Hi, I am currently trying to install and run a watchOS App I developed in Xcode on an Apple watch series 9. I would like to add the Apple watch as a registered device to a developer account. I need to provide the device name and the device ID or UDID to register the Apple watch. I am not sure how I can get the UDID for the Apple watch. I would appreciate your help with information on how I can get the UDID for the Apple watch and if the watch needs to be registered with a developer account for installing and running a watchOS app from Xcode on the Apple watch. Thank you.

I’m working on a launch daemon. I’m in the process of adding setCodeSigningRequirement to both sides of the connection, starting with the XPC service. I’ve already made it so that the service calls setCodeSigningRequirement on a new connection passed to the listener method of NSXPCListenerDelegate. It works and the connection does get invalidated. The launch daemon logs stdout and stderr to a file already. So I figured that if a connection gets invalidated because of a code signing failure, it’d be nice to NSLog this to make it easier for users to debug what’s going on, without forcing them to use Console.app. The docs for setCodeSigningRequirement include an example of how to capture this error on the client side, when the client calls that method. What I cannot figure out is how to capture this error on the side of the XPC service. I could use setInvalidationHandler, but the problem with it is that a connection can be invalidated for a myriad of reasons and the handler doesn’t know what happened. Is there perhaps an equivalent of remoteObjectProxyWithErrorHandler but for the service side of the connection?

Is CertificateSigningRequest.certSigningRequest needed by Transporter for a very plain Mac application like the default Xcode Application App (from new Project) ?

I've successfully uploaded my macos app to tesflight (it's a game based on Unreal Engine5). It has passed all checks and is now in testflight, but when i launch it it says "The application can't be opened. -10673" And pops up another windown : "The beta app, , is no longer available. The provisioning profile is invalid" The provisioning profile doesn't specify OS versions - it's signed with distribution and installation certificates for AppStore. What would cause this? How can I fix this? MacOS version 14.5

Hello all I am hoping I can get some assistance on an expired certificate. I received an email from Apple saying that my distribution certificate was expiring and that I needed to generate a new certificate. I did try and reach out to support but they suggested that I post my question here! Firstly, I am not sure what type of certificate I need? S e condly, I do not have an apple Mac. I do all my activiies on App Store Connect on my Windows PC so I dont have the abililty to generate a CSR file? Thirdly, I have always been on my windows PC so I would never have been able to use a "mac" to generate my previous certicate. Lasty, do I even need a new certificate? I regulary publish updates to my existing apps but have no plans to produce any new ones. I look forward to your reply. Regards Joanne Cooper

I am using a provisioning profile with a wildcard app identifier. When I click "Distribute App" in Xcode, I encounter the following errors: "Automatic signing cannot register bundle identifier" "No profiles for were found."

Asset validation failed (90034) Missing or invalid signature. The bundle 'uk.companyname.app' at bundle path 'Payload/Runner.app' is not signed using an Apple submission certificate.

Due to changes in macOS 15 Sequoia with respect to container privacy/privileges, I have observed warnings with one of my apps (non-sandboxed) when its subsidiary crash reporter process tries to access the host app's data folder. I THINK I've worked around this issue by granting the crash reporter and the host app access to the same application group. I'm not 100% sure how all this works except that the problem went away :) The problem is, once the problem goes away on a given system, it goes away for good! Even with subsequent attempts to open a version of the app before the fix was in place, the system warning is not presented. I've tried to reset SystemPolicyAppBundles on the app via tccutil, but it makes no difference. Using the wisdom from one of Quinn's posts (https://developer.apple.com/forums/thread/706442) I set up a log stream invocation to try to gather clues, and I notice that when I launch my app now, I see messages like: Found provenance data on process: TA(82542d1beaf132a6, 2), 51084 Process was already in provenance sandbox, skipping: 51084, TA(82542d1beaf132a6, 2) I suspect this "provenance" may reflect the change in how the system treats my application. First: I wonder if it's a bug that any change in "provenance" should retroactively apply to versions of the app before the change was made. Second, I wonder if there's some way to RESET this provenance so that I can reproduce the bug again? I might be able to reproduce it by changing the bundle ID for the app but for purposes of testing against existing, shipped versions of the app, I'd love to be able to reset things for sanity-checking.

I need signingkey, signingkeyId, TeamIdentifier and BundleIdentifier for a project (aws sns) but i want to have these in free apple developer account how can i do this, any help will be appreciated

when I trying to run my App in mac or iPhone, Xcode alert "Revoke certificate", and when I click "Revoke Certificate", it begin loading ,then become"Certificate installation failed". and if I click try again, it become "Revoke certificate" again, how to I resolve this problem.

