I am on a mission to secure our key material for our iOS app's code signing certificate. My first endeavor with storing the code signing certificate on a YubiKey is a marginal success - it seems that with a pin policy that requires entering the PIN at least once we must enter the PIN umpteen times per build. Creating a certificate with a policy of never would be ill-advised. On the other hand, we could chose to store the code signing certificate in the Secure Enclave. However, it seems that I am only allowed to create eliptic curve private keys and not RSA keys in the secure enclave. When I attempt to upload a certificate signing request to AppStoreConnect, I am told that only an RSA2048 key will do. What I am after is a way to authenticate access to the certificate once per boot so that we can make multiple builds per day without manual intervention whilst also ensuring that the key material is not stored on disk. A yubikey would be preferable, but I am fine with the secure enclave if need be. Is there a way to achieve this? Best regards, Emīls

Hi everyone, I'm trying to add the Side Button Access entitlement to my voice-based conversational app following the documentation, but I'm unable to find it in Xcode. Steps I followed: Selected my app target in Xcode project navigator Went to the Signing & Capabilities tab Clicked the + Capability button Searched for "Side Button Access" Problem: The "Side Button Access" option does not appear in the capabilities list at all. Environment: I'm developing and testing in Japan (where this feature should be available) Xcode version: Xcode 26.2 beta 3 iOS deployment target: iOS 26.2 Questions: Is there any pre-registration or special approval process required from Apple before this entitlement becomes available? Are there any additional requirements or prerequisites I need to meet? Is this feature already available, or is it still in a limited beta phase? Any guidance would be greatly appreciated. Thank you!

Hi everyone, My app notarization has been stuck in the “In Progress” state for the past 4 days. Here are the details: createdDate: 2025-10-12T07:56:46.228Z id: 8f8c9a33-1c72-489e-a189-74c797a12fbc name: DevScribe.zip status: In Progress I checked the Apple System Status page and noticed that the Developer Notarization service has been showing an outage since October 8th. Could this ongoing outage be the reason my notarization is stuck? Is anyone else experiencing the same issue? Any guidance or workaround would be greatly appreciated.

The problem is the following: We create a keychain item called NotaryTool (There are multiple accounts that use Notary tool and we created it for all of them ) This is created in the following way: $ xcrun notarytool store-credentials This process stores your credentials securely in the Keychain. You reference these credentials later using a profile name. Profile name: NotaryTool We recommend using App Store Connect API keys for authentication. If you'd like to authenticate with an Apple ID and app-specific password instead, leave this unspecified. Path to App Store Connect API private key: //AuthKey_ABCDEFGH.p8 App Store Connect API Key ID: <ABCDEFGH> App Store Connect API Issuer ID: ABCDEF-ABCD-1234-1234-1234567 Validating your credentials... Success. Credentials validated. Credentials saved to Keychain. To use them, specify `--keychain-profile "NotaryTool"` The key is downloaded from Apple and some other IDs are provided alongside. These should remain in the keychain for as long as the user process is running (just like any other process) A few runs are successful when we run with the profile that was created. After a few runs we start seeing a failure. Now we are seeing the following issue where the keychain item just vanishes: Error: No Keychain password item found for profile: NotaryTool\n\nRun 'notarytool store-credentials' to create another credential profile.\nError during the not process\nTue Aug 26 06:02:09 2025 Notarization failed with notarytool with exit code 17664: \nTue Aug 26 06:02:09 2025 could not upload for notarization!!!

