Demystify code signing and its importance in app development. Get help troubleshooting code signing issues and ensure your app is properly signed for distribution.

Post

Replies

Boosts

Views

Activity

Invalid Signature. Code failed to satisfy specified code requirement(s).
Hello Apple team,

We're having a problem submitting one of our apps to TestFlight via Xcode Cloud. We have over 10 apps with the same codebase and all of them build successfully. However, one application fails to build in Xcode Cloud, although there is no problem with manual build. We would appreciate your help in resolving this situation. Can you please help us resolve this issue? We are ready to provide additional information or logs to clarify the causes of the error.

Sincerely, Anton Babich

Xcode Cloud Archive - iOS encountered a failure that caused the build to fail.

Prepare Build for App Store Connect
Invalid Signature. Code failed to satisfy specified code requirement(s). The file at path “moBiel Live.app/Frameworks/grpcpp.framework/grpcpp” is not properly signed. Make sure you have signed your application with a distribution certificate, not an ad hoc certificate or a development certificate. Verify that the code signing settings in Xcode are correct at the target level (which override any values at the project level). Additionally, make sure the bundle you are uploading was built using a Release target in Xcode, not a Simulator target. If you are certain your code signing settings are correct, choose “Clean All” in Xcode, delete the “build” directory in the Finder, and rebuild your release target. For more information, please consult https://developer.apple.com/support/code-signing.

Prepare Build for App Store Connect
Invalid Signature. Code failed to satisfy specified code requirement(s). The file at path “moBiel Live.app/Frameworks/Braintree.framework/Braintree” is not properly signed. Make sure you have signed your application with a distribution certificate, not an ad hoc certificate or a development certificate. Verify that the code signing settings in Xcode are correct at the target level (which override any values at the project level). Additionally, make sure the bundle you are uploading was built using a Release target in Xcode, not a Simulator target. If you are certain your code signing settings are correct, choose “Clean All” in Xcode, delete the “build” directory in the Finder, and rebuild your release target. For more information, please consult https://developer.apple.com/support/code-signing.
5
2
2.3k
Jul ’23
Xcode Cloud Issues within certificate signing
Hello, I am attempting to use Xcode Cloud to build my application (specifically running the 'xcode archive' command); however, I have been running into an issue relating to certificate signing. All the questions/documentation surrounding this issue seem to be related to local builds. For the project, I'm using automatic signing with my org as the 'Team' without a Provisioning Profile. I have 'Apple Development' set as the 'Code Signing Identity' with 'Code Signing Style' set to 'Automatic'. The error I'm getting:

No signing certificate "iOS Development" found: No "iOS Development" signing certificate matching team ID "<TEAM_ID>" with a private key was found. (in target '<PROJECT_NAME>' from project '<PROJECT_NAME>')

Any help would be greatly appreciated. Thanks!
4
2
1.2k
Jul ’23
error: Provisioning profile "Aaron_Dev_2" has platforms "watchOS and iOS", which does not match the current platform "macOS". and two more provisioning profile errors with xcode archive step in building ionic cordova app in Azure pipelines.
I have a pipeline to build my company's ionic cordova app to produce an IPA file. The xcode archive step just started failing on the following errors.

/Users/runner/work/1/s/platforms/ios/xxxxx.xcodeproj: error: Provisioning profile "Aaron_Dev_2" has platforms "watchOS and iOS", which does not match the current platform "macOS". (in target 'xxxxx' from project 'xxxxx')
/Users/runner/work/1/s/platforms/ios/xxxxx.xcodeproj: error: Provisioning profile "Aaron_Dev_2" doesn't include the com.apple.security.get-task-allow entitlement. Profile qualification is using entitlement definitions that may be out of date. Connect to network to update. (in target 'xxxxx' from project 'xxxxx')
/Users/runner/work/1/s/platforms/ios/xxxxx.xcodeproj: error: Provisioning profile "Aaron_Dev_2" doesn't include the currently selected device "Mac-1689862983816.local" (identifier 4203018E-580F-C1B5-9525-B745CECA79EB). (in target 'xxxxx' from project 'xxxxx')

The script being run is

xcodebuild -workspace ./platforms/ios/SSEAirtricity.xcworkspace -scheme SSEAirtricity archive -archivePath $(Build.SourcesDirectory)/output/SSEAirtricity.xcarchive

