How should certificates and notarization be configured for a desktop application developed with Electron so that it can be used properly? The software is distributed via website download.

Hi everyone, I’m developing an Electron application on macOS and I’m trying to register and activate a macOS System Extension, but I’m running into startup and entitlement issues. 🔧 What I’m trying to build • An Electron app packaged with electron-builder • Signed with Developer ID Application • Notarized using @electron/notarize • A macOS System Extension is already built and signed • The System Extension provides a virtual camera • I wrote a Swift helper that: • Registers / activates the virtual camera • Calls OSSystemExtensionManager • This Swift code is compiled into a .node native addon • The .node module is loaded and called from Electron (Node.js) to trigger system extension registration ❗ The problem When I add the following entitlement: com.apple.developer.system-extension.install the application fails to launch at all on macOS. Without this entitlement: • The app launches normally • But system extension activation fails with: Error Domain=OSSystemExtensionErrorDomain Code=2 Missing entitlement com.apple.developer.system-extension.install With this entitlement: • The app does not launch • No UI is shown • macOS blocks execution silently 🤔 My questions 1. Is it valid for an Electron app’s main executable to have com.apple.developer.system-extension.install? 2. Does Apple require a separate helper / launcher app to install system extensions instead of the Electron main app? 3. Are there any Electron-specific limitations when working with macOS System Extensions? 4. Is there a known working example of Electron + macOS System Extension? 5. Do I need a specific provisioning profile or App ID capability beyond Developer ID + notarization?

The entire 'Certificates, IDs & Profiles' section is missing from developer.apple.com portal for one of the accounts I am a developer for. The Team is also missing from the dropdowns in Xcode in Code Signing. The organization account membership is paid through July 2026, and I do not see that the Account Holder needs to sign any agreements. I am a user on other accounts, and none of them have this issue. Does anyone know what's going on?

Environment: MacBook Air Apple M2 (macOS Tahoe 26.1) Xcode 26.0 (17A324) Automatic signing enabled Feedback ID: FB21537761 Issue: I'm developing a multiplatform app and encountered an automatic signing failure immediately after adding the Keychain capability. Xcode displays the following error: Automatic signing failed Xcode failed to provision this target. Please file a bug report at https://feedbackassistant.apple.com and include the Update Signing report from the Report navigator. Provisioning profile "Mac Team Provisioning Profile: com.xxx. xxx" doesn't include the currently selected device "FIRF‘s MacBook Air" (identifier 00008112-000904CA3441xxxx). What I've Investigated/Tried: Checked the developer account devices and found that the device with identifier 00008112-000904CA3441xxxx is incorrectly labeled as an “iPod” (it is actually my MacBook Air). Attempted to manually enroll the Mac again, but it still appears as an iPod in the device list. Tried creating a provisioning profile manually, but no devices are available for selection in the device list when generating the profile. Question: Has anyone encountered a similar issue where a Mac is misidentified as an iPod in the developer portal, leading to provisioning failures? Any suggestions on how to resolve this or work around the device recognition problem? Thank you in advance for your help.

When attempting to access the (Certificates Identifiers & Profiles) page, I receive the message "Unable to find a team with the given Team ID to which you belong". Even while set as a developer or as an admin I still receive the same message above.

I am a developer with the following roles: Apple Developer Team = admin Using expo & EAS to build & sign = developer We are running a new project so credentials need to be sync'd up. With EAS i can either upload a p12 or use the automatic app signing credentials. I have successfully run this in other projects including another where I am the account owner/holder. For this new project, however, I am not the owner. When I try to "register bundle identifier" it results in: Error: Apple 403 detected - Access forbidden. This request is forbidden for security reasons - You currently don't have access to this membership resource. > eas credentials ✔ Select platform › iOS ✔ Which build profile do you want to configure? › preview ✔ Using build profile: preview If you provide your Apple account credentials we will be able to generate all necessary build credentials and fully validate them. This is optional, but without Apple account access you will need to provide all the missing values manually and we can only run minimal validation on them. ✔ Do you want to log in to your Apple account? … yes › Log in to your Apple Developer account to continue ✔ Apple ID: … myemail@gmail.com › Restoring session /Users/me/.app-store/auth/myemail@gmail.com/cookie ✔ Select a Team › My Project Team - Company/Organization (XXXXX) › Provider My Project Team LLC (XXXXX) ✔ Logged in Local session iOS Credentials Project @team/my-app Bundle Identifier com.teambundle.dev No credentials set up yet! ✔ What do you want to do? › Build Credentials: Manage everything needed to build your project iOS Credentials Project @team/my-app Bundle Identifier com.teambundle.dev No credentials set up yet! ✔ What do you want to do? › All: Set up all the required credentials to build your project ✖ Failed to register bundle identifier com.teambundle.dev Error: Apple 403 detected - Access forbidden. This request is forbidden for security reasons - You currently don't have access to this membership resource. Contact your team's Account Holder, MY MANAGER, or an Admin. Cryptic error? [Learn ](https://github.com/expo/fyi/blob/main/cryptic-error-eas.md) Why am I getting a 403?

