Displaying attribute for a private key I see a number of applications that are allowed to access it without needing a password e.g. racoon; Keychain Access.app; Certificate Assitant.app etc.. I want to add /usr/bin/codesign to the list but the gui window that pops up when I click on + doesn't seem to allow me to do that :( How do I do it please

Hi Team, I have created multiple certificates for macOS application. Below are the certificates created- Apple Development Certificate DeveloperID Installer Certificate Apple Distribution Certificate others certificates Later, I have imported the all these above certificates in keychain-access. Now, I tried to compile the code through Xcode. I am getting error for code signing certificate. Warning: unable to build chain to self-signed root for signer "Apple Development: Amit (M2WMF2YERI)” .... Command CodeSign failed with a nonzero exit code When I checked the TeamID of User(Amit) I can see that his current TeamID is [P8ZW3W9R2Q]. There is mismatch of teamID in apple development certificate generation. Note- All certificates are generated with current TeamID[P8ZW3W9R2Q] of user (Amit) except Apple Development certificate which has been generated with TeamID [M2WMF2YERI] which is generated with old TeamID of user (Amit). I attempted to generate the apple development certificate multiple times but it is getting generated with old TeamID TeamID[M2WMF2YERI] of user(Amit)
 Summary- While creating a developer certificate using apple developer account and mapping it in keychain, the certificate is being generated with old apple account details (Inactive) instead of the current one. This is causing issues when using the certificate in keychain. If anyone has encountered this issue, how it was resolved?

Hi, I am facing an issue with login persistence using firebase, but basically, it seems that I need to ensure I enable the Keychain Sharing within the Identities capabilities, the problem is, it is not even on the list. Thank you much

I spent 20 minutes trying to figure out why codesigning was failing -- I had the pf block set up correctly, my keychains were unlocked, and then, eventually, it occurred to me, hey, maybe an IP address changed, so I disabled IPv6 except for link local, and then amazingly, it went back to working. I filed FB13706261 over a year ago. This is ridiculous.

I am trying to build a release for an application that installs a DriverKit driver. I created a Developer ID Application Profile with a valid certificate but I'm coming across this error in Xcode 16.3 that is preventing me from archiving: Xcode 14 and later requires a DriverKit development profile enabled for iOS and macOS. Visit the developer website to create or download a DriverKit profile. I thought I needed a Dev ID Application profile to distribute the application and that a Development profile is for testing. Is there something I'm missing?

I am using matlab to create an application (.app) using matlab application compiler. Along with that, I use matlab to create an installer for that. Unfortunately, the installer is in (.app) format. So do some custom things to install the dependencies and copying my application to Applications folder. I am able to sign the original application with Developer ID application certificate. But I am not able to sign the installer in .app format with Developer ID installer certificate. Is there any flag in any signing executable that allows me to use Developer ID installer certificate to sign .app file instead of typical (.pkg/.dmg)? Any help would be much appreciated.

For years, I've been shipping my apps with a Perl script that now invokes notarytool to get the notarization, using this command /usr/bin/xcrun notarytool submit --apple-id jerry@sheepsystems.com --keychain-profile SSYShipProduct --team-id 4MAMECY9VS --output-format json /Users/jk/blah/blah/MyApp.zip --wait I used this script with this command several times during September 2024 to ship my apps, and it worked. But now, the above command fails with: Error: No Keychain password item found for profile: SSYShipProduct Run 'notarytool store-credentials' to create another credential profile. Of course, I am now running later versions of macOS beta and Xcode than I was in September. Does anyone know the problem? Screenshots from Terminal and Keychain Access are attached. Thank you.

