hi
I am using fastlane and match to upload an app to test flight. The app requires com.apple.developer.storekit.external-link.account to be activated.
My identifier has activated the capabilities and when I look at provisional profile, it also has it, but when the app has been uploaded, it's missing (although all other entitlements are there).
Now it gets weird:
Every time I run my flow I delete derived data, deletes all downloaded provisional profiles and use match to redownload them with read only (force is not an option).
It does not work. I go to Apple dev and Toggles the capability off and on and saves. This invalidates the profile. I press edit and save. So no real changes. Run my flow and the app is uploaded correctly WITH the correct capabilities. Runs the flow again without the manual steps and the entitlements will be missing once again.
Repeats the toggle stuff and the subsequent behavior repeats itself. Same flow and same code and same settings, app and profile....
I am building automated flows so this does not really work for me....
Heeeelp...
Entitlements
RSS for tagEntitlements allow specific capabilities or security permissions for your apps.
Post
Replies
Boosts
Views
Activity
A few weeks ago I requested the subject entitlement. I'm still waiting for it to be added to our account. Who or how can I find out what going on with it. I have no correspondence from Apple yet saying it was denied and why.
https://developer.apple.com/documentation/bundleresources/entitlements/com.apple.developer.persistent-content-capture?language=objc
Thank you.
I applied for the Family Controls (Distribution) entitlement on November 22nd. But I never received a confirmation email after I submitted the request.
I then reached out to support who said they would check with the internal team to at least confirm if I had applied.
It's now been 20 days and I have received no updates on the status of my application.
This entitlement is existential to my app and I have been completely blocked while waiting for this as I can't even distribute the app on TestFlight.
I've considered reapplying again just to be safe, but I am worried that might make things worse.
I am a bootstrapped solo founder, and a prolonged delay (or outright denial) of this entitlement would be devastating to me.
Does anyone have any advice on where to go from here?
I got a error when validate App as flow
Asset validation failed
App sandbox not enabled. The following executables must include the "com.apple.security.app-sandbox" entitlement with a Boolean value of true in the entitlements property list: [( "com.***.yyy.pkg/Payload/***.app/Contents/MacOS/zzz" )] Refer to App Sandbox page at https://developer.apple.com/documentation/security/app_sandbox for more information on sandboxing your app. (ID: dc264017-f236-4e89-a100-e69c7f0fb318)
zzz is a command tool build by make, I need codesign it.
#1. use two lines below, run succes, but get 'App sandbox not enabled' problem
codesign -s "TTT1" -f -v --timestamp --options runtime dist/m_arm64/zzz
codesign -s "TTT1" -f -v --timestamp --options runtime dist/m_x64/zzz
#2. use two lines below, reduce 'App sandbox not enabled' , but run zzz get 'zsh: trace trap'
codesign -s "TTT2" -o runtime --entitlements zzz.entitlements -f dist/debug/zzz
codesign -s "TTT2" -o runtime --entitlements zzz.entitlements -f dist/debug/zzz
lipo -create dist/m_arm64/zzz dist/m_x64/zzz -output dist/zzz
lipo -archs dist/zzz
otool -L dist/zzz
the zzz.entitlements content is
the Info.plist embedded in zzz is
#codesign both success
codesign -d -vvv ./zzz
#use method 2, the sandbox poblem ok
codesign --display --entitlements - ./zzz
why when codesign with entitlements, the zzz cant run success? if I upload to appstore, the client will get the zsh error?
Has anyone encountered this kind of problem before?
Reference:
https://developer.apple.com/documentation/xcode/embedding-a-helper-tool-in-a-sandboxed-app
What is the actual ASN.1 structure of the DER encoded entitlements used for iOS and MacOS applications?
You can see a sample output at 'The Future is DER', but is there any official documentation or definition?
I have a werid case that shouldn't happen according to https://forums.developer.apple.com/forums/thread/706390
I have an audio unit which runs in FCP and I want it to launch a sandboxed app as a child process.
If I sign the child app with just "com.apple.security.app-sandbox" entitlement it crashes with SYSCALL_SET_PROFILE error.
According to the article referenced above: "This indicates that the process tried to setup its sandbox profile but that failed, in this case because it already has a sandbox profile."
This makes sense because audio units run in a sandboxed environment (in AUHostingService process).
