now? Is it true that subsequent requests will not proceed until the previous request is finished? Here's the log: createdDate: 2024-10-03T14:39:48.607Z id: 9739a538-1426-4036-971d-850f202306e0 name: <Redacted> status: In Progress -------------------------------------------------- createdDate: 2024-10-03T14:34:17.276Z id: c12e54d8-f362-4301-b099-ffcd51c27a91 name: <Redacted> status: In Progress -------------------------------------------------- createdDate: 2024-10-03T14:28:43.293Z id: 9a5b5c6b-37af-4761-944c-8ada884f6714 name: <Redacted> status: In Progress -------------------------------------------------- createdDate: 2024-10-03T13:56:35.675Z id: 32d46395-c5e3-4af5-9e02-01c1d8ae4865 name: <Redacted> status: In Progress -------------------------------------------------- createdDate: 2024-10-03T05:08:17.658Z id: 2c042894-79c8-4cc9-ab2b-a08920158023 name: <Redacted> status: In Progress

Hi, I've recently observed a sudden increase in support requests for one of my apps on the Mac App Store, reporting the error " is damaged and can't be opened. Please re-download it from the Mac App Store", all on different systems: macOS 12, macOS 13, and macOS 15 Sequoia. Re-downloading does not resolve the issue most of the time. One user reported that being connected to the internet resolved it - perhaps this is an OCSP issue again? I myself cannot reproduce this issue. Has there been a change in code-signing recently? Have some certificates changed? Anything else I should be aware of? What is the best course of action to have users take who experience this, when re-downloading the app from the Mac App Store does not work? Thank you, – Matthias

Starting Point I recently transferred an app from an old to a new developer account. The transfer itself went smoothly with the app using the following capabilities: CoreData, CloudKit, Push Notifications, In-App Purchases Keychain is not used After completing the app transfer, I worked on a new update. For this, I set the new developer account as the development team of the project in Xcode. However, as soon as I try to install the new version locally on my physical test device, I get the following error message: application-identifier entitlement string ({new_team_id}.{bundle_id}) does not match installed application's application-identifier string ({old_team_id}.{bundle_id}); rejecting upgrade.` (Note: The test device has the latest production version installed, which was still published by the old developer account. The update can be installed without any problems if no previous version is installed. {new_team_id}, {old_team_id} and {bundle_id} are a substitute for the original content.) What I've tried so far I found a Technical Note on this topic and followed the steps suggested. However, the Apple Support wasn't able to provide me with the required Special Provisioning Profile. That's why I tested a different approach with a dummy application: I have completed an update as described above (new developer account selected as development team). Next, I uploaded it to App Store Connect and published it as a new version. I received the following warning during the upload process, but ignored it since I don't use the keychain: At first glance, the publication process appears to have gone smoothly. While the update caused the above error during local testing, the update via the App Store went smoothly. As the latest production version has now also been published from the new Apple Developer Account, further updates can now also be tested locally on a physical device without any problems. Questions Why is it that the update causes an error when tested locally, but works without problems via the App Store? Can this approach also be used without concern for an app with a large active user base, which also uses the capabilities described above (in particular CoreData & CloudKit) without causing problems? Thanks a lot for your support in advance!

We want to make an app for the customers to install ipa files without use of third party apps or Other devices like Xcode, ITunes

Hi, I have an Electron app that I build, sign, notarize, and staple using electron-builder. It includes Sound Exchange (SoX), which I was invoking from the homebrew installed version. It builds a dmg and works fine. However, my users are non-technical, thus cannot be expected to install dev tools, homebrew, and sox from the command line and set paths. Therefore, I need to include a SoX binary in my app. I have a static SoX binary that works. However, when I try to run it from my electron app, I get Error: spawn / <path>/sox EACCES. Electron-builder is signing the SoX binary codesign --sign <sign number> --force --timestamp --options runtime --entitlements dist/entitlements/entitlements.mac.plist /<app path>Contents/Resources/bin/sox/sox The app sign/notarize works fine, the dmg mounts, and the app runs until I try to invoke SoX. Also, I verified the sox binary and entire app are signed and the app staple is valid. I am running the app from /Applications. Please help me!