Hello Apple Developer Community, I'm experiencing a persistent issue with App Groups configuration for an iOS app extension that I can't resolve despite trying multiple approaches. I hope someone can help identify what I'm missing. Problem Description I'm getting this error when trying to build my iOS App Extension: Provisioning profile "iOS Team Provisioning Profile: com.idlrapp.Spleeft.SpleeftDataSaver" doesn't include the com.apple.developer.app-groups entitlement. My Setup Main App Bundle ID: com.idlrapp.Spleeft Extension Bundle ID: com.idlrapp.Spleeft.SpleeftDataSaver App Group ID: group.com.idlrapp.spleeft.shared Extension Type: Action Extension (Share Sheet) What I've Verified App Group Creation ✅ Created App Group group.com.idlrapp.spleeft.shared in Apple Developer Portal ✅ App Group shows as "Active" in the portal App ID Configuration ✅ Both App IDs (com.idlrapp.Spleeft and com.idlrapp.Spleeft.SpleeftDataSaver) have "App Groups" capability enabled ✅ Both App IDs are configured with the same App Group: group.com.idlrapp.spleeft.shared Entitlements Files Main App (Spleeft.entitlements): <key>com.apple.developer.app-groups</key> <array> <string>group.com.idlrapp.spleeft.shared</string> </array> Extension (SpleeftDataSaver.entitlements): <key>com.apple.developer.app-groups</key> <array> <string>group.com.idlrapp.spleeft.shared</string> </array> Xcode Configuration ✅ Both targets use "Automatically manage signing" ✅ Same Apple Developer Team selected for both ✅ App Groups capability shows correctly in Signing & Capabilities for both targets The Issue When I examine the downloaded .mobileprovision file, I can see it contains: <dict> <key>com.apple.security.application-groups</key> <array> <string>group.com.idlrapp.spleeft.shared</string> </array> <!-- Other entitlements... --> </dict> However, Xcode expects to find: <array> <string>group.com.idlrapp.spleeft.shared</string> </array> What I've Tried Multiple regenerations of provisioning profiles: Deleted all local provisioning profiles Toggled "Automatically manage signing" off/on Downloaded manual profiles from Developer Portal Verified App Group configuration: Double-checked App Group exists and is active Confirmed both App IDs have App Groups capability enabled Verified App Group assignment in both App IDs Entitlements cleanup: Ensured consistent App Group IDs across all files Removed duplicate/conflicting entries Clean builds and cache clearing: Product → Clean Build Folder Derived Data deletion Xcode restart Key Observation The provisioning profile contains com.apple.security.application-groups (which appears to be macOS-style) but Xcode expects com.apple.developer.app-groups (iOS-style) for the App Extension. Questions Is there a known issue with App Groups entitlement generation for iOS App Extensions? Should the provisioning profile contain com.apple.developer.app-groups instead of com.apple.security.application-groups? Is there a way to force regeneration of provisioning profiles with the correct entitlements? Are there additional steps required for App Extensions that differ from main apps? Any guidance would be greatly appreciated. This is blocking our App Extension development and we've exhausted our troubleshooting options. Thank you for your time and assistance.

