General: Forums topic: Code Signing Forums subtopics: Code Signing > General, Code Signing > Certificates, Identifiers & Profiles, Code Signing > Notarization, Code Signing > Entitlements Forums tags: Code Signing, Signing Certificates, Provisioning Profiles, Entitlements Developer Account Help — This document is good in general but, in particular, the Reference section is chock-full of useful information, including the names and purposes of all certificate types issued by Apple Developer web site, tables of which capabilities are supported by which distribution models on iOS and macOS, and information on how to use managed capabilities. Developer > Support > Certificates covers some important policy issues Bundle Resources > Entitlements documentation TN3125 Inside Code Signing: Provisioning Profiles — This includes links to the other technotes in the Inside Code Signing series. WWDC 2021 Session 10204 Distribute apps in Xcode with cloud signing Certificate Signing Requests Explained forums post --deep Considered Harmful forums post Don’t Run App Store Distribution-Signed Code forums post Resolving errSecInternalComponent errors during code signing forums post Finding a Capability’s Distribution Restrictions forums post Signing code with a hardware-based code-signing identity forums post New Capabilities Request Tab in Certificates, Identifiers & Profiles forums post Isolating Code Signing Problems from Build Problems forums post Investigating Third-Party IDE Code-Signing Problems forums post Determining if an entitlement is real forums post Code Signing Identifiers Explained forums post Mac code signing: Forums tag: Developer ID Creating distribution-signed code for macOS documentation Packaging Mac software for distribution documentation Placing Content in a Bundle documentation Embedding nonstandard code structures in a bundle documentation Embedding a command-line tool in a sandboxed app documentation Signing a daemon with a restricted entitlement documentation Defining launch environment and library constraints documentation WWDC 2023 Session 10266 Protect your Mac app with environment constraints TN2206 macOS Code Signing In Depth archived technote — This doc has mostly been replaced by the other resources linked to here but it still contains a few unique tidbits and it’s a great historical reference. Manual Code Signing Example forums post The Care and Feeding of Developer ID forums post TestFlight, Provisioning Profiles, and the Mac App Store forums post For problems with notarisation, see Notarisation Resources. For problems with the trusted execution system, including Gatekeeper, see Trusted Execution Resources. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"

I can't upload my macOS app to app store connect. Each time i try to upload, i see this message: Provisioning profile failed qualification Profile doesn't support App Groups. An empty app without an app group uploads fine, but if i add an app group to it, it does not upload.

Hello, We're developing endpoint security software using the Endpoint Security framework, and we've encountered challenges with the behavior change in macOS 15 regarding provisioning UDIDs in cloned VMs. The Change Prior to macOS 15, cloning a VM preserved its UDID (format: 0000FE00-9C4ED9F68BBDC72D). Starting with macOS 15, cloned VMs receive a new UDID generated from the host's Secure Enclave (format: b043d27202c7ac37ca3c6b82673302225485cae9), making each clone effectively a new device. Our Workflow We maintain a clean base VM image and clone it for each test run. We add the base VM's UDID to our provisioning profile once, then create clones which (previously) retained that same UDID, allowing us to start new testing cycles without re-registering devices. This is essential because our product involves low-level system integration through the Endpoint Security framework, and if something goes wrong during development, it has the potential to affect system stability. To prevent any cascading issues between test runs or different product versions, we need each test to start from a known clean state rather than reusing the same VM. The Challenge With each VM clone generating a new UDID, we're hitting Apple's device registration limits quickly. This particularly impacts: New team members who spin up VMs for the first time and can't run signed builds Our CI/CD pipeline where multiple test environments need provisioning profiles Developers testing different branches who need separate clean environments Current Workaround We've found that VMs created on macOS 14 and upgraded to macOS 15+ retain their original UDID format. However, we're concerned this workaround may stop working in future macOS versions, which would leave us without a viable path forward. If the workaround stops working, our fallback would be signing each CI build with a Developer ID signature to allow running on any device. However, we'd prefer to avoid this as it would significantly increase load on Apple's signing infrastructure for what are essentially internal test builds. We completely understand the security reasoning behind tying UDIDs to the host's Secure Enclave for Apple Account support. However, for development workflows that don't require Apple Account features in VMs but do require clean, isolated test environments, the previous behavior was quite valuable. Question Is there a recommended approach for teams in our situation? We're happy to explore alternative workflows if there's a pattern we're missing, or we'd be glad to provide more context if this is a use case Apple is considering for future updates. Thanks for any guidance you can provide! Feedback case: FB21389730

