I am trying to sign a enterprise app with provisioning profile which shows the tap to pay entitlement on Dev portal, but when downloaded on Xcode, it says the profile is missing the tap to pay capability and entitlement The capability was enabled by apple already, it was working fine until the provisioning profile got renewed.

The capability associated with "FAMILY_CONTROLS" could not be determined. Please file a bug report at https://feedbackassistant.apple.com and include the Update Signing report from the Report navigator.

I'm trying to get an app notarized, which fails with this error: The signature of the binary is invalid. However, locally checking the signature does succeed: $ codesign -vvv --deep --strict TheApp.app […] TheApp.app: valid on disk TheApp.app: satisfies its Designated Requirement Performing this check on every single item in the app's MacOS folder also succeeds. Context: embedded prebuilt binaries Now, the app has something unusual about it: it embeds prebuilt binaries, arranged in various nested folders. So, the app bundle's MacOS folder actually contains another folder with a whole tree of executables and libraries: Removing these (before building) does fix the notarization issue, but obviously I'd like to keep them in. I did my best to properly sign these items: At build time, they're copied into the product by a Copy Files phase (but not signed), then signed by a script phase That signing uses the same signing identity as the running Xcode build, and enables the hardened runtime The app builds and runs correctly, even as a release build The app has runtime hardening and app sandbox enabled How should I go about diagnosing the notarization issue?

Hi everyone, I’ve been struggling for days with a recurring issue in my iOS app build. The build fails with the following error: Provisioning profile "iOS Team Provisioning Profile: com.myapp.bundleid" doesn't include the com.apple.InAppPurchase entitlement. Here’s what I’ve already tried: Created a new Bundle ID with correct capabilities (In-App Purchase, Push Notifications, Sign in with Apple). Created a new provisioning profile manually from Apple Developer Console. Used EAS CLI (Expo) and Xcode to regenerate all certificates and provisioning profiles. Ensured that the In-App Purchase capability is enabled in the App ID (it's greyed out but enabled). Made sure all subscriptions and products in App Store Connect are “Ready to Submit”. Followed all steps from RevenueCat and Apple documentation. Cleaned entitlements in .entitlements file and tried both and variations. Tried building both locally and with EAS – same error every time. Sent multiple tickets to Apple Developer Support, but no helpful reply yet. Extra Notes: I'm using react-native-purchases and RevenueCat, already integrated and working before this started. The error began randomly; before that, I was able to build successfully with in-app purchases. Even creating a completely fresh app from scratch results in the same entitlement missing error. Has anyone faced this exact problem where the provisioning profile fails to include com.apple.InAppPurchase, even though everything is correctly set up? Any help or insights would be greatly appreciated. Thanks in advance!

I’m having trouble with the notary step of our electron app. It sometimes says “In progress” for days on end, where other times, it only takes 15-20 minutes. For the last few weeks, I’ve noticed that it will take longer than the 20 minutes if our app was using a not latest version of the electron module -- https://www.npmjs.com/package/electron. I would then update our codebase to build using the latest version, and then try to sign and notarize the app again, and it would work till a new version was released. This was the first time that that process didn’t work. Everything is on latest, and we’re still getting stuck “in progress” for days on end. We have been signing and Notarizing this app for years now, so it's not the first time we're trying to do this process To make matters stranger, I have two branches of the same exact code base – same dependencies, same source code, same everything – there is no difference. One sign and notarize works 100% of the time where the other one hasn’t worked yet. Any ideas would be helpful. I'm not really sure where to begin to debug this. Thanks!

I submitted a mac app for Notarization. For the first few tries the Notarization failed with an error "Team is not yet configured for Notarization" but few days after my account started to show "ENROLL" option again even though my membership was set to expire on 2026. I am doubting my account has been suspended. I have not received any emails from apple regarding the suspension. I have contacted support but no help yet ! This was the second year, i was paying for the membership. Could you please help me to - Help me get the account unsuspended (if it is, as there is no notification or information regarding this) If the account is suspended due to my app being submitted for Notarization then help me identify the reason so that i can fix them. Mac App is Time Tracking application that runs in background and capture periodic screenshot(NOTE - I am doing this after taking user consent)

