I am trying to export my AppleScript as an application and have enabled my developer ID to sign it. I, however, get an error the following error: Any ideas? Thank you and best regards, pd NOTE: macOS Sonoma 14.7.

Is it correct to codesign dylib/framewoks with entitlements? My understanding is that only executables need to have the entitlement and the dylibs loaded in that process will automatically inherit those entitlements. However, I am seeing a lot of scripts on the internet that are signing dylibs as well with entitlements. For eg - # sign *.dylibs find "$APP_BUNDLE" -type f -name "*.dylib" -exec codesign --deep --force --verify --verbose --timestamp --options runtime --entitlements "$ENTITLEMENTS_FILE" --sign "$SIGNING_IDENTITY" {} \; Is this even allowed? I know of at least one app that has passed notarization checks as well. If allowed, can a dylib have more entitlements than the process that loaded it?

Hi! I'm having troubles to sign my Xamarin Forms application, im getting the following error "Error : Could not find any available provisioning profiles for MyProject.iOS on iOS.". I've recently cleaned my Provisioning profiles folder ~/Library/MobileDevice/Provisioning Profiles since it wasn't being updated with my latest provisioning profile for my app. But now my provisioning profiles are not being downloaded, I'm not getting any other error on downloading profiles. I've tried from Xcode -> Settings -> Account -> Download manual profiles. Tried too open the profile downloaded from the Apple Developer Portal, also tried copy manually the provisioning profile downloaded to the previous mentioned path, none of those works. The user that im logged in on Xcode is the admin/owner so is not a permissions issue. IDK what can be wrong or what can I try. So I'm going to be grateful for your help :(

Hi all, Occasionally, our systems grind to a halt because an agreement needs signed. As you can imagine this always happens at an inconvenient time. Is there a programmatic way we can know about this, before it happens? How is everyone else handling this? From a search through threads here and documentation, I don't see anything and thus I don't think this is possible to script, but wanted to double check. If not possible, what kind of grace period is there between when developer.apple.com mentions something will need signed, and when it stops working? I'm not the one who can sign, so can a non-signer see this? This part is basically asking: How often does someone have to log on to "poll" for this and can this be me or does it have to be the person with access to sign the agreements. Does the system maybe send out an email to the signer about these (in advance), that he's maybe not seeing? Thanks!

I've updated Xcode to 16.1, then I've created a new provisioning profile in developer.apple.com, successfully built and signed my application. It was on monday, 2024-11-04. Two or three days later I was asked to add more devices and I had to create a new profile. I've noticed a new feature to control profile's name (yeah, cool!), had to accept new agreements. Then, have created a new profile, downloaded it, but could not add it with double-click to Xcode or import to Keychain Access - "Failed to install one or more provisioning profiles on the device". And whatever I tried, I couldn't register any new profiles since. Therefore, my app cannot be signed and tested anymore. This is quite weird as nothing has changed on the system throughout the week. Is this a known issue or is there any fix for that?

I have the latest version of xcode

Hi, I'm trying to ssh into another machine, copy an app into that machine and codesign it using my "Dev ID Application" certificate, then copy it back to my original machine. I'm getting the "errSecInternalComponent" error when running codesign. This is the bash script I'm running: ssh ${REMOTE_SERVER} "security -v unlock-keychain -p <REDACTED> /Users/<REDACTED>/Library/keychains/login.keychain-db" ssh ${REMOTE_SERVER} "codesign -vvv --deep --force --verify --verbose --timestamp --options runtime --sign \"Developer ID Application: <REDACTED>\" \"/tmp/$BUILD_ID/ui-app/<APP_NAME>.app\"" ssh ${REMOTE_SERVER} "codesign -dv --verbose=4 /tmp/$BUILD_ID/ui-app/<APP_NAME>.app" I've tried to follow all the available info found online, managed to sign it successfully through the machine's UI, set the ACL of the private key to ALLOW ALL, restarted the keychain service, tried with the system keychain, approved all pop ups through the UI. Still with no luck through the SSH session. Any help would be greatly appreciated. Thanks!

