General:
DevForums tags: Code Signing, Signing Certificates, Provisioning Profiles, Entitlements
Developer Account Help — This document is good in general but, in particular, the Reference section is chock-full of useful information, including the names and purposes of all certificate types issued by Apple Developer web site, tables of which capabilities are supported by which distribution models on iOS and macOS, and information on how to use managed capabilities.
Developer > Support > Certificates covers some important policy issues
Entitlements documentation
TN3125 Inside Code Signing: Provisioning Profiles — This includes links to other technotes in the Inside Code Signing series.
WWDC 2021 Session 10204 Distribute apps in Xcode with cloud signing
Certificate Signing Requests Explained DevForums post
--deep Considered Harmful DevForums post
Don’t Run App Store Distribution-Signed Code DevForums post
Resolving errSecInternalComponent errors during code signing DevForums post
Finding a Capability’s Distribution Restrictions DevForums post
Signing code with a hardware-based code-signing identity DevForums post
Mac code signing:
DevForums tag: Developer ID
Creating distribution-signed code for macOS documentation
Packaging Mac software for distribution documentation
Placing Content in a Bundle documentation
Embedding Nonstandard Code Structures in a Bundle documentation
Embedding a Command-Line Tool in a Sandboxed App documentation
Signing a Daemon with a Restricted Entitlement documentation
Defining launch environment and library constraints documentation
WWDC 2023 Session 10266 Protect your Mac app with environment constraints
TN2206 macOS Code Signing In Depth archived technote — This doc has mostly been replaced by the other resources linked to here but it still contains a few unique tidbits and it’s a great historical reference.
Manual Code Signing Example DevForums post
The Care and Feeding of Developer ID DevForums post
TestFlight, Provisioning Profiles, and the Mac App Store DevForums post
For problems with notarisation, see Notarisation Resources. For problems with the trusted execution system, including Gatekeeper, see Trusted Execution Resources.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
Provisioning Profiles
RSS for tagA provisioning profile is a type of system profile used to launch one or more apps on devices and use certain services.
Posts under Provisioning Profiles tag
108 Posts
Sort by:
Post
Replies
Boosts
Views
Activity
Backup and restore Personal IOS data to a Supervised device?
We currently have around 200+ iPhone users that are using their devices as personal devices. We are planning on moving them to Intune using Automated Device Enrollment (Supervised).
Is it any way possible to backup their devices, do a factory reset, enroll them in Intune, then restore the old data?
Is it possible to do backup and restore in this situation? Is there an alternative way to restore the data back to a supervised device?
From the Apple Connect API documentation, it seems like this API does not provide an endpoint to add devices to provisioning profiles (or update profiles in any other way). Am I missing something in the docs or is this a known limitation? If latter, are there any viable alternatives?
When I upload the app to testflight, I get the following error: "Provisioning profile failed qualification. Profile doesn't include the selected signing certificate.". I have regenerated the profile. I have cleared cache, deleted profile and certificate and imported it back to xcode. Any ideas?
I currently manually resign my application for distribution. Until recently I haven't had any issues with the provisioning profile which I place inside the bundle.
However, I just got the following message from the store:
ITMS-91109: Invalid package contents - The package contains one or more files with the com.apple.quarantine extended file attribute.
The file it is referring to is:
Contents/embedded.provisionprofile
When I check the xattr on the provisionprofile I see the following line:
com.apple.quarantine: 0081;675c6072;Chrome;
So it seems like the provisionprofile I have downloaded from developer.apple.com has this attribute set.
Any insights on how to properly deal with this submission issue?
I’ve been having this issue recently while attempting to build my iOS app in VS for Mac.
When both signing identity and provisioning profile are set to automatic and manual I get the following error:
Apple distribution Not in keychain
Even the Build machine is connected to Mac machine over network and both developer and distribution certificates are active in keychain
Hey all -
Been building my app and all has been going well with successful builds through to test flight.
However, I have just added CKSharing support into the app and therefore into the entitlements to allow collaboration within the app.
As soon as I have added this, I can no longer build due to a signing certificate error stating my provisioning profile just not allow for CKSharing...
"Provisioning profile "iOS Team Provisioning Profile: com.MyApp" doesn't include the com.apple.developer.cksharing entitlement."
However, iCloud is enabled within my app profile, and all other cloudkit features have worked up until adding that specific entitlement.
