Demystify code signing and its importance in app development. Get help troubleshooting code signing issues and ensure your app is properly signed for distribution.

Post | Replies | Boosts | Views | Activity

Profile doesn't include the com.apple.application-identifier entitlement.
I have tried everything and still I am getting this.

Just for a test I created a new app (Master-Detail template, Xcode 11.5). I have created an entry in the iTunes Connect to receive the app upon archiving and uploading. I regenerated all new certificates for iOS Development and Distribution. I created all new Provisioning profiles.

The Dev profile builds, deploys and runs on my device.
The Dist profile builds, but when I select the distribution profile I get the "Profile doesn't include the com.apple.application-identifier entitlement." error.

When I download the profile within Xcode all looks good for the distribution profile:

App ID: matches correctly
Certificates: 1 Included
  Includes the new signing certificate "iPhone Distribution...."
Capabilities: 3 Included
  Includes Game Center, In-App Purchase, and Keychain Sharing
Entitlements: 5 Included
  Includes application-identifier, keychain-access-groups, beta-reports-active, get-task-allow, and com.apple.developer.team-identifier.

I'm not sure what is going on. This is a standard process I have performed for quite a while. As a matter of fact I just submitted 3 applications last Sunday. Thank you for any suggestions.
Replies: 21 | Boosts: 0 | Views: 11k | Activity: Jun ’20
Cannot add provisioning profile to any devices with Xcode
Hello. I have an iOS app written in Xamarin, but this issue is not related to Xamarin or Visual Studio. I am trying to deploy my Xamarin app onto an iOS device, but I am unable to get the iOS device to install the provisioning profile via Xcode. I work at a company with a decent variety of test devices and the result seems to be the same from iPads to iPods to iPhones of various ages.

I have created a certificate and a provisioning profile. The certificate is associated with the provisioning profile on the developer portal. I have imported the certificate (including private keys) into my login keychain on macOS. I have the .mobileprovision file downloaded to the machine. I am signed into Xcode with my Apple developer account.

In Xcode, I went to Window > Devices and Simulators and selected my device. I right-clicked my device and selected "Show Provisioning Profiles". I clicked the plus and chose my .mobileprovision file. I get the same error on every device:

Failed to install one or more provisioning profiles on the device. Please ensure the provisioning profile is configured for this device. If not, please try to generate a new profile.

This is an incredibly vague and unhelpful error. I'm not really sure what it means by "configured for this device". Not sure where to go from here.
Replies: 7 | Boosts: 5 | Views: 11k | Activity: Jul ’22
Programmatically passing files to Final Cut via Apple Events
We have been trying to programmatically send data to Final Cut Pro by using Apple Events as described in Sending Data Programmatically to Final Cut Pro:

```
tell application "Final Cut Pro"
    activate
    open POSIX file "/Users/JohnDoe/Documents/UberMAM/MyEvents.fcpxml"
end tell
```

This works fine in Script Editor but we run into problems when trying to do the same in our macOS app. We found interesting information in Workflow Extensions SDK 1.0.2 Release Notes.pdf.

A) Hardened runtime has "Apple Events Enabled" checked.

B) Info.plist contains NSAppleEventsUsageDescription:

```
<key>NSAppleEventsUsageDescription</key>
<string>Test string</string>
```

C) We added the following entitlements:

```
<key>com.apple.security.scripting-targets</key>
<dict>
    <key>com.apple.FinalCut</key>
    <array>
        <string>com.apple.FinalCut.library.inspection</string>
    </array>
    <key>com.apple.FinalCutTrial</key>
    <array>
        <string>com.apple.FinalCut.library.inspection</string>
    </array>
</dict>
<key>com.apple.security.automation.apple-events</key>
<true/>
```

With this configuration in place, our app is able to call AppleScript to activate the Final Cut Pro application but it is unable to open the file. The following error is returned:

```
Error executing AppleScript: {
    NSAppleScriptErrorAppName = "Final Cut Pro Trial";
    NSAppleScriptErrorBriefMessage = "A privilege violation occurred.";
    NSAppleScriptErrorMessage = "Final Cut Pro Trial got an error: A privilege violation occurred.";
    NSAppleScriptErrorNumber = "-10004";
    NSAppleScriptErrorRange = "NSRange: {56, 64}";
}
```

Also there is no prompt asking the user to allow Automation from our app to Final Cut. I am not sure whether the prompt is to be expected when developing an application in Xcode.

