General:
DevForums tags: Code Signing, Signing Certificates, Provisioning Profiles, Entitlements
Developer Account Help — This document is good in general but, in particular, the Reference section is chock-full of useful information, including the names and purposes of all certificate types issued by Apple Developer web site, tables of which capabilities are supported by which distribution models on iOS and macOS, and information on how to use managed capabilities.
Developer > Support > Certificates covers some important policy issues
Entitlements documentation
TN3125 Inside Code Signing: Provisioning Profiles — This includes links to other technotes in the Inside Code Signing series.
WWDC 2021 Session 10204 Distribute apps in Xcode with cloud signing
Certificate Signing Requests Explained DevForums post
--deep Considered Harmful DevForums post
Don’t Run App Store Distribution-Signed Code DevForums post
Resolving errSecInternalComponent errors during code signing DevForums post
Finding a Capability’s Distribution Restrictions DevForums post
Signing code with a hardware-based code-signing identity DevForums post
Mac code signing:
DevForums tag: Developer ID
Creating distribution-signed code for macOS documentation
Packaging Mac software for distribution documentation
Placing Content in a Bundle documentation
Embedding Nonstandard Code Structures in a Bundle documentation
Embedding a Command-Line Tool in a Sandboxed App documentation
Signing a Daemon with a Restricted Entitlement documentation
Defining launch environment and library constraints documentation
WWDC 2023 Session 10266 Protect your Mac app with environment constraints
TN2206 macOS Code Signing In Depth archived technote — This doc has mostly been replaced by the other resources linked to here but it still contains a few unique tidbits and it’s a great historical reference.
Manual Code Signing Example DevForums post
The Care and Feeding of Developer ID DevForums post
TestFlight, Provisioning Profiles, and the Mac App Store DevForums post
For problems with notarisation, see Notarisation Resources. For problems with the trusted execution system, including Gatekeeper, see Trusted Execution Resources.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
Provisioning Profiles
RSS for tagA provisioning profile is a type of system profile used to launch one or more apps on devices and use certain services.
Posts under Provisioning Profiles tag
108 Posts
Sort by:
Post
Replies
Boosts
Views
Activity
Hi,
we have received an Application via App Transfer recently. I am now trying to generate a provisioning profile for App Store distribution.
When we set the checkmark in Capabilities to use "iCloud Key-value storage" we cannot get "automatically manage signing" to work with an error:
Provisioning profile "iOS Team Provisioning Profile: com.some.bundle.identifier" doesn't match the entitlements file's value for the com.apple.developer.ubiquity-kvstore-identifier entitlement.
When a Provisioning Profile is manually generated via Developer Portal the com.apple.developer.ubiquity-kvstore-identifier entry shows the value of the previous app owner: "OLDTEAM.com.some.bundle.identifier".
How can we change the com.apple.developer.ubiquity-kvstore-identifier value in our provisioning profile to get rid of the old team identifier?
Help is much appreciated, thank you.
FB15898983
What should I do when my Development or App Store certificates in my developer account under Certificates, Identifiers & Profiles are almost expired or when the certificates are already expired?
What should I do so that I can still use the certificates?
What happens when the certificates expire and when I already have an application in the App Store?
I am developing a watchOS app that uses the uses the Fall Detection API. After requesting the entitlement, and receiving the entitlement and adding it to my app, I managed to implement the feature, and run the app on the simulator in Xcode and it works fine.
But when I try to distribute the app to TestFlight internal testing, Xcode refuses and shows the following message:
"Provisioning profile failed qualification: Profile doesn't support Fall Detection Notifications"
and
"Provisioning profile failed qualification: Profile doesn't include the com.apple.developer.health.fall-detection entitlement"
I am using an Xcode managed provisioning profile, and when I checked the profile from "signing and capabilities", it says that the fall detection capability and the entitlement are included in the profile.
When I check my app's capabilities from "Certificates, Identifiers & Profiles" in the apple developer website, it says that the fall detection capability for my app has provisioning support for Ad hoc and Development only, is this the reason why I can't upload my app to TestFlight, or am I missing something? If it is the reason, then is there a way to change the provisioning support so that I can distribute the app?
