Hello, We recently resubmitted our Family Controls (Distribution) request with a much more detailed explanation after our previous declined. Our entire app (including an extension) depends on this capability, and right now we’re completely blocked from launching. Months of work are stuck at this final step and it’s honestly becoming very stressful with no visibility on the timeline. If anyone has experience with the approval timeline after resubmitting, or if someone from Apple could help look into it, it would truly mean a lot. 4C6XLQWZQY Y5JJ7GT6BP 3ZBSC333WU Thank you

I'm working on an app that needs access to device activity. When I add device activity entitlement, I'm getting Provisioning profile "..." doesn't include the com.apple.developer.deviceactivity entitlement. This is failing for both, the main app and the extension, and both have entitlements added. It is not clear how to add it to the profile, the provisioning profile is created/managed by XCode. When I remove the entitlement, I can build my app but it won't be able to use device activity data I reached out to Developer Support, and they sent me here. What is the right way to add device activity entitlement? I'm also seeing another issue with XCode Cloud builds. When I remove device activity entitlement. I can build my app w/o any issue, and I can also install it directly on my iPhone. However, XCode Cloud builds fail wit Run command: 'xcodebuild -exportArchive -archivePath /Volumes/workspace/tmp/d41fc2f1-4f39-4906-8941-112488e75f6c.xcarchive -exportPath /Volumes/workspace/adhocexport -exportOptionsPlist /Volumes/workspace/ci/ad-hoc-exportoptions.plist '-DVTPortalRequest.Endpoint=http://172.16.68.193:8089' -DVTProvisioningIsManaged=YES -IDEDistributionLogDirectory=/Volumes/workspace/tmp/ad-hoc-export-archive-logs -DVTSkipCertificateValidityCheck=YES -DVTServicesLogLevel=3' I suspect that it could be related to my app having DeviceActivityExtension but no device activity entitlement is present. Thanks, Peter.

I am distributing a macOS application outside the App Store using Developer ID and need to provide provisioning profiles to customers for installation during the package installation process. I have two questions: How can I package and provide the provisioning profile(s) so that the customer can install them easily during the application installation process? Are there any best practices or tools that could simplify this step? In my case, there are multiple provisioning profiles. Should I instruct the customer to install each profile individually, or is there a way to combine them and have them installed all at once? Any guidance on the best practices for this process would be greatly appreciated.

we have organization account I'm the admin of team. and i have additional resources: Additional Resources Access to Reports Access to Certificates, Identifiers & Profiles. Access to Cloud Managed Distribution Certificate Create Apps Generate Individual API Keys Issues: i can't find my team certificate in Xcode I don't have access to https://developer.apple.com/account/resources/

I tried to create a new IOS provisioning profile and re-apply it to the app using Xcode to build it, but I got into trouble. The build is good, but it bounces when running the app. I would appreciate it if you could let me know what to do.

My notarization submission been "In Progress" status for over 30 minutes now. I thought this process should be much faster.

I haven't been able to notarize my macOS app for the past two days. Now, I believe this is an issue with the notarization process because I've tried notarizing the default app that's provided whenever you open a new Swift application, but that completely failed as well. And I've been waiting for the past two days and it's been stuck on in progress. This is the second time this has happened to me in the past two months and oftentimes I have to wait more than a day or two for the notarization to occur. I just, I don't understand why it's deadlocked like this. I've done nothing. I haven't changed my certificates. I haven't done any different configurations within my Mac. The last time that this happened, the issue went away after two days, but my biggest concern right now is that if this happens whenever we need to urgently push updates, we can't. I have absolutely no idea what to do and I'm just extremely frustrated because this is happening right before our launch day. I've been stuck on notarizing again for the past two days and I've seen no progress, I've seen no responses from support emails and the ones that do aren't even applicable to my current scenario. ⁠

Hi All, Really weird one here... I have two bundle ids with the same reverse dns name... com.company.app1 com.company.app2 app1 was installed on the device a year ago. app2 was also installed on the device a year ago but I released a new updated version and pushed it to the device via Microsoft InTunes. A year ago the vendor Id's matched as the bundle id's were on the same domain of com.company. Now for some reason the new build of app2 or any new app I build isn't being recognised as on the same domain as app1 even though the bundle id should make it so and so the Vendor Id's do not match and it is causing me major problems as I rely on the Vendor Id to exchange data between the apps on a certain device. In an enterprise environment, does anyone know of any other reason or things that could affect the Vendor Id? According to Apple docs, it seems that only the bundle name affects the vendor id but it isn't following those rules in this instance.

