Hello. I have an enterprise application that requires specific privileges to execute correctly on MacOS. One of these privileges is SystemPolicyAllFiles (aka Full Disk Access), as we use the endpoint security framework. When we distribute our application, we generate: A signed, notarized pkg consisting of our application binaries. An MDM-compatible .mobileconfig, which contains the SystemPolicyAllFiles setting. We expect our users to install both to get the application to function correctly. However, we have three environments we deploy to: Internal (local development on a developer's workstation), "development" (where features are integrated prior to release) and "production" (what our customers get). For local, our developers create an Apple account and use a Mac Development certificate for signing. They also generate their own embedded.provisionprofile and drop that into their local installation config. For development/production, we use our Developer ID certificate and Developer Installer certificate, with an endpoint security embedded.provisionprofile bound to those. However, when we generate a .mobileconfig, we need to include a CodeRequirement (CR) for SystemPolicyAllFiles. I've been retrieving this using codesign -dr - ... (i.e., the designated requirement aka DR). However, the designated requirement is very specific to the certificate, which is problematic specifically for local development, where each developer has their own Mac Development certificate. Here's what the relevant section of our generated mobileconfig looks like right now: <dict> <key>SystemPolicyAllFiles</key> <array> <dict> <key>Allowed</key> <true/> <key>CodeRequirement</key> <string>identifier "com.example.app and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = <TEAMID></string> <key>Comment</key> <string>app</string> <key>Identifier</key> <string>com.exmple.app</string> <key>IdentifierType</key> <string>bundleID</string> <key>StaticCode</key> <false/> </dict> </array> </dict> That's in a format that works for our Developer ID cert, but the DR for the Mac Development certificate looks like: identifier "com.example.app" and anchor apple generic and certificate leaf[subject.CN] = "Mac Developer: John Doe (12ABC34567)" and certificate 1[field.1.2.840.113635.100.6.2.1] /* exists */ Question: Is it possible to relax the code requirement so that it is generic enough to cover all Mac Developer certificates and Developer ID certificates we use? If not, is there a way to have one code requirement for our Mac Developer certificates and a separate CR for our Developer ID certificate? My use case is deploying a static "local" .mobileconfig using our internal company MDM (Apple Business Essentials) to all developer workstations so we don't have to have each developer manually configure their system for the software to run. Thanks! D

Hello everyone, I’m currently developing an Electron application, and I’m trying to properly sign and notarize it for macOS. The notarization process itself seems to complete successfully—the file is accepted without issues. However, when I attempt to staple the notarization ticket to the executable, I consistently get Error 65 with TheStableAndValidateActionFailed. The issue is puzzling because the executable does not change at any point during the process. After facing this issue multiple times in my own project, I decided to test it on a more controlled setup. I followed the steps from this https://www.youtube.com/watch?v=hYBLfjT57hU and the instructions from this macos-code-signing-example which have previously worked for others. Yet, even with this setup, I still get the same Error 65. Below, I have attached the verbose logs for reference. I’m trying to understand what could be causing this issue—whether it’s related to certificates, the signing process, or something else entirely. Has anyone encountered a similar problem, and if so, how did you resolve it? Any insights would be greatly appreciated!

Is it possible to have some additional content at Versions/A/ in a macOS Framework bundle that is not in any of the standard folders? Will there be any side-effects during signing and notarization? The reason is it'd be a lot easier in my use case to be able to put content here instead of the Resources folder.

