Starting Point I recently transferred an app from an old to a new developer account. The transfer itself went smoothly with the app using the following capabilities: CoreData, CloudKit, Push Notifications, In-App Purchases Keychain is not used After completing the app transfer, I worked on a new update. For this, I set the new developer account as the development team of the project in Xcode. However, as soon as I try to install the new version locally on my physical test device, I get the following error message: application-identifier entitlement string ({new_team_id}.{bundle_id}) does not match installed application's application-identifier string ({old_team_id}.{bundle_id}); rejecting upgrade.` (Note: The test device has the latest production version installed, which was still published by the old developer account. The update can be installed without any problems if no previous version is installed. {new_team_id}, {old_team_id} and {bundle_id} are a substitute for the original content.) What I've tried so far I found a Technical Note on this topic and followed the steps suggested. However, the Apple Support wasn't able to provide me with the required Special Provisioning Profile. That's why I tested a different approach with a dummy application: I have completed an update as described above (new developer account selected as development team). Next, I uploaded it to App Store Connect and published it as a new version. I received the following warning during the upload process, but ignored it since I don't use the keychain: At first glance, the publication process appears to have gone smoothly. While the update caused the above error during local testing, the update via the App Store went smoothly. As the latest production version has now also been published from the new Apple Developer Account, further updates can now also be tested locally on a physical device without any problems. Questions Why is it that the update causes an error when tested locally, but works without problems via the App Store? Can this approach also be used without concern for an app with a large active user base, which also uses the capabilities described above (in particular CoreData & CloudKit) without causing problems? Thanks a lot for your support in advance!

如果你的 App 执行设备端收据验证，请确保你的 App 支持 SHA-256 算法。 我的APP接入了apple内购，我需要如何验证我的app支持 SHA-256 算法呢？

Xcode automatic signing consistently fails for the macOS target when adding the App Groups capability, even though the Developer Portal is correctly configured. Error: Provisioning profile “Mac Team Provisioning Profile: com.example.testapp.mobile” doesn’t support the App Groups capability. Setup: • Bundle ID: com.example.testapp.mobile • App Group: $(TeamIdentifierPrefix)group.com.example.testapp.mobile Troubleshooting Steps Tried (None Helped): • Changed bundle identifiers and deleted/recreated them in the Developer Portal • Deleted and recreated App Groups • Removed and re-added the developer account in Xcode • Deleted all provisioning profiles from the system • Cleared Derived Data and Xcode caches • Even tried on a clean macOS system This setup used to work previously. The issue seems to have started after the Apple Developer account was renewed.

My iOS version of the app is available on the App Store with a non-team ID prefix for its bundle ID. It has been available there for a long time and I am not sure why I chose a custom prefix for it. The Mac version of the same app is available on the Mac App Store with a different bundle ID and with a prefix that matches my team ID. I am currently looking to "merge" both apps into a single bundle ID. The plan is to stop using the current Mac app and release a new one as a universal app under the existing bundle ID for the iOS app. Unfortunately, it looks like that the Mac App Store does not actually allow any submissions that have a non-team ID for a prefix. I know that it is a very specific case but any suggestions would be welcomed.

Tried notarizing my app yesterday afternoon via Mac terminal, and when I came back to work this morning it was still "In Process...". I closed terminal, and checked appleid.apple.com, and it was asking me to reset my password- maybe because the notarization timed out? Either way, I reset my password, generated a new app-specific password and tried notarizing the app again, but it's now been 3 hours and it's still "In Process..." again. When I check the status via terminal, nothing seems off- and the status is In Progress. How can I determine if there's a bigger issue I need to fix before notarizing? UUID: e7ae29c8-2478-41a3-93b4-3f274de643d0

Hello, We are using automatic signing for a couple of projects, and we're struggling to get it to work in a CI with Xcode 16. It was working with Xcode 15 but with Xcode 16 we get the following errors : error: The operation couldn’t be completed. Unable to log in with account ''. The login details for account '' were rejected. error: Provisioning profile "iOS Team Provisioning Profile: com.bundleid.my" doesn't include signing certificate "Apple Development: Foobar (TEAMID)". Any ideas ?

We've been trying to get the CarPlay Navigation Entitlement for a couple years now without much luck. Did you have a similar experience? How did you succeed getting the entitlement? Part of the form requires us to submit Screenshots. Did you provide screenshots of your on-device experience or wireframe for CarPlay? How was your experience?

