You can now easily request access to managed capabilities for your App IDs directly from the new Capability Requests tab in Certificates, Identifiers & Profiles > Identifiers. With this update, view available capabilities in one convenient location, check the status of your requested capabilities, and see any notes from Apple related to your requests. Learn more about capability requests.
Demystify code signing and its importance in app development. Get help troubleshooting code signing issues and ensure your app is properly signed for distribution.
General:
Forums topic: Code Signing
Forums subtopics: Code Signing > General, Code Signing > Certificates, Identifiers & Profiles, Code Signing > Notarization, Code Signing > Entitlements
Forums tags: Code Signing, Signing Certificates, Provisioning Profiles, Entitlements
Developer Account Help — This document is good in general but, in particular, the Reference section is chock-full of useful information, including the names and purposes of all certificate types issued by Apple Developer web site, tables of which capabilities are supported by which distribution models on iOS and macOS, and information on how to use managed capabilities.
Developer > Support > Certificates covers some important policy issues
Bundle Resources > Entitlements documentation
TN3125 Inside Code Signing: Provisioning Profiles — This includes links to the other technotes in the Inside Code Signing series.
WWDC 2021 Session 10204 Distribute apps in Xcode with cloud signing
Certificate Signing Requests Explained forums post
--deep Considered Harmful forums post
Don’t Run App Store Distribution-Signed Code forums post
Resolving errSecInternalComponent errors during code signing forums post
Finding a Capability’s Distribution Restrictions forums post
Signing code with a hardware-based code-signing identity forums post
New Capabilities Request Tab in Certificates, Identifiers & Profiles forums post
Isolating Code Signing Problems from Build Problems forums post
Investigating Third-Party IDE Code-Signing Problems forums post
Determining if an entitlement is real forums post
Code Signing Identifiers Explained forums post
Mac code signing:
Forums tag: Developer ID
Creating distribution-signed code for macOS documentation
Packaging Mac software for distribution documentation
Placing Content in a Bundle documentation
Embedding nonstandard code structures in a bundle documentation
Embedding a command-line tool in a sandboxed app documentation
Signing a daemon with a restricted entitlement documentation
Defining launch environment and library constraints documentation
WWDC 2023 Session 10266 Protect your Mac app with environment constraints
TN2206 macOS Code Signing In Depth archived technote — This doc has mostly been replaced by the other resources linked to here but it still contains a few unique tidbits and it’s a great historical reference.
Manual Code Signing Example forums post
The Care and Feeding of Developer ID forums post
TestFlight, Provisioning Profiles, and the Mac App Store forums post
For problems with notarisation, see Notarisation Resources. For problems with the trusted execution system, including Gatekeeper, see Trusted Execution Resources.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
Topic: Code Signing
SubTopic: General
Tags: Entitlements, Provisioning Profiles, Signing Certificates, Code Signing
Hi,
we are sending macOS apps packaged in a ZIP archive or DMG disk image to the Notary Service.
Before we send the app for notarization, we check the code signature via command
codesign -vvv --deep --strict /path/to/app_or_bundle
The result is positive and it does not provide any gaps.
(And yes, we are following the inside out code signing approach, mentioned at Using the codesign Tool's --deep Option Correctly)
Unfortunately, the result of the Notary service provided that one file has no signature, which was not detected by the signature verification command.
The path of the binary was in
<app_name>.app.zip/<app_name>.app/Contents/Resources/inst/<binary>
How can I verify on our side the way the Notary service does it?
Best regards,
Stefan
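A check along the lines this post asks for, as an added example that is not part of the original post and is not Apple's tooling: it walks the extracted .app, finds every Mach-O file by its header bytes wherever it sits (including under Contents/Resources), and runs codesign on each file individually. It assumes the notary service inspects each Mach-O file regardless of its location in the bundle; the function names are hypothetical.

```python
import os
import subprocess
import sys

# First four bytes of thin Mach-O files (both byte orders, 32- and 64-bit).
THIN_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
               b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe"}
# Universal ("fat") binaries share 0xCAFEBABE with Java class files.
FAT_MAGICS = {b"\xca\xfe\xba\xbe", b"\xca\xfe\xba\xbf"}


def is_macho(path):
    """Return True if the file starts with a Mach-O or universal-binary header."""
    try:
        with open(path, "rb") as f:
            head = f.read(8)
    except OSError:
        return False
    if head[:4] in THIN_MAGICS:
        return True
    if head[:4] in FAT_MAGICS and len(head) == 8:
        # Heuristic: a fat header stores a small architecture count here, while
        # a Java class file stores its version (major >= 45) in the same bytes.
        return 0 < int.from_bytes(head[4:8], "big") < 45
    return False


def find_macho(root):
    """List every regular, non-symlink Mach-O file under root, wherever it sits."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path) and is_macho(path):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def verify_each(root):
    """Run codesign on each Mach-O file individually; return the failures."""
    failures = []
    for rel in find_macho(root):
        result = subprocess.run(
            ["codesign", "--verify", "--strict", os.path.join(root, rel)],
            capture_output=True, text=True)
        if result.returncode != 0:
            failures.append((rel, result.stderr.strip()))
    return failures


if __name__ == "__main__":
    # Usage (on macOS): python3 check_macho.py /path/to/Extracted.app
    bad = verify_each(sys.argv[1])
    for rel, reason in bad:
        print(f"{rel}: {reason}")
    sys.exit(1 if bad else 0)
```

Run it against the unpacked contents of the ZIP or DMG that will be submitted, so the files checked are the ones the service receives.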
In Xcode, under Signing & Capabilities (Release) for our bundle ID
the selected provisioning profile does include the entitlement:
com.apple.developer.payment-pass-provisioning
However, when we upload a new build to TestFlight, the Build Metadata →
Entitlements section for the same bundle ID does not include
com.apple.developer.payment-pass-provisioning.
Because of this, PKAddPaymentPassViewController does not open in TestFlight
builds.
This suggests that while the entitlement is enabled for the App ID and
visible in Xcode, it may not yet be propagated to App Store Connect’s
signing service for TestFlight/App Store builds.
Please Note: The Wallet Entitlements team had confirmed
that they had granted entitlements for our team and the Apple IDs.
Xcode : 26.0.1
Profile being used: Distribution Profile
Topic: Code Signing
SubTopic: Entitlements
Tags: Wallet, Entitlements, Provisioning Profiles, TestFlight
I’m trying to notarize an Electron app for distribution outside the Mac App Store, but every submission is rejected with error 7000.
Team Details:
Team ID: P3HATASMP9
Organization: Rose Ai Labs, Inc.
Role: Account Holder
Apple Developer Program: Active membership
Certificate:
Type: Developer ID Application
Identity: “Developer ID Application: Rose Ai Labs, Inc. (P3HATASMP9)”
Status: Valid in Keychain Access with full certificate chain
App Details:
Platform: macOS (Electron)
Hardened runtime: Enabled
Code signing: Successful (codesign -v passes)
Submission History (all rejected with same error):
Error from notarytool log:
status: Rejected
statusCode: 7000
statusSummary: Team is not yet configured for notarization. Please contact Developer Programs Support at developer.apple.com under the topic Development and Technical / Other Development or Technical Questions.
What I’ve verified:
Developer ID certificate is valid and trusted
Apple Worldwide Developer Relations Certification Authority chain is complete
App is properly code-signed with hardened runtime
Using notarytool with valid credentials (submission uploads successfully)
Account Holder role with full permissions
Existing support case: 102808512705
I’ve had this issue for over a week with no resolution. The error message says “Team is not yet configured for notarization” which suggests something needs to be enabled on Apple’s side. Has anyone encountered this and found a resolution?
I’m working on an iOS VPN app and looking into using NETunnelProvider (Packet Tunnel) for the VPN implementation.
From the documentation it seems that Packet Tunnel is required for VPN protocols like OpenVPN, but the Packet Tunnel capability doesn’t appear to be available by default.
Does using NETunnelProvider / Packet Tunnel require a special entitlement to be enabled by Apple for App Store apps?
If so, what is the general process for requesting or enabling that entitlement?
I am creating an app on "appmysite". While it runs its build test, an error message pops up saying build failed: "it seems your app build has encountered an issue. the certificate used to generate the uploaded provisioning profile does not match the uploaded certificate." I understand why it's saying it, because the uploaded certificate had to be uploaded as ".p12". The certificate in the provisioning profile is made of ".cert". I am using an Apple MacBook and a xenovo Windows computer. I'm simply trying to figure out how to put the ".p12" certificate into the provisioning profile. Whenever I go to my developer account and try to create a new provisioning account with the new ".p12" certificate, the only options that pop up for me to select are the certificates that are in ".cert" form. I've tried exporting through "key access" and they show up in my files, but there is no way to transfer them to my developer account to combine with a provisioning account. Any help is greatly appreciated; this is literally the only thing keeping my app from being ready for submission to review. I've been stuck on this for 3 days.
I have been trying to package a FileMaker 18 runtime app* for Mac distribution for - oh - a year and a half on and off (the Windows version was packaged in an afternoon).
I succeeded - or thought I had - until I updated to Tahoe.
Now my packaging process does everything it did formerly (creates the DMG, etc.), but when opened, fails to see/load a third-party plugin (BaseElements.fmplugin).
Does anyone know why this should be?
I have attached 4 of my build files in the hope that someone can point me in the right direction.
Thanks in advance for any advice you may provide.
Regards,
L
*Claris deprecated the runtime feature years ago, but it still runs and is useful for proof of concept.
P.S. A contributor to an earlier query kindly suggested I go down the zip file or pkg installer route, rather than the DMG route. I tried doing as much but found both as susceptible to Mac spaghetti signage.
build_all.txt
repair_and_sign.txt
build_dmg.txt
notarize_dmg.txt
I've signed an app, zipped it, and uploaded it to GitHub. When I download it on another Mac, I get "it can't be opened because it could not be verified for malware".
But on that computer, I can verify it with codesign, and it appears to be correct (as far as I can tell).
I can copy/paste the app from my other Mac, and that copy will run without problem.
sys_policy, however, gives:
Notary Ticket Missing
File: ReView.app
Severity: Fatal
Full Error: A Notarization ticket is not stapled to this application.
Type: Distribution Error
This is the same for the copy that runs, and the copy that doesn't.
The difference between them appears to be a quarantine xattr. I can delete this, and the app launches without incident.
Is this expected? Why should a signed app be quarantined just because it's been downloaded?
The whole point of paying the fee is to avoid the security obstacles...! ;-)
Hi,
I read that notarization should be fairly quick. I thought that it was stuck, so I ended up sending a few submissions of the same app. I was wondering if you'd be able to tell me the status of my latest submission (id: a094f93d-8bb2-47fe-a411-b6e357456ec7). It has been saying "In Progress" for over 3 hours now. If it is held for in-depth review, would you be able to tell me what the wait period is like?
Thanks!
So we are building a Tauri app and I have not been able to get our App to be Notarized using Developer ID.
We have a ticket open for 3 months now. Can anyone help me out here?
{
  "logFormatVersion": 1,
  "jobId": "e2ec4d13-bb83-41d4-a497-ba80cf830af1",
  "status": "Rejected",
  "statusSummary": "Team is not yet configured for notarization. Please contact Developer Programs Support at developer.apple.com under the topic Development and Technical / Other Development or Technical Questions.",
  "statusCode": 7000,
  "archiveFilename": "HIDDEN",
  "uploadDate": "2026-01-23T16:13:37.589Z",
  "sha256": "fd52815d5edf14b66b25529e89c207b2acff2c41642261e1049a479f19f2b72f",
  "ticketContents": null,
  "issues": null
}
How do we escalate to engineering team?
Sincerely,
Nash Gadre
https://camouflagenetworks.com
Topic: Code Signing
SubTopic: Notarization
Hello, We are currently using Apple Notarization (notarytool) for distributing a macOS app, and we are experiencing very long notarization times for large app bundles.
[Issue]
For apps with large binary sizes, notarization consistently takes around 3.5 to 4.5 hours from submission to completion.
This delay is causing practical issues in our release pipeline, especially when:
A hotfix or urgent update is required
Multiple builds must be notarized in a short time
CI/CD-based distribution is expected to complete within a predictable timeframe
[Environment]
Platform: macOS
Notarization method: notarytool
Distribution: Outside Mac App Store
App size: 100 GB~ (compressed ZIP)
Signing: Hardened Runtime enabled, codesigned correctly
Submission status: Successfully accepted, but processing time is very long
[What we have confirmed]
The notarization eventually succeeds (no failures)
Re-submitting the same build shows similar processing times
Network upload itself completes normally; the delay is in Apple-side processing
Smaller apps complete notarization much faster
[Questions]
Is a 3–4+ hour notarization time expected behavior for large macOS apps?
Are there recommended best practices to reduce notarization processing time for large binaries?
For example, splitting components, adjusting packaging, or specific signing strategies
Is there any official guidance or limitation regarding notarization queueing or processing based on app size?
Are there known service-side delays or regional differences that could affect processing time?
Any insight or confirmation would be greatly appreciated, as this directly impacts our production release workflow.
Thank you.
id: a6f37169-19a7-4abc-b086-3f298866f65d
id: 596e3ca4-e8a6-4ba9-9ac7-cf07a430eebb
In Progress from 2026-01-21T05:56:24.160Z, 2026-01-21T05:55:45.032Z
for 30 hours
Topic: Code Signing
SubTopic: Notarization
I'm trying to notarize an application for the first time & it's stuck for more than 24 hours now. I ended up submitting the same app more than 5 times, but all are stuck in waiting state.
There is no visibility into what's happening & whenever I check the status it just shows as "In Progress".
How can I expedite this process?
These have been stuck in progress for a long time. Usually this process is fairly quick for this app:
id: 92caae7f-1796-4928-bb35-72f5f2667786
id: 3645e93f-a8ac-4826-8a4a-690f980dde8e
id: 3645e93f-a8ac-4826-8a4a-690f980dde8e
What can be done, it is holding back deployments :(
Topic: Code Signing
SubTopic: Notarization
Hi,
I am using a carrier account and have been able to use com.apple.CommCenter.fine-grained entitlement successfully for the past few years.
Currently I am trying to use this entitlement in an app clip,
but receiving the following error:
Validation failed (409) Invalid entitlement. App clip 'xyz.app/AppClips/appClip.app' contains a code signing entitlement 'com.apple.coretelephony.SimAuthentication.allow' that is not supported. Remove the 'com.apple.coretelephony.SimAuthentication.allow' entitlement. (ID: 87f67652-0e22-441d-b7ec-ea4baacab39e)
NSUnderlyingError : Validation failed (-19241) Invalid entitlement. App clip 'xyz.app/AppClips/appClip.app' contains a code signing entitlement 'com.apple.coretelephony.SimAuthentication.allow' that is not supported. Remove the 'com.apple.coretelephony.SimAuthentication.allow' entitlement.
status : 409
Is it possible to use com.apple.CommCenter.fine-grained entitlement in an app clip? If so, do you have any suggestion how to resolve this error?
Topic: Code Signing
SubTopic: Certificates, Identifiers & Profiles
Tags: Watch Connectivity, SCSIControllerDriverKit
Dears, this is my first ever piece of code on Mac. I wanted to try ShazamKit. I created App Id and enabled App Service ShazamKit. I properly configured my app (a very small test app) with the proper bundle id, Team and entitlements file. I keep receiving this error in the Signing in section:
Automatic signing failed
Xcode failed to provision this target. Please address the following issues preventing automatic signing from creating a valid profile.
Entitlement com.apple.developer.shazamkit not found and could not be included in profile. This likely is not a valid entitlement and should be removed from your entitlements file
I noticed the message is mentioning "profile"...does it refer to a "Profile" as in "Certificate"/"Identifiers"/"Devices"/"Profiles"/"Keys"/"Services" option? I did not create any "Profile". I just enabled the App Service under "Certificates, Identifiers & Profiles"=>"Identifiers"=>"Edit your App ID Configuration"=>"App Services"
Thx!
Topic: Code Signing
SubTopic: Certificates, Identifiers & Profiles
Multiple notarization submissions have been stuck at
"In Progress" status for over 2 days with no resolution
or error:
4996643b-4512-4025-9648-028fbafca82f - submitted Jan 18
b6db6cd0-dad7-4a8e-b1fc-379467c1086d - submitted Jan 17
88f269c1-56ea-4404-98ba-edbe9a05b3d2 - submitted Jan 19
No logs available (notarytool log returns "not yet available"). The submissions were uploaded successfully and received submission IDs.
Is there a known issue with the notarization service?
Topic: Code Signing
SubTopic: Notarization
Hello!
I need help with the following issue.
I can't create a provisioning profile.
The following error message appears:
The following devices are either already present and have not been modified, or they contain invalid identifiers.
I'm a beginner and have been struggling with this issue for a month and a half.
Any help would be appreciated.
We have a command line script that runs xcodebuild to make an archive, then runs xcodebuild again to export the archive to make an ipa, and then runs "altool --validate-app" to check that everything will be fine for a subsequent upload to the app store. This has been working fine for a few years but recently stopped working and we cannot figure out why.
The validation fails with this error:
ERROR: [altool.105912F20] Validation failed (409) Invalid Provisioning Profile. The provisioning profile included in the com. bundle [Payload/.app] is invalid. [Missing code-signing certificate]. A distribution provisioning profile should be used when uploading apps to App Store Connect. (ID: )
The project is configured with 'Automatically manage signing' unchecked, and the profile was created on developer.apple.com/account/resources/profiles and the matching profile magically appears in the "Provisioning Profile" drop down in Xcode.
The profile was created with two certificates checked, but examining the embedded.mobileprovision profile that ends up in the compiled ipa payload it appears to contain 19 certificates (probably all of them for this org?).
Is there a way to find out which certificate is missing exactly? And once identified is it a case of adding it to the profile used during compilation to fix this?
Ancillary question: why does the embedded.mobileprovision file contain so many certificates, and how does xcodebuild decide which ones it includes there?
Topic: Code Signing
SubTopic: Certificates, Identifiers & Profiles
Hi everyone!!
I am submitting an App for Notarization for the first time. I have several attempts; some returned Invalid and others show In Progress for more than 8 hours.
Is that normal?
I addressed the issues that made the other ones Invalid.
Thanks so much!