Context: large platform-agnostic CLI tool built as a handcrafted bundle (not via an Xcode project) that has been successfully codesigned, stapled, and zipped; macOS 14.7.5 syspolicy_check reports App passed all pre-distribution checks and is ready for distribution. However, running the executable in the Terminal produces a "cannot be opened because the developer cannot be verified" popup. The executable does succeed after manually clearing its quarantine attribute. Having worked through Resolving Gatekeeper Problems, the only detail logged in the Console is Adding Gatekeeper denial breadcrumb (direct): ... bundle_id: NOT_A_BUNDLE. Experimental observations: a minimized trivial CLI executable with a similar bundle layout and name successfully executes without being rejected, and oddly, renaming the original bundle from "name" to "name.suffix" allows it to be successfully executed. It's unclear why the bundle name would affect Gatekeeper only in some circumstances, and we'd greatly prefer not to rename the bundle for compatibility reasons, so it would be good if there were some way to get further diagnostic detail leading to a workaround - thank you.

I submitted a mac app for Notarization. For the first few tries the Notarization failed with an error "Team is not yet configured for Notarization" but few days after my account started to show "ENROLL" option again even though my membership was set to expire on 2026. I am doubting my account has been suspended. I have not received any emails from apple regarding the suspension. I have contacted support but no help yet ! This was the second year, i was paying for the membership. Could you please help me to - Help me get the account unsuspended (if it is, as there is no notification or information regarding this) If the account is suspended due to my app being submitted for Notarization then help me identify the reason so that i can fix them. Mac App is Time Tracking application that runs in background and capture periodic screenshot backlsh.com (NOTE - I am doing this after taking user consent)

Hi everyone, I applied for CarPlay Entitlements on [Date 04. 26, 2024] using CarPlay is Case ID "13045151". I haven't received any updates or responses regarding my application yet. It's been 7 days since the application. My service requires CarPlay integration with a Black Box device. The primary purpose of this integration is to allow users to configure device settings through CarPlay. Furthermore, we plan to utilize the "Communication" category of Entitlements to notify users of parking incidents detected by the Black Box device while parked. This functionality is crucial for alerting drivers to potential issues affecting their vehicles. Could anyone share their experience with the typical turnaround time for CarPlay Entitlements, especially for applications involving device integration and the "Communication" category? Is this delay normal? Is there any way to check the application status or contact the appropriate team to inquire about its progress? Thank you for any insights or advice you can provide! Sincerely,

The Codesign command adds extended attributes to files that previously had no extended attributes. In my case codesign add following extended attributes to text file in Frrameworks folder: com.apple.cs.CodeDirectory com.apple.cs.CodeRequirements com.apple.cs.CodeRequirements-1 com.apple.cs.CodeSignature Can I somehow prevent this behavior? Thank you.

I have a macOS application that was previously distributed under my personal Apple Developer account using a Developer ID certificate. We’ve recently transitioned distribution to our company’s Apple Developer account. The app’s bundle identifier has been successfully transferred, and I’ve signed a new build of the app using the company’s Developer ID certificate. The app installs and runs correctly under the new signature. However, I’ve encountered a problem: the app is no longer able to access previously granted permissions (e.g., Screen Recording, System Audio Recording, and Input Monitoring). Furthermore, it cannot re-prompt for these permissions because they appear as already granted in System Settings. From what I understand, this issue is due to the change in the code signing identity. Specifically, the designated requirements used by macOS to identify an app have changed, so the system no longer associates the new version of the app with the previously granted permissions (as outlined in Apple's Technical Note TN3127). The only workaround I’ve found so far is to manually reset the app's permissions using Terminal commands (e.g., tccutil reset), but this is not something we can reasonably ask end users to do. Question: Is there a recommended or supported approach to either preserve permissions when changing Developer ID identities, or programmatically trigger a permissions reset for existing users? We're looking for a seamless solution that doesn't degrade user experience.

I spent 20 minutes trying to figure out why codesigning was failing -- I had the pf block set up correctly, my keychains were unlocked, and then, eventually, it occurred to me, hey, maybe an IP address changed, so I disabled IPv6 except for link local, and then amazingly, it went back to working. I filed FB13706261 over a year ago. This is ridiculous.