Product: macOS, Notarization Tool: notarytool, Stapler Tool: xcrun stapler, Application: master-billing.app, DMG: master-billing.dmg I'm attempting to notarize and staple a macOS .dmg file containing a signed .app. Notarization completes successfully, but the stapling step fails with Error 65. All tools are up-to-date and I'm following the official Apple process. #!/bin/bash set -e APP="dist/mac-arm64/master-billing.app" DMG="dist/mac-arm64/master-billing.dmg" IDENTITY="Developer ID Application: NAME (TEAM ID)" PROFILE="notarysiva" VOLUME_NAME="MasterBilling" Sign binaries and frameworks find "$APP" -type f ( -name ".dylib" -or -name ".so" -or -name "*.node" -or -perm -u+x ) -exec codesign --force --options runtime --timestamp --sign "$IDENTITY" {} ; find "$APP" -type d ( -name ".app" -or -name ".framework" ) -exec codesign --force --options runtime --timestamp --sign "$IDENTITY" {} ; codesign --deep --force --options runtime --timestamp --sign "$IDENTITY" "$APP" Create DMG hdiutil create -volname "$VOLUME_NAME" -srcfolder "$APP" -ov -format UDZO "$DMG" Sign DMG codesign --sign "$IDENTITY" --timestamp "$DMG" Verify DMG signature codesign --verify --verbose=2 "$DMG" Submit for notarization xcrun notarytool submit "$DMG" --keychain-profile "$PROFILE" --wait Staple ticket xcrun stapler staple -v "$DMG" Signing all binaries, dylibs, and frameworks... . . ✅ App signing complete. 💽 Creating DMG... ...................................................................................... created: /Users/one/Documents/MASTER/bill-master/dist/mac-arm64/master-billing.dmg 🔏 Signing the DMG... ✅ Verifying DMG signature... dist/mac-arm64/master-billing.dmg: valid on disk dist/mac-arm64/master-billing.dmg: satisfies its Designated Requirement 📤 Submitting DMG for notarization... Conducting pre-submission checks for master-billing.dmg and initiating connection to the Apple notary service... Submission ID received id: 32927c3c-7459-42b4-a90c Upload progress: 100.00% (123 MB of 123 MB) Successfully uploaded file id: 32927c3c-7459-42b4-a90c path: /Users/one/Documents/MASTER/bill-master/dist/mac-arm64/master-billing.dmg Waiting for processing to complete. Current status: Accepted............ Processing complete id: 32927c3c-7459-42b4-a90c status: Accepted 📌 Stapling notarization ticket to DMG... Processing: /Users/one/Documents/MASTER/bill-master/dist/mac-arm64/master-billing.dmg . . . Downloaded ticket has been stored at file:///var/folders/1l/ht34h5y11mv3rhv8dlxy_g4c0000gp/T/5bb9e667-dfe1-4390-8354-56ced7f48fa0.ticket. Could not validate ticket for /Users/one/Documents/MASTER/bill-master/dist/mac-arm64/master-billing.dmg The staple and validate action failed! Error 65.

