No entry in manifest for file key.pem

I working on a app, both a wep-app, the prototype of the webapp is ready and i started don my IOS MVP for a couple of weeks ago. Since the SPA is written in ViteJs it was «easy» to think that RN was a good way of making the MVP. Since I just started its not so «hard» to change, and now I am wondering about doing that. After I upgraded from 0.75 to 0.76 problems is knocking on my door all the time, and my time is used for making Metro eg. run, rather then develop the app. I have a Oauth2 PKCE server running and over time other known Oauth2 providers will be implemented: google, apple eg. So since I am looking for other ways to develop it Swift came up. How is Oauth PKCE with Swift? Is it some libraries that is recommended to use is it any well known problems with Swift and PKCE? KR

When we transfer app A to app B, if we transfer the app but don't migrate the user to app B, will the user's previous tokens from app A be invalid? Is this failure real-time or will there be a buffer period to transfer users? If it is a live failure, we want to transfer some users during the transferation process to prevent accidents, and then test them. Is there a way to test it?

I have a use case where I want to retrieve a third-party access token and pass it between servers to allow different services to make API calls. But when looking through the third-party docs, I found this note: "One important aspect to understand about access tokens is that most tokens are portable. However, Apple does not allow moving tokens to servers." It's found here: https://developers.facebook.com/docs/facebook-login/guides/access-tokens#portabletokens Does anyone have more information on what this means? Has anyone had issues with passing tokens between clients/servers or servers/servers on Apple devices? Thanks!

I have a Mobile App developed in Objective C which has two SDK's writing to the keychain. The first SDK which is completely written in Swift, uses Swift to write and read the key chain and the second SDK uses Objective C to read and write to the SDK. When the first SDK reads from the keychain, the second SDK is not able to read from the keychain and it is getting the Keychain error of item not found. Both the SDK's are using different keys and so not sure why the second SDK is getting item not found. The weird thing with this error is it happens only on a Simulator and it is working fine on actual iPhone. I have also checked the Objective C to Swift bridging header and everything looks correct. Any help you can provide is highly appreciated.

Hi, I have recently encountered an app with some odd behaviour and wanted to clarify some details about the way sandboxing works with iOS apps installed on a Mac. I am unsure whether this is due to a misunderstanding of system behaviour or whether this is a bug. The app was installed from the Mac App Store, designed for iPad. The developer of the app informed me that in lieu of a sign-in process, the app tries to persistently store a UUID of the user on the device so that when the app is deleted and reinstalled, the user is automatically logged in again. The developer says that two mechanisms are being used: 1) NSUserDefaults (via Flutter shared prefs) and 2) identifierForVendor. In the case of 1), my understanding is that these are managed by cfprefsd. Using the 'defaults domain' command, the domain of the app appears. However, there are no keys or values stored. Using the 'defaults write' and 'defaults read' and 'defaults delete' commands on that bundle identifier works as expected, but since it starts out empty, it cannot be read or deleted. Furthermore, the app's data is supposed to be sandboxed in /Library/Containers. When the app is uninstalled from Launchpad, I have confirmed that the folder is missing. When reinstalled, the app's settings and data are missing, but crucially, the cloud identifier is still persistent and is evident after 'setup'. In the case of 2), the developer documentation states that identifierForVendor changes when all apps from a developer have been removed from a device. The app in question is the only app that was installed from this developer, so logically this identifier should have changed when the app was deleted and reinstalled. I have confirmed that iCloud drive is not being used to store this data as there is no data in iCloud for this app. In any case, when the app is uninstalled and reinstalled, the app automatically logs the user into the "account" it was previously logged into, along with all of that user's data in the cloud. I have a sense that this type of persistent identifier tracking is what sandboxing was meant to address, but I am unsure why I have been unable to remove the UUID tag from my system. Any insight would be greatly appreciated!

