When building to macOS on GameMaker, I get the error "this identity cannot be used for signing code" when using the Developer ID Installer certificate. The certificate was neither expired nor revoked, but nonetheless I created new certificates to start fresh but am still getting that error. I don't get issues building to iOS via GameMaker, just to macOS. If it makes any difference, I only noticed this issue started happening after I converted my Apple Developer Program account from an individual account to an organizational account, although it was weeks to months before I built to macOS via GameMaker before then, so I don't know if it correlates with that.

In the LightweightCodeRequirements framework, there is a LaunchCodeRequirement object which can be used as a requirement object for a Process for example. What I don't understand (I admit my macOS low-level knowledge is limited) is that how can this be used in a secure way that doesn't fall victim of a Time-of-Check/Time-of-Use issue. e.g. I specify a LaunchCodeRequirement via Process.launchRequirement for my process, let's say /usr/local/bin/mycommandlinetool. The LaunchCodeRequirement specifies my development team and a developer ID certificate. The process must be started in some form, before a SecCode/SecTask object can be created, rather than a SecStaticCode object (which only guarantees its validity checks to be intact as long as the file is not modified). But if the process was started, then I have no tools in my set to prevent it from executing its initialization code or similar. Then, by the time I'm able to check via SecCode/SecTask functions the LaunchCodeRequirement, I might have already ran malicious code - if mycommandlinetool was maliciously replaced. Or does the operating system use a daemon to copy the executable specified for Process to a secure location, then creates the SecStaticCode object, assesses the LaunchCodeRequirement and if passed, launches the executable from that trusted location (which would make sure it is immutable for replacement by malicious actors)? I have a hard time understanding how this works under the hood - if I remember correctly these are private APIs.

Hi there, We've discovered a problem with our iOS app. We've been attempting to add a Driverkit driver to it, but any time we run the app through Testflight, the driver installs fine, but when we go to enable the driver toggle in the app's settings, the toggle stays on, but in the device logs I can see: could not insert bundle at <private> into manager: <private> As you would expect - this means the driver is not actually enabled and does not respond to a device being connected to the iPad. This does not happen when building & running the app locally, nor does it happen when installing an Ad Hoc build. We also have a different app, not yet shipped. We are able to add the driver to that app without issue. It works after going through Testflight. What we have discovered now is that everything works fine even if we just create an entirely new app with it's own bundle IDs. I should point out that in all cases, we're keeping the capabilities the same for each of these apps/IDs - including the managed capabilities. The bundle IDs that have this problem are older (5 years old or more). It seems like any newer ID will work, but trying to add the driver (and the associated managed capabilities) to an older app/ID results in this vague error message, with no further details. If we inspect the resulting dexts, we can also see that the "Internal requirements code size" is different on the ones that fail. The failing ones have a size of 204 bytes, whereas the working ones all have a size of 220 bytes. Not sure if that's related but it's strikingly consistent. Does this mean there is an issue with older app IDs, and we need Apple to manually refresh them in some way before the driverkit capabilities will work after going through Testflight? We have two apps in this state, both are of the same vintage (~5 years+). We've been battling this issue for months on and off, so would appreciate some help.

I’ve developed a macOS app, but I’ve had trouble using a script to fully codesign it and package it into a .dmg file. I was only able to complete codesigning using the third-party app itself—not via command-line scripts. Is it possible to write a script that automates the entire process of codesigning the app? To provide the best user experience for those downloading the app outside of the Mac App Store, is it correct to first package it as a .app and then wrap that into a .dmg file for distribution? Currently, the app is available on the web as a .dmg. When downloaded, it appears in a folder and can be double-clicked to launch. However, macOS displays a warning that it was downloaded from the internet. Can I use a script to remove that quarantine warning? If possible, I’d appreciate a step-by-step explanation and a sample command-line script to: Codesign the app properly Package it into a signed .dmg Remove the quarantine attribute for local testing or distribution Is the reason I was only able to codesign it inside the third-party app due to how that app was built, or can this always be done from the command line?

