Hi, I am a newbie to this, I am trying to build my own ios phone app. I am using my own phone as the developers phone so its set to debug. Using Flutter I do flutter run. it get so far and always stops on : Could not build the precompiled application for the device. Error (Xcode): Unknown platform: "ios". /Users/admin/group2/ios/Runner/Assets.xcassets Error launching application on iPhone XS Max. I have tried everything, so I thought someone on here might have the answer. I am happy to share any files or anything that you might need to recreate the issue.

I'm working on an app that needs access to device activity. When I add device activity entitlement, I'm getting Provisioning profile "..." doesn't include the com.apple.developer.deviceactivity entitlement. This is failing for both, the main app and the extension, and both have entitlements added. It is not clear how to add it to the profile, the provisioning profile is created/managed by XCode. When I remove the entitlement, I can build my app but it won't be able to use device activity data I reached out to Developer Support, and they sent me here. What is the right way to add device activity entitlement? I'm also seeing another issue with XCode Cloud builds. When I remove device activity entitlement. I can build my app w/o any issue, and I can also install it directly on my iPhone. However, XCode Cloud builds fail wit Run command: 'xcodebuild -exportArchive -archivePath /Volumes/workspace/tmp/d41fc2f1-4f39-4906-8941-112488e75f6c.xcarchive -exportPath /Volumes/workspace/adhocexport -exportOptionsPlist /Volumes/workspace/ci/ad-hoc-exportoptions.plist '-DVTPortalRequest.Endpoint=http://172.16.68.193:8089' -DVTProvisioningIsManaged=YES -IDEDistributionLogDirectory=/Volumes/workspace/tmp/ad-hoc-export-archive-logs -DVTSkipCertificateValidityCheck=YES -DVTServicesLogLevel=3' I suspect that it could be related to my app having DeviceActivityExtension but no device activity entitlement is present. Thanks, Peter.

I am attempting to sign a *.pkg for distribution but I get "Could not find appropriate signing identity for 'Developer ID Application: CompanyName'. I'm calling this command to sign: productsign --sign 'Developer ID Application: CompanyName' "unsigned.pkg" "signed.pkg" I've downloaded the WWDR Intermediates, when I go through Keychain Access > Certificate Assistant > Evaluate on the cert and select "Code Signing" I get "Evaluation Status: Success" and "Certificate Status: Good". Additionally my certificate shows up as valid in my keychain. I'm at a loss for what is going on.

I have been notarizing the same program for 3 years now and it's usually completed in minutes. I have not changed anything on my end, is there a reason it's taking 24+ hours all of a sudden? I have seen the posts regarding this issue for new applications where it has to "learn", but I have been notarizing the same apps for 3 years now.

