You can now easily request access to managed capabilities for your App IDs directly from the new Capability Requests tab in Certificates, Identifiers & Profiles > Identifiers. With this update, view available capabilities in one convenient location, check the status of your requested capabilities, and see any notes from Apple related to your requests. Learn more about capability requests.

General: Forums topic: Code Signing Forums subtopics: Code Signing > General, Code Signing > Certificates, Identifiers & Profiles, Code Signing > Notarization, Code Signing > Entitlements Forums tags: Code Signing, Signing Certificates, Provisioning Profiles, Entitlements Developer Account Help — This document is good in general but, in particular, the Reference section is chock-full of useful information, including the names and purposes of all certificate types issued by Apple Developer web site, tables of which capabilities are supported by which distribution models on iOS and macOS, and information on how to use managed capabilities. Developer > Support > Certificates covers some important policy issues Bundle Resources > Entitlements documentation TN3125 Inside Code Signing: Provisioning Profiles — This includes links to the other technotes in the Inside Code Signing series. WWDC 2021 Session 10204 Distribute apps in Xcode with cloud signing Certificate Signing Requests Explained forums post --deep Considered Harmful forums post Don’t Run App Store Distribution-Signed Code forums post Resolving errSecInternalComponent errors during code signing forums post Finding a Capability’s Distribution Restrictions forums post Signing code with a hardware-based code-signing identity forums post New Capabilities Request Tab in Certificates, Identifiers & Profiles forums post Isolating Code Signing Problems from Build Problems forums post Investigating Third-Party IDE Code-Signing Problems forums post Determining if an entitlement is real forums post Code Signing Identifiers Explained forums post Mac code signing: Forums tag: Developer ID Creating distribution-signed code for macOS documentation Packaging Mac software for distribution documentation Placing Content in a Bundle documentation Embedding nonstandard code structures in a bundle documentation Embedding a command-line tool in a sandboxed app documentation Signing a daemon with a restricted entitlement documentation Defining launch environment and library constraints documentation WWDC 2023 Session 10266 Protect your Mac app with environment constraints TN2206 macOS Code Signing In Depth archived technote — This doc has mostly been replaced by the other resources linked to here but it still contains a few unique tidbits and it’s a great historical reference. Manual Code Signing Example forums post The Care and Feeding of Developer ID forums post TestFlight, Provisioning Profiles, and the Mac App Store forums post For problems with notarisation, see Notarisation Resources. For problems with the trusted execution system, including Gatekeeper, see Trusted Execution Resources. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"

In Xcode, under Signing & Capabilities (Release) for our bundle ID the selected provisioning profile does include the entitlement: com.apple.developer.payment-pass-provisioning However, when we upload a new build to TestFlight, the Build Metadata → Entitlements section for the same bundle ID does not include com.apple.developer.payment-pass-provisioning. Because of this, PKAddPaymentPassViewController does not open in TestFlight builds. This suggests that while the entitlement is enabled for the App ID and visible in Xcode, it may not yet be propagated to App Store Connect’s signing service for TestFlight/App Store builds. Please Note: The Wallet Entitlements team had confirmed that they had granted entitlements for our team and the apple IDs Xcode : 26.0.1 Profile being used: Distribution Profile

I'm submitting my first macOS app (an Electron app, signed with Developer ID Application certificate and hardened runtime) for notarization using xcrun notarytool submit with App Store Connect API key authentication. All 6 of my submissions have been stuck at "In Progress" for over 24 hours now. The oldest submission is 27+ hours old. None have transitioned to Accepted or Invalid. Here's what I've verified: Code signing is valid: codesign --verify --deep --strict passes Hardened runtime is enabled Uploads succeed: Each submission receives a valid submission ID and the file uploads successfully to Apple's servers API key auth is working: Using App Store Connect API key (.p8 file), Key ID, and Issuer ID Tried both locally and via GitHub Actions CI — same result Polling Apple's status endpoint eventually times out with NSURLErrorDomain Code=-1001 "The request timed out" when checking https://appstoreconnect.apple.com/notary/v2/submissions/<id> Logs are not available (notarytool log returns "not yet available" for all submissions) Apple Developer System Status shows "Developer ID Notary Service" as Available Submission history: createdDate: 2026-02-04T20:27:16Z — status: In Progress createdDate: 2026-02-04T16:45:18Z — status: In Progress createdDate: 2026-02-04T13:40:23Z — status: In Progress createdDate: 2026-02-04T12:29:52Z — status: In Progress createdDate: 2026-02-04T11:26:36Z — status: In Progress createdDate: 2026-02-04T11:21:39Z — status: In Progress Entitlements used: com.apple.security.cs.allow-jit com.apple.security.cs.allow-unsigned-executable-memory com.apple.security.cs.disable-library-validation com.apple.security.network.client com.apple.security.files.user-selected.read-write This is my first time notarizing any app on this developer account. I've seen other threads mentioning that first-time submissions can be "held for in-depth analysis," but 24+ hours with no feedback at all seems excessive. Is anyone else currently experiencing this? Is there anything I can do to unblock my account's notarization queue, or do I just need to wait? Any guidance from DTS would be greatly appreciated. I've also emailed Apple Developer Support but haven't received a response yet.