Hi support, Currently we are in a process of migrating our Qt application for MAC OS - ventura -v13.4. There is a specific feature in our application in which client tries to communicate with server (Socket communication) using Qt's QsslSocket Apis . To achieve this we are using self signed Ca certificate (.pem ) generated by using openSSl commands which uses IP address of the server. We are manually installing the certificate inside MAC OS - keychain and trusting it manually as well after installing . This is working fine in XCode environment in debug mode in MAC OS and client -server handshake is happening successfully. How ever after creating .dmg file (installer) the same handshake is not happening and we are getting error -Connection time out. Upon investigating this online, we got to know there has to be codesigning (both app bundle and the dmg file )along with notarization of the .dmg file in order to access keychain of MAC OS at runtime to access the self signed certificate installed. Now we have 2 queries here. Is code signing mandatory if we want to verify our app through keychain with .dmg file ? If yes, whats the best way to achieve this ? We have tried 2 options without any luck. option1 - Trying to build our specific target among 'ALL_BUILD' with signing key settings inside xcode where we are providing developer provisional certificate with apple team ID . After that we are trying to archive to generate dmg file which is code signed. We are failing here as the signed dmg is not getting installed due to other app related dependencies are missing . option 2- Code signing the dmg and the app bundle manually outside the environment of xcode with developer certificate and team ID. We are failing here as notarization needs to be done it seems to access keychain for certificate verification If Code signing is not mandatory then whats the best possible way to achieve this considering manually installation of certificate inside keychain with adding trust option is not working at the moment. Please specify the best solution if possible.

I am facing an issue while trying to staple a notarization ticket to my signed macOS installer package. Details of my setup: The .pkg file is signed using my Developer ID Installer certificate. The app inside the package is signed using my Developer ID Application certificate. Notarization via xcrun notarytool completes successfully with status: Accepted. However, the stapler command fails with the following error: xcrun stapler staple -v /Users/mac-test/Desktop/IPMPlus_Arm_Installer_signed.pkg Processing: /Users/mac-test/Desktop/IPMPlus_Arm_Installer_signed.pkg Could not validate ticket for /Users/mac-test/Desktop/IPMPlus_Arm_Installer_signed.pkg The staple and validate action failed! Error 65. I verified that all other Apple notarization-related servers (api.apple-cloudkit.com, gs.apple.com, ocsp.apple.com, ocsp2.apple.com, crl.apple.com, developer.apple.com) are reachable. However, the domain cdn-apple-cloudkit.apple.com cannot be resolved from any network, including mobile or public Wi-Fi. Both dig and nslookup return “No answer” even when using external DNS servers like 8.8.8.8 or 1.1.1.1. It appears that cdn-apple-cloudkit.apple.com might be required during the stapler validation process, but the DNS for this domain is not resolving. Could you please confirm whether this CDN endpoint is required for stapling, and if there is currently an outage or configuration issue with cdn-apple-cloudkit.apple.com?

My app records the screen to use the audio for audio analysis for a music visualization. The app works perfectly in production but when uploaded to Transporter is rejected as below. What is the correct entitlement to use as the entitlement I am using seems deprecated. Validation failed (409) Invalid Code Signing Entitlements. Your application bundle's signature contains code signing entitlements that are not supported on macOS. Specifically, key 'com.apple.security.screen-capture' in 'com.boxedpandora.pulse.pkg/Payload/PuLsE.app/Contents/MacOS/PuLsE' is not supported. (ID: a1a436f5-925d-43bc-908d-0761064d589b) Many thanks for any input provided!

Hello Colleagues, We have been seeing a delay in our Apple notarization submission that hangs for hours "in progress" without completing: This issue has been occurring since Friday, October 17th. We have also checked the Apple System Status page and there is no indication of any outage for Apple notarization.

I'm building a content filtering app using NEURLFilterManager and NEURLFilterControlProvider (introduced in iOS 26). The app uses a PIR server for privacy-preserving URL filtering. Everything works with development-signed builds, but App Store export validation rejects: Entitlement value "url-filter-provider" for com.apple.developer.networking.networkextension — "not supported on iOS" I have "Network Extensions" enabled on my App IDs in the developer portal, but the provisioning profiles don't seem to include url-filter-provider, and I don't see a URL filter option in the Capability Requests tab. What I've tried: Entitlement values: url-filter-provider, url-filter — both rejected at export Extension points: com.apple.networkextension.url-filter, com.apple.networkextension.url-filter-control — both rejected Regenerating provisioning profiles after enabling Network Extensions capability My setup: iOS 26, Xcode 26 Main app bundle: com.pledgelock.app URL filter extension bundle: com.pledgelock.app.url-filter PIR server deployed and functional Is there a specific request or approval process needed for the url-filter-provider entitlement? The WWDC25 session "Filter and tunnel network traffic with NetworkExtension" mentions this entitlement but I can't find documentation on how to get it approved for distribution. Any guidance appreciated. Thanks!

