Entitlements

Entitlements allow specific capabilities or security permissions for your apps.

Posts under Entitlements tag

200 Posts

Post | Replies | Boosts | Views | Activity

CloudKit: Application has malformed entitlements
Hey, For some reason I see crashes for my iOS app related to CloudKit entitlements. The crash happens on start up and it says: "CKException - Application has malformed entitlements. Found value "*" for entitlement com.apple.developer.icloud-services, expected an array of strings" I have checked my entitlements of the same build on App Store Connect and it shows "com.apple.developer.icloud-services: ( "CloudKit" )" So I am not sure why users are having this issue. I haven't been able to reproduce it. Does anyone have any idea why this is happening? Thanks
5
0
706
Jan ’25
Business apps with enterprise APIs for visionOS - Can't distribute through Test Flight but can deploy from Xcode
Hello, I am trying to distribute an app that is using the Enterprise entitlements for Vision OS. It is failing to upload to Test Flight because it says I have not the entitlements for the provisioning. This does not happen when deployed directly from Xcode. I can deploy to the headset and ha Is there anything I can do about it ? Part of the log below: 2025-01-10 17:02:06 +0000 Provisioning profile "iOS Team Store Provisioning Profile: com.appmr2.3d-Playbook" failed qualification checks: Profile doesn't support Main Camera Access and Passthrough in Screen Capture. Profile doesn't include the com.apple.developer.arkit.main-camera-access.allow and com.apple.developer.screen-capture.include-passthrough entitlements. 2025-01-10 17:02:06 +0000 2025-01-10 17:02:06 +0000 IDEProvisioningRepair(3d-Playbook.app): 2025-01-10 17:02:06 +0000 IDEProvisioningRepair(3d-Playbook.app): Using account <DVTAppleIDBasedDeveloperAccount: 0x600003cba400; username=''> for repair Thanks, Andres
1
0
420
Jan ’25
Invalid 'com.apple.application-identifier' entitlement value.
I have the same problem as this question: https://developer.apple.com/forums/thread/757605 "That indicates you’re using a unique App ID prefix. This is a legacy feature that’s not supported on macOS." Mine is a macOS App distributed in 2021, that now needs an update. It has always been under Xcode automatically managed signing with a Team. (Still have the project files from 2021: automatic) Now validating a new version gives me that error : Invalid Provisioning Profile. The provisioning profile included in the bundle com.*** [***.pkg/Payload/***.app] is invalid. [Invalid 'com.apple.application-identifier' entitlement value.] For more information, visit the macOS Developer Portal. (ID: ***) And even re-validating the old archive from 2021 gives me this error. I have looked at my Apple Id's on "Certificates, Identifiers & Profiles", and I can indeed see that this app has an "App ID Prefix" that is not my Team, but something I don't recognise. I can not make a new App ID Configuration for the bundle id I have been using: "An App ID with Identifier 'com..appname' is not available. Please enter a different string." Removing the existing App ID Config does not work either: The App ID '.com..' appears to be in use by the App Store, so it can not be removed at this time. So, I'm a bit stuck. (Help!)
0
0
406
Jan ’25
The file “Desktop” couldn’t be opened.
Hey everyone! In one of my macOS projects I am trying to fetch the files and folders available in the "Desktop" and "Document" folders and show them in a collection view inside my project, but when I try to fetch the files and folders of Desktop and Document, I am not able to fetch them. But if I try it by setting the entitlements to False, I am able to fetch them. If anyone has faced a similar issue, or has an alternative, please suggest it. NOTE: I have tried implementing it using NSOpenPanel and it works, but it lowers the user experience.