My iOS app uses CloudKit key-value storage. I have not updated the app in a few years but it works fine. Since it was last updated, I transferred the app from an old organization to my personal developer account. Now that I'm working on the app again I get an error: Provisioning profile "iOS Team Provisioning Profile: com.company.app" doesn't match the entitlements file's value for the com.apple.developer.ubiquity-kvstore-identifier entitlement. In the entitlement file, it has $(TeamIdentifierPrefix)$(CFBundleIdentifier) as the value for iCloud Key-Value Store. I've verified the variables resolve as expected. When I parse the provisioning profile there is no entitlement value for key-value storage. What am I getting wrong?

Hi, I have an app built in Unity that I am trying to sign an notarize for distribution. I can successfully codesign the app and it runs properly. But after successfully notarizing the app, the app stops opening. My process is as follows: # codesign the app. omitting "--deep" "--option runtime" or both will result in notarization failing codesign --force --deep --verify --verbose --option runtime --sign "Developer ID Application: ORG NAME (ZZZZZZZZZ)" path/to/app.app # create notarization submission zip /usr/bin/ditto -c -k --keepParent path/to/app.app path/to/app.zip # submit for notarization xcrun notarytool submit --wait path/to/app.zip -v --apple-id apple@id.com --password "aaaa-aaaa-aaaa-aaaa" --team-id "ZZZZZZZZZ" Notarization seems to succeed. Running: spctl -a -vvv -t install path/to/app.app -returns: path/to/app.app: accepted source=Notarized Developer ID origin=Developer ID Application: JOHN DOE (ZZZZZZZZZ) The Problem: Before code signature, the app runs normally After code signature, the app runs normally After notarization, the app hangs indefinitely on opening. It stays in the Dock until force quit. The app does not create its main window. There are no Gatekeeper warnings or pop-up windows. Additional Information: The second time I attempt to open the application I get a pop-up warning me that the app was force-quit while opening windows. This happens whether or not I have used xcrun stapler to staple the notarization to the app This happens whether I run the app from the terminal, by double clicking on the .app package, or by running the Unix Executable within Contents/MacOS/ Any idea how I can debug this and figure out what's going wrong? Any help would be greatly appreciated.

Hi Forum I am working on an ios app with a companion watchos app. The watchos app was made in 2018, it uses watchkit and has a watchkit app target and a watchkit app extension target. When I started working on it, the app was already published and running. More importantly, the watch app was installing on the users watch automatically, when the app was installed on their phones. I came in and made some changes, updated some things and added some smaller features. After uploading to testflight and testing the app there, we sent it for review and updated the app. This updated app, introduced the issue that when users now downloaded the app, the watch app seems to be missing. For me, downloading this new version on either testflight or app store works fine, but whenever my boss or a new user does it, the watch app is missing. I have tried to go back to the older version of the app I started with, but this doesn't seem to change anything. My coworker tried to do do the same thing, uploading the old version, but with a new version number and everything works like normal. He suggested the reason was that he uses xcode 16, while I use xcode 26 and the updated xcode has some slightly different settings, which can mess it up. Does anybody know about this or have the same problem? And is it correct that it can be the way settings are handled in xcode 26 compared to 16?