Okay, I just pushed a release and notarized. Works great on my test laptop (macOS 26.2) and my test desktop (macOS 14.x) But it seems to fail for a friend who's running macOS 15. I've been using the same GitHub actions successfully for months. How can notarization work for macOS 14 and 26, but not for macOS 15? I think everything looks okay as far as the signing? I've checked codesign -dvv Executable=/Applications/Avogadro2.app/Contents/MacOS/Avogadro2 Identifier=cc.avogadro Format=app bundle with Mach-O thin (arm64) CodeDirectory v=20500 size=11607 flags=0x10000(runtime) hashes=352+7 location=embedded Signature size=8986 Authority=Developer ID Application: Geoffrey Hutchison (…..) Authority=Developer ID Certification Authority Authority=Apple Root CA Timestamp=Feb 5, 2026 at 8:47:21 PM Info.plist entries=24 TeamIdentifier=….. Runtime Version=15.5.0 Sealed Resources version=2 rules=13 files=3306 Internal requirements count=1 size=172 And from spctl -a -vv /Applications/Avogadro2.app: accepted source=Notarized Developer ID origin=Developer ID Application: Geoffrey Hutchison (….)

Hi guys, I am new to the Apple Developer Program (enrolled a few days ago) and this is my first app notarization attempt. I've been experiencing significant delays - all submissions have been stuck at "In Progress" for over 24 hours. Details: macOS app signed with Developer ID Application certificate Using xcrun notarytool with app-specific password Hardened runtime enabled codesign --verify --deep --strict passes Team ID: QVHM976XC5 Submission IDs (all stuck "In Progress"): 5f494a89-0db0-4cc6-944f-ca2fe399e870 (latest - 8+ hours) 938f6b8d-0d00-45f5-861d-68fe470df6c2 d0edcbfe-8464-455f-b077-bebaa5b9aab7 I understand new developers may experience longer initial processing, but 24+ hours seems excessive. Is there anything I should check or any additional steps required for new accounts? Any guidance appreciated.

We are experiencing notarization submissions that remain in the “In Progress” state for an extended period (over 24 hours), with no status transition and no submission log available. This is occurring in an automated CI environment using the Notary REST API (non-interactive submission and polling). Re-submitting the same package only results in additional submissions also stuck in “In Progress”. There does not appear to be any API mechanism to cancel, clear, or expire these submissions once they are created. We have already opened an Apple Developer Support case regarding this issue (Case ID: 102818066745 & 102819008943), but have not yet received clarification on what is causing these long-running “In Progress” states. This issue is impacting our production release pipeline, as we are unable to reliably complete notarization for signed packages within an expected timeframe. Based on other reports in this forum (including thread 811968), this behavior appears similar to cases where notarization requests were delayed due to backend backlog or in-depth analysis. We would appreciate clarification on the following: Is it expected behavior for notarization submissions to remain in “In Progress” for such a long period without logs? Is client-side timeout and re-submission the recommended handling for CI workflows? Are there known service-side conditions (e.g. analysis backlog) that could explain this behavior? Any guidance from Apple DTS or others who have encountered this would be greatly appreciated.

I'm currently observing a problem similar to this thread https://developer.apple.com/forums/thread/737334 The difference is that this is happening after updating a system extension. Basically same error, sysextd complains it can not check that the system extension is notarized: macOS Error 3 + Error code=-67050. I think macOS (Sequoia 15.3.2 or 15.7.2 if it matters) is wrong in this case for the following reasons: when using spctl assess -t install, the system extension is reported to be correctly notarized. when restarting the Mac, the updated system extension is correctly checked and staged. if I run spctl assess before sysextd tries to check the system extension, it works. I'm currently thinking of 2 reasons why the check does not work: sysextd is somehow trying to work with a cached assessment that has become invalid after the system extension was updated. macOS needs way more time between the update of the files and the request to update the staged extension. I tried adding a 5-second delay. This does not seem to work or at least reliably. I tried just touching the system extension, no positive result. Unfortunately, in macOS Sequoia, it is not possible anymore to reset-default using spctl and see if it solves the issue, at least the next time the update is performed. [Q] Is there some magic operation that would help macOS correctly check the notarization of an updated system extension?

