General: DevForums tags: Code Signing, Signing Certificates, Provisioning Profiles, Entitlements Developer Account Help — This document is good in general but, in particular, the Reference section is chock-full of useful information, including the names and purposes of all certificate types issued by Apple Developer web site, tables of which capabilities are supported by which distribution models on iOS and macOS, and information on how to use managed capabilities. Developer > Support > Certificates covers some important policy issues Entitlements documentation TN3125 Inside Code Signing: Provisioning Profiles — This includes links to other technotes in the Inside Code Signing series. WWDC 2021 Session 10204 Distribute apps in Xcode with cloud signing Certificate Signing Requests Explained DevForums post --deep Considered Harmful DevForums post Don’t Run App Store Distribution-Signed Code DevForums post Resolving errSecInternalComponent errors during code signing DevForums post Finding a Capability’s Distribution Restrictions DevForums post Signing code with a hardware-based code-signing identity DevForums post Mac code signing: DevForums tag: Developer ID Creating distribution-signed code for macOS documentation Packaging Mac software for distribution documentation Placing Content in a Bundle documentation Embedding Nonstandard Code Structures in a Bundle documentation Embedding a Command-Line Tool in a Sandboxed App documentation Signing a Daemon with a Restricted Entitlement documentation Defining launch environment and library constraints documentation WWDC 2023 Session 10266 Protect your Mac app with environment constraints TN2206 macOS Code Signing In Depth archived technote — This doc has mostly been replaced by the other resources linked to here but it still contains a few unique tidbits and it’s a great historical reference. Manual Code Signing Example DevForums post The Care and Feeding of Developer ID DevForums post TestFlight, Provisioning Profiles, and the Mac App Store DevForums post For problems with notarisation, see Notarisation Resources. For problems with the trusted execution system, including Gatekeeper, see Trusted Execution Resources. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"

I want to use the com.apple.vm.networking entitlement which has a note: This entitlement is restricted to developers of virtualization software. To request this entitlement, contact your Apple representative. https://developer.apple.com/support/technical/ says: « Request entitlements using entitlement forms and ask for status updates in the resulting email thread. » but I haven't been able to find these "entitlement forms". Does anyone know what the right process is to request an entitlement?

We have a DriverKit entitlement for our USB driver. We now wish to use this same driver with a variant of our existing application. Of course this application has its own separate App ID and will be published in the App Store alongside our existing application. Will we need to go back to the well and ask Apple for another entitlement?

Hi After I added iCloud container and iCloud documents my UITests can't run anymore what is this problem and how can I solve it? Thanks!

While reading the developer documentation article Adopting SwiftData for a Core Data App, one particular line piqued my interest. For apps that evolve from a version that doesn’t have any app group container to a version that has one, SwiftData copies the existing store to the app group container. Given how troublesome it has been to migrate the Core Data persistent store to an app group container, I decided to try this out myself. I created an Xcode project using the default Core Data template. I then added a few Item objects with timestamps. There, I had what we would consider a regular Core Data app. I then created a widget extension for this app since this is one of the most common uses for adopting an app group in an Xcode project. After that, I linked the main target with the widget extension using an app group. In the widget extension, I tried to fetch the Item objects. I utilized the SwiftData code in the sample project associated with the article above. struct Provider: TimelineProvider { private let modelContainer: ModelContainer init() { let appGroupContainerID = "group.com.genebogdanovich.CoreDataSwiftDataAppGroup" guard let appGroupContainer = FileManager.default.containerURL(forSecurityApplicationGroupIdentifier: appGroupContainerID) else { fatalError("Shared file container could not be created.") } let url = appGroupContainer.appendingPathComponent("CoreDataSwiftDataAppGroup.sqlite") print("\(url)") do { modelContainer = try ModelContainer(for: Item.self, configurations: ModelConfiguration(url: url)) } catch { fatalError("Failed to create the model container: \(error)") } } } func getTimeline(in context: Context, completion: @escaping (Timeline<Entry>) -> ()) { Task { @MainActor in let fetchDescriptor = FetchDescriptor<Item>() let items: [Item] = try! modelContainer.mainContext.fetch(fetchDescriptor) print(items) let entry = SimpleEntry(date: .now, emoji: "😀", count: items.count) let timeline = Timeline(entries: [entry], policy: .never) completion(timeline) } } The fetch yielded no results. However, as I explored the app group directory in the file system, I found a .sqlite file. That is interesting because SwiftData creates .store files by default. So, I am guessing that SwiftData did copy something. Or the ModelContainer initializer just created another empty SQLite file since the fetch returned zero results. I would highly appreciate someone elaborating on that quote from the documentation.