Hi! I've been scratching my brain for a few days now to no avail. I have a Perl project that I need to embed within my app. Perl includes a pp command (https://metacpan.org/pod/pp) which takes the runtime binary and then slaps the Perl code at the end of the binary itself which in brings some woes in a sense that the binary then needs to be "fixed" (https://github.com/rschupp/PAR-Packer/tree/master/contrib/pp_osx_codesign_fix) by removing the linker-provided signature and fixing LINKEDIT and LC_SYMTAB header sections of the binary. Nevertheless, I've successfully gotten the binary built, fixed up and codesigned it via codesign -s '$CS' mytool (where $CS is the codesigning identity). I can verify the signature as valid using codesign -v --display mytool: Identifier=mytool Format=Mach-O thin (arm64) CodeDirectory v=20400 size=24396 flags=0x0(none) hashes=757+2 location=embedded Signature size=4820 Signed Time=5. 1. 2026 at 8:54:53 PM Info.plist=not bound TeamIdentifier=XXXXXXX Sealed Resources=none Internal requirements count=1 size=188 It runs without any issues in Terminal, which is great. As I need to incorporate this binary in my app which is sandboxed, given my experience with other binaries that I'm including in the app, I need to codesign the binary with entitlements com.apple.security.app-sandbox and com.apple.security.inherit. So, I run: codesign -s '$CS' --force --entitlements ./MyTool.entitlements --identifier com.charliemonroe.mytool mytool ... where the entitlements file contains only the two entitlements mentioned above. Now I add the binary to the Xcode project, add it to the copy resources phase and I can confirm that it's within the bundle and that it's codesigned: codesign -vvvv --display MyApp.app/Contents/Resources/mytool Identifier=com.xxx.xxx.xxx Format=Mach-O thin (arm64) CodeDirectory v=20500 size=24590 flags=0x10000(runtime) hashes=757+7 location=embedded VersionPlatform=1 VersionMin=1703936 VersionSDK=1704448 Hash type=sha256 size=32 CandidateCDHash sha256=0a9f93af81e8e5cb286c3df6e638b2f78ab83a9e CandidateCDHashFull sha256=0a9f93af81e8e5cb286c3df6e638b2f78ab83a9edf463ce45d1cd3f89a6a4a00 Hash choices=sha256 CMSDigest=0a9f93af81e8e5cb286c3df6e638b2f78ab83a9edf463ce45d1cd3f89a6a4a00 CMSDigestType=2 Executable Segment base=0 Executable Segment limit=32768 Executable Segment flags=0x1 Page size=16384 CDHash=0a9f93af81e8e5cb286c3df6e638b2f78ab83a9e Signature size=4800 Authority=Apple Development: XXXXXX (XXXXXX) Authority=Apple Worldwide Developer Relations Certification Authority Authority=Apple Root CA Signed Time=9. 1. 2026 at 5:12:22 PM Info.plist=not bound TeamIdentifier=XXXXX Runtime Version=26.2.0 Sealed Resources=none Internal requirements count=1 size=196 codesign --display --entitlements :- MyApp.app/Contents/Resources/mytool <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>com.apple.security.app-sandbox</key><true/><key>com.apple.security.inherit</key><true/></dict></plist> All seems to be in order! But not to Gatekeeper... Attempting to run this using the following code: let process = Process() process.executableURL = Bundle.main.url(forResource: "mytool", withExtension: nil)! process.arguments = arguments try process.run() process.waitUntilExit() Results in failure: process.terminationStatus == 255 Console shows the following issues: default 17:12:40.686604+0100 secinitd mytool[88240]: root path for bundle "<private>" of main executable "<private>" default 17:12:40.691701+0100 secinitd mytool[88240]: AppSandbox request successful error 17:12:40.698116+0100 kernel exec of /Users/charliemonroe/Library/Containers/com.charliemonroe.MyApp/Data/tmp/par-636861726c69656d6f6e726f65/cache-9c78515c29320789b5a543075f2fa0f8072735ae/mytool denied since it was quarantined by MyApp and created without user consent, qtn-flags was 0x00000086 Quarantine, hum? So I ran: xattr -l MyApp.app/Contents/Resources/mytool None listed. It is a signed binary within a signed app. There are other binaries that are included within the app and run just fine exactly this way (most of them built externally using C/C++ and then codesigned exectly as per above), so I really don't think it's an issue with the app's sandbox setup... Is there anyone who would be able to help with this? Thank you in advance!

