You can now easily request access to managed capabilities for your App IDs directly from the new Capability Requests tab in Certificates, Identifiers & Profiles > Identifiers. With this update, view available capabilities in one convenient location, check the status of your requested capabilities, and see any notes from Apple related to your requests. Learn more about capability requests.

General: Forums topic: Code Signing Forums subtopics: Code Signing > General, Code Signing > Certificates, Identifiers & Profiles, Code Signing > Notarization, Code Signing > Entitlements Forums tags: Code Signing, Signing Certificates, Provisioning Profiles, Entitlements Developer Account Help — This document is good in general but, in particular, the Reference section is chock-full of useful information, including the names and purposes of all certificate types issued by Apple Developer web site, tables of which capabilities are supported by which distribution models on iOS and macOS, and information on how to use managed capabilities. Developer > Support > Certificates covers some important policy issues Bundle Resources > Entitlements documentation TN3125 Inside Code Signing: Provisioning Profiles — This includes links to the other technotes in the Inside Code Signing series. WWDC 2021 Session 10204 Distribute apps in Xcode with cloud signing Certificate Signing Requests Explained forums post --deep Considered Harmful forums post Don’t Run App Store Distribution-Signed Code forums post Resolving errSecInternalComponent errors during code signing forums post Finding a Capability’s Distribution Restrictions forums post Signing code with a hardware-based code-signing identity forums post New Capabilities Request Tab in Certificates, Identifiers & Profiles forums post Isolating Code Signing Problems from Build Problems forums post Investigating Third-Party IDE Code-Signing Problems forums post Determining if an entitlement is real forums post Mac code signing: Forums tag: Developer ID Creating distribution-signed code for macOS documentation Packaging Mac software for distribution documentation Placing Content in a Bundle documentation Embedding nonstandard code structures in a bundle documentation Embedding a command-line tool in a sandboxed app documentation Signing a daemon with a restricted entitlement documentation Defining launch environment and library constraints documentation WWDC 2023 Session 10266 Protect your Mac app with environment constraints TN2206 macOS Code Signing In Depth archived technote — This doc has mostly been replaced by the other resources linked to here but it still contains a few unique tidbits and it’s a great historical reference. Manual Code Signing Example forums post The Care and Feeding of Developer ID forums post TestFlight, Provisioning Profiles, and the Mac App Store forums post For problems with notarisation, see Notarisation Resources. For problems with the trusted execution system, including Gatekeeper, see Trusted Execution Resources. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"

