I have a .NET 6 application that runs in the background. The installer is a .pkg file built using a third-party tool called "Packages". All .dylib and executable files are codesigned before packaging. The resulting .pkg file is notarized. The app uses these entitlements: com.apple.security.cs.allow-jit com.apple.security.cs.allow-unsigned-executable-memory com.apple.security.cs.allow-dyld-environment-variables com.apple.security.cs.disable-library-validation The app is built on a macbook Air 2015 running macOS 12.6 and it works without issues on that machine. On a macbook Pro M3 running macOS 14.6.1 the app fails to run even though the installation itself is successful. The only logs that I was able to find are related to syspolicyd (4 warnings): Unable to apply protection to app: 45, PST: (vuid: A78FF6C2-08D5-4DCC-B946-8836251AA0E7), (objid: 1873967), (team: (null)), (id: (null)), (bundle_id: (null)) Failed to register app bundle for protection: 45, PST: (vuid: A78FF6C2-08D5-4DCC-B946-8836251AA0E7), (objid: 1873967), (team: (null)), (id: (null)), (bundle_id: (null)) scan failed, finishing evaluation : PST: (vuid: A78FF6C2-08D5-4DCC-B946-8836251AA0E7), (objid: 1873967), (team: (null)), (id: (null)), (bundle_id: (null)) Terminating process due to Gatekeeper rejection: 95158, Unfortunately, verification commands such as sudo codesign --verify --deep --strict -vvv MyApplication.App spctl -a -vvv -t install MyApplicationInstaller.pkg do not indicate any issues. Are there any additional steps that need to be performed in order for my app to work properly on newer machines?

I'm currently befuddled by the entire signing and certificate process. I don't understand what I need, what the team admin needs to do, or how to go about doing it so that I can build the project. We've managed to have this working in the past but I guess the system has changed somewhat. Here's what we have going: A Unity project which hasn't changed from a few years ago. I build the project in unity, open the Xcode project and this: There's an issue with the Signing and Capabilities. If I choose automatic setup it shows an error saying that it requires a development team. I had the account admin add my Apple ID to the team so I'm not sure why that's an issue still. Do I need to pay the 99$ to be able to building Xcode? If I try to do it manually I select the provisioning profile that the account admin sent me and it auto selects the team associated with the provisioning profile I guess but then there's no singing certificate. The error says: There is no signing certificate "iOS Development" found. No "iOS Development" signing certificate matching team ID "V7D5YBZRMV" with a private key was found. So, if someone could explain to me like I'm 5 the entire signing and certificate process is and let me know what we're doing wrong with the team/provisioning profile/certificate setup I would be very much appreciative.

During the release of our macOS App, we encountered the following issue: We need to support dynamic code loading of WebAssembly (wasm) inside our App, mainly by loading WebAssembly (wasm) binary modules. We discovered a problem: a wasm file is neither an executable nor a bundle, so it cannot be code-signed. Since our App needs to pass notarization, we have not set the com.apple.security.cs.allow-unsigned-executable-memory entitlement. Without setting com.apple.security.cs.allow-unsigned-executable-memory, loading a wasm module results in an “unsigned code” error that causes the process to crash. Could you please advise on what we should do to avoid this problem? Is it possible to apply for a special entitlement to allow com.apple.security.cs.allow-unsigned-executable-memory?

Hello, We are experiencing an issue with the notarization queue and would appreciate your assistance. A few days ago, we helped another team submit their app for notarization. However, that submission has been stuck in the “In Progress” state for about three days now. Unfortunately, this also seems to have caused our own team’s notarization requests to get stuck as well. We ran the following command to review the submission history: xcrun notarytool history --apple-id "xxx" --team-id "xxx" --password "xxx" Successfully received submission history. Partial results: id: 0bafa66f-4f47-4327-811f-a05481be5d0b status: In Progress id: 2d00b75a-a17a-44fc-afa1-71e0e39ec2cd status: In Progress It appears that one of these belongs to another team’s app we helped submit, and the other is our own submission. Both have remained In Progress for several days, and we are now unable to proceed with any new notarization requests. Could you please help us clear or reset the stuck notarization queue so we can continue our submissions? Thank you very much for your help!