I found a post that submitted the same issue, but the solution was not made public. I didn't get a reply to my comment at the bottom of the post, so I'm pasting the content of the post here. I am a developer working on iOS apps. I would like to report an issue occurring in iOS 18 beta and iOS 18.1 beta. Our company has two Enterprise accounts, and we are developing two apps: A app / TeamId: ABCDEFG B app / TeamId: HIJKLMN When we distribute these apps, which have different TeamIds, and install them on a device running iOS 18 beta, both apps install successfully, but only one app will run. (Other app crashed immediately after being launched.) This issue does not occur on versions prior to iOS 18. I would like to know if this is a problem that will be resolved in future updates, or if it is a policy change.

After upgrading the virtual machines used for building and testing our macOS application, it seems that something new in Sequoia is preventing virtual machines from running anything signed with a Mac Development certificate. At first glance the issue seems very similar to this thread, but it could be unrelated. We are using the tart toolset to build and run our VMs. People seem to be having related issues there with Sequoia in particular. I have added the VM's hardware UUID to the Devices list of our account. I have included that device in the devices list of our Mac Development provisioning profile. I have re-downloaded the profile, ensured that it is properly getting built into the app, and ensured that the hardware UUID of the VM matches the embedded provisioning profile: Virtual-Machine App.app/Contents % system_profiler SPHardwareDataType | grep UUID Hardware UUID: 0CAE034E-C837-53E6-BA67-3B2CC7AD3719 Virtual-Machine App.app/Contents % grep 0CAE034E-C837-53E6-BA67-3B2CC7AD3719 ../../App.app/Contents/embedded.provisionprofile Binary file ../../App.app/Contents/embedded.provisionprofile matches However, when I try to run the application, it fails, and while I have searched the system logs to find a more informative error message, the only thing I can find is that the profile doesn't match the device somehow: Virtual-Machine App.app/Contents % open ../../App.app The application cannot be opened for an unexpected reason, error=Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." UserInfo={NSLocalizedFailureReason=Launch failed., NSUnderlyingError=0x6000039440f0 {Error Domain=NSPOSIXErrorDomain Code=153 "Unknown error: 153" UserInfo={NSLocalizedDescription=Launchd job spawn failed}}} Virtual-Machine App.app/Contents % log show --info --debug --signpost --last 3m | grep -i embedded.provisionprofile 2025-01-21 16:33:32.369829+0000 0x65ba Error 0x0 2872 7 taskgated-helper: (ConfigurationProfiles) [com.apple.ManagedClient:ProvisioningProfiles] embedded provisioning profile not valid: file:///private/tmp/builds/app/.caches/Xcode/DerivedData/Build/Products/Debug/App.app/Contents/embedded.provisionprofile error: Error Domain=CPProfileManager Code=-212 "Provisioning profile does not allow this device." UserInfo={NSLocalizedDescription=Provisioning profile does not allow this device.} I don't understand why the provisioning profile wouldn't allow the device if the hardware UUID matches. I have also attempted to add the Provisioning UDID in the devices list instead, but the form rejects that value because it's a different format (the form specifically requests a hardware UUID for macOS development, and a provisioning UDID for everything else). If there is any debugging tool that lets me check a provisioning profile against the running hardware and print a more verbose reason for why it's not allowed on the device, please let me know. Otherwise I'd have to conclude that, since I haven't experienced this issue before on an earlier OS, it has something to do with virtual machines running macOS Sequoia. (The same Mac Development-signed application runs just fine on my MacBook Pro running 15.2, as well as the VM host, which is also running 15.2.) I have also tried resetting the VM's hardware UUID and adding that one to the devices list, to no effect. This is obviously seriously impacting our CI/CD pipelines to allow for proper UI testing of our application. If anyone is aware of any workarounds, I would love to hear them!