And is run in Azure pipelines using a macOS pool. I have created new profiles and certificates but they always give the same error. Nothing has changed with the profiles to cause the pipeline to suddenly fail so I'm wondering if it could be something to do with the Xcode version, although the same version was being used when the pipeline last ran successfully, 14.2. I have read here of a similar error to my second error that can be resolved by using manual signing but I don't know how to change it from automatic to manual. https://developer.apple.com/forums/thread/733011 I have also checked the entitlements on the profile and get-task-allow is included. Any suggestions would be most welcome. Thanks, Aaron
1
1
607
Jul ’23
error: Provisioning profile "Aaron_Dev_2" has platforms "watchOS and iOS", which does not match the current platform "macOS". and two more provisioning profile errors in xcode archive step in Azure pipeline for ionic cordova application.
My company has an Azure pipeline to build our ionic cordova application and produce an IPA file. The Xcode archive step has suddenly started failing with the following errors.

/Users/runner/work/1/s/platforms/ios/xxxxx.xcodeproj: error: Provisioning profile "Aaron_Dev_2" has platforms "watchOS and iOS", which does not match the current platform "macOS". (in target 'xxxxx' from project 'xxxxx')
/Users/runner/work/1/s/platforms/ios/xxxxx.xcodeproj: error: Provisioning profile "Aaron_Dev_2" doesn't include the com.apple.security.get-task-allow entitlement. Profile qualification is using entitlement definitions that may be out of date. Connect to network to update. (in target 'xxxxx' from project 'xxxxx')
/Users/runner/work/1/s/platforms/ios/xxxxx.xcodeproj: error: Provisioning profile "Aaron_Dev_2" doesn't include the currently selected device "Mac-1689862983816.local" (identifier 4203018E-580F-C1B5-9525-B745CECA79EB). (in target 'xxxxx' from project 'xxxxx')

The script being run is:

xcodebuild -workspace ./platforms/ios/xxxxx.xcworkspace -scheme xxxxx archive -archivePath $(Build.SourcesDirectory)/output/xxxxx.xcarchive