This is a continuation of my own old post that became inactive to regain traction. I am trying to resolve issues that arise when distributing a macOS app with a SysExt Network Extension (Packet Tunnel) outside the App Store using a Developer ID Certificate. To directly distribute the app, I start with exporting the .app via Archive in Xcode. After that, I create a new Developer ID provisioning profile for both the app and sysext and replace the embedded ones in the .app package. After I have replaced the provisioning profiles and the have the entitlements files ready, I start signing the frameworks, sysext and parent app. codesign --force --options runtime --timestamp --sign "Developer ID Application: <name>"<app>.app/Contents/Library/SystemExtensions/<sysext>.systemextension/Contents/Frameworks/<fw>.framework/Versions/A/<fw> codesign --force --options runtime --timestamp --sign "Developer ID Application: <name>" <app>.app/Contents/Frameworks/<fw>.framework/ codesign --force --options runtime --entitlements dist-vpn.entitlements --timestamp --sign "Developer ID Application: <name>" <app>.app/Contents/Library/SystemExtensions/<sysext>.systemextension/Contents/MacOS/<sysext> codesign --force --options runtime --entitlements dist.entitlements --timestamp --sign "Developer ID Application: <name>" <app>.app After validation is successful with codesign --verify --deep --strict --verbose=4 <app>.app I zip the package, notarize and staple it ditto -c -k --keepParent "<app>.app" "<app>..zip" xcrun notarytool submit <app>.zip --keychain-profile “”<credents> --wait xcrun stapler staple <app>.app After that I finish creating signed and notarized .dmg/.pkg. hdiutil create -volname “<app>” -srcfolder “<app>.app/" -ov -format UDZO ./<app>.dmg codesign --force --sign "Developer ID Application: <name>" <app>.dmg xcrun notarytool submit <app>.dmg --keychain-profile "<credentials>" --wait xcrun stapler staple <app>.dmg Then when I move the .dmg to a clean system, open the .dmg, move the .app to the Applications folder, the attempt to run it fails with “The application “” can’t be opened.”. When I look into the console, the gatekeeper disallows the launch job with the message:
 86127 debug ProvisioningProfiles taskgated-helper ConfigurationProfiles entitlements: { "com.apple.developer.networking.networkextension" = ( "packet-tunnel-provider-systemextension" ); "com.apple.developer.system-extension.install" = 1; "com.apple.developer.team-identifier" = <teamid>; "keychain-access-groups" = ( “<teamid>.<app>.AppGroup" ); } com.apple.ManagedClient
<app>: Unsatisfied entitlements: com.apple.developer.networking.networkextension, keychain-access-groups, com.apple.developer.system-extension.install, com.apple.developer.team-identifier LAUNCH: Runningboard launch of <app> <private> returned RBSRequestErrorFailed, error Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." UserInfo={NSLocalizedFailureReason=Launch failed., NSUnderlyingError=0x600001a25830 {Error Domain=NSPOSIXErrorDomain Code=153 "Unknown error: 153" UserInfo={NSLocalizedDescription=Launchd job spawn failed}}}, so returning -10810

 I went through all possible formats (macOS-Style and iOS-Style App Group IDs) and combinations of appgroups according to the post “App Groups: macOS vs iOS: Working Towards Harmony”. But none of those work for me. The weird part is that when I try the same steps on different developer account, I am able to get the app running. What can be wrong?

I started the notarization process for my electron app (just a browser window loading a URL) yesterday (26/03/2025) at around 05:23 GMT. I noticed in a couple of posts here in the forum that it may sometimes take a day to notarize the first app submitted by a team, but it has been over 30 hours since I submitted the app for notarization Here's the log. createdDate: 2025-03-26T05:23:11.102Z id: ddcb3fca-4667-4acb-8fd1-3298a7c244cc name: xolock-browser.zip status: In Progress Is there any reason why it is taking so long? Thanks in advance!

Dear Apple Support, for better understanding to use the Notary Service, I would like to ask when and what have to be notarized. I am absolutely aware of using the Notary Service and which packages can be submitted and how to get the status. Scenario: We have one library which is developed by a specific team and other teams develop and deliver to customer MacOS apps which packages this library for the shipment. So, the library will be produced internally and will be shipped in different products. The library will be code signed before we make available internally. When should we notarize (and staple) this library? Directly after the code is signed or when it will be packaged in each product when it will be delivered to customer? Best regards, Stefan

Dear Apple support, Since the last couple of days, we have some (very) long running notarization requests. Similar requests were done normally under 1 minute. This behavior is unexpected to us, and we did not see it before. The issue occurs for a small CLI tool submitted as a ZIP archive. Checking the documentation, I come across the section about "Avoid long notarization response times and size limits" (https://developer.apple.com/documentation/security/customizing-the-notarization-workflow#Avoid-long-notarization-response-times-and-size-limits). One fact is mentioned “Limit notarizations to 75 per day.” What is behavior if that limitation is reached? Is that limitation per Apple ID or per team ID? Are there some known issues about Notarization Service? Best regards, Stefan

I'm working on a system extension leveraging endpoint security entitlement. However, while in development, is there a way to continue working and testing locally without having the endpoint security entitlement approved or needing the extension signed. I got these errors running a build: Provisioning profile "Mac Team Provisioning Profile: "com.xxxxx.extension" doesn't include the com.apple.developer.endpoint-security.client entitlement.

