We applied months ago for the NEAppPushProvider entitlement to do air-gapped push notifications. The enterprise SAs we work with have been pushing the issue internally—but nothing has happened.
How do you actually get entitlements added to your profile? I could see a week's time, but 3 or so months now is a bit crazy.
Demystify code signing and its importance in app development. Get help troubleshooting code signing issues and ensure your app is properly signed for distribution.
"Since this app contains an App Clip, the com.apple.developer.associated-appclip-app-identifiers entitlement should be present and include the value of the App Clip's application identifier. Please add this entitlement, then resubmit". I added it, but I am still getting the warning from TestFlight. Please help to resolve this particular issue.
We have an Enterprise Apple developer account “Cisco System, Inc. “STBU” - JBF29L28EJ”. We use it to make in-house distribution for QE testing. I found that development provisioning profile in this account includes new “relay” capability in the entitlement, but in-house distribution provisioning profile doesn’t have it.
Below is the entitlement list in in-house distribution provisioning profile that doesn't include "relay":
Entitlements
<dict>
<key>com.apple.developer.networking.networkextension</key>
<array>
<string>app-proxy-provider</string>
<string>content-filter-provider</string>
<string>packet-tunnel-provider</string>
<string>dns-proxy</string>
<string>dns-settings</string>
</array>
<key>aps-environment</key>
<string>production</string>
We now cannot make in-house distribution build without this entitlement.
Since iOS 17 and Xcode 15, the following warning appears in Xcode when debugging on device:
"nw_parameters_set_source_application_by_bundle_id_internal Failed to convert from bundle ID ([Apps Bundle ID]) to UUID. This could lead to wrong data usage accounting."
What does that mean?
I'm using some CoreML models from C++. I've been trying to profile them using the CoreML Instrument in Instruments. It seems that that only works when I sign my binaries with the get-task-allow entitlement.
Is there an easier way? Ideally I'd like to be able to profile a Python program that calls my C++ code and I would rather not re-sign Python.
I signed my application in macOS 13.4, and the signed objects include all the binary files I compiled myself, and notarizing also works. It can also run normally on my version 13.4 Mac. However, when I copied this application to a computer with macOS version 11.3, it couldn't run properly.
dlopen will generate an error message, indicating that some of the dynamic libraries called by the program do not match the signature of the program itself. These dynamic libraries are from JRE, so I re-signed them and notarizing also works.
In macOS 13.4, it still runs normally, but in macOS 11.3, it will report another error:
Error occurred during initialization of VM
Could not reserve enough space for code cache
What is the reason for this and how should I handle it? Thank you in advance for any comments on this issue.
Hi, is it possible for a user to remove the implicit permission he or she gave to an app after opening a folder using a standard dialog? I'm asking this because a discussion took place with actual users reasonably arguing that the action may have been a mistake, not intentional at all, so at least we should give them a way to revert what was wrongly interpreted as intent. I believe that they are right and there should be a simple user-level way of doing that. So I looked for a way to remove the bookmark from the command line but to no avail. Thanks, Carlos.
Hi, how can I re-sign an open ipa file with my developer account and install it on my device for testing?
Thanks
I'm using the "notarytool store-credentials" command to store my access credentials for notarizing our apps from a build server through Jenkins.
The machine is a Mac Mini M1 running Ventura.
This works per se but for a reason I don't understand, I need to do this repeatedly.
When I store the credentials, it will work for the next hours but at some point the machine will "forget" the access credentials resulting in this error output:
Conducting pre-submission checks for <app name> and initiating connection to the Apple notary service...
Error: No Keychain password item found for profile: notarization
Run 'notarytool store-credentials' to create another credential profile.
I then have to run the store-credentials command again so I can use it again for the next few hours. This is obviously quite annoying especially since it's absolutely not obvious why it behaves that way.
The machine is on 24/7 and I don't see why the keychain item gets removed.
I'd appreciate any insight and would like to know what I have to do to store the credentials permanently.
Hi there,
I want to build an application that can be run on different macOS machines. That app uses libpython3.11.dylib.
It cannot just be linked with libpython because the path to the library in our binary may be different:
/System/Library/Frameworks/Python.framework/...
/usr/local/Cellar/python/3.X.Y/Frameworks/Python.framework/Versions/...