And is being run in Azure pipeline using a macOS pool. I have seen a post with a similar error to my second error saying to change the signing from manual to automatic but I'm not sure how to do that. I have also checked the entitlements on the provisioning profile and it does include get-task-allow. Nothing has changed with the profile since it started failing and the version of Xcode being used in the build is the same as when the pipeline was running successfully. Any suggestions would be appreciated. Thanks, Aaron
1
1
612
Jul ’23
Changed from Enterprise to regular developer account and certs from old were revoked?!?!?!
We changed from Enterprise to a regular developer account and understood our existing apps in the wild signed under the Enterprise account would be fine. However as of this morning it seems those certificates were revoked and attempts to launch are informing users that the application will harm their computer. Can this be undone so they work and avoid thousands of people needing to get a new dmg and re-install??
2
0
538
Jul ’23
Multicast entitlement for apps already there in App Store
As I am aware, in iOS 14 and later versions, applications which use broadcasting and multicasting need to add the multicast entitlement to their profile. Our organization has an app in the App Store that was deployed in 2017 which was using multicast and broadcast, which it needs to detect a device. They have now started development on that application again and I had to build the code for that app. I tried deploying it on iOS 16 and it was not able to detect the device. I think I need to add the multicast entitlement to it, but when I downloaded our app from the App Store which was deployed in 2017, it was able to detect the required device and worked well (of course some UI got messed up which I have to fix, but detection is working fine). So I am not able to make sense of this. One more question arises: when iOS 14 came out some years back, there were many apps using broadcast without having this entitlement. So did all of them stop working in iOS, or did they all immediately have to ship a release with it?
1
1
370
Jul ’23
ITMS-90078: Missing Push Notification Entitlement
Hi, Our project utilizes push notifications via OneSignal SDK. Everything looks correct and conforms with the documentation: The Push Notifications capability is enabled in Xcode. The entitlements do contain the "aps-environment" key with the "production" value. I unpacked the resulting IPA and explored the embedded.mobileprovision file - it does contain the "aps-environment" key with the "production" value in the Entitlements section too. The App ID and provisioning profiles used do include the Push Notification capability. So there's literally nothing to fix. Despite that, when uploading the IPA to App Store Connect, we receive an email with the warning "ITMS-90078: Missing Push Notification Entitlement..." that says there's no "aps-environment" entry. Moreover, the OneSignal dashboard indicates "Missing Push Capabilities" for all the iOS devices that run our application. Consequently, the push messages are not received. What could be wrong with the IPA and where should we look? Thanks in advance!
2
0
1.3k
Jul ’23
com.apple.security.cs.debugger entitlement vs task_for_pid-allow
Hi, I'd like to understand better the differences between the entitlements "com.apple.security.cs.debugger" and "task_for_pid-allow." According to documentation, both entitlements authorize the application to call "task_for_pid()." Is that correct? What are the limitations that differentiate these entitlements? Will the application be able to call "task_for_pid()" for any third-party and unsigned application? Or are there any other conditions? (such as specific entitlements for the target application). Would it be necessary to run the application as root? And lastly, I wondered if any other entitlements enable using "task_for_pid()"? Thank you for your help!
3
0
621
Jul ’23
Apple cannot check signed bundle for malicious software
I have an App bundle that I signed with the certificate I received from my boss. Despite signing and verifying it, it doesn't run on our test Mac without changing the trust settings. It gives an error saying that Apple cannot check it for malicious software and software needs to be updated. This is the result of running the code sign verification:

```
codesign --display --requirements - --verbose=4 ./myapp.app
Executable=/Users/*removed*/Documents/test/myapp.app/Contents/MacOS/app
Identifier=com.*removed*.*removed*/
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20400 size=582872 flags=0x0(none) hashes=18208+3 location=embedded
VersionPlatform=1
VersionMin=851968
VersionSDK=852736
Hash type=sha256 size=32
CandidateCDHash sha256=*removed*
CandidateCDHashFull *removed*
Hash choices=sha256
CMSDigest=*removed*
CMSDigestType=2
Executable Segment base=0
Executable Segment limit=48218112
Executable Segment flags=0x1
Page size=4096
Launch Constraints: None
CDHash=*removed*
Signature size=9060
Authority=Developer ID Application: *removed*
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=*Removed*
Info.plist entries=15
TeamIdentifier=*Removed*
Sealed Resources version=2 rules=13 files=475
designated => identifier "com.*removed*.*removed*" and anchor apple generic and certificate 1[*removed*] /* exists */ and certificate leaf[*removed*] /* exists */ and certificate leaf[subject.OU] = *removed*
```

I removed some info as I'm not sure if it'd be safe to share online. I apologize. The projector is written in C++ and uses wxWidgets for GUI
1
0
639
Jul ’23
Parallel processing app distributed by developer won't run sandboxed
I have a macOS app that I have been distributing for free outside the app store for more than 15 years, without notarization, without sandboxing, and without hardened runtime, all with no problems. If I understand correctly, macOS will soon be modified so that it will not launch any developer-distributed apps that are not notarized. Notarization will require both hardened runtime and sandboxing, and unhappily, my app will not run when notarized -- I have added sandboxing and hardened runtime, then gotten it notarized and tried -- and that is because it will not run when sandboxed.

Thus I have two questions: Will there be some means, that I perhaps have missed, for my users to run my app as is, in un-notarized form with no sandboxing and no hardened runtime? (Assume that they are willing to click "Okay" on any macOS popups of the form "Abandon hope, all ye who enter here.") Perhaps I have missed something about the signing or distribution process ... ? If not, is there some entitlement I can obtain to allow my app to run when sandboxed? Perhaps the question is even "Should there be such an entitlement?"

And to that end, I must now explain why it cannot run sandboxed: My app is a parallel processing system: To work properly it must open multiple copies of itself -- that's right, there will be multiple instances of the app window visible on the console, distinguished by tint, title and location so the user can tell which is which, and multiple app badges in the dock, similarly distinguished. Doing so is easy -- I use the C++ "system" function to call the Unix executable that is buried within the ".app" folder, passing it a command tail whereby the launched copy can tell how to distinguish itself. I build up the text string for the call piece by piece, but the result looks rather like this:

system("<path-to-my-app>/MyApp.app/Contents/MacOS/MyApp -tail-item-1 -tail-item-2 ... &");

The app is written in mixed C++ and Objective C. The usual "Main.mm" file contains the entry point for the program, a "main()" function that does nothing but call "NSApplicationMain()", but I have added code to "main()" that runs before the call of NSApplicationMain(). That code uses C function "getopt()" to look for the extra command-tail items. If any are present, the app acts appropriately -- generally assigning non-default values to global variables that are used later in initialization. The first instance of the app that is called -- presumably by the user mousing on an icon somewhere -- knows by the absence of extra command-tail items that it is the first one launched, and thus knows to launch multiple additional instances of itself using this mechanism. The launched instances know by the presence of extra command-tail items that they are not the first one launched, and act differently, based on the command-tail items themselves.

