General: DevForums tags: Code Signing, Signing Certificates, Provisioning Profiles, Entitlements Developer Account Help — This document is good in general but, in particular, the Reference section is chock-full of useful information, including the names and purposes of all certificate types issued by Apple Developer web site, tables of which capabilities are supported by which distribution models on iOS and macOS, and information on how to use managed capabilities. Developer > Support > Certificates covers some important policy issues Entitlements documentation TN3125 Inside Code Signing: Provisioning Profiles — This includes links to other technotes in the Inside Code Signing series. WWDC 2021 Session 10204 Distribute apps in Xcode with cloud signing Certificate Signing Requests Explained DevForums post --deep Considered Harmful DevForums post Don’t Run App Store Distribution-Signed Code DevForums post Resolving errSecInternalComponent errors during code signing DevForums post Finding a Capability’s Distribution Restrictions DevForums post Signing code with a hardware-based code-signing identity DevForums post Mac code signing: DevForums tag: Developer ID Creating distribution-signed code for macOS documentation Packaging Mac software for distribution documentation Placing Content in a Bundle documentation Embedding Nonstandard Code Structures in a Bundle documentation Embedding a Command-Line Tool in a Sandboxed App documentation Signing a Daemon with a Restricted Entitlement documentation Defining launch environment and library constraints documentation WWDC 2023 Session 10266 Protect your Mac app with environment constraints TN2206 macOS Code Signing In Depth archived technote — This doc has mostly been replaced by the other resources linked to here but it still contains a few unique tidbits and it’s a great historical reference. Manual Code Signing Example DevForums post The Care and Feeding of Developer ID DevForums post TestFlight, Provisioning Profiles, and the Mac App Store DevForums post For problems with notarisation, see Notarisation Resources. For problems with the trusted execution system, including Gatekeeper, see Trusted Execution Resources. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hello everyone, I am encountering an issue with the iOS Autofill framework where the app saves the password with only the main domain (company.com) instead of the full subdomain (xyz.company.com) that I have specified. Here are the details of my configuration: Entitlements.plist: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.developer.associated-domains</key> <array> <string>applinks:xyz.company.com</string> <string>webcredentials:xyz.company.com</string> </array> <key>keychain-access-groups</key> <array> <string>$(AppIdentifierPrefix)com.company</string> </array> </dict> </plist> apple-app-site-association file: { "applinks": { "details": [ { "appIDs": ["ABCDEFGHIJ.com.company"] } ] }, "webcredentials": { "apps": ["ABCDEFGHIJ.com.company"] } } Issue Description: I have configured the Entitlements.plist and the apple-app-site-association file to use a subdomain (xyz.company.com). However, when the app saves the password, it only saves it under company.com rather than the full subdomain xyz.company.com. Steps Taken: Verified that the Entitlements.plist contains the correct entries for applinks and webcredentials. Checked the apple-app-site-association file to ensure it includes the correct app IDs and details. Confirmed that the subdomain xyz.company.com is correctly set up and accessible. Expected Behavior: The Autofill framework should save passwords with the full subdomain xyz.company.com as specified in the configuration. Actual Behavior: Passwords are being saved with only the main domain company.com, ignoring the specified subdomain. Questions: Is there a specific configuration or step that I might be missing to ensure that the Autofill framework recognizes the full subdomain? Are there any known issues or limitations with using subdomains in the applinks and webcredentials settings? Any insights or suggestions on how to resolve this issue would be greatly appreciated. Thank you in advance for your help! Best regards, Andy

HI! I am developing an application that should utilize ScriptingBridge.framework to interact with another process. Firstly, I created a separate test application for which I have added Apple Events entitlements via "Signing & Capabilities" section in Xcode and updated its Info.plist to have "Privacy - AppleEvents Sending Usage Description". While the test app works fine (I see an automation request popup and the process executes as expected) the main application where I want to integrate this functionality gets closed immediately after reaching the code interacting with Scripting Bridge. On its launch, I see the following error message from tccd in Console: Prompting policy for hardened runtime; service: kTCCServiceAppleEvents requires entitlement com.apple.security.automation.apple-events but it is missing for accessing={TCCDProcess: identifier=<app bundleID>, ..., binary_path=<path to the app's binary>} I had no such issues with the test app. Moreover, I should mention that the bundle I want to have with such functionality is stored in another bundle, both main and inner bundles aren't sandboxed, and the target app has Application is agent (UIElement) key set in Info.plist. Can you suggest any ideas as to why processes behave so differently despite having pretty much the same build configurations?