All of my notarization submissions have been stuck at "In Progress" for over a week. I have 6 submissions spanning from March 4 to March 10, 2026, and none of them have completed or returned any errors. Affected submissions: 685708f6 — MeetingRecorder-1.5.0.dmg (submitted Mar 10) — In Progress 6ade1490 — MeetingRecorder-1.5.0.dmg (submitted Mar 10) — In Progress 99d39bd0 — MeetingRecorder-1.4.12.dmg (submitted Mar 6) — In Progress e65f95e1 — MeetingRecorder-1.4.9.dmg (submitted Mar 6) — In Progress eb51b220 — MeetingRecorder-1.4.9.dmg (submitted Mar 5) — In Progress 9cc33cfd — MeetingRecorder-1.4.9.dmg (submitted Mar 4) — In Progress Running notarytool log returns "Submission log is not yet available." Team ID: HXVLV4P425 The app is a macOS menu bar application for meeting recording and transcription. It is signed with a valid Developer ID certificate and has been built with hardened runtime enabled. I've tried resubmitting multiple times across different builds (1.4.9, 1.4.12, 1.5.0), but all submissions remain stuck. Could someone from the notarization team please investigate? Thank you.

I have an existing app in App Store Connect. I added the SharedWithYou functionality to the app code and tested it on several devices. Everything is working as expected. One of the first steps was to add the com.apple.developer.shared-with-you entitlement to the Entitlements.plist file. This required a round of updates for app identifiers and provisioning profiles. When I upload the production build for testing in TestFlight I receive the following error: 90919: Invalid entitlement. The “” bundle has the com.apple.developer.shared-with-you entitlement, but it doesn’t use the Shared with You framework. Please remove the entitlement and upload a new build. I'm using SWHighlight, SWHighlightCenter, and SWAttributionView in several places throughout my app... I filed an issue in the Feedback Assistant but so far, have not received any response.

Hello! We built a macOS .pkg using pkgbuild (contains a DMG + postinstall bash script). The pkg works locally on the build machine but fails on other devices manually / via MDM unless signed. We tried signing with a Developer ID Installer certificate, but: security find-identity -p codesigning -v → 0 valid identities security find-identity -v → shows the cert Private key is present in Keychain OpenSSL check shows: X509v3 Extended Key Usage: Critical (Expected one might be: Code Signing) We recreated CSR + cert multiple times (G2 Sub-CA), ensured Login keychain, unlocked keychain, etc., but same result. Question: Why is the Developer ID Installer cert missing Code Signing usage and not recognized for signing? Is there any account restriction or step we might be missing? Any recommendations on resolving this issue. Thanks!

