Hi, the documentation says that an application bundle for Mac OS X can have a Frameworks folder within Contents. Using a framework for console applications (no bundle) and GUI applications (bundle), I cannot load the console applications anymore on Ventura. Prior to Ventora I have tested and ran both on Mojave or earlier - I am not sure. To fix the issue, I have moved the frameworks within the application bundle to match the rpath for /Users/lothar/Library/Frameworks when I place the console into /Users/lothar/bin, the same rpath for application bundles works for those within the bin folder. Can I publish an application bundle with that modified layout or do I have to expect getting problems and do rather a Symlink pointing from /Users/lothar/Frameworks to /Users/lothar/Library/Frameworks? Thanks, Lothar

There does not seem to be a way to code sign a PAM module so that an XPC service can verify the signature with setCodeSigningRequirement. There should be a way to build a PAM module (dynamic Library ) so it can be code signed. Put in a bundle and code signing the bundle does not work .

We are developing an application for local file discovery and transfer. We applied to Apple for two permissions. One is com.apple.developer.networking.multicast, which supports the four provisioning profiles: Development, Ad hoc, App Store Connect, and Developer ID. The other is com.apple.developer.device-information.user-assigned-device-name, but Apple only approved it for Development and Ad hoc, without granting App Store Connect support. This prevents us from using the user-assigned-device-name permission in the archive. Could you please clarify the situation? How can we get user-assigned-device-name supported for App Store Connect?

We are facing following message "A timestamp was expected but was not found" during codesign for following .dylib and .pkg and it cause notarization process failed. We are facing this issue for last 3 days. we have access for timestamp.apple.com and 17.0.0.0/8 and we didn't change firewall settings. We are facing this issue randomly and not for all time(scenario is 3:1). We tried the below command to sign the package, codesign --verbose --deep --force --timestamp --options=runtime --sign "" Kindly let us know how to fix this probelm. traceroute timestamp.apple.com traceroute to timestamp.v.aaplimg.com (17.157.80.35), 64 hops max, 52 byte packets .... 10 17.0.9.19 (17.0.9.19) 185.693 ms 17.0.9.17 (17.0.9.17) 180.932 ms 189.060 ms 11 * * * 12 17.0.17.141 (17.0.17.141) 191.513 ms * 17.0.17.137 (17.0.17.137) 183.086 ms 13 * * * 14 * * *