I’m working on an iOS VPN app and looking into using NETunnelProvider (Packet Tunnel) for the VPN implementation. From the documentation it seems that Packet Tunnel is required for VPN protocols like OpenVPN, but the Packet Tunnel capability doesn’t appear to be available by default. Does using NETunnelProvider / Packet Tunnel require a special entitlement to be enabled by Apple for App Store apps? If so, what is the general process for requesting or enabling that entitlement?

Hi everyone, I applied for CarPlay Entitlements on [Date 04. 26, 2024] using CarPlay is Case ID "13045151". I haven't received any updates or responses regarding my application yet. It's been 7 days since the application. My service requires CarPlay integration with a Black Box device. The primary purpose of this integration is to allow users to configure device settings through CarPlay. Furthermore, we plan to utilize the "Communication" category of Entitlements to notify users of parking incidents detected by the Black Box device while parked. This functionality is crucial for alerting drivers to potential issues affecting their vehicles. Could anyone share their experience with the typical turnaround time for CarPlay Entitlements, especially for applications involving device integration and the "Communication" category? Is this delay normal? Is there any way to check the application status or contact the appropriate team to inquire about its progress? Thank you for any insights or advice you can provide! Sincerely,

I am trying to build a release for an application that installs a DriverKit driver. I created a Developer ID Application Profile with a valid certificate but I'm coming across this error in Xcode 16.3 that is preventing me from archiving: Xcode 14 and later requires a DriverKit development profile enabled for iOS and macOS. Visit the developer website to create or download a DriverKit profile. I thought I needed a Dev ID Application profile to distribute the application and that a Development profile is for testing. Is there something I'm missing?

I've seen a few posts about this online and it seems that Xcode generates random team ID's with it's automatic signing system. But I haven't seen any way to make this work properly. If I log into the dev portal and look at my account, in the upper right I can see my team ID. If I manually generate a cert, I get a totally different one. Question: How can I generate a cert with my proper team ID (my paid account) where the ID's on my certs, identifiers and profiles all match? I've never had this issue before and am unsure how to solve it.

Can you please help us with the scenario below, including details and Apple’s recommendations? I've already read through the Notarization and Gatekeeper documentation. The installed version of our application is 1.2.3, located in /Applications/XYZSecurity.app. We created an upgrade package for version 1.2.4. As part of the pre-install script in the 1.2.4 installer, we explicitly deleted some obsolete .dylib files from /Applications/XYZSecurity.app/Contents/Frameworks and some executable files from /Applications/XYZSecurity.app/Contents/MacOS that were no longer needed in version 1.2.4. The installation of version 1.2.4 completed successfully, but we see the below error logs in installer.log: PackageKit: Failed to unlinkat file reference /Applications/XYZSecurity.app/Contents/Frameworks/libhelper.dylib PackageKit: Failed to unlinkat file reference /Applications/XYZSecurity.app/Contents/MacOS/helper-tool Our Key Questions: Is it the right practice to remove obsolete files in the pre-install script during an upgrade? Is this approach recommended by Apple? Can this cause any issues with Apple Gatekeeper? Is there a possibility of my application getting blocked by Gatekeeper as a result?

My notary service has been stuck for more than 5 hours. Is it because i am a new user or there is an notary service outage.

Hi, I was sent here by Apple developer account, it seems here is the only option for me, so your help is very much appreciated! Basically we are building a chromium based browser on iOS, we applied the "com.apple.developer.web-browser" entitlement, and it shows up in our identifier, profile etc. The app is signed with the new entitlement and published to the app store. However it is not listed as an option for default browser, doesn't matter which device I tried. I did verified that the Info.plist contains http/https urlschemes as required. In fact a few of us checked all available documents multiple times and still couldn't see why.