The actual error: pkgbuild: error: Could not find appropriate signing identity for “Developer ID installer: My Name (DeveloperID)”. I'm trying to sign a program written with gfortran. The steps worked the last time (Mar 23) I built this code. The steps to error: a) xcrun notarytool store-credentials --apple-id "***" --team-id "yyy" Giving Profile Name zzz and App-specific password b) codesign --force --timestamp --options=runtime -s "Developer ID Application: My Name (yyy)" AppName c) pkgbuild --root ROOT --identifier org.aaa.bbb --version "1.1.1" --sign "Developer ID installer: My Name (yyy)" AppName.pkg ROOT contains the package contents At this point I get the error pkgbuild: error: Could not find appropriate signing identity for “Developer ID installer: My Name (yyy)” Are there steps that have changed. Any suggestions? Thanks, David

My mac os is 15.0.1. Using .p12 file (included ios developer and ios distribution), to keychain login tried to register iPhone Developer and iPhone Distribution. But iPhone Distribution is not displayed.

Using .p12 file (included ios developer and ios distribution), to keychain login tried to register iPhone Developer and iPhone Distribution. But iPhone Distribution is not displayed. MacOS: 15.0.1

Hi Apple community, many thanks in advance for your help. My macOS app embeds a Python interpreter, compiled from source, including the Python executable and its associated libraries. We have tried compiling the project with Xcode 16.0 and 16.1 beta 2 over MacOS Sequoia 15.0 and 15.1. The project is 100% developed in Swift6. This is how the project looks like: SampleApp.app SampleApp.app/Contents SampleApp.app/Contents/MacOS SampleApp.app/Contents/MacOS/SampleApp SampleApp.app/Contents/MacOS/bin SampleApp.app/Contents/MacOS/bin/python3.11 SampleApp.app/Contents/Resources SampleApp.app/Contents/Resources/lib SampleApp.app/Contents/Resources/lib/python3.11 SampleApp.app/Contents/Resources/Info.plist Since we want to 'initially' distribute the app directly, Python binary is signed as follows: codesign --deep --force --options runtime --timestamp --sign "$DEVELOPER_ID_APPLICATION" "$BINARY_PATH" App entitlements contain the next entries: &lt;key&gt;com.apple.security.app-sandbox&lt;/key&gt; &lt;true/&gt; &lt;key&gt;com.apple.security.files.downloads.read-write&lt;/key&gt; &lt;true/&gt; &lt;key&gt;com.apple.security.files.user-selected.read-only&lt;/key&gt; &lt;true/&gt; &lt;key&gt;com.apple.security.files.user-selected.read-write&lt;/key&gt; &lt;true/&gt; &lt;key&gt;com.apple.security.network.client&lt;/key&gt; &lt;true/&gt; &lt;key&gt;com.apple.security.network.server&lt;/key&gt; &lt;true/&gt; The resulting app is signed with entitlements, notarised and stapled. Once the app is running, we can see the next errors on Console: Prompting policy for hardened runtime; service: kTCCServiceAppleEvents requires entitlement com.apple.security.automation.apple-events but it is missing for accessing={TCCDProcess: identifier=[IDENTIFIER]], pid=58826, auid=502, euid=502, binary_path=[PATH]}, requesting={TCCDProcess: identifier=com.apple.appleeventsd, pid=824, auid=55, euid=55, binary_path=/System/Library/CoreServices/appleeventsd}, Python process runs for some seconds and then the process disappears. We can not see any AMFI message on Console. Then we add to Signing and Capabilities 'Apple Events' from Hardened Runtime section. The resulting app gets signed, notarised and stapled, but when running we get only the next errors: error 09:42:32.787744+0200 SampleApp Can't find or decode reasons error 09:42:32.787832+0200 SampleApp Failed to get or decode unavailable reasons Just in case it is relevant, this is how the app interacts with Python: process.executableURL = URL(fileURLWithPath: [PATH_TO_PYTHON_BINARIE]) process.environment = environment process.arguments = arguments process.standardOutput = pipe try process.run() process.waitUntilExit() We truly appreciate any guidance, help or advice. Thanks!!