Our current workaround is to add (or even replace com.apple.security.scripting-targets with) the com.apple.security.temporary-exception.apple-events entitlement like this:

```
<key>com.apple.security.temporary-exception.apple-events</key>
<array>
    <key>com.apple.FinalCutTrial</key>
</array>
```

However, while this approach might work in development, we know this would probably prevent us from publishing the app to the Mac App Store. I think we are missing something obvious. Could you help? :-)
Replies: 10 | Boosts: 0 | Views: 582 | Activity: May ’24
security set-key-partition-list valid values
Hi Devs,

I have a question concerning the security set-key-partition-list -S command. I want to use it to enable a code signing certificate being used by codesign and productbuild to sign without sudo or a password prompt. Some sources indicate I need to add codesign: as partition but some don't even mention this.

So my question is: what partitions are even possible to add? What do partitions in this context mean? How can I find out which I need for productbuild and codesign?

Thanks in advance
Paul
Replies: 1 | Boosts: 1 | Views: 464 | Activity: May ’24
run command line tool with associated dylib
I've been given an Xcode project which produces a command line tool which links to a dylib. I have the dylib, but not its source code.

I change the signing option for the command line tool target so it is signed automatically by my personal team. On an attempt to run the tool, it fails to load the dylib, because the dylib is signed with a different certificate.

I manually codesign the dylib with the same certificate I am using for the command line app. Now, I can build the app, but not run it. If I try to do so, I see four dialogs telling me “libXXX.dylib” can’t be opened because Apple cannot check it for malicious software, then the console tells me "'/path/to/libXXX.dylib' not valid for use in process: library load disallowed by system policy)"

I found an old document about Gatekeeper (https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html) which suggests that Gatekeeper just won't let me do this - I can't just put the dylib next to the executable, although the dynamic linker finds the dylib, Gatekeeper doesn't like it because the dylib isn't inside the app bundle (there is none), and isn't in one of the well-known places.

I dealt with this by making a do-nothing app which I can sign with my personal certificate. Then I replace the signature on the dylib (and its dependent dylibs) with my own. I add the command line tool and all its dylib dependencies to the do-nothing app, then add those files into the Copy Bundle Resources phase of the do-nothing app. Now, the command line tool and its dylibs all live in do-nothing.app/Contents/Resources, and I can run the tool from there without Gatekeeper complaining.

Is there an easier way (aside from asking my supplier for static libraries)? And if this is the only way, is Contents/Resources the right place to put command line tools and the dylibs they link to?
Replies: 5 | Boosts: 0 | Views: 637 | Activity: May ’24
How to make CI build with Xcode project with automatic signing?
We have an iOS project that is configured with automatically managed signing. We cannot get automatic signing to work on our CI (GitHub Actions). To even get xcodebuild to archive we have to force it to not sign at all:

```
xcrun xcodebuild \
  -workspace app.xcworkspace \
  -scheme prod \
  -configuration 'Release' \
  -destination generic/platform=iOS \
  -archivePath ./build/prod.xcarchive \
  CODE_SIGN_IDENTITY="" \
  CODE_SIGNING_REQUIRED=NO \
  CODE_SIGNING_ALLOWED=NO \
  clean archive
```

All our attempts to make xcodebuild archive do manual signing have failed. In order to have the app properly signed with the right entitlements we then call codesign:

```
codesign -f \
  -s Distribution \
  --entitlements prod.entitlements \
  ./build/prod.xcarchive/Products/Applications/prod.app
```

Then we export the ipa:

```
xcrun xcodebuild \
  -exportArchive \
  -archivePath ./build \
  -exportOptionsPlist exportOptions.plist \
  -exportPath ./build
```