Background I've repeatedly run into codesigning (and missing provisioning profile) issues for my Ruby/Glimmer app and am looking for ways to troubleshoot this outside of Xcode. The app structure is as follows: PATHmanager.app └── Contents ├── Info.plist ├── MacOS │   └── PATHmanager ├── PkgInfo ├── Resources │   └── AppIcon.icns ├── _CodeSignature │   └── CodeResources └── embedded.provisionprofile Architecture I have a Mac mini Apple M2 Pro with macOS Ventura 13.4. Xcode is not used directly, but the underlying command line tools (e.g., codesign, productbuild, pkgutil, xcrun) are run from a custom Ruby script. xcodebuild -version Xcode 14.3.1 Build version 14E300c Questions Is the .app directory and file structure/naming sufficient? If not, can you point me in the direction of a minimal example that does not use Xcode? Info.plist is an XML text document (not binary), which I believe is in an acceptable format, but how do I lint this file and determine if it contains all of the necessary key/value pairs? <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>CFBundleDevelopmentRegion</key> <string>en</string> <key>CFBundleDisplayName</key> <string>PATH manager</string> <key>CFBundleExecutable</key> <string>PATHmanager</string> <key>CFBundleIconFile</key> <string>AppIcon.icns</string> <key>CFBundleIdentifier</key> <string>com.chipcastle.pathmanager</string> <key>CFBundleInfoDictionaryVersion</key> <string>6.0</string> <key>CFBundleName</key> <string>PATHmanager</string> <key>CFBundlePackageType</key> <string>APPL</string> <key>CFBundleShortVersionString</key> <string>1.15</string> <key>CFBundleSupportedPlatforms</key> <array> <string>MacOSX</string> </array> <key>CFBundleVersion</key> <string>1.15</string> <key>ITSAppUsesNonExemptEncryption</key> <false/> <key>LSApplicationCategoryType</key> <string>public.app-category.developer-tools</string> <key>LSMinimumSystemVersion</key> <string>12.0</string> <key>LSUIElement</key> <false/> <key>NSAppTransportSecurity</key> <dict> <key>NSAllowsArbitraryLoads</key> <true/> </dict> <key>NSHumanReadableCopyright</key> <string>© 2025 Chip Castle Dot Com, Inc.</string> <key>NSMainNibFile</key> <string>MainMenu</string> <key>NSPrincipalClass</key> <string>NSApplication</string> </dict> </plist> PATHmanager is a Mach-O 64-bit executable arm64 file created by using Tebako. Does this executable need to be codesigned, or is codesigning the .app folder sufficient? Does the .app directory need an entitlements file? Here's how I codesign it: codesign --deep --force --verify --verbose=4 --options runtime --timestamp --sign 'Apple Distribution: Chip Castle Dot Com, Inc. (BXN9N7MNU3)' '/Users/chip/Desktop/distribution/PATHmanager.app' Does the PATHmanager binary need an entitlements file? Here's how I codesign it: codesign --deep --force --verify --verbose=4 --options runtime --timestamp --entitlements '/Users/chip/Desktop/PATHmanager.entitlements' --sign 'Apple Distribution: Chip Castle Dot Com, Inc. (BXN9N7MNU3)' '/Users/chip/Desktop/distribution/PATHmanager.app/Contents/MacOS/PATHmanager' How can I verify what entitlements, if any, are required for codesigning the binary? The PATHmanager.entitlements file is an XML text file containing only the following: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.security.app-sandbox</key> <true/> </dict> </plist> Is the embedded.provisionprofile necessary, and if so, how do I know determine if it matches the certificate or entitlements that I'm using? Additionally, is it named and located properly? I submitted this to the AppStore several weeks ago and the reviewer reported that the executable would not load on their machine (even though it worked on mine.) Is it better for me to release via TestFlight for testing, and if so, do I need to following a separate process for codesigning (i.e., using different entitlements, profiles, certs, etc) when doing so? I've been playing whack-a-mole with this for too long to mention and am hoping to nail down a better deployment flow, so any suggestions for improvement will be greatly appreciated. Thank you in advance.

I'm getting this error when uploading a build of my macOS app to App Store Connect. It has always worked before, and nothing changed about my use of app groups, and the iOS build uploaded without any problems. Cleaning the build folder and derived data folder doesn't help. I'm using automatically managed signing in Xcode. Invalid code signing entitlements. Your application bundle’s signature contains code signing entitlements that aren’t supported on macOS. Specifically, the “[group.]” value for the com.apple.security.application-groups key in “.pkg/Payload/.app/Contents/MacOS/” isn’t supported. This value should be a string or an array of strings, where each string is the “group” value or your Team ID, followed by a dot (“.”), followed by the group name. If you're using the “group” prefix, verify that the provisioning profile used to sign the app contains the com.apple.security.application-groups entitlement and its associated value(s).

I've been trying to notarize an installer (.pkg file) on a new laptop. Previous versions have been notarized successfully on a previous Mac. However, in spite of having the required certificates (same as the old Mac, generated for the new Mac) the submission gets stuck at "In Progress". Doing it multiple times (even hours apart) doesn't help. Is there a FAQ / suggested list of steps to help resolve this issue? Here's what I see: xcrun notarytool history --keychain-profile "(my profile name)" results in (problem started with v4, the first version I've tried on this new Mac): createdDate: 2023-10-17T01:34:36.911Z id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx name: xxxxxxxxxx-v4.pkg status: In Progress -------------------------------------------------- createdDate: 2023-10-17T01:33:59.191Z id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx name: xxxxxxxxxx-v4.pkg status: In Progress -------------------------------------------------- createdDate: 2023-10-16T21:01:25.832Z id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx name: xxxxxxxxxx-v4.pkg status: In Progress -------------------------------------------------- createdDate: 2023-10-16T19:57:44.776Z id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx name: xxxxxxxxxx-v4.pkg status: In Progress -------------------------------------------------- createdDate: 2023-10-02T14:17:34.108Z id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx name: xxxxxxxxxx-v3.pkg status: Accepted -------------------------------------------------- createdDate: 2023-09-28T14:04:46.211Z id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx name: xxxxxxxxxx-v2.pkg status: Accepted -------------------------------------------------- createdDate: 2023-09-20T17:28:46.168Z id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx name: xxxxxxxxxx-v1.pkg status: Accepted -------------------------------------------------- xcrun notarytool log xxxxxxxxxxxxxxxxxxxx --keychain-profile "(my profile name)" results in: Submission log is not yet available or submissionId does not exist id: xxxxxxxxxxxxxxxxxxxxxxxx