Hello Apple Community, many thanks in advance for your help. My macOS app embeds a Python interpreter, compiled from source, including the Python executable and its associated libraries. The top-level app is built with Xcode 16.1 and it's written 100% in Swift6. For test purposes we are running the app on MacOS Sequoia 15.0, 15.1 and Sonoma 14.4. The app can be downloaded via TestFlight and Console app shows the next errors: Crash Reports python3.11 Application Specific Signatures: Unable to get bundle identifier for container id python3: Unable to get bundle identifier because Info.plist from code signature information has no value for kCFBundleIdentifierKey. tccd process error Prompting policy for hardened runtime; service: kTCCServiceAppleEvents requires entitlement com.apple.security.automation.apple-events but it is missing for accessing={TCCDProcess: identifier=[IDENTIFIER]], pid=62822, auid=502, euid=502, binary_path=[PATH TO SAMPLEAPP]]}, requesting={TCCDProcess: identifier=com.apple.appleeventsd, pid=577, auid=55, euid=55, binary_path=/System/Library/CoreServices/appleeventsd}, The next documents were helping a lot to reach the current state althought sometimes I was not sure how to apply them in this python interpreter context: Signing a daemon with a restricted entitlement Embedding a command-line tool in a sandboxed app XPC Rendezvous, com.apple.security.inherit and LaunchAgent Placing content in a bundle There are a lot of details that I will try to explain in the next lines. Once archived the app, it looks like this: SampleApp.app SampleApp.app/Contents SampleApp.app/Contents/Info.plist SampleApp.app/Contents/MacOS SampleApp.app/Contents/MacOS/SampleApp SampleApp.app/Contents/Resources SampleApp.app/Contents/Resources/Python.bundle And this is how Python.bundle looks like: Python.bundle/Contents Python.bundle/Contents/Info.plist Python.bundle/Contents/Resources Python.bundle/Contents/Resources/bin Python.bundle/Contents/Resources/bin/python3.11 <- Python executable Python.bundle/Contents/Resources/lib Python.bundle/Contents/Resources/lib/python3.11 <- Folder with python libraries This is the Info.plist associated with Python.bundle: <dict> <key>CFBundleIdentifier</key> <string>com.sampleapp.app.Python</string> <key>CFBundleName</key> <string>Python</string> <key>CFBundleVersion</key> <string>1.0</string> <key>CFBundlePackageType</key> <string>BNDL</string> </dict> For some reason Bundle Identifier is ignored. Created a Python target and added to the main app, I selected the Bundle template. In Python target I made the next customizations: Enabled the Skip Install (SKIP_INSTALL) build setting. Disabled the Code Signing Inject Base Entitlements Added entitlements com.apple.security.inherit to it, with a Boolean value of true. Tried to set Other Code Signing Flags (OTHER_CODE_SIGN_FLAGS) build setting to: $(inherited) -i $(PRODUCT_BUNDLE_IDENTIFIER) But I had to remove it because I could not get rid of this error "-i com.sampleapp.app.Python: No such file or directory" Created a python.plist and set it in the Packaging Build Settings section. I set Generate Info.plist File to No In this document: Embedding a command-line tool in a sandboxed app Says: "Add the ToolX executable to that build phase, making sure Code Sign On Copy is checked." But I could not do it to avoid duplicates, since the bundle itself contains the executable too. I'm not sure how to handle this case. Tried to add python3.11 executable in the bundle MacOS folder, but bundle executableURL returned nil and I could not use python from the code. This is how I get Python bundle from code: static var pythonBundle: Bundle? { if let bundlePath = Bundle.main.path(forResource: "Python", ofType: "bundle"), let bundle = Bundle(path: bundlePath) { return bundle } return nil } Created Python.entitlements with the next key-values: <key>com.apple.security.app-sandbox</key> <true/> and it is used in an Archive Post-action of SampleApp, in order to sign the python executable of Python.bundle as follows: codesign --force --options runtime --timestamp --entitlements "$ENTITLEMENTS_PATH" --sign "$DEVELOPER_ID_APPLICATION" "$ARCHIVE_PATH" The reason of using an Archive Post-action is becauses signing from a Python.bundle Build phase was generating errors related to Sandboxing. These are the entitlements to codesign SampleApp: <dict> <key>com.apple.security.app-sandbox</key> <true/> <key>com.apple.security.files.user-selected.read-only</key> <true/> <key>com.apple.security.inherit</key> <true/> </dict> Most probably I was mixing concepts and it seems created some confusion. We would really love to get some advice, Thanks!

Hi, I'm looking to update an old build for our app but we can't seem to download the certificate for Xcode. The button seems to be greyed out, not sure what to do to resolve this.

Several hours ago I've uploaded my simple Xcode Storyboard App on Apple Notarization Service. The upload process worked successfully and I could check the notarization status via xcrun notarytool info command. And a few minutes ago, I've met a following error when I execute the xcrun notarytool info command for checking the status of notarization: Error: internalError(statusCode: Optional(500), strData: nil, jsonData: Optional(["statusCode": 500, "errors": <__NSSingleObjectArrayI 0x600001d58ed0>( { code = "UNEXPECTED_ERROR"; detail = "<null>"; id = ISDIE4GVHVXLMO24V7L5LFUHXM; links = "<null>"; status = 500; title = "Uncaught server exception"; } How can I fix this error?

We are developing an application for local file discovery and transfer. We applied to Apple for two permissions. One is com.apple.developer.networking.multicast, which supports the four provisioning profiles: Development, Ad hoc, App Store Connect, and Developer ID. The other is com.apple.developer.device-information.user-assigned-device-name, but Apple only approved it for Development and Ad hoc, without granting App Store Connect support. This prevents us from using the user-assigned-device-name permission in the archive. Could you please clarify the situation? How can we get user-assigned-device-name supported for App Store Connect?

Hi. I'm an iOS developer, We are creating a Automaker Carplay app for an Automaker provider, but we are facing some troubles: Xcode error: Provisioning profile "iOS Team Provisioning Profile: BundleIdentifier" doesn't match the entitlements file's value for the com.apple.developer.carplay-protocols entitlement. We have the entitlements requested and approved by apple, but we cannot deploy the app in real devices. We don't know if we need to do an extra step. Thank you very much.