Any help or guidance to get passed this would be greatly appreciated.
In Xcode's (version 16.1) "Devices and Simulators" window pressing the device's context menu item "Show Provisioning Profiles..." does nothing: no new window, no message, nothing. How can I fix this?
Hi,
we have received an Application via App Transfer recently. I am now trying to generate a provisioning profile for App Store distribution.
When we set the checkmark in Capabilities to use "iCloud Key-value storage" we cannot get "automatically manage signing" to work with an error:
Provisioning profile "iOS Team Provisioning Profile: com.some.bundle.identifier" doesn't match the entitlements file's value for the com.apple.developer.ubiquity-kvstore-identifier entitlement.
When a Provisioning Profile is manually generated via Developer Portal the com.apple.developer.ubiquity-kvstore-identifier entry shows the value of the previous app owner: "OLDTEAM.com.some.bundle.identifier".
How can we change the com.apple.developer.ubiquity-kvstore-identifier value in our provisioning profile to get rid of the old team identifier?
Help is much appreciated, thank you.
FB15898983
What should I do when my Development or App Store certificates in my developer account under Certificates, Identifiers & Profiles are almost expired or when the certificates are already expired?
What should I do so that I can still use the certificates?
What happens when the certificates expire and when I already have an application in the App Store?
I am developing a watchOS app that uses the uses the Fall Detection API. After requesting the entitlement, and receiving the entitlement and adding it to my app, I managed to implement the feature, and run the app on the simulator in Xcode and it works fine.
But when I try to distribute the app to TestFlight internal testing, Xcode refuses and shows the following message:
"Provisioning profile failed qualification: Profile doesn't support Fall Detection Notifications"
and
"Provisioning profile failed qualification: Profile doesn't include the com.apple.developer.health.fall-detection entitlement"
I am using an Xcode managed provisioning profile, and when I checked the profile from "signing and capabilities", it says that the fall detection capability and the entitlement are included in the profile.
When I check my app's capabilities from "Certificates, Identifiers & Profiles" in the apple developer website, it says that the fall detection capability for my app has provisioning support for Ad hoc and Development only, is this the reason why I can't upload my app to TestFlight, or am I missing something? If it is the reason, then is there a way to change the provisioning support so that I can distribute the app?
Thanks in advance
Project Background:
I developed a Mac project using Electron and VSCode
Successfully uploaded the packaged pkg using Transporter,
However, I will receive an email informing me that there are some issues with the project:
ITMS-90296: App sandbox not enabled - The following executors must include the 'com. apple. security. app sandbox' entitlement with a Boolean value of true in the entitlement property list: [[com. electron. iflyrecclient. pkg/Payload/iFlytek Listen. app/Contents/MacOS/iFlytek Listen]]
ITMS-90886: 'Cannot be used with TestFlight because the signature for the bundle at' iFlytek hears. app 'is missing an application identifier but has an application identifier in the provisioning profile for the bundle.' Bundles with application identifiers in the provisioning profile are expected to have the same identifier signed into the bundle in order to be eligible for TestFlight.'
Here is my packaging process:
Generate an app using the electron packager tool
Sign the app using @ electron osx sign (version 1.3.1)
After signing, use
productbuild - component Yourappname App/Applications - sign "3rd Party Mac Developer Installer: * * * * * (XXXXXXXXXX)" Yourappname. pkg
command generates pkg
PS:
For the second step, I have set sand box=true in both entitlents.plist and entitlents.macinheriting. plist. And after signing, using
codesign -dvvv -- entitiements - /path
to view the app file shows' checkbox=true ', and the [iFlytek Listen. app/Contents/MacOS/iFlytek Listen] file in the issue also exists.
Using the Suspicious Package software to view pkg also has sandbox=true.
A few months ago, I uploaded it once and the issues mentioned in the email did not appear. The only changes were the macOS system version number and the replacement of the signature with provisionprofileprovisionprofile.
I have reviewed similar issues on the Apple Developer Forums, but have not been resolved
I've updated Xcode to 16.1, then I've created a new provisioning profile in developer.apple.com, successfully built and signed my application. It was on monday, 2024-11-04.
Two or three days later I was asked to add more devices and I had to create a new profile. I've noticed a new feature to control profile's name (yeah, cool!), had to accept new agreements. Then, have created a new profile, downloaded it, but could not add it with double-click to Xcode or import to Keychain Access - "Failed to install one or more provisioning profiles on the device". And whatever I tried, I couldn't register any new profiles since. Therefore, my app cannot be signed and tested anymore.