Hello Apple Developer Community, I'm experiencing a persistent issue with App Groups configuration for an iOS app extension that I can't resolve despite trying multiple approaches. I hope someone can help identify what I'm missing. Problem Description I'm getting this error when trying to build my iOS App Extension: Provisioning profile "iOS Team Provisioning Profile: com.idlrapp.Spleeft.SpleeftDataSaver" doesn't include the com.apple.developer.app-groups entitlement. My Setup Main App Bundle ID: com.idlrapp.Spleeft Extension Bundle ID: com.idlrapp.Spleeft.SpleeftDataSaver App Group ID: group.com.idlrapp.spleeft.shared Extension Type: Action Extension (Share Sheet) What I've Verified App Group Creation ✅ Created App Group group.com.idlrapp.spleeft.shared in Apple Developer Portal ✅ App Group shows as "Active" in the portal App ID Configuration ✅ Both App IDs (com.idlrapp.Spleeft and com.idlrapp.Spleeft.SpleeftDataSaver) have "App Groups" capability enabled ✅ Both App IDs are configured with the same App Group: group.com.idlrapp.spleeft.shared Entitlements Files Main App (Spleeft.entitlements): <key>com.apple.developer.app-groups</key> <array> <string>group.com.idlrapp.spleeft.shared</string> </array> Extension (SpleeftDataSaver.entitlements): <key>com.apple.developer.app-groups</key> <array> <string>group.com.idlrapp.spleeft.shared</string> </array> Xcode Configuration ✅ Both targets use "Automatically manage signing" ✅ Same Apple Developer Team selected for both ✅ App Groups capability shows correctly in Signing & Capabilities for both targets The Issue When I examine the downloaded .mobileprovision file, I can see it contains: <dict> <key>com.apple.security.application-groups</key> <array> <string>group.com.idlrapp.spleeft.shared</string> </array> <!-- Other entitlements... --> </dict> However, Xcode expects to find: <array> <string>group.com.idlrapp.spleeft.shared</string> </array> What I've Tried Multiple regenerations of provisioning profiles: Deleted all local provisioning profiles Toggled "Automatically manage signing" off/on Downloaded manual profiles from Developer Portal Verified App Group configuration: Double-checked App Group exists and is active Confirmed both App IDs have App Groups capability enabled Verified App Group assignment in both App IDs Entitlements cleanup: Ensured consistent App Group IDs across all files Removed duplicate/conflicting entries Clean builds and cache clearing: Product → Clean Build Folder Derived Data deletion Xcode restart Key Observation The provisioning profile contains com.apple.security.application-groups (which appears to be macOS-style) but Xcode expects com.apple.developer.app-groups (iOS-style) for the App Extension. Questions Is there a known issue with App Groups entitlement generation for iOS App Extensions? Should the provisioning profile contain com.apple.developer.app-groups instead of com.apple.security.application-groups? Is there a way to force regeneration of provisioning profiles with the correct entitlements? Are there additional steps required for App Extensions that differ from main apps? Any guidance would be greatly appreciated. This is blocking our App Extension development and we've exhausted our troubleshooting options. Thank you for your time and assistance.

My command line tool with a JIT entitlement is failing to run on Sequoia. 2025-05-26 14:17:09.758 E taskgated-helper[91764:3ab7036] [com.apple.ManagedClient:ProvisioningProfiles] Disallowing DecisionRuleTool because no eligible provisioning profiles found 2025-05-26 14:17:09.758 Df amfid[576:3ab6d6b] /Users/jim/DecisionRuleTool not valid: Error Domain=AppleMobileFileIntegrityError Code=-413 "No matching profile found" UserInfo={NSURL=file:///Users/jim/DecisionRuleTool, NSLocalizedDescription=No matching profile found} 2025-05-26 14:17:09.759 Df kernel[0:3ab7031] (AppleMobileFileIntegrity) AMFI: When validating /Users/jim/DecisionRuleTool: 2025-05-26 14:17:09.759 Df kernel[0:3ab7031] mac_vnode_check_signature: /Users/jim/DecisionRuleTool: code signature validation failed fatally: When validating /Users/jim/DecisionRuleTool: 2025-05-26 14:17:09.759 Df kernel[0:3ab7031] proc 91763: load code signature error 4 for file "DecisionRuleTool" 2025-05-26 14:17:09.759 Df kernel[0:3ab7032] (AppleSystemPolicy) ASP: Security policy would not allow process: 91763, /Users/jim/DecisionRuleTool Codesign isn't giving me any clues as to why. It validates. Asking it what the entitlements are on the binary: % codesign --display --entitlements - /Users/joconnor/MACEP-9852-2/tools/detection/DecisionRuleTool Executable=/Users/jim/DecisionRuleTool [Dict] [Key] com.apple.application-identifier [Value] [String] XXXXXXXXX.com.mycompany.drt [Key] com.apple.developer.team-identifier [Value] [String] XXXXXXXXX [Key] com.apple.security.cs.allow-jit [Value] [Bool] true https://developer.apple.com/documentation/Xcode/signing-a-daemon-with-a-restricted-entitlement This makes it look like this may be hopeless, that I can't create a command line took with proper entitlements.