The notary service requires that all Mach-O images be linked against the macOS 10.9 SDK or later. This isn’t an arbitrary limitation. The hardened runtime, another notarisation requirement, relies on code signing features that were introduced along with macOS 10.9 and it uses the SDK version to check for their presence. Specifically, it checks the SDK version using the sdk field in the LC_BUILD_VERSION Mach-O load command (or the older LC_VERSION_MIN_MACOSX command). There are three common symptoms of this problem: When notarising your product, the notary service rejects a Mach-O image with the error The binary uses an SDK older than the 10.9 SDK. When loading a dynamic library, the system fails with the error mapped file has no cdhash, completely unsigned?. When displaying the code signature of a library, codesign prints this warning: % codesign -d vvv /path/to/your.dylib … Library validation warning=OS X SDK version before 10.9 does not support Library Validation … If you see any of these errors, read on… The best way to avoid this problem is to rebuild your code with modern tools. However, in some cases that’s not possible. Imagine if your app relies on the closed source libDodo.dylib library. That library’s vendor went out of business 10 years ago, and so the library hasn’t been updated since then. Indeed, the library was linked against the macOS 10.6 SDK. What can you do? The first thing to do is come up with a medium-term plan for breaking your dependency on libDodo.dylib. Relying on an unmaintained library is not something that’s sustainable in the long term. The history of the Mac is one of architecture transitions — 68K to PowerPC to Intel, 32- to 64-bit, and so on — and this unmaintained library will make it much harder to deal with the next transition. IMPORTANT I wrote the above prior to the announcement of the latest Apple architecture transition, Apple silicon. When you update your product to a universal binary, you might as well fix this problem on the Intel side as well. Do not delay that any further: While Apple silicon Macs are currently able to run Intel code using Rosetta 2, that’s not something you want to rely on in the long term. Heed this advice from About the Rosetta Translation Environment: Rosetta is meant to ease the transition to Apple silicon, giving you time to create a universal binary for your app. It is not a substitute for creating a native version of your app. But what about the short term? Historically I wasn’t able to offer any help on that front, but this has changed recently. Xcode 11 ships with a command-line tool, vtool, that can change the LC_BUILD_VERSION and LC_VERSION_MIN_MACOSX commands in a Mach-O. You can use this to change the sdk field of these commands, and thus make your Mach-O image ‘compatible’ with notarisation and the hardened runtime. Before doing this, consider these caveats: Any given Mach-O image has only a limited amount of space for load commands. When you use vtool to set or modify the SDK version, the Mach-O could run out of load command space. The tool will fail cleanly in this case but, if it that happens, this technique simply won’t work. Changing a Mach-O image’s load commands will break the seal on its code signature. If the image is signed, remove the signature before doing that. To do this run codesign with the --remove-signature argument. You must then re-sign the library as part of your normal development and distribution process. Remember that a Mach-O image might contain multiple architectures. All of the tools discussed here have an option to work with a specific architecture (usually -arch or --architecture). Keep in mind, however, that macOS 10.7 and later do not run on 32-bit Macs, so if your deployment target is 10.7 or later then it’s safe to drop any 32-bit code. If you’re dealing with a Mach-O image that includes 32-bit Intel code, or indeed PowerPC code, make your life simpler by removing it from the image. Use lipo for this; see its man page for details. It’s possible that changing a Mach-O image’s SDK version could break something. Indeed, many system components use the main executable’s SDK version as part of their backwards compatibility story. If you change a main executable’s SDK version, you might run into hard-to-debug compatibility problems. Test such a change extensively. It’s also possible, but much less likely, that changing the SDK version of a non-main executable Mach-O image might break something. Again, this is something you should test extensively. This list of caveats should make it clear that this is a technique of last resort. I strongly recommend that you build your code with modern tools, and work with your vendors to ensure that they do the same. Only use this technique as part of a short-term compatibility measure while you implement a proper solution in the medium term. For more details on vtool, read its man page. Also familiarise yourself with otool, and specifically the -l option which dumps a Mach-O image’s load commands. Read its man page for details. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" Revision history: 2025-04-03 — Added a discussion of common symptoms. Made other minor editorial changes. 2022-05-09 — Updated with a note about Apple silicon. 2020-09-11 — First posted.

We have NFC capabilties enabled for our app ID - com.uob.mightyvn but our minimum deployment target is 15.0. We do not have an option deselect PACE from provisioning profile. Hence, the validation is failed for IPA. Invalid entitlement for core nfc framework. The sdk version '18.2' and min OS version '15.0' are not compatible for the entitlement 'com.apple.developer.nfc.readersession.formats' because 'NDEF is disallowed'

Hello, my team is trying to fix a code signing issue with our app. Our production build works, but our debug build broke after upgrading to macOS 15. This is because our app contains an app extension that can no longer access our app group container after the upgrade to macOS 15. It looks like this is due to ~/Library/Group Containers being protected by SIP now. We were not code signing our debug app, and now security is stricter. Because of historical reasons, we need to use a Makefile to build our app instead of just using Xcode. We are trying to determine the best way to sign our debug app. It looks like our app extension is able to access our app group container if we sign the app with a developer certificate. However, we are wondering if the developer certificate is required. We see that Xcode can sign debug builds with the “-” code signing identity. We tried doing this from our Makefile in the same way we sign with the developer certificate, but it doesn’t work. Is this expected behavior?

