I started the notarization process for my electron app (just a browser window loading a URL) yesterday (26/03/2025) at around 05:23 GMT. I noticed in a couple of posts here in the forum that it may sometimes take a day to notarize the first app submitted by a team, but it has been over 30 hours now. Here's the log from xcrun notarytool history. createdDate: 2025-03-26T05:23:11.102Z id: ddcb3fca-4667-4acb-8fd1-3298a7c244cc name: xolock-browser.zip status: In Progress Do help me out here, I have zero idea why this is taking so long. Thanks in advance!

Xcode is prompting I enter a codesign login password when I am archiving my project. My password seems incorrect since there is no action after I enter my password and tap allow. what could be the problem?

I followed the instruction on Preparing your app to be the default browser or email client. I have acquired the permission from Apple. The entitlement is included in the provisioning profile. mailto is specified in URL Schemes. But I downloaded my app from TestFlight and enter Setting > MyApp, the switch that could enable my app to be the default email app was not there. I have no clue what I did it wrong. Does anyone know how to configure the app properly?

I'm trying to renew our Distribution Certificate, but when I request a certificate from a certificate authority as described and create the certificate via developer.apple.com and install it, it is installed without a private key, so I can't export it to .p12. What am I doing wrong? Last year this went without any problems. Please help me out, because I have to renew the certificate before 12-12-2024.

Hi everyone, I'm following up on this post I made earlier about an issue I'm having with FamilyControls and the DeviceActivityMonitor extension not working for external TestFlight testers. To briefly recap: I have official Apple approval for the com.apple.developer.family-controls entitlement (distribution) The entitlement is added to both my main app and the DeviceActivityMonitor extension The App Group is correctly configured for both targets On internal TestFlight builds, everything works as expected: app blocking works, the extension runs, and selected apps are shielded. On external TestFlight builds, users get the Screen Time permission prompt, can select apps to block, but nothing is blocked. Since that post, I submitted a Code Level Support request, and Apple asked me to file a bug report via Feedback Assistant. I did that almost a month ago. The only reply I’ve received since is that they can’t give a timeframe or guarantee it will be resolved. I'm stuck in limbo with no updates and no fix. This feature is critical to my app and I cannot launch without it. I’ve reached out to other developers who use app blocking, and none of them have run into this issue. My setup seems correct, and Apple has not said otherwise. If anyone has experienced something similar, found a workaround, or knows how to get real movement on a bug report like this, I would really appreciate any help. It’s been weeks, and I just want to launch my app. Thanks so much.

I am trying to build/deploy app to my phone however I get this message: "provisioning profile doesn't include the currently selected device" My developer account is pretty old one and used to be one the paid-version one. My understanding is that I should be able to deploy apps using free account but I don't see where I can add or delete devices....stuck in the loop over here! :-) I've created support request via email but I don't know if that is being worked or not...four days since I put it in. I suppose my other options are new apple-id or pay $99 and hope apple pays attention then? Any other suggestions?

I have a pass type id that expired. I created a CSR in keychain access on my Mac. I uploaded the CSR and generated a new cert. I downloaded the new cert and imported into keychain access. I don't see the associated private key and I cannot export a .p12 certificate. It's possible I started with the wrong key to generate the CSR or maybe I inadvertently deleted key while trying to locate the cert after importing. I'm not sure how to determine which. I do still have the private key from the cert that expired. But, I cannot figure out how to sign a cert again, my only option now is download. I've been searching the forum and while there may be an answer, I may just be looking for the wrong thing. I could use some help if anybody would be so kind.

The actual error: pkgbuild: error: Could not find appropriate signing identity for “Developer ID installer: My Name (DeveloperID)”. I'm trying to sign a program written with gfortran. The steps worked the last time (Mar 23) I built this code. The steps to error: a) xcrun notarytool store-credentials --apple-id "***" --team-id "yyy" Giving Profile Name zzz and App-specific password b) codesign --force --timestamp --options=runtime -s "Developer ID Application: My Name (yyy)" AppName c) pkgbuild --root ROOT --identifier org.aaa.bbb --version "1.1.1" --sign "Developer ID installer: My Name (yyy)" AppName.pkg ROOT contains the package contents At this point I get the error pkgbuild: error: Could not find appropriate signing identity for “Developer ID installer: My Name (yyy)” Are there steps that have changed. Any suggestions? Thanks, David