Hi, I've been working to build Apple sign in into my application using a low code tool called GeneXus. The instructions seem pretty straight forward however it's not working when I try signing in from the app. See GeneXus instructions here: https://wiki.genexus.com/commwiki/wiki?44478,GAM+-+Apple+Authentication+type The only section that I didn't do was to verify the domain which according to the instructions is required for apple sign in to work. This was backed up by the GeneXus support team. I can't find how to verify the domain though? The support team seem to think Apple will send me the domain association file detailed in the link below and I simply add that to the server: https://developer.apple.com/documentation/xcode/supporting-associated-domains#Add-the-associated-domains-entitlement-to-your-app However I can't find where this file would be generated? I also can't see the button to register the domain in the first place!

Hello everyone, We recently transferred an iOS app but didn’t generate the transfer identifier before initiating the transfer. Is it still possible to generate the transfer identifier after the transfer has been completed? If not, are there any alternative solutions or steps we can take to resolve this issue? Thank you for any guidance!

Hello, I started looking to implement SSO with Apple on my website using this tutorial : https://developers.appcharge.com/docs/apple-sso-login However, when going to https://developer.apple.com/account/resources/identifiers/list to generate a new Key, i'm getting the error : "Unable to find a team with the given Team ID 'XXXXXXXX' to which you belong. Please contact Apple Developer Program Support". It was a breeze to implement Google SSO, but not for Apple. I can't find much help online, could you guide me ? Regards

What Starting from macOS Sequoia 15.1, a terminal app (KiTTY) installed via Nix fails to launch apparently due to new hardening mechanism in CoreServices introduced in 24B83 Seems this is triggered not every time. If I create new volume and copy the same path with KiTTY on it, it worked on the first occasion but I failed to make it work reproducibly. @Eskimo I would kindly appreciate if you could highlight more about Secure Launch and related spawn constraints. Anyway, this is blocker issue for me so I'm rolling back to 15.0.1 ❯ open /nix/var/nix/profiles/default/Applications/kitty.app _LSOpenURLsWithCompletionHandler() failed with error -54. Logs ❯ log stream | grep kitty ... 2024-10-30 09:38:56.005739+0100 0x9383 Error 0x45fac 584 0 CoreServicesUIAgent: (LaunchServices) [com.apple.launchservices:open] LAUNCH: Launch requires secure launch with spawn constraints, but none are present or valid, so returning permErr for <FSNode 0x600001e656c0> { isDir = ?, path = '/nix/store/wiindrplkcj1mn22x6nbl8clpnz7adpm-kitty-0.36.4/Applications/kitty.app' } 2024-10-30 09:38:56.005837+0100 0x9383 Error 0x45fac 584 0 CoreServicesUIAgent: (LaunchServices) [com.apple.launchservices:open] LAUNCH: Launch failure with -54/permErr <FSNode 0x600001e778e0> { isDir = y, path = '/nix/store/wiindrplkcj1mn22x6nbl8clpnz7adpm-kitty-0.36.4/Applications/kitty.app' } 2024-10-30 09:38:56.006106+0100 0x9383 Default 0x45fac 584 0 CoreServicesUIAgent: (libxpc.dylib) [com.apple.xpc:connection] [0x600002148d20] activating connection: mach=true listener=false peer=false name=com.apple.coreservices.quarantine-resolver 2024-10-30 09:38:56.006440+0100 0x9383 Error 0x45fac 584 0 CoreServicesUIAgent: (LaunchServices) [com.apple.launchservices:default] LAUNCH: Launch failed in CSUI with error Error Domain=NSOSStatusErrorDomain Code=-54 "permErr: permissions error (on file open)" UserInfo={_LSLine=4224, _LSFunction=_LSOpenStuffCallLocal} 2024-10-30 09:38:56.007039+0100 0x9381 Default 0x45fac 584 0 CoreServicesUIAgent: (libxpc.dylib) [com.apple.xpc:connection] [0x14f00fca0] activating connection: mach=false listener=false peer=true name=com.apple.coreservices.quarantine-resolver.peer[584].0x14f00fca0 2024-10-30 09:38:56.007602+0100 0x9381 Error 0x45fac 584 0 CoreServicesUIAgent: [com.apple.launchservices:uiagent] handle LS launch error: status=-54 {\n Action = odoc;\n AppPath = "/nix/store/wiindrplkcj1mn22x6nbl8clpnz7adpm-kitty-0.36.4/Applications/kitty.app";\n Documents = (\n "kitty.app"\n );\n ErrorCode = "-54";\n FullPaths = (\n "/nix/store/h33cy9y53p6dnyzx41a1dfxsr0df8i4c-system/Applications/kitty.app"\n );\n} Environment ❯ uname -a Darwin airstation.local 24.1.0 Darwin Kernel Version 24.1.0: Thu Oct 10 21:05:14 PDT 2024; root:xnu-11215.41.3~2/RELEASE_ARM64_T8103 arm64 ~ ❯ sw_vers ProductName: macOS ProductVersion: 15.1 BuildVersion: 24B83 ❯ arch arm64