In the LightweightCodeRequirements framework, there is a LaunchCodeRequirement object which can be used as a requirement object for a Process for example. What I don't understand (I admit my macOS low-level knowledge is limited) is that how can this be used in a secure way that doesn't fall victim of a Time-of-Check/Time-of-Use issue. e.g. I specify a LaunchCodeRequirement via Process.launchRequirement for my process, let's say /usr/local/bin/mycommandlinetool. The LaunchCodeRequirement specifies my development team and a developer ID certificate. The process must be started in some form, before a SecCode/SecTask object can be created, rather than a SecStaticCode object (which only guarantees its validity checks to be intact as long as the file is not modified). But if the process was started, then I have no tools in my set to prevent it from executing its initialization code or similar. Then, by the time I'm able to check via SecCode/SecTask functions the LaunchCodeRequirement, I might have already ran malicious code - if mycommandlinetool was maliciously replaced. Or does the operating system use a daemon to copy the executable specified for Process to a secure location, then creates the SecStaticCode object, assesses the LaunchCodeRequirement and if passed, launches the executable from that trusted location (which would make sure it is immutable for replacement by malicious actors)? I have a hard time understanding how this works under the hood - if I remember correctly these are private APIs.

The attached file bellow contains the full error error I clone this repo to my mac, change team id and group, and run it in Xcode: https://github.com/protonpass/ios-pass There's no issue when I ran it with the Debug configuration, but when I go to Product > Scheme > Edit Scheme and change the iOS target build configuration to Release then I got that error above. I have tried Archive and export the ipa, verify that the provisioning profile contains my Mac UDID, but when double clicking the ipa to install, I also got the error This app cannot be installed because its integrity could not be verified.

We were recently approved for the "User Assigned Device Name" for a specific app Identifier. The "Additional Capabilities" tab isn't present on that App ID. I am an admin in the developer portal, and this does not appear for the account holder as well. Any help would be appreciated.

Hi all, I'm using xcode 13.2.1. I go to Product>Archive. The app builds and creates an archive, but there's no data for "version, identifier, type, team, architecture, etc." It's just creating a "generic xcode archive." When I go to "distribute content" it doesn't give the typical distribution methods like "App store Connect, Adhoc, Enterprise, or Development." What am I doing wrong? Thank you, Thomas

Hello Apple Community, many thanks in advance for your help. My macOS app embeds a Python interpreter, compiled from source, including the Python executable and its associated libraries. The top-level app is built with Xcode 16.1 and it's written 100% in Swift6. For test purposes we are running the app on MacOS Sequoia 15.0, 15.1 and Sonoma 14.4. The app can be downloaded via TestFlight and Console app shows the next errors: Crash Reports python3.11 Application Specific Signatures: Unable to get bundle identifier for container id python3: Unable to get bundle identifier because Info.plist from code signature information has no value for kCFBundleIdentifierKey. tccd process error Prompting policy for hardened runtime; service: kTCCServiceAppleEvents requires entitlement com.apple.security.automation.apple-events but it is missing for accessing={TCCDProcess: identifier=[IDENTIFIER]], pid=62822, auid=502, euid=502, binary_path=[PATH