Hello, Do Apple root certificates AppleRootCA-G2.cer and AppleRootCA-G3.cer expire? if yes, in how long? thanks in advance.

I have two MAUI Mac Catalyst apps. According to this guide https://learn.microsoft.com/en-us/dotnet/maui/mac-catalyst/deployment/publish-outside-app-store?view=net-maui-8.0#publish-using-the-command-line I created certificates, signed Release versions of applications, packed them with pkgbuild and productbuild which I also signed with created certificate They are both signed with same Code Signing key, have same team id. I had set up NSUpdateSecurityPolicy https://developer.apple.com/documentation/bundleresources/information_property_list/nsupdatesecuritypolicy like this: Using codesign -dv I cheked that updater, old and new versions of app share same Team Id and have correct bundle identifiers After update, updater wants to overwrite old app contents, but it always receives UnathorizedAccessException when touching any file located in application If my updater app has "App Managment" or "Full disk access" permission in System settings, everything works fine, but user needs to set up it manualy, that is not comfortable, so how can I request this permission? Also according to what I know, application don't need this permission if it's Team ID set up in NSUpdateSecurityPolicy Maybe I incorrectly set up NSUpdateSecurityPolicy, but I can't notice anything wrong. Also, can it be because I overwrite application using MAUI and C#? Thanks a lot for any answer!

Hi, If anyone can please advise -- If signing a framework inside a XCFramework is recommended/mandatory?

I'm trying to install from Xcode (15.4) to my physical device (iPhone SE 3rd gen, iOS 17.5.1) but I get the following error. My provisioning profile is from a 3rd party organization, but I have confirmed my device UUID is added to their account and that the profile does contain the beta-reports-active flag. I have also checked that this is added to the entitlements file. It works fine it I deploy and install via TestFlight, but for obvious reasons I would prefer not to have to do that for each and every build. Can anyone suggest how to resolve this, either with local config or by asking the account admin to modify the provisioning profiles? Unable to Install “[redacted]” Domain: IXUserPresentableErrorDomain Code: 14 Recovery Suggestion: Failed to install embedded profile for [redacted] : 0xe800801f (Attempted to install a Beta profile without the proper entitlement.) User Info: { DVTErrorCreationDateKey = "2024-07-03 12:47:34 +0000"; IDERunOperationFailingWorker = IDEInstallCoreDeviceWorker; } -- Unable to Install “[redacted]” Domain: IXUserPresentableErrorDomain Code: 14 Recovery Suggestion: Failed to install embedded profile for [redacted] : 0xe800801f (Attempted to install a Beta profile without the proper entitlement.) User Info: { IDERunOperationFailingWorker = IDEInstallCoreDeviceWorker; } -- Failed to install the app on the device. Domain: com.apple.dt.CoreDeviceError Code: 3002 User Info: { NSURL = "file:///Users/dan/Library/Developer/Xcode/DerivedData/iosApp-gxsprezneuyftnhbmfyfssbeojgd/Build/Products/Debug%20development-iphoneos/[redacted].app/"; } -- Unable to Install “[redacted]” Domain: IXUserPresentableErrorDomain Code: 14 Failure Reason: This app cannot be installed because its integrity could not be verified. Recovery Suggestion: Failed to install embedded profile for [redacted] : 0xe800801f (Attempted to install a Beta profile without the proper entitlement.) -- Failed to install embedded profile for [redacted] : 0xe800801f (Attempted to install a Beta profile without the proper entitlement.) Domain: MIInstallerErrorDomain Code: 13 User Info: { FunctionName = "-[MIInstallableBundle _installEmbeddedProfilesWithError:]"; LegacyErrorString = ApplicationVerificationFailed; LibMISErrorNumber = "-402620385"; SourceFileLine = 308; } -- Event Metadata: com.apple.dt.IDERunOperationWorkerFinished : { "device_isCoreDevice" = 1; "device_model" = "iPhone14,6"; "device_osBuild" = "17.5.1 (21F90)"; "device_platform" = "com.apple.platform.iphoneos"; "dvt_coredevice_version" = "355.28"; "dvt_mobiledevice_version" = "1643.100.60"; "launchSession_schemeCommand" = Run; "launchSession_state" = 1; "launchSession_targetArch" = arm64; "operation_duration_ms" = 3497; "operation_errorCode" = 14; "operation_errorDomain" = IXUserPresentableErrorDomain; "operation_errorWorker" = IDEInstallCoreDeviceWorker; "operation_name" = IDERunOperationWorkerGroup; "param_debugger_attachToExtensions" = 0; "param_debugger_attachToXPC" = 1; "param_debugger_type" = 3; "param_destination_isProxy" = 0; "param_destination_platform" = "com.apple.platform.iphoneos"; "param_diag_MainThreadChecker_stopOnIssue" = 0; "param_diag_MallocStackLogging_enableDuringAttach" = 0; "param_diag_MallocStackLogging_enableForXPC" = 1; "param_diag_allowLocationSimulation" = 1; "param_diag_checker_tpc_enable" = 1; "param_diag_gpu_frameCapture_enable" = 0; "param_diag_gpu_shaderValidation_enable" = 0; "param_diag_gpu_validation_enable" = 0; "param_diag_memoryGraphOnResourceException" = 0; "param_diag_queueDebugging_enable" = 1; "param_diag_runtimeProfile_generate" = 0; "param_diag_sanitizer_asan_enable" = 0; "param_diag_sanitizer_tsan_enable" = 0; "param_diag_sanitizer_tsan_stopOnIssue" = 0; "param_diag_sanitizer_ubsan_stopOnIssue" = 0; "param_diag_showNonLocalizedStrings" = 0; "param_diag_viewDebugging_enabled" = 1; "param_diag_viewDebugging_insertDylibOnLaunch" = 1; "param_install_style" = 0; "param_launcher_UID" = 2; "param_launcher_allowDeviceSensorReplayData" = 0; "param_launcher_kind" = 0; "param_launcher_style" = 99; "param_launcher_substyle" = 8192; "param_runnable_appExtensionHostRunMode" = 0; "param_runnable_productType" = "com.apple.product-type.application"; "param_structuredConsoleMode" = 1; "param_testing_launchedForTesting" = 0; "param_testing_suppressSimulatorApp" = 0; "param_testing_usingCLI" = 0; "sdk_canonicalName" = "iphoneos17.5"; "sdk_osVersion" = "17.5"; "sdk_variant" = iphoneos; } -- System Information macOS Version 14.3 (Build 23D56) Xcode 15.4 (22622) (Build 15F31d) Timestamp: 2024-07-03T13:47:34+01:00