This is quite weird as nothing has changed on the system throughout the week.
Is this a known issue or is there any fix for that?
Hi!
I'm having troubles to sign my Xamarin Forms application, im getting the following error "Error : Could not find any available provisioning profiles for MyProject.iOS on iOS.". I've recently cleaned my Provisioning profiles folder ~/Library/MobileDevice/Provisioning Profiles since it wasn't being updated with my latest provisioning profile for my app. But now my provisioning profiles are not being downloaded, I'm not getting any other error on downloading profiles. I've tried from Xcode -> Settings -> Account -> Download manual profiles. Tried too open the profile downloaded from the Apple Developer Portal, also tried copy manually the provisioning profile downloaded to the previous mentioned path, none of those works.
The user that im logged in on Xcode is the admin/owner so is not a permissions issue. IDK what can be wrong or what can I try. So I'm going to be grateful for your help :(
Sometime since July 2024 the list of devices in our Enterprise Account is showing the same device and UDID 6 times.
Looking at the DATE REGISTERED field it is apparent that each instance of the device represents the 'old' device that should have been 'deleted' when the annual device reset was actioned. The date registered field shows dates with 2019, 2020, 2021, and so till 2024 (most recent).
I have 'disabled' two of the entries to see what happens, and those instances were disabled as expected without impacting the other instances. However, when attempting a re-enable of them, an error throws saying that they cant be enabled because that UDID already exists - obviously the other instances.
For now, I have left 4 active duplicates in place, and the 2 disabled ones as they are, and plan to deal with this again - if it re-occurs in 2025.
It does not seem to have impacted provisioing profiles - so will leave well enough alone. I am sure if I disable all of them, I will not be able to re-enabled any of them.
Is this a know issue? Is this the best strategy? - ie, wait till device reset next year and hope issue is resolved.
This post had similar issue, in 2023, but no response
Forum Post 733264
I was able to setup a release test for an iOS app for distribution using a web server. It works perfectly fine for all the devices I registered for the deployment profile.
However every time I try to distribute a Unity based Vision Pro application using the same process for building the package and set up for distribution it does not work.
Safari only shows a message telling me:
"Cannot connect to ."
When trying to install the iOS app from the same server it shows the message "Do you want to install ?" and installation completes correctly.
My iOS is a simple hello world app generated by Xcode.
My Unity app is an AR app targeting com.apple.platform.xros.
According to documentation there should not be any difference in deployment profiles/signing for iOS apps vs. visionOS apps.
What am I doing wrong? Any hint is appreciated how to continue.
We noticed that the APNs Profile we downloaded on https://developer.apple.com/bug-reporting/profiles-and-logs/ is mentioning "Facetime and Call Activity Logging".
Is it expected ?
Hello everyone,
We develop an app called Unite (bundle ID: com.BZG.Unite), which allows users to create standalone macOS applications from websites. These user-generated apps are based on a backend browser template called DefaultApp (bundle ID: com.bzg.default.app). Here's how our setup works:
Unite and DefaultApp: Both are signed with our Developer ID and include necessary provisioning profiles and entitlements.
User-Created Apps: When a user creates an app with Unite, it generates a customized version of DefaultApp with the user's chosen name and settings. These apps are ad-hoc signed upon creation to reflect their unique identity.
Issue
Since updating to macOS 15, every time a user launches a created app, they encounter a persistent prompt asking for permission to access files outside the app's container. Granting full disk access in System Preferences suppresses the prompt, but this is not a practical solution for end-users.
Upon launching a user-created app (e.g., "ExampleTest"), the following prompt appears:
This prompt appears on every launch of the app.
Steps to Reproduce
On a Mac running macOS 15, create a new app using Unite (e.g., "ExampleTest").
Launch the newly created app.
Observe the prompt requesting access to files outside the app's container.
Close and relaunch the app; the prompt appears again.
What We Have Tried
Given that our apps use an app group (group.BZG.unite.sharedData) to share data between Unite, DefaultApp, and user-created apps, we believe this is triggering the prompt due to changes in System Integrity Protection (SIP) in macOS 15. We are further confident given that if the user does not allow access, the app does launch, but shows an error indicating that the created app was unable to access the data that is typically in the shared group.