I double-click it, and it doesn't install. I drag it to the provisioning profile folder, and it gets deleted immediately. It's an Apple Developer problem. I've already wiped my Mac clean twice and reinstalled everything, and I'm still having this problem.

We have a command line script that runs xcodebuild to make an archive, then runs xcodebuild again to export the archive to make an ipa, and then runs "altool --validate-app" to check that everything will be fine for a subsequent upload to the app store. This has been working fine for a few years but recently stopped working and we cannot figure out why. The validation fails with this error: ERROR: [altool.105912F20] Validation failed (409) Invalid Provisioning Profile. The provisioning profile included in the com. bundle [Payload/.app] is invalid. [Missing code-signing certificate]. A distribution provisioning profile should be used when uploading apps to App Store Connect. (ID: ) The project is configured with 'Automatically manage signing' unchecked, and the profile was created on developer.apple.com/account/resources/profiles and the matching profile magically appears in the "Provisioning Profile" drop down in Xcode. The profile was created with two certificates checked, but examining the embedded.mobileprovision profile that ends up in the compiled ipa payload it appears to contain 19 certificates (probably all of them for this org?). Is there a way to find out which certificate is missing exactly? And once identified is it a case of adding it to the profile used during compilation to fix this? Ancillary question: why does the embedded.mobileprovision file contain so many certificates, and how does xcodebuild decide which ones it includes there?

Hello! I need help with the following issue. I can't create a provisioning profile. The following error message appears: The following devices are either already present and have not been modified, or they contain invalid identifiers. I'm a beginner and have been struggling with this issue for a month and a half. Any help would be appreciated.

i am creating a app on "appmysite" while it runs its build test an error message pops up saying build failed. "it seems your app build has encountered an issue. the certificate used to generate the uploaded provisioning profile does not match the uploaded certificate." I understand why its saying it because the uploaded certificate had to be uploaded as ".p12". The certificate in the provisioning profile is made of ".cert". I am using a apple mac book and a xenovo windows computer. Im simply trying to figure out how to put the ".p12" certificate into the provisioning profile? whenever i go to my developer account and try to create a new provisioning account with the new ".p12" certificate. The only options that pop up for me to select are only the certificates that are in ".cert" form. I've tried exporting through "key access" and they show up in my files but no way to transfer to my developer account to combine it with a provisioning account. Any help is greatly appreciated, this is literally the only thing keeping my app from being ready for submission to review. ive been stuck on this for 3 days.

The device UDID was registered to the developer account 40 hours ago, the STATUS column was "processing" in the first 24 hours, then turned to empty. But I still can't run my app (with distribution method "development"), when I try to run it after download it through my OTA URL, it prompts “the app cannot be installed because its integrity could not be verified” but everything runs good on a iPhone which was registered a month ago. What should I do now? keep waiting?

Hi, after 2 years of not updating my app on appstore i wanted to submit an update for my iOS app which also containts a watch app target. When i try to submit it to upload it i get the following errors: Failed registering bundle identifier The app identifier "(myappBundleID).watchkitapp" cannot be registered to your development team because it is nit available. Change your bundle identifier to a unique string to try again. No Profiles for "(myappBundleID).watchkitapp" were found. Xcode culdn't find any iOS App Store provisining profiles matching "(myappBundleID).watchkitapp" Since i have my app already in store with that bundle identifier i don't know why it can not be registered to my team. Also i don't want to change the bundle identifier because then i can not publish it as update to store.