When creating an AddtoCalendar (ics, google, yahoo, outlook) Safari detects tracking only for outlook.live and outlook.office via the url used to add an event to the online calendar. I would like to inform web users that if this option is activated and they want to add the event to their online outlook calendar, they will need to temporarily deactivate this security feature! Is it possible to detect this option in jsx? Would there be a solution, like requesting authorisation to locate on a website, to allow only this url or this site (outlook.live or outlook.office) for tracking? I'm obviously thinking of something simple for the web user: a button to click.

Hello, i've recently received the entitlements to access the main camera stream for a project on the Apple Vision Pro. What happens : When executing code from this WWDC tutorial , i'm getting this error when trying to use a Camera Frame Provider : ar_camera_frame_provider_t <0x300d58870>: Failed to start camera stream with error: <ar_error_t: 0x303fcc4c0 Error Domain=com.apple.arkit Code=100 "App not authorized." UserInfo={NSLocalizedFailureReason=Using camera frame provider requires an entitlement., NSLocalizedRecoverySuggestion=, NSLocalizedDescription=App not authorized.} What I've tried : I followed the instructions given by mail, by : adding the .license file at the root of my project, adding the .entitlements file by adding capabilities in the project (Main Camera Access & Passthrough in screen capture are there). I've added NSCameraDescription, NSEnterpriseMCAMUsageDescription and NSWorldSensingUsageDescription (they all have a value assigned). I've also followed those post & post advices. When checking on the Account settings, i do see the capabilities in the "additional capabilities" On first launch, I'm also getting prompted to accept the NSEnterpriseMCAMUsageDescription, so I assume the info.plist file is valid? What did i missed to get the entitlements working ? Here's the code : import ARKit import SwiftUI import Vision import RealityKit class MainCameraAccess { var arKitSession = ARKitSession() var cameraFrameProvider = CameraFrameProvider() var pixelBuffer: CVPixelBuffer? func startCameraSession() async { let formats = CameraVideoFormat.supportedVideoFormats(for: .main, cameraPositions: [.left]) // Request authorization await arKitSession.requestAuthorization(for: [.cameraAccess]) // Start the session do { try await arKitSession.run([cameraFrameProvider]) } catch { print("Failed to start ARKit session: \(error)") return } // Get camera frame updates guard let cameraFrameUpdates = cameraFrameProvider.cameraFrameUpdates(for: formats[0]) else { return } // Process frames for await cameraFrame in cameraFrameUpdates { guard let mainCameraSample = cameraFrame.sample(for: .left) else { continue } self.pixelBuffer = mainCameraSample.pixelBuffer } } func saveLatestImage() { guard let pixelBuffer = self.pixelBuffer else { print("No image available to save.") return } // Convert CVPixelBuffer to UIImage let ciImage = CIImage(cvPixelBuffer: pixelBuffer) let context = CIContext() guard let cgImage = context.createCGImage(ciImage, from: ciImage.extent) else { print("Failed to create CGImage.") return } let uiImage = UIImage(cgImage: cgImage) // Save UIImage to Photos Album UIImageWriteToSavedPhotosAlbum(uiImage, nil, nil, nil) print("Image saved to photo library.") } } Thanks in advance for the help, Jeremy