This seems to work so my question is: Is it supported to do manual signing this way? Is there a better way? If we omit the codesign step, the app will still be signed - by exportArchive we assume, but then the entitlements are missing.
Replies: 2 | Boosts: 0 | Views: 508 | Activity: May ’24
profile doesn't support tap to pay iphone
I'm trying to upload my app with Tap to Pay on iPhone functionality. However, I'm getting the error message "Profile doesn't include com.apple.developer.proximity-reader.payment.acceptance entitlement." I've confirmed many times that I have the distribution profile with this capability. Any idea what might be the issue? The development environment works perfectly. Please check my post on the Apple forum: https://forums.developer.apple.com/forums/thread/755736
Replies: 0 | Boosts: 0 | Views: 419 | Activity: May ’24
App Sandbox blocked my launchPath
I need help. When I run the code without a sandbox it works well. However, when I enabled it, it gave me (Thread 3: "launch path not accessible")! How can I fix that?

```
let task = Process()
task.launchPath = "/Users/alielzieny/Documents/TerrierSectraFix/TerrierSectraFix/Frameworks/python3"
task.arguments = ["/Users/alielzieny/Documents/TerrierSectraFix/TerrierSectraFix/SectraFix.py", selectedDirectoryURL.path, destinationDirectoryURL.path]

let pipe = Pipe()
task.standardOutput = pipe
task.launch()
task.waitUntilExit()

let data = pipe.fileHandleForReading.readDataToEndOfFile()
if let output = String(data: data, encoding: .utf8) {
    print(output)
}
```
Replies: 1 | Boosts: 1 | Views: 466 | Activity: May ’24
About ITMS-91065
In order to facilitate management, we integrate some SDKs such as Firebase into one of our own internally used SDKs. Recently, when submitted to the App Store, we were prompted that FirebaseCrashing included in the SDK lacked the necessary signature (ITMS-91065). The information that can be confirmed is that after packaging the SDK through secondary packaging, the original signature is lost. And we have a static reference.

So what I want to ask is whether we can only manually sign our secondary packaging SDK (the signature is our own certificate, different from the original Firebase) to solve this ITMS-91065 problem.

According to the description of the Apple Developer Conference, Apple only verifies the consistency and security of the SDK and does not record the signature of each SDK on Apple's servers. Therefore, you should only need to ensure that the SDK is in a signed state to comply with Apple's review requirements. (My guess is still being verified)
Replies: 2 | Boosts: 0 | Views: 789 | Activity: May ’24
Python app keeps failing notarytool
Hi! I am fairly new to Mac/Python development. I have written a Python script that includes the lovely customTkinter library. The app works, I have checked it extensively, but after creating an executable with both Pyinstaller and Py2app, my app keeps failing notarization. I have the developer account, I have the Developer ID application: Name (xxxxxxxxxx).

In my last attempt with py2app, I try to codesign the .app bundle with:

```
codesign --deep --force --verbose --options=runtime --timestamp --sign "Developer ID Application: Lennert Esser (5823RMSZ52)" XYZ\ 2\ OSC.app
```

If I do that, I receive a clean message that

```
XYZ 2 OSC.app: signed app bundle with Mach-O universal (x86_64 arm64) [com.myname.appname.app]
```

The verify of the code signature gives nice messages as well:

```
--prepared:/Users/lennert/Documents/SoftwareDevelopment/PythonLocal/Pozyx/dist/XYZ 2 OSC.app/Contents/MacOS/python
--validated:/Users/lennert/Documents/SoftwareDevelopment/PythonLocal/Pozyx/dist/XYZ 2 OSC.app/Contents/MacOS/python
....
XYZ 2 OSC.app: valid on disk
XYZ 2 OSC.app: satisfies its Designated Requirement
```

So I would say, so far so good...? BUT.... if I try to notarize my archived .app bundle, the notarization fails, with looadddssss of errors, with both: "The signature does not include a secure timestamp." and "The binary is not signed with a valid Developer ID certificate."