I am working with a compiler that produces native binaries, It's really meant for servers so it's not integrated with Xcode or the Xcode build system. As such the output binaries get the default ad-hoc signatures the linker makes. After (re)compiling such a binary, there is a delay whilst running it. This is because macOS notices it's an unknown binary and goes off to ask notarization servers/Xprotect if it's known malware. Fine, I understand the need for this and why it happens. From the logs it's clear that macOS is now tracking the "provenance" of binaries. This means where they came from. This raises the question of whether it could know that my local dev binaries are coming from this compiler, if it was in turn properly signed and notarized. And if so, whether there is some security policy I could set to say "if binary X produces binary Y, then trust Y". Yes I know this would be a security exploit if it were done that way by default, but I am willing to take the risk of special malware that compiles itself first using this special compiler that isn't installed by default then runs the output, as presumably any such malware would be so targeted Xprotect/notarization wouldn't know about it anyway. The provenance mechanism is some internal security thing and isn't documented, but I'm curious if anyone knows more about it and whether it's usable for this? Or alternatively if there's a way to stop macOS doing these slow checks for certain binaries e.g. under specific paths?

I have signed and notarized a single executable file command line tool developed outside Xcode, and distributed outside of the App store by way of a download from a website as follows below, but nevertheless gatekeeper blocks running the tool with the usual message, just like without signing or notarization. If I remove the com.apple.quarantine xattr, the tool runs as it should without gatekeeper interference, as expected. I have browsed countless posts here, with similar issues, but in the end I can't find what's wrong with the process. From what I gather, as long as the target Mac is connected to the Internet, stapling should not be required (I do understand I can't staple a single file executable command line tool), although Gatekeeper would be expected to complain in the case of the first run being done without Internet connection. The certificate is a "Developer Id Application" certificate, installed and valid on the machine doing the signing. It is unclear to me what the distinction is between "Developer Id Application" and "Developer Id Installer" certificates, but it's confusing that using -t install with spctl will actually accept the app. The app is open source and available on GitHub (although the full distribution packaging is done in a separate build environment with some additional logic). The app used below as the target for signing and notarization is available to download from https://www.axantum.com/ in a .tar.gz archive. Here follows a log of commands and output: XecretsCli.plist: (This was necessary to add to the signing to avoid corruption of the executable by the code signing) codesign -s GCXRMT5SQC -f --timestamp -s 0CF6800E595AA6DE9EBB905066619A9BFDD17A77 --entitlements XecretsCli.plist -o runtime XecretsCli codesign -d -vvv --entitlements :- XecretsCli Executable=/Users/svante/Downloads/XecretsCli-Osx-2.3.567 3/XecretsCli Identifier=XecretsCli Format=Mach-O thin (x86_64) CodeDirectory v=20500 size=271478 flags=0x10000(runtime) hashes=8473+7 location=embedded Hash type=sha256 size=32 CandidateCDHash sha256=d3a8216fcb22b4a4af7bd0157ecc3d2b6be9f9b2 CandidateCDHashFull sha256=d3a8216fcb22b4a4af7bd0157ecc3d2b6be9f9b20c9e3c17e107f08c7ae75c5a Hash choices=sha256 CMSDigest=d3a8216fcb22b4a4af7bd0157ecc3d2b6be9f9b20c9e3c17e107f08c7ae75c5a CMSDigestType=2 CDHash=d3a8216fcb22b4a4af7bd0157ecc3d2b6be9f9b2 Signature size=8987 Authority=Developer ID Application: Axantum Software AB (GCXRMT5SQC) Authority=Developer ID Certification Authority Authority=Apple