Hi all, For context, the Family Controls entitlement request (for the Personal Device Management category/individual use case) includes the question: Will your app share device or usage data beyond the individual for the individual use case, or Family Sharing for the parent/guardian use case, including through means such as screenshots, screen recordings, or server logging? I'm looking for clarification on how to interpret this. I originally answered Yes and was rejected, then later answered No and was accepted. Ideally, I would like my screen time management app to allow users to opt-in to social features. One simple example is opting into a leaderboard with your friends for who has the lowest screen time. If the user installed this app for themself and chooses to share this basic data with their friends, it sounds like an ethical and unproblematic feature but I suppose storing that data would fall under "server logging"? If anyone has any experience with this, I would appreciate a more explicit description of the requirement above. Is what I described allowed? Thanks for reading!

Hi, we have received an Application via App Transfer recently. I am now trying to generate a provisioning profile for App Store distribution. When we set the checkmark in Capabilities to use "iCloud Key-value storage" we cannot get "automatically manage signing" to work with an error: Provisioning profile "iOS Team Provisioning Profile: com.some.bundle.identifier" doesn't match the entitlements file's value for the com.apple.developer.ubiquity-kvstore-identifier entitlement. When a Provisioning Profile is manually generated via Developer Portal the com.apple.developer.ubiquity-kvstore-identifier entry shows the value of the previous app owner: "OLDTEAM.com.some.bundle.identifier". How can we change the com.apple.developer.ubiquity-kvstore-identifier value in our provisioning profile to get rid of the old team identifier? Help is much appreciated, thank you. FB15898983

I am developing a watchOS app that uses the uses the Fall Detection API. After requesting the entitlement, and receiving the entitlement and adding it to my app, I managed to implement the feature, and run the app on the simulator in Xcode and it works fine. But when I try to distribute the app to TestFlight internal testing, Xcode refuses and shows the following message: "Provisioning profile failed qualification: Profile doesn't support Fall Detection Notifications" and "Provisioning profile failed qualification: Profile doesn't include the com.apple.developer.health.fall-detection entitlement" I am using an Xcode managed provisioning profile, and when I checked the profile from "signing and capabilities", it says that the fall detection capability and the entitlement are included in the profile. When I check my app's capabilities from "Certificates, Identifiers & Profiles" in the apple developer website, it says that the fall detection capability for my app has provisioning support for Ad hoc and Development only, is this the reason why I can't upload my app to TestFlight, or am I missing something? If it is the reason, then is there a way to change the provisioning support so that I can distribute the app? Thanks in advance

We applied for Location Push Entitlement on June. It has been several months since then but we still got not any results (either passed or rejected). Can anyone tell us what's going on?

Are Administrators able to request a system extension via https://developer.apple.com/contact/request/system-extension/ or are Account Holders the only ones who can?

Hello, there are popular USB GPS receivers from GlobalSat called BU-353N5. It's shipped with driver application and works well. Once connected GPS receiver is visible as a /dev/tty.PL2303G-USBtoUART120 and produces NMEA codes there. I'm a developer of an offline maps application which is available for iOS and macOS using Mac Catalyst. Is it possible to connect to the /dev/tty* from mac catalyst app? Is there an entitlement for that? There are also driver sources available to work directly with USB device based on Prolific 2303, but before I'll try to integrate driver into the app I wan't to be sure there is no way to use an existing one.

Hello I have a problem with provisionprofile file. I have created Identifier with Sign in with Apple capability turned on, created Profile with Developer ID selected and now I try to export archive with generated Developer ID provision file but it says "Profile doesn't support Sign in with Apple" Also interesting thing that default provisions like macOS App Development Mac App Store Connect don't show such error when I try to export archive Maybe this problem is only related to Developer ID provision and Direct Distribution doesn't support Sign in with Apple, but I havent found proves about this idea

Is it correct to codesign dylib/framewoks with entitlements? My understanding is that only executables need to have the entitlement and the dylibs loaded in that process will automatically inherit those entitlements. However, I am seeing a lot of scripts on the internet that are signing dylibs as well with entitlements. For eg - # sign *.dylibs find "$APP_BUNDLE" -type f -name "*.dylib" -exec codesign --deep --force --verify --verbose --timestamp --options runtime --entitlements "$ENTITLEMENTS_FILE" --sign "$SIGNING_IDENTITY" {} \; Is this even allowed? I know of at least one app that has passed notarization checks as well. If allowed, can a dylib have more entitlements than the process that loaded it?