After upgrading the virtual machines used for building and testing our macOS application, it seems that something new in Sequoia is preventing virtual machines from running anything signed with a Mac Development certificate. At first glance the issue seems very similar to this thread, but it could be unrelated. We are using the tart toolset to build and run our VMs. People seem to be having related issues there with Sequoia in particular. I have added the VM's hardware UUID to the Devices list of our account. I have included that device in the devices list of our Mac Development provisioning profile. I have re-downloaded the profile, ensured that it is properly getting built into the app, and ensured that the hardware UUID of the VM matches the embedded provisioning profile: Virtual-Machine App.app/Contents % system_profiler SPHardwareDataType | grep UUID Hardware UUID: 0CAE034E-C837-53E6-BA67-3B2CC7AD3719 Virtual-Machine App.app/Contents % grep 0CAE034E-C837-53E6-BA67-3B2CC7AD3719 ../../App.app/Contents/embedded.provisionprofile Binary file ../../App.app/Contents/embedded.provisionprofile matches However, when I try to run the application, it fails, and while I have searched the system logs to find a more informative error message, the only thing I can find is that the profile doesn't match the device somehow: Virtual-Machine App.app/Contents % open ../../App.app The application cannot be opened for an unexpected reason, error=Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." UserInfo={NSLocalizedFailureReason=Launch failed., NSUnderlyingError=0x6000039440f0 {Error Domain=NSPOSIXErrorDomain Code=153 "Unknown error: 153" UserInfo={NSLocalizedDescription=Launchd job spawn failed}}} Virtual-Machine App.app/Contents % log show --info --debug --signpost --last 3m | grep -i embedded.provisionprofile 2025-01-21 16:33:32.369829+0000 0x65ba Error 0x0 2872 7 taskgated-helper: (ConfigurationProfiles) [com.apple.ManagedClient:ProvisioningProfiles] embedded provisioning profile not valid: file:///private/tmp/builds/app/.caches/Xcode/DerivedData/Build/Products/Debug/App.app/Contents/embedded.provisionprofile error: Error Domain=CPProfileManager Code=-212 "Provisioning profile does not allow this device." UserInfo={NSLocalizedDescription=Provisioning profile does not allow this device.} I don't understand why the provisioning profile wouldn't allow the device if the hardware UUID matches. I have also attempted to add the Provisioning UDID in the devices list instead, but the form rejects that value because it's a different format (the form specifically requests a hardware UUID for macOS development, and a provisioning UDID for everything else). If there is any debugging tool that lets me check a provisioning profile against the running hardware and print a more verbose reason for why it's not allowed on the device, please let me know. Otherwise I'd have to conclude that, since I haven't experienced this issue before on an earlier OS, it has something to do with virtual machines running macOS Sequoia. (The same Mac Development-signed application runs just fine on my MacBook Pro running 15.2, as well as the VM host, which is also running 15.2.) I have also tried resetting the VM's hardware UUID and adding that one to the devices list, to no effect. This is obviously seriously impacting our CI/CD pipelines to allow for proper UI testing of our application. If anyone is aware of any workarounds, I would love to hear them!

Hello, After deploying our app, we encountered an issue where the app fails to launch properly on certain devices. To rule out potential code issues, we created a new clean project and tested it with the basic setup (certificate, bundle ID, and team). The app installs and runs fine on most devices, but it fails to open immediately on specific models. (The affected model is listed below.) Version: iOS 18.3.1 Model: iPhone 14 Pro After reviewing the console logs, we found an issue related to the app launching process. Could this issue be related to the app's configuration or the provisioning profile? We would appreciate any insight into why this issue occurs only on certain devices. Thank you for your help!

Is it possible to directly distribute a macOS app with a Developer ID Certificate that belongs to a different team? I am trying to resolve issues that arise when distributing a macOS app with a Network Extension (Packet Tunnel) outside the App Store using a Developer ID Certificate from a different team than the app’s provisioning profiles and entitlements. I started by attempting Direct Distribution in Xcode with automatic signing. However, it fails with the following message: Provisioning profile "Mac Team Direct Provisioning Profile: ” failed qualification checks: Profile doesn't match the entitlements file's value for the com.apple.developer.networking.networkextension entitlement. I suspect the issue is that the provisioning profile allows "packet-tunnel-provider-systemextension", whereas the entitlements generated by Xcode contain "packet-tunnel-provider". When I manually modify the .entitlements file to include the -systemextension suffix, the project fails to build because Xcode does not recognize the modified entitlement. If there is a workaround for this issue, please let me know. Due to these issues, I resorted to manually creating a signed and notarized app. My process is as follows: Export the .app from the Xcode archive. Since the exported .app does not contain the necessary entitlements or provisioning profile for direct distribution, I replace Contents/embedded.provisioningprofile in both the .app and the .appex network extension. Sign the app and its components in the following order: codesign --force --options runtime --timestamp --sign "Developer ID Application: <name>" <app>.app/Contents/Frameworks/<fw>.framework/ codesign --force --options runtime --timestamp --sign "Developer ID Application: <name>"<app>.app/Contents/PlugIns/<netext>.appex/Contents/Frameworks/<fw>.framework/Versions/A/<fw> codesign --force --options runtime --entitlements dist-vpn.entitlements --timestamp --sign "Developer ID Application: <name>" <app>.app/Contents/PlugIns/<netext>.appex/ codesign --force --options runtime --entitlements dist.entitlements --timestamp --sign "Developer ID Application: <name>" <app>.app Verify the code signature: codesign --verify --deep --strict --verbose=4 <app>.app - <app>.app: valid on disk - <app>.app: satisfies its Designated Requirement Create a ZIP archive using: ditto -c -k --sequesterRsrc --keepParent <app>.app <app>.zip Notarize the app with notarytool and staple it. The notarization completes successfully with errors: nil. Package the notarized app into a DMG, notarize, and staple the DMG. The app runs successfully on the development machine. However, when moved to another machine and placed in /Applications, it fails to open. Inspecting Console.app reveals Gatekeeper is blocking the launch:
 taskgated-helper <bundleid>: Unsatisfied entitlements: com.apple.developer.networking.networkextension, com.apple.developer.team-identifier taskgated-helper entitlements: { "com.apple.developer.networking.networkextension" = ("packet-tunnel-provider-systemextension"); "com.apple.developer.team-identifier" = <teamid>; } As mentioned earlier, the Developer ID Certificate used for signing belongs to a different team. We are a third-party developer and do not have access to the Developer ID Certificate of the team assigned as the team-identifier. When I changed the bundle identifier (app ID), team, entitlements, and provisioning profiles to match the team associated with the Developer ID Certificate, the app worked. My question is:
 Is this failure caused by using a Developer ID Certificate from a different team, or should it still work if the provisioning profiles and entitlements are correctly set? Could there be an issue elsewhere in the provisioning profiles or entitlements for the original app ID?