Notarization Rejects Valid Developer ID Certificates - Apple Infrastructure Issue? Environment macOS: 15.6.1 Xcode: 26.0.1 Architecture: arm64 (Apple Silicon) Team ID: W---------- Certificate Status: Valid until 2030 (verified on developer.apple.com) Problem Apple's notarization service consistently rejected properly signed packages with error: "The binary is not signed with a valid Developer ID certificate." Despite: ✅ Valid certificates on developer.apple.com ✅ Local signing succeeds (codesign --verify passes) ✅ Proper certificate/key pairing verified ✅ Package structure correct Failed Submission IDs September 2025: adeeed3d-4732-49c6-a33c-724da43f9a4a 5a910f51-dc6d-4a5e-a1c7-b07f32376079 3930147e-daf6-4849-8b0a-26774fd92c3c b7fc8e4e-e03c-44e1-a68e-98b0db38aa39 d7dee4a1-68e8-44b5-85e9-05654425e044 da6fa563-ba21-4f9e-b677-80769bd23340 What I've Tried Re-downloaded fresh certificates from Apple Developer Portal Verified certificate chain locally Tested with multiple different builds Confirmed Team ID matches across all configurations Verified no unsigned nested components Waited 3 months for potential propagation delays Verified all agreements are current and accepted Re-tested with minimal test package - same error persists Local Verification # Certificates present and valid security find-identity -v -p codesigning | grep "Developer ID" 1) XXXXXXXXXX "Developer ID Application: <<REDACTED>> (W----------)" 2) XXXXXXXXXX "Developer ID Installer: <<REDACTED>> (W----------)" # Signing succeeds codesign --verify --deep --strict --verbose=2 [app] → Success Question This appears similar to thread #784184. After 3 months and ensuring all agreements are signed, the issue persists with identical error. The certificates work for local signing but Apple's notarization service rejects them. Could this be: Backend infrastructure issue with Team ID W----------? Certificate not properly registered in Apple's notarization database? Known issue requiring Apple Support intervention? Has anyone else experienced valid Developer ID certificates being rejected specifically by the notarization service while working locally?

Environment: MacBook Air Apple M2 (macOS Tahoe 26.1) Xcode 26.0 (17A324) Automatic signing enabled Feedback ID: FB21537761 Issue: I'm developing a multiplatform app and encountered an automatic signing failure immediately after adding the Keychain capability. Xcode displays the following error: Automatic signing failed Xcode failed to provision this target. Please file a bug report at https://feedbackassistant.apple.com and include the Update Signing report from the Report navigator. Provisioning profile "Mac Team Provisioning Profile: com.xxx. xxx" doesn't include the currently selected device "FIRF‘s MacBook Air" (identifier 00008112-000904CA3441xxxx). What I've Investigated/Tried: Checked the developer account devices and found that the device with identifier 00008112-000904CA3441xxxx is incorrectly labeled as an “iPod” (it is actually my MacBook Air). Attempted to manually enroll the Mac again, but it still appears as an iPod in the device list. Tried creating a provisioning profile manually, but no devices are available for selection in the device list when generating the profile. Question: Has anyone encountered a similar issue where a Mac is misidentified as an iPod in the developer portal, leading to provisioning failures? Any suggestions on how to resolve this or work around the device recognition problem? Thank you in advance for your help.