I am working on a personal use app, to transcribe audio files. I have over 1000 Voice Memos of ideas for a dog training app and book, recorded while... walking dogs, of course. I seem to not have the built in transcription option, either because Sonoma doesn't support it or my region doesn't, but I have learned a lot of Swift building an app that works great fort files in a folder in Documents. I have also found the path to to all the Voice Memo recordings. But when I try to read the contents of the folder to build the queue for transcription I get The file “Recordings” couldn’t be opened because you don’t have permission to view it. I expected this to be locked down, and some searching brought me to this and I have added Access User Selected Files (Read Only) = YES to the entitlements file, but I am not seeing where in the TARGETS editor I would assign com.apple.security.files.user-selected.read-only. If I add it as a key under info I don't get a popup to select, either in Xcode or when running the app. If I try to add that key to the entitlements file it doesn't allow for selection either. I am sure I am just missing something in the documentation, likely as a result of being an Xcode &amp; Swift noob. So, if I CAN do this and I am just missing something, can someone point the way? And if a folder inside another app is just verboten, manually copying those files to a documents folder for processing won't be the end of the world.

Hi there, I have a Multiplatform app with just one app target with an iPhone, iPad and Мас Destination. On the Mac my app is a developer singed App that is being distributed outside of the Mac App Store. I want to use App Groups, but as long as there are multiple destinations, Xcode only allows Group Identifiers starting with group.. However, for macOS I need to have a group ID that starts with the TeamID as explained here. So I created two separate entitlements, which are identical, but with different group IDs: With Automatic Code Signing enabled, I get this warning: Xcode still seems thinks it has to use the macOS Group ID for the iOS version. In the App Groups section, the mac Group ID is red and the iOS Group ID is not checked. The app builds and runs without issues on all platforms. The App Store Connect validation (for the iOS version) also works without any errors. Am I doing something wrong? Do I need a separate Mac target because Xcode does not support separate Group IDs for Multiplatform apps?

Hi everyone. Can anyone who has had experience tell me how long it takes to get a response to the approval to use critical alerts? Thanks.

Since this file is protected by SIP, it can't just be changed by an installer/app without prompting the user. If the user chooses to deny the request, the sudo file won't be updated with a security critical pam module. I need to insert our custom pam module into /etc/pam.d/sudo without the user being able to deny the operation.

Hello, I have an application which uses a helper[1] to download[2] files. When files download is a DMG and user mounts the image to run the application from this DMG it doesn't pass Gatekeeper. It presents the "Application XYZ.app can't be opened.". Same file downloaded via Safari shows a different dialog, the "XYZ.app is an app downloaded from the internet. Are you sure you want to open it?" In the system log I see this line: exec of /Volumes/SampleApp/SampleApp.app/Contents/MacOS/SampleApp denied since it was quarantined by Download\x20Helper and created without user consent, qtn-flags was 0x00000187 The application is running sandboxed and hardened, the main application has com.apple.security.files.downloads.read-write entitlement. Everything is signed by DeveloperID and passes all checks[3]. I tried to check the responsible process[4] of the helper. Then trivial stuff like download folder access in System Settings/Privacy & Security/Files & Folders. Everything seems to be fine. For what it worths the value of quarantine attribute is following: com.apple.quarantine: 0087;6723b80e;My App; The Safari downloaded one posses: com.apple.quarantine: 0083;6723b9fa;Safari;02162070-2561-42BE-B30B-19A0E94FE7CA Also tried a few more ways and got to 0081 with Edge and 0082 with a sample app with similar setup. Not sure if that has any meaning. What could I be doing wrong that Gatekeeper right away refuses to run the application from DMG instead of showing the dialog like in other cases? [1] The executable is in application bundle located in Contents/Helpers/DownloadHelper.app in the main application bundle. [2] Nothing fancy, curl + regular POSIX file operations [3] codesign, syspolicy_check, spctl [4] launchctl procinfo pid