After adding com.apple.developer.persistent-content-capture entitlement the app crashes on macOS 10.13.6 with following crash report Process: Remote for Mac [20489] Path: /Applications/Remote for Mac.app/Contents/MacOS/Remote for Mac Identifier: com.cherpake.macrc.server Version: ??? Code Type: X86-64 (Native) Parent Process: ??? [1] Responsible: Remote for Mac [20489] User ID: 501 Date/Time: 2024-10-09 09:28:35.482 +0300 OS Version: Mac OS X 10.13.6 (17G14042) Report Version: 12 Anonymous UUID: A2BB761B-2A18-0E9E-2470-21BD6C22E7A8 Time Awake Since Boot: 780000 seconds System Integrity Protection: enabled Crashed Thread: 0 Exception Type: EXC_CRASH (Code Signature Invalid) Exception Codes: 0x0000000000000000, 0x0000000000000000 Exception Note: EXC_CORPSE_NOTIFY Termination Reason: Namespace CODESIGNING, Code 0x1 kernel messages: VM Regions Near 0 (cr2): --> __TEXT 0000000105bdc000-0000000105cdd000 [ 1028K] r-x/r-x SM=COW Thread 0 Crashed: 0 ??? 0x00000001099bb19c _dyld_start + 0 Thread 0 crashed with X86 Thread State (64-bit): rax: 0x0000000000000000 rbx: 0x0000000000000000 rcx: 0x0000000000000000 rdx: 0x0000000000000000 rdi: 0x0000000000000000 rsi: 0x0000000000000000 rbp: 0x0000000000000000 rsp: 0x00007ffeea023c10 r8: 0x0000000000000000 r9: 0x0000000000000000 r10: 0x0000000000000000 r11: 0x0000000000000000 r12: 0x0000000000000000 r13: 0x0000000000000000 r14: 0x0000000000000000 r15: 0x0000000000000000 rip: 0x00000001099bb19c rfl: 0x0000000000000200 cr2: 0x0000000000000000 Logical CPU: 0 Error Code: 0x00000000 Trap Number: 0 Binary Images: 0x105bdc000 - 0x105cdcff7 +??? (0) <AB898262-B28C-3B3E-881C-31A6363FF1F6> (null) 0x1099ba000 - 0x109a04adf +??? (551.5) <CB9BFB56-4511-36F1-A546-891FF770C01C> (null) External Modification Summary: Calls made by other processes targeting this process: task_for_pid: 0 thread_create: 0 thread_set_state: 0 Calls made by this process: task_for_pid: 0 thread_create: 0 thread_set_state: 0 Calls made by all processes on this machine: task_for_pid: 332075 thread_create: 0 thread_set_state: 0 VM Region Summary: ReadOnly portion of Libraries: Total=1584K resident=0K(0%) swapped_out_or_unallocated=1584K(100%) Writable regions: Total=8408K written=0K(0%) resident=0K(0%) swapped_out=0K(0%) unallocated=8408K(100%) VIRTUAL REGION REGION TYPE SIZE COUNT (non-coalesced) =========== ======= ======= STACK GUARD 56.0M 2 Stack 8192K 2 __DATA 528K 5 __LINKEDIT 268K 4 __TEXT 1328K 3 shared memory 8K 3 =========== ======= ======= TOTAL 66.1M 13 Download link https://dl.cherpake.com/Remote-for-Mac-7962.pkg.zip

