I have applied for the app push provider permission in the Network Extension entitlement, but have not received a response yet. How long does it take to apply for authorization?

Hi, can't activate system-extension. in any case getting Domain=OSSystemExtensionErrorDomain Code=8 "Invalid code signature or missing entitlements" (sometimes get code = 9) P.S. In debug running all is working. (The system is asking to activate sysex) Has to read huge amount of forum, samples, and docs. But no luck What and how i've tried steps which i've doing #- signing sysextension binaries with Developer ID Application #- signing system extension with Developer ID Application #- signing application with Developer ID Application #- checking all signatures with Developer ID Application #- building pkg installer #- signing installer with Developer ID Installer #- checking signing #- sending installer for notarization #- waiting for installer verification #- after success I call stapler staple #- When calling sysex activation I get (But the problem is persist when i've try to move signed app to application folder, or try to notarize zip) or in any case which possibly mention on forum, i've get sign command sample codesign --force --timestamp --options runtime --sign "Developer ID ***" Also has to tried with ** --deep,** but no luck. Result of steps descrribed here: App has System Extension compatibility, Sysex haven't System Extension. App is used the same bundle id as in AppStore (also has to tried separate one, but no luck) In console just two informative message regarding it, but nothing specific default 01:08:04.745310+0200 sysextd client activation request for com.company.appName.PacketTunnelMacExternal default 01:08:04.745330+0200 sysextd attempting to realize extension with identifier com.company.appName.PacketTunnelMacExternal default 01:08:04.750996+0200 appName-Mac-External [0x13a9496f0] invalidated because the current process cancelled the connection by calling xpc_connection_cancel() Could you please assits with solve issue?

PLATFORM AND VERSION macOS Development environment: Other: Python Run-time configuration: macOS 14.6.1 DESCRIPTION OF PROBLEM We have created application using python and created .app using pyInstaller. We want to get the location access using python based application which we are trying to run on MacOS 14.6.1. Without including NSLocationUsageDescription in our info.plist, it is working fine but not getting location permission pop up. After including NSLocationUsageDescription in info.plist application got corrupted. STEPS TO REPRODUCE We are using below commands to sign the application codesign --force -s "Developer ID Application: Pitney Bowes (72NX38Y9GF)" -v DeviceHub.app --deep --strict --options=runtime --entitlements ../info.plist DeviceHub.app ditto -c -k --keepParent --rsrc --sequesterRsrc --arch 'x86_64' DeviceHub.app DeviceHub.zip xcrun notarytool submit DeviceHub.zip --keychain-profile "DHAgentProfile" --wait xcrun stapler staple DeviceHub.app

Hi everyone, I maintain an app that is developed and distributed with an Apple Developer Enterprise subscription and delivered via my institution’s private site, where users download the .ipa file after logging in. From what I see, we use automatic signing in Xcode where possible. On the 1st of January 2024, the provisioning profile expired, and the developer before me had to rush to renew it because the app stopped working. Now, I have some questions about how to prevent this from happening again: When should I renew the provisioning profile? Can I renew it before the expiration without blocking the current app version that users have already downloaded? How do I renew it? If I need to download a certificate, does it need to be converted into a different format? Do we need to build a new .ipa file that users will have to download before the expiration date? here a screenshot clearance and guide:

I'm trying to sign an app to run locally because development provisioning does not work for unspecified reasons. I'm adding NSAllowsLocalNetworking to the app transport security section of the entitlements and the result is that the selection to sign the app locally vanishes from the signing section in Xcode. I need to access a local web application which does not provide HTTPS. I'm not only very confused about this but actually pretty ******. Is this once again Apple playing games for absolutely no reason? Why can't I build and run an application on my system that does not have to do anything with Apple, the app store, customers or anything? This is just for me and I cannot make it work.