Hello Quinn and Apple Developer Support, We are encountering an issue where our notarization queue appears to be stuck, and we would greatly appreciate your help. A few days ago, we assisted another team by submitting their app for notarization using our own Apple Developer account, because their own notarization attempts were getting stuck. However, the submission we made for them under our account has now been stuck in the “In Progress” state for about 5 days. Later, their own submission (using their account) was rejected after 2–3 days, but our submission for them (under our account) has never completed. Since then, all our subsequent notarization requests have also remained “In Progress”, which strongly suggests that the stuck submission is blocking our entire notarization queue. Here are the details from our submission history: xcrun notarytool history --apple-id "xxx" --team-id "xxx" --password "xxx" Partial results: id: 0bafa66f-4f47-4327-811f-a05481be5d0b status: In Progress id: 2d00b75a-a17a-44fc-afa1-71e0e39ec2cd status: In Progress The first ID is our own app’s submission. The second ID belongs to the submission we made for the other team. Both have been stuck in “In Progress” for several days, which seems abnormal. Could you please help us clear or reset the notarization queue for our account so that we can continue submitting our own apps? Thank you very much for your time and assistance! Best regards, gongcj

I tried building a macOS app with Electron, but I ran into problems during notarization. I used notarytool to upload my DMG and got status: Invalid. xcrun notarytool log output { "logFormatVersion": 1, "jobId": "680bf475-a5f4-4675-9083-aa755d492b18", "status": "Invalid", "statusSummary": "Archive contains critical validation errors", "statusCode": 4000, "archiveFilename": "BODYPARK-v3.6.0-mac.app.zip", "uploadDate": "2025-09-25T02:50:41.523Z", "sha256": "e61074b9bba6d03696f2d8b0b13870daafc283960e61ab5002d688e4e82ef6f6", "ticketContents": null, "issues": [ { "severity": "error", "code": null, "path": "BODYPARK-v3.6.0-mac.app.zip/BODYPARK-v3.6.0-mac.app/Contents/Resources/plugin/XMagic/mac/libpag.framework/libpag", "message": "The signature of the binary is invalid.", "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087735", "architecture": "x86_64" }, { "severity": "error", "code": null, "path": "BODYPARK-v3.6.0-mac.app.zip/BODYPARK-v3.6.0-mac.app/Contents/Resources/plugin/XMagic/mac/libpag.framework/libpag", "message": "The signature does not include a secure timestamp.", "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733", "architecture": "x86_64" }, { "severity": "error", "code": null, "path": "BODYPARK-v3.6.0-mac.app.zip/BODYPARK-v3.6.0-mac.app/Contents/Resources/plugin/XMagic/mac/libpag.framework/libpag", "message": "The signature of the binary is invalid.", "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087735", "architecture": "arm64" }, { "severity": "error", "code": null, "path": "BODYPARK-v3.6.0-mac.app.zip/BODYPARK-v3.6.0-mac.app/Contents/Resources/plugin/XMagic/mac/libpag.framework/libpag", "message": "The signature does not include a secure timestamp.", "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733", "architecture": "arm64" } ] } I checked the signature of my .app file: codesign -v -vvv --deep --strict /Users/zhangheng/Desktop/development/coach-app/dist_electron/mac-universal/BODYPARK-v3.6.0-mac.app/Contents/MacOS/BODYPARK-v3.6.0-mac --prepared:/Users/zhangheng/Desktop/development/coach-app/dist_electron/mac-universal/BODYPARK-v3.6.0-mac.app/Contents/Frameworks/BODYPARK-v3.6.0-mac Helper (GPU).app --validated:/Users/zhangheng/Desktop/development/coach-app/dist_electron/mac-universal/BODYPARK-v3.6.0-mac.app/Contents/Frameworks/BODYPARK-v3.6.0-mac Helper (GPU).app --prepared:/Users/zhangheng/Desktop/development/coach-app/dist_electron/mac-universal/BODYPARK-v3.6.0-mac.app/Contents/Frameworks/BODYPARK-v3.6.0-mac Helper (Plugin).app --validated:/Users/zhangheng/Desktop/development/coach-app/dist_electron/mac-universal/BODYPARK-v3.6.0-mac.app/Contents/Frameworks/BODYPARK-v3.6.0-mac Helper (Plugin).app --prepared:/Users/zhangheng/Desktop/development/coach-app/dist_electron/mac-universal/BODYPARK-v3.6.0-mac.app/Contents/Frameworks/TXFFmpeg.framework/Versions/Current/. --validated:/Users/zhangheng/Desktop/development/coach-app/dist_electron/mac-universal/BODYPARK-v3.6.0-mac.app/Contents/Frameworks/TXFFmpeg.framework/Versions/Current/. --prepared:/Users/zhangheng/Desktop/development/coach-app/dist_electron/mac-universal/BODYPARK-v3.6.0-mac.app/Contents/Frameworks/Electron Framework.framework/Versions/Current/. --prepared:/Users/zhangheng/Desktop/development/coach-app/dist_electron/mac-universal/BODYPARK-v3.6.0-mac.app/Contents/Frameworks/Electron Framework.framework/Versions/Current/Helpers/chrome_crashpad_handler --validated:/Users/zhangheng/Desktop/development/coach-app/dist_electron/mac-universal/BODYPARK-v3.6.0-mac.app/Contents/Frameworks/Electron Framework.framework/Versions/Current/Helpers/chrome_crashpad_handler --validated:/Users/zhangheng/Desktop/development/coach-app/dist_electron/mac-universal/BODYPARK-v3.6.0-mac.app/Contents/Frameworks/Electron Framework.framework/Versions/Current/. --prepared:/Users/zhangheng/Desktop/development/coach-app/dist_electron/mac-universal/BODYPARK-v3.6.0-mac.app/Contents/Frameworks/TXSoundTouch.framework/Versions/Current/. --validated:/Users/zhangheng/Desktop/development/coach-app/dist_electron/mac-universal/BODYPARK-v3.6.0-mac.app/Contents/Frameworks/TXSoundTouch.framework/Versions/Current/. --prepared:/Users/zhangheng/Desktop/development/coach-app/dist_electron/mac-universal/BODYPARK-v3.6.0-mac.app/Contents/Frameworks/BODYPARK-v3.6.0-mac Helper.app --validated:/Users/zhangheng/Desktop/development/coach-app/dist_electron/mac-universal/BODYPARK-v3.6.0-mac.app/Contents/Frameworks/BODYPARK-v3.6.0-mac Helper.app --prepared:/Users/zhangheng/Desktop/development/coach-app/dist_electron/mac-universal/BODYPARK-v3.6.0-mac.app/Contents/Frameworks/BODYPARK-v3.6.0-mac Helper (Renderer).app --validated:/Users/zhangheng/Desktop/development/coach-app/dist_electron/mac-universal/BODYPARK-v3.6.0-mac.app/Contents/Frameworks/BODYPARK-v3.6.0-mac Helper (Renderer).app /Users/zhangheng/Desktop/development/coach-app/dist_electron/mac-universal/BODYPARK-v3.6.0-mac.app/Contents/MacOS/BODYPARK-v3.6.0-mac: valid on disk /Users/zhangheng/Desktop/development/coach-app/dist_electron/mac-universal/BODYPARK-v3.6.0-mac.app/Contents/MacOS/BODYPARK-v3.6.0-mac: satisfies its Designated Requirement It looks like local signing succeeded, but notarization is failing. I’m a beginner with macOS signing/notarization. Could you please help me figure out what I’m doing wrong and how to fix this? I’d really appreciate any guidance.