Hi Apple community, many thanks in advance for your help. My macOS app embeds a Python interpreter, compiled from source, including the Python executable and its associated libraries. We have tried compiling the project with Xcode 16.0 and 16.1 beta 2 over MacOS Sequoia 15.0 and 15.1 This is how the project looks like: SampleApp.app SampleApp.app/Contents SampleApp.app/Contents/MacOS SampleApp.app/Contents/MacOS/SampleApp SampleApp.app/Contents/MacOS/bin SampleApp.app/Contents/MacOS/bin/python3.11 SampleApp.app/Contents/Resources SampleApp.app/Contents/Resources/lib SampleApp.app/Contents/Resources/lib/python3.11 SampleApp.app/Contents/Resources/Info.plist Since we want to 'initially' distribute the app directly, Python binary is signed as follows: codesign --deep --force --options runtime --timestamp --sign "$DEVELOPER_ID_APPLICATION" "$BINARY_PATH" App entitlements contain the next entries: &amp;lt;key&amp;gt;com.apple.security.app-sandbox&amp;lt;/key&amp;gt; &amp;lt;true/&amp;gt; &amp;lt;key&amp;gt;com.apple.security.files.downloads.read-write&amp;lt;/key&amp;gt; &amp;lt;true/&amp;gt; &amp;lt;key&amp;gt;com.apple.security.files.user-selected.read-only&amp;lt;/key&amp;gt; &amp;lt;true/&amp;gt; &amp;lt;key&amp;gt;com.apple.security.files.user-selected.read-write&amp;lt;/key&amp;gt; &amp;lt;true/&amp;gt; &amp;lt;key&amp;gt;com.apple.security.network.client&amp;lt;/key&amp;gt; &amp;lt;true/&amp;gt; &amp;lt;key&amp;gt;com.apple.security.network.server&amp;lt;/key&amp;gt; &amp;lt;true/&amp;gt; The resulting app is signed with entitlements, notarised and stapled. Once the app is running, we can see the next error on Console: Prompting policy for hardened runtime; service: kTCCServiceAppleEvents requires entitlement com.apple.security.automation.apple-events but it is missing for accessing={TCCDProcess: identifier=[IDENTIFIER]], pid=58826, auid=502, euid=502, binary_path=[PATH]}, requesting={TCCDProcess: identifier=com.apple.appleeventsd, pid=824, auid=55, euid=55, binary_path=/System/Library/CoreServices/appleeventsd}, Python process is not running, we can't see any AMFI message. Next we added to Signing and Capabilities 'Apple Events' from Hardened Runtime section. The resulting app gets signed, notarised and stapled, but when running we get only the next errors: error 09:42:32.787744+0200 SampleApp Can't find or decode reasons error 09:42:32.787832+0200 SampleApp Failed to get or decode unavailable reasons Just in case it is relevant, this is how the app interacts with Python: process.executableURL = URL(fileURLWithPath: [PATH_TO_PYTHON_BIN]) process.environment = environment process.arguments = arguments process.standardOutput = pipe try process.run() process.waitUntilExit() We truly appreciate any guidance, help or advice. Thanks!!