Hi our team is looking into feasibilities of appending customized data to personalized installer, so that we can make new users onboarding experience better. I did some investigations. Append token data to xattr to a dmg, I went though this smoothly. I can successfully retrieve the data back, and the app can still be launched successfully. Want to make sure this doesn't require the dmg to be re-signed and re-notarized, and I didn't miss any steps in between I created a fake simulation app try to sign and notarize. Signing the dmg seems to be successful, but when I notarize, it gave me back Invalid status. Is there anything wrong? This is the signature: Executable=/Users/myname/myname/poc/MySimulation.dmg Identifier=MySimulation Format=disk image CodeDirectory v=20200 size=304 flags=0x0(none) hashes=1+6 location=embedded Hash type=sha256 size=32 CandidateCDHash sha256=e2a149614f6e0e3939db3a 4c762adda0e8c24 CandidateCDHashFull sha256=e2a149614f6e0e3939db3a3054adda0e8c24f597ddf4c4503cd27fb83821 Hash choices=sha256 CMSDigest=e2a149614f6e0e3939dba3054c62adda0e8c24f597ddf4c4503cd27fb83821 CMSDigestType=2 CDHash=e2a149614f6e0e39393a3054c762adda0e8c24 Signature size=4789 Authority=Apple Development: myId (someId) Authority=Apple Worldwide Developer Relations Certification Authority Authority=Apple Root CA Signed Time=Oct 14, 2024 at 3:46:08 PM Info.plist=not bound TeamIdentifier=W3TC3HXUZC Sealed Resources=none Internal requirements count=1 size=188 Do you have any other recommendations for us to append some data that doesn't break signing / notarization?

App is signed, notarized and stapled, I send that dmg file with file transfer tool, it can open correctly on other mac without any warning or error. However, if I send that dmg file through IM to the same mac, it will produces the "cannot check it for malicious software" error. I check the transfered dmg with spctl -a -t open -vvv --context context:primary-signature MyApp.dmg, it show source=Notarized Developer ID; origin=*** How can I resolve this issue?

We have a native ARM64 application. The application is a development environment and native compiler for the language Common Lisp. CL has a foreign function interface, which allows loading of .dylib files into CL and calling functions in them from CL. For this reason, we add certain entitlements. See below. It is notarized and installed on macOS 14.7. When I run spctl on it I get this: $ spctl --assess -v /Applications/AllegroCL64.app /Applications/AllegroCL64.app: rejected (the code is valid but does not seem to be an app) That’s before I run it. Which is odd because the app is notarized. When I run the app, it asks for a license file and installs it into /Applications/AllegroCL64.app/Contents/Resources/ and after that, the spctl shows this: $ spctl --assess -v /Applications/AllegroCL64.app /Applications/AllegroCL64.app: a sealed resource is missing or invalid I assume the mere act of copying the license (a file called devel.lic which is a small text file) is causing this. Why does it say it “does not seem to be an app”? This self-modification of the files in the Contents/Resources directory is a huge feature. We allow downloading of patches, which add features and fix bugs in the product. Is this going to be a problem, going forward? I don’t remember seeing this result from spctl before and I have a feeling it’s a new , due to tightening of security policies, etc. All of this is quite worrying to us. More details of the app: $ codesign -vvvv mlisp mlisp: valid on disk mlisp: satisfies its Designated Requirement $ codesign -d --entitlements - /Applications/AllegroCL64.app Executable=/Applications/AllegroCL64.app/Contents/MacOS/AllegroCL64 [Dict] [Key] com.apple.security.cs.allow-dyld-environment-variables [Value] [Bool] true [Key] com.apple.security.cs.allow-jit [Value] [Bool] true [Key] com.apple.security.cs.disable-library-validation [Value] [Bool] true [Key] com.apple.security.get-task-allow [Value] [Bool] true $ Other details: The app was built with the Command Line tools version 2395 on macOS 12.x.