Hi support, Currently we are in a process of migrating our Qt application for MAC OS - ventura -v13.4. There is a specific feature in our application in which client tries to communicate with server (Socket communication) using Qt's QsslSocket Apis . To achieve this we are using self signed Ca certificate (.pem ) generated by using openSSl commands which uses IP address of the server. We are manually installing the certificate inside MAC OS - keychain and trusting it manually as well after installing . This is working fine in XCode environment in debug mode in MAC OS and client -server handshake is happening successfully. How ever after creating .dmg file (installer) the same handshake is not happening and we are getting error -Connection time out. Upon investigating this online, we got to know there has to be codesigning (both app bundle and the dmg file )along with notarization of the .dmg file in order to access keychain of MAC OS at runtime to access the self signed certificate installed. Now we have 2 queries here. Is code signing mandatory if we want to verify our app through keychain with .dmg file ? If yes, whats the best way to achieve this ? We have tried 2 options without any luck. option1 - Trying to build our specific target among 'ALL_BUILD' with signing key settings inside xcode where we are providing developer provisional certificate with apple team ID . After that we are trying to archive to generate dmg file which is code signed. We are failing here as the signed dmg is not getting installed due to other app related dependencies are missing . option 2- Code signing the dmg and the app bundle manually outside the environment of xcode with developer certificate and team ID. We are failing here as notarization needs to be done it seems to access keychain for certificate verification If Code signing is not mandatory then whats the best possible way to achieve this considering manually installation of certificate inside keychain with adding trust option is not working at the moment. Please specify the best solution if possible.

p12证书导出是灰色的，一直导出不了 ![]（“https://developer.apple.com/forums/content/attachment/36357e8a-bbb0-4661-a57c-720d41c3d9aa” “title=微信截图_20241119125858.png;宽度=962;高度=273”）

I have app developed in electron.js and python and it works in ios 15 after codesigning but not in ios 14 or below I need to understand if theres a specific instruction that we need to while building the app or do I need to codesign in lower version? what can I do solve this issue??

Hi everyone, I am doing my app playground, when I change the development team or try to clear it, this bug happend? So I wonder do I have to remove it when I submit my work or just leave it there. Signing for "myapp" requires a development team. Select a development team in the Signing & Capabilities editor.

Hi Developer Community, I'm encountering persistent code signing failures on macOS Sonoma 15.3 with a valid Developer ID Application certificate. The error occurs consistently across multiple certificate regenerations and various troubleshooting approaches. Environment macOS Version: Sonoma 15.3 Developer Account Type: Developer ID Certificate Type: Developer ID Application Certificate Details: Developer ID Application certificate valid until 2027 Using SHA-256 with RSA Encryption Certificate shows as valid in Keychain Access with associated private key Error Message Warning: unable to build chain to self-signed root for signer "Developer ID Application: [my certificate]" [filename]: errSecInternalComponent Steps to Reproduce Install certificate chain in order: Apple Root CA (System keychain) Apple WWDR CA (System keychain) Developer ID CA (System keychain) Developer ID Application certificate (Login keychain) Verify certificate installation: security find-identity -v -p codesigning Result shows valid identity. Attempt code signing with any binary: codesign -s "Developer ID Application: [my certificate]" -f --timestamp --options runtime [filename] Results in errSecInternalComponent error Troubleshooting Already Attempted Regenerated Developer ID Application certificate multiple times from Developer Portal Completely removed and reinstalled entire certificate chain Verified trust settings on all certificates (set to "Always Trust" for code signing) Tried multiple codesign command variations including --no-strict flag Verified keychain integrity Installed latest Apple CA certificates from apple.com/certificateauthority Verified certificate chain is properly recognized by security verify-cert Additional Information All certificates show as valid in Keychain Access Private key is properly associated with Developer ID Application certificate Trust settings are correctly configured for all certificates in the chain Problem persists after clean certificate installations Error occurs with any binary I try to sign Has anyone else encountered this issue on Sonoma 15.3? Any suggestions for resolving this system-level certificate trust chain issue would be greatly appreciated. Thanks in advance!

Hi, I have built a MacOS application that I intend to distribute directly. I have created a disk image and code-signed successfully with the following response. xcrun notarytool info --apple-id "" --password "" --team-id "" I have also submitted the app for notarisation which says it's accepted. equipp@equipps-MacBook-Pro dist % xcrun notarytool submit SendFiles.dmg --keychain-profile "Sendfiles-Notarisation" --wait Conducting pre-submission checks for SendFiles.dmg and initiating connection to the Apple notary service... Submission ID received id: a2941225-b036-47b3-a010-547b0dce6a1a Upload progress: 100.00% (79.0 MB of 79.0 MB) Successfully uploaded file id: a2941225-b036-47b3-a010-547b0dce6a1a path: /Users/equipp/Documents/GitHub/sendfiles/dist/SendFiles.dmg Waiting for processing to complete. Current status: Accepted................ Processing complete id: a2941225-b036-47b3-a010-547b0dce6a1a status: Accepted When I run the application on a clean mac, I am still getting the error that this application is from an unidentified developer and might contain malware.(There's internet connection) However, when I try to staple the application, I am getting an error 65. Unsure what's going wrong with the notarisation. equipp@equipps-MacBook-Pro dist % xcrun stapler staple SendFiles.dmg Processing: /Users/equipp/Documents/GitHub/sendfiles/dist/SendFiles.dmg Could not validate ticket for /Users/equipp/Documents/GitHub/sendfiles/dist/SendFiles.dmg The staple and validate action failed! Error 65. equipp@equipps-MacBook-Pro dist % Can you please help?