Hi, I'm having a really hard time figuring out why I cannot perform cloud signing via Developer ID with xcodebuild. I have a macOS application, which I can perfectly cloud sign the following way: Sign into Xcode with my Admin + Account Holder Apple ID. Delete my Developer ID Application certificate from Keychain Access. In Xcode, click Archive. When archived, click "Distribute App" in Xcode Organizer. The app is cloud signed. I prove this by extracting the certificate codesign --extract-certificates -- /path/to/app.app then locate the 1.2.840.113635.100.6.1.32 bit mentioned by Quinn in this post. I however do it by simply opening the certifiacte with Keychain Access, where I can investigate the content of the certificate, rather than use that tool he does. Then, I do the following to attempt to cloud sign via xcodebuild: Create an API Key for the whole team in Users and Access > Integrations > App Store Connect with the "Admin" role selected. Download the private key .p8 file to ~/Downloads. Sign out of my Apple ID in Xcode by removing the account in Settings > Accounts. Create an archive: xcodebuild archive -scheme "<redacted scheme name>" -archivePath ~/Downloads/archive.xcarchive -authenticationKeyIssuerID <redacted issuer id> -authenticationKeyID <redacted key id> -authenticationKeyPath ~/Downloads/AuthKey_<redacted key id>.p8 -allowProvisioningUpdates The archive is successfully created, with a new "Apple Development: Created via API (TEAM ID)" naming. Export the archive: xcodebuild -exportArchive -archivePath ~/Downloads/archive.xcarchive -authenticationKeyIssuerID <redacted issuer id> -authenticationKeyID <redacted key id> -authenticationKeyPath ~/Downloads/AuthKey_<redacted key id>.p8 -allowProvisioningUpdates -exportOptionsPlist ~/Downloads/exportOptions.plist -exportPath ~/Downloads which then fails: 2025-03-07 10:27:58.706 xcodebuild[2152:40704] [MT] IDEDistribution: -[IDEDistributionLogging _createLoggingBundleAtPath:]: Created bundle at path "/var/folders/tn/yy7ynz3d0yb4p3sd_5q_wl0h0000gn/T/<redacted app name> macOS_2025-03-07_10-27-58.706.xcdistributionlogs". error: exportArchive Cloud signing permission error error: exportArchive No signing certificate "Developer ID Application" found ** EXPORT FAILED ** Opening the distribution logs, I find this in the Provisioning Log: 2025-03-07 09:09:58 +0000 2025-03-07 09:09:58 +0000 IDEProvisioningRepair(<redacted app name>.app): 2025-03-07 09:09:58 +0000 IDEProvisioningRepair(<redacted app name>.app): Sending request 84E57539-BC1D-407A-8402-7BCE9F2FD100 to <https://appstoreconnect.apple.com/xcbuild/v1/certificates> for session DVTServicesTeamBasedSession <issuer: <redacted issuer id>; key identifier: <redacted key id>>. Method: POST Headers: { Accept = "application/vnd.api+json"; "Accept-Encoding" = "gzip, deflate"; Authorization = "Bearer <redacted bearer token>"; "Content-Length" = 116; "Content-Type" = "application/vnd.api+json"; "User-Agent" = Xcode; "X-HTTP-Method-Override" = GET; "X-Xcode-Version" = "16.2 (16C5032a)"; } Payload: {"urlEncodedQueryParams":"teamId=<redacted team id>&filter%5BcertificateType%5D=DEVELOPER_ID_APPLICATION_MANAGED&limit=200"} 2025-03-07 09:09:59 +0000 2025-03-07 09:09:59 +0000 IDEProvisioningRepair(<redacted app name>.app): 2025-03-07 09:09:59 +0000 IDEProvisioningRepair(<redacted app name>.app): Received response for 84E57539-BC1D-407A-8402-7BCE9F2FD100 @ <https://appstoreconnect.apple.com/xcbuild/v1/certificates>. Code = 0 2025-03-07 09:09:59 +0000 2025-03-07 09:09:59 +0000 IDEProvisioningRepair(<redacted app name>.app): 2025-03-07 09:09:59 +0000 IDEProvisioningRepair(<redacted app name>.app): Response payload: { "errors" : [ { "id" : "3d09690a-e26f-497f-b576-25104064387e", "status" : "403", "code" : "FORBIDDEN_ERROR", "title" : "This request is forbidden for security reasons", "resultCode" : 7495, "detail" : "You haven't been given access to cloud-managed distribution certificates. Please contact your team's Account Holder or an Admin to give you access. If you need further assistance, contact Apple Developer Program Support at https://developer.apple.com/contact/." } ] } Which is really weird, since I am using an API key with Admin rights. If I create a new key, and use it only for this command, App Store Connect does show the "Last Used" date as today after running the command. I thought some time might need to pass, but the issue has been persisting since yesterday. What could be wrong here? I do have a managed Developer ID Application certificate showing in my account but I still can't retrieve it with an Admin right imbued API key.