/Library/Frameworks/Python.framework/Versions/...
$(pyenv root)/versions/{VERSION}
....
I need to ensure that the application uses the Python library corresponding to the Python version that the user is using.
Attempted to make a workaround by creating a symlink to the current library and setting the library path to @executable_path/../lib/libpython3.11.dylib, but it did not work. Here's the error I encountered:
% /Users/user/Downloads/xtensa-esp-elf-gdb/bin/xtensa-esp-elf-gdb-3.11
dyld[92502]: Library not loaded: @executable_path/../lib/libpython3.11.dylib
Referenced from: <F6F408DC-F698-3545-9C75-82486ADA77BE> /Users/user/Downloads/xtensa-esp-elf-gdb/bin/xtensa-esp-elf-gdb-3.11
Reason: tried: '/Users/user/Downloads/xtensa-esp-elf-gdb/lib/libpython3.11.dylib' (code signature in <666A28FE-7CD3-384C-A727-7DE3D98625A2> '/Library/Frameworks/Python.framework/Versions/3.11/Python' not valid for use in process: mapping process and mapped file (non-platform) have different Team IDs), '/System/Volumes/Preboot/Cryptexes/OS@executable_path/../lib/libpython3.11.dylib' (no such file), '/Users/user/Downloads/xtensa-esp-elf-gdb/lib/libpython3.11.dylib' (code signature in <666A28FE-7CD3-384C-A727-7DE3D98625A2> '/Library/Frameworks/Python.framework/Versions/3.11/Python' not valid for use in process: mapping process and mapped file (non-platform) have different Team IDs), '/usr/lib/libpython3.11.dylib' (no such file, not in dyld cache)
zsh: abort
I cannot distribute libpython within the application because it requires Python modules. Moreover, the application should use Python modules that are installed on the user's system.
What can I do to make this work properly? E.g. the user has these Pythons installed:
/usr/local/Cellar/python/3.11.3/Frameworks/Python.framework/Versions/3.11...
/Library/Frameworks/Python.framework/Versions/3.11/...
Obviously, the user has only one active Python from this list. How can my application use the correct libpython?
I'm attempting to notarize and distribute a game built with Love2D. Love2D is an engine which runs games written in Lua and bundled into .love files, which are identical to .zip files. Packaging a game for Mac distribution involves cloning the Love2D Xcode project, providing your built game.love file (the zipped game content), and then signing and notarizing as with any other Mac app (see more on the Love2D wiki: https://love2d.org/wiki/Game_Distribution#Creating_a_macOS_Application).
I'm encountering an issue because my game contains compiled C binaries which the game loads at runtime. These binaries are compiled for MacOS x86 and arm64, and work perfectly in development. I am able to successfully build and sign the game with my Developer ID Application certificate and provisioning profile, but notarization of the game fails because the compiled C binaries are not signed; below is an excerpt from the audit log:
{
"severity": "error",
"code": null,
"path": "Bang_Average_Football.zip/love.app/Contents/Resources/game.love/deps/gifcatlib_arm64.so",
"message": "The binary is not signed with a valid Developer ID certificate.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
"architecture": "arm64"
},
I can sign these binaries using codesign and the same certificate as the Mac app like so (with the correct name):
codesign --sign "Developer ID Application: Firstname Lastname" --verbose=4 gifcatlib_arm64.so
After signing the binaries, the app successfully builds, and is notarized successfully without reporting any code signing issues. Hooray! The issue is that the app doesn't actually run and crashes as soon as it attempts to use any of the now-signed binaries complaining that they haven't been signed correctly. Here's a link to the full crash log; the specific error is below:
Exception Type: EXC_BAD_ACCESS (SIGKILL (Code Signature Invalid))
Exception Codes: UNKNOWN_0x32 at 0x000000010a9c8000
Exception Codes: 0x0000000000000032, 0x000000010a9c8000
Exception Note: EXC_CORPSE_NOTIFY
Termination Reason: Namespace CODESIGNING, Code 2
The same error occurs even with Hardened Runtime disabled and 'Disable Library Validation' enabled.
Is there a likely cause of this crash? Why does notarization succeed but the app essentially instacrashes? Have I signed the binaries incorrectly? Is what I'm attempting not actually possible? (can signed and unsigned binaries not really be hotswapped like this?)