All this has been working fine for over a decade when the app is not sandboxed and does not have a hardened runtime. For what it is worth, the app will run with hardened runtime, provided the option "Disable Executable Memory Protection" is checked. Furthermore, when it is also sandboxed and I open it with no extra copies of itself launched (the number to launch is a preferences option), that single app instance runs fine. I have instrumented the code, and what seems to be happening is that the system call to launch another app returns zero -- implying it succeeded -- but has no effect: It is as if someone had special-cased "system" to do nothing, but to report success nonetheless. That is an entirely reasonable feature of a hardened runtime -- allowing arbitrary system calls would be a security disaster looking for a place to happen. The point is that my app would not be making an arbitrary system call -- it would be trying to open one specific app -- itself -- which would be sandboxed with a hardened runtime, and notarized. That is not likely to be a huge security problem.

Incidentally, not all system calls fail this way -- I can do

system("osascript -e 'tell app \"Safari\" to activate';");

or

system( "open -a \"Safari\" <path to a help file located in MyApp's Resources>");

with impunity. Also incidentally, using AppleScript to launch another copy of MyApp from within itself doesn't do what I want: The system notices that MyApp is already running and just makes it active instead of launching a new copy, and there is no way to pass in a command tail anyway.

I don't wish to appear to be advertising, so I won't identify my app, but a little more detail might be useful: It is a parallel program interpreter. The language implemented is the "Scheme" dialect of Lisp. Each instance running is a complete read/eval/print loop embedded in an application window where the user can read and type. The first instance of the app launched mmaps a large memory area for the Lisp system's main memory: That works kind of like a big heap in more conventional programs. It is not executable code, it contains Lisp data structures that an application instance can access. The other instances launched use the same mmapped area. The shared memory has lots of lock bits. I use low-level "lockless coding" -- hand-coded assembler with the Intel "lock" prefix or the more complicated arm64 stuff -- to keep simultaneous access by different app instances from corrupting the shared memory. Parallel Scheme has many uses, which include debugging and monitoring of running Scheme programs, and having multiple tail-recursive "actors" (Lisp jargon) operate on the same data at the same time. Enough said.

I would like to be able to notarize this app so that users who obtained it outside the app store could understand that Apple had checked it for dangerous code. If that were possible, I might even try submitting it to the app store -- but that would be another story. Do I have any hope of keeping this product available?
5
0
955
Jul ’23
Unsatisfied entitlements: com.apple.developer.driverkit.transport.pci
Hi, I'm developing my own PCIe device driver. The log shows the error messages below when the driver executes.

2023-07-31 13:43:47.031012+0800 0x1d41ce Error 0x0 12158 0 taskgated-helper: (ConfigurationProfiles) [com.apple.ManagedClient:ProvisioningProfiles] com.asix.dext.pciedevice: Unsatisfied entitlements: com.apple.developer.driverkit.transport.pci
2023-07-31 13:43:47.031048+0800 0x1d41ce Error 0x0 12158 0 taskgated-helper: (ConfigurationProfiles) [com.apple.ManagedClient:ProvisioningProfiles] Disallowing: com.asix.dext.pciedevice
2023-07-31 13:43:47.062775+0800 0x1d436e Error 0x0 103 0 kernelmanagerd: Error occurred while handling request "DextLaunch(arguments: Optional(["Check In Token": 12087, "kOSBundleDextUniqueIdentifier": <04642bc8 90788071 c2a02259 c624ba81 3bebbf55 f9f2db7e f9fbbdd5 1f2ed99d>, "Driver Extension Server Tag": 4294982732, "DriverKit Reslide Shared Cache": 0, "Driver Extension Server Name": com.asix.dext.pciedevice, "CFBundleIdentifier": com.asix.dext.pciedevice]))": Error Domain=NSPOSIXErrorDomain Code=8 "Exec format error"