This is my .entitlements file: Code signing: codesign --sign -vvv --timestamp --options=runtime --force --entitlements ./UES.entitlements -s "Developer ID Application: XXX. (XXXXXXX)" ./UES.app I work fine in the macOS 13.x system, but the "killed" error occurs in macOS11.x. The system log is displayed as follows: (If codesign remove the --entitlements ./UES.entitlements, it will operate normally) 2025-04-21 13:58:27.039638+0800 0xd5941 Default 0x0 149 0 amfid: /Applications/UES.app/Contents/MacOS/UES signature not valid: -67050 2025-04-21 13:58:27.039762+0800 0xd5bbf Default 0x0 0 0 kernel: mac_vnode_check_signature: /Applications/UES.app/Contents/MacOS/UES: code signature validation failed fatally: When validating /Applications/UES.app/Contents/MacOS/UES: 2025-04-21 13:58:27.039815+0800 0xd5bbf Default 0x0 0 0 kernel: proc 29354: load code signature error 4 for file "UES" 2025-04-21 13:58:27.040720+0800 0xd5bc0 Default 0x0 0 0 kernel: (AppleSystemPolicy) ASP: Security policy would not allow process: 29354, /Applications/UES.app/Contents/MacOS/UES 2025-04-21 13:58:27.045974+0800 0xd58be Error 0x0 66405 0 CoreServicesUIAgent: [com.apple.launchservices:uiagent] handle LS launch error: {\n Action = oapp;\n AppMimimumSystemVersion = "10.13";\n AppPath = "/Applications/UES.app";\n ErrorCode = "-10826";\n} 2025-04-21 13:58:39.121619+0800 0xd5941 Default 0x0 149 0 amfid: /Applications/UES.app/Contents/MacOS/UES signature not valid: -67050 2025-04-21 13:58:39.121832+0800 0xd5e0f Default 0x0 0 0 kernel: mac_vnode_check_signature: /Applications/UES.app/Contents/MacOS/UES: code signature validation failed fatally: When validating /Applications/UES.app/Contents/MacOS/UES: 2025-04-21 13:58:39.121861+0800 0xd5e0f Default 0x0 0 0 kernel: proc 29415: load code signature error 4 for file "UES" 2025-04-21 13:58:39.122571+0800 0xd5e10 Default 0x0 0 0 kernel: (AppleSystemPolicy) ASP: Security policy would not allow process: 29415, /Applications/UES.app/Contents/MacOS/UES 2025-04-21 13:58:46.297915+0800 0xd5941 Default 0x0 149 0 amfid: /Applications/UES.app/Contents/MacOS/UES signature not valid: -67050 2025-04-21 13:58:46.298031+0800 0xd5f85 Default 0x0 0 0 kernel: mac_vnode_check_signature: /Applications/UES.app/Contents/MacOS/UES: code signature validation failed fatally: When validating /Applications/UES.app/Contents/MacOS/UES: 2025-04-21 13:58:46.298072+0800 0xd5f85 Default 0x0 0 0 kernel: proc 29485: load code signature error 4 for file "UES" 2025-04-21 13:58:46.300248+0800 0xd5f86 Default 0x0 0 0 kernel: (AppleSystemPolicy) ASP: Security policy would not allow process: 29485, /Applications/UES.app/Contents/MacOS/UES What causes the pattern to be narrow?

Trying to play around with Secure Enclave Protected keychain operations in a Tauri-based MacOS app and running into issues. After much digging and trial and error, here is my understanding and where I'm at: To access these keychain related APIs, the app must be codesigned, and have the following entitlements: <key>com.apple.application-identifier</key> <string>XXXXXXXXXX.com.myorg.myapp</string> <key>com.apple.developer.team-identifier</key> <string>XXXXXXXXXX</string> <key>keychain-access-groups</key> <array> <string>XXXXXXXXXX.*</string> </array> Currently using a Development cert, generated from Xcode, not a paid account I had to install the intermediate cert from https://www.apple.com/certificateauthority/ XXXXXXXXXX is the "Team ID", which can be found on my Development cert under Details > "Organizational Unit" If I build the app and run it (without signing) I get code 34018 If I sign the app and try to run it, I am no longer able to boot it, with error: The application cannot be opened for an unexpected reason, error=Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." UserInfo={NSLocalizedFailureReason=Launch failed., NSUnderlyingError=0x12a60a130 {Error Domain=NSPOSIXErrorDomain Code=153 "Unknown error: 153" UserInfo={NSLocalizedDescription=Launchd job spawn failed}}} Not quite sure what is missing - any help is much appreciated.

I have built my application for arm and x64 so I have two files called DeepSkyStacker.app in different directories. I have followed the instructions to notarise the arm version of the app, but an concerned about what I should do to notarise the other one - do I just zip that up and then run: xcrun notarytool submit "DeepSkyStacker.zip" --keychain-profile "Notary Profile for DeepSkyStacker" --wait xcrun stapler staple DeepSkyStacker.app again or will that mess everything up? Related to that can I use the Notary Profile I created for DeepSkyStacker to notarise other apps that are part of the same product (DeepSkyStackerLive and DeepSkyStackerCL)?? Thanks David

I have some questions regarding App Group Id's and use of the FileManager during an Appstore iOS transfer. I've read a lot of the topics here that cover app groups and iOS, but it's still unclear exactly what is going to happen during transfer when we try to release an updated version of the app from the new account. We're using this method FileManager.default.containerURL(forSecurityApplicationGroupIdentifier: "group.com.foo.bar") to store files on the device that are important for app launch and user experience. Once we transfer the app and begin the process of creating a new version under the new account will we be able to read the files that are stored using this app group id under the new account? What steps do we need to take in order to handle this and continue being able to access these files? It seems like the app group is not transferred in the process? I've seen some users mention they removed the app group from the original account and created it again under the receiving account (with notes mentioning this is undocumented behavior). These conversations we're centered around Shared user defaults, and that applies as well but I'm more concerned with reading the values from the file system. Thanks!