Hi, I developed a Flutter app that works well in the iOS simulator, but that fails to deploy on my physical iPhone 13 Pro Max. Here is the error I get: Target debug_unpack_ios failed: Exception: Failed to codesign /Users//Library/Developer/Xcode/DerivedData/Runner-/Build/Products/Debug-iphoneos/Flutter.framework/Flutter with identity I've followed all the instructions that I found online, like moving my project from cloud storage to my local hard drive, but nothing has worked. Thank you so much for your help!

Hello, I've been developing a mac app built with Electron Builder. In August, I was successfully notarizing my app and able to send it to testers without them receiving a malware warning. I took a two month break. When I came back in October, I am not able to distribute my app without the malware warning. I can't for the life of me figure out what I could be missing, unless my developer account was flagged by Apple for some reason. All the diagnostics I run on my app package show that it is properly signed, notarized, and stapled. Here are some diagnostics I have run on the app: Command: codesign -dv --verbose=4 "/Volumes/Form Desktop 1/Form.app" Output: Executable=/Volumes/Form Desktop 1/Form.app/Contents/MacOS/Form Identifier=co.Form.desktop Format=app bundle with Mach-O thin (arm64) CodeDirectory v=20500 size=763 flags=0x10000(runtime) hashes=13+7 location=embedded VersionPlatform=1 VersionMin=720896 VersionSDK=917504 Hash type=sha256 size=32 CandidateCDHash sha256=cedcaef933c003c01b4d9ef6925a413fe6b4a585 CandidateCDHashFull sha256=cedcaef933c003c01b4d9ef6925a413fe6b4a585bf61e19751e8158775600b00 Hash choices=sha256 CMSDigest=cedcaef933c003c01b4d9ef6925a413fe6b4a585bf61e19751e8158775600b00 CMSDigestType=2 Executable Segment base=0 Executable Segment limit=16384 Executable Segment flags=0x1 Page size=4096 CDHash=cedcaef933c003c01b4d9ef6925a413fe6b4a585 Signature size=8973 Authority=Developer ID Application: Jacob LEELAND (92D98F49FU) Authority=Developer ID Certification Authority Authority=Apple Root CA Timestamp=Nov 14, 2025 at 8:25:09 PM Notarization Ticket=stapled Info.plist entries=30 TeamIdentifier=92D98F49FU Runtime Version=14.0.0 Sealed Resources version=2 rules=13 files=35090 Internal requirements count=1 size=176 RESULT: ✅ SIGNED WITH DEVELOPER ID ✅ NOTARIZATION TICKET STAPLED ✅ HARDENED RUNTIME ENABLED ---------------------------------------------------------------- Command: spctl --assess --verbose=4 --type execute "/Volumes/Form Desktop 1/Form.app" Output: /Volumes/Form Desktop 1/Form.app: accepted source=Notarized Developer ID RESULT: ✅ GATEKEEPER ACCEPTS APPLICATION ---------------------------------------------------------------- Command: xattr -l "/Volumes/Form Desktop 1/Form.app" Output: (No extended attributes) ---------------------------------------------------------------- Command: stapler validate "/Volumes/Form Desktop 1/Form.app" Output: Processing: /Volumes/Form Desktop 1/Form.app The validate action worked! RESULT: ✅ NOTARIZATION TICKET VALID [signing-verification-report.txt](https://developer.apple.com/forums/content/attachment/45b41936-6e7a-4f4f-8e80-bc1e3136c84e) code-block I have attached a more complete diagnostic text file as well. I have tried notarizing the .dmg in addition to the app bundle, but no combination seems to work as far as I can tell. I appreciate any help or point in the right direction. I've wasted many days of development time on this, lol.