I've tried to notarize my app recently and got the error:{ "logFormatVersion": 1, "jobId": "...", "status": "Rejected", "statusSummary": "Team is not yet configured for notarization", "statusCode": 7000, "archiveFilename": "myapp.dmg", "uploadDate": "2019-06-20T06:24:53Z", "sha256": "...", "ticketContents": null, "issues": null }I've never heard about "team configuration for notarization" previously. What are the steps to resolve that issue?Thanks in advance.

Hello, I am trying without luck to create a .dmg or .pkg for my electron app that can be opened by any user on a mac. Every time I fail. All is happening by the same pattern. Here is the last try with creating a .pkg instead of .dmg. The app is built and it is signed correctly (I suppose) codesign --verify --verbose=1 dist/mac-universal/VIVIDTIME.app dist/mac-universal/VIVIDTIME.app: valid on disk dist/mac-universal/VIVIDTIME.app: satisfies its Designated Requirement I created a .pkg pkgbuild --root "dist/mac-universal/VIVIDTIME.app" \ --install-location "/Applications/VIVIDTIME.app" \ --identifier "app.vividtime.mac" \ --version "1.1.0" \ --sign "Developer ID Installer: Pavel Bochkov-Rastopchin (2QKDCTR5Y3)" \ dist/VIVIDTIME.pkg pkgbuild: Inferring bundle components from contents of dist/mac-universal/VIVIDTIME.app pkgbuild: Adding component at Contents/Frameworks/Mantle.framework pkgbuild: Adding component at Contents/Frameworks/VIVIDTIME Helper.app pkgbuild: Adding component at Contents/Frameworks/VIVIDTIME Helper (GPU).app pkgbuild: Adding component at Contents/Frameworks/Electron Framework.framework pkgbuild: Adding component at Contents/Frameworks/Squirrel.framework pkgbuild: Adding component at Contents/Frameworks/VIVIDTIME Helper (Renderer).app pkgbuild: Adding component at Contents/Frameworks/VIVIDTIME Helper (Plugin).app pkgbuild: Adding component at Contents/Frameworks/ReactiveObjC.framework pkgbuild: Using timestamp authority for signature pkgbuild: Signing package with identity "Developer ID Installer: Pavel Bochkov-Rastopchin (2QKDCTR5Y3)" from keychain /Users/innrvoice/Library/Keychains/login.keychain-db pkgbuild: Adding certificate "Developer ID Certification Authority" pkgbuild: Adding certificate "Apple Root CA" pkgbuild: Wrote package to dist/VIVIDTIME.pkg

I'm trying to setup a macOS 26 build environment in a VM (using UTM and the virtualization framework Apple provides). I have Xcode 26 installed and have logged into my Apple ID and verified that the team and other configuration looks fine in Xcode settings. When trying to build the macOS app, I see errors saying the VM's device ID has not been registered. I have confirmed that the device ID is registered both in the Provisioning portal AND the downloaded .provisionprofiles (in Library > Developer > Xcode > UserData). This problem appears on multiple targets (e.g. the main app and extensions). If I try to manually provision the app, using the Provisioning portal, I can build the product, but it will not launch because of Gatekeeper issues. Finally, signing to run locally doesn't work either. As the app launches, frameworks refuse to load because Team IDs don't match. With ad hoc provisioning, there are no Team IDs. I've come to the conclusion that this just isn't possible. Which is a shame because I need to support products with a build environment on macOS 15 and cannot move over to macOS 26 yet. I suspect many developers outside of Apple are in a similar position.