Please let me know if there's any more information I should provide.
Thanks,
Ruairi
I'm trying to use the App Groups capability to enable file sharing between my multiple apps. But I'm wondering which app will be counted as the disk space occupier when I write a file to the shared path?
Thanks for your consideration.
Hello.
I am doing a migration from altool to notarytool.
I am doing the above on an enterprise network which is not able to communicate with the outside world except for some URLs and ports.
Previously, when I was using altool to notarize, I asked the administrator to open the URLs and ports by referring to the document below, and so far it has been proceeding without any problem.
[https://support.apple.com/en-us/HT210060]
The problem is that when I use notarytool to notarize, it tries to access a new domain called appstoreconnect.apple.com, which is not in the documentation above.
Do I need to ask my network administrator to allow only the above URL or others? Or is there another way to notarize without accessing that URL?
If there is any additional documentation on opening hosts and ports that I am not aware of, I would appreciate it if you could point me to it.
We are launching a commandline golang binary as a daemon. However, SecKeyCreateRandomKey does not return in macOS Sonoma.
We tried to attach entitlement to the daemon, but it's still not working. The same commandline golang binary works when we launch it as a user process.
We would like to get your support to fix this issue.
Hello,
I have read that the com.apple.security.app-sandbox entitlement is required for macOS applications distributed through the App Store.
If so, how can it be possible for an application like Microsoft Word to read/write files in the Documents folder? It should be forbidden, due to the sandbox?
Thanks
Hi,
We applied for the Tap to Pay on iPhone entitlement and were approved, but under distribution support it's only showing Development.
We can build and debug Tap to Pay on development, but are unable to build release.
We opened a ticket with Apple support but they were saying it was configured correctly. I attached a screenshot of our developer account entitlement for Tap to Pay. It clearly said Development only.
If I make a certsigningrequest to get a certificate in the developer account, it is not uploaded. I uploaded it but it does not appear. Can you help me?
Dear Sirs,
I've written a Swift App, a C++ application and a Driver Extension using DriverKit and AudioDriverKit. As it works on my development machine now I'd like to give it to some other users and so I'm trying to make a Release Build. I've created a Signing Certificate for "Apple Distribution" which I can use for my Swift App and the C++ application which also both use "com.apple.developer.driverkit.userclient-access". I've been given this entitlement and the "Distribution Support" is for "Development, Ad hoc, App Store, Developer ID". For my Driver Extension I'm using the entitlements "com.apple.developer.driverkit" and "com.apple.developer.driverkit.family.audio" which I've also been given and which show the identical "Distribution Support". But when I try to use my Signing Certificate Xcode refuses to use the provisioning profile for the Dext and says "Xcode 14 and later requires a DriverKit development profile enabled for iOS and macOS. Visit the developer website to create or download a DriverKit profile." On the other hand I have to use the same Signing Certificate for my Swift App that embeds the Dext and the Dext itself. How can I create a Signing Certificate for Release mode that works for both, the Swift App and the Dext?
Thanks and best regards,
Johannes
Hi there,
I'm in a process to move from altool to notarytool, following information found at TN3147.
First, TN3147 says the team-id is optional if my account has only one team membership, which is the case, but the notarytool says it's mandatory and I do have to use it (not an issue).
Now, the issue I face:
$ security unlock-keychain -p prorogue-stake-unused /Users/comp/Library/Keychains/my.keychain
$ xcrun altool --username $APPLEID --password "@keychain:MYPASSWORD" --notarization-history 0
.. it displays the notarization history as expected ..
but:
$ xcrun notarytool history --apple-id $APPLEID --team-id $TEAMID --password "@keychain:MYPASSWORD"
Error: HTTP status code: 401. Invalid credentials. Username or password is incorrect. Use the app-specific password generated at appleid.apple.com. Ensure that all authentication arguments are correct.
The password is supposed to work with both tools, according to TN3147. What am I missing?
Best regards,
My development certificate is configured with SensitiveContentAnalysis, and this configuration has also been added to Xcode. Error after running:
MAD request(1) returns error: Error Domain=NSOSStatusErrorDomain Code=-18 "User Safety either not entitled for client or not enabled" UserInfo={NSLocalizedDescription=User Safety either not entitled for client or not enabled}