So I added "com.apple.security.inherit" to the entitlements plist and now I get "Process is not in an inherited sandbox." error.
According to the article referenced above: "Another cause of a trap within _libsecinit_appsandbox is when a nonsandboxed process runs another program as a child process and that other program’s executable has the com.apple.security.app-sandbox and com.apple.security.inherit entitlements. That is, the child process wants to inherit its sandbox from its parent but there’s nothing to inherit."
And this doesn't make sense at all. The first error indicates the child process is trying to create a sandboxed environment within a parent sandboxed environment while the second error indicates there's no a parent sandboxed environment...
I specifically checked the child process has "com.apple.security.app-sandbox" and "com.apple.security.inherit" entitlements only.
If I remove all entitlements from the child process it launches and runs fine from the audio unit plugin. And if I remove "com.apple.security.inherit" but leave "com.apple.security.app-sandbox" I can successfully launch the app in standalone mode (in Finder).
For the testing puroses I use a simple Hello World desktop application generated by XCode (Obj-C).
Does anybody have an idea what can be the reason for such a weird behavior?
I want to use the com.apple.vm.networking entitlement which has a note:
This entitlement is restricted to developers of virtualization software. To request this entitlement, contact your Apple representative.
https://developer.apple.com/support/technical/ says:
« Request entitlements using entitlement forms and ask for status updates in the resulting email thread. » but I haven't been able to find these "entitlement forms". Does anyone know what the right process is to request an entitlement?
We have a DriverKit entitlement for our USB driver. We now wish to use this same driver with a variant of our existing application. Of course this application has its own separate App ID and will be published in the App Store alongside our existing application.
Will we need to go back to the well and ask Apple for another entitlement?
Hello,
I cannot build a signed app that will both be accepted by Testflight and run locally. Only one or the other!
I'm singing my .app and building the package thus:
CODESIGN_ID="Apple Distribution: company (number)"
INSTALLSIGN_ID="3rd Party Mac Developer Installer: company (number)"
codesign --force --deep --entitlements plist.xcent -o runtime --timestamp --sign "$CODESIGN_ID" myapp.app
productbuild --sign "$INSTALLSIGN_ID" --timestamp --component myapp.app /Applications myapp.pkg
With entitlements:
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
<key>com.apple.security.get-task-allow</key>
<false/>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.network.client</key>
<true/>
<key>com.apple.security.files.user-selected.read-write</key>
<true/>
<key>com.apple.security.inherit</key>
<true/>
<key>com.apple.application-identifier</key>
<string>TEAM.com.COMPANY.APPNAME</string>
<key>com.apple.developer.team-identifier</key>
<string>TEAM/string>
</dict>
</plist>
If I leave out the last two entitlements "com.apple.application-identifier" and
"com.apple.developer.team-identifier", the package validates and runs locally. It can be uploaded but it is NOT accepted by Testflight.
When i add the last two entitlements (above), it will not validate until i also add in my provisioning profile into; myapp.app/Contents/embedded.provisionprofile
When this is done, the package validates, uploads and is accepted by Testflight. It can be tested and runs.
But, myapp.app will no longer run locally!! no will the local copy of myapp.pkg install. It will only run through Testflight or will run again if i take out the above keys that Testflight apparently requires.
Can anyone shed any light on this? Am i doing something wrong.
Thanks for any help.
Hi,
we have received an Application via App Transfer recently. I am now trying to generate a provisioning profile for App Store distribution.
When we set the checkmark in Capabilities to use "iCloud Key-value storage" we cannot get "automatically manage signing" to work with an error:
Provisioning profile "iOS Team Provisioning Profile: com.some.bundle.identifier" doesn't match the entitlements file's value for the com.apple.developer.ubiquity-kvstore-identifier entitlement.
When a Provisioning Profile is manually generated via Developer Portal the com.apple.developer.ubiquity-kvstore-identifier entry shows the value of the previous app owner: "OLDTEAM.com.some.bundle.identifier".
How can we change the com.apple.developer.ubiquity-kvstore-identifier value in our provisioning profile to get rid of the old team identifier?
Help is much appreciated, thank you.
