How to add Additional capabilities in Certificates, Identifiers & Profiles on app store account to Enable the Tap to Pay on iPhone capability.
Demystify code signing and its importance in app development. Get help troubleshooting code signing issues and ensure your app is properly signed for distribution.
When I build with Flutter, Xcode returns an error:
error: exportArchive: "Runner.app" requires a provisioning profile with the Associated Domains and Push Notifications features.
I use the automatic management signing, and the provisioning profiles include related features. What should I do?
I have signed and notarized a single executable file command line tool developed outside Xcode, and distributed outside of the App store by way of a download from a website as follows below, but nevertheless gatekeeper blocks running the tool with the usual message, just like without signing or notarization.
If I remove the com.apple.quarantine xattr, the tool runs as it should without gatekeeper interference, as expected.
I have browsed countless posts here, with similar issues, but in the end I can't find what's wrong with the process.
From what I gather, as long as the target Mac is connected to the Internet, stapling should not be required (I do understand I can't staple a single file executable command line tool), although Gatekeeper would be expected to complain in the case of the first run being done without Internet connection.
The certificate is a "Developer Id Application" certificate, installed and valid on the machine doing the signing.
It is unclear to me what the distinction is between "Developer Id Application" and "Developer Id Installer" certificates, but it's confusing that using -t install with spctl will actually accept the app.
The app is open source and available on GitHub (although the full distribution packaging is done in a separate build environment with some additional logic). The app used below as the target for signing and notarization is available to download from https://www.axantum.com/ in a .tar.gz archive.
Here follows a log of commands and output:
XecretsCli.plist: (This was necessary to add to the signing to avoid corruption of the executable by the code signing)
codesign -s GCXRMT5SQC -f --timestamp -s 0CF6800E595AA6DE9EBB905066619A9BFDD17A77 --entitlements XecretsCli.plist -o runtime XecretsCli
codesign -d -vvv --entitlements :- XecretsCli
Executable=/Users/svante/Downloads/XecretsCli-Osx-2.3.567 3/XecretsCli
Identifier=XecretsCli
Format=Mach-O thin (x86_64)
CodeDirectory v=20500 size=271478 flags=0x10000(runtime) hashes=8473+7 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=d3a8216fcb22b4a4af7bd0157ecc3d2b6be9f9b2
CandidateCDHashFull sha256=d3a8216fcb22b4a4af7bd0157ecc3d2b6be9f9b20c9e3c17e107f08c7ae75c5a
Hash choices=sha256
CMSDigest=d3a8216fcb22b4a4af7bd0157ecc3d2b6be9f9b20c9e3c17e107f08c7ae75c5a
CMSDigestType=2
CDHash=d3a8216fcb22b4a4af7bd0157ecc3d2b6be9f9b2
Signature size=8987
Authority=Developer ID Application: Axantum Software AB (GCXRMT5SQC)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Jun 20, 2024 at 13:26:05
Info.plist=not bound
TeamIdentifier=GCXRMT5SQC
Runtime Version=13.1.0
Sealed Resources=none
Internal requirements count=1 size=172
Warning: Specifying ':' in the path is deprecated and will not work in a future release
codesign -v -vvv --strict --deep XecretsCli
XecretsCli: valid on disk
XecretsCli: satisfies its Designated Requirement
zip XecretsCli.zip XecretsCli
adding: XecretsCli (deflated 63%)
xcrun notarytool submit "XecretsCli.zip" --keychain-profile "Notarize" --wait
Conducting pre-submission checks for XecretsCli.zip and initiating connection to the Apple notary service...
Submission ID received
id: e5990902-3101-42de-a1a6-b9ea40b944b8
Upload progress: 100.00% (12.4 MB of 12.4 MB)
Successfully uploaded file
id: e5990902-3101-42de-a1a6-b9ea40b944b8
path: /Users/svante/Downloads/XecretsCli-Osx-2.3.567 3/XecretsCli.zip
Waiting for processing to complete.
Current status: Accepted........
Processing complete
id: e5990902-3101-42de-a1a6-b9ea40b944b8
status: Accepted
spctl -a -vvv XecretsCli
XecretsCli: rejected (the code is valid but does not seem to be an app)
origin=Developer ID Application: Axantum Software AB (GCXRMT5SQC)
spctl -a -vvv -t install XecretsCli
XecretsCli: accepted
source=Notarized Developer ID
origin=Developer ID Application: Axantum Software AB (GCXRMT5SQC)
Trying to run the executable:
"XecretsCli" can't be opened because the identity of the developer cannot be confirmed.
Your security preferences allow installation of only apps from the App Store and identified developers.
Chrome downloaded this file today at 10:37.
OK
Hi,
I want to re-sign my app with a different certificate. Is it possible to keep the entitlements (including com.apple.application-identifier)? I want to re-sign the whole app including the plugins and frameworks, but I saw --deep was considered harmful.
Sorry, I'm a bit confused. Any help would be appreciated.
We're seeing an issue where our app builds that previously were working suddenly started failing to install through TestFlight. When the user hits Update in TestFlight, they get an error message "The profile can't be installed. Try again.". Double checked the certificates and provisioning profiles, rebuilt and deployed the app, still same issue.
We subsequently tried sideloading the ipa file using Xcode, hoping for more detail. The install failed there as well, with the following error message:
"Attempted to install a Beta profile without the proper entitlement."
Seems like a good lead but haven't found much. Our provisioning profiles have the "beta-reports-active: true" entitlement and anyway haven't changed since it was working previously.
Any idea what could be going on here?
Here's the full error from Xcode:
Error installing 'APP.ipa', ERROR: Error Domain=com.apple.dt.CoreDeviceError Code=3002 "Failed to install the app on the device." UserInfo={NSLocalizedDescription=Failed to install the app on the device., NSURL=file:///APP.ipa, NSUnderlyingError=0x60000372ea00 {Error Domain=IXUserPresentableErrorDomain Code=14 "Unable to Install “APP”" UserInfo={NSUnderlyingError=0x60000372e5e0 {Error Domain=MIInstallerErrorDomain Code=13 "Failed to install embedded profile for com.domain.app : 0xe800801f (Attempted to install a Beta profile without the proper entitlement.)" UserInfo={FunctionName=-[MIInstallableBundle _installEmbeddedProfilesWithError:], LegacyErrorString=ApplicationVerificationFailed, SourceFileLine=308, LibMISErrorNumber=-402620385, NSLocalizedDescription=Failed to install embedded profile for com.domain.app : 0xe800801f (Attempted to install a Beta profile without the proper entitlement.)}}, NSLocalizedDescription=Unable to Install “APP”, NSLocalizedRecoverySuggestion=Failed to install embedded profile for com.domain.app : 0xe800801f (Attempted to install a Beta profile without the proper entitlement.), NSLocalizedFailureReason=This app cannot be installed because its integrity could not be verified.}}}
Domain: com.apple.dt.DVTCoreDevice
Code: -1
User Info: {
DVTErrorCreationDateKey = "2024-06-19 19:40:04 +0000";
}
--
System Information
macOS Version 14.2.1 (Build 23C71)
Xcode 15.2 (22503) (Build 15C500b)
Timestamp: 2024-06-19T14:40:04-05:00
I encountered a signature issue:
codesign -f -s "Developer ID Application: ***" /Users/leagsoft/Desktop/uninstall
/Users/leagsoft/Desktop/uninstall: replacing existing signature
Warning: unable to build chain to self-signed root for signer "Developer ID Application:***"
/Users/uninstall: errSecInternalComponent
but signing with sudo works normally.
Summary
We have a .NET 8 application that consists of 2 components, a GUI app and a launch daemon. The .pkg file for the GUI app is created by Visual Studio, and this .pkg is then bundled with the launch daemon into one installer using the packagesbuild utility.
The problem we're facing is that our customer's MDM system is refusing to install the app because of a missing lock icon in the installer, which makes it look as if the app was not signed even though it is (shown on the right in the image below).
Installer package contents
The .pkg file created by packagesbuild contains the GUI app .pkg file shown on the left in the image above; signing of this file is handled by the .NET build process.
It also contains two third party .dylib files (one for intel, the other for arm), which are re-signed with the following command:
codesign --sign "Developer ID Application: [...]" \
--force --options runtime --no-strict \
"<file-path>"
The launch daemon is built with .NET and then signed using this command:
codesign --sign "Developer ID Application: [...]" \
--force --options runtime --no-strict \
--entitlements "<entitlements-path>" \
"<file-path>"
I don't know if it's relevant, but there are also several .plist and .json files.
Final package signing
The .pkg file created by packagesbuild is signed using:
productsign --sign "Developer ID Installer: [...]" \
--cert "Developer ID Installer: [...]" \
"com.optimidoc.cloudclient.pkg" \
"com.optimidoc.cloudclientsigned.pkg"
After signing, the package is notarised with xcrun notarytool.
Both the signing and notarisation finish without error, which I've validated by running pkgutil --check-signature "<file-path>"
Package "com.optimidoc.cloudclientsigned.pkg":
Status: signed by a developer certificate issued by Apple for distribution
Notarization: trusted by the Apple notary service
Signed with a trusted timestamp on: 2024-06-13 11:41:57 +0000
Certificate Chain:
1. Developer ID Installer: OptimiDoc s.r.o. (2YMBVCM8TM)
Expires: 2028-03-01 07:37:30 +0000
SHA256 Fingerprint:
02 E2 C1 A0 06 E1 C1 A2 FF 70 BD CD A5 47 43 B2 DB CF 62 BB 6D D4
90 69 3E 7C C8 A7 29 73 7D 69
------------------------------------------------------------------------
2. Developer ID Certification Authority
Expires: 2031-09-17 00:00:00 +0000
SHA256 Fingerprint:
F1 6C D3 C5 4C 7F 83 CE A4 BF 1A 3E 6A 08 19 C8 AA A8 E4 A1 52 8F
D1 44 71 5F 35 06 43 D2 DF 3A
------------------------------------------------------------------------
3. Apple Root CA
Expires: 2035-02-09 21:40:36 +0000
SHA256 Fingerprint:
B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C
68 C5 BE 91 B5 A1 10 01 F0 24
What I've tried
I played around with the signing process for a few days but I was unable to figure out where the installer UI gets the certificate information from.
I've tried limiting the files included in the final .pkg file. First I tried only including the GUI app .pkg with a known good signature. I also tried only including the launch daemon executables. All to no avail.
In regard to the packagesbuild utility, I noticed the --identity option, but at the moment I'm stuck with an "unknown error" message:
The command is:
packagesbuild "com.optimidoc.cloudclient.pkgproj" -v \
--identity "Developer ID Installer: [...]" \
--keychain "/Library/Keychains/System.keychain"
And the output I get is:
Building Project (11:56:49) at path: [...]
------------------------------------------------------------------------------
Build Folder (done)
Package "com.optimidoc.cloudclient"
Payload
Assemble file hierarchy (done)
Split forks (done)
Create bill of material (done)
Create pax archive (done)
Scripts
Assemble file hierarchy (done)
Split forks (done)
Create pax archive (done)
PackageInfo (done)
Create xar archive
==============================================================================
ERROR:
Description:
Unknow Error
==============================================================================
Build Failed
I think the --identity option is the way forward, but I don't know how to debug the "unknown error" message. I've sunk a few days into this problem already, so any help would be greatly appreciated. I'll update the post if I have any news.
Hi, I'm getting the following error while uploading the iOS build from Xcode to App Store Connect:
Profile doesn't include the com.apple.CommCenter.fine-grained entitlement.
The build succeeds, but I'm not able to upload it to App Store Connect. Any help or suggestions will mean a lot. Thanks!
App sandbox not enabled. The following executables must include the "com.apple.security.app-sandbox" entitlement with a Boolean value of true in the entitlements property list: [( "com.xx.pkg/Payload/xx.app//Contents/Resources/ss-local", "ccom.xx.pkg/Payload/xx.app//Contents/Resources/v2ray-plugin" )] Refer to App Sandbox page at https://developer.apple.com/documentation/security/app_sandbox for more information on sandboxing your app. (ID: ca7d4fde-0f0d-4a71-9eee-a01692797549)
Error:
{
  "logFormatVersion": 1,
  "jobId": "1654af2a-ff0e-46ff-8839-5c374e63228b",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "LocalApp-macosx.zip",
  "uploadDate": "2024-06-12T05:33:53.719Z",
  "sha256": "28ffff0e2c33b2f57a9f1c25677e84232bfa04b1ef5341130afbbf18093ba0ab",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "LocalApp-macosx.zip/LocalApp-macosx.app/Contents/Resources/Java/Disk1/InstData/Resource1.zip/$BUILD_ROOT$/Desktop/collaborator.app_zg_ia_sf.jar/Contents/MacOS/applet",
      "message": "The signature of the binary is invalid.",
      "docUrl": "Resolving common notarization issues | Apple Developer Documentation",
      "architecture": "i386"
    },
    {
      "severity": "error",
      "code": null,
      "path": "LocalApp-macosx.zip/LocalApp-macosx.app/Contents/Resources/Java/Disk1/InstData/Resource1.zip/$BUILD_ROOT$/Desktop/collaborator.app_zg_ia_sf.jar/Contents/MacOS/applet",
      "message": "The signature of the binary is invalid.",
      "docUrl": "Resolving common notarization issues | Apple Developer Documentation",
      "architecture": "x86_64"
    }
  ]
}
Why is the binary regarded as invalid and what remedy is recommended?
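Added example (not part of the original post, and not Apple tooling): a small Node.js triage script for a notary log like the one above. It collapses the per-architecture duplicates into one finding per binary and lists the archive containers that binary is nested in; the function names and the cleaned-up sample log are constructed for this illustration.

```javascript
'use strict';

// Constructed sample: the log from the post above with straight quotes
// restored and the garbled docUrl fields left out.
const SAMPLE_LOG = JSON.stringify({
  logFormatVersion: 1,
  jobId: '1654af2a-ff0e-46ff-8839-5c374e63228b',
  status: 'Invalid',
  statusSummary: 'Archive contains critical validation errors',
  statusCode: 4000,
  archiveFilename: 'LocalApp-macosx.zip',
  issues: ['i386', 'x86_64'].map((architecture) => ({
    severity: 'error',
    code: null,
    path: 'LocalApp-macosx.zip/LocalApp-macosx.app/Contents/Resources/Java/Disk1/InstData/' +
      'Resource1.zip/$BUILD_ROOT$/Desktop/collaborator.app_zg_ia_sf.jar/Contents/MacOS/applet',
    message: 'The signature of the binary is invalid.',
    architecture,
  })),
});

const ARCHIVE = /\.(zip|jar|pkg|dmg|tar|tgz|gz)$/i;

// Logs pasted through forums or word processors often carry curly quotes,
// which JSON.parse rejects.
function straightenQuotes(text) {
  return text.replace(/[\u201C\u201D]/g, '"');
}

// Parse as-is first; only rewrite quotes if strict parsing fails, so curly
// quotes inside legitimate string values are not touched unnecessarily.
function parseLog(text) {
  try {
    return JSON.parse(text);
  } catch (_) {
    return JSON.parse(straightenQuotes(text));
  }
}

// Archive-like path components below the submitted file itself.
function nestedArchives(issuePath, archiveFilename) {
  const parts = issuePath.split('/');
  const start = parts[0] === archiveFilename ? 1 : 0;
  return parts.slice(start, -1).filter((p) => ARCHIVE.test(p));
}

// One finding per (path, message); architectures are merged into a list.
function triageNotaryLog(text) {
  const log = parseLog(text);
  const byKey = new Map();
  for (const issue of log.issues || []) { // "issues" may be null
    const key = `${issue.path}\u0000${issue.message}`;
    if (!byKey.has(key)) {
      byKey.set(key, {
        path: issue.path,
        message: issue.message,
        severity: issue.severity,
        architectures: [],
        nestedArchives: nestedArchives(issue.path, log.archiveFilename),
      });
    }
    if (issue.architecture) byKey.get(key).architectures.push(issue.architecture);
  }
  return { status: log.status, summary: log.statusSummary, findings: [...byKey.values()] };
}

console.log(JSON.stringify(triageNotaryLog(SAMPLE_LOG), null, 2));
```

For the sample, the single finding reports both architectures and shows that the flagged `applet` binary sits inside `Resource1.zip` and then a `.jar`, which tells you which container has to be opened to inspect the binary's signature.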
Hello, I released the macOS version of my game before the iOS version.
After releasing the macOS version, I cannot run and debug my game in Xcode.
I get this error:
Provisioning profile "iOS Team Provisioning Profile: com.codepad.motorush" doesn't include the com.apple.application-identifier entitlement.
Please take a look at the screenshot.
I have a pretty simple macOS application which I've been trying to fix for a long time. Its origin is really old, using the Apple 802.11 framework located in
/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Apple80211
and it's supposed to just scan the area and display information about the local networks nearby.
For some reason, when I run the application and press the button to scan for local networks (Wi-Fi scan), it errors out and in the Xcode console I get
Process WiFiInfo is missing entitlement required for Wi-Fi user-client access: <key>com.apple.private.driverkit.driver-access</key> <string>com.apple.private.wifi.driverkit</string>
If I add those two lines to the entitlements, Xcode fails to sign my application and fails to build and run
Provisioning profile "Mac Team Provisioning Profile: com.troger.WiFiInfo" doesn't include the com.apple.private.driverkit.driver-access entitlement.
Any way I can fix this? I would really like to get this application back up to its running state as it once was before but am completely lost on how to fix this
Hello everyone,
I'm encountering an issue with Xcode's automatic signing feature. I've enabled "Automatically manage signing" and selected my development team, but instead of displaying the team ID, Xcode shows a star (*) in its place.
Here's a bit more context:
"Automatically manage signing" is enabled in the project settings.
The selected team works perfectly in other projects.
I've double-checked that the team is properly set up and has valid signing certificates.
Despite these steps, Xcode still displays a star (*) instead of the actual team ID. This issue is preventing me from proceeding with my project. Has anyone else experienced this problem or have any suggestions on how to fix it?
Hello, I've just got a new computer and now I want to transfer my developer account (certificates, keys etc.) to the new computer. Right now my developer membership has expired since I'm not doing any apps right now, but I might start again in the future.
I'm not sure if I need to transfer anything, or if I will just get new certificates and keys when (if) I restart my membership?
What do I need to do before I reset my old computer? I have developed apps for both iOS and macOS.
A few months ago I requested access to the com.apple.developer.contacts.notes entitlement, which I now have access to.
While running on 'Debug' build configuration, everything works as expected.
When creating a 'Release' build, however, the entitlement does not appear to be included with the app, as the console reports that fetching the note for each contact fails.
When I try to add the "Contact Notes" capability in Xcode, under the 'Release' tab in the project settings, the capability appears for a few seconds, then disappears when I move to a different tab and return. This does not happen for the 'Debug' configuration.
Attempted Resolutions:
Changing the signing configuration from 'Automatic' to 'Manual', using a manually generated provisioning profile. I manually inspected the provisioning profile using the terminal to ensure it included the entitlement.
Creating a separate entitlement file with com.apple.developer.contacts.notes, adding it to the root of the project. Ensuring that the path to this file is correct on the 'Release' configuration.
Ensuring 'Contacts Notes Field Access' is enabled under 'Additional Capabilities' in the Developer portal.
Adding the capability on Xcode.
Below is the inspector displaying the provisioning profile for the 'Debug' Configuration:
And the following image below shows the inspector details for the 'Release' Configuration provisioning profile:
When I use a manual provisioning profile and an entitlements file at the root of the project, Xcode displays this strange error:
I developed it in Unity. Originally, I updated Unity to the latest version to fix the problem of not being able to log in to Apple. That's when I found out my team ID had changed.
The current Apple membership team ID is HBEMGSUAQ3. When I check "Automatically manage signing" in Xcode, the team ID "ESB392LR64" is selected. Where did this team come from all of a sudden? I've only used "HVEMGSUAQ3" for a very long time. The ID changed during a test build while I was developing another project yesterday.
If I manually select the provisioning profile of my project, the error "Failed to install embedded profile for : 0xe800801f (Attempted to install a Beta profile without the proper entitlement.)" appears and the test installation is not possible.
So I created a new certificate, identifier, and profile. However, it continues to be created with the ID of "ESB392LR64". Keychain registration is also naturally registered with "ESB392LR64" status. Again, my team ID is "HVEMGSUAQ3" and there is no way to check "ESB392LR64" on my dev page...
This situation suddenly appeared when my certificates were updated with the ID of "ESB392LR64" on June 12, and what I suspect is that I updated my MacBook to the latest version of the OS on the day of the issue.
Please let me know what's going on. I'm hoping it's not a big deal....
Greetings to all. I have purchased my developer account and encountered an error message stating "Team is not yet configured for notarization" when attempting to sign my software. Despite my efforts to get in touch with Developer Programs over the past month through numerous phone calls and emails, the only response I receive is that they are unable to assist me at the moment. This situation has become quite distressing. We are encountering obstacles in releasing our software as Apple is impeding our progress. Users are experiencing an "unidentified developer" error message when trying to download it. I am unsure who to reach out to for assistance, especially when Apple support seems unresponsive despite being quick to accept payments.
Hello, we have a pkg file which used to be easily notarized using a particular apple id, but after we shifted to another account it is taking like forever.
We have created an app-specific-password and made use of it. Anything that we have done incorrectly?
Current status: In Progress........................................................
[12:12:27.335Z] Info [API] Waiting 20 seconds before next poll...
[12:12:47.337Z] Info [API] Preparing GET request to URL: https://appstoreconnect.apple.com/notary/v2/submissions/***-xxxxxx?, Parameters: [:], Custom Headers: private<Dictionary<String, String>>
[12:12:47.338Z] Debug [AUTHENTICATION] Using cached token value for app-specific password request: xxxxx:xxxxx@***
[12:12:47.338Z] Debug [AUTHENTICATION] Authenticating request to '/notary/v2/submissions/***-xxxxxx' with WebServices Token. AppleID: xxxx@***, Team ID: xxxxxxxxxx, Token: private<String>
[12:12:47.339Z] Debug [TASKMANAGER] Starting Task Manager loop to wait for asynchronous HTTP calls.
[12:12:47.886Z] Debug [API] Received response status code: 200, message: no error, URL: https://appstoreconnect.apple.com/notary/v2/submissions/***-xxxxxx?, Correlation Key: GBCZEFTI5NQ3263GKRANCEPD4I
[12:12:47.887Z] Debug [TASKMANAGER] Completed Task with ID 58 has received a parsable response.
[12:12:47.887Z] Debug [TASKMANAGER] Ending Task Manager loop.
[12:12:47.888Z] Info [API] Received new status: In Progress
Hello, I've developed an application using ElectronNET with C# and Blazor Server. I have managed to deploy to both Windows and the web but having trouble deploying the application to my Mac users.
It's my first time deploying an application for Mac but feel like I'm stuck at the last hurdle and out of ideas so I'm reaching out for help.
My application is successfully signing but during the build and when my Notarize.js is running it seems to get stuck indefinitely.
I can check and see the status of the Notarize attempts but they seem to be stuck "In Progress". Here are the logs.
Successfully received submission history.
history
--------------------------------------------------
createdDate: 2024-06-12T22:16:35.362Z
id: 26192605-001b-46ae-b622-9a79c20e1e93
name: CustomerSupportDashboard.zip
status: In Progress
--------------------------------------------------
createdDate: 2024-06-12T18:51:21.772Z
id: 6a34501c-8f48-4986-ae5e-82a99320dcbc
name: CustomerSupportDashboard.zip
status: In Progress
--------------------------------------------------
createdDate: 2024-06-12T15:13:44.722Z
id: ea5cd928-8207-4d25-b74a-45b04960dbe0
name: CustomerSupportDashboard.zip
status: In Progress
--------------------------------------------------
createdDate: 2024-06-12T14:24:48.776Z
id: 00ccd1f9-daa4-4bba-9a86-9f577c51f26b
name: CustomerSupportDashboard.zip
status: In Progress
--------------------------------------------------
createdDate: 2024-06-12T14:07:43.116Z
id: bf5dfa9c-9702-413b-8fbb-94017e930bcf
name: CustomerSupportDashboard.zip
status: In Progress
These have been running for over 6 hours now and it's my understanding it should take minutes, correct me if I'm wrong?
Here is my Notarize script if it helps diagnose what might be happening. Although the requests seem to be going through ok so it doesn't seem likely.
```javascript
const { join } = require('path');
const fs = require('fs-extra');
const { execFile } = require('child_process'); // runs the zip and xcrun commands below

// Build hook: zip the packaged .app and submit the archive to the notary service.
exports.default = async function notarizing(context) {
  const { electronPlatformName, appOutDir } = context;

  // Notarization only applies to macOS builds.
  if (electronPlatformName !== 'darwin') {
    console.log("Not a macOS platform, skipping notarization.");
    return;
  }

  const appName = context.packager.appInfo.productFilename;
  const appPath = `${appOutDir}/${appName}.app`;
  const zipPath = `${appOutDir}/${appName}.zip`;

  console.log(`Zipping the app at path: ${appPath} to: ${zipPath}`);

  // Zip the app
  await new Promise((resolve, reject) => {
    execFile('zip', ['-r', zipPath, appPath], (error, stdout, stderr) => {
      if (error) {
        console.error(`Failed to zip app: ${stderr || stdout}`);
        reject(new Error(`Failed to zip app: ${stderr || stdout}`));
      } else {
        console.log(`Successfully zipped app: ${stdout}`);
        resolve();
      }
    });
  });

  console.log(`Notarizing the app with Apple ID: *************.*****@*******.****`);

  // Submit the zip and block until the notary service returns a final status.
  await new Promise((resolve, reject) => {
    execFile('xcrun', [
      'notarytool',
      'submit',
      zipPath,
      '--apple-id', '*************.*****@*******.****',
      '--password', '****-****-****-****',
      '--team-id', '**********',
      '--wait',
      '--output-format', 'json'
    ], (error, stdout, stderr) => {
      if (error) {
        console.error(`Notarization failed: ${stderr || stdout}`);
        reject(new Error(`Notarization failed: ${stderr || stdout}`));
      } else {
        console.log(`Successfully notarized: ${stdout}`);
        resolve();
      }
    });
  });
};
```
I developed an iOS app for a customer and would like to upload it to his store page. I was given admin permissions; however, I failed to upload the iOS build to his App Store page. My account isn't being recognized as part of his developer team.
After some googling, it appears that in order to upload an iOS build for someone else, that someone must enroll as an organisation to give me the proper certificates.
My customer tried to enroll as an organisation; however, he was rejected by Apple due to "Your legal structure is a Proprietorship. Apple states “If you are a Sole Proprietorship/Single Person Company, enroll as an individual.”"
Is there a way for me to upload the app to his App Store page?