I found a post that submitted the same issue, but the solution was not made public. I didn't get a reply to my comment at the bottom of the post, so I'm pasting the content of the post here. I am a developer working on iOS apps. I would like to report an issue occurring in iOS 18 beta and iOS 18.1 beta. Our company has two Enterprise accounts, and we are developing two apps: A app / TeamId: ABCDEFG B app / TeamId: HIJKLMN When we distribute these apps, which have different TeamIds, and install them on a device running iOS 18 beta, both apps install successfully, but only one app will run. (Other app crashed immediately after being launched.) This issue does not occur on versions prior to iOS 18. I would like to know if this is a problem that will be resolved in future updates, or if it is a policy change.

Incremental builds using xcodebuild are very slow, around 3x slower when compared to the same build using Xcode. Recently, I discovered that CODE_SIGNING_ALLOWED=NO" fixed the issue, but of course, I can't then run iOS app. It seems like automatic signing using xcodebuild is somehow broken. Therefore, I think I could set CODE_SIGNING_ALLOWED=NO" and sign it manually later. However, I'm not sure how to do that. I checked what Xcode does and it's: /usr/bin/codesign --force --sign - --entitlements /Users/wkulik/Library/Developer/Xcode/DerivedData/XYZ-hblnhsksxjrctzekqmlevcflnsji/Build/Intermediates.noindex/XYZ.build/Debug-iphonesimulator/XYZ.build/XYZ.app.xcent --timestamp\=none --generate-entitlement-der /Users/wkulik/Library/Developer/Xcode/DerivedData/XYZ-hblnhsksxjrctzekqmlevcflnsji/Build/Products/Debug-iphonesimulator/XYZ.app However, if I run xcodebuild with disabled signing I don't have XYZ.app.xcent required by this command. I also tried: codesign --force --deep --sign "Apple Development: John Snow (XYZ)" /Users/wkulik/Library/Developer/Xcode/DerivedData/XYZ-hblnhsksxjrctzekqmlevcflnsji/Build/Products/Debug-iphonesimulator/XYZ.app but the app immediately terminates (the same way like when unsigned). Could anyone help with that?

Hi, I just updated my machine to macOS 15, and while developing and running my app (with Xcode), I keep getting messages about my app "would like to access data from other apps". This happens even from Xcode Previews, so it's pretty annoying. My production app doesn't seem to be affected by this problem; the system prompt just pops when running the debug version. I came across something about App Groups in macOS and how something has changed in macOS15 regarding system permissions. I use the "group.***" prefix in my macOS app, without the team prefix. Is that the problem here? But why is my production app working fine, but the development app is triggering the prompt repeatedly? Would love any feedback or workarounds. Thanks.

Hello Apple Developer Community, I've been working on notarizing my macOS application, Deep Focus, built using Electron, but I'm encountering persistent issues with binary signatures being reported as invalid during the notarization process. I followed Apple's notarization documentation and ensured that all necessary configurations are in place, but I'm still seeing multiple "Invalid" errors in the notarization log. Here’s the process I've followed so far: 1. System and Tools Setup: macOS version: Apple M1 Pro Sonoma 14.5 macOS SDK: macOS 15.0 Xcode version: Version 16.0 (16A242d) (Using VSCode instead of XCode since this is an Electron /JavaScript project.) Link to source code for inspection 2. Notarization Process: Successfully stored credentials in Keychain using xcrun notarytool store-credentials. Signed all app components, including frameworks, using the command: for framework in "dist/Deep Focus-darwin-arm64/Deep Focus.app/Contents/Frameworks/"*.framework; do codesign --force --deep --options runtime --timestamp --sign "Developer ID Application: Timeo Williams (3Y4F3KTSJA)" "$framework" done Verified that Hardened Runtime is enabled and included the required entitlements. 3. Verification: Checked code signatures with codesign -vvv --deep --strict Deep Focus.app, which returned valid results for all components. Verified the presence of the _CodeSignature directory for each framework and confirmed proper entitlements using: codesign -d --entitlements - Deep Focus.app 4. Notarization Submission Compressed the app into a .zip file and submitted it with xcrun notarytool submit --keychain-profile "notary" --wait. Although the notarization log provided detailed error messages, it still reported the following issues: "The signature of the binary is invalid" for several frameworks, including Electron, ReactiveObjC, and Mantle. { "statusSummary": "Archive contains critical validation errors", "statusCode": 4000, "issues": [ { "path": "Deep Focus.zip/Deep Focus.app/Contents/Frameworks/Electron Framework.framework/Electron Framework", "message": "The signature of the binary is invalid.", "architecture": "arm64" }, ... ] } I've double-checked the signing process and attempted re-signing the frameworks, but the notarization continues to fail due to these invalid signatures. I’m not sure what’s causing the _CodeSignature file to be missing for some frameworks even after signing. [I also installed the Signet app to test verification. My Questions: What could be causing the binary signatures to be reported as invalid during notarization, despite the app satisfying its designated requirements according to codesign? Is there a specific way I should be handling Electron-based apps for macOS notarization that differs from standard macOS apps? Could the issue be related to the use of ARM64 architecture, and are there any additional steps required for signing on ARM-based systems? Are there any known compatibility issues with frameworks like ReactiveObjC, Mantle, or Squirrel that could affect the notarization process? Any guidance or troubleshooting steps would be greatly appreciated. Thank you in advance!