I’m having trouble with the notary step of our electron app. It sometimes says “In progress” for days on end, where other times, it only takes 15-20 minutes. For the last few weeks, I’ve noticed that it will take longer than the 20 minutes if our app was using a not latest version of the electron module -- https://www.npmjs.com/package/electron. I would then update our codebase to build using the latest version, and then try to sign and notarize the app again, and it would work till a new version was released. This was the first time that that process didn’t work. Everything is on latest, and we’re still getting stuck “in progress” for days on end. We have been signing and Notarizing this app for years now, so it's not the first time we're trying to do this process To make matters stranger, I have two branches of the same exact code base – same dependencies, same source code, same everything – there is no difference. One sign and notarize works 100% of the time where the other one hasn’t worked yet. Any ideas would be helpful. I'm not really sure where to begin to debug this. Thanks!

There is something wrong with my keychain. Can someone point me in the right direction? codesign --force --sign "Developer ID Application: Denis Putnam (2368694WQF)" --options runtime "/Users/denisputnam/git/expense_tracker/dist/ExpenseTracker.app" /Users/denisputnam/git/expense_tracker/dist/ExpenseTracker.app: replacing existing signature Warning: unable to build chain to self-signed root for signer "Developer ID Application: Denis Putnam (2368694WQF)" /Users/denisputnam/git/expense_tracker/dist/ExpenseTracker.app: errSecInternalComponent Deniss-MacBook-Pro:expense_tracker denisputnam$ security find-certificate -c "Developer ID Certification Authority" -p /Library/Keychains/System.keychain | openssl x509 -noout -dates notBefore=Sep 22 18:55:10 2021 GMT notAfter=Sep 17 00:00:00 2031 GMT Deniss-MacBook-Pro:expense_tracker denisputnam$

Hi everyone, I applied for CarPlay Entitlements on [Date 4. 26, 2025] using. (*CarPlay Entitlements Case-ID : 13045151) I haven't received any updates or responses regarding my application yet. It's been 7 days since the application. My service requires CarPlay integration with a Black Box device. The primary purpose of this integration is to allow users to configure device settings through CarPlay. Furthermore, we plan to utilize the "Communication" category of Entitlements to notify users of parking incidents detected by the Black Box device while parked. This functionality is crucial for alerting drivers to potential issues affecting their vehicles. Could anyone share their experience with the typical turnaround time for CarPlay Entitlements, especially for applications involving device integration and the "Communication" category? Is this delay normal? Is there any way to check the application status or contact the appropriate team to inquire about its progress? Thank you for any insights or advice you can provide! Sincerely,

Hi guys, I am new to publishing apps on Apple Store. I used python, pyside6, torch, pyinstaller to build an app for Apple Store. For codesigning, I used the correct "Developer ID Application" to sign the code. When I validate the .app file (codesign -vv --strict ), I got the following my_app.app: valid on disk my_app.app: satisfies its Designated Requirement Next, I used ditto to "ditto -c -k --sequesterRsrc --keepParent my_app.app my_app.zip" to zip it. Then, I submitted this my_app.zip file for notarization with "xcrun notarytool submit ..." and got the following "accepted" message. Received new status: Accepted Current status: Accepted............... [20:08:54.530Z] Info [API] Submission in terminal status: Accepted Processing complete After that, I want to staple it with "xcrun stapler staple my_app.app", but I got the following Could not validate ticket for my_app.app The staple and validate action failed! Error 65. To further investigate it, I ran "spctl -a -vvv my_app.app" and got my_app.app: rejected source=Unnotarized Developer ID origin=Developer ID Application... I don't know why this would happen after notarization accepted. Could someone help me understand this issue? Thanks!