**How to match device's PID & VID to driver and make it work successfully? Please help me, Thanks**

errorcode.txt
2
0
916
Jul ’23
Root Certificate not accessible
While trying to create a new Distribution (iOS) certificate after the old one expired I came across the situation that we do not have the root certificate that was originally created. It was created on a mac of an employee that no longer works for us and which is not cooperative anymore. Is there any way around this, or to create a new root certificate that enables us to create trusted certificates to release updates for our app? I'm new to this whole certificate workflow so I'd be very thankful for any input that lets us progress. Best Regards, Hans
1
0
440
Aug ’23
Codesigning completes, Notarization fails using notary tool
Notarization step fails: New AppID and password created:

xcrun notarytool submit ".dmg" --apple-id "" --team-id "" --password "" --verbose --wait

Error: HTTP status code: 401. Your Apple ID has been locked. Visit iForgot to reset your account (https://iforgot.apple.com), then generate a new app-specific password. Ensure that all authentication arguments are correct.

I have reset app password many times, no result. Codesigning completes normally: Mac OS 11.5.2 Xcode 13.2.1
3
0
990
Aug ’23
Shallow Depth and Pressure entitlement
Following https://developer.apple.com/documentation/coremotion/accessing_submersion_data I'm trying to "just get it started". I have a provisioning profile with the Shallow Depth and Pressure active, I have set the com.apple.developer.submerged-depth-and-pressure to true in the entitlements file, and get no errors or warning when compiling and starting the app on my Apple Watch Ultra. When my view appears, I init the submersion manager with the following code:

guard CMWaterSubmersionManager.waterSubmersionAvailable else { return }
submersionManager = CMWaterSubmersionManager()
submersionManager?.delegate = self
Logger.shared.info("SubmersionManager initialized")

I get the printout SubmersionManager initialized, but then I get:

An error occurred: The operation couldn’t be completed. (CMErrorDomain error 110.)

Googling this error tells me this error means: CMErrorNotEntitled

And I cannot find WHY the app is not entitled.. I find no information that this entitlement is not publicly available or anything.
3
0
1.2k
Aug ’23
Can't run binary in sandboxed macos app
I have a Flutter app that should be sandboxed for Appstore and this app should run a binary that I build with make. I sign that binary with Developer ID certificate:

codesign -v -f --options=runtime --entitlements "./macos/Runner/binary_sandboxed.entitlements" --sign "Developer ID Application: ..." ./path/to/binary

Here is binary_sandboxed.entitlements:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>$(TEAM_ID).$(PRODUCT_BUNDLE_IDENTIFIER)</string>
    </array>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.network.server</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
</dict>
</plist>

and the main app is run with entitlements:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>Q7Q43CUMWT.$(PRODUCT_BUNDLE_IDENTIFIER)</string>
    </array>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.network.server</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>keychain-access-groups</key>
    <array>
        <string>$(AppIdentifierPrefix)$(PRODUCT_BUNDLE_IDENTIFIER)</string>
    </array>
</dict>
</plist>

When I run the app I get an error:

ProcessException: Operation not permitted

In the console log I see this message:

denied since it was quarantined by Main app and created without user consent, qtn-flags was 0x00000086

If I delete the quarantine flag from the binary in Containers

xattr -d com.apple.quarantine "/Users/appuser/Library/Containers/com.bin/Data/Library/Application Support/com.bin/binary"

I get an error when I run the binary:

zsh: illegal hardware instruction failed: Unable to get bundle identifier because code signature information has no Info.Plist.

What did I do wrong? And what should I do?
1
1
683
Aug ’23
Certificates to 3rd party Dev
Hi to all, a few years ago I worked with PhoneGap developing apps. As for then I did all the deploys so never got the need to have the answer to my current issue. The problem is.. we have a 3rd party company developing us a Flutter App and we want for some of our company's members to test it by being them to deploy using our certificates so the tests can be done. However generating the development certificate always makes its name to be the same that belongs to the account that generated it. I believe it would work but how could I make it more manageable by setting its name as the 3rd party company's name (let's say company's name is "XPTO")? Is there a better way to accomplish this, deploying to TestFlight so our colleagues can test it?
2
0
534
Aug ’23