I have a .NET MAUI iOS app where its provisioning profiles at first expired a few days ago. So I created new "Apple Development" and "Apple Distribution" certificates using an existing certificate signing request created on 19 October 2023 at 11:46 AM, included the new certificates in the expired provisioning profiles, regenerated and downloaded the provisioning profiles. In the "bundle signing" section of the "project properties" window of Visual Studio for Mac version 17.6.14 (build 413), I have made the following settings: Configuration: release Platform: any CPU Signing identity is not set to automatic I have selected the correct provisioning profile, but when deploying the app in release mode, the following error message is thrown so the app cannot be deployed to the device: ERROR: Failed to install the app on the device. (com.apple.dt.CoreDeviceError error 3002.) NSURL = file:///Users/intelligenthosting/Desktop/IMA-Attendance-App/maui/maui/bin/Release/net7.0-ios/ios-arm64/maui.app/ ---------------------------------------- Unable to Install ?IMA Attendance? (IXUserPresentableErrorDomain error 14.) NSLocalizedRecoverySuggestion = Failed to install embedded profile for com.imaedu.attendanceapp : 0xe800801f (Attempted to install a Beta profile without the proper entitlement.) NSLocalizedFailureReason = This app cannot be installed because its integrity could not be verified. ---------------------------------------- Failed to install embedded profile for com.imaedu.attendanceapp : 0xe800801f (Attempted to install a Beta profile without the proper entitlement.) (MIInstallerErrorDomain error 13.) SourceFileLine = 308 FunctionName = -[MIInstallableBundle _installEmbeddedProfilesWithError:] LibMISErrorNumber = -402620385 LegacyErrorString = ApplicationVerificationFailed 1%... 2%... 3%... 4%... 5%... 6%... 7%... 8%... 9%... 10%... 11%... 12%... 13%... 14%... 15%... 16%... 18%... 19%... 20%... 21%... 22%... 23%... 24%... 25%... 26%... 27%... 28%... 30%... 31%... 32%... 33%... 34%... 35%... 36%... 37%... 38%... 39%... 40%... 41%... 42%... 43%... 44%... 45%... 46%... 47%... 48%... 49%... 50%... 51%... 52%... 53%... 54%... 55%... 56%... 57%... 59%... 60%... 62%... 66%... 68%... error MT1045: Failed to execute 'devicectl': 'devicectl -j /var/folders/ny/qt1fm9zx063__j1b_nglx8pw0000gn/T/tmpFalYTp.tmp device install app --device "iPad (3)" /Users/intelligenthosting/Desktop/IMA-Attendance-App/maui/maui/bin/Release/net7.0-ios/ios-arm64/maui.app' returned the exit code 1. Application could not be uploaded to the device. What have I done wrong in the above process? What is the most appropriate method to update expired provisioning profiles? Thanks in advance

Hi, When I try to create an App ID for my app, I get the following message: "An App ID with Identifier '' is not available. Please enter a different string. I have not manually created an App ID under my team with this bundle identifier. I have 'Automatic Signing' checked in Xcode but am unable to upload or register an app with the same bundler Identifier through Xcode as well. I am not a member of any other team so this bundle identifier should be unique and should not have been used before. Would appreciate any help. Thanks.

I have an App in production and want to add new capabilities to the app. Will adding additional capabilities cause the production App to break?

I need to get the distribution certificate SHA-1 and public key in order to apply an official filing, but the certificate in deveoper account page is not downloadble. could someone help me on this? how to download certicate or to get SHA-1 and pubkey of the cert? thanks.