0
0
343
Jan ’25
UnityCloudBuild: Codesigned with Sandbox enabled, but still get ITMS-90296: App sandbox not enabled
I've made a macOS app with Unity Cloud Build and I want to sign and distribute it using App Store Connect. I download the compiled .app file and use codesign to sign all the appropriate files. I also use an entitlements file when I sign the runtime binary. I used the command codesign -d --entitlements on the resulting .app file to confirm that com.apple.security.app-sandbox is set to true, which it is. But when I use productbuild to create the .pkg file and upload it using Transporter, I get an e-mail from App Store Connect saying that "ITMS-90296: App sandbox not enabled" I don't know how to further debug this... Does anyone have any pointers on how to fix this? Note: it has to be doable either via the Unity Editor, Unity Build Cloud or the macOS CLI... Codesign showing that app-sandbox is enabled: The error from App Store Connect:
0
0
181
Jan ’25
Disappearing External link account entitlement
I've got a Flutter app that is a “reader” app. The External Link Account Entitlement has already been requested and granted. It is already added as an Additional Capability to the App ID. The com.apple.developer.storekit.external-link.account entitlement is already present in the .entitlements file. Also SKExternalLinkAccount key is added to the Info.plist file with the correct URL. ExternalLinkAccount.open() is invoked via a MethodChannel call handler and things work perfectly in debug mode. The modal appears as expected and opens the link in the external browser. Xcode archive is also successful and the entitlement seems to be in place when inspecting the app with: codesign -d --entitlements :- ./path/to/app But when trying to distribute the app via Xcode the entitlement disappears. Other entitlements are not affected by this issue, eg.: com.apple.developer.associated-domains for universal links. This happens with automatically managed signing and a manually selected provisioning profile as well. When inspecting the latter in Xcode the necessary capability and entitlement is included. But when distributing to App Store Connect the entitlement disappears with both recommended and custom settings. I ran flutter clean multiple times. What am I missing here?
3
1
546
Jan ’25
Apple Events won't trigger Privacy & Security alerts due to Sandboxing
I created an app in Xcode using ApplescriptObjC that is supposed to communicate with Finder and Adobe Illustrator. It has been working for the last 8 years, until now I have updated it for Sonoma and it no longer triggers the alerts for the user to approve the communication. It sends the Apple Events, but instead of the alert dialog I get this error in Console: "Sandboxed application with pid 15728 attempted to lookup App: "Finder"/"finder"/"com.apple.finder" 654/0x0:0x1d01d MACSstill-hintable sess=100017 but was denied due to sandboxing." The Illustrator error is predictably similar. I added this to the app.entitlements file: <key>com.apple.security.automation.apple-events</key> <array> <string>com.apple.finder</string> <string>com.adobe.illustrator</string> </array> I added this to Info.plist: <key>NSAppleEventsUsageDescription</key> <string>This app requires access to Finder and Adobe Illustrator for automation.</string> I built the app, signed with the correct Developer ID Application Certificate. I've also packaged it into a signed DMG and installed it, with the same result as running it from Xcode. I tried stripping it down to just the lines of code that communicate with Finder and Illustrator, and built it with a different bundle identifier with the same result. What am I missing?
3
0
430
Jan ’25
Sandboxing of Application
I am in need of assistance with sandboxing the riot games client and game league of legends. I originally played on a vm from linux but after the change to the incredibly intrusive rootkit malware vanguard, I cannot play from a vm, or at least it would be difficult. If this route of containerizing it on mac proves to be more difficult (which wouldn't make sense) then I will go back to spoofing a vm to not look like a vm. This is even more infuriating because I almost exclusively play Team Fight Tactics in which there is zero cheating and cheating would give a player zero advantage. I decided I would try the Mac version of the game but apple does not sandbox applications at all like flatpak and flatseal from linux. The game has access to my entire system and can read and write to my home directory. This is a massive security risk. I originally tried checking the system settings privacy and security section but the application was not listed anywhere nor was it given access on any of the sections listed. I checked both user local and global tcc.dbs and neither had records that gave the game or client any privileges. This was concerning because tcc.db appears to be the only user facing way of managing permissions that you would think would be a bare minimum baseline and yet the game and client have full access to my system and those permissions are listed nowhere and are given nowhere. I.e. the default is just to let it do as it pleases even though it's a game where the only thing it needs is to render to the screen. MacOS should properly fix this and implement proper sandboxing of applications like flatpak. I then began building a configuration scheme for sandbox-exec seeing as it was the last opportunity to correctly contain the application to only have the permissions it needs. I carefully crafted the config but it fails just as simply allowing all with allow default...