I recently changed the architecture of my app by moving some of the logic into a helper app, which is embedded together with the main app. The main app's bundle looks like this: Main.app - Contents - MacOS - Main - Helper.app It all works fine during development, and I could successfully archive and notarize it. However, when I try to launch the notarized version of the helper app, it fails with the signing issues. failed to fetch Main.app/Contents/MacOS/Helper.app/Contents/_CodeSignature/CodeRequirements-1 error=-10 I have tried a few things, but could not find any working solution. Any help is appreciated!

I am in the process of creating a multiplatform app with a shared code base using swiftUI for iOS and mac. This app has a widget extension target for both iOS and mac and a helper app for mac only. I am trying to share data and userdefaults between the main app and the widget extension for ios, and for the mac share data between the main app, widget extension and the helper app. I have setup an app group container to share data between all targets. However this is only working on iOS. The app group capability is not extended to macOS. I have been researching for weeks now and all the answers I can find are for if the macOS were a different target, which would entail me having the macos group container prefixed with my team identifier. With a multiplatform app, the main app simply won't let me prefix the group container with my team identifier. Which unfortunately xcode prevents me from doing for a multiplatform app. I have no idea of how to solve this issue and any help will be appreciated.

Hi everyone, Been working with Apple's notarization process for a while, and we've recently noticed some unexpected behavior. It seems like the notarization service might be looking inside ZIP archives contained within my app's distribution package. In the past, we don't recall the notarization process digging into ZIP files like this—only the main app bundle and its contents were scanned for signatures. Has there been a recent change or update to the notarization service that now includes inspecting files within ZIP archives? If so, are there specific guidelines or documentation updates regarding this change? Can anyone point me to what to expect and how to adjust my workflow accordingly. While "signing all the files" is the default answer, is there a more cohesive answer to this question? Thanks

We have a cross platform App available on Mac, iOS & soon tvOS. We are adding a new App Group to be used by this app. We also have a as yet unpublished future Mac Catalyst app that will need access to the App Group. The Apple docs suggest prefixing app groups on Mac with the team ID but not on other platforms. We would like to avoid prefixing with the team ID because: my understanding is that Mac Catalyst apps don't use the team ID and we would like to support that use case to communicate between our current cross platform app and the future catalyst app. Having a single code base but different group container IDs per platform means a bunch of extra conditional logic in the project we would rather avoid. So with that context our aim is to have an app group that is named consistently across platforms and meets sandboxing requirements for App Store distribution. However when developing using the non-team prefixed app group name on macOS Sequioa I see the following alert every time I launch the app. I have the App Group listed correctly in the entitlements file and if I change the app group name on macOS from group.com.example to (TEAMID).com.example then it works as expected so I think the rest of the setup is correct. Looking at the Sequoia Beta release notes it states: Specifically, the app must use FileManager to get the app group container path and meet one of the following requirements: the app is deployed through Mac App Store; the app group identifier is prefixed with the app’s Team ID; or the app group identifier is authorised by a provisioning profile embedded within the app. I am using Xcode managed signing and looking at the provisioning profiles I can see that the iOS one includes the app group but the macOS one does not. I assume that if I could somehow get the app group correctly add to the macOS provisioning profile then all would be good. But I am now stuck on how to get the app group added to the macOS provisioning profile. It seems whatever I try Xcode does not want to add it. Presumably this is because it expects you to instead use a team ID prefixed app group which would not need to be added. Is there any magic I can do to make this work with automatic signing? If not then how would I go about setting it up manually and is that the best solution?

Having an issue today where archives on Xcode Cloud are failing at the Code Signing step. The error reported by Xcode Cloud has been one of the 2 following: 502 error from developerservices2.apple.com Unexpected character 'u' (I assume this is in some way related to the HTTP failure above, but please correct me if I'm wrong) Sometimes they even appear together, with the HTTP error as a warning and the unexpected character as the error I assume this is some kind of Xcode Cloud / developer tools outage. I saw another post on the forum from 3 weeks ago that reported the same errors coming from Xcode Cloud. I also saw that there is a "Resolved Outage" with Xcode Cloud from 8/19 (maybe that is related)? Has anyone found a way around this? Any updates on when this will be resolved? It has been happening for us consistently since the first Xcode Cloud archive that we ran today (around 10AM EDT).