Hello, I have created multiple Developer ID Application and Developer ID Installer certificates across different Apple OS versions without keeping the Certificate Signing Requests (CSR). As I’m not very experienced with Apple’s system, I made this mistake and now I am unable to create new certificates because I have reached the maximum number of certificates allowed. I develop software based on Electron and have been building and signing my applications with electron-builder, integrating the app signing needed to submit the app to the Apple Store via Transporter. Here is the relevant portion of my package.json build config: "mac": { "appId": "com.nome_app.ext", "type": "distribution", "target": [ "mas" ], "artifactName": "name_app.${ext}", "category": "public.app-category.utilities", "provisioningProfile": "build/prov_prof_mac_name_app.provisionprofile" }, "mas": { "appId": "com.name_app.ravia", "hardenedRuntime": false, "type": "distribution", "gatekeeperAssess": true, "artifactName": "name_app.${ext}", "category": "public.app-category.utilities", "entitlements": "build/entitlements.mas.plist", "extendInfo": { "NSMicrophoneUsageDescription": "This app requires microphone access.", "NSCameraUsageDescription": "This app requires webcam access." }, "entitlementsInherit": "build/entitlements.mas.inherit.plist" } } Currently, I have recreated the Mac Developer Application and Mac Developer Installer certificates, but without valid Developer ID Installer and Developer ID Application certificates, I always get this error during build: `skipped macOS application code signing reason=cannot find valid "Developer ID Application" identity or custom non-Apple code signing certificate, it could cause some undefined behaviour, e.g. macOS localized description not visible, see https://electron.build/code-signing allIdentities= 718241A413826C6A97E2062EAEC155BEF5330CCA "iPhone Distribution: RAVIA SOFTWARE DI VILLANOVA DOMENICO ANTONIO (T9UD6J5HXZ)" (CSSMERR_TP_NOT_TRUSTED) 60B360CCE27FE915799FAE7C8E6A16962F2DE9B0 "3rd Party Mac Developer Installer: RAVIA SOFTWARE DI VILLANOVA DOMENICO ANTONIO (T9UD6J5HXZ)" (CSSMERR_TP_NOT_TRUSTED) 4518A8CE3BAC4F27B09D654DA14F52FBE15A0A85 "3rd Party Mac Developer Application: RAVIA SOFTWARE DI VILLANOVA DOMENICO ANTONIO (T9UD6J5HXZ)" (CSSMERR_TP_NOT_TRUSTED) ... (additional identities with CSSMERR_TP_NOT_TRUSTED) Valid identities only: 718241A413826C6A97E2062EAEC155BEF5330CCA "iPhone Distribution: RAVIA SOFTWARE DI VILLANOVA DOMENICO ANTONIO (T9UD6J5HXZ)" (CSSMERR_TP_NOT_TRUSTED) ... • signing file=dist/mas/Studio Medico Specialistico.app platform=mas type=distribution identityName=3rd Party Mac Developer Application: RAVIA SOFTWARE DI VILLANOVA DOMENICO ANTONIO (T9UD6J5HXZ) identityHash=4518A8CE3BAC4F27B09D654DA14F52FBE15A0A85 provisioningProfile=build/prov_prof_mac_studiomedicospecialistico.provisionprofile • Command failed multiple times: codesign --sign "3rd Party Mac Developer Application: RAVIA SOFTWARE DI VILLANOVA DOMENICO ANTONIO (T9UD6J5HXZ)" --force --timestamp --entitlements build/entitlements.mas.inherit.plist /path/to/app/Contents/Frameworks/Electron Framework.framework/Versions/A/Resources/af.lproj/locale.pak Warning: unable to build chain to self-signed root for signer "3rd Party Mac Developer Application: RAVIA SOFTWARE DI VILLANOVA DOMENICO ANTONIO (T9UD6J5HXZ)" Error: errSecInternalComponent From my understanding, the system cannot find a valid Developer ID Application identity for signing. The existing certificates all show the CSSMERR_TP_NOT_TRUSTED error and the signing command fails with errSecInternalComponent. **I have confirmed that the certificates are installed in my keychain, but they may be missing private keys or not fully trusted. Is there a possibility to reset my Apple Developer account’s Developer ID Application and Developer ID Installer certificates, so I can start fresh and generate new valid certificates? Could you please advise on how to proceed or if there is any way to clear the current certificate limit?** Thank you very much for your help.

I'm starting a new project in Xcode, but the Team ID in the "Signing and Capabilities" section for iOS is different from the one on the website. Is this a problem? Why does Xcode automatically send a different ID when signing?