Code signing uses various different identifier types, and I’ve seen a lot of folks confused as to which is which. This post is my attempt to clear up that confusion. If you have questions or comments, put them in a new thread, using the same topic area and tags as this post. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" Code Signing Identifiers Explained An identifier is a short string that uniquely identifies a resource. Apple’s code-signing infrastructure uses identifiers for various different resource types. These identifiers typically use one of a small selection of formats, so it’s not always clear what type of identifier you’re looking at. This post lists the common identifiers used by code signing, shows the expected format, and gives references to further reading. Unless otherwise noted, any information about iOS applies to iOS, iPadOS, tvOS, visionOS, and watchOS. Formats The code-signing identifiers discussed here a number of different formats: 10-character This is composed of 10 ASCII characters. For example, Team IDs use this format, as illustrated by the Team ID of one of Apple’s test teams: Z7P62XVNWC. Reverse-DNS This is composed of labels separated by a dot. For example, bundle IDs use this format, as illustrated by the bundle ID of the test app associated with this post: com.example.tn3NNNapp. UUID This is a standard universally unique identifier. For example, the App Store Connect API key associated with this post has a issuer UUID of c055ca8c-e5a8-4836-b61d-aa5794eeb3f4. Email or phone See the Apple Account section below for more on this. Decimal number This is a simple decimal number. For example, the Apple ID for Apple Configurator is 1037126344. The Domain Name System has strict rules about domain names, in terms of overall length, label length, text encoding, and case sensitivity. The reverse-DNS identifiers used by code signing may or may not have similar limits. When in doubt, consult the documentation for the specific identifier type. Reverse-DNS names are just a convenient way to format a string. You don’t have to control the corresponding DNS name. You can, for example, use com.<SomeCompany>.my-app as your bundle ID regardless of whether you control the <SomeCompany>.com domain name. To securely associate your app with a domain, use associated domains. For more on that, see Supporting associated domains. IMPORTANT Don’t use com.apple. in your reverse-DNS identifiers. That can yield unexpected results. Identifiers The following table summarises the identifiers covered below: Name | Format | Example | Notes ---- | ------ | ------- | ----- Team ID | 10-character | `Z7P62XVNWC` | Identifies a developer team User ID | 10-character | `UT376R4K29` | Identifies a developer Team Member ID | 10-character | `EW7W773AA7` | Identifies a developer in a team Bundle ID | reverse-DNS | `com.example.tn3NNNapp` | Identifies an app App ID prefix | 10-character | `Z7P62XVNWC` | Part of an App ID | | `VYRRC68ZE6` | App ID | mixed | `Z7P62XVNWC.com.example.tn3NNNNapp` | Connects an app and its provisioning profile | | `VYRRC68ZE6.com.example.tn3NNNNappB` | Code-signing identifier | reverse-DNS | `com.example.tn3NNNapp` | Identifies code to macOS | | `tn3NNNtool` | App group ID | reverse DNS | `group.tn3NNNapp.shared` | Identifies an app group | reverse DNS | `Z7P62XVNWC.tn3NNNapp.shared` | Identifies an macOS-style app group Managed capability request ID | 10-character | `M79GVA97FK` | Identifies a request for a managed capability App Store Connect API key ID | 10-character | `T9GPZ92M7K` | Identifies a key used for App Store Connect API authentication App Store Connect API issuer | UUID | `c055ca8c-e5a8-4836-b61d-aa5794eeb3f4` | Identifies a key issuer in the App Store Connect API Apple Account | email or phone | `user@example.com` | Identifies a user to the Developer website and App Store Connect Apple ID | decimal number | 1037126344 | Identifies an app in App Store Connect As you can see, there’s no clear way to distinguish a Team ID, User ID, Team Member ID, and an App ID prefix. You have to determine that based on the context. In contrast, you choose your own bundle ID and app group ID values, so choose values that make it easier to keep things straight. Team ID When you set up a team on the Developer website, it generates a unique Team ID for that team. This uses the 10-character format. For example, Z7P62XVNWC is the Team ID for an Apple test team. When the Developer website issues a certificate to a team, or a user within a team, it sets the Subject Name > Organisational Unit field to the Team ID. When the Developer website issues a certificate to a team, as opposed to a user in that team, it embeds the Team ID in the Subject > Common Name field. For example, a Developer ID Application certificate for the Team ID Z7P62XVNWC has the name Developer ID Application: <TeamName> (Z7P62XVNWC). User ID When you first sign in to the Developer website, it generates a unique User ID for your Apple Account. This User ID uses the 10-character format. For example, UT376R4K29 is the User ID for an Apple test user. When the Developer website issues a certificate to a user, it sets the Subject Name > User ID field to that user’s User ID. It uses the same value for that user in all teams. Team Member ID When you join a team on the Developer website, it generates a unique Team Member ID to track your association with that team. This uses the 10-character format. For example, EW7W773AA7 is the Team Member ID for User ID UT376R4K29 in Team ID