I am packaging an app with QtWebEngine in it, after codesign the app and the QtWebEngine Framework, the app can run properly. The codesign result is: valid on disk staisfies its Designated requirements Then I notarized and stapled the dmg file, after the dmg installed on Mac, gatekeeper still failed the check. Here is the result for spctl: spctl -a -t open -vvv --context context:primary-signatue Remote\ Graphics\ Workstation_.dmg Remote Graphics Workstation_.dmg: rejected source=Insufficient Context Need help to identify the codesign process and the root cause why gatekeeper fail here, thanks.

Hello, After my developer Id had expired after 5 years, I created a new one, codesigned the app successfully, but could not notarize: xcrun notarytool submit mac_release/flow5.zip --keychain-profile "XFLR5" --wait Conducting pre-submission checks for flow5.zip and initiating connection to the Apple notary service... Error: HTTP status code: 401. Invalid credentials. Username or password is incorrect. Use the app-specific password generated at appleid.apple.com. Ensure that all authentication arguments are correct I don't think I was using an app specific password before, but the last time I went through this process was 5 years ago. Thanks in advance for any help.

I have a werid case that shouldn't happen according to https://forums.developer.apple.com/forums/thread/706390 I have an audio unit which runs in FCP and I want it to launch a sandboxed app as a child process. If I sign the child app with just "com.apple.security.app-sandbox" entitlement it crashes with SYSCALL_SET_PROFILE error. According to the article referenced above: "This indicates that the process tried to setup its sandbox profile but that failed, in this case because it already has a sandbox profile." This makes sense because audio units run in a sandboxed environment (in AUHostingService process). So I added "com.apple.security.inherit" to the entitlements plist and now I get "Process is not in an inherited sandbox." error. According to the article referenced above: "Another cause of a trap within _libsecinit_appsandbox is when a nonsandboxed process runs another program as a child process and that other program’s executable has the com.apple.security.app-sandbox and com.apple.security.inherit entitlements. That is, the child process wants to inherit its sandbox from its parent but there’s nothing to inherit." And this doesn't make sense at all. The first error indicates the child process is trying to create a sandboxed environment within a parent sandboxed environment while the second error indicates there's no a parent sandboxed environment... I specifically checked the child process has "com.apple.security.app-sandbox" and "com.apple.security.inherit" entitlements only. If I remove all entitlements from the child process it launches and runs fine from the audio unit plugin. And if I remove "com.apple.security.inherit" but leave "com.apple.security.app-sandbox" I can successfully launch the app in standalone mode (in Finder). For the testing puroses I use a simple Hello World desktop application generated by XCode (Obj-C). Does anybody have an idea what can be the reason for such a weird behavior?

Hello Apple Support, While attempting to staple a notarization ticket for our signed installer package, the stapler command fails with Error 65. Upon investigation, we found that connections to oscdn.apple.com present an SSL certificate issued to a248.e.akamai.net, which does not include oscdn.apple.com in its Subject Alternative Name (SAN). This mismatch prevents our macOS environment from validating tickets and completing the stapling process. Steps tried: Verified notarization status (Accepted). DNS flushed, tried different DNS (8.8.8.8, 1.1.1.1). curl to oscdn.apple.com consistently fails with SSL error 60. Please advise on resolving this certificate mismatch. also when I try to run the stapler command with my pkg "xcrun stapler staple/Users/mactest/Desktop/IPMPlus_Macos_Installer.signed.pkg" getting the output like :- Processing: /Users/mactest/Desktop/IPMPlus_Macos_Installer.signed.pkg Could not validate ticket for /Users/mac-test/Desktop/IPMPlus_Macos_Installer.signed.pkg The staple and validate action failed! Error 65. please help Thank you.