Hello, I'm developing a feature for my app, that allows users to challenge their friends. The friend request functionality is built using Universal Links, but I've run into a significant issue. The Universal Links are correctly deep-linking into the app. However, once the app opens, nothing happens—the friend request acceptance or rejection flow does not occur. This prevents users from completing friend requests and building their friend list. Here are examples of the Universal Links I'm generating: https://www.strike-force.app/invite?type=invite&userID=... https://www.strike-force.app/invite?type=invite&friendRequestID=... https://www.strike-force.app/profile?userID=... I've recently updated my cloudflare-worker.js to serve a paths array of ["*"] in the AASA file, so I believe the links themselves should be valid. Technical Details & Error Logs In the console, I am consistently seeing the following error message: Cannot issue sandbox extension for URL:https://www.strike-force.app/invite?token=7EF1E439-090B-4DF2-BE64-9904F50A3F8B Received port for identifier response: <(null)> with error:Error Domain=RBSServiceErrorDomain Code=1 "Client not entitled" UserInfo={RBSEntitlement=com.apple.runningboard.process-state, NSLocalizedFailureReason=Client not entitled, RBSPermanent=false} elapsedCPUTimeForFrontBoard couldn't generate a task port This error appears to be related to entitlements and process state, but I am not sure if it's the root cause of the Universal Link issue or a separate problem. The 'Client not entitled' error on line 3 has had me chasing down entitlements issues. But, I've added the Associated Domains entitlement with the proper applink URLs and verified this in my Developer Portal. I've regenerated my provisioning profile, manually installed it, and selected/de-selected Automatically Manage Signing. As well I've verified my AASA file and it's correctly being served via HTTPS and returning a 200. curl -i https://strike-force.app/.well-known/apple-app-site-association curl -i https://www.strike-force.app/.well-known/apple-app-site-association I am looking for guidance on why the friend request flow is not being triggered after a successful deep-link and how I can fix the related error. Any insights or suggestions would be greatly appreciated.

I had submitted my app for notarization and it shows the below error - "status": "Rejected", "statusSummary": "Team is not yet configured for notarization. Please contact Developer Programs Support at developer.apple.com under the topic Development and Technical / Other Development or Technical Questions.", "statusCode": 7000, I have raised a ticket in the support but no reply yet. Kindly help ASAP

I have a macOS app that captures screen images. The first time I run this application, a dialog is shown directing the user to give my app Screen Recording permission. Is there a way I can trigger this dialog earlier and detect whether the permission was granted?

My app has been attempting to notarize for almost 3 hours now. The status page shows everything is ok: https://developer.apple.com/system-status/ Anyone else experiencing this? Anything I can do to expedite the process? xcrun notarytool history Successfully received submission history. history -------------------------------------------------- createdDate: 2024-12-29T01:20:45.358Z id: 449ebcdd-60eb-41e3-87a7-8107fe6276c3 name: Scourhead.zip status: In Progress -------------------------------------------------- createdDate: 2024-12-29T00:51:10.641Z id: 0054eebd-ddcc-4eb3-928f-86ce2182dbfe name: Scourhead.zip status: In Progress

Is it possible to have some additional content at Versions/A/ in a macOS Framework bundle that is not in any of the standard folders? Will there be any side-effects during signing and notarization? The reason is it'd be a lot easier in my use case to be able to put content here instead of the Resources folder.

Hello Engineers My app was rejected with the message below, BUT I don't have this entitlements in my project! I already removed all Xcode files under ${HOME}/Developer/Xcode, but the problem still alive! Guideline 2.4.5(i) - Performance In order to continue reviewing your app, we require additional information. Your app uses one or more entitlements which do not appear to have matching functionality within the app. Please reply to this message in App Store Connect and describe how and where the app uses the following entitlements. You will not need to upload a new binary to provide this information. Apps should have only the minimum set of entitlements necessary for the app to function properly. If there are entitlements that are not needed, please remove them and submit an updated binary. You will need to Developer Reject the app to upload an updated version. "com.apple.security.assets.pictures.read-write" "com.apple.security.assets.movies.read-write" "com.apple.security.assets.music.read-write" "com.apple.security.files.downloads.read-write" Here my entitlements: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.security.app-sandbox</key> <true/> <key>com.apple.security.application-groups</key> <array> <string>group.org.eof.apps</string> </array> <key>com.apple.security.files.user-selected.read-write</key> <true/> </dict> </plist> code-block Who or where are these entitlements inserted? Which button should be clicked to deactivate them? Link to my project: DRFXBuilder Regards

I have a mac app which has a launch agent. I signed it with my account, but it always shows as my personal 'XX XXX" in the login items of mac settings. Actually this is the reason I switched my personal account to a company account. But now it is still shown as 'XX XXX' in the login items after I signed up again with this company account. Do you know how I can change this? The identity I also tried to create a new one with the team, but it does not allow me to create a new one. Chatgpt recommends revoking the current one, but this will affect our old release.