Hi all, I’ve run into a signing/entitlements problem that shows up only on Big Sur (11.x). The very same .app launches perfectly on Monterey (12), Ventura (13), Sonoma (14 / 14.5) and Sequoia (15). Failure on macOS 11 com.apple.xpc.launchd[1] (application.app.myapp.exams.566312.566318[1602]): removing service since it exited with consistent failure – OS_REASON_CODESIGNING | When validating …/MyAppNameBlurred 3.13.1.app/Contents/MacOS/MyAppNameBlurred 3.13.1: Code has restricted entitlements, but the validation of its code signature failed. Unsatisfied Entitlements: Binary is improperly signed. Launching from Terminal: open -a "/Users/admin/Downloads/MyAppNameBlurred 3.13.1.app" kLSNoLaunchPermissionErr (-10826) | Launchd job spawn failed with error: 153 What I’ve already checked # signature itself codesign -dvvv "/Users/admin/Downloads/MyAppNameBlurred 3.13.1.app" # => valid, Authority = Developer ID Application, runtime enabled # full deep/strict verification codesign --verify --deep --strict -vvv "/Users/admin/Downloads/MyAppNameBlurred 3.13.1.app" # => “satisfies its Designated Requirement” # Gatekeeper assessment spctl --assess --type execute --verbose=4 "/Users/admin/Downloads/MyAppNameBlurred 3.13.1.app" # => accepted (override security disabled) # embedded provisioning profile matches bundle ID codesign -d --entitlements :- "/Users/admin/Downloads/MyAppNameBlurred 3.13.1.app" | plutil -p - security cms -D -i "/Users/admin/Downloads/MyAppNameBlurred 3.13.1.app/Contents/embedded.provisionprofile" \ | plutil -extract Entitlements xml1 -o - # => both show the AAC entitlement and everything looks in order # notarization ticket stapler validate "/Users/admin/Downloads/MyAppNameBlurred 3.13.1.app" # => “The validate action worked!” Deployment target: MACOSX_DEPLOYMENT_TARGET = 11.0 Entitlement added: com.apple.developer.automatic-assessment-configuration = true Provisioning profile: generated this year via Developer ID, includes the assessment entitlement and nothing else unusual. Runtime code: we call AEAssessmentSession's network configuration part only on 12 + (guarded with @available(macOS 12.0, *)). Has anyone hit this mismatch on 11.x? Could Big Sur be expecting something older or idk? Any pointers appreciated! Thanks!

我没有勾选entitlements 中的” com.apple.security.network.server“和” com.apple.security.device.usb“，但是确实在打包时又自动出现在包里，我现在无法解决这个问题，我需要帮助，谢谢 我的.entitlements 文件如下： 排查命令： codesign -d --entitlements :- ./Device\ Guard.app Executable=/Users/zhanghai/Library/Developer/Xcode/DerivedData/MacGuardApp-fvfnspyxcojxojdfclyohrnupgsh/Build/Products/Debug/Device Guard.app/Contents/MacOS/Device Guard warning: Specifying ':' in the path is deprecated and will not work in a future release

I am developing a macOS app that requires the Associated Domains entitlement. The app will be distributed as a custom app. The app needs to be signed using Team A’s Developer ID Application certificate and packaged under Team A’s Team ID. Team A has a secure signing and packaging setup, but they do not provide access to their Developer ID Application Identity (cert) or their provisioning profile. I am part of Team B and have access to Team B’s Developer ID Application identity and provisioning profiles. I am thinking of doing the following: I create a provisioning profile under Team B that authorizes the Associated Domains entitlement. I sign the app using Team B’s Developer ID Application identity, ensuring the required entitlements are included. Then, I re-sign the app using Team A’s Developer ID Application identity, since Team A has also set up the same bundle ID with the Associated Domains entitlement and corresponding provisioning profile. Questions: Is this approach correct & does it have any drawback? Will the double signing process work without issues, given that Team A has the required provisioning profile for the same bundle ID? Are there better ways to handle this situation where signing must be done under Team A but access is limited? Thanks!