Hi guys, I am new to publishing apps on Apple Store. I used python, pyside6, torch, pyinstaller to build an app for Apple Store. For codesigning, I used the correct "Developer ID Application" to sign the code. When I validate the .app file (codesign -vv --strict ), I got the following my_app.app: valid on disk my_app.app: satisfies its Designated Requirement Next, I used ditto to "ditto -c -k --sequesterRsrc --keepParent my_app.app my_app.zip" to zip it. Then, I submitted this my_app.zip file for notarization with "xcrun notarytool submit ..." and got the following "accepted" message. Received new status: Accepted Current status: Accepted............... [20:08:54.530Z] Info [API] Submission in terminal status: Accepted Processing complete After that, I want to staple it with "xcrun stapler staple my_app.app", but I got the following Could not validate ticket for my_app.app The staple and validate action failed! Error 65. To further investigate it, I ran "spctl -a -vvv my_app.app" and got my_app.app: rejected source=Unnotarized Developer ID origin=Developer ID Application... I don't know why this would happen after notarization accepted. Could someone help me understand this issue? Thanks!

Hello Apple Developer Community, I'm experiencing a persistent issue with App Groups configuration for an iOS app extension that I can't resolve despite trying multiple approaches. I hope someone can help identify what I'm missing. Problem Description I'm getting this error when trying to build my iOS App Extension: Provisioning profile "iOS Team Provisioning Profile: com.idlrapp.Spleeft.SpleeftDataSaver" doesn't include the com.apple.developer.app-groups entitlement. My Setup Main App Bundle ID: com.idlrapp.Spleeft Extension Bundle ID: com.idlrapp.Spleeft.SpleeftDataSaver App Group ID: group.com.idlrapp.spleeft.shared Extension Type: Action Extension (Share Sheet) What I've Verified App Group Creation ✅ Created App Group group.com.idlrapp.spleeft.shared in Apple Developer Portal ✅ App Group shows as "Active" in the portal App ID Configuration ✅ Both App IDs (com.idlrapp.Spleeft and com.idlrapp.Spleeft.SpleeftDataSaver) have "App Groups" capability enabled ✅ Both App IDs are configured with the same App Group: group.com.idlrapp.spleeft.shared Entitlements Files Main App (Spleeft.entitlements): Extension (SpleeftDataSaver.entitlements): Xcode Configuration ✅ Both targets use "Automatically manage signing" ✅ Same Apple Developer Team selected for both ✅ App Groups capability shows correctly in Signing & Capabilities for both targets The Issue When I examine the downloaded .mobileprovision file, I can see it contains: However, Xcode expects to find: What I've Tried Multiple regenerations of provisioning profiles: Deleted all local provisioning profiles Toggled "Automatically manage signing" off/on Downloaded manual profiles from Developer Portal Verified App Group configuration: Double-checked App Group exists and is active Confirmed both App IDs have App Groups capability enabled Verified App Group assignment in both App IDs Entitlements cleanup: Ensured consistent App Group IDs across all files Removed duplicate/conflicting entries Clean builds and cache clearing: Product → Clean Build Folder Derived Data deletion Xcode restart Key Observation The provisioning profile contains com.apple.security.application-groups (which appears to be macOS-style) but Xcode expects com.apple.developer.app-groups (iOS-style) for the App Extension. The main app builds fine, but the extension consistently fails with this entitlement mismatch. Questions Is there a known issue with App Groups entitlement generation for iOS App Extensions? Should the provisioning profile contain com.apple.developer.app-groups instead of com.apple.security.application-groups? Is there a way to force regeneration of provisioning profiles with the correct entitlements? Are there additional steps required for App Extensions that differ from main apps? Any guidance would be greatly appreciated. This is blocking our App Extension development and we've exhausted our troubleshooting options. Environment: Xcode: [Tu versión de Xcode] iOS Deployment Target: [Tu target] Developer Account: [Paid/Individual/Team] Thank you for your time and assistance.