I am a developer working on iOS apps. I would like to report an issue occurring in iOS 18 beta and iOS 18.1 beta. Our company has two Enterprise accounts, and we are developing two apps: A app / TeamId: ABCDEFG B app / TeamId: HIJKLMN When we distribute these apps, which have different TeamIds, and install them on a device running iOS 18 beta, both apps install successfully, but only one app will run. (Other app crashed immediately after being launched.) This issue does not occur on versions prior to iOS 18. I would like to know if this is a problem that will be resolved in future updates, or if it is a policy change.

I have a DriverKit system extension (dext) that uses PCIDriverKit. I would like to get the build environment straightened out to successfully distribute the dext and associated software to end users. There are three types of software involved: The Dext-hosting application - this is the application that must be installed to /Applications/, and will perform the registration of the dext. The dext is deployed "within" this application, and can be found in the /Contents/Library/SystemExtensions folder of the app bundle. The dext itself - this is the actual binary system extension, which will be registered by its owning application, and will operate in its own application space independent of the hosting application. Additional applications that communicate with the dext - these are applications which will connect to the dext through user clients, but these applications do not contain the dext themselves. There are multiple locations where settings need to be exactly correct for each type of software to be signed, provisioned, and notarized properly in order to be distributed to users: developer.apple.com - where "identifiers" and "provisioning profiles" are managed. Note that there are differences in access between "Team Agent", "Admin", and "Developer" at this site. Xcode project's Target "Signing & Capabilities" tab - this is where "automatically manage signing" can be selected, as well as team selection, provisioning profile selection, and capabilities can be modified. Xcode project's Target "Build Settings" tab - this is where code signing identity, code signing development team, code signing entitlements file selection, Info.plist options and file selection, and provisioning profile selection. Xcode's Organizer window, which is where you manage archives and select for distribution. In this case, I am interested in "Developer ID" Direct Distribution - I want the software signed with our company's credentials (Team Developer ID) so that users know they can trust the software. Choosing "automatically manage signing" does not work for deployment. The debug versions of software include DriverKit (development) capability (under App ID configuration at developer.apple.com), and this apparently must not be present in distributable provisioning. I believe this means that different provisioning needs to occur between debug and release builds? I have tried many iterations of selections at all the locations, for all three types of binaries, and rather than post everything that does not work, I am asking, "what is supposed to work?"

Hi, overnight I'm getting "HTTP status code: 403. Invalid or inaccessible developer team ID for the provided Apple ID. Ensure the Team ID is correct and that you are a member of that team." in my pipeline running notarytool store-credentials. I'm getting --apple-id, --team-id and --password from CI variables. Double checked the values (even though they shouldn't change). Tried a new app specific password I did not change anything to cause this and my apple developer account is active. Really scratching my head what's going on here. Some assistance would be greatly appreciated!

This has been going on for at least a couple of hours for us: notarizing doesn't complete. Our last job ran for over 90 minutes before CircleCI timed it out. We're using xcrun notarytool submit with the --wait option; it contined to say "Current status: In Progress" for, as I said, 90 minutes or so. (Normally it takes about 70 seconds.) https://developer.apple.com/system-status/ says everything is normal. This does not seem to be the case for us. 😄

I'm into packaging up my Mac game and want to submit it to the Mac App Store via XCode -> Product -> Archive -> Distribute App. I'm getting the following error: Validation failed The installer package includes files that are only readable by the root user. This will prevent verification of the application's code signature when your app is run. Ensure that non-root users can read the files in your app. I've created post build and post package hooks in xcode that list out the files do a debug log file, but there is no single file that is root only or having not 755 as rights. Any idea what I can change to fix this? Is this even something I can influence? Or is this a App Store connect issue? Thanks Martin

We are using an app distributed via an iOS enterprise certificate. There is an exceptional user who could normally use the app signed with this certificate before upgrading to iOS 18. However, after updating to iOS 18 (currently on version 18.3), the app crashes immediately upon launch. Real-time logs indicate that the application fails to start. This issue is unique to this user, as other users on the same iOS 18.3 system do not experience the problem. console log