Z7P62XVNWC. When the Developer website issues a certificate to a user on a team, it embeds the Team Member ID in the Subject > Common Name field. For example, an Apple Development certificate for User ID UT376R4K29 on Team ID Z7P62XVNWC has the name Apple Development: <UserName> (EW7W773AA7). IMPORTANT This naming system is a common source of confusion. Developers see this ID and wonder why it doesn’t match their Team ID. The advantage of this naming scheme is that each certificate gets a unique name even if the team has multiple members with the same name. The John Smiths of this world appreciate this very much. Bundle ID A bundle ID is a reverse-DNS identifier that identifies a single app throughout Apple’s ecosystem. For example, the test app associated with this post has a bundle ID of com.example.tn3NNNapp. If two apps have the same bundle ID, they are considered to be the same app. Bundle IDs have strict limits on their format. For the details, see CFBundleIdentifier. If your macOS code consumes bundle IDs — for example, you’re creating a security product that checks the identity of code — be warned that not all bundle IDs conform to the documented format. And non-bundled code, like a command-line tool or dynamic library, typically doesn’t have a bundle ID. Moreover, malicious code might use arbitrary bytes as the bundle ID, bytes that don’t parse as either ASCII or UTF-8. WARNING On macOS, don’t assume that a bundle ID follows the documented format, is UTF-8, or is even text at all. Do not assume that a bundle ID that starts with com.apple. represents Apple code. A better way to identify code on macOS is with its designated requirement, as explained in TN3127 Inside Code Signing: Requirements. On iOS this isn’t a problem because the Developer website checks the bundle ID format when you register your App ID. App ID prefix An App ID prefix forms part of an App ID (see below). It’s a 10-character identifier that’s either: The Team ID of the app’s team A unique App ID prefix Note Historically a unique App ID prefix was called a Bundle Seed ID. A unique App ID prefix is a 10-character identifier generated by Apple and allocated to your team, different from your Team ID. For example, Team ID Z7P62XVNWC has been allocated the unique App ID prefix of VYRRC68ZE6. Unique App ID prefixes are effectively deprecated: You can’t create a new App ID prefix. So, unless your team is very old, you don’t have to worry about unique App ID prefixes at all. If a unique App ID prefix is available to your team, it’s possible to create a new App ID with that prefix. But doing so prevents that app from sharing state with other apps from your team. Unique app ID prefixes are not supported on macOS. If your app uses a unique App ID prefix, you can request that it be migrated to use your Team ID by contacting Apple > Developer > Contact Us. If you app has embedded app extensions that also use your unique App ID prefix, include all those App IDs in your migration request. WARNING Before migrating from a unique App ID prefix, read App ID Prefix Change and Keychain Access. App ID An App ID ties your app to its provisioning profile. Specifically: You allocate an App ID on the Developer website. You sign your app with an entitlement that claims your App ID. When you launch the app, the system looks for a profile that authorises that claim. App IDs are critical on iOS. On macOS, App IDs are only necessary when your app claims a restricted entitlement. See TN3125 Inside Code Signing: Provisioning Profiles for more about this. App IDs have the format <Prefix>.<BundleOrWildcard>, where: <Prefix> is the App ID prefix, discussed above. <BundleOrWildcard> is either a bundle ID, for an explicit App ID, or a wildcard, for a wildcard App ID. The wildcard follows bundle ID conventions except that it must end with a star (*). For example: Z7P62XVNWC.com.example.tn3NNNNapp is an explicit App ID for Team ID Z7P62XVNWC. Z7P62XVNWC.com.example.* is a wildcard App ID for Team ID Z7P62XVNWC. VYRRC68ZE6.com.example.tn3NNNNappB is an explicit App ID with the unique App ID prefix of VYRRC68ZE6. Provisioning profiles created for an explicit App ID authorise the claim of just that App ID. Provisioning profiles created for a wildcard App ID authorise the claim of any App IDs whose bundle ID matches the wildcard, where the star (*) matches zero or more arbitrary characters. Wildcard App IDs are helpful for quick tests. Most production apps claim an explicit App ID, because various features rely on that. For example, in-app purchase requires an explicit App ID. Code-signing identifier A code-signing identifier is a string chosen by the code’s signer to uniquely identify their code. IMPORTANT Don’t confuse this with a code-signing identity, which is a digital identity used for code signing. For more about code-signing identities, see TN3161 Inside Code Signing: Certificates. Code-signing identifiers exist on iOS but they don’t do anything useful. On iOS, all third-party code must be bundled, and the system ensures that the code’s code-signing identifier matches its bundle ID. On macOS, code-signing identifiers play an important role in code-signing requirements. For more on that topic, see TN3127 Inside Code Signing: Requirements. When signing code, see Creating distribution-signed code for macOS for advice on how to select a code-signing identifier. If your macOS code consumes code-signing identifiers — for example, you’re creating a security product that checks the identity of code — be warned that these