Hi everyone. Sorry if this is not an appropriate forum section for this question. I'm making a game engine and it doesn't launch on my colleague's MacBook, although it does launch on mine. There's an application file, let's say, Sample.app. And along with it in the same folder there's Engine.dylib. If we look at the app-file structure, the executable file's path is Contents/MacOS/Sample. So for the executable file the library is located at the path ../../../Engine.dylib. But when my colleague runs the Sample.app file, he gets an error "Library not loaded: @executable_path/../../../Engine.dylib". Although the path is correct and on my MacBook it works. Are there any ideas how to fix it?

Using .p12 file (included ios developer and ios distribution), to keychain login tried to register iPhone Developer and iPhone Distribution. But iPhone Distribution is not displayed. MacOS: 15.0.1

I need to get the distribution certificate SHA-1 and public key in order to apply an official filing, but the certificate in deveoper account page is not downloadble. could someone help me on this? how to download certicate or to get SHA-1 and pubkey of the cert? thanks.

Hi, I am trying to upload the Certificate Signing Request but its failing and showing this error: CSR algorithm/size incorrect. Expected: RSA(2048)

I try to notarize my package, everything works except one signature of a binary. But the output of codesign seems fine. Notary log: "logFormatVersion": 1, "jobId": "350315e0-38ae-4224-a13b-1c4dc20c1cb7", "status": "Invalid", "statusSummary": "Archive contains critical validation errors", "statusCode": 4000, "archiveFilename": "VocalNet_Installer.pkg", "uploadDate": "2024-11-26T18:07:57.042Z", "sha256": "fc59a3c2c3669f641a18d6e6df9b91e9369f8cf9cd827d5a75762beb99dfbcfe", "ticketContents": null, "issues": [ { "severity": "error", "code": null, "path": "VocalNet_Installer.pkg/SLink.pkg Contents/Payload/Applications/SLink.app/Contents/MacOS/SLink", "message": "The signature of the binary is invalid.", "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087735", "architecture": "arm64" } ] } Codesign output: Executable=/Users/200gaga/Main/VocalNet/SLink.app/Contents/MacOS/SLink Identifier=SLink Format=app bundle with Mach-O thin (arm64) CodeDirectory v=20500 size=319089 flags=0x10000(runtime) hashes=9965+3 location=embedded VersionPlatform=1 VersionMin=720896 VersionSDK=720896 Hash type=sha256 size=32 CandidateCDHash sha256=26dc42451d203f54e29de37a5f74b8d9f9ab30c2 CandidateCDHashFull sha256=26dc42451d203f54e29de37a5f74b8d9f9ab30c26bb1dcde85d3db13fcb9ab4f Hash choices=sha256 CMSDigest=26dc42451d203f54e29de37a5f74b8d9f9ab30c26bb1dcde85d3db13fcb9ab4f CMSDigestType=2 Executable Segment base=0 Executable Segment limit=81920 Executable Segment flags=0x1 Page size=4096 CDHash=26dc42451d203f54e29de37a5f74b8d9f9ab30c2 Signature size=9058 Authority=Developer ID Application: SESSION LOOPS, INC. (29DGL5KQ37) Authority=Developer ID Certification Authority Authority=Apple Root CA Timestamp=Nov 26, 2024 at 13:04:23 Info.plist entries=9 TeamIdentifier=29DGL5KQ37 Runtime Version=11.0.0 Sealed Resources version=2 rules=13 files=5060 Internal requirements count=1 size=168