1.Provisioning profile "xxx" doesn't include signing certificate "Developer ID Application: xxxxx". 2.Provisioning profile "xxx" doesn't match the entitlements file's value for the com.apple.developer.networking.networkextension entitlement. I decoded the profile, <dict> <key>com.apple.developer.system-extension.install</key> <true/> <key>com.apple.developer.networking.networkextension</key> <array> <string>packet-tunnel-provider-systemextension</string> <string>app-proxy-provider-systemextension</string> <string>content-filter-provider-systemextension</string> <string>dns-proxy-systemextension</string> <string>dns-settings</string> <string>relay</string> <string>url-filter-provider</string> <string>hotspot-provider</string> </array> <key>com.apple.security.application-groups</key> <array> <string>xxxxx</string> <string>xxxxx</string> </array> <key>com.apple.developer.networking.vpn.api</key> <array> <string>allow-vpn</string> </array> <key>com.apple.application-identifier</key> <string>xxxxx</string> <key>keychain-access-groups</key> <array> <string>xxxxx</string> </array> <key>com.apple.developer.team-identifier</key> <string>xxxxx</string> </dict> Kindly help me to resolve this.

The attached file bellow contains the full error error I clone this repo to my mac, change team id and group, and run it in Xcode: https://github.com/protonpass/ios-pass There's no issue when I ran it with the Debug configuration, but when I go to Product > Scheme > Edit Scheme and change the iOS target build configuration to Release then I got that error above. I have tried Archive and export the ipa, verify that the provisioning profile contains my Mac UDID, but when double clicking the ipa to install, I also got the error This app cannot be installed because its integrity could not be verified.

Xcode automatic signing consistently fails for the macOS target when adding the App Groups capability, even though the Developer Portal is correctly configured. Error: Provisioning profile “Mac Team Provisioning Profile: com.example.testapp.mobile” doesn’t support the App Groups capability. Setup: • Bundle ID: com.example.testapp.mobile • App Group: $(TeamIdentifierPrefix)group.com.example.testapp.mobile Troubleshooting Steps Tried (None Helped): • Changed bundle identifiers and deleted/recreated them in the Developer Portal • Deleted and recreated App Groups • Removed and re-added the developer account in Xcode • Deleted all provisioning profiles from the system • Cleared Derived Data and Xcode caches • Even tried on a clean macOS system This setup used to work previously. The issue seems to have started after the Apple Developer account was renewed.

Hello, Recently our team requested the "Notification (NSE) filtering" capability. Our request was rejected but we sent a new request with a more detailed explanation of our need. However if we go check the status of the request in the Capability Requests tab the status is "No requests". We sent the new request yesterday. Is it even possible to request a capability after a rejected request? We really need the capability and the absence of it is blocking our progress.