Code signing uses various different identifier types, and I’ve seen a lot of folks confused as to which is which. This post is my attempt to clear up that confusion. If you have questions or comments, put them in a new thread, using the same topic area and tags as this post. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" Code Signing Identifiers Explained An identifier is a short string that uniquely identifies a resource. Apple’s code-signing infrastructure uses identifiers for various different resource types. These identifiers typically use one of a small selection of formats, so it’s not always clear what type of identifier you’re looking at. This post lists the common identifiers used by code signing, shows the expected format, and gives references to further reading. Unless otherwise noted, any information about iOS applies to iOS, iPadOS, tvOS, visionOS, and watchOS. Formats The code-signing identifiers discussed here use one of two formats: 10-character This is composed of 10 ASCII characters. For example, Team IDs use this format, as illustrated by the Team ID of one of Apple’s test teams: Z7P62XVNWC. Reverse-DNS This is composed of labels separated by a dot. For example, bundle IDs use this format, as illustrated by the bundle ID of the test app associated with this post: com.example.tn3NNNapp. The Domain Name System has strict rules about domain names, in terms of overall length, label length, text encoding, and case sensitivity. The reverse-DNS identifiers used by code signing may or may not have similar limits. When in doubt, consult the documentation for the specific identifier type. Reverse-DNS names are just a convenient way to format a string. You don’t have to control the corresponding DNS name. You can, for example, use com.<SomeCompany>.my-app as your bundle ID regardless of whether you control the <SomeCompany>.com domain name. To securely associate your app with a domain, use associated domains. For more on that, see Supporting associated domains. IMPORTANT Don’t use com.apple. in your reverse-DNS identifiers. That can yield unexpected results. Identifiers The following table summarises the identifiers covered below: Name | Format | Example | Notes ---- | ------ | ------- | ----- Team ID | 10-character | `Z7P62XVNWC` | Identifies a developer team User ID | 10-character | `UT376R4K29` | Identifies a developer Team Member ID | 10-character | `EW7W773AA7` | Identifies a developer in a team Bundle ID | reverse-DNS | `com.example.tn3NNNapp` | Identifies an app App ID prefix | 10-character | `Z7P62XVNWC` | Part of an App ID | | `VYRRC68ZE6` | App ID | mixed | `Z7P62XVNWC.com.example.tn3NNNNapp` | Connects an app and its provisioning profile | | `VYRRC68ZE6.com.example.tn3NNNNappB` | Code-signing identifier | reverse-DNS | `com.example.tn3NNNapp` | Identifies code to macOS | | `tn3NNNtool` | App group ID | reverse DNS | `group.tn3NNNapp.shared` | Identifies an app group | reverse DNS | `Z7P62XVNWC.tn3NNNapp.shared` | Identifies an macOS-style app group As you can see, there’s no clear way to distinguish a Team ID, User ID, Team Member ID, and an App ID prefix. You have to determine that based on the context. In contrast, you choose your own bundle ID and app group ID values, so choose values that make it easier to keep things straight. Team ID When you set up a team on the Developer website, it generates a unique Team ID for that team. This uses the 10-character format. For example, Z7P62XVNWC is the Team ID for an Apple test team. When the Developer website issues a certificate to a team, or a user within a team, it sets the Subject Name > Organisational Unit field to the Team ID. When the Developer website issues a certificate to a team, as opposed to a user in that team, it embeds the Team ID in the Subject > Common Name field. For example, a Developer ID Application certificate for the Team ID Z7P62XVNWC has the name Developer ID Application: <TeamName> (Z7P62XVNWC). ### User ID When you first sign in to the Developer website, it generates a unique User ID for your Apple Account. This User ID uses the 10-character format. For example, UT376R4K29 is the User ID for an Apple test user. When the Developer website issues a certificate to a user, it sets the Subject Name > User ID field to that user’s User ID. It uses the same value for that user in all teams. Team Member ID When you join a team on the Developer website, it generates a unique Team Member ID to track your association with that team. This uses the 10-character format. For example, EW7W773AA7 is the Team Member ID for User ID UT376R4K29 in Team ID Z7P62XVNWC. When the Developer website issues a certificate to a user on a team, it embeds the Team Member ID in the Subject > Common Name field. For example, an Apple Development certificate for User ID UT376R4K29 on Team ID Z7P62XVNWC has the name Apple Development: <UserName> (EW7W773AA7). IMPORTANT This naming system is a common source of confusion. Developers see this ID and wonder why it doesn’t match their Team ID. The advantage of this naming scheme is that each certificate gets a unique name even if the team has multiple members with the same name. The John Smiths of this world appreciate this very much. Bundle ID A bundle ID is a reverse-DNS identifier that identifies a single app throughout Apple’s ecosystem. For example, the test app associated with this post has a bundle ID of com.example.tn3NNNapp. If two apps have the same bundle ID, they are considered to be the same app. Bundle IDs have strict limits on their format. For the details, see CFBundleIdentifier. If your macOS code consumes bundle IDs — for example, you’re creating a security product that checks the identity of code — be warned that not all bundle IDs conform to the documented format. And non-bundled code, like a command-line tool or dynamic library, typically doesn’t have a bundle ID. Moreover, malicious code might use arbitrary bytes as the bundle ID, bytes that don’t parse as either ASCII or UTF-8. WARNING On macOS, don’t assume that a bundle ID follows the documented format, is UTF-8, or is even text at all. Do not assume that a bundle ID that starts with com.apple. represents Apple code. A better way to identify code on macOS is with its designated requirement, as explained in TN3127 Inside Code Signing: Requirements. On iOS this isn’t a problem because the Developer website checks the bundle ID format when you