I have an app (currently not released on App Store) which runs on both iOS and macOS. The app has widgets for both iOS and macOS which uses user preference (set in app) into account while showing data. Before upgrading to macOS 15 (until Sonoma) widgets were working fine and app was launching correctly, but after upgrading to macOS 15 Sequoia, every time I launch the app it give popup saying '“Kontest” would like to access data from other apps. Keeping app data separate makes it easier to manage your privacy and security.' and also widgets do not get user preferences and throw the same type of error on Console application when using logging. My App group for both iOS and macOS is 'group.com.xxxxxx.yyyyy'. I am calling it as 'UserDefaults(suiteName: Constants.userDefaultsGroupID)!.bool(forKey: "shouldFetchAllEventsFromCalendar")'. Can anyone tell, what am I doing wrong here?

Hi Team, There is situation in which I want to implement session Resumption in IOS. I am using Network Framework but I am unable to find a way, how to enable the resumption . It will more beneficial for me if you guys can help me in that. Regards,

A client asked why we can't detect other apps installed on a device without an MDM profile, we explained this isn't possible due to privacy and security restrictions on iOS. A regular app cannot find other apps that are installed unless part of the same group. The client then told us to download SpyBuster (on the App Store) which somehow is collecting a list of Bundle IDs or names of all installed apps somehow. We were skeptical, but sure enough, the app showed us a list of apps we had installed. How is it doing this?!?! No MDM profile associated with the app. No special permissions requested. No access to anything shown in privacy & security in settings. Is there a special entitlement we're not aware of? Just seems like they must be using a private API call to get this info but that would of course mean it should be pulled from the App Store. We'd love to have this capability in our apps if it's legit and accepted by App Store review. Thanks!

Hello, I am using the prf extension for passkeys that is available since ios 18 and macos15. I am using a fixed, hardcoded prf input when creating or geting the credentials. After creating a passkey, i try to get the credentials and retrieve the prf output, which works great, but i am getting different prf outputs for the same credential and same prf input used in the following scenarios: Logging in directly (platform authenticator) on my macbook/iphone/ipad i get "prf output X" consistently for the 3 devices When i use my iphone/ipad to scan the qr code on my macbook (cross-platform authenticator) i get "prf output Y" consistently with both my ipad and iphone. Is this intended? Is there a way to get deterministic prf output for both platform and cross-platform auth attachements while using the same credential and prf input?

I have code where we're evaluating SSL certificates in sec_protocol_options_set_verify_block. We have the following code: let secTrust = sec_trust_copy_ref(trust).takeRetainedValue() isValidCertificate = SecTrustEvaluateWithError(secTrust, &error) I'm getting the error that the maximum temporal validity period has been exceeded: Error Domain=NSOSStatusErrorDomain Code=-67901 "“server.com” certificate is not standards compliant" UserInfo={NSLocalizedDescription=“server.com” certificate is not standards compliant, NSUnderlyingError=0x300ddd350 {Error Domain=NSOSStatusErrorDomain Code=-67901 "Certificate 0 “server.com” has errors: Certificate exceeds maximum temporal validity period;" UserInfo={NSLocalizedDescription=Certificate 0 “server.com” has errors: Certificate exceeds maximum temporal validity period;}}} When I inspect the certificate, it's valid for 394 days (4/16/2024 through 5/15/2025) and other than being a wildcard certificate, should be fully trusted. I can't find any information about this specific error. Is Apple requiring SSL certs to be less than 398 days now? Which brings me to the second part - we're OK using this to workaround it var trustFailureExceptions: CFData? = SecTrustCopyExceptions(secTrust) SecTrustSetExceptions(secTrust, trustFailureExceptions) But I haven't found anyway to be able to inspect trustFailureExceptions to ensure it only is this specific error. I'm concerned that otherwise this is going to open up validity exceptions for any certificate problem, which is definitely not what I want to do.

I've made a simple command line app that requires Screen recording permission. When I ran it from Xcode, it prompts for a permission and once I allowed it from the settings, it runs well. #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <CoreGraphics/CGDisplayStream.h> int main() { printf("# Start #\n"); if (CGPreflightScreenCaptureAccess()) { printf("# Permitted.\n"); } else { printf("# Not permitted.\n"); if (CGRequestScreenCaptureAccess() == false) { printf("# CGRequestScreenCaptureAccess() returning false\n"); } } size_t output_width = 1280; size_t output_height = 720; dispatch_queue_t dq = dispatch_queue_create("com.domain.screengrabber", DISPATCH_QUEUE_SERIAL); CGError err; CGDisplayStreamRef sref = CGDisplayStreamCreateWithDispatchQueue( 1, output_width, output_height, 'BGRA', NULL, dq, ^( CGDisplayStreamFrameStatus status, uint64_t time, IOSurfaceRef frame, CGDisplayStreamUpdateRef ref ) { printf("Got frame: %llu, FrameStatus:%d \n", time, status); } ); err = CGDisplayStreamStart(sref); if (kCGErrorSuccess != err) { printf("Error: failed to start streaming the display. %d\n", err); exit(EXIT_FAILURE); } while (true) { usleep(1e5); } CGDisplayStreamStop(sref); printf("\n\n"); return 0; } Now I want to execute this from terminal, so I went to the build folder and typed the app name. cd /Users/klee/Library/Developer/Xcode/DerivedData/ScreenStreamTest-ezddqbkzhndhakadslymnvpowtig/Build/Products/Debug ./ScreenStreamTest But I am getting following output without any prompt for permission. # Start # # Not permitted. # CGRequestScreenCaptureAccess() returning false Error: failed to start streaming the display. 1001 Is there a something I need to consider for this type of command line app?