Hey everyone, I’m wondering if anyone has run into any issues with this. Before I uploaded, I guess maybe 20 assets of 1080 x 720, my notarization was taking around 2-3 minutes almost instant. Now I’m looking at 30 minutes. I have no idea when the notarization is going to end. I’m wondering if asset size has any impact on notarization speed, and if so, is this going to be a one-time thing or is this going to happen with all my following builds? Let me know if anyone has run into anything similar or if the notarization service is just down right now. ⁠

I am developing and distributing an XCFramework, and I want to ensure that it remains valid for as long as possible. I have some questions regarding certificate expiration and revocation: I understand that if an XCFramework is signed with a timestamp, it remains valid even after the signing certificate expires. However, if the signing certificate is revoked, the XCFramework immediately becomes unusable. As far as I know, Apple allows a maximum of two active distribution certificates at the same time. I assume that once a certificate expires, it will eventually need to be revoked in order to issue a third certificate. Is this correct? If an expired certificate is later revoked, will the XCFrameworks signed with that certificate also become invalid, even though they were timestamped? I want to ensure that released XCFrameworks remain valid for as long as possible. What is the best approach to achieve this? If anyone has insights or official documentation references on how to manage signing certificates for long-term XCFramework validity, I would appreciate your guidance. Thank you!

i was complete my program, and export a mac app already it work ok in my macmini, but if i want send it to app store, that i have no way now i still do not know how to make this app perfect like, when i use pyinstaller to build this app, is there any info or elements need make with? i can sign my app now, even i use codesign -dvvv my.app to check the sign, it is also ok, there no any feedback said it anything wrong. so, any master know fix app sign or any infoplist please tech me... help

We are using SHC to compile on macOS to convert the .sh script to a binary file. This binary file is then digitally signed by the Apple developer account and then notarised. After that, it will work on the same system where we follow this process. But if we share this file to another system, then it gets quarantined (com.apple.quarantine) while downloading. Is there any way to prevent it by getting quarantine on another system or something I'm missing, any clues?