This post is part of a cluster of posts related to the trusted execution system. If you found your way here directly, I recommend that you start at the top. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" Resolving Gatekeeper Problems Gatekeeper strives to ensure that only trusted software runs on a user’s Mac. It’s important that your code pass Gatekeeper. If not, you’re likely to lose a lot of customers, and your users’ hard-won trust. There are four common Gatekeeper problems: App blocked by a dangling load command path Broken code signature Lack of notarisation Command-line tool blocked by Gatekeeper The first problem is by far the most common. For the details, see Resolving Gatekeeper Problems Caused by Dangling Load Command Paths. For general information about Gatekeeper, read Apple > Developer > Signing Mac Software with Developer ID and Apple > Support > Safely open apps on your Mac. IMPORTANT This post focuses on Developer ID-signed code. Gatekeeper should not block App Store apps. If an app downloaded from the App Store fails to run, it’s likely to be some other trusted execution issue. For more about this, read Resolving Trusted Execution Problems. macOS 14 introduced gktool, a very minimal interface to Gatekeeper. Run the tool with the help argument to learn more: % gktool help Verify Your Signature A good first step in any Gatekeeper investigation is to verify that your code is signed correctly. Use the codesign tool for this: % codesign -v -vvv --strict --deep MyApp.app The -vvv options increase verbosity to the point where codesign will give you useful diagnostics. For example: % codesign -v -vvv --strict --deep "Munged.app" Munged.app: a sealed resource is missing or invalid file added: …/Munged.app/Contents/Resources/names/Adam.txt file modified: …/Munged.app/Contents/Resources/names/Morgan.txt file missing: …/Munged.app/Contents/Resources/names/Rhonda.txt This app was changed after it was signed in three different ways: Adam.txt was added. Morgan.txt was modified. Rhonda.txt was removed. You might see some results that make no sense. For example: Start with an app with a valid code signature: % codesign -v -vvv --strict --deep "NotNormal.app" NotNormal.app: valid on disk NotNormal.app: satisfies its Designated Requirement Use the Finder to create a zip archive (File > Compress). Use the Finder to unpack that archive. Check the code signature of the unpacked file: % codesign -v -vvv --strict --deep "NotNormal 2.app" NotNormal 2.app: a sealed resource is missing or invalid file added: …/NotNormal 2.app/Contents/Resources/names/Zoë Schrödinger.txt file missing: …/NotNormal 2.app/Contents/Resources/names/Zoë Schrödinger.txt There are two things to note here. First, just compressing and decompressing the app broke its code signature. Weird! Second, look at the error messages. It seems that the Zoë Schrödinger.txt file is was both added and removed. Weirder! To see what’s going on here you have to look at a hex dump of the file name: % ls "NotNormal.app/Contents/Resources/names" | xxd 00000000: 5a6f c3ab 2053 6368 726f cc88 6469 6e67 Zo.. Schro..ding 00000010: 6572 2e74 7874 0a er.txt. % ls "NotNormal 2.app/Contents/Resources/names" | xxd 00000000: 5a6f 65cc 8820 5363 6872 6fcc 8864 696e Zoe.. Schro..din 00000010: 6765 722e 7478 740a ger.txt. The names are not the same! The app started out with the ë in precomposed form and the ö in decomposed form. Compressing and decompressing the app converted the ë to its decomposed form, and that change broke the code signature. Programs that deal with Unicode are expected to ignore differences in normalisation. Sadly, Apple’s code signing implementation missed that memo (r. 68829319). For more details see this post but the executive summary is that it’s best to stick to ASCII when naming files in a bundle. Identify a Notarisation Problem Gatekeeper requires that your app be notarised. If not, it will block the execution of your app with a generic, user-level message. If you find your app blocked by Gatekeeper, check if this is a notarisation issue by looking in the system log for an entry like this: type: info time: 2022-05-11 14:57:21.812176 -0700 process: syspolicyd subsystem: com.apple.syspolicy category: default message: ticket not available: 2/2/8b7410713591e6c79ea98f0132136f0faa55d22a Note If the ticket details show as <private>, enable private data in the system log. For information on how to do that, see Recording Private Data in the System Log. For general information about the system log, see Your Friend the System Log. The long hex number is the code directory hash, or cdhash, of the offending code. In this example, it’s the cdhash of the app itself: % codesign -d -vvv /Applications/NotNotarised.app … CDHash=8b7410713591e6c79ea98f0132136f0faa55d22a … However, in some cases it may be the cdhash of some library referenced by the app. For more information about cdhashes, see TN3126 Inside Code Signing: Hashes. Resolve a Notarisation Problem The obvious cause of this problem is that you haven’t notarised your app. For information on how to do that, see Notarizing macOS Software Before Distribution. If you have notarised your app and yet you still see this problem, something more subtle is happening. For example, your app might reference a dynamic library that wasn’t seen by the notary service. To investigate this: Fetch the notary log for your app. For advice on that, see Fetching the Notary Log. Confirm that the notary log matches the app you installed. Look in the notary log for the sha256 property. Its value is a SHA-256 hash of the file received by the notary service. Check that this matches the SHA-256 hash of the file you used to install your app. If not, see Hash Mismatch, below. Search the notary log for the cdhash value from the Gatekeeper log message. If the notary log doesn’t contain that cdhash, that code wasn’t included in the notarised ticket. It’s possible that you failed to submit the code to the notary service, that it was switched out with a different version after you notarised your app, that it was package in some way that the notary service couldn’t see it, or that something went wrong within the notary service. Hash Mismatch If you stapled your notarised ticket to the file used to install your app then the hashes in step 2 of the previous section won’t match. What to do depends on the file type: If the file used to install your app was a zip archive (.zip), you definitely have the wrong file. Zip archives don’t support stapling. If the file used to install your app was a signed disk image (.dmg), compare the disk image’s cdhash with the cdhash for the disk image in the notary log. If those match, you know you’re working with the same disk image. To dump a disk image’s cdhash, run the codesign tool as follows: % codesign -d -vvv DISK_IMAGE … CDHash=d963af703ac2e54af6609e9ad309abee7b66fae2 … Replace DISK_IMAGE with the path to your disk image. If the file used to install your app was a disk image but it wasn’t signed, switch to a signed disk image. It’s generally a better option. If the file used to install your app was an installer package (.pkg), there’s no good way to know if this is the correct package. In this case, modify your notarisation workflow to retain a copy of the file before it was modified by stapler. Tool Blocked by Gatekeeper If your product includes a command-line tool, you might notice this behaviour: When you double click the tool in Finder, it’s blocked by Gatekeeper. When you run the tool from within Terminal, it works. This is a known bug in macOS (r. 58097824). The issue is that, when you double click a tool in the Finder, it doesn’t run Gatekeeper’s standard execution logic. Rather, the Finder passes the tool to Terminal as a document and that opens a window (and associated shell) in which to run that document. This triggers Gatekeeper’s document logic, and that logic always blocks the tool. There are two ways around this: Embed your tool in an application. If the user runs the application first, Gatekeeper runs its normal application check. If the user allows the app to run, Gatekeeper records that decision and applies it to the app and any code within the app, including your tool. Install your tool using an installer package. When the user goes to install the package, Gatekeeper checks it. Assuming that check passes, Gatekeeper does no further checks on the content it installed. Revision History 2024-11-11 Added a mention of gktool. 2022-05-20 Added the Verify Your Signature section. Made other minor editorial changes.