I'm seeing some odd behavior which may be a bug. I've broken it down to a least common denominator to reproduce it. But maybe I'm doing something wrong. I am opening a file read-write. I'm then mapping the file read-only and private: void* pointer = mmap(NULL, 17, PROT_READ, MAP_FILE | MAP_PRIVATE, fd, 0); I then unmap the memory and close the file. After the close, eslogger shows me this: {"close":{"modified":false,[...],"was_mapped_writable":false}} Which makes sense. I then change the mmap statement to: void* pointer = mmap(NULL, 17, PROT_READ, MAP_FILE | MAP_SHARED, fd, 0); I run the new code and and the close looks like: {"close":{"modified":false, [....], "was_mapped_writable":true}} Which also makes sense. I then run the original again (ie, with MAP_PRIVATE vs. MAP_SHARED) and the close looks like: {"close":{"modified":false,"was_mapped_writable":true,[...]} Which doesn't appear to be correct. Now if I just open and close the file (again, read-write) and don't mmap anything the close still shows: {"close":{ [...], "was_mapped_writable":true,"modified":false}} And the same is true if I open the file read-only. It will remain that way until I delete the file. If I recreate the file and try again, everything is good until I map it MAP_SHARED. I tried this with macOS 13.6.7 and macOS 15.0.1.

Is there any particular reason why ASWebAuthenticationSession doesn't have support for async/await? (example below) do { let callbackURL = try await webAuthSession.start() } catch { // handle error } I'm curious if this style of integration doesn't exist for architectural reasons? Or is the legacy completion handler style preserved in order to prevent existing integrations from breaking?

Our desktop app for macos will be released in 2 channels appstore dmg package on our official website for users to download and install Now when we debug with passkey, we find that the package name of the appstore can normally arouse passkey, but the package name of the non-App Store can not arouse the passkey interface I need your help. Thank you

Hello, I have an application which uses a helper[1] to download[2] files. When files download is a DMG and user mounts the image to run the application from this DMG it doesn't pass Gatekeeper. It presents the "Application XYZ.app can't be opened.". Same file downloaded via Safari shows a different dialog, the "XYZ.app is an app downloaded from the internet. Are you sure you want to open it?" In the system log I see this line: exec of /Volumes/SampleApp/SampleApp.app/Contents/MacOS/SampleApp denied since it was quarantined by Download\x20Helper and created without user consent, qtn-flags was 0x00000187 The application is running sandboxed and hardened, the main application has com.apple.security.files.downloads.read-write entitlement. Everything is signed by DeveloperID and passes all checks[3]. I tried to check the responsible process[4] of the helper. Then trivial stuff like download folder access in System Settings/Privacy & Security/Files & Folders. Everything seems to be fine. For what it worths the value of quarantine attribute is following: com.apple.quarantine: 0087;6723b80e;My App; The Safari downloaded one posses: com.apple.quarantine: 0083;6723b9fa;Safari;02162070-2561-42BE-B30B-19A0E94FE7CA Also tried a few more ways and got to 0081 with Edge and 0082 with a sample app with similar setup. Not sure if that has any meaning. What could I be doing wrong that Gatekeeper right away refuses to run the application from DMG instead of showing the dialog like in other cases? [1] The executable is in application bundle located in Contents/Helpers/DownloadHelper.app in the main application bundle. [2] Nothing fancy, curl + regular POSIX file operations [3] codesign, syspolicy_check, spctl [4] launchctl procinfo pid

We recently transferred our app from one developer account to a new one, internally. We're trying to transfer our sign in with apple users, but have hit a snag on the first step. I'm following the instructions here to "Obtain the user access token": https://developer.apple.com/documentation/sign_in_with_apple/transferring_your_apps_and_users_to_another_team This is my request as created in postman: curl --location 'https://appleid.apple.com/auth/token/' --form 'grant_type="client_credentials"' --form 'scope="user.migration"' --form 'client_id="com.XXXXX"' --form 'client_secret="XXXXX"' No matter what I try, I always receive invalid_client. I've uploaded example JWTs in FB15648650.