Hello, I'm experiencing a persistent issue where all my notarization submissions remain stuck in "In Progress" indefinitely. This has been happening for the past several days, affecting multiple submissions. Environment: macOS 26.2 (Build 25C56) Using xcrun notarytool submit for submissions Team ID: M3FN25UQK2 Timeline of the issue: Starting from January 2nd, 2026, my submissions began getting stuck in "In Progress" As of January 6th, I have 6+ submissions that have been "In Progress" for 24-72+ hours Prior to this, notarization was working normally (I have multiple "Accepted" submissions from January 1st) What I've tried: Verified my Developer ID Application certificate is valid and properly installed Checked Apple Developer System Status page (shows "Operational") Verified code signatures using codesign -vvv --deep --strict Contacted Apple Developer Support (no response yet) Checked my Apple Developer account for any pending agreements or warnings (none found) Is there any known issue affecting notarization processing, or could my Team ID be rate-limited/flagged? Any guidance on how to resolve this would be greatly appreciated. Thank you!

Hi Apple Developer Relations / Notary Service Team, CRITICAL: All notarization submissions stuck "In Progress" since Feb 1, 2026 (5+ days). Blocking product release. Latest (PRIORITY): 9bf1e3ca-33ed-4185-816c-2e06ff539f25 Stuck submissions: a9f1abf6-04a1-462c-b7d1-91e834b44c1a 94a172f8-4aa6-475c-a7ec-fd83c8cfc49a e2c033da-a1d0-480c-a3b5-5401a8dd3d03 eecefd87-8bf9-496c-86c8-c6f0d6a550e0 b1d27d30-7111-4cc7-9f0e-3f44aac43a97 Details: Team ID: JA8C8B5W34 App: 323MB DMG (codesign verified) notarytool log: "not available" (In Progress) Status page: Green Requests: Process 9bf1e3ca-33ed-4185-816c-2e06ff539f25 Queue status / ETA? @Quinn or Notary team - production blocker!

Hi, we are sending MacOS apps packaged in a ZIP archive or DMG disk image to the Notary Service. Before we send the app for notarization, we check the code signature via command codesign -vvv --deep --strict /path/to/app_or_bundle The result is positive and it does not provide any gaps. (And yes, we are following the inside out code signing approach, mentioned at Using the codesign Tool's --deep Option Correctly) Unfortunately, the result of the Notary service provided that one file has no signature, which was not detected by the signature verification command. The path of the binary was in <app_name>.app.zip/<app_name>.app/Contents/Resources/inst/<binary> How I can be verify like a the Notary service does it on our side? Best regards, Stefan

I'm trying to enable Music Kit for my key however I keep seeing this message "There are no identifiers available that can be associated with the key" even though my identifier has music kit enabled. Can someone help out with this?

Hello, We are currently using Apple Notarization (notarytool) for distributing a macOS app, and we are experiencing very long notarization times for large app bundles. [Issue] For apps with large binary sizes, notarization consistently takes around 3.5 to 4.5 hours from submission to completion. This delay is causing practical issues in our release pipeline, especially when: A hotfix or urgent update is required Multiple builds must be notarized in a short time CI/CD-based distribution is expected to complete within a predictable timeframe [Environment] Platform: macOS Notarization method: notarytool Distribution: Outside Mac App Store App size: 100 GB~ (compressed ZIP) Signing: Hardened Runtime enabled, codesigned correctly Submission status: Successfully accepted, but processing time is very long [What we have confirmed] The notarization eventually succeeds (no failures) Re-submitting the same build shows similar processing times Network upload itself completes normally; the delay is in Apple-side processing Smaller apps complete notarization much faster [Questions] Is a 3–4+ hour notarization time expected behavior for large macOS apps? Are there recommended best practices to reduce notarization processing time for large binaries? For example, splitting components, adjusting packaging, or specific signing strategies Is there any official guidance or limitation regarding notarization queueing or processing based on app size? Are there known service-side delays or regional differences that could affect processing time? Any insight or confirmation would be greatly appreciated, as this directly impacts our production release workflow. Thank you.

I've signed an app, zipped it, and uploaded it to github. When I download it on another Mac, I get "it can't be opened because it could not be verified for malware". But on that computer, I can verify it with codesign, and it appears to be correct (as far as I can tell). I can copy/paste the app from my other Mac, and that copy will run without problem. sys_policy, however, gives: Notary Ticket Missing File: ReView.app Severity: Fatal Full Error: A Notarization ticket is not stapled to this application. Type: Distribution Error This is the same for the copy that runs, and the copy that doesn't. The difference between them appears to be a quarantine xattr. I can delete this, and the app launches without incident. Is this expected? Why should a signed app be quarantined just because it's been downloaded? The whole point of paying the fee is to avoid the security obstacles...! ;-)

These have been stuck in progress for a long time. Usually this process is fairly quick for this app: id: 92caae7f-1796-4928-bb35-72f5f2667786 id: 3645e93f-a8ac-4826-8a4a-690f980dde8e id: 3645e93f-a8ac-4826-8a4a-690f980dde8e What can be done, it is holding back deployments :(

I’m working on an iOS VPN app and looking into using NETunnelProvider (Packet Tunnel) for the VPN implementation. From the documentation it seems that Packet Tunnel is required for VPN protocols like OpenVPN, but the Packet Tunnel capability doesn’t appear to be available by default. Does using NETunnelProvider / Packet Tunnel require a special entitlement to be enabled by Apple for App Store apps? If so, what is the general process for requesting or enabling that entitlement?