Thanks in advance
Project Background:
I developed a Mac project using Electron and VSCode
Successfully uploaded the packaged pkg using Transporter,
However, I will receive an email informing me that there are some issues with the project:
ITMS-90296: App sandbox not enabled - The following executors must include the 'com. apple. security. app sandbox' entitlement with a Boolean value of true in the entitlement property list: [[com. electron. iflyrecclient. pkg/Payload/iFlytek Listen. app/Contents/MacOS/iFlytek Listen]]
ITMS-90886: 'Cannot be used with TestFlight because the signature for the bundle at' iFlytek hears. app 'is missing an application identifier but has an application identifier in the provisioning profile for the bundle.' Bundles with application identifiers in the provisioning profile are expected to have the same identifier signed into the bundle in order to be eligible for TestFlight.'
Here is my packaging process:
Generate an app using the electron packager tool
Sign the app using @ electron osx sign (version 1.3.1)
After signing, use
productbuild - component Yourappname App/Applications - sign "3rd Party Mac Developer Installer: * * * * * (XXXXXXXXXX)" Yourappname. pkg
command generates pkg
PS:
For the second step, I have set sand box=true in both entitlents.plist and entitlents.macinheriting. plist. And after signing, using
codesign -dvvv -- entitiements - /path
to view the app file shows' checkbox=true ', and the [iFlytek Listen. app/Contents/MacOS/iFlytek Listen] file in the issue also exists.
Using the Suspicious Package software to view pkg also has sandbox=true.
A few months ago, I uploaded it once and the issues mentioned in the email did not appear. The only changes were the macOS system version number and the replacement of the signature with provisionprofileprovisionprofile.
I have reviewed similar issues on the Apple Developer Forums, but have not been resolved
I've updated Xcode to 16.1, then I've created a new provisioning profile in developer.apple.com, successfully built and signed my application. It was on monday, 2024-11-04.
Two or three days later I was asked to add more devices and I had to create a new profile. I've noticed a new feature to control profile's name (yeah, cool!), had to accept new agreements. Then, have created a new profile, downloaded it, but could not add it with double-click to Xcode or import to Keychain Access - "Failed to install one or more provisioning profiles on the device". And whatever I tried, I couldn't register any new profiles since. Therefore, my app cannot be signed and tested anymore.
This is quite weird as nothing has changed on the system throughout the week.
Is this a known issue or is there any fix for that?
Hi!
I'm having troubles to sign my Xamarin Forms application, im getting the following error "Error : Could not find any available provisioning profiles for MyProject.iOS on iOS.". I've recently cleaned my Provisioning profiles folder ~/Library/MobileDevice/Provisioning Profiles since it wasn't being updated with my latest provisioning profile for my app. But now my provisioning profiles are not being downloaded, I'm not getting any other error on downloading profiles. I've tried from Xcode -> Settings -> Account -> Download manual profiles. Tried too open the profile downloaded from the Apple Developer Portal, also tried copy manually the provisioning profile downloaded to the previous mentioned path, none of those works.
The user that im logged in on Xcode is the admin/owner so is not a permissions issue. IDK what can be wrong or what can I try. So I'm going to be grateful for your help :(
Sometime since July 2024 the list of devices in our Enterprise Account is showing the same device and UDID 6 times.
Looking at the DATE REGISTERED field it is apparent that each instance of the device represents the 'old' device that should have been 'deleted' when the annual device reset was actioned. The date registered field shows dates with 2019, 2020, 2021, and so till 2024 (most recent).
I have 'disabled' two of the entries to see what happens, and those instances were disabled as expected without impacting the other instances. However, when attempting a re-enable of them, an error throws saying that they cant be enabled because that UDID already exists - obviously the other instances.
For now, I have left 4 active duplicates in place, and the 2 disabled ones as they are, and plan to deal with this again - if it re-occurs in 2025.
It does not seem to have impacted provisioing profiles - so will leave well enough alone. I am sure if I disable all of them, I will not be able to re-enabled any of them.
Is this a know issue? Is this the best strategy? - ie, wait till device reset next year and hope issue is resolved.
This post had similar issue, in 2023, but no response
Forum Post 733264
I was able to setup a release test for an iOS app for distribution using a web server. It works perfectly fine for all the devices I registered for the deployment profile.
However every time I try to distribute a Unity based Vision Pro application using the same process for building the package and set up for distribution it does not work.
Safari only shows a message telling me:
"Cannot connect to ."
When trying to install the iOS app from the same server it shows the message "Do you want to install ?" and installation completes correctly.
My iOS is a simple hello world app generated by Xcode.
My Unity app is an AR app targeting com.apple.platform.xros.
According to documentation there should not be any difference in deployment profiles/signing for iOS apps vs. visionOS apps.
What am I doing wrong? Any hint is appreciated how to continue.