register your App ID. App ID prefix An App ID prefix forms part of an App ID (see below). It’s a 10-character identifier that’s either: The Team ID of the app’s team A unique App ID prefix Note Historically a unique App ID prefix was called a Bundle Seed ID. A unique App ID prefix is a 10-character identifier generated by Apple and allocated to your team, different from your Team ID. For example, Team ID Z7P62XVNWC has been allocated the unique App ID prefix of VYRRC68ZE6. Unique App ID prefixes are effectively deprecated: You can’t create a new App ID prefix. So, unless your team is very old, you don’t have to worry about unique App ID prefixes at all. If a unique App ID prefix is available to your team, it’s possible to create a new App ID with that prefix. But doing so prevents that app from sharing state with other apps from your team. Unique app ID prefixes are not supported on macOS. If your app uses a unique App ID prefix, you can request that it be migrated to use your Team ID by contacting Apple > Developer > Contact Us. If you app has embedded app extensions that also use your unique App ID prefix, include all those App IDs in your migration request. WARNING Before migrating from a unique App ID prefix, read App ID Prefix Change and Keychain Access. App ID An App ID ties your app to its provisioning profile. Specifically: You allocate an App ID on the Developer website. You sign your app with an entitlement that claims your App ID. When you launch the app, the system looks for a profile that authorises that claim. App IDs are critical on iOS. On macOS, App IDs are only necessary when your app claims a restricted entitlement. See TN3125 Inside Code Signing: Provisioning Profiles for more about this. App IDs have the format <Prefix>.<BundleOrWildcard>, where: <Prefix> is the App ID prefix, discussed above. <BundleOrWildcard> is either a bundle ID, for an explicit App ID, or a wildcard, for a wildcard App ID. The wildcard follows bundle ID conventions except that it must end with a star (*). For example: Z7P62XVNWC.com.example.tn3NNNNapp is an explicit App ID for Team ID Z7P62XVNWC. Z7P62XVNWC.com.example.* is a wildcard App ID for Team ID Z7P62XVNWC. VYRRC68ZE6.com.example.tn3NNNNappB is an explicit App ID with the unique App ID prefix of VYRRC68ZE6. Provisioning profiles created for an explicit App ID authorise the claim of just that App ID. Provisioning profiles created for a wildcard App ID authorise the claim of any App IDs whose bundle ID matches the wildcard, where the star (*) matches zero or more arbitrary characters. Wildcard App IDs are helpful for quick tests. Most production apps claim an explicit App ID, because various features rely on that. For example, in-app purchase requires an explicit App ID. Code-signing identifier A code-signing identifier is a string chosen by the code’s signer to uniquely identify their code. IMPORTANT Don’t confuse this with a code-signing identity, which is a digital identity used for code signing. For more about code-signing identities, see TN3161 Inside Code Signing: Certificates. Code-signing identifiers exist on iOS but they don’t do anything useful. On iOS, all third-party code must be bundled, and the system ensures that the code’s code-signing identifier matches its bundle ID. On macOS, code-signing identifiers play an important role in code-signing requirements. For more on that topic, see TN3127 Inside Code Signing: Requirements. When signing code, see Creating distribution-signed code for macOS for advice on how to select a code-signing identifier. If your macOS code consumes code-signing identifiers — for example, you’re creating a security product that checks the identity of code — be warned that these identifiers look like bundle IDs but they are not the same as bundle IDs. While bundled code typically uses the bundled ID as the code-signing identifier, macOS doesn’t enforce that convention. And non-bundled code, like a command-line tool or dynamic library, often uses the file name as the code-signing identifier. Moreover, malicious code might use arbitrary bytes as the code-signing identifier, bytes that don’t parse as either ASCII or UTF-8. WARNING On macOS, don’t assume that a code-signing identifier is a well-formed bundle ID, UTF-8, or even text at all. Don’t assume that a code-signing identifier that starts with com.apple. represents Apple code. A better way to identify code on macOS is with its designated requirement, as explained in TN3127 Inside Code Signing: Requirements. App Group ID An app group ID identifies an app group, that is, a mechanism to share state between multiple apps from the same team. For more about app groups, see App Groups Entitlement and App Groups: macOS vs iOS: Working Towards Harmony. App group IDs use two different forms of reverse-DNS identifiers: iOS-style This has the format group.<GroupName>, for example, group.tn3NNNapp.shared. macOS-style This has the format <TeamID>.<GroupName>, for example, Z7P62XVNWC.tn3NNNapp.shared. The first form originated on iOS but is now supported on macOS as well. The second form is only supported on macOS. iOS-style app group IDs must be registered with the Developer website. That ensures that the ID is unique and that the <GroupName> follows bundle ID rules. macOS-style app group IDs are less constrained. When choosing such a macOS-style app group ID, follow bundle ID rules for the group name. If your macOS code consumes app group IDs, be warned that not all macOS-style app group IDs follow bundle ID format. Indeed, malicious code might use arbitrary bytes as the app group ID, bytes that don’t parse as either ASCII or UTF-8. WARNING Don’t assume that a macOS-style app group ID follows bundle ID rules, is UTF-8, or is even text at all. Don’t assume that a macOS-style app group ID where the group name starts with com.apple. represents Apple in any way. Some developers use app group IDs of the form <TeamID>.group.<GroupName>. There’s nothing special about this format. It’s just a macOS-style app group ID where the first label in the group name just happens to be group Starting in Feb 2025, iOS-style app group IDs are fully supported on macOS. If you’re writing new code that uses app groups, use an iOS-style app group ID. This allows sharing between different product types, for example, between a native macOS app and an iOS app running on the Mac. Revision History 2026-01-06 First posted.