I am completely stuck. Believe me, I have tried everything. Google, ChatGPT, multiple tries to codesign everything separately with:

```
find /path/to/my/app/contents -type f -exec codesign -s "Developer ID application: Name (xxxxxxxxxx)" {} \;
```

Please, please someone help me explain what I am doing wrong....
Replies: 3 | Boosts: 0 | Views: 429 | Activity: May ’24
"Invalid Bundle. The bundle <bundle name> does not support the minimum OS Version specified in the Info.plist"
I have been working with a framework to add multiplayer support to my app. The app runs on test devices, simulators, and archives perfectly fine and the app is fine without the framework. But when I go to distribute the app, I get this error related to the multiplayer framework I have added. I have tried updating the minimumOSVersion to 9.0, 10.0, 12.0, and 13.0 everywhere (info.plist, deployment info, build settings, etc) and they all match with each build/archive but no matter what I can't fix this error. This error only shows up when I go to distribute the app to the store. Any ideas on what to try or how to fix this issue? I've attached a screenshot of the issue below.
Replies: 10 | Boosts: 3 | Views: 12k | Activity: May ’22
Notary tool returns status: Invalid
I am pretty much at a loss here... In the past I used altool which worked. Not sure if related though, been a while since. But the same build script I use, just replaced altool with notarytool.

I first codesign:

```
MYNAME@MYMACNAME ~ % codesign --verbose --force --options runtime --timestamp --sign "COMPANYSIGN" "/Volumes/DiskW/projects-cool-MYNAME/MYPRODPATH/osx/final_MYPRODNAME-dist/mac-MYPRODNAME-files/MYPRODNAME.app"
/Volumes/DiskW/projects-cool-MYNAME/MYPRODPATH/osx/final_MYPRODNAME-dist/mac-MYPRODNAME-files/MYPRODNAME.app: replacing existing signature
/Volumes/DiskW/projects-cool-MYNAME/MYPRODPATH/osx/final_MYPRODNAME-dist/mac-MYPRODNAME-files/MYPRODNAME.app: signed app bundle with Mach-O thin (x86_64) [com.MYCOMPANY.MYPRODNAME]
MYNAME@MYMACNAME ~ %
```

Then display entitlements:

```
MYNAME@MYMACNAME ~ % codesign --verbose --display --entitlements :- "/Volumes/DiskW/projects-cool-MYNAME/MYPRODPATH/osx/final_MYPRODNAME-dist/mac-MYPRODNAME-files/MYPRODNAME.app"
Executable=/Volumes/DiskW/projects-cool-MYNAME/MYPRODPATH/osx/final_MYPRODNAME-dist/mac-MYPRODNAME-files/MYPRODNAME.app/Contents/MacOS/MYPRODNAME
Identifier=com.MYCOMPANY.MYPRODNAME
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=127176 flags=0x10000(runtime) hashes=3967+3 location=embedded
Signature size=9057
Timestamp=16 May 2024 at 11.49.11
Info.plist entries=17
TeamIdentifier=MYTEAMID
Runtime Version=10.16.0
Sealed Resources version=2 rules=13 files=279
Internal requirements count=1 size=188
MYNAME@MYMACNAME ~ %
```

Then I try to do notarization (see next post)
Replies: 6 | Boosts: 0 | Views: 543 | Activity: May ’24
WatchOS Siri Capability
Hi, I wanted to use Siri Capability for a WatchOS app, however in Xcode on a WatchOS project, the option to add Siri is not present. In an iOS project this is visible but if you are not part of the ADP or ADEP you do not have access to it; this message appears in red if you try to select it as a personal team. I am considering paying to join the ADP but I am unsure if it will unlock the ability to use Siri capability on WatchOS. It looks like it is completely unsupported as it cannot even be selected from the capabilities section in Xcode, even though Apple states it is supported under ADP and ADEP on their website. I am a little confused. Does anyone else have this issue, or is Siri present under capabilities for you in a WatchOS project?
Replies: 0 | Boosts: 0 | Views: 307 | Activity: May ’24
How does one create a provisioning profile for embedded DEXT for iPhoneOS that is signed with a distribution cert?
I've been developing a solution that has an embedded USB driver. I can build and run my solution just fine but I cannot pass verification for uploading to App Store Connect and TestFlight.

The problem is that the provisioning profile I am using (for development) does not have the explicit Vendor ID (idVendor) but is using the development value of asterisk "*". I've created a release version of my entitlements file with the proper Vendor ID and I have a distribution certificate for iOS. Further, I've created a provisioning profile for app-store distribution (not development) and imported it via Xcode. When I select this provisioning profile, I get the following errors from Xcode:

Xcode 14 and later requires a DriverKit development profile enabled for iOS and macOS. Visit the developer website to create or download a DriverKit profile.

