Reply to ITMS-90885 “${executable}” in bundle “${bundle}” is missing a provisioning profile
That did it! I added com.apple.security.cs.allow-unsigned-executable-memory to my child-process entitlements and everything works as expected. All of my issues are fixed now. Thank you, thank you, thank you Quinn! I feel like I finally understand a whole bunch of random app store stuff that I'm NEVER going to touch again. That was really painful, but thank you for helping me through it.
Jun ’23
Reply to ITMS-90885 “${executable}” in bundle “${bundle}” is missing a provisioning profile
Ok, so looks like we're getting there. Thank you for coming along the journey with me. TL;DR: solved a bunch of problems, jump to the last heading for the current problem.

Entitlements

The correct "inherit" entitlements (for child items) are:

  com.apple.security.app-sandbox
  com.apple.security.inherit

Inherit Entitlement Notes

And the reason it didn't work during my previous attempt was because of a downstream issue which I'll get to in a minute. With this updated "inherit" plist, I continued to receive "Unsatisfied entitlements: com.apple.security.application-groups", but as mentioned here this is a non-fatal issue and can often be ignored. (Adding com.apple.security.application-groups to the "inherit" plist caused other errors for me.) All things ending in .framework, .app and .node need to be signed with these "inherit" entitlements.

Main Entitlements

For the record, my main app entitlements are as follows:

  com.apple.security.app-sandbox
  com.apple.application-identifier: TTTTTTTT.com.nnnnnnnnnnnnn.nnnnn
  com.apple.developer.team-identifier: TTTTTT
  com.apple.security.network.client
  com.apple.security.network.server
  com.apple.security.device.usb (specific to my app, others may not need this)
  com.apple.security.device.serial (specific to my app, others may not need this)
  com.apple.security.files.user-selected.read-write
  com.apple.security.cs.allow-jit
  com.apple.security.cs.allow-unsigned-executable-memory
  com.apple.security.cs.disable-executable-page-protection
  com.apple.security.cs.allow-dyld-environment-variables
  com.apple.security.cs.disable-library-validation
  keychain-access-groups: [TTTTTTTT.*]
  com.apple.security.application-groups: [TTTTTTTT.com.nnnnnnnnnnnnn.nnnnn]

Debugging

dtruss: I was able to capture the sys calls by unsigning the main binary (Contents/MacOS/Nnnnn), but that required sudo-ing, and the application seemed to be in a different sandbox when I did that and hit issues trying to read attributes from the main .app folder. In retrospect, I think that output was misleading for what I was trying to do.

Xcode: I tried to run the app via Xcode's Debug > Debug Executable... I ran into issues because my app doesn't have the com.apple.security.get-task-allow entitlement. But just adding that entitlement to the main entitlements didn't work for me. (I think it conflicts with com.apple.security.app-sandbox?) Instead of dealing with that, I was able to just disable SIP with csrutil disable (via recovery mode reboot) and attach Xcode no problem. When running in Xcode, I was able to find that the exit was because of a failed assertion on the Mach port.

Mach/XPC Stuff

Next issue was this pesky panic:

  FATAL:mach_port_rendezvous.cc(142)] Check failed: kr == KERN_SUCCESS. bootstrap_check_in

You can see the source code here: https://chromium.googlesource.com/chromium/src/+/master/base/mac/mach_port_rendezvous.cc

Digging through the console logs, I was able to find this error:

  Sandbox: Nnnnn(23775) deny(1) mach-register com.nnnnnnnnnnnnn.nnnnnn.MachPortRendezvousServer.23775

Btw, I kept SIP disabled for this part so I could attach my Xcode debugger. So that's interesting, can't register a Mach port... maybe a permissions issue me thinks? Digging around, I found that XPC naming must match your app identity:

  "A Service Management login item can only run a single XPC listener and its name must match the name of the login item." - https://developer.apple.com/forums/thread/703702?answerId=709877022#709877022

:wave: thank you Quinn. So, if the name needs to match... my error says it's trying to register without the TTTTT part of TTTTT.com.nnnnnnnnn.nnnn... So why is chromium / electron doing that... Going back to the chromium source code from above, jump to line 143 - note: mac::BaseBundleID(). Ok, so dig backwards, where does that come from - here it is: https://source.chromium.org/chromium/chromium/src/+/HEAD:base/mac/foundation_util.mm;l=289, which relies on base_bundle_id, which is set in SetBaseBundleID. Some quick googling: that's set over here in electron. And interesting... it looks for an ElectronTeamID Info.plist property. Quick check of our Info.plist - nada. Updated the build process to include ElectronTeamID: TTTTTT in my Info.plist. Cool, works great!

Fun note: my app doesn't require com.apple.security.temporary-exception.mach-lookup.global-name since, from what I can tell, com.apple.security.application-groups and com.apple.security.app-sandbox allow you to use any named Mach port with a prefix of TTTTT.com.nnnnnnnnnn.nnnn.

Pink Flashing Screen

Once I tested that everything was working, I re-enabled SIP (csrutil enable) and started the app. Got a pink and white seizure-type screen. The console logs showed this error:

  kernel CODE SIGNING: 1036[nnnnn Helper (Re] vm_map_protect:6073(0x0,0x0,0x7) can't have both write and exec at the same time.

I tried using com.apple.security.cs.disable-executable-page-protection in my main entitlement (since it would get inherited by the Helper), but that didn't work. Back to the drawing board...
Jun ’23
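The Mach port naming rule worked out in the reply above can be checked before shipping a build. The following is an added example, not Chromium, Electron or Apple code. It takes from the post that Chromium registers a Mach service named "<BaseBundleID>.MachPortRendezvousServer.<pid>", that Electron builds BaseBundleID from the ElectronTeamID Info.plist key plus the bundle identifier, and that a sandboxed app may register Mach names prefixed by one of its com.apple.security.application-groups. The team ID (TEAMID0000), bundle identifiers and pid below are constructed placeholders.

```python
"""Predict whether an Electron app's Mach port rendezvous registration will be
allowed by the App Sandbox, using the reasoning from the post. Added example;
not Chromium, Electron or Apple code. Values are constructed placeholders."""
import plistlib

# Constructed main-app entitlements (subset of the post's list; TEAMID0000 is a placeholder).
MAIN_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.application-identifier</key><string>TEAMID0000.com.example.app</string>
  <key>com.apple.developer.team-identifier</key><string>TEAMID0000</string>
  <key>com.apple.security.application-groups</key>
  <array><string>TEAMID0000.com.example.app</string></array>
</dict></plist>"""


def info_plist(team_id=None):
    """Constructed Info.plist for the app bundle, with or without ElectronTeamID."""
    info = {"CFBundleIdentifier": "com.example.app", "CFBundleName": "Example"}
    if team_id is not None:
        info["ElectronTeamID"] = team_id
    return plistlib.dumps(info)


def rendezvous_service_name(info_bytes, pid):
    """Mach service name the rendezvous server registers. The format comes from the
    post's sandbox log line; the ElectronTeamID prefix from the Electron patch it cites."""
    info = plistlib.loads(info_bytes)
    base = info["CFBundleIdentifier"]
    team = info.get("ElectronTeamID")
    if team:
        base = f"{team}.{base}"
    return f"{base}.MachPortRendezvousServer.{pid}"


def check_registration(main_ents_bytes, info_bytes, pid):
    """Return a dict saying whether mach-register of the rendezvous name should pass
    the sandbox, given the entitlements and Info.plist of the bundle."""
    ents = plistlib.loads(main_ents_bytes)
    groups = ents.get("com.apple.security.application-groups", [])
    team = ents.get("com.apple.developer.team-identifier")
    name = rendezvous_service_name(info_bytes, pid)
    info_team = plistlib.loads(info_bytes).get("ElectronTeamID")
    problems = []
    if info_team is None:
        problems.append("Info.plist has no ElectronTeamID; Electron will register an unprefixed name")
    elif info_team != team:
        problems.append("ElectronTeamID does not match com.apple.developer.team-identifier")
    # The post's observation: only names under an application-group prefix may be registered.
    if not any(name.startswith(g + ".") for g in groups):
        problems.append(f"{name} is not under any application-group prefix {groups}; "
                        "expect 'deny(1) mach-register' in the console log")
    return {"service_name": name, "allowed": not problems, "problems": problems}


if __name__ == "__main__":
    for team in (None, "TEAMID0000"):
        print(team, check_registration(MAIN_ENTITLEMENTS, info_plist(team), 23775))
```

Run it once without and once with ElectronTeamID: the first run reproduces the unprefixed service name from the post's log line and flags it, the second produces a name under the application-group prefix and reports it as allowed.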
Reply to ITMS-90885 “${executable}” in bundle “${bundle}” is missing a provisioning profile
I'm using electron so it's a little tricky to figure out. It looks like it's using posix_spawn, based on this chromium code - https://chromium.googlesource.com/chromium/src/+/master/base/mac/mach_port_rendezvous.cc + this electron patch. The crash seems to be happening at the MachPort connection checkpoint here: https://chromium.googlesource.com/chromium/src/+/master/base/mac/mach_port_rendezvous.cc#147 There are other spots in electron that have NSWorkspace, but I think that's just for shell commands. There are also a few launch services references, but I think that's for opening 3rd party apps. I was also able to grab a dtruss output to confirm that it's using posix_spawn. I had to first make a copy of the main executable Contents/MacOS/NNNN and remove the code sign with sudo codesign --remove-signature NNNN2. It seems like child processes are able to spawn, but not open the MachPort? Quinn, I'll email that full dtruss output to you and the full console logs from my last post in case there's something that jumps out.
Jun ’23
Reply to ITMS-90885 “${executable}” in bundle “${bundle}” is missing a provisioning profile
Thank you Quinn. I was able to get my app to build on AppStoreConnect for TestFlight by removing the com.apple.application-identifier key from my nested app entitlements, but it now crashes on launch and I can't figure it out :/

So my nested applications now have app entitlements like this:

  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
  <plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <array>
      <string>TTTTTT.com.bbbbbbbbbbbbbbb.bbbb</string>
    </array>
  </dict>
  </plist>

So it builds and is able to be downloaded by TestFlight, but my app crashes on startup. I've tried playing with the nested app entitlements without any luck.

  Attempted: com.apple.security.app-sandbox + com.apple.security.inherit (didn't work)
  Attempted: com.apple.security.app-sandbox (didn't work)
  Attempted: com.apple.security.app-sandbox + com.apple.security.application-groups (didn't work)

In my most recent test, com.apple.security.app-sandbox + com.apple.security.application-groups, I'm getting the following console errors:

  error 11:37:37.340377-0400 taskgated-helper com.bbbbbbbbbbbbbb.bbbb: Unsatisfied entitlements: com.apple.security.application-groups
  error 11:37:37.340426-0400 taskgated-helper Disallowing: com.bbbbbbbbbbbbbb.bbbb
  error 11:37:37.770554-0400 kernel Sandbox: Bbbb(23775) deny(1) mach-lookup com.apple.CoreLocation.agent
  error 11:37:37.770618-0400 kernel Sandbox: Bbbb(23775) deny(1) mach-lookup com.apple.locationd.desktop.registration
  error 11:37:37.776840-0400 kernel Sandbox: Bbbb(23775) deny(1) mach-register com.bbbbbbbbbbbbbb.bbbb.MachPortRendezvousServer.23775
  error 11:37:37.842333-0400 runningboardd RBSStateCapture remove item called for untracked item 221-170-18294 (target:[app<application.com.bbbbbbbbbbbbbb.bbbb.nnnnnnnnnnn.nnnnnnnnnnn(501)>:23775])
  error 11:37:37.842364-0400 runningboardd RBSStateCapture remove item called for untracked item 221-139-18293 (target:[app<application.com.bbbbbbbbbbbbbb.bbbb.nnnnnnnnnnn.nnnnnnnnnnn(501)>:23775])
  error 11:37:37.842438-0400 runningboardd RBSStateCapture remove item called for untracked item 221-139-18292 (target:[app<application.com.bbbbbbbbbbbbbb.bbbb.nnnnnnnnnnn.nnnnnnnnnnn(501)>:23775])

For extra detail, my main app entitlement is as follows:

  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
  <plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.network.server</key>
    <true/>
    <key>com.apple.security.device.usb</key>
    <true/>
    <key>com.apple.security.device.serial</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.application-identifier</key>
    <string>TTTTTTT.com.bbbbbbbbbbbbb.bbbb</string>
    <key>keychain-access-groups</key>
    <array>
      <string>TTTTTTT.*</string>
    </array>
    <key>com.apple.developer.team-identifier</key>
    <string>TTTTTTT</string>
    <key>com.apple.security.application-groups</key>
    <array>
      <string>TTTTTTT.com.bbbbbbbbbbbbb.bbbb</string>
    </array>
  </dict>
  </plist>
Jun ’23
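The console excerpt in the reply above mixes one ignorable line with the one that actually explains the crash. The following added example (not Apple or Electron tooling) parses log lines of that shape and sorts them the way the thread does: a taskgated-helper "Unsatisfied entitlements: com.apple.security.application-groups" line is treated as non-fatal, as the later reply states, while a kernel "Sandbox: ... deny(1) mach-register <name>" line is actionable and its name is compared against the app's application-group prefixes. Process names, pids and bundle identifiers in the sample are constructed stand-ins for the post's placeholders.

```python
"""Triage App Sandbox / taskgated-helper console lines of the shape quoted in the
post. Added example; sample lines are constructed from the post's placeholders."""
import re

# Constructed sample in the shape of the post's log excerpt.
SAMPLE_LOG = """\
error 11:37:37.340377-0400 taskgated-helper com.example.app: Unsatisfied entitlements: com.apple.security.application-groups
error 11:37:37.340426-0400 taskgated-helper Disallowing: com.example.app
error 11:37:37.770554-0400 kernel Sandbox: Example(23775) deny(1) mach-lookup com.apple.CoreLocation.agent
error 11:37:37.770618-0400 kernel Sandbox: Example(23775) deny(1) mach-lookup com.apple.locationd.desktop.registration
error 11:37:37.776840-0400 kernel Sandbox: Example(23775) deny(1) mach-register com.example.app.MachPortRendezvousServer.23775
error 11:37:37.842333-0400 runningboardd RBSStateCapture remove item called for untracked item 221-170-18294
"""

# Process names may contain spaces and parentheses ("nnnnn Helper (Re"), so match lazily up to "(pid)".
SANDBOX_RE = re.compile(
    r"Sandbox: (?P<proc>.+?)\((?P<pid>\d+)\) deny\((?P<code>\d+)\) (?P<op>\S+) (?P<target>\S+)")
UNSAT_RE = re.compile(r"taskgated-helper (?P<bundle>\S+): Unsatisfied entitlements: (?P<ents>.+)$")


def parse_log(text):
    """Turn raw log lines into event dicts; lines matching neither pattern are dropped."""
    events = []
    for line in text.splitlines():
        m = SANDBOX_RE.search(line)
        if m:
            events.append({"kind": "sandbox-deny", "proc": m["proc"], "pid": int(m["pid"]),
                           "op": m["op"], "target": m["target"]})
            continue
        m = UNSAT_RE.search(line)
        if m:
            events.append({"kind": "unsatisfied", "bundle": m["bundle"],
                           "entitlements": [e.strip() for e in m["ents"].split(",")]})
    return events


def triage(events, app_groups):
    """Sort events into 'actionable', 'ignorable' and 'other' buckets, each entry with a reason."""
    buckets = {"actionable": [], "ignorable": [], "other": []}
    for ev in events:
        if ev["kind"] == "unsatisfied":
            if ev["entitlements"] == ["com.apple.security.application-groups"]:
                buckets["ignorable"].append(
                    f"{ev['bundle']}: application-groups unsatisfied (non-fatal per the thread)")
            else:
                buckets["actionable"].append(f"{ev['bundle']}: unsatisfied {ev['entitlements']}")
        elif ev["op"] == "mach-register":
            under_group = any(ev["target"].startswith(g + ".") for g in app_groups)
            why = ("name is under an application-group prefix; look elsewhere" if under_group
                   else "name lacks the <team-id>.<bundle-id> prefix (check ElectronTeamID)")
            buckets["actionable"].append(
                f"pid {ev['pid']} ({ev['proc']}) mach-register {ev['target']}: {why}")
        else:
            # Other denials (e.g. mach-lookup of system agents) are reported but not judged here.
            buckets["other"].append(f"pid {ev['pid']} ({ev['proc']}) {ev['op']} {ev['target']}")
    return buckets


if __name__ == "__main__":
    for bucket, items in triage(parse_log(SAMPLE_LOG), ["TEAMID0000.com.example.app"]).items():
        print(bucket)
        for item in items:
            print("  " + item)
```

Feed it the output of `log show` filtered to the app's process and the mach-register line surfaces with the prefix diagnosis, which is the fact the reply two posts later needed several debugging sessions to reach.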
Reply to ITMS-90885 “${executable}” in bundle “${bundle}” is missing a provisioning profile
@eskimo, thank you for your response. (And thank you for all your comments in the developer forums, they've been really helpful!) Unfortunately I can't build my app via Xcode (or maybe just don't know how) so I can't really test the different entitlements (e.g. the keychain one) in Xcode. I built a sample app and added the keychain entitlement so I could see what keys got added. I tried adding this to my entitlements file, but it didn't solve the error.

  <key>keychain-access-groups</key>
  <array>
    <string>$(AppIdentifierPrefix)-trigger-provisioning-profile</string>
  </array>

I ended up switching my build system from electron-builder to electron-forge and I now get a green checkmark on the "verify" action in Transporter. I don't really know what changed. The signatures look the same, the file structure of the .app looks largely the same. A few little differences I noticed:

  - the helper applications in Contents/Frameworks changed from "App Name Helper (GPU).app" to "appName Helper (GPU).app".
  - in Contents/Frameworks/App Name Helper (GPU).app/Contents/Info.plist the CFBundleName changed from "Electron Helper" to "appName".
  - the codesign entitlements are the same before and after (codesign -d --entitlements - --xml Contents/Frameworks/App Name Helper.app).

When I upload my x64 build to App Store Connect, I'm now receiving a "Not Available for Testing" status without any details. I'm going to try a universal build and see if that works better.
May ’23
Reply to Crypting ITMS-90886 error abound bundles identifiers and provisioning profiles
I've received the same error as well. I'm using electron with nested helper applications (e.g. Main.app/Contents/Frameworks/Helper.app).

The following causes the error for me:

  codesign -s "$DISTRIBUTION_KEY" -f --entitlements "$CHILD_PLIST" "packages/mas-universal/{APP_NAME}.app/Contents/Frameworks/{APP_NAME} Helper (Renderer).app"
  productbuild --component "packages/mas-universal/{APP_NAME}.app" /Applications --sign "$INSTALLER_KEY" "packages/{APP_NAME}.pkg"

This seems to fix the error, but causes a new error:

  codesign --sign {40-char-hash-from-electron/osx-sign} --force --timestamp --options runtime --entitlements "$CHILD_PLIST" "packages/mas-universal/{APP_NAME}.app/Contents/Frameworks/{APP_NAME} Helper (Renderer).app"
  productbuild --component "packages/mas-universal/{APP_NAME}.app" /Applications --sign "$INSTALLER_KEY" "packages/{APP_NAME}.pkg"

  WARNING ITMS-90885: "Cannot be used with TestFlight because the executable “${executable}” in bundle “${bundle}” is missing a provisioning profile but has an application identifier in its signature. Nested executables are expected to have provisioning profiles with application identifiers matching the identifier in the signature in order to be eligible for TestFlight."
May ’23
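The ITMS-90885 warning in this post, the nested-app entitlements tried in the TestFlight crash post above it, and the "inherit" entitlement list worked out later in the thread all reduce to one rule about what may appear in a nested helper's entitlements. The following added example (not Apple, Electron or electron-forge code) lints a main app's entitlements and its nested helpers' entitlements against that rule as the thread states it: a nested executable signed with com.apple.application-identifier but shipped without a provisioning profile is rejected for TestFlight, so helpers (.app, .framework, .node) carry com.apple.security.app-sandbox plus com.apple.security.inherit and not the identifier, team-identifier or application-groups keys; the thread's final reply shows that a hardened-runtime com.apple.security.cs.* key may be added to a helper when its code needs it. The plists and TEAMID0000 below are constructed placeholders.

```python
"""Lint main-app and nested-helper entitlements for the ITMS-90885 trigger and
the "inherit" rule described in this thread. Added example; the plists and the
team id TEAMID0000 are constructed placeholders."""
import plistlib

INHERIT_PAIR = {"com.apple.security.app-sandbox", "com.apple.security.inherit"}
# Keys the thread found must not be in a nested helper's entitlements.
FORBIDDEN_IN_NESTED = {"com.apple.application-identifier",
                       "com.apple.developer.team-identifier",
                       "com.apple.security.application-groups"}


def lint_main(ents):
    """Checks on the top-level .app entitlements; returns a list of problem strings."""
    problems = []
    if ents.get("com.apple.security.app-sandbox") is not True:
        problems.append("main: com.apple.security.app-sandbox must be true")
    team = ents.get("com.apple.developer.team-identifier")
    app_id = ents.get("com.apple.application-identifier")
    if not team:
        problems.append("main: missing com.apple.developer.team-identifier")
    if not app_id:
        problems.append("main: missing com.apple.application-identifier")
    if team and app_id and not app_id.startswith(team + "."):
        problems.append("main: application-identifier must be <team-id>.<bundle-id>")
    for g in ents.get("com.apple.security.application-groups", []):
        if team and not g.startswith(team + "."):
            problems.append(f"main: application-group {g} is not prefixed by the team id")
    return problems


def lint_nested(name, ents):
    """Checks on one nested bundle's entitlements; returns a list of problem strings."""
    problems = []
    for k in sorted(FORBIDDEN_IN_NESTED & set(ents)):
        reason = (" (ITMS-90885: identifier in signature but no provisioning profile)"
                  if k == "com.apple.application-identifier" else "")
        problems.append(f"{name}: remove {k}{reason}")
    for k in sorted(INHERIT_PAIR):
        if ents.get(k) is not True:
            problems.append(f"{name}: {k} must be true")
    # Hardened-runtime keys are tolerated (the thread's final fix added one); anything else is flagged.
    for k in sorted(set(ents) - INHERIT_PAIR - FORBIDDEN_IN_NESTED):
        if not k.startswith("com.apple.security.cs."):
            problems.append(f"{name}: unexpected entitlement {k}")
    return problems


def lint_bundle(main_plist, nested_plists):
    """main_plist: entitlements XML bytes; nested_plists: {bundle name: XML bytes}."""
    problems = lint_main(plistlib.loads(main_plist))
    for name, data in nested_plists.items():
        problems += lint_nested(name, plistlib.loads(data))
    return problems


# Constructed samples in the shape of the thread's plists.
MAIN_OK = b"""<plist version="1.0"><dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.application-identifier</key><string>TEAMID0000.com.example.app</string>
  <key>com.apple.developer.team-identifier</key><string>TEAMID0000</string>
  <key>com.apple.security.application-groups</key>
  <array><string>TEAMID0000.com.example.app</string></array>
</dict></plist>"""

HELPER_BAD = b"""<plist version="1.0"><dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.application-identifier</key><string>TEAMID0000.com.example.app</string>
</dict></plist>"""

HELPER_OK = b"""<plist version="1.0"><dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.inherit</key><true/>
  <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for label, helper in (("bad", HELPER_BAD), ("ok", HELPER_OK)):
        print(label, lint_bundle(MAIN_OK, {"Example Helper (Renderer).app": helper}) or "no problems")
```

In practice the XML bytes come from `codesign -d --entitlements :- <bundle>` for each nested item (the same command the thread uses, in the colon form that emits raw XML); the lint then runs before productbuild and Transporter instead of after the upload.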