I want to help contribute a feature in a virtual-machine app in macOS that supports PCIe device passthrough over thunderbolt. I have a question about the entitlements. Since I do not represent the GPU vendors, would I be allowed to get a driver signed that matches GPU vendor IDs? Is there such a thing as wildcard entitlement for PCIDriverKit? I don't want end-users to have to disable SIP to be able to use this. Any suggestions/leads? Thank you.

As mentioned in the linked post, I can archive the project locally but not via Xcode Cloud. I have also created a new project, but the same thing happens here. https://developer.apple.com/forums/thread/746210 Error Code: ITMS-90035: Invalid Signature. Code failed to satisfy specified code requirement(s). The file at path “{AppName}.app/{AppName}” is not properly signed. Make sure you have signed your application with a distribution certificate, not an ad hoc certificate or a development certificate. Verify that the code signing settings in Xcode are correct at the target level (which override any values at the project level). Additionally, make sure the bundle you are uploading was built using a Release target in Xcode, not a Simulator target. If you are certain your code signing settings are correct, choose “Clean All” in Xcode, delete the “build” directory in the Finder, and rebuild your release target. For more information, please consult https://developer.apple.com/support/code-signing.

There seems to be a problem to a specific Apple Developer Account regarding Xcode Cloud Distribution (Signing). The Xcode Cloud Error Invalid Signature. Code failed to satisfy specified code requirement(s). The file at path “XcodeCloudTest.app/XcodeCloudTest” is not properly signed. Make sure you have signed your application with a distribution certificate, not an ad hoc certificate or a development certificate. Verify that the code signing settings in Xcode are correct at the target level (which override any values at the project level). Additionally, make sure the bundle you are uploading was built using a Release target in Xcode, not a Simulator target. If you are certain your code signing settings are correct, choose “Clean All” in Xcode, delete the “build” directory in the Finder, and rebuild your release target. For more information, please consult https://developer.apple.com/support/code-signing. Investigation Apple Developer Forums This issue seems to be known: https://developer.apple.com/forums/thread/746210 Debugging by ourselves We setup an example Xcode project from a default iOS Xcode app template to rule out any project issues. This example project failed with the same error as stated above. In the next step we tried the same example project with a different Apple Developer Account and it successfully distributed the example App through Xcode Cloud. Conclusion It seems like there is no setup issue on developer-side, because our example project works out-of-the-box on a different Apple Developer Account. Our only hope is that Apple will have a look on our Developer Account. Maybe there is some internal setting.