This is a lengthy one. I have basically compiled a Rust binary into a dylib and packaged into a .xcframework that contains per arch .frameworks. This loads correctly when run from Xcode into a real iOS device. However, when deployed to TestFlight the app crashes. Here is what is a bit different, the dylib is not fully self-contained. It tries to reach in an use C functions I have exposed in my library code. Calling functions that are just within the dylib and just return works fine, but the moment it tries to call one of the exposed functions it crashes. A full in-depth step by step of how I packaged the binaries can be found in my website: https://ospfranco.com/complete-guide-to-dylibs-in-ios-and-android When I look at the TestFlight crash report there are no symbols but the termination cause via WatchDog is: Termination Reason: CODESIGNING 2 Invalid Page I have declared my functions as such: OBJC_EXTERN void ios_prepare_request(const char *url) #define EXPORT __attribute__((visibility("default"), used, retain)) extern "C" { EXPORT void ios_prepare_request(const char *url) { NSString *urlString = [NSString stringWithUTF8String:url]; request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:urlString]]; } } // Function used to prevent optimization void force_symbol_registration() { // Force these symbols to be included in the binary by referencing them volatile void *ptrs[] = {(void *)ios_prepare_request,}; // Prevent compiler from optimizing away the array (void)ptrs; } And I load my framework as: opacity::force_symbol_registration(); // NSBundle *dylib_bundle = // [NSBundle bundleWithIdentifier:@"com.opacitylabs.sdk"]; // NSString *dylib_path = [dylib_bundle pathForResource:@"sdk" ofType:@""]; // // Load the dynamic library // void *handle = dlopen([dylib_path UTF8String], RTLD_NOW | RTLD_GLOBAL); // if (!handle) { // NSString *errorMessage = [NSString stringWithUTF8String:dlerror()]; // *error = // [NSError errorWithDomain:@"OpacitySDKDylibError" // code:1002 // userInfo:@{NSLocalizedDescriptionKey : // errorMessage}]; // return -1; // or appropriate error code // } // Make sure the main executable's symbols are available dlopen(NULL, RTLD_NOW | RTLD_GLOBAL); NSBundle *frameworkBundle = [NSBundle bundleWithIdentifier:@"com.opacitylabs.sdk"]; if (![frameworkBundle isLoaded]) { BOOL success = [frameworkBundle load]; if (!success) { NSString *errorMessage = @"Failed to load framework"; *error = [NSError errorWithDomain:@"OpacitySDKDylibError" code:1002 userInfo:@{NSLocalizedDescriptionKey : errorMessage}]; return -1; } } As you can see, I have also tried dlopen both work when run from Xcode but crash when deployed on testflight. I have tried re-signing the xcframework/frameworks on a pre build step but it doesn't work As stated, I can call the functions inside the dylib, but once they try to call my exposed code it crashes Is this achievable at all or just a limitation of the iOS sandbox?