(version 1) (allow default) I run the application with the following command: sandbox-exec -f ~/config.sb "/Users/Shared/Riot Games/Riot Client.app/Contents/MacOS/RiotClientServices" Below are some of the errors produced from running the client sandboxed. 00:44:09.819 (SplashScreenManager) Displaying splash screen from default-splash.html for 2000ms 00:44:09.825 app.isPackaged true 00:44:09.842 Loading page from http://127.0.0.1:51563/index.html sandbox initialization failed: Operation not permitted Failed to initialize sandbox.[0102/004409.953876:ERROR:exception_snapshot_mac.cc(139)] exception_thread not found in task [0102/004409.954838:ERROR:process_reader_mac.cc(309)] thread_get_state(4): (os/kern) invalid argument (4) [0102/004409.954852:ERROR:process_reader_mac.cc(309)] thread_get_state(4): (os/kern) invalid argument (4) [0102/004409.955178:WARNING:process_reader_mac.cc(532)] multiple MH_EXECUTE modules (/usr/libexec/rosetta/runtime, /Library/Apple/usr/libexec/oah/libRosettaRuntime) [0102/004409.955364:WARNING:process_reader_mac.cc(532)] multiple MH_EXECUTE modules (/usr/libexec/rosetta/runtime, /Users/Shared/Riot Games/Riot Client.app/Contents/Frameworks/Riot Client.app/Contents/Frameworks/Riot Client Helper (Renderer).app/Contents/MacOS/Riot Client Helper (Renderer)) [0102/004410.111422:ERROR:exception_snapshot_mac.cc(139)] exception_thread not found in task [4607:0102/004415.168524:ERROR:gpu_process_host.cc(991)] GPU process exited unexpectedly: exit_code=6 [4607:0102/004415.187770:ERROR:network_service_instance_impl.cc(521)] Network service crashed, restarting service. 00:44:15.215 Renderer process has unexpectedly crashed or was killed: crashed (6) { reason: 'crashed', exitCode: 6 }
0
0
340
Jan ’25
Clarification on Entitlements, Privacy Manifest, and Info.plist for System-Wide Mouse Click Monitoring and Typing Simulation in macOS App
I am currently developing a macOS application that listens for system-wide mouse clicks to simulate typing with user-provided text. The app requires Accessibility permissions to function properly, and I want to ensure compliance with Apple’s latest privacy and security guidelines. The app listens to global mouse clicks. It simulates keyboard input with user-provided text I would like detailed guidance on the following aspects: What specific entitlements are required to allow system-wide mouse click monitoring and simulating user input ? App Sandbox enable or disable? what keys required to explain global mouse click monitoring and keyboard input simulation in the info.plist What will be the configuration of Privacy Manifest
0
0
347
Jan ’25
Command Line Tool doesn't trigger permission prompt for audio recording
Hello, I'm developing a Command Line Tool in Xcode, in order to capture system audio and save it to a file, which will then be used by a separate process. Everything works perfectly when running it from either Xcode or the native terminal application (see image below), but as soon as I try to run it from any 3rd party application, it doesn't ask for permissions to record sound, and the resultant file ends up soundless. When archiving it and then running it from other 3rd party applications, e.g Warp (terminal) or spawning it as a child process from a bundled Electron application, it doesn't ask for permissions. Things of note: I've codesigned the application with "Developer ID Application" I've added NSAudioCaptureUsageDescription to Info.plist I've included Info.plist in the binary (see image below) I've added the com.apple.security.device.audio-input entitlement I've used the following resources as inspiration: https://github.com/insidegui/AudioCap https://developer.apple.com/documentation/coreaudio/capturing-system-audio-with-core-audio-taps As my use-case involves spawning the executable from Electron as a child process, I've tried to include the appropriate permissions to the parent application too, without success. I'm really at a loss here, it feels like I've tried everything. Any pointers are much appreciated! Thanks
2
0
473
Dec ’24
installing a SMAppService based LaunchDaemon from the command line