I am responsible for the mobile app and thus also of the apple developer and app store connect accounts of a company. An external freelancer developed a software package for us which we aim to offer for installation and use on macOS systems of our customers; distributed exclusively outside of the Apple App Store. The software package has nothing to do with the mobile app. MacOS' Gatekeeper currently warns or even prevents our customers regarding the installation of the package on their device; pretty much as described here: https://developer.apple.com/developer-id/. According to a previous talk with Apple's Support, the software package (.app) the Freelancer developed must be signed with one of our own certificates. As we cannot grant selective app store connect access to third persons (only for the concerned certificates), we prefer to not provide access to our entire apple developer account to the freelancer, for the sole reason of the certificate & signing process. According to previous attempts with Apples' support regarding the most feasible solution in this case, they recommended me to manage the signing of the package of the freelancer, and simply request the package from the freelancer. I've thus generated an according Developer ID Certificate, but regarding the signing process, I'm confused. I know how signing works with mobile apps in XCode, but regarding software that is not distributed throughout the App Store on macOS, I'm unsure about the process. Also, as far as I know, the entitlements of the application are involved in the signing process. So my concern is that simply having the software package (.app) from the freelancer is not really enough to complete the signing + notarization process? Won't I need further information about the app's entitlements etc.? I would like to have a clear solution about the procedure that is required in these cases, as online documentations and / or forums as well as previous talks with your non-technical support from Apple did not resolve the issue.

I've successfully distributed a Java-based app .dmg from my intel iMac, but am trying to port over the signing authority ( Certificate and Identity) to an M2. I'm following the "backup your Identities" recipe to make a .p12 file, but I can't complete the Export. The .p12 file format option is greyed out (while .pem and .cer are offered). What could be causing this? I can sign my .dmg installers from this computer, so codesign is happy with what it is seeing in the Keychain.

I’m facing an issue with my macOS app after code signing and notarization. The app is signed with my Developer ID and notarized using xcrun notarytool. Everything works fine on the machine where the signing was done — Gatekeeper accepts it, no warning appears, and codesign/spctl checks pass. However, when running the same .app on other Macs, users receive a Gatekeeper warning saying the app is "malicious software and cannot be opened". The signature is valid and the notarization log shows status: Accepted. What I've tried: Verified signature with codesign --verify --deep --strict --verbose=2 Checked notarization status via xcrun notarytool log Assessed Gatekeeper trust with spctl --assess --type execute Everything passes successfully on the development machine. Why would the app be treated as malicious on other systems even after notarization? I'm happy to share logs and technical details if needed.

The problem is described in full with log output in #16844 We are having an issue with TCC prompting users for access to the app group container despite signing with entitlements following all guidelines. This is a regression from the Feb 2025 Changes discussed in App Groups: macOS vs iOS: Working Towards Harmony The problem can only be reproduced with Xcode 16.0 and later. The entitlements for the app include access for the group container with [Key] com.apple.security.application-groups [Value] [Array] [String] G69SCX94XU.duck The documentation notes the group name can be arbitrary, e.g. <team identifier>.<group name>. Cyberduck uses G69SCX94XU.duck by default. Interestingly enough the alert is not shown when a group name matching the bundle identifier is used, e.g. G69SCX94XU.ch.sudo.cyberduck.