I'm trying to install from Xcode (15.4) to my physical device but I get the following error: Failed to install embedded profile for : 0xe800801f (Attempted to install a Beta profile without the proper entitlement.) The project was successfully building previously, but after encountering an issue while implementing Infobip (a 3rd party library for push notifications) where we weren't getting notifications sent from the Infobip dashboard, we had to change Provisioning Profile to one with a production setup for the aps-environment (given that the suggestion from the Infobip support team was to ensure that the provisioning profile and environment match). Note that it was development before. After downloading the new Provisioning Profile onto Xcode, the project fails to build now with the error mentioned above. I don't know what to do now, and I'm stuck.

I am using Xcode Cloud to build my Mac Catalyst app for Developer ID Distribution as a DMG package that must be codesigned and notarized. I have a ci_post_xcodebuild.sh script that runs after the Archive action. This needs to perform the following tasks: Produce a DMG from the provided exported archive located at CI_DEVELOPER_ID_SIGNED_APP_PATH Codesign that DMG using the same certificate identity that Xcode Cloud used when automatic code signing the exported archive using cloud signing. Notarize that code signed dmg with the notary service Generate a Sparkle appcast.xml file Upload the DMG and appcast.xml file to s3 The issue I am having is that I do not have access to the cloud signing keychain identity that Xcode Cloud uses to automatically codesign the exported archive. I check for identities and none are found. Running: security find-identity -v -p codesigning There are no code signing identities available. Make sure you have a "Developer ID (Application)" certificate (with the private key) installed on your Mac with Keychain Access. How can I access the cloud signing identity in this script so I can sign my DMG file before notarizing it? I am currently experimenting with installing my own certificate in the build server keychain and run my own archive + export commands after the Build action completes. This is not ideal. Thanks, Andrew

Recently I noticed that when I build and archive my app with Xcode Cloud, it fails due to code signing issue. But that's weird because I have all development and distribution certificates. Does anyone have any idea how to solve this?

I have a security agent plugin that uses NSXPCConnection to communicate with a launch daemon. This works well, but I want to make sure the launch daemon has not been compromised. I added code to call setCodeSigningRequirement in my module that handles the client side of the NSXPCConnection. However, when used in the security agent plugin, remoteObjectProxyWithErrorHandler reports an error NSCocoaErrorDomain Code=4102 "The code signature requirement failed." If I call my xpc module from a test application, I do not receive an error and everything works as expected. I have tried different code signing requirements. Even with just "anchor apple generic" I still get the error. The console log shows two entries of interest com.apple.SecurityAgentHelper.arm64 default 09:13:29.677567-0500 SecurityAgentHelper-arm64 EOGSecurityServiceClient biometricAuthorization remote proxy error: Error Domain=NSCocoaErrorDomain Code=4102 "The code signature requirement failed." UserInfo={NSDebugDescription=The code signature requirement failed.}

I am in the process of notarizing a dmg file. We are getting some errors in the process. These errors can be retrieved from the notarytool -log option. However, I would like to get the error in a link form like we used to get with altool so that I could share it with my team. Does anyone know how to get a link for the failure log?