Root CA Timestamp=Jun 20, 2024 at 13:26:05 Info.plist=not bound TeamIdentifier=GCXRMT5SQC Runtime Version=13.1.0 Sealed Resources=none Internal requirements count=1 size=172 Warning: Specifying ':' in the path is deprecated and will not work in a future release codesign -v -vvv --strict --deep XecretsCli XecretsCli: valid on disk XecretsCli: satisfies its Designated Requirement zip XecretsCli.zip XecretsCli adding: XecretsCli (deflated 63%) xcrun notarytool submit "XecretsCli.zip" --keychain-profile "Notarize" --wait Conducting pre-submission checks for XecretsCli.zip and initiating connection to the Apple notary service... Submission ID received id: e5990902-3101-42de-a1a6-b9ea40b944b8 Upload progress: 100.00% (12.4 MB of 12.4 MB) Successfully uploaded file id: e5990902-3101-42de-a1a6-b9ea40b944b8 path: /Users/svante/Downloads/XecretsCli-Osx-2.3.567 3/XecretsCli.zip Waiting for processing to complete. Current status: Accepted........ Processing complete id: e5990902-3101-42de-a1a6-b9ea40b944b8 status: Accepted spctl -a -vvv XecretsCli XecretsCli: rejected (the code is valid but does not seem to be an app) origin=Developer ID Application: Axantum Software AB (GCXRMT5SQC) spctl -a -vvv -t install XecretsCli XecretsCli: accepted source=Notarized Developer ID origin=Developer ID Application: Axantum Software AB (GCXRMT5SQC) Trying to run the executable: "XecretsCli" can't be opened because the identity of the developer cannot be confirmed. Your security preferences allow installation of only apps from the App Store and identified developers. Chrome downloaded this file today at 10:37. OK

Hello, I use setCodeSigningRequirement: in sandboxed XPCService and it seems that no matter what I always get errSecCSNoSuchCode[1] when the app is signed with development certificate. The same application signed with DeveloperID is fine. I use following CSR for development signed builds. identifier com.example.app and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.1] exists and certificate leaf[field.1.2.840.113635.100.6.1.12] exists But also tried to simplify to identifier com.example.app or just true. If I validated the CSR with codesign -R I get "explicit requirement satisfied". I spotted this log line: Sandbox: com.example.app(67058) deny(1) file-read-data /Users/(...)/example-app/build/arm64-mac/src/mac/app/Debug/Example App.app/Contents/MacOS/ExampleApp So I disabled the sandbox for XPCService and now everything works. But then why the DeveloperID signed build works with XPCService sandboxed? ...or does it really? :) Just for completeness the CSR which I use in production build are: identifier com.example.app and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists and certificate leaf[subject.OU] = EXAMPLE

I was developing an electron based app, and I want to embed a system extension in it, everything works fine with SIP disabled. But for normal cases, I found out: Notarization require hardened runtime enabled. The container is an electron based app, which has JIT related feature, so it requires hardened runtime relaxation entitlements (some exception) But System extension disallow these entitlements, this error message is captured from the log system: Hardened Runtime relaxation entitlements disallowed on System Extensions So does this mean we can't embed a system extension in an Electron-based app?

Hello,I have released macOS version of my game before iOS Version, after releasing macOS version, cannot run & debug my game on Xcode getting error ; Provisioning profile "iOS Team Provisioning Profile: com.codepad.motorush" doesn't include the com.apple.application-identifier entitlement. please take a look to screenshot view.

Hi, I want to resign my app with a different certificate. Is it possible to keep the entitlements (including com.apple.application-identifier)? I want to resign the whole app including the plugins and frameworks, but I saw --deep was considered harmful. Sorry, I'm a bit confused. Any help would be appreciated.