our app has a helper to perform privileged operations. previously that helper was installed via SMJobBless() into the /Library/LaunchDaemons/ and /Library/PrivilegedHelperTools/ we also had a script that would install the helper from the command-line, which was essential for enterprise users that could not manually install the helper on all their employee's Macs. the script would copy the files to their install location and would use launchctl bootstrap system as the CLI alternative to SMJobBless(). the full script is here: https://pastebin.com/FkzuAWwV due to various issues with the old SMJobBless() approach we have ported the helper to the new SMAppService API where the helpers do not need to be installed but remain within the app bundle ( [[SMAppService daemonServiceWithPlistName:HELPER_PLIST_NAME] registerAndReturnError:&err] ) however, we are having trouble writing a (remote-capable) CLI script to bootstrap the new helper for those users that need to install the helper on many Macs at once. running the trivial sudo launchctl bootstrap system /Applications/MacUpdater.app/Contents/Library/LaunchDaemons/com.corecode.MacUpdaterPrivilegedInstallHelperTool2.plist would just result in a non-informative: Bootstrap failed: 5: Input/output error various other tries with launchctl bootstrap/kickstart/enable yielded nothing promising. so, what's the command-line way to install a SMAppService based helper daemon? obviously 'installing' means both 'registering' (which we do with registerAndReturnError in the GUI app) and 'approving' (which a GUI user needs to manually do by clicking on the notification or by going into System Settings). thanks in advance! p.s. we wanted to submit this as a DTS TSI, but those are no longer available without spending another day on a reduced sample project. words fail me. p.p.s. bonus points for a CLI way to give FDA permissions to the app!
3
1
537
Jan ’25
The product archive package's signature is invalid
The product archive package's signature is invalid. Ensure that it is signed with your "3rd Party Mac Developer Installer" certificate. (90237) I'm receiving this error, despite the fact that I'm using this certificate when creating the pkg (with electron-forge) My configuration is shown below - note the 3rd Party Mac Developer Installer identity when using new MakerPKG. const config: ForgeConfig = { packagerConfig: { asar: true, name: 'Deep Focus', icon: 'resources/icon.icns', osxSign: { identity: 'Apple Distribution: Timeo Williams (3Y4F3KTSJA)', type: 'distribution', provisioningProfile: '/Users/timeo/Desktop/Deep Focus/deepWork/distribution.provisionprofile', preAutoEntitlements: false, // eslint-disable-next-line @typescript-eslint/explicit-function-return-type optionsForFile() { return { entitlements: 'build/entitlements.mas.plist' } } }, extendInfo: 'build/info.plist', osxUniversal: { mergeASARs: true }, appCategoryType: 'public.app-category.productivity', appBundleId: 'com.electron.deepfocus', extraResource: [ 'resources/.env', 'resources/icon.icns', ] }, rebuildConfig: {}, makers: [ new MakerSquirrel({}), new MakerZIP({}), new MakerRpm({}), new MakerDeb({}), new MakerDMG({ appPath: './out/Deep Focus-darwin-arm64/Deep Focus.app', name: 'Deep Focus', icon: './resources/icon.icns', format: 'ULFO', overwrite: true, contents: (opts) => [ { x: 130, y: 220, type: 'file', path: opts.appPath }, { x: 410, y: 220, type: 'link', path: '/Applications' } ] }), new MakerPKG({ name: 'Deep Focus', identity: '3rd Party Mac Developer Installer: Timeo Williams (3Y4F3KTSJA)' }) ], plugins: [ new VitePlugin({ build: [ { entry: 'src/main.ts', config: 'vite.main.config.ts', target: 'main' }, { entry: 'src/preload.ts', config: 'vite.preload.config.ts', target: 'preload' } ], renderer: [ { name: 'main_window', config: 'vite.renderer.config.mts' // Path to Vite config for renderer process } ] }), new FusesPlugin({ version: FuseVersion.V1, [FuseV1Options.RunAsNode]: false, 
[FuseV1Options.EnableCookieEncryption]: true, [FuseV1Options.EnableNodeOptionsEnvironmentVariable]: false, [FuseV1Options.EnableNodeCliInspectArguments]: false, [FuseV1Options.EnableEmbeddedAsarIntegrityValidation]: true, [FuseV1Options.OnlyLoadAppFromAsar]: true }) ] } Yet, I'm getting the error from Transporter that it's invalid?