Hello Apple Community, many thanks in advance for your help. My macOS app embeds a Python interpreter, compiled from source, including the Python executable and its associated libraries. The top-level app is built with Xcode 16.1 and it's written 100% in Swift6. For test purposes we are running the app on MacOS Sequoia 15.0, 15.1 and Sonoma 14.4. The app can be downloaded via TestFlight and Console app shows the next errors: Crash Reports python3.11 Application Specific Signatures: Unable to get bundle identifier for container id python3: Unable to get bundle identifier because Info.plist from code signature information has no value for kCFBundleIdentifierKey. tccd process error Prompting policy for hardened runtime; service: kTCCServiceAppleEvents requires entitlement com.apple.security.automation.apple-events but it is missing for accessing={TCCDProcess: identifier=[IDENTIFIER]], pid=62822, auid=502, euid=502, binary_path=[PATH TO SAMPLEAPP]]}, requesting={TCCDProcess: identifier=com.apple.appleeventsd, pid=577, auid=55, euid=55, binary_path=/System/Library/CoreServices/appleeventsd}, The next documents were helping a lot to reach the current state althought sometimes I was not sure how to apply them in this python interpreter context: Signing a daemon with a restricted entitlement Embedding a command-line tool in a sandboxed app XPC Rendezvous, com.apple.security.inherit and LaunchAgent Placing content in a bundle There are a lot of details that I will try to explain in the next lines. Once archived the app, it looks like this: SampleApp.app SampleApp.app/Contents SampleApp.app/Contents/Info.plist SampleApp.app/Contents/MacOS SampleApp.app/Contents/MacOS/SampleApp SampleApp.app/Contents/Resources SampleApp.app/Contents/Resources/Python.bundle And this is how Python.bundle looks like: Python.bundle/Contents Python.bundle/Contents/Info.plist Python.bundle/Contents/Resources Python.bundle/Contents/Resources/bin Python.bundle/Contents/Resources/bin/python3.11 <- Python executable Python.bundle/Contents/Resources/lib Python.bundle/Contents/Resources/lib/python3.11 <- Folder with python libraries This is the Info.plist associated with Python.bundle: <dict> <key>CFBundleIdentifier</key> <string>com.sampleapp.app.Python</string> <key>CFBundleName</key> <string>Python</string> <key>CFBundleVersion</key> <string>1.0</string> <key>CFBundlePackageType</key> <string>BNDL</string> </dict> For some reason Bundle Identifier is ignored. Created a Python target and added to the main app, I selected the Bundle template. In Python target I made the next customizations: Enabled the Skip Install (SKIP_INSTALL) build setting. Disabled the Code Signing Inject Base Entitlements Added entitlements com.apple.security.inherit to it, with a Boolean value of true. Tried to set Other Code Signing Flags (OTHER_CODE_SIGN_FLAGS) build setting to: $(inherited) -i $(PRODUCT_BUNDLE_IDENTIFIER) But I had to remove it because I could not get rid of this error "-i com.sampleapp.app.Python: No such file or directory" Created a python.plist and set it in the Packaging Build Settings section. I set Generate Info.plist File to No In this document: Embedding a command-line tool in a sandboxed app Says: "Add the ToolX executable to that build phase, making sure Code Sign On Copy is checked." But I could not do it to avoid duplicates, since the bundle itself contains the executable too. I'm not sure how to handle this case. Tried to add python3.11 executable in the bundle MacOS folder, but bundle executableURL returned nil and I could not use python from the code. This is how I get Python bundle from code: static var pythonBundle: Bundle? { if let bundlePath = Bundle.main.path(forResource: "Python", ofType: "bundle"), let bundle = Bundle(path: bundlePath) { return bundle } return nil } Created Python.entitlements with the next key-values: <key>com.apple.security.app-sandbox</key> <true/> and it is used in an Archive Post-action of SampleApp, in order to sign the python executable of Python.bundle as follows: codesign --force --options runtime --timestamp --entitlements "$ENTITLEMENTS_PATH" --sign "$DEVELOPER_ID_APPLICATION" "$ARCHIVE_PATH" The reason of using an Archive Post-action is becauses signing from a Python.bundle Build phase was generating errors related to Sandboxing. These are the entitlements to codesign SampleApp: <dict> <key>com.apple.security.app-sandbox</key> <true/> <key>com.apple.security.files.user-selected.read-only</key> <true/> <key>com.apple.security.inherit</key> <true/> </dict> Most probably I was mixing concepts and it seems created some confusion. We would really love to get some advice, Thanks!

2022-07-24 16:43:30.074 *** Error: Notarization failed for '/var/folders/r1/3j8rdbl95l9csz588j1nc6xc0000gn/T/electron-notarize-gGm3Fr/git-icons.zip'. 2022-07-24 16:43:30.075 *** Error: You do not have required contracts to perform an operation. With error code FORBIDDEN_ERROR.CONTRACT_NOT_VALID for id bb96a1a8-c3c3-4ded-a3c8-2abe369d8881 You do not have required contracts to perform an operation (-19208) { NSLocalizedDescription = "You do not have required contracts to perform an operation. With error code FORBIDDEN_ERROR.CONTRACT_NOT_VALID for id bb96a1a8-c3c3-4ded-a3c8-2abe369d8881"; NSLocalizedFailureReason = "You do not have required contracts to perform an operation"; }