I am trying to distribute my Unity app to test flight. Build works on iPhone locally, archiving also works but when I start distribution to test flight I get this Error codesign command failed (/var/folders/gn/ql1bht8j2z7b18b3xtt0j7rr0000gn/T/XcodeDistPipeline.~~~2gmyFJ/Root/Payload/TondoJigsaw2.app/Frameworks/UnityFramework.framework: replacing existing signature /var/folders/gn/ql1bht8j2z7b18b3xtt0j7rr0000gn/T/XcodeDistPipeline.~~~2gmyFJ/Root/Payload/TondoJigsaw2.app/Frameworks/UnityFramework.framework: invalid or corrupted code requirement(s) Requirement syntax error(s): line 1:152: unexpected token: sQuaricon ) I am not sure what is the problem Team name is: “sQuaricon” Name Surname s.p. Bundle ID is: com.Squaricon.TondoJigsaw2 When I change bundle ID to com.testasd.TondoJigsaw2 (I do this in Xcode before archiving) that error disappears and I reach the part where I have to pick language. Even though this is not the solution, I think it is interesting, it implies issue might be with Bundle ID but this bundle ID is correct. I am using "automatically manage signing", I did not create any provisioning profile or certificate manually.

Hi the best community! When I try to submit the app to Testflight I receive the following error: "codesign command failed (/var/folders/j9/yh_rkh114rbgvmglf4gycj8w0000gn/T/XcodeDistPipeline.~~~OW0Dwk/Root/Payload/Application.app/Frameworks/Alamofire.framework: replacing existing signature /var/folders/j9/yh_rkh114rbgvmglf4gycj8w0000gn/T/XcodeDistPipeline.~~~OW0Dwk/Root/Payload/Application.app/Frameworks/Alamofire.framework: invalid or corrupted code requirement(s) Requirement syntax error(s): line 1:155: unexpected token: NPH )" I have never stuck with this issue before. Xcode Version 16.0 I assume that there is something related to code signing and our company name in App Store connect: Medical Institution “NPH” (The company name has been anonymized for privacy purposes.) Appreciate any help. Thank you!

Yesterday there were reported outages on the Developer ID Notary Service, but it was reported pretty late and we were able to notice the outages in real time. It says resolved now, however an error still persists: Error: HTTP status code: 403. A required agreement is missing or has expired. This request requires an in-effect agreement that has not been signed or has expired. Ensure your team has signed the necessary legal agreements and that they are not expired. Is there an ongoing outage at this moment that is not being reported again? Our pipelines have been working flawlessly for months without intervention nor changes until the most recent outages

Hello, In our Account we have an iOS app with an explicit identifier "ABC123.com.some.app" that is using non-team prefix which is DEF456. It has also explicit identifiers for Widgets bundle and Notification Service. Due to non-team prefix, it can't access e.g. shared keychain and data put there by our other apps. Since we are working on features that require these capabilities, we would like to update the app identifier, so it is prefixed with our team id DEF456. Initially, we thought that the process would require steps like: Create new app, team-prefixed identifier(s) for app and all things that need them Recreate the provisioning profiles with new App Identifier Roll out the app using with new profiles via App Store but when trying to create the new identifier with com.some.app and team id prefix DEF456 we are getting following error: An App ID with Identifier com.some.app is not available. Please enter a different string. Can anybody advise us how to correctly perform such change and what steps are required from our end? We would like to keep our existing App Store entry, ratings and smoothly switch users. We are aware that this kind of migration results in loss of Keychain access. Thanks for any advice on that!