We noticed that the APNs Profile we downloaded on https://developer.apple.com/bug-reporting/profiles-and-logs/ is mentioning "Facetime and Call Activity Logging".
Is it expected ?
Hello everyone,
We develop an app called Unite (bundle ID: com.BZG.Unite), which allows users to create standalone macOS applications from websites. These user-generated apps are based on a backend browser template called DefaultApp (bundle ID: com.bzg.default.app). Here's how our setup works:
Unite and DefaultApp: Both are signed with our Developer ID and include necessary provisioning profiles and entitlements.
User-Created Apps: When a user creates an app with Unite, it generates a customized version of DefaultApp with the user's chosen name and settings. These apps are ad-hoc signed upon creation to reflect their unique identity.
Issue
Since updating to macOS 15, every time a user launches a created app, they encounter a persistent prompt asking for permission to access files outside the app's container. Granting full disk access in System Preferences suppresses the prompt, but this is not a practical solution for end-users.
Upon launching a user-created app (e.g., "ExampleTest"), the following prompt appears:
This prompt appears on every launch of the app.
Steps to Reproduce
On a Mac running macOS 15, create a new app using Unite (e.g., "ExampleTest").
Launch the newly created app.
Observe the prompt requesting access to files outside the app's container.
Close and relaunch the app; the prompt appears again.
What We Have Tried
Given that our apps use an app group (group.BZG.unite.sharedData) to share data between Unite, DefaultApp, and user-created apps, we believe this is triggering the prompt due to changes in System Integrity Protection (SIP) in macOS 15. We are further confident given that if the user does not allow access, the app does launch, but shows an error indicating that the created app was unable to access the data that is typically in the shared group.
Here’s a summary of our troubleshooting efforts:
1. Adjusting App Group Configuration
Ensured the app group name aligns with Apple's guidelines, including prefixing with the Team ID (teamid.group.BZG.unite.sharedData).
Verified that the app group is correctly declared in the com.apple.security.application-groups entitlement.
2. Provisioning Profile Creation
Generated provisioning profiles via Xcode and the Developer Console, ensuring the app group entitlement is included.
Applied the provisioning profile to the user-created app during code signing.
Despite these efforts, the issue continues.
3. Entitlements and Code Signing
Created an entitlements file for the user-created app, mirroring the entitlements from DefaultApp, including:
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.application-identifier</key>
<string>id.com.BZG.ExampleTest</string>
<key>com.apple.developer.team-identifier</key>
<string>id</string>
<key>com.apple.security.application-groups</key>
<array>
<string>id.group.BZG.unite.sharedData</string>
</array>
<key>com.apple.security.app-sandbox</key>
<true/>
</dict>
</plist>
Signed the user-created app with our Developer ID and the provisioning profile
Verified the entitlements
4. Reviewing System Logs
Observed error messages indicating unsatisfied entitlements:
message: com.BZG.ExampleTest: Unsatisfied entitlements: com.apple.security.application-groups
**5. Consulting Documentation and WWDC Sessions
**
Referenced post on App Groups in macOS vs iOS.
Reviewed the macOS 15 Release Notes regarding SIP and app group container protection.
Watched WWDC 2024 Session 10123: What's new in privacy, starting at 12:23.
Questions
Is there a way to authorize the com.apple.security.application-groups entitlement in the provisioning profile for ad-hoc signed apps?
Given the SIP changes in macOS 15, how can we enable our ad-hoc signed, user-generated apps to access the app group container without triggering the persistent prompt?
Are there alternative approaches to sharing data between the main app and user-generated apps that comply with macOS 15's SIP requirements?
Is there anything to try that we're missing here to solve this?
Any guidance on how to resolve this issue or workarounds to allow app group access without triggering the prompt would be greatly appreciated.
Thank you for your assistance!
When attempting to run a build script that is currently working for several other projects, the export fails and the IDEDistribution.verbose.log (see below) suggestion is to add a profile to the Export Options property list but as can be seen in the ExportOptions.plist text (see below), there is a profile for each of the three builds.