From time to time I see folks run into error 65 when stapling a ticket to their notarised Mac software. This post explains the two common causes of that error. If you have questions or comments, start a new thread here on the forums. Put it in the Code Signing > Notarization topic area so that I see it. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" Resolving Error 65 When Stapling If you directly distribute Mac software, you must sign and notarise your product so that it passes Gatekeeper. For information on how to do this, see: Notarizing macOS software before distribution, if you use Xcode Creating distribution-signed code for macOS, Packaging Mac software for distribution, and Customizing the notarization workflow otherwise The last step of that process is to staple a ticket to your notarised product. This can fail with error 65. There are two common causes of that failure: No appropriate ticket Trust issues The following sections explain how to recognise and resolve these issues. Note You are not absolutely required to staple your product. See The Pros and Cons of Stapling for more on that topic. No Appropriate Ticket Consider the following stapling error: % stapler staple "TestError65.dmg" Processing: /Users/quinn/Desktop/TestError65 2025-03-03 22-12-47/TestError65.dmg CloudKit query for TestError65.dmg (2/d812985247c75e94fd603f026991f96144a031af) failed due to "Record not found". Could not find base64 encoded ticket in response for 2/d812985247c75e94fd603f026991f96144a031af The staple and validate action failed! Error 65. Note the Record not found message. This indicates that the stapling operation failed because there’s no appropriate ticket. To investigate this, look at the notary log: % notarytool-log b53042b6-4cbb-4cef-ade4-dae034a69947 { … "status": "Accepted", … "sha256": "f012735a6d53b17082c088627da4249c9988111d17e7a90c49aa64ebc6bae22e", "ticketContents": [ { "path": "TestError65.dmg/TestError65.app", "digestAlgorithm": "SHA-256", "cdhash": "abc27b0f2daee77b9316de3c6844fbd9e234621c", "arch": "x86_64" }, { "path": "TestError65.dmg/TestError65.app", "digestAlgorithm": "SHA-256", "cdhash": "9627c72e53d44ae77513613e2ce33314bd5ef41e", "arch": "arm64" }, { "path": "TestError65.dmg/TestError65.app/Contents/MacOS/TestError65", "digestAlgorithm": "SHA-256", "cdhash": "abc27b0f2daee77b9316de3c6844fbd9e234621c", "arch": "x86_64" }, { "path": "TestError65.dmg/TestError65.app/Contents/MacOS/TestError65", "digestAlgorithm": "SHA-256", "cdhash": "9627c72e53d44ae77513613e2ce33314bd5ef41e", "arch": "arm64" }, { "path": "TestError65.dmg", "digestAlgorithm": "SHA-256", "cdhash": "01a553c91ee389764971767f5082ab8c7dcece02" } ], "issues": null } First, make sure that the status field is Accepted. If there’s some other value, the notary service didn’t generate a ticket at all! To understand why, look at the rest of the notary log for errors and warnings. Assuming that your notarisation request was successful, look through the log for cdhash values. These represent the contents of the ticket generated by the notary service. Compare that list to the cdhash values of the code being signed: % hdiutil attach "TestError65.dmg" … … /Volumes/Install TestError65 % codesign -d -vvv --arch arm64 "/Volumes/Install TestError65/TestError65.app" … CDHash=9627c72e53d44ae77513613e2ce33314bd5ef41e … % codesign -d -vvv --arch x86_64 "/Volumes/Install TestError65/TestError65.app" … CDHash=abc27b0f2daee77b9316de3c6844fbd9e234621c … Those are all present in the ticket. However, consider the cdhash of the disk image itself: % codesign -d -vvv "TestError65.dmg" … CDHash=d812985247c75e94fd603f026991f96144a031af … That’s the cdhash that stapler is looking for: CloudKit query for TestError65.dmg (2/d812985247c75e94fd603f026991f96144a031af) failed due to "Record not found". But it’s not present in the notarised ticket. Note The term cdhash stands for code directory hash. If you’re curious what that’s about, see TN3126 Inside Code Signing: Hashes and the Notarisation Fundamentals DevForums post. What happened here is: I built the app. I signed it with my Developer ID code-signing identity. I created a disk image from that app. I signed that with my Developer ID code-signing identity. I notarised that. I then re-signed the disk image. This changes the cdhash in the code signature. Now the disk image’s cdhash doesn’t match the cdhash in the ticket, so stapling fails. To resolve this problem, make sure you’re stapling exactly the file that you submitted to the notary service. One good option is to compare the SHA-256 hash of the file you’re working on with the sha256 field in the notary log. Trust Issues Now consider this stapling error: % stapler staple "TestError65.dmg" Processing: /Users/quinn/TestError65.dmg Could not validate ticket for /Users/quinn/TestError65.dmg The staple and validate action failed! Error 65. Note how it’s different from the previous one. Rather than saying that the ticket was not found, it says Could not validate ticket. So, stapler found the ticket for the file and then tried to validate it before doing the staple operation. That validation failed, and thus this error. The most common cause of this problem is folks messing around with trust settings. Consider this: % security dump-trust-settings SecTrustSettingsCopyCertificates: No Trust Settings were found. % security dump-trust-settings -d SecTrustSettingsCopyCertificates: No Trust Settings were found. Contrast it with this: % security dump-trust-settings SecTrustSettingsCopyCertificates: No Trust Settings were found. % security dump-trust-settings -d Number of trusted certs = 1 Cert 0: Apple Root CA - G3 Number of trust settings : 10 … Someone has tweaked the trust settings for the Apple Root CA - G3 anchor. In fact, I used Keychain Access to mark the certificate as Always Trust. You’d think that’d avoid problems, but you’d be wrong. Our code signing machinery expects Apple’s anchor and intermediate certificates to have the default trust settings. IMPORTANT Some trust settings overrides are fine. For example, on my main work Mac there are trust settings overrides for Apple internal anchors. This problem occurs when there are trust settings overrides for Apple’s standard anchor and intermediate certificates. To fix this: In Terminal, run the dump-trust-settings commands shown above and build a list of Apple certificates with trust settings overrides. In Keychain Access, find the first problematic certificate in your list. Note that there may be multiple instances of the certificate in different keychains. If that’s the case, follow these steps for each copy of the certificate. Double click the certificate to open it in a window. If the Trust section is collapsed, expand it. Ensure that all the popups are set to their default values (Use System Defaults for the first, “no value specified” for the rest). If they are, close the window and move on to step 8. If not, set the popups to the default values and close the window. Closing the window may require authentication to save the trust settings. Repeat steps until 2 through 7 for each of the problematic certificates you found in step 1. When you’re done, run the dump-trust-settings commands again to confirm that your changes took effect.