Here’s a summary of our troubleshooting efforts:
1. Adjusting App Group Configuration
Ensured the app group name aligns with Apple's guidelines, including prefixing with the Team ID (teamid.group.BZG.unite.sharedData).
Verified that the app group is correctly declared in the com.apple.security.application-groups entitlement.
2. Provisioning Profile Creation
Generated provisioning profiles via Xcode and the Developer Console, ensuring the app group entitlement is included.
Applied the provisioning profile to the user-created app during code signing.
Despite these efforts, the issue continues.
3. Entitlements and Code Signing
Created an entitlements file for the user-created app, mirroring the entitlements from DefaultApp, including:
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.application-identifier</key>
<string>id.com.BZG.ExampleTest</string>
<key>com.apple.developer.team-identifier</key>
<string>id</string>
<key>com.apple.security.application-groups</key>
<array>
<string>id.group.BZG.unite.sharedData</string>
</array>
<key>com.apple.security.app-sandbox</key>
<true/>
</dict>
</plist>
Signed the user-created app with our Developer ID and the provisioning profile
Verified the entitlements
4. Reviewing System Logs
Observed error messages indicating unsatisfied entitlements:
message: com.BZG.ExampleTest: Unsatisfied entitlements: com.apple.security.application-groups
**5. Consulting Documentation and WWDC Sessions
**
Referenced post on App Groups in macOS vs iOS.
Reviewed the macOS 15 Release Notes regarding SIP and app group container protection.
Watched WWDC 2024 Session 10123: What's new in privacy, starting at 12:23.
Questions
Is there a way to authorize the com.apple.security.application-groups entitlement in the provisioning profile for ad-hoc signed apps?
Given the SIP changes in macOS 15, how can we enable our ad-hoc signed, user-generated apps to access the app group container without triggering the persistent prompt?
Are there alternative approaches to sharing data between the main app and user-generated apps that comply with macOS 15's SIP requirements?
Is there anything to try that we're missing here to solve this?
Any guidance on how to resolve this issue or workarounds to allow app group access without triggering the prompt would be greatly appreciated.
Thank you for your assistance!
When attempting to run a build script that is currently working for several other projects, the export fails and the IDEDistribution.verbose.log (see below) suggestion is to add a profile to the Export Options property list but as can be seen in the ExportOptions.plist text (see below), there is a profile for each of the three builds.
XCode 16.0
MacOS 14.7
IDEDistribution.verbose.log below
2024-10-28 12:20:30 +0000 [MT] Step failed: <IDEDistributionSigningAssetsStep: 0x60000146e840>: Error Domain=IDEDistributionSigningAssetStepErrorDomain Code=0 "Locating signing assets failed." UserInfo={NSLocalizedDescription=Locating signing assets failed., IDEDistributionUnderlyingErrors=(
"Error Domain=IDEProvisioningErrorDomain Code=9 ""QuickDelegateTestApp.app" requires a provisioning profile." UserInfo={IDEDistributionIssueSeverity=3, NSLocalizedDescription="QuickDelegateTestApp.app" requires a provisioning profile., NSLocalizedRecoverySuggestion=Add a profile to the "provisioningProfiles" dictionary in your Export Options property list.}"
)}
ExportOptions.plist below
I have two different USB devices with different vendor IDs I would like to connect to. I submitted two separate requests for the com.apple.developer.driverkit.transport.usb entitlement for each vendor ID. However I am noticing the provisioning profile only has one of the vendor IDs.
How do I submit a request for the USB Transport entitlement to support more than one vendor ID? I'm new to writing a DriverKit driver, so is this even possible?
Creating CSR file from my Mac steps are :-
Going to the Keychain Access > Certificate Assistant > Request a Certificate From a Certificate Authority...
Filling the required details in the field, save to desk then continue and save it desktop.
Then going to the Developer account in Certification screen and creating a new certificate on click on plus icon then selecting Apple distribution > continue , Then uploading CSR file in the required box and continue.
After this I have downloaded the “distribution.cer” file then double clicked on the file then going to the KeyChain Access to see the My Certificate section there is no certificate which I have installed but it showing in the Certificate section without Private key.
This steps I have followed but not getting Private key in my certificate how to correct this issue
System Configuration :-
Mac OS- 14.5
Chip - Apple M1
Keychain Access version - Version 11.0 (55314)