This issue keeps cropping up on the forums and so I decided to write up a single post with all the details. If you have questions or comments: If you were referred here from an existing thread, reply on that thread. If not, feel free to start a new thread. Use whatever topic and subtopic is appropriate for your question, but also add the Entitlements tag so that I see it. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" Determining if an entitlement is real In recent months there’s been a spate of forums threads involving ‘hallucinated’ entitlements. This typically pans out as follows: The developer, or an agent working on behalf of the developer, changes their .entitlements file to claim an entitlement that’s not real. That is, the entitlement key is a value that is not, and never has been, supported in any way. Xcode’s code signing machinery tries to find or create a provisioning profile to authorise this claim. That’s impossible, because the entitlement isn’t a real entitlement. Xcode reports this as a code signing error. The developer misinterprets that error [1] in one of two ways: As a generic Xcode code signing failure, and so they start a forums thread asking about how to fix that problem. As an indication that the entitlement is managed — that is, requires authorisation from Apple to use — and so they start a forums thread asking how to request such authorisation. The fundamental problem is step 1. Once you start claiming entitlements that aren’t real, you’re on a path to confusion. Note If you’re curious about how provisioning profiles authorise entitlement claims, read TN3125 Inside Code Signing: Provisioning Profiles. There are a couple of ways to check whether an entitlement is real. My preferred option is to create a new test project and use Xcode’s Signing & Capabilities editor to add the corresponding capability to it. Then look at what Xcode did. You might find that Xcode claimed a different entitlement, or added an Info.plist key, or did nothing at all. IMPORTANT If you can’t find the correct capability in the Signing & Capabilities editor, it’s likely that this feature is available to all apps, that is, it’s not gated by an entitlement or anything else. Another thing you can do is search the documentation. The vast majority of real entitlements are documented in Bundle Resources > Entitlements. IMPORTANT When you search for documentation, focus on the Apple documentation. If, for example, you search the Apple Developer Forums, you might be mislead by other folks who are similarly confused. If you find that you’re mistakenly trying to claim a hallucinated entitlement, the fix is trivial: Remove it from your .entitlements file so that your app starts to build again. Then add the capability using Xcode’s Signing & Capabilities editor. This will do the right thing. If you continue to have problems, feel free to ask for help here on the forums. See the top of this post for advice on how to do that. [1] It’d be nice if the Xcode errors were more clear in this case (r. 155327166). Commonly Hallucinated Entitlements This section lists some of the more commonly hallucinated entitlements: com.apple.developer.push-notifications — The correct entitlement is aps-environment (com.apple.developer.aps-environment on macOS), documented here. There’s also the remote-notification value in the UIBackgroundModes property. com.apple.developer.in-app-purchase — There’s no entitlement for in-app purchase. Rather, in-app purchase is available to all apps with an explicit App ID (as opposed to a wildcard App ID). com.apple.InAppPurchase — Likewise. com.apple.developer.app-groups — The correct entitlement is com.apple.security.application-groups, documented here. And if you’re working on the Mac, see App Groups: macOS vs iOS: Working Towards Harmony. com.apple.developer.background-modes — Background modes are controlled by the UIBackgroundModes key in your Info.plist, documented here. UIBackgroundModes — See the previous point. com.apple.developer.voip-push-notification — There’s no entitlement for this. VoIP is gated by the voip value in the UIBackgroundModes property. com.apple.developer.family-controls.user-authorization — The correct entitlement is com.apple.developer.family-controls, documented here. IMPORTANT As explained in the docs, this entitlement is available to all developers during development but you must request authorisation for distribution. com.apple.developer.device-activity — The DeviceActivity framework has the same restrictions as Family Controls. com.apple.developer.managed-settings — If you’re trying to use the ManagedSettings framework, that has the same restrictions as Family Controls. If you’re trying to use the ManagedApp framework, that’s not gated by an entitlement. com.apple.developer.callkit.call-directory — There’s no entitlement for the Call Directory app extension feature. com.apple.developer.nearby-interaction — There’s no entitlement for the Nearby interaction framework. com.apple.developer.secure-enclave — On iOS and its child platforms, there’s no entitlement required to use the Secure Enclave. For macOS specifically, any program that has access to the data protection keychain also has access to the Secure Enclave [1]. See TN3137 On Mac keychain APIs and implementations for more about the data protection keychain. com.apple.developer.networking.configuration — If you’re trying to configure the Wi-Fi network on iOS, the correct entitlement is com.apple.developer.networking.HotspotConfiguration, documented here. [1] While technically these are different features, they are closely associated and it turns out that, if you have access to the data protection keychain, you also have access to the SE. Revision History 2025-09-05 Added com.apple.developer.device-activity. 2025-09-02 First posted.

I am building an electron app bundled with python. My code signing was fast, but when it came to notarization, it has already taken over 6+ hours. How can I speed things up?