Hi, I have created a conda python environment which I have packaged into a .tar.gz (using conda-pack) and which runs correctly when extracted (in this example, it only contains the scipy package). However, when I sign the necessary files within the environment (i.e. the binaries, the dylibs, the .so files), attempting to load scipy.sparse now fails with the error "mapped file has no cdhash, completely unsigned" about one of the .so files. Furthermore, I believe that this file does in fact have a cdhash. The signing process represented by my example below has been working for about a year, and I am unsure why it has suddenly stopped working. I am on a 2020 MacBook Pro with an i7 processor and running Sequoia 15.1.1. Here is a minimal example showing the creating of the conda environment, codesigning, and the error message. Many thanks in advance! # Create and activate conda env > conda create -y -n mwe_env python=3.10 > conda activate mwe_env # Verify scipy not initially installed (mwe_env) > python Python 3.10.16 (main, Dec 11 2024, 10:24:41) [Clang 14.0.6 ] on darwin Type "help", "copyright", "credits" or "license" for more information. >>> import scipy Traceback (most recent call last): File "<stdin>", line 1, in <module> ModuleNotFoundError: No module named 'scipy' (mwe_env) > pip install scipy Collecting scipy Downloading scipy-1.15.2-cp310-cp310-macosx_14_0_x86_64.whl.metadata (61 kB) Collecting numpy<2.5,>=1.23.5 (from scipy) Downloading numpy-2.2.4-cp310-cp310-macosx_14_0_x86_64.whl.metadata (62 kB) Downloading scipy-1.15.2-cp310-cp310-macosx_14_0_x86_64.whl (25.1 MB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 25.1/25.1 MB 17.3 MB/s eta 0:00:00 Downloading numpy-2.2.4-cp310-cp310-macosx_14_0_x86_64.whl (7.0 MB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 7.0/7.0 MB 16.4 MB/s eta 0:00:00 Installing collected packages: numpy, scipy Successfully installed numpy-2.2.4 scipy-1.15.2 (mwe_env) > python Python 3.10.16 (main, Dec 11 2024, 10:24:41) [Clang 14.0.6 ] on darwin Type "help", "copyright", "credits" or "license" for more information. >>> import scipy.sparse >>> # success! # Package conda env (mwe_env) > conda-pack --output mwe_env.tar.gz --name mwe_env Collecting packages... Packing environment at '/path/to/my/conda/envs/mwe_env' to 'mwe_env.tar.gz' [########################################] | 100% Completed | 7.8s (mwe_env) > conda deactivate > mkdir mwe_dir && cd mwe_dir > tar -xzvf ../mwe_env.tar.gz > source bin/activate (mwe_dir) > python Python 3.10.16 (main, Dec 11 2024, 10:24:41) [Clang 14.0.6 ] on darwin Type "help", "copyright", "credits" or "license" for more information. >>> import scipy.sparse >>> # success! # Sign the binaries and .dylibs and .so files (mwe_dir) > find bin -type f | xargs -n1 xcrun codesign -f -o runtime --timestamp --sign "Developer ID Application: MY_TEAM_ID" (mwe_dir) > find . -name "*.dylib" -o -name "*.so" -type f | xargs -n1 xcrun codesign -f -o runtime --timestamp --sign "Developer ID Application: MY_TEAM_ID" # the second command prints many lines saying it is "replacing existing signature" (mwe_dir) > python Python 3.10.16 (main, Dec 11 2024, 10:24:41) [Clang 14.0.6 ] on darwin Type "help", "copyright", "credits" or "license" for more information. >>> import scipy.sparse Traceback (most recent call last): File "<stdin>", line 1, in <module> File "/path/to/mwe_dir/conda_env/lib/python3.10/site-packages/scipy/sparse/__init__.py", line 315, in <module> from . import csgraph File "/path/to/mwe_dir/conda_env/lib/python3.10/site-packages/scipy/sparse/csgraph/__init__.py", line 187, in <module> from ._laplacian import laplacian File "/path/to/mwe_dir/conda_env/lib/python3.10/site-packages/scipy/sparse/csgraph/_laplacian.py", line 7, in <module> from scipy.sparse.linalg import LinearOperator File "/path/to/mwe_dir/conda_env/lib/python3.10/site-packages/scipy/sparse/linalg/__init__.py", line 134, in <module> from ._eigen import * File "/path/to/mwe_dir/conda_env/lib/python3.10/site-packages/scipy/sparse/linalg/_eigen/__init__.py", line 9, in <module> from .arpack import * File "/path/to/mwe_dir/conda_env/lib/python3.10/site-packages/scipy/sparse/linalg/_eigen/arpack/__init__.py", line 20, in <module> from .arpack import * File "/path/to/mwe_dir/conda_env/lib/python3.10/site-packages/scipy/sparse/linalg/_eigen/arpack/arpack.py", line 50, in <module> from . import _arpack ImportError: dlopen(/path/to/mwe_dir/conda_env/lib/python3.10/site-packages/scipy/sparse/linalg/_eigen/arpack/_arpack.cpython-310-darwin.so, 0x0002): tried: '/path/to/mwe_dir/conda_env/lib/python3.10/site-packages/scipy/sparse/linalg/_eigen/arpack/_arpack.cpython-310-darwin.so' (code signature in <5DD8FC01-7360-3DB9-8273-C8A45ABB19A9> '/path/to/mwe_dir/conda_env/lib/python3.10/site-packages/scipy/sparse/linalg/_eigen/arpack/_arpack.cpython-310-darwin.so' not valid for use in process: mapped file has no cdhash, completely unsigned? Code has to be at least ad-hoc signed.), '/System/Volumes/Preboot/Cryptexes/OS/path/to/mwe_dir/conda_env/lib/python3.10/site-packages/scipy/sparse/linalg/_eigen/arpack/_arpack.cpython-310-darwin.so' (no such file), '/path/to/mwe_dir/conda_env/lib/python3.10/site-packages/scipy/sparse/linalg/_eigen/arpack/_arpack.cpython-310-darwin.so' (code signature in <5DD8FC01-7360-3DB9-8273-C8A45ABB19A9> '/path/to/mwe_dir/conda_env/lib/python3.10/site-packages/scipy/sparse/linalg/_eigen/arpack/_arpack.cpython-310-darwin.so' not valid for use in process: mapped file has no cdhash, completely unsigned? Code has to be at least ad-hoc signed.) # But: (mwe_dir) > xcrun codesign -dvvv /path/to/mwe_dir/lib/python3.10/site-packages/scipy/sparse/linalg/_eigen/arpack/_arpack.cpython-310-darwin.so Executable=/path/to/mwe_dir/lib/python3.10/site-packages/scipy/sparse/linalg/_eigen/arpack/_arpack.cpython-310-darwin.so Identifier=_arpack.cpython-310-darwin Format=Mach-O thin (x86_64) CodeDirectory v=20400 size=4318 flags=0x10000(runtime) hashes=129+2 location=embedded Library validation warning=OS X SDK version before 10.9 does not support Library Validation Hash type=sha256 size=32 CandidateCDHash sha256=816731ecd1ad01b38555cbfef8c000628696d0ca CandidateCDHashFull sha256=816731ecd1ad01b38555cbfef8c000628696d0ca53376aebf6fae28d8c02f519 Hash choices=sha256 CMSDigest=816731ecd1ad01b38555cbfef8c000628696d0ca53376aebf6fae28d8c02f519 CMSDigestType=2 CDHash=816731ecd1ad01b38555cbfef8c000628696d0ca Signature size=9000 Authority=Developer ID Application: MY_TEAM_ID Authority=Developer ID Certification Authority Authority=Apple Root CA Timestamp=2 Apr 2025 at 16:24:52 Info.plist=not bound TeamIdentifier=MY_TEAM_ID Sealed Resources=none Internal requirements count=1 size=188