I am creating a new macOS application that requires access to files outside of the sandbox. It needs to be docked in a silent state and packaged using the Electron Builder application. I have configured the relevant permissions as com.apple.security.memory-exception.files.absolute path.read-only, It can be accessed normally in the local version of mas dev. The configuration parameters are as follows: <key>com.apple.security.temporary-exception.files.absolute-path.read-only</key> <array> <string>/Volumes/NO NAME/</string> <string>/Volumes/NO NAME 1/</string> <string>/Volumes/NO NAME 2/</string> </array> But during the review period of the app store, some people said it was not of legal value. The following is the original statement: Your application is not properly sandboxed, or it contains one or more rights with invalid values. Before resubmitting the new binary file, please review the included rights and sandbox documentation and resolve this issue. com.apple.security.temporary-exception.files.absolute-path.read-only True If there is a com.apple.security.memory-exception.files.absolute path.read-only authorization, will the app store accept it? What do I need to do to access it?

We have trying to programmatically send data to Final Cut Pro by using Apple Event as decribed in Sending Data Programmatically to Final Cut Pro : tell application "Final Cut Pro" activate open POSIX file "/Users/JohnDoe/Documents/UberMAM/MyEvents.fcpxml" end tell This works fine in Script Editor but we run into problems when trying to do the same in our macOS app. We found interesting information in Workflow Extensions SDK 1.0.2 Release Notes.pdf. A) Hardened runtime has "Apple Events Enabled" checked. B) Info.plist contains NSAppleEventsUsageDescription: <key>NSAppleEventsUsageDescription</key> <string>Test string</string> C) We added following entitlements: <key>com.apple.security.scripting-targets</key> <dict> <key>com.apple.FinalCut</key> <array> <string>com.apple.FinalCut.library.inspection</string> </array> <key>com.apple.FinalCutTrial</key> <array> <string>com.apple.FinalCut.library.inspection</string> </array> </dict> <key>com.apple.security.automation.apple-events</key> <true/> With this configuration in place, our app is able to call AppleScript to activate Final Cut Pro application but it is unable to open the file. Following error is returned: Error executing AppleScript: { NSAppleScriptErrorAppName = "Final Cut Pro Trial"; NSAppleScriptErrorBriefMessage = "A privilege violation occurred."; NSAppleScriptErrorMessage = "Final Cut Pro Trial got an error: A privilege violation occurred."; NSAppleScriptErrorNumber = "-10004"; NSAppleScriptErrorRange = "NSRange: {56, 64}"; } Also there is no prompt asking user to allow Automation from our app to Final Cut. I am not sure whether the prompt is to be expected when developing an application in Xcode. Our current workaround is to add (or even replace com.apple.security.scripting-targets with): com.apple.security.temporary-exception.apple-events entitlement like this <key>com.apple.security.temporary-exception.apple-events</key> <array> <key>com.apple.FinalCutTrial</key> </array> However while this approach might work in development we know this would probably prevent us from publishing the app to Mac App Store. I think we are missing something obvious. Could you help? :-)

Hi, I wanted to use Siri Capability for a WatchOS app, however in xcode on a WatchOS project, the option to add Siri is not present. In an IOS project this is visible but if you are not part of the ADP or ADEP you do not have access to it, this message appears in red if you try to select it as a personal team. I am considering paying to join the ADP but I am unsure if it will unlock the ability to use Siri capability on WatchOS. It looks like it is completely unsupported as it cannot be even selected from the capabilities section in xcode , even though Apple states it is supported under ADP and ADEP on their website. I am a little confused. Does anyone else have this issue, or is Siri present under capabilities for you in a WatchOS project?

I am developing a suite of apps/helpers that get built into an installer package for deployment (outside The App Store). We have that release process ± working, except that most of the development team members are not admins/privileged on the team. They don't really need to publish on behalf of the team, and so we don't want to have debug builds also depend on being signed as "Developer ID Application". But that is running into problems… If I select instead "Sign to Run Locally" this results in an error for some of the build products along the lines of: [Build Target] requires a provisioning profile. Enable development signing and select a provisioning profile in the Signing & Capabilities editor. If I select "Apple Development" as the Code Signing Identity it leaves me with basically the same error as "Developer ID Application" does: Provisioning profile [Name of App/Helper] doesn't include signing certificate "Apple Development: [Name of Developer] ([TEAMID])" And finally, if simply set the Debug value for Provisioning Profile to "None" for the problematic products I get errors like: "[Name of app]" requires a provisioning profile. Select a provisioning profile in the Signing & Capabilities editor. I believe perhaps because some of the targets have an entitlements file granting access to various things (their own XPC services, their own shared preferences, as well as Outgoing Network Connections and com.apple.security.smartcard access…). In older versions of Xcode and/or macOS we didn't have trouble like this, local development could be done by basically any team member. Now it seems like maybe all developers need to have release-signing privileges to test/debug even on their own machines? Or is there a combination I'm missing, that would allow anyone on the team (or perhaps not even on the team) to build and debug the code locally, while still limiting who is able to actually sign notarized release builds on behalf of the team?