identifiers look like bundle IDs but they are not the same as bundle IDs. While bundled code typically uses the bundled ID as the code-signing identifier, macOS doesn’t enforce that convention. And non-bundled code, like a command-line tool or dynamic library, often uses the file name as the code-signing identifier. Moreover, malicious code might use arbitrary bytes as the code-signing identifier, bytes that don’t parse as either ASCII or UTF-8. WARNING On macOS, don’t assume that a code-signing identifier is a well-formed bundle ID, UTF-8, or even text at all. Don’t assume that a code-signing identifier that starts with com.apple. represents Apple code. A better way to identify code on macOS is with its designated requirement, as explained in TN3127 Inside Code Signing: Requirements. App Group ID An app group ID identifies an app group, that is, a mechanism to share state between multiple apps from the same team. For more about app groups, see App Groups Entitlement and App Groups: macOS vs iOS: Working Towards Harmony. App group IDs use two different forms of reverse-DNS identifiers: iOS-style This has the format group.<GroupName>, for example, group.tn3NNNapp.shared. macOS-style This has the format <TeamID>.<GroupName>, for example, Z7P62XVNWC.tn3NNNapp.shared. The first form originated on iOS but is now supported on macOS as well. The second form is only supported on macOS. iOS-style app group IDs must be registered with the Developer website. That ensures that the ID is unique and that the <GroupName> follows bundle ID rules. macOS-style app group IDs are less constrained. When choosing such a macOS-style app group ID, follow bundle ID rules for the group name. If your macOS code consumes app group IDs, be warned that not all macOS-style app group IDs follow bundle ID format. Indeed, malicious code might use arbitrary bytes as the app group ID, bytes that don’t parse as either ASCII or UTF-8. WARNING Don’t assume that a macOS-style app group ID follows bundle ID rules, is UTF-8, or is even text at all. Don’t assume that a macOS-style app group ID where the group name starts with com.apple. represents Apple in any way. Some developers use app group IDs of the form <TeamID>.group.<GroupName>. There’s nothing special about this format. It’s just a macOS-style app group ID where the first label in the group name just happens to be group Starting in Feb 2025, iOS-style app group IDs are fully supported on macOS. If you’re writing new code that uses app groups, use an iOS-style app group ID. This allows sharing between different product types, for example, between a native macOS app and an iOS app running on the Mac. Managed Capability Request ID Managed capabilities must be assigned to your account by Apple before you can use them. You apply for these using the Capability Requests tab on the Developer website. For more details, see New Capabilities Request Tab in Certificates, Identifiers & Profiles. When you make such a request, the Developer website assigns it a request ID, using the 10-character format. For example, M79GVA97FK is the request ID for an Apple test request. These request IDs are purely administrative; they have no build-time or run-time impact. App Store Connect API Keys The App Store Connect API authenticates requests using API keys. For the details, see Creating API Keys for App Store Connect API. Each API key has an associated issuer and key ID. The issuer is a UUID, for example, c055ca8c-e5a8-4836-b61d-aa5794eeb3f4. The key ID uses the 10-character format, for example, T9GPZ92M7K. These identifiers have no run-time impact, but they might be relevant when you’re building your app. For example: If your continuous integration (CI) uses the App Store Connect API, it will need an API key and its associated identifiers. If you notarise a Mac product, you might choose to authenticate using an App Store Connect API key and its associated identifiers. For an example of how to do that with notarytool, see TN3147 Migrating to the latest notarization tool. Apple Account An Apple Account is the personal account you use to access Apple services, including the Developer website and App Store Connect. Historically this was an email address, but nowadays you can also use a phone number. For more about Apple Accounts, see the Apple Account website. Your Apple Account was previously know as your Apple ID, which was confusingly similar to the next identifier. Apple ID In App Store Connect, an Apple ID refers to a decimal number that identifies your app. For example, the Apple ID for Apple Configurator is 1037126344. To see this in App Store Connect, navigate to the app record, select App Information on the left, and look for the Apple ID field. It’s a decimal number, usually around 10 digits long. You can also find this embedded in the App Store URL for the app. For example, the Apple Store URL for Apple Configurator is https://apps.apple.com/us/app/apple-configurator-2/id1037126344, which ends with its Apple ID. Note In some very obscure cases you might see this referred to as an Adam ID. Your app’s Apple ID is not used at runtime, but you may need to know it to accomplish administrative tasks. For example, most managed capability submission forms ask for your app’s Apple ID. Revision History 2026-03-05 Added the Apple Account and Apple ID sections. 2026-02-25 Added the Managed Capability Request ID and App Store Connect API Keys sections. Added UUID to the list of format. 2026-02-17 Corrected a minor formatting problem. 2026-01-06 First posted.