We are building an installer application to install a dext. Building in Xcode, the installer app launches fine locally and installs the dext. We then try to sign it with the company Developer ID application certificate. However after doing so we cannot launch the application anymore as we get the following crash at launch: Exception Codes: 0x0000000000000000, 0x0000000000000000 Termination Reason: CODESIGNING 1 Taskgated Invalid Signature Triggered by Thread: 0 Thread 0 Crashed: 0 dyld_path_missing 0x102e187c0 _dyld_start + 0 Thread 0 crashed with ARM Thread State (64-bit): x0: 0x0000000000000000 x1: 0x0000000000000000 x2: 0x0000000000000000 x3: 0x0000000000000000 x4: 0x0000000000000000 x5: 0x0000000000000000 x6: 0x0000000000000000 x7: 0x0000000000000000 x8: 0x0000000000000000 x9: 0x0000000000000000 x10: 0x0000000000000000 x11: 0x0000000000000000 x12: 0x0000000000000000 x13: 0x0000000000000000 x14: 0x0000000000000000 x15: 0x0000000000000000 x16: 0x0000000000000000 x17: 0x0000000000000000 x18: 0x0000000000000000 x19: 0x0000000000000000 x20: 0x0000000000000000 x21: 0x0000000000000000 x22: 0x0000000000000000 x23: 0x0000000000000000 x24: 0x0000000000000000 x25: 0x0000000000000000 x26: 0x0000000000000000 x27: 0x0000000000000000 x28: 0x0000000000000000 fp: 0x0000000000000000 lr: 0x0000000000000000 sp: 0x000000016d13fba0 pc: 0x0000000102e187c0 cpsr: 0x00000000 far: 0x0000000000000000 esr: 0x00000000 Address size fault Binary Images: 0x102e14000 - 0x102eaffff dyld_path_missing (*) <9cf0401a-a938-389e-a77d-9e9608076ccf> /dyld_path_missing 0x102cc0000 - 0x102cc3fff main_executable_path_missing (*) <5fb2bea6-ba11-340d-a7a4-8657d5a736e2> /main_executable_path_missing 0x0 - 0xffffffffffffffff ??? (*) <00000000-0000-0000-0000-000000000000> ??? Error Formulating Crash Report: dyld_process_snapshot_get_shared_cache failed Following the different help pages from Apple, the application seems to be correctly signed. Looking at the Console, we are seeing the following message at launch: "Unsatisfied entitlements: com.apple.developer.system-extension.install, com.apple.developer.driverkit". However, the entitlement file I am using to sign the installer app contains those entitlements. We are looking at different possible issues for days now and can't figure it out. Any advice or thought would be appreciated.

In xcode, the signing&amp;capabilities TAB for ios says: Automatic signing failed Xcode failed to provision this target. Please file a bug report at https://feedbackassistant.apple.com and include the Update Signing report from the Report navigator. Provisioning profile "iOS Team Provisioning Profile: com.kikk.morsecode" doesn't include the com.apple.developer.in-app-purchase entitlement. Even though I've already configured the corresponding Certificates, Identifiers &amp; Profiles in developer Does anyone have the same problem? My Version of xcode is Version 15.4 (15F31d), running on m2pro.

Hi, Out app is approved on app store, however we want to distribute outside apps tore as well. But notarization always fails with error: Team is not yet configured for notarization. Please contact Developer Programs Support at developer.apple.com under the topic Development and Technical / Other Development or Technical Questions.", "statusCode": 7000, Any help to address this issue is highly appreciated.

I am building an application using .NET and Avalonia UI. The application is cross-platform. One of the tasks of the application is to coordinate data collection that is then routed into a Docker container for analysis. Everything works as expected in Windows. Everything works as expected in macOS on the development workstation and before packaging. After I package/codesign into a hardened runtime, I start seeing crashes at the moment when I try to execute the system calls to Docker. I am reasonably confident that this has something to do with an entitlement flag or some other permissions issue. I have been trying to sort this on my own for a while. I am only hoping someone can nudge me in the right direction. Thanks, Kevin