TO SAMPLEAPP]]}, requesting={TCCDProcess: identifier=com.apple.appleeventsd, pid=577, auid=55, euid=55, binary_path=/System/Library/CoreServices/appleeventsd}, The next documents were helping a lot to reach the current state althought sometimes I was not sure how to apply them in this python interpreter context: Signing a daemon with a restricted entitlement Embedding a command-line tool in a sandboxed app XPC Rendezvous, com.apple.security.inherit and LaunchAgent Placing content in a bundle There are a lot of details that I will try to explain in the next lines. Once archived the app, it looks like this: SampleApp.app SampleApp.app/Contents SampleApp.app/Contents/Info.plist SampleApp.app/Contents/MacOS SampleApp.app/Contents/MacOS/SampleApp SampleApp.app/Contents/Resources SampleApp.app/Contents/Resources/Python.bundle And this is how Python.bundle looks like: Python.bundle/Contents Python.bundle/Contents/Info.plist Python.bundle/Contents/Resources Python.bundle/Contents/Resources/bin Python.bundle/Contents/Resources/bin/python3.11 <- Python executable Python.bundle/Contents/Resources/lib Python.bundle/Contents/Resources/lib/python3.11 <- Folder with python libraries This is the Info.plist associated with Python.bundle: <dict> <key>CFBundleIdentifier</key> <string>com.sampleapp.app.Python</string> <key>CFBundleName</key> <string>Python</string> <key>CFBundleVersion</key> <string>1.0</string> <key>CFBundlePackageType</key> <string>BNDL</string> </dict> For some reason Bundle Identifier is ignored. Created a Python target and added to the main app, I selected the Bundle template. In Python target I made the next customizations: Enabled the Skip Install (SKIP_INSTALL) build setting. Disabled the Code Signing Inject Base Entitlements Added entitlements com.apple.security.inherit to it, with a Boolean value of true. Tried to set Other Code Signing Flags (OTHER_CODE_SIGN_FLAGS) build setting to: $(inherited) -i $(PRODUCT_BUNDLE_IDENTIFIER) But I had to remove it because I could not get rid of this error "-i com.sampleapp.app.Python: No such file or directory" Created a python.plist and set it in the Packaging Build Settings section. I set Generate Info.plist File to No In this document: Embedding a command-line tool in a sandboxed app Says: "Add the ToolX executable to that build phase, making sure Code Sign On Copy is checked." But I could not do it to avoid duplicates, since the bundle itself contains the executable too. I'm not sure how to handle this case. Tried to add python3.11 executable in the bundle MacOS folder, but bundle executableURL returned nil and I could not use python from the code. This is how I get Python bundle from code: static var pythonBundle: Bundle? { if let bundlePath = Bundle.main.path(forResource: "Python", ofType: "bundle"), let bundle = Bundle(path: bundlePath) { return bundle } return nil } Created Python.entitlements with the next key-values: <key>com.apple.security.app-sandbox</key> <true/> and it is used in an Archive Post-action of SampleApp, in order to sign the python executable of Python.bundle as follows: codesign --force --options runtime --timestamp --entitlements "$ENTITLEMENTS_PATH" --sign "$DEVELOPER_ID_APPLICATION" "$ARCHIVE_PATH" The reason of using an Archive Post-action is becauses signing from a Python.bundle Build phase was generating errors related to Sandboxing. These are the entitlements to codesign SampleApp: <dict> <key>com.apple.security.app-sandbox</key> <true/> <key>com.apple.security.files.user-selected.read-only</key> <true/> <key>com.apple.security.inherit</key> <true/> </dict> Most probably I was mixing concepts and it seems created some confusion. We would really love to get some advice, Thanks!