I added a new device and it's not recognizing the device model. This causes a message saying "Unable to verify" when signing an app. Has anyone else encountered this issue? This only happens with this one device, not others.

Our team (AI Eesti OU, Team ID: W4WXCM4DLL) submitted our first app for notarization and both submissions have been stuck "In Progress" for over 20 hours. Submission IDs: 7433a69a-af1a-463a-a9fc-c80526eb6eab (submitted 2026-04-06 19:11 UTC) d033e2f1-9b33-4b7d-8f8d-271c99f1c61c (submitted 2026-04-06 21:03 UTC) The app is signed with Developer ID Application, hardened runtime enabled, and codesign --verify --deep --strict passes. This is our first notarization submission as a new team. Is this expected for first-time submissions, or is something stuck?

Team ID: LA64G2ZMY2. Submission f28e6a62-5a46-4554-a4b9-666269b3017f has been "In Progress" for over 24 hours. App is signed with hardened runtime, valid Developer ID certificate, HFS+ DMG format (not APFS - aware of DTS r. 134264492). Codesign verifies clean. All requirements met per Apple documentation. Is notarization provisioning needed for new accounts?

Hello everyone, I'm facing a critical build issue related to Family Controls entitlements and would appreciate any insights or help from the community or Apple engineers. My Goal: I am trying to build and run my app on a physical device to test my DeviceActivityMonitor and ShieldConfigurationExtension. I have already been approved for the Family Controls (Development) entitlement. The Problem: When I try to build, Xcode fails with the following errors, preventing me from testing: For my DeviceActivityMonitor target: Provisioning profile "..." doesn't include the com.apple.developer.deviceactivity entitlement. For my SOSAppShieldExtension target: Provisioning profile "..." doesn't include the com.apple.developer.screen-time-api entitlement. The Core Evidence: This seems to be a server-side issue with how the provisioning profiles are generated. I have used the security cms -D -i command to inspect the downloaded .mobileprovision files. The inspection reveals that the profiles do contain the parent com.apple.developer.family-controls entitlement. However, they are missing the required child entitlements: The profile for my monitor extension is missing com.apple.developer.deviceactivity. The profile for my shield extension is missing com.apple.developer.screen-time-api. Troubleshooting Steps I've Already Taken: I believe I have exhausted all possible client-side fixes. Here is what I have tried over the past few days: Confirmed Approval: I am fully approved for the Family Controls (Development) entitlement. Enabled Capabilities: The "Family Controls" capability is checked and enabled for all three relevant App IDs (main app, monitor extension, shield extension) on the developer portal. Profile Regeneration: I have deleted and regenerated all provisioning profiles for all targets multiple times. Forcing a Server Refresh: I have toggled the "Family Controls" capability off, saved, and then toggled it back on and saved again for each App ID. Creating New Identifiers: I created a brand new, clean App ID for the DeviceActivityMonitor extension (com.sosapp.ios.devicemonitor) and created a new profile for it, but the error persists. Xcode Configuration: I am using manual signing in Xcode and have double-checked that each target is pointing to the correct, newly downloaded provisioning profile. I have also cleaned the build folder and deleted Derived Data multiple times. My Question: Given that my account is approved and the capability is enabled, but the generated profiles are provably missing the necessary child entitlements, this points directly to a bug in the profile generation service on Apple's backend. Has anyone else experienced this specific issue where the parent entitlement is present but the required child entitlements are missing? Is there a known workaround, or can an Apple engineer please investigate the profile generation for my Team ID? Any help would be greatly appreciated. Thank you!

All notarization submissions remain stuck "In Progress" and never complete. Tested both DMG and ZIP formats — same result. This has been consistent across 5+ attempts on March 29, 2026. App: Electron desktop app (arm64), signed with Developer ID Application, hardened runtime enabled, secure timestamp present. DMG submissions (all stuck): 568cc9c3-e711-41ba-99ce-6af5a1860ae9 (10 min timeout) e0a345c3-ddf8-4771-bdda-e0bc133ff723 (20 min timeout) 6757e5a9-d95b-45b3-95d5-41cb23384bea (20 min timeout) ZIP submission (.app bundle via ditto, ~207MB): Also stuck "In Progress" for 10+ minutes notarytool log returns "Submission log is not yet available" for all submissions. Developer ID Notary Service shows "Available" on System Status page. Environment: macOS GitHub Actions runner (macos-latest), latest Xcode, xcrun notarytool. Seeing similar reports from other developers this week. Is there a known service issue?