Hello everyone, We develop an app called Unite (bundle ID: com.BZG.Unite), which allows users to create standalone macOS applications from websites. These user-generated apps are based on a backend browser template called DefaultApp (bundle ID: com.bzg.default.app). Here's how our setup works: Unite and DefaultApp: Both are signed with our Developer ID and include necessary provisioning profiles and entitlements. User-Created Apps: When a user creates an app with Unite, it generates a customized version of DefaultApp with the user's chosen name and settings. These apps are ad-hoc signed upon creation to reflect their unique identity. Issue Since updating to macOS 15, every time a user launches a created app, they encounter a persistent prompt asking for permission to access files outside the app's container. Granting full disk access in System Preferences suppresses the prompt, but this is not a practical solution for end-users. Upon launching a user-created app (e.g., "ExampleTest"), the following prompt appears: This prompt appears on every launch of the app. Steps to Reproduce On a Mac running macOS 15, create a new app using Unite (e.g., "ExampleTest"). Launch the newly created app. Observe the prompt requesting access to files outside the app's container. Close and relaunch the app; the prompt appears again. What We Have Tried Given that our apps use an app group (group.BZG.unite.sharedData) to share data between Unite, DefaultApp, and user-created apps, we believe this is triggering the prompt due to changes in System Integrity Protection (SIP) in macOS 15. We are further confident given that if the user does not allow access, the app does launch, but shows an error indicating that the created app was unable to access the data that is typically in the shared group. Here’s a summary of our troubleshooting efforts: 1. Adjusting App Group Configuration Ensured the app group name aligns with Apple's guidelines, including prefixing with the Team ID (teamid.group.BZG.unite.sharedData). Verified that the app group is correctly declared in the com.apple.security.application-groups entitlement. 2. Provisioning Profile Creation Generated provisioning profiles via Xcode and the Developer Console, ensuring the app group entitlement is included. Applied the provisioning profile to the user-created app during code signing. Despite these efforts, the issue continues. 3. Entitlements and Code Signing Created an entitlements file for the user-created app, mirroring the entitlements from DefaultApp, including: <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.application-identifier</key> <string>id.com.BZG.ExampleTest</string> <key>com.apple.developer.team-identifier</key> <string>id</string> <key>com.apple.security.application-groups</key> <array> <string>id.group.BZG.unite.sharedData</string> </array> <key>com.apple.security.app-sandbox</key> <true/> </dict> </plist> Signed the user-created app with our Developer ID and the provisioning profile Verified the entitlements 4. Reviewing System Logs Observed error messages indicating unsatisfied entitlements: message: com.BZG.ExampleTest: Unsatisfied entitlements: com.apple.security.application-groups **5. Consulting Documentation and WWDC Sessions ** Referenced post on App Groups in macOS vs iOS. Reviewed the macOS 15 Release Notes regarding SIP and app group container protection. Watched WWDC 2024 Session 10123: What's new in privacy, starting at 12:23. Questions Is there a way to authorize the com.apple.security.application-groups entitlement in the provisioning profile for ad-hoc signed apps? Given the SIP changes in macOS 15, how can we enable our ad-hoc signed, user-generated apps to access the app group container without triggering the persistent prompt? Are there alternative approaches to sharing data between the main app and user-generated apps that comply with macOS 15's SIP requirements? Is there anything to try that we're missing here to solve this? Any guidance on how to resolve this issue or workarounds to allow app group access without triggering the prompt would be greatly appreciated. Thank you for your assistance!