I've been successfully notarizing my apps for a year or so now, with intermittent releases every so often, usually succeeding with notarization in a couple of minutes. These apps are all written in Python, but I worked through all the jank required to get them to notarize cleanly a while ago and have no issues since. Today I submitted a couple of builds which have been stuck for hours. They're just "in progress", so no logs I can look at, no emails or anything on my developer account page. How can I begin to debug this? Successfully received submission info createdDate: 2025-06-24T18:43:37.140Z id: 8d1a1ca9-f0ad-426f-a714-89aaf9e01a07 name: pinpal-2025.6.25.for-notarizing.app.zip status: In Progress I should note that in addition to the comment added within 10 minutes of creation of this issue, within the last day, we also have: https://developer.apple.com/forums/thread/789389 https://developer.apple.com/forums/thread/789599 https://developer.apple.com/forums/thread/789995 So it seems pretty likely something is going on on the backend.

Is it possible to directly distribute a macOS app with a Developer ID Certificate that belongs to a different team? I am trying to resolve issues that arise when distributing a macOS app with a Network Extension (Packet Tunnel) outside the App Store using a Developer ID Certificate from a different team than the app’s provisioning profiles and entitlements. I started by attempting Direct Distribution in Xcode with automatic signing. However, it fails with the following message: Provisioning profile "Mac Team Direct Provisioning Profile: ” failed qualification checks: Profile doesn't match the entitlements file's value for the com.apple.developer.networking.networkextension entitlement. I suspect the issue is that the provisioning profile allows "packet-tunnel-provider-systemextension", whereas the entitlements generated by Xcode contain "packet-tunnel-provider". When I manually modify the .entitlements file to include the -systemextension suffix, the project fails to build because Xcode does not recognize the modified entitlement. If there is a workaround for this issue, please let me know. Due to these issues, I resorted to manually creating a signed and notarized app. My process is as follows: Export the .app from the Xcode archive. Since the exported .app does not contain the necessary entitlements or provisioning profile for direct distribution, I replace Contents/embedded.provisioningprofile in both the .app and the .appex network extension. Sign the app and its components in the following order: codesign --force --options runtime --timestamp --sign "Developer ID Application: <name>" <app>.app/Contents/Frameworks/<fw>.framework/ codesign --force --options runtime --timestamp --sign "Developer ID Application: <name>"<app>.app/Contents/PlugIns/<netext>.appex/Contents/Frameworks/<fw>.framework/Versions/A/<fw> codesign --force --options runtime --entitlements dist-vpn.entitlements --timestamp --sign "Developer ID Application: <name>" <app>.app/Contents/PlugIns/<netext>.appex/ codesign --force --options runtime --entitlements dist.entitlements --timestamp --sign "Developer ID Application: <name>" <app>.app Verify the code signature: codesign --verify --deep --strict --verbose=4 <app>.app - <app>.app: valid on disk - <app>.app: satisfies its Designated Requirement Create a ZIP archive using: ditto -c -k --sequesterRsrc --keepParent <app>.app <app>.zip Notarize the app with notarytool and staple it. The notarization completes successfully with errors: nil. Package the notarized app into a DMG, notarize, and staple the DMG. The app runs successfully on the development machine. However, when moved to another machine and placed in /Applications, it fails to open. Inspecting Console.app reveals Gatekeeper is blocking the launch:
 taskgated-helper <bundleid>: Unsatisfied entitlements: com.apple.developer.networking.networkextension, com.apple.developer.team-identifier taskgated-helper entitlements: { "com.apple.developer.networking.networkextension" = ("packet-tunnel-provider-systemextension"); "com.apple.developer.team-identifier" = <teamid>; } As mentioned earlier, the Developer ID Certificate used for signing belongs to a different team. We are a third-party developer and do not have access to the Developer ID Certificate of the team assigned as the team-identifier. When I changed the bundle identifier (app ID), team, entitlements, and provisioning profiles to match the team associated with the Developer ID Certificate, the app worked. My question is:
 Is this failure caused by using a Developer ID Certificate from a different team, or should it still work if the provisioning profiles and entitlements are correctly set? Could there be an issue elsewhere in the provisioning profiles or entitlements for the original app ID?

Hello, We are currently facing an issue with the Apple Notary Service that is completely blocking our production pipeline. For the past three days, every single submission has been stuck in the "In Progress" state indefinitely. Some submissions have been pending for over 48 hours, and none of them ever proceed to analysis. When checking the status via xcrun notarytool history, all entries show "In Progress". Attempting to retrieve logs with xcrun notarytool log always returns: Submission log is not yet available. This strongly suggests that the processing hasn't even started. This issue occurs consistently from my local machine (MacBook Air M3) and Our GitHub Actions CI workflow. Both environments are properly configured with Electron + Electron-Builder, and the app is correctly signed and uploaded each time. We have verified multiple times all credentials and code signing settings, no exceptions so far or problems in the pipeline. Here are a few stuck submission IDs: This is not a normal delay, it looks like a backend issue affecting our account or this specific App ID. Please escalate this case as soon as possible. We appreciate your urgent attention. Best

After I upgraded to macOS 15.3, all of my current Xcode project have the signing issue, I spent half day and I didn't make any progress, I tried two projects, one is Swift AppKit App calling one C++ dylib, another one is a pure Swift AppKit app, when I build, there will be error: Warning: unable to build chain to self-signed root for signer "Apple Development: Steven Tang (XXXXX)" /Volumes/TwoTSSD/steventang/Library/Developer/Xcode/DerivedData/ImageEnhancement-ddbilgyraofrdyfeljyuknusunza/Build/Products/Release/ImageEnhancement.app: errSecInternalComponent I tried remove account, add account back in Xcode, none of it worked, also tried ChatGPT's WWDR updating and it won't help.

I have a macOS app that captures screen images. The first time I run this application, a dialog is shown directing the user to give my app Screen Recording permission. Is there a way I can trigger this dialog earlier and detect whether the permission was granted?

I've tried to notarize my app recently and got the error:{ "logFormatVersion": 1, "jobId": "...", "status": "Rejected", "statusSummary": "Team is not yet configured for notarization", "statusCode": 7000, "archiveFilename": "myapp.dmg", "uploadDate": "2019-06-20T06:24:53Z", "sha256": "...", "ticketContents": null, "issues": null }I've never heard about "team configuration for notarization" previously. What are the steps to resolve that issue?Thanks in advance.