Hello all, I am attempting to notarize my newly made Mac OS application using the notarization command in VS Code. "/Users/teejgotit/Desktop/Cursor Workspace/Rust CutContour v2/cutcontour-app/src-tauri/target/release/bundle/dmg/CC Studio_0.1.0_aarch64.dmg" \ --key "/Users/teejgotit/AppleCerts/AuthKey_MATVLX3.p8" \ --key-id "MATVLX9" \ --issuer "887ba428-aa39-4fb3-a3dc-f83b9145cab0" \ --wait Only to be met with a continual "Current State: In Progress.." for what has been about 1 day and 16 hours now. Current status: In Progress........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................ My app and project are rather small and was curious if this is a normal thing for this to day takes for a first time notarization? Would love any help or feedback.

Some capabilities include distribution restriction. For example, you might be able to use the capability for day-to-day development but have to get additional approval to publish an app using that capability to the App Store. To tell if a capability has such a restriction: Go to Developer > Account. At the top right, make sure you’re logged in as the right team. Under Certificates, IDs & Profiles, click Identifiers. Find the App ID you’re working with and click it. IMPORTANT Some managed capabilities are granted on a per-App ID basis, so make sure you choose the right App ID here. This brings up the App ID editor. In the Capabilities tab, locate the capability you’re working with. Click the little info (i) button next to the capability. The resulting popover lists the supported platforms and distribution channels for that capability. For example, the following shows that the standard Family Controls (Development) capability, which authorises use of the com.apple.developer.family-controls entitlement, is only enabled for development on iOS and visionOS. In contrast, if you’ve been granted distribution access to this capability, you’ll see a different Family Controls (Distribution) capability. Its popover shows that you can use the capability for App Store Connect and Ad Hoc distribution, as well as day-to-day development, on both iOS and visionOS. In the Family Controls example the development-only capability is available to all developers. However, restrictions like this can apply to initially managed capabilities, that is, managed capabilities where you have to apply to use the capability just to get started with your development. For example, when you apply for the Endpoint Security capability, which authorises use of the com.apple.developer.endpoint-security.client entitlement, it’s typically granted for development only. If you want to distribute a product using that capability, you must re-apply for another capability that authorises Developer ID distribution [1]. Some folks encounter problems like this because their managed capability was incorrectly granted. For example, you might have applied for a managed capability from an Organization team but it was granted as if you were an Enterprise team. In this case the popover will show In House where you’d expect it to show App Store Connect. If you’ve believe that you were granted a managed capability for the wrong distribution channel, contact the folks who granted you that capability. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" [1] Endpoint Security clients must use independent distribution; they are not accepted in the Mac App Store. Revision History 2026-03-10 Updated to account for changes on the Apple Developer website. 2022-12-09 First posted.

Hi, I currently have multiple notarization submissions that have been stuck in "In Progress" status for many hours without any updates. Here are several examples from my recent submissions: Submission IDs: 01f7a80e-a9cc-49b3-bb93-94b126cf3124 (a.dmg) 7af2b25f-e131-40a4-bcd3-0f7583ebbdc2 (a.dmg) 2b35ec79-d851-41d6-a900-788d4201a273 (b.dmg) 8194b1af-a270-4de9-92f1-ce2a8d4782f2 (c.dmg) 2608dcfc-7652-4efa-97e3-1749e7130dcb (d.zip) These submissions were created between March 11 and March 12, and all of them remain stuck in the "In Progress" state indefinitely. When checking using: xcrun notarytool history all recent submissions appear as: status: In Progress Additionally: No logs are available for these submissions. notarytool --wait eventually times out after 30 minutes with exit code 124. The app bundles are signed with a valid Developer ID Application certificate. All embedded frameworks and dylibs are individually signed using: --options runtime --timestamp Earlier submissions on the same day (for example df41010c-a3c6-4e2d-a455-b657693e8541) were successfully notarized and returned Accepted, so the signing configuration appears to be correct. Because many submissions across different files (DMG and ZIP) are stuck in the same state, it seems possible that the notarization service queue may be stalled. Could you please help confirm: Whether these notarization submissions are stuck on the Apple notarization service side If there is currently a service issue affecting notarization processing Whether I should cancel and resubmit these uploads Any guidance would be greatly appreciated. Thank you.