FB15898983
/Users/varunashokbhaisidpara/Desktop/Screenshot 2024-11-15 at 5.43.44 PM.png
This error occurs When I try to upload an app on the test flight or App Store. I checked "Automatically manage signing" in the main target. and i have added extensions DeviceActivityMonitorExtension, ShieldConfigurationExtension, ShieldActionExtension, DeviceActivityReport. and all have selected "Automatically manage signing" in the target > signing and capability.
pls provide me with an exact solution set by step.
Thank you
I'm working on a system extension leveraging endpoint security entitlement. However, while in development, is there a way to continue working and testing locally without having the endpoint security entitlement approved or needing the extension signed.
I got these errors running a build:
Provisioning profile "Mac Team Provisioning Profile: "com.xxxxx.extension" doesn't include the com.apple.developer.endpoint-security.client entitlement.
Is it correct to codesign dylib/framewoks with entitlements? My understanding is that only executables need to have the entitlement and the dylibs loaded in that process will automatically inherit those entitlements.
However, I am seeing a lot of scripts on the internet that are signing dylibs as well with entitlements. For eg -
# sign *.dylibs
find "$APP_BUNDLE" -type f -name "*.dylib" -exec codesign --deep --force --verify --verbose --timestamp --options runtime --entitlements "$ENTITLEMENTS_FILE" --sign "$SIGNING_IDENTITY" {} \;
Is this even allowed? I know of at least one app that has passed notarization checks as well. If allowed, can a dylib have more entitlements than the process that loaded it?
I recently completed an app transfer from one developer account to another (both controlled by me). The old team ID was GZS3K47B3Y, the new one is LRG5645LP7.
Almost everything is working properly, but I am seeing that my iCloud Key-Value store (NSUbiquitousKeyValueStore) is no longer shared across my app and app extensions after the transfer.
Previously, my app and app extensions all shared a single iCloud Key-Value store, and they could all read/write to the same iCloud synced store. This is no longer working after the app transfer.
According to this support page (https://developer.apple.com/help/app-store-connect/transfer-an-app/overview-of-app-transfer):
"If your app uses iCloud Key-Value Storage (KVS), the full KVS value will be embedded in any new provisioning profiles you create for the transferred app. Update your entitlements plist with the full KVS value in your provisioning profile."
This seems to be the case for the main app, whose provisioning profile contains the full value:
com.apple.developer.ubiquity-kvstore-identifier: GZS3K47B3Y.com.serpentisei.studyjapanese
But the app extension's provisioning profile now contains:
com.apple.developer.ubiquity-kvstore-identifier: LRG5645LP7.*
Is there a way to update the app extension provisioning profile to also include the original identifier from before the transfer, so that I can continue to share iCloud KVS access across the app and extension?
Thanks!
After installing n application to my AppleTv I can't open it up. I get:
This app cannot be installed because its integrity could not be verified.
Hello everyone,
We develop an app called Unite (bundle ID: com.BZG.Unite), which allows users to create standalone macOS applications from websites. These user-generated apps are based on a backend browser template called DefaultApp (bundle ID: com.bzg.default.app). Here's how our setup works:
Unite and DefaultApp: Both are signed with our Developer ID and include necessary provisioning profiles and entitlements.
User-Created Apps: When a user creates an app with Unite, it generates a customized version of DefaultApp with the user's chosen name and settings. These apps are ad-hoc signed upon creation to reflect their unique identity.
Issue
Since updating to macOS 15, every time a user launches a created app, they encounter a persistent prompt asking for permission to access files outside the app's container. Granting full disk access in System Preferences suppresses the prompt, but this is not a practical solution for end-users.
Upon launching a user-created app (e.g., "ExampleTest"), the following prompt appears:
This prompt appears on every launch of the app.
Steps to Reproduce
On a Mac running macOS 15, create a new app using Unite (e.g., "ExampleTest").
Launch the newly created app.
Observe the prompt requesting access to files outside the app's container.
Close and relaunch the app; the prompt appears again.
What We Have Tried
Given that our apps use an app group (group.BZG.unite.sharedData) to share data between Unite, DefaultApp, and user-created apps, we believe this is triggering the prompt due to changes in System Integrity Protection (SIP) in macOS 15. We are further confident given that if the user does not allow access, the app does launch, but shows an error indicating that the created app was unable to access the data that is typically in the shared group.