Hi guys, New to publishing apps on Apple Store. I encounter some notarization error before and resolved it in this post. By solving the previous issue, I updated the Trust setting from "Always Trust" to "Use System Defaults" for Apple certificates. The codesign and notarization no longer give me any problem. But now, I encountered another issue. When I ran the .app on my local Macbook, it now gives me "zsh: trace trap" error. Dive a little further and check the crash report, I found the some details as following. Process: my_app [30652] Path: /Users/USER/my_app_path Identifier: my_app Version: 0.0.0 (???) Code Type: ARM-64 (Native) Parent Process: launchd [1] User ID: 501 Date/Time: 2025-07-15 14:57:58.9874 -0400 OS Version: macOS 15.5 (24F74) Report Version: 12 Anonymous UUID: 2335F0B6-A26E-6446-6074-0FCE620C4B6A Time Awake Since Boot: 6000 seconds System Integrity Protection: enabled Crashed Thread: 0 Dispatch queue: com.apple.main-thread Exception Type: EXC_BAD_ACCESS (SIGKILL (Code Signature Invalid)) Exception Codes: UNKNOWN_0x32 at 0x00000001064b4000 Exception Codes: 0x0000000000000032, 0x00000001064b4000 Termination Reason: Namespace CODESIGNING, Code 2 Invalid Page VM Region Info: 0x1064b4000 is in 0x1064b4000-0x1064b8000; bytes after start: 0 bytes before end: 16383 REGION TYPE START - END [ VSIZE] PRT/MAX SHRMOD REGION DETAIL mapped file 1064ac000-1064b4000 [ 32K] r-x/rwx SM=COW Object_id=d2a02fbf ---> VM_ALLOCATE 1064b4000-1064b8000 [ 16K] r-x/rwx SM=PRV __TEXT 1064b8000-1068a4000 [ 4016K] r-x/rwx SM=COW my_app.app/Contents/Frameworks/Python.framework/Versions/3.12/Python I can tell it's about codesign and signature invalid. I have tried to rebuild, re-codesign and re-notarize. But the error still persists. Could someone help me? Thanks!

I am building an application using .NET and Avalonia UI. The application is cross-platform. One of the tasks of the application is to coordinate data collection that is then routed into a Docker container for analysis. Everything works as expected in Windows. Everything works as expected in macOS on the development workstation and before packaging. After I package/codesign into a hardened runtime, I start seeing crashes at the moment when I try to execute the system calls to Docker. I am reasonably confident that this has something to do with an entitlement flag or some other permissions issue. I have been trying to sort this on my own for a while. I am only hoping someone can nudge me in the right direction. Thanks, Kevin

I'm building a custom macOS installer for my software, primarily using the builtin tools of codesign, pkgbuild, productbuild and xcrun. My product consist of a list of plugins and a CEP extension for the Adobe After Effect app. All of my bundles and binaries are properly signed using a trusted Apple Developer certificate I've generated, of type Developer ID Application. My installer is a "distribution" pkg, and has this structure(expanding it using pkgutil --expand): SceneTools-3.4.4-osx-installer ├── Distribution ├── miscellaneous.pkg ├── plugins.aftereffects2022.pkg ├── plugins.aftereffects2023.pkg ├── plugins.aftereffects2024.pkg ├── plugins.aftereffects2025.pkg ├── preinstall.pkg ├── Resources ├── scenebuilder.pkg └── uninstaller.pkg Each "child" pkg would install parts of my product in different locations in the target macOS disk(this is why I'm using that kind of style of building the custom installer). Signing each and every bundle or binary of my product, signing the "child" pkg's, then notarizing them works well with no issues, in addition signing the "final" "distribution" using productbuild --sign option also works well, but when trying to notarize the "final" pkg, the notary service fails with this error: { "logFormatVersion": 1, "jobId": "5fb38df9-ef97-4bd3-955e-7783c37ac4a8", "status": "Invalid", "statusSummary": "Archive contains critical validation errors", "statusCode": 4000, "archiveFilename": "SceneTools-3.4.4-osx-installer.pkg", "uploadDate": "2025-06-26T14:14:41.507Z", "sha256": "621de5d887b06ad11214255c6e91ebd9eeffb18ad8f940365f4539bd1902fe9a", "ticketContents": null, "issues": [ { "severity": "error", "code": null, "path": "SceneTools-3.4.4-osx-installer.pkg", "message": "Package SceneTools-3.4.4-osx-installer.pkg has no signed executables or bundles. No tickets can be generated.", "docUrl": null, "architecture": null }, { "severity": "warning", "code": null, "path": "SceneTools-3.4.4-osx-installer.pkg", "message": "The contents of the package at SceneTools-3.4.4-osx-installer.pkg could not be extracted.", "docUrl": null, "architecture": null } ] } My final pkg indeed doesn't contain any bundles or binaries directly, but that's how it should be - a container of "child" pkg. I tried various ways of working-around this issue, like: Notarizing the dmg that contains this final pkg - worked, but when opening the pkg, GateKeeper blocks the users from opening it. Wrapping the pkg inside an .app and notarizing the .app - same as above. What am I doing wrong? Does those kind of pkg like my "final" pkg aren't meant to be notarized? if so - how can I solve this GateKeeper blocks? Should I build my final pkg in a different way?