I’m trying to notarize an Electron app for distribution outside the Mac App Store, but every submission is rejected with error 7000. Team Details: Team ID: P3HATASMP9 Organization: Rose Ai Labs, Inc. Role: Account Holder Apple Developer Program: Active membership Certificate: Type: Developer ID Application Identity: “Developer ID Application: Rose Ai Labs, Inc. (P3HATASMP9)” Status: Valid in Keychain Access with full certificate chain App Details: Platform: macOS (Electron) Hardened runtime: Enabled Code signing: Successful (codesign -v passes) Submission History (all rejected with same error): Jan 20, 2026: d2f5e812-d443-4858-895e-ca9828f65d6b Jan 20, 2026: 4864e851-99d4-49df-87b8-22a6b280f4fc Jan 21, 2026: 69b177bd-5f08-4363-a2bb-1d286dd9f047 Jan 21, 2026: a181071b-e874-4794-90f3-c172b112900e Jan 21, 2026: ae3ec87f-60da-4826-91df-a247cd4fd46f Jan 21, 2026: b7165e2f-19a8-4d4a-9e00-21e85550ec8b Jan 24, 2026: 2b83d46d-6606-450f-9ffe-cbfa0f0bf179 Jan 27, 2026: ed8ba49c-b24f-422b-9271-44dff805fb61 Error from notarytool log: status: Rejected statusCode: 7000 statusSummary: Team is not yet configured for notarization. Please contact Developer Programs Support at developer.apple.com under the topic Development and Technical / Other Development or Technical Questions. What I’ve verified: Developer ID certificate is valid and trusted Apple Worldwide Developer Relations Certification Authority chain is complete App is properly code-signed with hardened runtime Using notarytool with valid credentials (submission uploads successfully) Account Holder role with full permissions Existing support case: 102808512705 I’ve had this issue for over a week with no resolution. The error message says “Team is not yet configured for notarization” which suggests something needs to be enabled on Apple’s side. Has anyone encountered this and found a resolution?

i am creating a app on "appmysite" while it runs its build test an error message pops up saying build failed. "it seems your app build has encountered an issue. the certificate used to generate the uploaded provisioning profile does not match the uploaded certificate." I understand why its saying it because the uploaded certificate had to be uploaded as ".p12". The certificate in the provisioning profile is made of ".cert". I am using a apple mac book and a xenovo windows computer. Im simply trying to figure out how to put the ".p12" certificate into the provisioning profile? whenever i go to my developer account and try to create a new provisioning account with the new ".p12" certificate. The only options that pop up for me to select are only the certificates that are in ".cert" form. I've tried exporting through "key access" and they show up in my files but no way to transfer to my developer account to combine it with a provisioning account. Any help is greatly appreciated, this is literally the only thing keeping my app from being ready for submission to review. ive been stuck on this for 3 days.

I have been trying to package a FileMaker 18 runtime app* for Mac distribution for - oh - a year and a half on and off (the Windows version was packaged in an afternoon). I succeeded - or thought I had - until I updated to Tahoe. Now my packaging process does everything it did formerly (creates the DMG, etc.), but when opened, fails to see/load a third-party plugin (BaseElements.fmplugin). Does anyone know why this should be? I have attached 4 of my build files in the hope that someone can point me in the right direction. Thanks in advance for any advice you may provide. Regards, L *Claris deprecated the runtime feature years ago, but it still runs and is useful for proof of concept. P.S. A contributor to an earlier query kindly suggested I go down the zip file or pkg installer route, rather than the DMG route. I tried doing as much but found both as susceptible to Mac spaghetti signage. build_all.txt repair_and_sign.txt build_dmg.txt notarize_dmg.txt

We have an application which keeps throwing the error "application is damaged and cannot be opened. You should move it to Trash" I have already referred to the documentation: https://developer.apple.com/forums/thread/706379 and https://developer.apple.com/forums/thread/706442 I have checked the following possible root causes: Codesign of the application using the codesign command Notarization of the application using the spctl command Executable permissions Checked for the presence of "com.apple.quarantine" flag for the application using xattr -l <path to executables" Checked the bundle structure None of the above listed items seemed to be a problem and are as expected. Can you please help us understand what could cause this issue and how to resolve this without recommending an uninstall/reinstall of the application?