Hi everyone, I applied for CarPlay Entitlements on [Date 4. 26, 2025] using. (*CarPlay Entitlements Case-ID : 13045151) I haven't received any updates or responses regarding my application yet. It's been 7 days since the application. My service requires CarPlay integration with a Black Box device. The primary purpose of this integration is to allow users to configure device settings through CarPlay. Furthermore, we plan to utilize the "Communication" category of Entitlements to notify users of parking incidents detected by the Black Box device while parked. This functionality is crucial for alerting drivers to potential issues affecting their vehicles. Could anyone share their experience with the typical turnaround time for CarPlay Entitlements, especially for applications involving device integration and the "Communication" category? Is this delay normal? Is there any way to check the application status or contact the appropriate team to inquire about its progress? Thank you for any insights or advice you can provide! Sincerely,

To learn how to develop/distribute a DriverKit driver (DEXT) and a UserClient app correctly, I am trying to run the following sample dext and app. https://developer.apple.com/documentation/driverkit/communicating-between-a-driverkit-extension-and-a-client-app?language=objc I walked throught steps in README.md included in the project and faced issues. First, I referred the "Configure the Sample Code Project" section in the README.md and configured the sample code project to build with automatic signing. I could run the app and activate the dext successfully and made sure the app could communicate with the dext. Next, I tried the manual signing. I followed steps described in the "Configure the Sample Code Project" section carefully. The following entitlements has already been assigned to my team account. DriverKit Allow Any UserClient Access DriverKit USB Transport - VendorID DriverKit I could build both app and dext and could run the app. However, when I clicked the "Install Dext" button to activate the dext, I got the following error: sysex didFailWithError: extension category returned error Am I missing something? I would also like to know detailed steps to publicly distribute my dext and app using our Developer ID Application Certificate, as README.md only shows how to configure the project for development. Xcode version: 16.3 (16E140) Development OS: macOS 15.5 (24F74) Target OS: macOS 15.5 (24F74)

I recently had to update my certificates for a project. I deleted a few old ones, and I currently have one Development certificate. I needed to create another Development certificate specifically, it's saying "Maximum number of certificates generated." I thought the maximum was two Development certificates? Has anyone else had this issue? Thinking it could be a stuck workflow or something like that.

Hi Developers, I'm encountering persistent validation errors in Xcode 16.3 (16E140) on macOS 15.4.1 (24E263) with M1 when archiving and distributing a macOS app (Developer ID signing + notarization). App Structure: A native Swift/Obj-C wrapper app that launches a nested .app inside its Resources. The nested app is built with PyInstaller and includes: A Python core Custom C++ binaries Many bundled .so libraries (e.g., from OpenCV, PyQt/PySide) Issues During Validation: App Sandbox Not Enabled Error: App Sandbox missing for NestedApp.app/Contents/MacOS/NestedExecutable. Question: For Developer ID (not App Store), is sandboxing strictly required for nested PyInstaller apps? If the wrapper is sandboxed, must the nested app be as well? Given the PyInstaller app's nature (requiring broad system access), how should entitlements be managed? Upload Symbols Failed Errors for missing .dSYM files for: The nested app’s executable Custom C++ binaries .so files (OpenCV, PyQt, etc.) These are either third-party or built without DWARF data, making .dSYM generation impractical post-build. Question: Are these symbol errors critical for Developer ID notarization (not App Store)? Can notarization succeed despite them? Is lack of symbol upload a known limitation with PyInstaller apps? Any best practices?