XCode 16.0
MacOS 14.7
IDEDistribution.verbose.log below
2024-10-28 12:20:30 +0000 [MT] Step failed: <IDEDistributionSigningAssetsStep: 0x60000146e840>: Error Domain=IDEDistributionSigningAssetStepErrorDomain Code=0 "Locating signing assets failed." UserInfo={NSLocalizedDescription=Locating signing assets failed., IDEDistributionUnderlyingErrors=(
"Error Domain=IDEProvisioningErrorDomain Code=9 ""QuickDelegateTestApp.app" requires a provisioning profile." UserInfo={IDEDistributionIssueSeverity=3, NSLocalizedDescription="QuickDelegateTestApp.app" requires a provisioning profile., NSLocalizedRecoverySuggestion=Add a profile to the "provisioningProfiles" dictionary in your Export Options property list.}"
)}
ExportOptions.plist below
I have two different USB devices with different vendor IDs I would like to connect to. I submitted two separate requests for the com.apple.developer.driverkit.transport.usb entitlement for each vendor ID. However I am noticing the provisioning profile only has one of the vendor IDs.
How do I submit a request for the USB Transport entitlement to support more than one vendor ID? I'm new to writing a DriverKit driver, so is this even possible?
Creating CSR file from my Mac steps are :-
Going to the Keychain Access > Certificate Assistant > Request a Certificate From a Certificate Authority...
Filling the required details in the field, save to desk then continue and save it desktop.
Then going to the Developer account in Certification screen and creating a new certificate on click on plus icon then selecting Apple distribution > continue , Then uploading CSR file in the required box and continue.
After this I have downloaded the “distribution.cer” file then double clicked on the file then going to the KeyChain Access to see the My Certificate section there is no certificate which I have installed but it showing in the Certificate section without Private key.
This steps I have followed but not getting Private key in my certificate how to correct this issue
System Configuration :-
Mac OS- 14.5
Chip - Apple M1
Keychain Access version - Version 11.0 (55314)
I have a .NET MAUI iOS app where its provisioning profiles at first expired a few days ago. So I created new "Apple Development" and "Apple Distribution" certificates using an existing certificate signing request created on 19 October 2023 at 11:46 AM, included the new certificates in the expired provisioning profiles, regenerated and downloaded the provisioning profiles.
In the "bundle signing" section of the "project properties" window of Visual Studio for Mac version 17.6.14 (build 413), I have made the following settings:
Configuration: release
Platform: any CPU
Signing identity is not set to automatic
I have selected the correct provisioning profile, but when deploying the app in release mode, the following error message is thrown so the app cannot be deployed to the device:
ERROR: Failed to install the app on the device. (com.apple.dt.CoreDeviceError error 3002.)
NSURL = file:///Users/intelligenthosting/Desktop/IMA-Attendance-App/maui/maui/bin/Release/net7.0-ios/ios-arm64/maui.app/
----------------------------------------
Unable to Install ?IMA Attendance? (IXUserPresentableErrorDomain error 14.)
NSLocalizedRecoverySuggestion = Failed to install embedded profile for com.imaedu.attendanceapp : 0xe800801f (Attempted to install a Beta profile without the proper entitlement.)
NSLocalizedFailureReason = This app cannot be installed because its integrity could not be verified.
----------------------------------------
Failed to install embedded profile for com.imaedu.attendanceapp : 0xe800801f (Attempted to install a Beta profile without the proper entitlement.) (MIInstallerErrorDomain error 13.)
SourceFileLine = 308
FunctionName = -[MIInstallableBundle _installEmbeddedProfilesWithError:]
LibMISErrorNumber = -402620385
LegacyErrorString = ApplicationVerificationFailed
1%... 2%... 3%... 4%... 5%... 6%... 7%... 8%... 9%... 10%... 11%... 12%... 13%... 14%... 15%... 16%... 18%... 19%... 20%... 21%... 22%... 23%... 24%... 25%... 26%... 27%... 28%... 30%... 31%... 32%... 33%... 34%... 35%... 36%... 37%... 38%... 39%... 40%... 41%... 42%... 43%... 44%... 45%... 46%... 47%... 48%... 49%... 50%... 51%... 52%... 53%... 54%... 55%... 56%... 57%... 59%... 60%... 62%... 66%... 68%...
error MT1045: Failed to execute 'devicectl': 'devicectl -j /var/folders/ny/qt1fm9zx063__j1b_nglx8pw0000gn/T/tmpFalYTp.tmp device install app --device "iPad (3)" /Users/intelligenthosting/Desktop/IMA-Attendance-App/maui/maui/bin/Release/net7.0-ios/ios-arm64/maui.app' returned the exit code 1.
Application could not be uploaded to the device.
What have I done wrong in the above process? What is the most appropriate method to update expired provisioning profiles? Thanks in advance
Dear
We try to generate IPA with Xcode Cloud but this task fail in Export archive phase (Export archive for app-store distribution).