In the past, I used to export a developer-signed test version of my macOS app in Xcode, create a zip archive from the Finder, upload it to my website and share the link to the testers. The last time I did this with macOS 14 the tester was still able to download the test app and run it. But it seems that with macOS 15 the trick to open the context menu on the downloaded app and click Open to bypass the macOS warning that the app couldn't be checked when simply double-clicking it, doesn't work anymore. Now I'm always shown an alert that macOS couldn't check the app for malware, and pushes me to move it to the bin. In this StackOverflow topic from 10 years ago they suggested to use ditto and tar to compress and uncompress the app, but neither worked for me. How can I share macOS apps that I signed myself with testers without physically handing them a drive containing the uncompressed app?

I'll do my best to explain my situation. Basically I have a plugin I'm trying to sign notarize and staple. My plugin is a .component but right now it is currently not bundled so its a .component folder. I cant open it in Xcode to bundle it and therefore cannot successfully bundle it that way. other things I've tried are failing with the error message logs showing the following messages. - "The signature does not include a secure timestamp." -"The binary is not signed." -"The signature of the binary is invalid." Those messages repeat several times and the very last one I receive is -"The contents of the package at ***** could not be extracted." So what I'd like to know is what can I do to my .component folder (all contents are in it so I can successfully sign it, timestamp it and submit successfully using notarytool? Thank you!

Project Background: I developed a Mac project using Electron and VSCode Successfully uploaded the packaged pkg using Transporter, However, I will receive an email informing me that there are some issues with the project: ITMS-90296: App sandbox not enabled - The following executors must include the 'com. apple. security. app sandbox' entitlement with a Boolean value of true in the entitlement property list: [[com. electron. iflyrecclient. pkg/Payload/iFlytek Listen. app/Contents/MacOS/iFlytek Listen]] ITMS-90886: 'Cannot be used with TestFlight because the signature for the bundle at' iFlytek hears. app 'is missing an application identifier but has an application identifier in the provisioning profile for the bundle.' Bundles with application identifiers in the provisioning profile are expected to have the same identifier signed into the bundle in order to be eligible for TestFlight.' Here is my packaging process: Generate an app using the electron packager tool Sign the app using @ electron osx sign (version 1.3.1) After signing, use productbuild - component Yourappname App/Applications - sign "3rd Party Mac Developer Installer: * * * * * (XXXXXXXXXX)" Yourappname. pkg command generates pkg PS： For the second step, I have set sand box=true in both entitlents.plist and entitlents.macinheriting. plist. And after signing, using codesign -dvvv -- entitiements - /path to view the app file shows' checkbox=true ', and the [iFlytek Listen. app/Contents/MacOS/iFlytek Listen] file in the issue also exists. Using the Suspicious Package software to view pkg also has sandbox=true. A few months ago, I uploaded it once and the issues mentioned in the email did not appear. The only changes were the macOS system version number and the replacement of the signature with provisionprofileprovisionprofile. I have reviewed similar issues on the Apple Developer Forums, but have not been resolved

...and some more simple command line utilities. I've code signed all executables and binary libraries I could find. This has got rid of most errors already. Now I'm struggling with the "hardened runtime" requirements. I understand I can somehow add entitlements - but have no clue how to do that, and what to add. Somewhere there was reference to PCRE - I don't think Perl uses that itself, but certainly does deal with regexes a lot. How would I add eg. the JIT entitlement (if that was required)? Most documents refer to .mobileprovision files or similar - but I'm dealing with a desktop application. And as all of this is rather non-standard, we don't use Xcode at all. So I wouldn't even know how to use Xcode to create a profile for an an app which is managed completely "outside" of a normal macOS development environment.

I'm working on a system extension leveraging endpoint security entitlement. However, while in development, is there a way to continue working and testing locally without having the endpoint security entitlement approved or needing the extension signed. I got these errors running a build: Provisioning profile "Mac Team Provisioning Profile: "com.xxxxx.extension" doesn't include the com.apple.developer.endpoint-security.client entitlement.

My non-cloud Developer ID certificate will expire soon, and my account also has a cloud-managed Developer ID Certificate. My Mac application build workflow uses Archiving, so the cloud cert should be fine for that. But my workflow also signs bundled apps, such as Sparkle framwork's Autodupate app, using the codesign tool. Is it correct that codesign only uses certificates from the local Keychain, and so cannot use a Cloud-managed Developer ID certificate? Before I manually renew the non-cloud Developer ID certificate, I want to make sure I'm not missing some easier method. Thanks.