I am developing a PCIDriverKit dext, and testing on Sequoia Beta (Version 15.0 Beta, 24A5298h). Both the dext and the "owning" application build on Xcode 16.0 beta 4. I can run the owning application and register the dext. When the OS attempts to load the dext, though, code signing validation errors occur: 2024-07-30 15:54:02.386 Df kernel[0:ae6a] Driver com.company.Dext-Loader.dext has crashed 0 time(s) 2024-07-30 15:54:02.386 Df kernel[0:ae6a] DK: Dext_Loader_Driver-0x100001464 waiting for server com.company.Dext-Loader.dext-100001464 2024-07-30 15:54:02.388 Df kernelmanagerd[112:abb5] Found 1 dexts with bundle identifier com.company.Dext-Loader.dext 2024-07-30 15:54:02.388 Df kernelmanagerd[112:abb5] Using unique id a0cf49ca3ea45f5d54a3e8644e2dde6b0e8666c649c1e9513ca4166919038b53 to pick dext matching bundle identifier com.company.Dext-Loader.dext 2024-07-30 15:54:02.388 Df kernelmanagerd[112:abb5] Picked matching dext for bundle identifier com.company.Dext-Loader.dext: Dext com.company.Dext-Loader.dext v34 in executable dext bundle com.company.Dext-Loader.dext at /Library/SystemExtensions/B1BF8CDC-CB24-4F25-A8CA-D7A60D814861/com.company.Dext-Loader.dext.dext 2024-07-30 15:54:02.389 I kernel[0:ae71] igmp_domifreattach: reattached igmp_ifinfo for ifp XHC 2024-07-30 15:54:02.389 I kernel[0:ae71] mld_domifreattach: reattached mld_ifinfo for ifp XHC2 2024-07-30 15:54:02.389 Df kernelmanagerd[112:abb5] DextRecordTable read from plist: { com.company.Dext-Loader.dext: MRS-> Optional(( path: /Library/SystemExtensions/B1BF8CDC-CB24-4F25-A8CA-D7A60D814861/com.company.Dext-Loader.dext.dext; state: loaded )) history-> [ ( path: /Library/SystemExtensions/B1BF8CDC-CB24-4F25-A8CA-D7A60D814861/com.company.Dext-Loader.dext.dext; state: loaded ) ] } 2024-07-30 15:54:02.389 Df kernelmanagerd[112:abb5] Launching dext com.company.Dext-Loader.dext com.company.Dext-Loader.dext 0x100001464 a0cf49ca3ea45f5d54a3e8644e2dde6b0e8666c649c1e9513ca4166919038b53 2024-07-30 15:54:02.390 I kernelmanagerd[112:abb5] [com.apple.km:DextLaunch] Skipping addBreadcrumbForDextWithIdentifier for <private> 0 2024-07-30 15:54:02.389 Df kernel[0:ae71] ifnet_attach: Waiting for all kernel threads created for interface XHC2 to get scheduled at least once. 2024-07-30 15:54:02.389 Df kernel[0:ae71] ifnet_attach: All kernel threads created for interface XHC2 have been scheduled at least once. Proceeding. 2024-07-30 15:54:02.390 Df kernelmanagerd[112:abb5] Launching driver extension: Dext com.company.Dext-Loader.dext v34 in executable dext bundle com.company.Dext-Loader.dext at /Library/SystemExtensions/B1BF8CDC-CB24-4F25-A8CA-D7A60D814861/com.company.Dext-Loader.dext.dext 2024-07-30 15:54:02.479 E kernel[0:a9fb] (Sandbox) 1 duplicate report for Sandbox: imagent(633) deny(1) mach-lookup com.apple.contactsd.persistence 2024-07-30 15:54:02.479 E kernel[0:a9fb] (Sandbox) Sandbox: taskgated-helper(2985) deny(1) user-preference-read kCFPreferencesAnyApplication 2024-07-30 15:54:02.483 Df kernel[0:ae73] (AppleMobileFileIntegrity) AMFI: code signature validation failed. 2024-07-30 15:54:02.483 Df kernel[0:ae73] (AppleMobileFileIntegrity) AMFI: bailing out because of restricted entitlements. 2024-07-30 15:54:02.483 Df kernel[0:ae73] (AppleMobileFileIntegrity) AMFI: When validating /Library/SystemExtensions/B1BF8CDC-CB24-4F25-A8CA-D7A60D814861/com.company.Dext-Loader.dext.dext/com.company.Dext-Loader.dext: Code has restricted entitlements, but the validation of its code signature failed. Unsatisfied Entitlements: 2024-07-30 15:54:02.483 Df kernel[0:ae73] mac_vnode_check_signature: /Library/SystemExtensions/B1BF8CDC-CB24-4F25-A8CA-D7A60D814861/com.company.Dext-Loader.dext.dext/com.company.Dext-Loader.dext: code signature validation failed fatally: When validating /Library/SystemExtensions/B1BF8CDC-CB24-4F25-A8CA-D7A60D814861/com.company.Dext-Loader.dext.dext/com.company.Dext-Loader.dext: Code has restricted entitlements, but the validation of its code signature failed. Unsatisfied Entitlements: 2024-07-30 15:54:02.483 Df kernel[0:ae73] validation of code signature failed through MACF policy: 1 2024-07-30 15:54:02.483 Df kernel[0:ae73] check_signature[pid: 2984]: error = 1 2024-07-30 15:54:02.483 Df kernel[0:ae73] proc 2984: load code signature error 4 for file "com.company.Dext-Loader.dext" 2024-07-30 15:54:02.485 Df kernelmanagerd[112:abb5] [com.apple.libxpc.OSLaunchdJob:all] <OSLaunchdJob | handle=46B92B57-A90A-4EBD-8EF4-54313C6EE332>: submitAndStart completed, info=spawn failed, error=162: Codesigning issue 2024-07-30 15:54:02.483 Df kernel[0:ae73] (Sandbox) /Library/SystemExtensions/B1BF8CDC-CB24-4F25-A8CA-D7A60D814861/com.company.Dext-Loader.dext.dext/com.company.Dext-Loader.dext[2984] ==> com.apple.dext 2024-07-30 15:54:02.485 E kernelmanagerd[112:abb5] [com.apple.libxpc.OSLaunchdJob:all] <OSLaunchdJob | handle=46B92B57-A90A-4EBD-8EF4-54313C6EE332>: job failed to spawn, plist={ ProcessType => Driver _ManagedBy => com.apple.kernelmanagerd CFBundleIdentifier => com.company.Dext-Loader.dext _JetsamPropertiesIdentifier => com.company.Dext-Loader.dext LimitLoadToSessionType => System _DextCheckInPort => <mach send right: 0xbd486ccc0> { name = 15679, right = send, urefs = 2 } UserName => _driverkit _NullBootstrapPort => true ReslideSharedCache => false LaunchOnlyOnce => true Label => com.company.Dext-Loader.dext-0x100001464 RunAtLoad => true ProgramArguments => [<capacity = 8> 0: /Library/SystemExtensions/B1BF8CDC-CB24-4F25-A8CA-D7A60D814861/com.company.Dext-Loader.dext.dext/com.company.Dext-Loader.dext 1: com.company.Dext-Loader.dext 2: 0x100001464 3: com.company.Dext-Loader.dext ] SandboxProfile => com.apple.dext } The Xcode project uses these signing options: Automatically manage signing Team: Company Provisioning Profile: Xcode Managed Profile Signing Certificate: Apple Development: () The same project, with the same signing options, builds and loads its dext without issues from Xcode 15.3 on Sonoma 14.5. That same dext binary from Xcode 15.3 loads and passes the signature checks on Sequoia, but using Xcode on Sequoia is when the signature validation fails. Can anyone suggest a way to resolve these signature validation errors? (Other than just developing on Sonoma and testing on Sequoia?)