After upgrading the virtual machines used for building and testing our macOS application, it seems that something new in Sequoia is preventing virtual machines from running anything signed with a Mac Development certificate. At first glance the issue seems very similar to this thread, but it could be unrelated. We are using the tart toolset to build and run our VMs. People seem to be having related issues there with Sequoia in particular. I have added the VM's hardware UUID to the Devices list of our account. I have included that device in the devices list of our Mac Development provisioning profile. I have re-downloaded the profile, ensured that it is properly getting built into the app, and ensured that the hardware UUID of the VM matches the embedded provisioning profile: Virtual-Machine App.app/Contents % system_profiler SPHardwareDataType | grep UUID Hardware UUID: 0CAE034E-C837-53E6-BA67-3B2CC7AD3719 Virtual-Machine App.app/Contents % grep 0CAE034E-C837-53E6-BA67-3B2CC7AD3719 ../../App.app/Contents/embedded.provisionprofile Binary file ../../App.app/Contents/embedded.provisionprofile matches However, when I try to run the application, it fails, and while I have searched the system logs to find a more informative error message, the only thing I can find is that the profile doesn't match the device somehow: Virtual-Machine App.app/Contents % open ../../App.app The application cannot be opened for an unexpected reason, error=Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." UserInfo={NSLocalizedFailureReason=Launch failed., NSUnderlyingError=0x6000039440f0 {Error Domain=NSPOSIXErrorDomain Code=153 "Unknown error: 153" UserInfo={NSLocalizedDescription=Launchd job spawn failed}}} Virtual-Machine App.app/Contents % log show --info --debug --signpost --last 3m | grep -i embedded.provisionprofile 2025-01-21 16:33:32.369829+0000 0x65ba Error 0x0 2872 7 taskgated-helper: (ConfigurationProfiles) [com.apple.ManagedClient:ProvisioningProfiles] embedded provisioning profile not valid: file:///private/tmp/builds/app/.caches/Xcode/DerivedData/Build/Products/Debug/App.app/Contents/embedded.provisionprofile error: Error Domain=CPProfileManager Code=-212 "Provisioning profile does not allow this device." UserInfo={NSLocalizedDescription=Provisioning profile does not allow this device.} I don't understand why the provisioning profile wouldn't allow the device if the hardware UUID matches. I have also attempted to add the Provisioning UDID in the devices list instead, but the form rejects that value because it's a different format (the form specifically requests a hardware UUID for macOS development, and a provisioning UDID for everything else). If there is any debugging tool that lets me check a provisioning profile against the running hardware and print a more verbose reason for why it's not allowed on the device, please let me know. Otherwise I'd have to conclude that, since I haven't experienced this issue before on an earlier OS, it has something to do with virtual machines running macOS Sequoia. (The same Mac Development-signed application runs just fine on my MacBook Pro running 15.2, as well as the VM host, which is also running 15.2.) I have also tried resetting the VM's hardware UUID and adding that one to the devices list, to no effect. This is obviously seriously impacting our CI/CD pipelines to allow for proper UI testing of our application. If anyone is aware of any workarounds, I would love to hear them!

Hello, For my macOS app, on Xcode version 15.4 (15F31d) on macOS 14.5 (23F79) I follow Organizer > Distribute App > Direct Distribution, and I get a Notary Error "The operation couldn't be completed. (SotoS3.S3ErrorType.multipart error 1.)" It's been happening since 3 days. In the IDEDistribution.verbose.log file I see: https://gist.github.com/atacan/5dec7a5e26dde0ec06a5bc4eb3607461

We have a Mac that is used to sign and notarize our installers. This Mac will be going away soon, so I have to setup a new Mac to do that work. I've been able to install all the tools, but I can't get them to work. The certificates are in the keychain, but don't show up in the "My Certificates", probably because the related keys don't exist in the "Keys" list. I'm using the same Apple Dev ID that I used on the other machine. HOW do I get things setup on the new machine to work? There must be some way to get key/certificate pairs to work. (I am very definitely NOT a Mac expert, barely even a novice.)

We're having failures reported back to us from the notarization service as of the 4th of September. It's complaining about binaries inside .jar files, saying some aren't signed and others aren't signed with a valid developer certificate. These are third party jars; we unzip the unsigned binaries from these jars, sign them then put them back in using "jar -ufv". Notarizing is only complaining about binaries inside jars and not anything else, which implies our certificates are valid. Nothing has changed regarding these jars between the notarizing service accepting and rejecting our app. To confirm our suspicions that the notarizing service may be behaving differently, we sent it an app package that previously had succeeded in notarizing. Now the notarizing service fails, citing issues with the same jars as described above. Are you able to confirm whether anything has changed? Any ideas on what we could look at?

Normally I get a response from a submit via notarytool within 30 seconds. Today - with a process that worked a few days ago - I don't get any answer, although the system status claims that the service is up and work. Anybody else, or is it only me?