Keys can vary; an account is not necessary, as only Team Keys are suitable for notarization. It seems that Developer role is sufficient for notarization. We have tried both keys and roles of Developer and Account Manager - the behavior is the same. Multiline There are two types of API keys: Team Access to all apps, with varying levels of access based on selected roles. Individual Access and roles of the associated user. Individual kevs aren't able to use Provisioning endpoints, access Sales and Finance, or notaryTool. BlockQuote Here are the parameters used for notarization via API key: `-k, --key key-path    App Store Connect API key. File system path to the private key. -d, --key-id key-id    App Store Connect API Key ID. For most teams this will be a 10 character alphanumeric string. -i, --issuer issuer    App Store Connect API Issuer ID. The issuer ID is a UUID format string.` The notarization result shows as successful, and on the same machine, the package appears as notarized. However, when the package is transferred to another system, it is displayed as not notarized.

Hello I build an application in Xcode for MacOS. But the exported app I cannot open on different Mac systems. I get the message 'The application X can't be opened'. I can only run the application on the Mac where Xcode is installed. I used different signing certificates: Apple Distribution, Developer ID application (this should be the one), Mac App Distribution. I archive the application, then use Direct Distribution, then after complished the notary service, I export the app.

How can I modify bundleID of an app after building ipa file? I try to modify the bundle id in my app by : unzip ipa modify bundle id in info.plist within app resign app with entitlements 4.zip ipa but ipa appeared to not be able to install on iphone is that any way to modify bundle id after building ipa file? Thanks for your Support

I tried building the React App for Any iOS device (Arm64) but I get error. Although I can build successfully for any iOS Simulators In the codesigning step I get the following error, "Warning: unable to build chain to self-signed root for signer "Apple Development: my email address ( ... ) " I don't have paid membership of Apple Developer Program, does that cause this failure? Also, to archive also do I need Apple Developer Program paid membership?

Hello! I've been facing an issue with notarizing a macOS app with an Enterprise API Key. Due to some misunderstanding setting up the project some years ago, the notarization step was using a developer's accounts API Key. I am looking to fix it to have everything centralized in the Enterprise account we work with, but I get "Debug [JWT] Generating new JWT for key ID" with the new key. This is using the xcrun notarytool directly to get more input. Using Fastlane it fails as: Error polling for notarization info: [11:29:25]: unexpected token at '' The project is deployed via MDM, so we need it to prevent the security warning. I used this documentation to create the key: https://developer.apple.com/documentation/enterpriseprogramapi/creating-api-keys-for-enterprise-program-api I have tried a Developer and an Admin access key, and the Account Holder has also created an Admin key but the errors keep the same. I just updated my Fastlane script to use the new key with the updated values. The old developer account key still works. I am not sure if I am missing any steps in the documentation or if this is not achievable. Important to add that all the profiles and certificates were already set up properly in the Enterprise account, the only error was using an App Store Connect Key instead of an Enterprise Key. Thanks in advance for the help.

Hi, I'm currently developing a Flutter app that utilizes Push Notifications. The Android implementation is working flawlessly, but I'm encountering compilation issues in Xcode. Specifically, I'm receiving the following error: Cannot create a iOS App Development provisioning profile for "dk.ceniconsulting.alarm". Personal development teams, including "Henrik Thystrup", do not support the Push Notifications capability. No profiles for 'dk.ceniconsulting.alarm' were found Xcode couldn't find any iOS App Development provisioning profiles matching 'dk.ceniconsulting.alarm'. This error seems to be a common issue, but I haven't been able to find a definitive solution. I've already generated a certificate, identifier, and installed them, but the problem persists. Does anyone have any insights or suggestions on how to resolve this issue? Or perhaps a link to a resource that addresses this specific problem?

Hello, my team is trying to fix a code signing issue with our app. Our production build works, but our debug build broke after upgrading to macOS 15. This is because our app contains an app extension that can no longer access our app group container after the upgrade to macOS 15. It looks like this is due to ~/Library/Group Containers being protected by SIP now. We were not code signing our debug app, and now security is stricter. Because of historical reasons, we need to use a Makefile to build our app instead of just using Xcode. We are trying to determine the best way to sign our debug app. It looks like our app extension is able to access our app group container if we sign the app with a developer certificate. However, we are wondering if the developer certificate is required. We see that Xcode can sign debug builds with the “-” code signing identity. We tried doing this from our Makefile in the same way we sign with the developer certificate, but it doesn’t work. Is this expected behavior?