Hi, I am a developer and app manager using a personal account. I am encountering an issue where the automatic signing feature in Xcode is not working, and I receive the error message: "Signing for 'Runner' requires a development team." Additionally, I cannot access the "Certificates, Identifiers & Profiles" section, even though I have already added my account to Xcode. How can I fix this issue? Is it possible to run or upload the app without this signing process?

Hello, I am getting the following error in Xcode Cloud: /Volumes/workspace/repository/macos/Runner.xcodeproj: error: No signing certificate "Mac Development" found: No "Mac Development" signing certificate matching team ID "22649D52Q5" with a private key was found. (in target 'Runner' from project 'Runner') I have automatic signing turned on in Xcode and the program compiles/runs fine in Xcode. Below is my ci_post_clone.sh script #!/bin/sh # Fail this script if any subcommand fails. set -e # The default execution directory of this script is the ci_scripts directory. cd $CI_PRIMARY_REPOSITORY_PATH # change working directory to the root of your cloned (cloud) repo. # Install Flutter using git. git clone https://github.com/flutter/flutter.git --depth 1 -b stable $HOME/flutter export PATH="$PATH:$HOME/flutter/bin" # Install Flutter artifacts for iOS (--ios), or macOS (--macos) platforms. flutter precache --macos # Install Flutter dependencies. flutter pub get # Install CocoaPods using Homebrew. HOMEBREW_NO_AUTO_UPDATE=1 # disable homebrew's automatic updates. brew install cocoapods # Install CocoaPods dependencies. cd macos pod deintegrate pod update cd .. # Install Flutter dependencies. flutter pub get dart run build_runner build -d # flutter build macos flutter build macos --release