I have an internal customer who is trying to submit an IPA to TestFlight via a Jenkins pipeline, and they are submitting their IPA to our central code signing service first. But they're seeing failures in their logs such as: { "id" : "bb07c32d-b4d6-48c4-abfe-390a46dec3ca", "status" : "409", "code" : "STATE_ERROR.VALIDATION_ERROR.90179", "title" : "Asset validation failed", "detail" : "Invalid Code Signing. The executable 'Payload/their.app/Frameworks/Pods_their.framework/Pods_their' must be signed with the certificate that is contained in the provisioning profile." } I obtained the signed IPA file, and examined one of the items flagged as incorrectly signed with "codesign -d -vvvv". I see the correct team identifier in the output, along with the correct ("Distribution") authority. I unbundled the IPA with "ditto -xk", extracted the plist from the embedded provisioning file with "security cms -D -i", and examined the lone developer certificate with "plutil -extract DevelopCertificates.0" and "certtool d". The subject name fields correspond to the correct cert: "Other name" and "OrgUnit" contain "our" team name, "Org" has our company name, "Common Name" has the name of the authority mentioned above. In short, it looks like we're signing it properly, but Apple notarization is refusing it. (For the record, something on Apple's side complained about using "altool" instead of "notarytool". I don't know if that's our problem or not.) What else should I be doing to confirm the status of the signatures? I'm missing something, but I have no idea what.

I have built a flutter desktop app and I notarized it. I have to distribute it directly as I cannot turn on App Sandboxing due to the functions included in the application. I created a build of the app from Xcode and then uploaded it for notarization and it was successfully notarized. If I compress that app into a .zip and share it over the internet, it successfully opens on any computer. But when I create a dmg using appdmg from npm and I try to distribute it, it does not open and shows me the option to either move to bin or cancel. When I notarize the dmg using the command: xcrun notarytool submit "YourApp.dmg" --apple-id "email" --password "app-specific-password" --team-id "YOUR_TEAM_ID" --wait It notarizes successfully. I have also done: xcrun stapler staple "YourApp.dmg" And validated it but it does not seem to work when I distribute it over the internet by uploading on my website. It is a bit strange that when I distribute the notarized app, it does not show any error when distributed over the internet by uploading on my website and then downloading but for a notarized dmg, which is properly signed, it gives that error that wether move to bin or do nothing. Would love someone's help on this!

It has been 3 days and it is still in progress. As you can see in the history, I retried a few hours after the initial attempt, both are stuck. For what it's worth, this is my first notary attempt on this Apple Developer Account, I am aware that first-time submission can take longer. What should I do at this point? Wait another few days? Is there a human in the loop that needs to manually allow my submission? I have seen posts about this for the last 2 years. Seems like Apple is not going to do anything about it, xcrun notarytool history --keychain-profile '[redacted]' Successfully received submission history. history -------------------------------------------------- createdDate: 2024-11-30T01:59:08.408Z id: 3de4f35a-a950-4b34-8a74-21252b3e49a4 name: Notes.ai.zip status: In Progress -------------------------------------------------- createdDate: 2024-11-29T20:49:53.437Z id: 268e5416-640c-419f-b22a-efe55212b50a name: Notes.ai.zip status: In Progress

I'm building an app that uses the Screen Time API and DeviceActivityMonitoring Framework. It works when I run the simulator build on iPhone 16 but when I try to launch it on my own iPhone, I get these errors. Provisioning profile "iOS Team Provisioning Profile: Kanso- Digital-Wellness.Kanso-v2" doesn't include the com.apple.developer.device-activity.monitoring entitlement. KansoMonitorExtension 1 issue x Provisioning profile "iOS Team Provisioning Profile: Kanso-Digital-Wellness.Kanso-v2.KansoMonitorExtension" doesn't include the com.apple.developer.device-activity.monitoring en... Read something online that said a reboot would fix this, but I tried and no luck. Any ideas? I'm not very technical, so would pay someone to fix this for me :)

When I make ipa by commond tools,Some errors have occurred.Has anyone encountered it before？ Ps:debug mode is ok，release mode is not ok. error: exportArchive: Code signing "FBAEMKit.framework" failed. Error Domain=IDEDistributionPipelineErrorDomain Code=0 "Code signing "FBAEMKit.framework" failed." UserInfo={NSLocalizedDescription=Code signing "FBAEMKit.framework" failed., NSLocalizedRecoverySuggestion=View distribution logs for more information.}

ad hoc和enterprise都不行 Team "tao yang (Personal Team)" is not enrolled in the Apple Developer Program.

After the ios background creates the group and adds it to the Identifiers, an error is displayed at xcode signing. Error: An Application group with Identifier 'group.xx' is not available. Please enter a different string. Looking at Figure 1 and Figure 2, you can see that I have created in the background, but it will not succeed in XCODE. Does anyone know the reason I started to think that the account and certificate problems, but after the replacement is not successful How to solve this problem, thank you