So I just updated Xcode to 16.3 and updated a project to its recommended build settings which includes "Register App Groups". So I have an outside Mac App Store app that uses app groups. Here we have an action extension. I can't debug it, can't get it to run. Nothing useful in Xcode is displayed when I try... but it looks like a code signing issue when I run and have Console open. So I try to make a provisioning profile manually and set it...didn't work. I noticed now though in signing & capabilities the group id is in red...like it's invalid, or something? This was a "macOS styled" group without the "group." prefix. So am I supposed to switch it to have the group. prefix? It makes the red text go away (no warnings or anything about app groups here, just red text). So if I change it to group. prefix..does that make an entire new container?What happens on app update for installs that don't have group. prefix? Does the system transparently migrate the group? Or Am I supposed to migrate the entire group container to the identifier with group. prefix? Also how does this affect running on older version of macOS? If I go with the "group." prefix to make the red text go away,.. what happens on macOS 11.0? Got a little more than I bargained for here after midnight.

Hi, We have an app that is a default mail client, so it has this entry in its entitlements file: com.apple.developer.mail-client. This seems to create issues with ad-hoc distribution. We can distribute the app on App Store Connect without any issues and have been doing so for a while. We wanted to try using Xcode Cloud to manage our releases. The app export works fine for both App Store Distribution and Development Distribution. However, the ad-hoc distribution step fails. (We don't need ad-hoc distribution, but Xcode Cloud seems to prevent us from removing this step.) I tried building and releasing the app locally for ad-hoc distribution and encountered the same error as on Xcode Cloud. When Xcode tries to generate the profile, it outputs the following error: Provisioning profile "iOS Team Ad Hoc Provisioning Profile: com.infomaniak.mail" failed qualification checks: Profile doesn't support Default Mail App. Profile doesn't include the com.apple.developer.mail-client entitlement. Is it something broken with our config ? What are we missing ? Local error in Xcode Organizer: Remote error on Xcode cloud:

I'm trying to get an app notarized, which fails with this error: The signature of the binary is invalid. However, locally checking the signature does succeed: $ codesign -vvv --deep --strict TheApp.app […] TheApp.app: valid on disk TheApp.app: satisfies its Designated Requirement Performing this check on every single item in the app's MacOS folder also succeeds. Context: embedded prebuilt binaries Now, the app has something unusual about it: it embeds prebuilt binaries, arranged in various nested folders. So, the app bundle's MacOS folder actually contains another folder with a whole tree of executables and libraries: Removing these (before building) does fix the notarization issue, but obviously I'd like to keep them in. I did my best to properly sign these items: At build time, they're copied into the product by a Copy Files phase (but not signed), then signed by a script phase That signing uses the same signing identity as the running Xcode build, and enables the hardened runtime The app builds and runs correctly, even as a release build The app has runtime hardening and app sandbox enabled How should I go about diagnosing the notarization issue?

In an expo managed project which utilizes custom expo plugins, we're having trouble getting the keychain-access-groups entitlement inserted to our provisioningprofile for signing. The provisioning profile we download from apple dev portal contains: <key>keychain-access-groups</key> <array> <string>56APMZ7FZY.*</string> <string>com.apple.token</string> </array> and this is not recognized by xcode for signing; an error is thrown: Provisioning profile "ccpp" doesn't include the com.apple.developer.keychain-access-groups entitlement. A matching error is thrown during EAS build. So we need to find a way to modify the ccpp.mobileprovision locally and then sign the build using the modified ccpp.mobileprovision. Or, we need guidance on the proper way to resolve this situation. Questions: why does the downloaded mobileprovision file have the keychain-access-groups key, and not com.apple.developer.keychain-access-groups? Both Xcode and EAS appear to demand the latter keyname. when I use expo prebuild, I am able to see the following in the .entitlements file: <key>com.apple.developer.keychain-access-groups</key> <array> <string>$(AppIdentifierPrefix)com.myapp</string> </array> I am adding this entitlement using a custom expo plugin. However, the mobileprovision file downloaded from apple developer portal has no knowledge of this setting which is only applied through expo prebuild. So what I am left with at the end is an entitlements file generated by my expo prebuild which has the correct setting, and a provisioningprofile downloaded from dev portal with an incorrect setting, and I don't know how to mend the downloaded provisioningprofile (incorrect setting) with my local entitlements file (correct setting).