The error that appear in the archive logs is:
error: exportArchive Provisioning profile "iOS Team Store Provisioning Profile: cl.app.myapp" doesn't include the com.apple.CommCenter.fine-grained entitlement.
Any idea about to resolve this problem ?
king regards
We want to make an app for the customers to install ipa files without use of third party apps or Other devices like Xcode, ITunes
Starting Point
I recently transferred an app from an old to a new developer account. The transfer itself went smoothly with the app using the following capabilities:
CoreData, CloudKit, Push Notifications, In-App Purchases
Keychain is not used
After completing the app transfer, I worked on a new update. For this, I set the new developer account as the development team of the project in Xcode. However, as soon as I try to install the new version locally on my physical test device, I get the following error message:
application-identifier entitlement string ({new_team_id}.{bundle_id}) does not match installed application's application-identifier string ({old_team_id}.{bundle_id}); rejecting upgrade.`
(Note: The test device has the latest production version installed, which was still published by the old developer account. The update can be installed without any problems if no previous version is installed. {new_team_id}, {old_team_id} and {bundle_id} are a substitute for the original content.)
What I've tried so far
I found a Technical Note on this topic and followed the steps suggested. However, the Apple Support wasn't able to provide me with the required Special Provisioning Profile.
That's why I tested a different approach with a dummy application: I have completed an update as described above (new developer account selected as development team). Next, I uploaded it to App Store Connect and published it as a new version. I received the following warning during the upload process, but ignored it since I don't use the keychain:
At first glance, the publication process appears to have gone smoothly. While the update caused the above error during local testing, the update via the App Store went smoothly. As the latest production version has now also been published from the new Apple Developer Account, further updates can now also be tested locally on a physical device without any problems.
Questions
Why is it that the update causes an error when tested locally, but works without problems via the App Store?
Can this approach also be used without concern for an app with a large active user base, which also uses the capabilities described above (in particular CoreData & CloudKit) without causing problems?
Thanks a lot for your support in advance!
Hello there!
I found the page on Docs about Editing provisioning profiles: https://developer.apple.com/help/account/manage-profiles/edit-download-or-delete-profiles/
but there, are showed only cases where one should edit it or when it is expired. It is not showed the case where the profile IS ABOUT to expire. What If it is about to expire and I want to act before expiring? Somewhere on the forum I read that clicking "save" with no changes could be enough, but it is not clear to me if I need to choose something more about it.
I add a screenshot since It seems to me the UI changed a bit recently.
using Enterprise developer program, in-house distribution
I can see no certificate with dec 31 2025 (+ - 1 day) on my dev page certificates list.
but I have, among my certificates, an iOS distribution certificate with exactly nov 23 2026 es expiration date.
why are two choices present with two different expiration dates?
with which criteria should I pick one or the other?
if I have no need to change something, what should I do or do not in this screen at renewal time? (I.E. at beginning of December 2024?)
app Id should be the bundle id, is it so? but in this moment app and id are different, shouldn't they be the same?
Since a few days now, I'm using Xcode 16 and I try to install a newly made provisioning profile for my app. On the development profile I always get the message "Failed to install one or more provisioning profiles on the device". But no message at all for the distribution profile. I even tried setting up completely new certificates as I updated to macOS 15 and Xcode 16. No success.
When checking the installed profiles via Finder under
open ~/Library/MobileDevice/Provisioning\ Profiles
I only see profiles from my last project from june this year. It does not matter how often I press "Download Manual Profiles" in Xcode nothing new lands here.
Is there any other way to install newly created profiles? As my project is done with .NET and not a native Xcode project I do not have the option to let Xcode it generate for me (if this would even work).
I have an app that includes a DriverKit extension that up until now I've been building without issue using Xcode 13.
It was time to regenerate my Developer ID Application certificate so I needed to rebuild the app. However, I'm now running macOS Ventura and Xcode 14.3.1, and cannot get it to build in this later version of Xcode for reasons that are totally inscrutable to me. I've tried using both the newly generated provisioning profiles I've manually created in the "Certificates, Identifiers & Profiles" developer page, and the (still valid) provisioning profiles I already had installed.
The trouble is that, when I select a provisioning profile I made for the DriverKit extension, Xcode won't accept it for the following reason:
Platform: macOS
Doesn't match platform DriverKit
This makes no sense to me! There is no way to create a distribution provisioning profile for the "DriverKit" platform. All I can select is either "Mac" or "Mac Catalyst". So there's seemingly no way out of this. What am I missing?