0
0
407
Dec ’24
Camera feed access issue from web content in Autofill extension
I am working on a task to add WKWebView to Autofill extension. This web view presents web content that can access camera feed. As an example here is a simple html: I have added Camera permission entitlements to both main app and autofill extension Info.plist Camera feed is accessed properly from the main app. However, doing the same in the Autofill extension does not show Camera stream in the web content. I am receiving camera permissions alert and am allowing permissions. It just gets stuck on the black screen and in console I see these logs: 16000a00 - GPUProcessProxy::didClose: 0x116000a00 - GPUProcessProxy::gpuProcessExited: reason=Crash 0x1150180c0 - [PID=1 523] WebProcessProxy::gpuProcessExited: reason=Crash Error acquiring assertion: <Error Domain=RBSServiceErrorDomain Code=1 "target is not running or doesn't have entitlement com.apple.runningboard.assertions.webkit" UserInfo={NSLocalizedFailureReason=target is not running or doesn't have entitlement com.apple.runningboard.assertions.webkit}> 0x115020360 - ProcessAssertion::acquireSync Failed to acquire RBS assertion 'GPUProcess Background Assertion' for process with PID=1 524, error: Error Domain=RBSServiceErrorDomain Code=1 "target is not running or doesn't have entitlement com.apple.runningboard.assertions.webkit" UserInfo={NSLocalizedFailureReason=target is not running or doesn't have entitlement com.apple.runningboard.assertions.webkit} 0x1160012a0 - GPUProcessProxy::didClose: 0x1160012a0 - GPUProcessProxy::gpuProcessExited: reason=Crash 0x1150180c0 - [PID=1 523] WebProcessProxy::gpuProcessExited: reason=Crash Error acquiring assertion: <Error Domain=RBSServiceErrorDomain Code=1 "target is not running or doesn't have entitlement com.apple.runningboard.assertions.webkit" UserInfo={NSLocalizedFailureReason=target is not running or doesn't have entitlement com.apple.runningboard.assertions.webkit}> 0x115020300 - ProcessAssertion::acquireSync Failed to acquire RBS assertion 'GPUProcess Background Assertion' for
process with PID=1 525, error: Error Domain=RBSServiceErrorDomain Code=1 "target is not running or doesn't have entitlement com.apple.runningboard.assertions.webkit" UserInfo={NSLocalizedFailureReason=target is not running or doesn't have entitlement com.apple.runningboard.assertions.webkit} Looks like WKWebView crashes. Here are my configurations for the WKWebView: let webConfiguration = WKWebViewConfiguration() webConfiguration.allowsInlineMediaPlayback = true webConfiguration.mediaTypesRequiringUserActionForPlayback = [] let webView = WKWebView(frame: .zero, configuration: webConfiguration) webView.navigationDelegate = self webView.uiDelegate = self webView.scrollView.isScrollEnabled = false webView.contentMode = .scaleAspectFit view.addSubview(webView) Does anyone know what might be the problem? Is it even possible to access Camera from web content in Autofill extension?