Hello, I've notarised my app like this: ` codesign codesign --force --deep --entitlements "/Users/username/myapp/myapp.app/Contents/app.entitlements" --sign "Developer ID Application: Username (my team id)" "/Users/username/myapp/myapp.app" codesign -v /Users/username/myapp/myapp.app ` ` create .zip file ditto -c -k --keepParent "myapp.app" "myapp.zip" ` ` submit binary to Apple xcrun notarytool submit Shalloville.zip --apple-id "my icloud" --password "xxxx-xxxx-xxxx-xxxx" --team-id "my team id" ` Is there anything wrong? I submitted the .zip file on 27/11 and it's still "In Progress". Successfully received submission history. history -------------------------------------------------- createdDate: 2024-11-29T16:05:44.609Z id: eccf6248-4f2f-4cc1-bb90-88cf13aa08a0 name: Shalloville.zip status: In Progress -------------------------------------------------- createdDate: 2024-11-27T08:57:56.373Z id: 7d9887dc-6bf8-4e39-bcbe-0f22d02dce4f name: Shalloville.zip status: In Progress -------------------------------------------------- createdDate: 2024-11-27T07:05:05.544Z id: 84c08d62-189d-48b2-80d9-170ddc3edb67 name: Shalloville.zip status: In Progress

Hi all, I'm developing a simple Finder Sync Extension, using Xcode 16.3. When running in Debug with Xcode, everything works fine. Instead, when compiling in Release and launching the containing app (by double-clicking on it), the Extension is not recognized (neither loaded) by the system. The only difference between Debug and Release stands in Signing configuration: Debug: Release: As you can see, in Release I'm using a Provisiong Profile, configured with my company's Developer ID. I'm wondering if Capabilities and Entitlements are not what is needed by my app. Anyway, I have no idea what the issue is. Any suggestion will be appreciated. Thank you in advance _Alex

Hey there, I'm experiencing an issue with notarization of my macOS application, which is blocking a release. We have signing/notarization hooked up to our CI process, both for prior releases as well as development builds (at the trunk tip). The notarization process has typically taken anywhere from a few minutes to a few tens of minutes, but for our most recent release, it's taking an unreasonably long time. I've compiled the submission info for each build (+ reattempted notarizations) below. What's interesting is that the oldest one was accepted- however, it timed out our CI process, so we never actually released it. Subsequent builds are more or less identical in terms of their content, however, they've been stewing in the notarization process for over 13 hours in some cases. % xcrun notarytool info 67413dae-64f5-4372-972d-e0ac158e18e3 Successfully received submission info createdDate: 2025-04-02T16:28:25.999Z id: 67413dae-64f5-4372-972d-e0ac158e18e3 name: Warp Vault.app.zip status: In Progress % xcrun notarytool info 0c72b243-4a8d-4976-a97b-75689d7e2497 Successfully received submission info createdDate: 2025-04-02T05:49:05.861Z id: 0c72b243-4a8d-4976-a97b-75689d7e2497 name: Warp Vault.app.zip status: In Progress % xcrun notarytool info 8e2edfc2-58bc-4b33-bc8e-078155759a81 Successfully received submission info createdDate: 2025-04-02T05:23:28.870Z id: 8e2edfc2-58bc-4b33-bc8e-078155759a81 name: Warp Vault.app.zip status: In Progress % xcrun notarytool info 8fb17b0c-ace4-4b6f-bef8-68d22696814d Successfully received submission info createdDate: 2025-04-02T05:07:48.187Z id: 8fb17b0c-ace4-4b6f-bef8-68d22696814d name: Warp Vault.app.zip status: Accepted At the time of checking, the UTC date was: % TZ="UTC" date Wed Apr 2 18:42:14 UTC 2025 It's interesting to me that the notarization process is taking this long. We've notarized many development builds (with debugging flags enabled) in the time between our last public release and our attempt to notarize this one. What's more, the original build for this release was notarized within the span of about 15 minutes, but subsequent submissions of the same build have hung for tens of hours. My two questions are: How can I get our pending notarizations "unstuck"?, and To prevent these types of hangs in the future, should I also routinely build/sign/notarize non-debug builds of my application during the development process? Best regards and many thanks, Charlton