Provisioning profile "MyProvisioningProfile - App Store" doesn't match the entitlements file's value for the com.apple.developer.driverkit.transport.usb entitlement.

If I create and use a DriverKit profile, the Xcode UI errors go away on the "Signing & Capabilities" page. However, these profiles seem to be for development only. I then get an error, during compilation, telling me that the app and extension have two different signers, one for development (DEXT) and one for distribution (App).

To sum up, using a DriverKit profile fails during the build process and using a distribution profile is a non-starter for Xcode. I can't even build. What do I need to do to get this to work?
Replies: 2 | Boosts: 0 | Views: 410 | Activity: May ’24
Mobile provision "cannot be copied to this iPad because it cannot be played on this iPad"
Trying to install a mobile provision on my iPad from Windows 10 using iTunes. The error message is as above. I've checked and rechecked the mobile provision. The UUID of my device is contained within my mobile provision. I also tried on macOS with the same error code. I'm not sure what else to try. I tried making a new mobile provision, I tried re-adding my device (which isn't possible since it's just the same UUID as an already existing device). I updated iTunes to the latest version, I've upgraded my iPad OS to the latest version (17.5).
Replies: 2 | Boosts: 0 | Views: 300 | Activity: May ’24
DriverKit: embedded.mobileprofile has the wildcard USB Vendor ID instead of my assigned Vendor ID
I've added my Vendor ID to the appropriate entitlement files but my binary fails validation when trying to upload it to the store for distribution. The embedded.mobileprovision file in the generated archive shows an asterisk instead of my approved Vendor ID. How can I make sure the embedded provisioning file has my Vendor ID?
Replies: 2 | Boosts: 0 | Views: 455 | Activity: May ’24
An App ID with Identifier 'de.{domain}.app' is not available. Please enter a different string
Hi, I am trying to create a new Identifier for my app. When I write down the Bundle ID I am getting this popup:

An attribute in the provided entity has invalid value
An App ID with Identifier 'de.{domain}.app' is not available. Please enter a different string.

Can anyone please help? The domain is mine and no apps have been released yet. I can't find a solution for this.
Replies: 1 | Boosts: 0 | Views: 349 | Activity: May ’24
Sign and Notarization succeed, but package and installer is damaged
Hello, I've been trying to update my application for days, tried everything. All my environment is unchanged except the update to the latest Xcode version. I only fixed a bug in my code, and updated my expired certificates with the same IDs. I've also been able to test the app with TestFlight. The app is built successfully, validated, uploaded to the apple connect, submitted for review, accepted and published online on the Mac App Store. I've been able to update the application with the Mac App Store.

Now here is the problem: if I delete the application, and try to reinstall it from the App Store, it says: unable to install, try again later - then the Mac App Store is stuck, I need to quit / restart to be able to try a new install.

I also distribute my application outside of the Mac App Store. I've also signed and notarized my app successfully, with my developer ID certificate. I tried with organizer, and also with xcrun notary on the command line, all is ok, but when I run the exported application, it says that the application is damaged (so right click/open works, and the app works well). The only thing that I can see is this (compared with my previous version):

```
spctl -a -vvv -t install myapp.app
myapp.app: rejected (invalid destination for symbolic link in bundle)
```

I don't have the error on my previous version. I've checked all the links inside the package, I don't see any problem or invalid link (and the app can run perfectly....). I've also checked the logs.json file after the notary result, no problem appears. The whole structure of the application and files inside the .app is exactly the same between the previous version, and the new one with that problem.

Hope that someone could help me to solve this problem :)
Replies: 3 | Boosts: 0 | Views: 457 | Activity: May ’24
How to renew ad-hoc provisioning profile without outage
Hello, we currently have an iOS mobile app using the ad-hoc provisioning profile with a distribution certificate. We are wanting to renew the ad-hoc provisioning profile BEFORE it expires. How do I do this without causing the application to break AND prevent the user from having to re-trust the. Can I simply create a new ad-hoc provisioning profile associated with the old certificate, rebuild the app, and send the link to the user?
Replies: 1 | Boosts: 0 | Views: 447 | Activity: Apr ’24