0
1
391
Dec ’24
WeatherKit in commandline app
I am trying to add WeatherKit support to a commandline app to fetch historical data. I've configured an app ID with the WeatherKit entitlement, but WeatherKit does not appear in the Capabilities list to add. When I try to access weather data, it fails with Code=4097 "connection to service named com.apple.weatherkit.authservice" suggesting it's not authorized. How do I add the WeatherKit entitlement to a commandline Swift app?
0
0
293
Dec ’24
Unable to access details page for vehicle crash entitlement (SafetyKit)
Hi, I am part of a team working to incorporate vehicle crash detection using SafetyKit. However, I am unable to know more details about this entitlement since the details page (https://developer.apple.com/contact/request/vehicular-crash-events/) is showing an unauthorised message as shown in the image below. All the latest licenses have been reviewed and agreed to. Please let me know what can be done to access this link and know the details of this entitlement.
1
0
326
Dec ’24
Unable to add MusicKit capability
I have an existing Xcode project that I am trying to add MusicKit to, but for some reason I am unable to. I have logged into my developer account, and ticked off the MusicKit checkbox under the Services tab of my app in the Certificates, Identifiers & Profiles section. In Xcode I have Automatically manage signing set to true. But MusicKit does not show up as a Capability, neither in the list of capabilities in my app, nor when trying to add it with the +Capability button. I have done this successfully before with Game Center, so I really do not understand why this does not work with MusicKit. Any ideas as to how this can be solved?
2
0
611
Dec ’24
Re: Resolving App Sandbox Inheritance Problems
I have a weird case that shouldn't happen according to https://forums.developer.apple.com/forums/thread/706390 I have an audio unit which runs in FCP and I want it to launch a sandboxed app as a child process. If I sign the child app with just "com.apple.security.app-sandbox" entitlement it crashes with SYSCALL_SET_PROFILE error. According to the article referenced above: "This indicates that the process tried to setup its sandbox profile but that failed, in this case because it already has a sandbox profile." This makes sense because audio units run in a sandboxed environment (in AUHostingService process). So I added "com.apple.security.inherit" to the entitlements plist and now I get "Process is not in an inherited sandbox." error. According to the article referenced above: "Another cause of a trap within _libsecinit_appsandbox is when a nonsandboxed process runs another program as a child process and that other program’s executable has the com.apple.security.app-sandbox and com.apple.security.inherit entitlements. That is, the child process wants to inherit its sandbox from its parent but there’s nothing to inherit." And this doesn't make sense at all. The first error indicates the child process is trying to create a sandboxed environment within a parent sandboxed environment while the second error indicates there's no parent sandboxed environment... I specifically checked the child process has "com.apple.security.app-sandbox" and "com.apple.security.inherit" entitlements only. If I remove all entitlements from the child process it launches and runs fine from the audio unit plugin. And if I remove "com.apple.security.inherit" but leave "com.apple.security.app-sandbox" I can successfully launch the app in standalone mode (in Finder). For testing purposes I use a simple Hello World desktop application generated by Xcode (Obj-C). Does anybody have an idea what can be the reason for such a weird behavior?
3
0
667
Dec ’24
Implement Apple Pay In app Provisioning as third party developer
Hi I have a question about In app Provisioning for Apple Pay. I'm a developer in company which makes application for one of banks. They want to have ability to add cards to Wallet by their app not by Wallet application. I know which functions and documentation I need to use but I have a problem with testing it. We are third party developer, have separate teams, bank also has 3 apps for their testing environments. Bank sign agreements with Apple so they could have entitlements to check integration. And that is a question. Is there any chance to check our implementation before checking it in production app? I've seen sandbox account feature: https://developer.apple.com/apple-pay/sandbox-testing/ but I can't open In App provisioning window without entitlements. In Apple documentation we have statement that Apple is giving this entitlement only for production applications. So how to test it and check implementation before getting to production or without "mocking" application as production (changing id).
0
0
360
Dec ’24