Hey, There are two apps, App A and App B. Both apps do not have Sign in with Apple configured currently, so there are no Sign in with Apple users to transfer. I want to configure this for both apps. App A is on developer team A. App B is on developer team B. They are not on the same developer accounts. It is my understanding that both accounts need to be on the same developer team/account to get the same unique identifiers (e.g. sub id and private relay email address) for privacy reasons. Desired Behavior: When a single user logs into either app A or app B with the newly exposed Sign in with Apple functionality, I need apple to return me the same unique identifiers (e.g. sub and email), so that I can uniquely identify the same user across app A and app B. How can I do this without ANY customer impact.

Our product uses the “Sign in with Apple” feature, and now we need to transfer it to Apple. After reading the documentation, I still have questions and would like to get answers. Q1:Transfer App: After the receiving team receives the App, is the unique identifier obtained by the client App program login the original one? Or is it newly generated? If it is newly generated, from what point in time will it be newly generated? Q2:Transfer App: Is there any validity period for the transfer identifier? About how long? What will happen after the transfer identifier is expired? Q3:When does the transfer identifier (transfer identifier) start to be generated, when the transfer request is initiated or when the transfer is completed, and when I get the transfer identifier, can I directly exchange it for the receiving team's unique identifier? Looking forward to a reply, thanks!

Hello I have a problem with provisionprofile file. I have created Identifier with Sign in with Apple capability turned on, created Profile with Developer ID selected and now I try to export archive with generated Developer ID provision file but it says "Profile doesn't support Sign in with Apple" Also interesting thing that default provisions like macOS App Development Mac App Store Connect don't show such error when I try to export archive Maybe this problem is only related to Developer ID provision and Direct Distribution doesn't support Sign in with Apple, but I havent found proves about this idea

Hi, I have a certificate, how can I display the certificate content in my Mac app just like Keychain Access app does. Can I popup the certificate content dialog just like Keychain Access app?

Private relay emails are ending up in the spam folder, even though SPF and DKIM are set up correctly.

In our application, we store user information (Username, Password, accessToken, Refresh token, etc.) in the keychain. However, after performing a hard reboot (unplugging and plugging back in), when we attempt to retrieve the ‘refresh token’ or ‘access token’ from the keychain, we receive the old token instead of the newly saved one.

Hi there, I'm currently working on a compatibility feature for Apple that allows the user to manage their keys and certificates from within our internal API. For this I need to retrieve all the items contained within keychains. I am looking at the documentation for SecItem API but so far I have not really found an obvious way to link these items together. My best guess so far is to perform two queries, grabbing all SecKeys from the keychains, pairing them up with public keys through SecKeyCopyPublicKey, then downloading all CertItems and pairing them with public keys with SecCertificateCopyKey, and then join the two using public keys. This sounds however somewhat involved and I was wondering if there was a better way of going about the process?

Hi everyone, I'm having a recurring issue with the "Sign in with Apple" integration in my web app, and I’m hoping someone here can help or share insights. Here’s the situation: I implemented "Sign in with Apple" following the official documentation, and it worked perfectly at first. After about two weeks, I started getting the "invalid_client" error when redirecting to the authentication page. I reviewed everything and discovered I hadn’t set up the email configuration properly in the Apple Developer Console. Once I fixed that, it worked fine again. Now, the same error ("invalid_client") has returned, and I’ve triple-checked every part of my configuration: The service ID, redirect URIs, and domain settings match exactly. The client_secret is generated correctly with all required fields (iss, iat, exp, aud, and sub) and signed with ES256. My server time is synchronized. Nothing has changed in my code or configuration since it last worked. This seems to be an issue on Apple’s end because everything was functioning perfectly before, and I’ve already resolved this once by updating settings in the Developer Console. Has anyone else faced this issue? Is there something I might be missing, or could this be a problem with Apple’s service? Any advice or guidance would be greatly appreciated!

Hi, ASCredentialProvider had been almost identically implemented on both iOS and macOS so far, but the ProvidesTextToInsert feature was only added to iOS. It would have been a crucial point to make Credential Providers available in all textfields, without users having to rely on developers correctly setting roles for their Text Fields. It's right now impossible to paste credentials into Notes, or some other non-password text box both in web and desktop apps for example, in a seamless, OS-supported way without abusing Accessibility APIs which are understandably disallowed in Mac App Store apps. Or just pasting an SSH key, or anything. On macOS this has so many possibilities. It could even have a terminal command. It's even more interesting that "Passwords..." is an option in macOS's AutoFill context menu, just like on iOS, however Credential Providers did not gain this feature on macOS, only on iOS. Is this an upcoming feature, or should we find alternatives? Or should I file a feature request? If it's already in the works, it's pointless to file it.