Hello, builds we've submitted for notarization have been stuck in the In-Progress stage for a while now. The process has taken less than 10 minutes in the past. The latest of which is id: 86916f85-b82f-4a95-982b-1232387a92e1. We haven't made any stark changes so we're not clear on what the issue is. Is the best way forward to submit a support ticket?

CodeSign /Users/abc007/Library/Developer/Xcode/DerivedData/App-fjztkcxqsstohgfvqdfnedgpwltj/Build/Intermediates.noindex/ArchiveIntermediates/App/InstallationBuildProductsLocation/Applications/App.app (in target 'App' from project 'App') cd /Users/abc007/Documents/WorkSpace/RegulusIT/Release_Oct_2024/UI\ Backup/ios/App Signing Identity: "Apple Development: Yatin Ghat (JS84GYN3O4)" Provisioning Profile: "iOS Team Provisioning Profile: www.rightschool.net" (bdc0759d-b9d0-4470-8e3f-b5b67d3c2586) /usr/bin/codesign --force --sign 82C0E5904219E333688CE627A21522F732446038 --entitlements /Users/abc007/Library/Developer/Xcode/DerivedData/App-fjztkcxqsstohgfvqdfnedgpwltj/Build/Intermediates.noindex/ArchiveIntermediates/App/IntermediateBuildFilesPath/App.build/Release-iphoneos/App.build/App.app.xcent --generate-entitlement-der /Users/abc007/Library/Developer/Xcode/DerivedData/App-fjztkcxqsstohgfvqdfnedgpwltj/Build/Intermediates.noindex/ArchiveIntermediates/App/InstallationBuildProductsLocation/Applications/App.app /Users/abc007/Library/Developer/Xcode/DerivedData/App-fjztkcxqsstohgfvqdfnedgpwltj/Build/Intermediates.noindex/ArchiveIntermediates/App/InstallationBuildProductsLocation/Applications/App.app: errSecInternalComponent Command CodeSign failed with a nonzero exit code

Hi, the documentation says that an application bundle for Mac OS X can have a Frameworks folder within Contents. Using a framework for console applications (no bundle) and GUI applications (bundle), I cannot load the console applications anymore on Ventura. Prior to Ventora I have tested and ran both on Mojave or earlier - I am not sure. To fix the issue, I have moved the frameworks within the application bundle to match the rpath for /Users/lothar/Library/Frameworks when I place the console into /Users/lothar/bin, the same rpath for application bundles works for those within the bin folder. Can I publish an application bundle with that modified layout or do I have to expect getting problems and do rather a Symlink pointing from /Users/lothar/Frameworks to /Users/lothar/Library/Frameworks? Thanks, Lothar

We are developing an application for local file discovery and transfer. We applied to Apple for two permissions. One is com.apple.developer.networking.multicast, which supports the four provisioning profiles: Development, Ad hoc, App Store Connect, and Developer ID. The other is com.apple.developer.device-information.user-assigned-device-name, but Apple only approved it for Development and Ad hoc, without granting App Store Connect support. This prevents us from using the user-assigned-device-name permission in the archive. Could you please clarify the situation? How can we get user-assigned-device-name supported for App Store Connect?

There does not seem to be a way to code sign a PAM module so that an XPC service can verify the signature with setCodeSigningRequirement. There should be a way to build a PAM module (dynamic Library ) so it can be code signed. Put in a bundle and code signing the bundle does not work .

We're having failures reported back to us from the notarization service as of the 4th of September. It's complaining about binaries inside .jar files, saying some aren't signed and others aren't signed with a valid developer certificate. These are third party jars; we unzip the unsigned binaries from these jars, sign them then put them back in using "jar -ufv". Notarizing is only complaining about binaries inside jars and not anything else, which implies our certificates are valid. Nothing has changed regarding these jars between the notarizing service accepting and rejecting our app. To confirm our suspicions that the notarizing service may be behaving differently, we sent it an app package that previously had succeeded in notarizing. Now the notarizing service fails, citing issues with the same jars as described above. Are you able to confirm whether anything has changed? Any ideas on what we could look at?