After updating to Xcode 15.3 and Sonoma, I started getting an error when packaging my app: Provisioning profile failed qualification Profile doesn't include the com.apple.developer.mail-client entitlement. There is no indication in the documentation that this has anything to do with the provisioning profile, and there is no capacility that needs to be added. I was given the "com.apple.developer.mail-client" entitlement from Apple over a year ago as documented in: https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_developer_mail-client, and it worked fine until now.

Hi, we are a Carrier company (Utility provider) and working on a feature to display real-time Wifi Signal strength of customer devices (connected to Router Gateway) to help customers identify low and high signal areas, and possibly install extenders to improve signal strength at weak points. This feature requires NEHotspotHelper entitlement approval to access signalStrength property. We went through this Apple documentation too and we're open to other recommendations from Apple https://developer.apple.com/forums/thread/721067 . Since we currently don't have direct point of contact with Apple to discuss this requirement, hence wanted to check it here. Kindly advise. Thanks !

On our CI (GitHub Actions) we are signing our .ipa with codesign and after that uploads the resulting .ipa with altool to TestFligt. The problem is that the entitlements added by codesign no longer appear when we view the build on TestFlight. The app requires entitlements for push notification and for associated domains. codesign -s Distribution prod.entitlements prod.ipa Immediately after we do a codesign --verbose --display --entitlements - and the entitlements show fine. Next command is xcrun altool --upload-app --type ios -f prod.ipa --apiKey $api_key_id --apiIssuer $appstore_api_key_issuer To us it seems like altool strips the entitlements from the .ipa. What are we doing wrong?

Hello, I am currently facing an issue with my iOS app and its associated Preview extension. I am trying to save a file to a shared container using App Groups, so that my main app can read the file. The code works perfectly on the iOS simulator, but when I run the app on a physical device I encounter a "You don't have permission to save the file" error. Here's the relevant code snippet: let appGroupIdentifier = "group.com.yourcompany.yourapp" func saveDataToSharedContainer(fileName: String, data: Data) -> Bool { guard let containerURL = FileManager.default.containerURL(forSecurityApplicationGroupIdentifier: appGroupIdentifier) else { print("Error: Unable to access the shared container.") return false } let fileURL = containerURL.appendingPathComponent(fileName) do { try data.write(to: fileURL, options: .atomic) print("Data saved to shared container successfully.") return true } catch { print("Error: Unable to save data to shared container. \(error)") return false } } I have already verified the following: App Groups capability is enabled for both the main app target and the extension target. The App Group identifier is consistent in both the main app target and the extension target, as well as in the Swift code. Provisioning profiles and signing certificates are up-to-date, and the issue persists after cleaning the project and resetting the provisioning profiles. Despite trying these steps, the issue remains unresolved. This error is reproducible in a new project with a Preview extension. I would greatly appreciate any insights or suggestions from the community to help me resolve this issue. Thank you in advance!

I'm looking to automate device provisioning using App Store Connect API. Two things are snagging me: Updating Profiles API: Adding a new device seems clunky (read-all-devices, save, delete profile, recreate with a new device). Is there a simpler way to do it? I looked over the documentation and it seems like there's no streamlined way to do it, am I correct? Entitlements API: Not public yet? Does anyone know about any plans to open it up soon? I asked Apple Support and they didn't provide any information on this. Specifying entitlements during provisioning is an important step. Thanks for any help!

We have a legacy app written in a mix of C, ObjC, C++ and ObjC++ with .xib files. It is not sandboxed. It sends an Apple Event to TV (the app of that name from Apple, not a physical TV) using /usr/bin/osascript, calling a compiled Apple Script which is in our app bundle's Resources directory with parameters which we generate in our app at runtime. The first time it does this on a fresh system, the OS puts up a dialog asking for permission to control TV, and after the user clicks Allow, our app appears under Security and Privacy in the Automation section. That's all fine, but what is unexpected is that the app has no Apple Events entitlement (com.apple.security.automation.apple-events), and it doesn't have a NSAppleEventsUsageDescription string either. The documentation at https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_security_automation_apple-events says Your app doesn’t need the Apple Events Entitlement if it only sends Apple events to itself or to other processes signed with the same team ID. but we're not on the Apple team. When I filter the log for messages from tccd pertaining to our app, it does indeed complain : Prompting policy for hardened runtime; service: kTCCServiceAppleEvents requires entitlement com.apple.security.automation.apple-events but it is missing for accessing={TCCDProcess: identifier=<our bundle id>” But despite those complaints, everything works - I can send the event, and TV acts upon it. Is this working only by accident, and might fail in some minor future OS update? tccd also complains about the microphone Prompting policy for hardened runtime; service: kTCCServiceMicrophone requires entitlement com.apple.security.device.audio-input but it is missing for requesting={TCCDProcess: identifier=<our bundle ID> but we don't use the microphone tccd complains about this too <path-to-our-app> attempted to call TCCAccessRequest for kTCCServiceAccessibility without the recommended com.apple.private.tcc.manager.check-by-audit-token entitlement What does that mean, and should we be concerned?