Trying to flesh out an idea for an application which would rely on Endpoint Security Framework and Network Extension Framework, where intend the application to: Forward certain ESF events to a backend (on a separate server) Forward certain Unified logs to a backend (on a separate server) Forwarding various DNS queries and responses (on a separate server) Retrieve configuration from the backend to set Network Extension Filters Are there any limitations and/or reasons not to bundle all this functionality into a single system extension? I know of other applications where system extension is very thin and main application (daemon) communicates over xpc with the system extension, would this be considered best practice?

Hello there, we have implemented the Apple sign in our site, everything is working good except from two edge cases when the JWT returned by Apple sign in does not contain the user email, these cases are: When users choose Hide My Email when creating their account and later manually change their settings and turning off the email forwarding (Tested). For Apple at Work & School users. i.e. younger students may not have an email address. According to Apple docs, email could be empty for Sign in with Apple at Work & School users (Not tested). The problem is that we use the email to confirm the user authentication, but when the email is not present in the JWT, our system won't be able to find the registered user. We're currently working on a workaround for this, but we would like to confirm that these edge cases are known by apple and also ask some questions: Is it correct to say that: Turning off the email forwarding will cause that Apple's identity token (JWT) does not include the user's email address? Apple at Work & School users: is there a way to identify that someone is using this type of account? Is there any other known edge case when the email could be empty in the JWT? Thanks in advance!

So I’m (extremely) new to developing for iOS, and I’m looking to implement the “Sign in With Apple“ feature for an application that interacts with a server I’ve built. Following the guide I’m able to get a user’s email and name. When I send that information to my server to create a user account, do I need to do anything else (like validating that the email is actually associated with an Apple account or that the user actually owns it, etc)? I looked at the Sign in With Apple from the web article and it doesn’t seem like it’s relevant to my use case. Is it standard practice to just trust the client in the iOS world?

Hello, Following a company split we are planning to transfer one of our apps, which has Sign in With Apple enabled, to another team. We want to provide a smooth migration experience for the users by minimizing downtime and avoiding the duplication of accounts in our database. In our backend we generate a client secret using the transferring team’s ID. We then use this client secret with the “https://appleid.apple.com/auth/token” endpoint which returns the identity token. With the above in mind, I have the following questions: If we don’t update the team ID immediately after the transfer in our backend, will the identity token returned by the endpoint above contain the transferring team user ID in the sub field or, will it contain the recipient team user ID? Is there any possibility that we will ever receive an identity token containing a transferring team user ID in the sub field after we accept the transfer? Thanks, Bruno

Hi, I have implemented Sign in with Apple on Android four months ago, and it work perfectly. We are using React Native with expo, using expo-auth-session and firebase function to get code back to start the token validation process. However, recently we start to receive invalid_grant with no error description while token validation, however the same client secret works on firestore without issue, which confuses us. According to https://developer.apple.com/documentation/technotes/tn3107-resolving-sign-in-with-apple-response-errors, the common reasons that I receive invalid_grant are: The client_id does not match the client for which the code was issued. The code has expired or has been previously consumed by the validation server. Is there any way I could differentiate whether is client_secret wrong or the code was used or any other reasons?

We noticed that the APNs Profile we downloaded on https://developer.apple.com/bug-reporting/profiles-and-logs/ is mentioning "Facetime and Call Activity Logging". Is it expected ?