Here’s a summary of our troubleshooting efforts:
1. Adjusting App Group Configuration
Ensured the app group name aligns with Apple's guidelines, including prefixing with the Team ID (teamid.group.BZG.unite.sharedData).
Verified that the app group is correctly declared in the com.apple.security.application-groups entitlement.
2. Provisioning Profile Creation
Generated provisioning profiles via Xcode and the Developer Console, ensuring the app group entitlement is included.
Applied the provisioning profile to the user-created app during code signing.
Despite these efforts, the issue continues.
3. Entitlements and Code Signing
Created an entitlements file for the user-created app, mirroring the entitlements from DefaultApp, including:
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.application-identifier</key>
<string>id.com.BZG.ExampleTest</string>
<key>com.apple.developer.team-identifier</key>
<string>id</string>
<key>com.apple.security.application-groups</key>
<array>
<string>id.group.BZG.unite.sharedData</string>
</array>
<key>com.apple.security.app-sandbox</key>
<true/>
</dict>
</plist>
Signed the user-created app with our Developer ID and the provisioning profile
Verified the entitlements
4. Reviewing System Logs
Observed error messages indicating unsatisfied entitlements:
message: com.BZG.ExampleTest: Unsatisfied entitlements: com.apple.security.application-groups
**5. Consulting Documentation and WWDC Sessions
**
Referenced post on App Groups in macOS vs iOS.
Reviewed the macOS 15 Release Notes regarding SIP and app group container protection.
Watched WWDC 2024 Session 10123: What's new in privacy, starting at 12:23.
Questions
Is there a way to authorize the com.apple.security.application-groups entitlement in the provisioning profile for ad-hoc signed apps?
Given the SIP changes in macOS 15, how can we enable our ad-hoc signed, user-generated apps to access the app group container without triggering the persistent prompt?
Are there alternative approaches to sharing data between the main app and user-generated apps that comply with macOS 15's SIP requirements?
Is there anything to try that we're missing here to solve this?
Any guidance on how to resolve this issue or workarounds to allow app group access without triggering the prompt would be greatly appreciated.
Thank you for your assistance!
Hey folks,
I developed a DLP program based on Endpoint Security for the enterprise, and everything functioned normally. I also applied for the development permission of Endpoint Security before, which took 3 months. Now I want to distribute the software internally, so I tried to apply for a certificate for distribution permission. After waiting for 3 months, Apple told me that the permission was rejected.
This is the replay content:
Thank you for your interest in Endpoint Security. After carefulconsideration, we regret that we're unable to approve your request at this time. If you'd like to submit another request for this capability, please review andconfirm that your app details and justification meet the criteria before resubmittting.
Rejecting duplicate request.
Apple Developer Relations
I don't know what's wrong, what should I do to get distribution or developer id permissions.
Hi,
I just updated my machine to macOS 15, and while developing and running my app (with Xcode), I keep getting messages about my app "would like to access data from other apps". This happens even from Xcode Previews, so it's pretty annoying. My production app doesn't seem to be affected by this problem; the system prompt just pops when running the debug version.
I came across something about App Groups in macOS and how something has changed in macOS15 regarding system permissions. I use the "group.***" prefix in my macOS app, without the team prefix. Is that the problem here? But why is my production app working fine, but the development app is triggering the prompt repeatedly?
Would love any feedback or workarounds.
Thanks.
Hi.
I'm an iOS developer,
We are creating a Automaker Carplay app for an Automaker provider, but we are facing some troubles:
Xcode error:
Provisioning profile "iOS Team Provisioning Profile: BundleIdentifier" doesn't match the entitlements file's value for the com.apple.developer.carplay-protocols entitlement.
We have the entitlements requested and approved by apple, but we cannot deploy the app in real devices. We don't know if we need to do an extra step.
Thank you very much.
We are developing an application for local file discovery and transfer.
We applied to Apple for two permissions. One is com.apple.developer.networking.multicast, which supports the four provisioning profiles: Development, Ad hoc, App Store Connect, and Developer ID. The other is com.apple.developer.device-information.user-assigned-device-name, but Apple only approved it for Development and Ad hoc, without granting App Store Connect support. This prevents us from using the user-assigned-device-name permission in the archive.
Could you please clarify the situation? How can we get user-assigned-device-name supported for App Store Connect?