I need to obtain the user's EID within my app. We are a mobile network operator and have also applied for Apple's eSIM development. Does Apple provide a certified developer access to an API for obtaining EID? I understand that there is no public API available, but I'm unsure if approved operators can access EID. If so, how can I apply for this private API?

In my sandboxed MacOS app I want to access OSLogStore programmatically to fetch logs for multi-component application (app, libraries, deriver) for further analysis. According to the documentation, - https://developer.apple.com/documentation/oslog/oslogstore/3366102-local the app should have com.apple.logging.local-storeentitlement. I have added this entitlement "by hand" to the entitlement file as I I can't find a correspondent entry in the Xcode -> Sign & Capabilities interface. When I run the app, I get Unsatisfied entitlements: com.apple.logging.local-store error and the app doesn't start. If I remove the entitlement, the app can't get access to the logd subsystem. How can I add com.apple.logging.local-store to my app? Should I request this not visible via Xcode configuration UI from apple? Thanks!

Hi, My application doesn't start playback anymore after signing it with entitlements. <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.security.app-sandbox</key> <true/> <key>com.apple.security.files.user-selected.read-only</key> <true/> <key>com.apple.security.device.audio-input</key> <true/> <key>com.apple.security.device.microphone</key> <true/> <key>com.apple.security.assets.music.read-write</key> <true/> <key>com.apple.security.network.server</key> <true/> </dict> </plist> regards, Joël

Hi All, I submitted a Family Controls Request Form but haven't heard back. I didn't get any case id when I submitted the request, so how do you track it and know when It is approved? I'm currently developing an app that requires the main target and also the app extension to both use Family Controls. Does this mean I need to request forms for both app bundles separately or just the main app? This is really worrying for us as our project is almost ready and we are unable to launch it :( . Would appreciate any responses. Thanks,

Hi, Can a single domain serve a /.well-known/apple-app-site-association file for multiple apps from different developers? We currently have our own domain, let's say example.com, which serves https://example.com/.well-known/apple-app-site-association which lists our app, let's say "ABCDEFG.com.example.AppA" for path "/app/a". We're talking with another developer who has another app on the store. Can we add their app, "MNOPQR.com.different.AppB" on our site, https://example.com/.well-known/apple-app-site-association, add their app ID for path "/app/b", ask them to add our example.com domain in their associated-domains entitlement, and would it work? I mean would https://example.com/app/a open our app "ABCDEFG.com.example.AppA" and https://example.com/app/b open their app "MNOPQR.com.different.AppB" ? We want to open https://example.com/redirect/app redirect to either /app/a or /app/b depending on the query parameters and launch our or their app. Thanks in advance!

There is an inconsistent issue when views are rendered from the Device Activity Report Extension. This issue is noticeable only on release versions and it works fine in debug mode. Around 80% of the times, the Report Views return blank screen and this is only the case when a weekly/monthly filter is used. Although, it works as expected for daily report views. My questions are: How are all the Report Activity Views working fine in debug mode but not in release mode? How the daily activity filter works fine in the release mode but the weekly/monthly filters don't work? Is this because of a memory limit issue in the extension? As of now, I have the family-controls(distribution) entitlement only for the app and for the extensions I only have family-controls(development) entitlement. Do I need to request for family-controls(Distribution) entitlement even for the extensions? I have seen threads on the forum mentioning the blank screen issue associated with the DeviceActivityReport but haven't found a solution to it. Any suggestions/feedback would be of great help, thanks.

How to add Additional capabilities in Certificates, Identifiers & Profiles on app store account to Enable the Tap to Pay on iPhone capability.

I have a question regarding the way iOS handles app permissions. Why doesn't Apple provide a feature to review the reasons an app gave for requesting certain permissions after the initial authorization? There are instances where permissions were granted a long time ago or perhaps inadvertently, and now I can't recall why the app needed those permissions in the first place. This feature could be helpful for users trying to understand and manage their privacy settings more effectively. Thank you for any insights or information