I have implemented Sign in with Apple on website one weeks ago, and it work perfectly. However, recently we start to receive invalid_grant with no error description while token validation, however the same client secret works on IOS app without issue.... in ios app site , we used bundle id for client_id. in web site , we used service id for client_id; I try to create a new privateKey for web site and add redirect_uri params to /auth/token, but still error.... I tested it like this, i got authorization code using Service ID i tried authorization code with Service ID using browser : successfully got the code and requested access_token immately 2 and then, i tried validate the authorization grant code to obtain tokens curl like this curl -X POST https://appleid.apple.com/auth/token \ -H "Content-Type: application/x-www-form-urlencoded" \ -d "client_id=my_service_id" \ -d "client_secret=my_client_secret" \ -d "code=sent_from_frontend" \ -d "grant_type=authorization_code" \ -d "redirect_uri=my_redirect_uri" then get fail and no error_description error_code is 400 invalid_grant is not invalid_client error, and client secret is not expired too My decoded token looks like the following : { "alg": "ES256", "typ": "JWT", "kid": "my_kid" } { "aud": "https://appleid.apple.com", "sub": "my_service_id", "iss": "team_id", "exp": 1744012650, "iat": 1728460650 }

After upgrading to 15.1, SSIDs can no longer be scanned. In my main application, there is a wifiAccess.app in the LaunchService folder that is killed by embbed. This app is the root process that is placed under launchDaemon and loaded by launchd CLLocationManager *locationManager = [[CLLocationManager alloc] init]; if (@available(macOS 10.15, *)) { [locationManager requestAlwaysAuthorization]; } else { // erlier version do not need localtion permission } NSError *error; NSData *ssidStrData = [ssid dataUsingEncoding:NSUTF8StringEncoding]; CWInterface *interface = [[CWWiFiClient sharedWiFiClient] interface]; NSSet<CWNetwork *> *networks = [interface scanForNetworksWithSSID:ssidStrData error:nil]; However, the obtained networks do not have ssid. {(<CWNetwork: 0x600000368680> [ssid=(null), bssid=(null), security=WPA2 Enterprise, rssi=-49, channel=<CWChannel: 0x600000370bd0> [channelNumber=44(5GHz), channelWidth={20MHz}], ibss=0], <CWNetwork: 0x600000370b30> [ssid=(null), bssid=(null), security=WPA2 Enterprise, rssi=-73, channel=<CWChannel: 0x600000370b00> [channelNumber=6(2GHz), channelWidth={20MHz}], ibss=0], <CWNetwork: 0x600000370be0> [ssid=(null), bssid=(null), security=WPA2 Enterprise, rssi=-44, channel=<CWChannel: 0x600000370c60> [channelNumber=165(5GHz), channelWidth={20MHz}], ibss=0] }, the main program has granted the location permission, but the location authorization has not responded in this wifiaccess process. And (lldb) po [locationManager authorizationStatus] kCLAuthorizationStatusNotDetermined. The output authorization is always unauthorized, but only the authorization option of the main application can be seen in the system Settings location permissions setting, wifiaccess.app is not present on the list

I have existing macOS application(pkg distribution) and now I need to release App Store version I need to move all files from "Documents/My App" to app container however container migration doesn't work in some cases I've tested TestFlight build: migration works fine if Mac uses Local Documents folder migration doesn't work if Mac uses iCloud Documents and Desktop folders Is there some way to fix this? container-migration.plist: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>Move</key> <array> <string>${Documents}/My App</string> </array> </dict> </plist>

Hello, I have been testing my app with iOS 18 beta and noticing an issue with the triggering of Local Network privacy prompt. My app uses this permission to make a request to a local network address. Prior to iOS upgrade to 18 beta, the privacy prompt used to get triggered upon making the request and only after tapping on 'Allow', the subsequent requests used to succeed. If the user turned off the toggle for 'Local Network' in the app settings, then this functionality used to break as expected. Issues observed with 18 beta: The privacy prompt is not getting triggered upon making the request to local network and the request is succeeding. The app already seems to have this access granted but I do not see the permission toggle in the app settings. Upon device restart, the prompt got triggered but even on disallowing the access (tapping Don't Allow), the app is able to make requests to the local network. The permission toggle appears in the app settings, but its state does not impact the app's functionality. Has something changes in this flow? Can someone please help with what might be causing this behaviour?