I am working on releasing my macOS arm64 app. My problem is that after the user downloads the dmg, double-clicking my.app in the dmg, a Gatekeeper pop-up box will appear with a warning that the developer cannot be verified. Question: Can an application signed with "com.apple.security.cs.disable-library-validation" be published as trusted? If yes, what steps have I missed? If not, can I get an official response from Apple? （Because I referred to this post, it seems to mention that it is possible to publish trusted software.I have looked up similar questions on the forum and tried many things, but nothing works. ） Here are my steps: Use the codesign to sign my.app. Because my app needs to access third-party dynamic libraries, entitlements.plist contains a "com.apple.security.cs.disable-library-validation". After the "codesign -dvvv" check, the signature was successful.✅ Use the "xcrun notarytool" command to notarize my app, and the status is displayed as accepted.✅ Use "xcrun stapler staple" to attach the notarization to my app, and it returns success.✅ Use the "spctl -a -v " command to verify whether my app has passed Gatekeeper, and it returns that it has passed.✅ Then I packaged my.app into a dmg, and then attached the notarization mark to the dmg, which was successful.✅ I completed the above steps and distributed the dmg. When I downloaded the dmg as a user test and double-clicked my.app in it, the Gatekeeper pop-up box still appeared, and the developer cannot be verified.❌

After signing and notarizing our application, the entitlement “com.apple.security.get-task-allow” is removed. However, we want this entitlement to remain and we want to be able to create a corefile when needed. Is it possible to make the “com.apple.security.get-task-allow” entitlement persistent after signing and notarizing, so that our application can create a corefile?

Hi, I've code-signed my app and notarized it, and created a DMG, and when I slacked it or airdropped it to someone for testing the FIRST time they open it, they get a warning that it was Slacked or airdropped to them and do they want to open it. if they say yes everything is fine. So looking through here someone said I need to sign the app and then make a dmg and sign the dmg and then send that for notorization and then staple that. So I did, and I still get a warning the first tie someone try's to run it. What am I doing wrong? I know I can buy software and not get a warning from apple. so how do I get my app to work correctly like that?

Hi, I'm getting error 65 upon stapling and I am suspecting that non-default trust settings may be the reason as outlined here: Unfortunately whatever I do, I can't seem to reset the trust settings to their default values (removing the blue/white "+"), I'm not being asked for credentials upon closing the certificate window. I have also tried to unlock the System Roots key chain, to no avail. Also, when running security dump-trust-settings -d I get Number of trust settings : 0 for all certificates. Any ideas as to what I may be doing wrong? Is there any other setting that may be involved? Thanks!

Hi, I am working on a personal HIDDriverKit project. The documentation suggests that you do not need the entitlements from Apple to do local development - that all you need to do is turn of SIP, enable developer mode, and turn signing to "Sign to Run Locally". However, I have followed all of these steps, and am still running into the error that to build, I need to have a provisioning profile with the DriverKit (development) feature (MacOS 15.2 Xcode 16.2). Am I missing something here regarding the steps for local development? Does one need to request a development version of the entitlements even for local development? Do I need a paid developer account to do this? Thank-you in advance.

mac .cer证书不能导出.p12证书 不知道那个步骤出错

Hi at all, is there a way to count how many files have been marked with the codesign? Thanks in advance

Hi everyone, I’ve been struggling for days with a recurring issue in my iOS app build. The build fails with the following error: Provisioning profile "iOS Team Provisioning Profile: com.myapp.bundleid" doesn't include the com.apple.InAppPurchase entitlement. Here’s what I’ve already tried: Created a new Bundle ID with correct capabilities (In-App Purchase, Push Notifications, Sign in with Apple). Created a new provisioning profile manually from Apple Developer Console. Used EAS CLI (Expo) and Xcode to regenerate all certificates and provisioning profiles. Ensured that the In-App Purchase capability is enabled in the App ID (it's greyed out but enabled). Made sure all subscriptions and products in App Store Connect are “Ready to Submit”. Followed all steps from RevenueCat and Apple documentation. Cleaned entitlements in .entitlements file and tried both and variations. Tried building both locally and with EAS – same error every time. Sent multiple tickets to Apple Developer Support, but no helpful reply yet. Extra Notes: I'm using react-native-purchases and RevenueCat, already integrated and working before this started. The error began randomly; before that, I was able to build successfully with in-app purchases. Even creating a completely fresh app from scratch results in the same entitlement missing error. Has anyone faced this exact problem where the provisioning profile fails to include com.apple.InAppPurchase, even though everything is correctly set up? Any help or insights would be greatly appreciated. Thanks in advance!