When checking that a .dmg file is correctly stapled with the command xcrun stapler validate -v file.dmg I intermittently get errors like Properties are { NSURLIsDirectoryKey = 0; NSURLIsPackageKey = 0; NSURLIsSymbolicLinkKey = 0; NSURLLocalizedTypeDescriptionKey = "Disk Image"; NSURLTypeIdentifierKey = "com.apple.disk-image-udif"; "_NSURLIsApplicationKey" = 0; } Codesign offset 0x1eb82c90 length: 15891 Stored Codesign length: 15891 number of blobs: 5 Total Length: 15891 Found blobs: 5 Props are { cdhash = {length = 20, bytes = 0x07d207070853a23966374ae1b36e921148b3a5f3}; digestAlgorithm = 2; flags = 73728; secureTimestamp = "2024-07-26 06:08:31 +0000"; signingId = "SIGNED-file.dmg... [ Message content over the limit has been removed. ] } Headers: { "Content-Type" = "application/json"; } Response is (null) error is Error Domain=NSURLErrorDomain Code=-1001 "The request timed out." UserInfo={_kCFStreamErrorCodeKey=-2102, NSUnderlyingError=0x6000012b4a80 {Error Domain=kCFErrorDomainCFNetwork Code=-1001 "(null)" UserInfo={_kCFStreamErrorCodeKey=-2102, _kCFStreamErrorDomainKey=4}}, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <82266119-065E-480C-B012-F30B48DB0F44>.<1>, _NSURLErrorRelatedURLSessionTaskErrorKey=( "LocalDataTask <82266119-065E-480C-B012-F30B48DB0F44>.<1>" ), NSLocalizedDescription=The request timed out., NSErrorFailingURLStringKey=https://api.apple-cloudkit.com/database/1/com.apple.gk.ticket-delivery/production/public/records/lookup, NSErrorFailingURLKey=https://api.apple-cloudkit.com/database/1/com.apple.gk.ticket-delivery/production/public/records/lookup, _kCFStreamErrorDomainKey=4} I am not able to pin down the cause of this, could it be rate limiting on the API? Any other thoughts as to the cause? Thanks.

Hi… I’m struggling with Sign in With Apple and the problem is exacerbated by it being in a Qt6 / C++ MacOS app which uses ObjC to do interact with Apple Frameworks. Outsude XCode, of course, because we use QT Creator. I’m pretty sure that I set it up correctly by implementing an @interface CWAppleAuthenticationServiceImpl : NSObject <ASAuthorizationControllerPresentationContextProviding,ASAuthorizationControllerDelegate> - (id)initWithOwner:(MyAppleAuthenticationService *) owner; and all the rest. Code compiles an runs, and when when I call [controller performRequests] the presentationAnchorForAuthorizationController gets called. But nothing visible happens in the app. Instead it jumps right into didCompleteWithError , so I guess I did connect everything correctly – except that it doesn’t work correctly. So I sign the app, providing the entitlements <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.developer.applesignin</key> <array> <string>Default</string> </array> </dict> </plist> Signing and Notarisation works, but when I start the app, it crashes. The entitlesments are part of the app, i checked that with codesign which claims that everything is fine. The crash appears to be the same as described in https://forums.developer.apple.com/forums/thread/698870, i.e. "Error of invalid code signature" . This is backed by me signing it without entitlements, which yields a working and running application, albeit without signIn capabilities. I’m a bit stumped.