Hello Apple Developer Forum Community, I’ve got a problem with the signing process of my AppClip Test App. Can someone help me? As I don’t know hot to get the certificate...

Hi everyone, I am trying to generate an .ipa file for my .NET MAUI (net9.0-ios) application, but every attempt fails with the same codesigning error. I have tried multiple approaches, including building from Windows paired to macOS, and directly building through the macOS terminal, but nothing is working. Below are the exact steps I followed: Steps I Performed Generated the Apple Development certificate using Keychain Access on macOS. Added that certificate into my developer account and created the corresponding provisioning profile. Created an App ID, attached the App ID to the provisioning profile, and downloaded it. Added the provisioning profile into Xcode. Verified that the certificate is correctly visible in Keychain Access (private key available). Attempted to build/publish the MAUI app to generate the .ipa file. Issue Whenever I run the publish command or build via Windows/macOS, codesigning fails with the following error: /usr/bin/codesign exited with code 1: Frameworks/libSkiaSharp.framework: replacing existing signature Warning: unable to build chain to self-signed root for signer "Apple Development: Created via API (8388XAA3RT)" Frameworks/libSkiaSharp.framework: errSecInternalComponent Failed to codesign 'PCS_EmpApp.app/Frameworks/libSkiaSharp.framework': Warning: unable to build chain to self-signed root for signer "Apple Development: Created via API (8388XAA3RT)" PCS_EmpApp.app: errSecInternalComponent Build eventually fails with: Build failed with 4 error(s) and 509 warning(s) Environment .NET: 9.0 MAUI: latest tools Xcode: 26.0.1 macOS: 26.0.1 Building for ios-arm64 (device) What I suspect It looks like the signer certificate might not be trusted, or the certificate chain cannot connect to an Apple root CA. But the certificate was created using the Developer website and appears valid. Need Help With Why is codesign unable to build the certificate chain? Do I need a different type of certificate? (App Store / Distribution vs Development?) Is there any special configuration required for MAUI apps using native frameworks like libSkiaSharp.framework? How can I successfully generate the .ipa file? Any guidance will be greatly appreciated. Thank you!

I am using Automatically Manage Signing And I have registered my Mac UUID in developer account, but it is still giving me these errors - Device My Mac is not registered to your team Ai Glider Inc. Devices must be registered in order to run your code, but you do not have permission to register them. Please check with your team's admin. No profiles for 'com.aiexample.sebexample' were found Xcode couldn't find any Mac App Development provisioning profiles matching 'com.aiexample.sebexample'.

I have a Catalyst app ('container') which hosts an embedded AUv3 Audio Unit extension ('plugin'). This used to work for years and has worked with this project until a few days ago. it still works on iOS as expected on MacOS the extension is never registered/installed and won't load extension won't show up with AUVal seems to have stopped working with the 26.1 XCode update I'm fairly certain the problem is not code related (i.e. likely build settings, project settings, entitlements, signing, etc.) I have compared all settings with another still-working project and can't find any meaningful difference (I can't request code-level support because even the minimal thing vastly exceeds the 250 lines of code limit.) How can I debug the issue? I literally don't know where to start to fix this problem, short of rebuilding the entire thing and hope that it magically starts working again.

Hello, I would like to clarify how link association and app-opening preferences work in iOS, specifically when a user opens a URL in a browser that can be handled by an installed application. I have noticed the following behavior: When a user taps a URL that can be opened by an app, iOS sometimes asks whether to open the link in the app or continue in the browser. After choosing an option once (for example, "Open in App" or "Stay in Browser"), it seems that this preference becomes persistent. Even after deleting the application and reinstalling it, the browser (Safari or third-party browsers) sometimes continues to open the link directly in the browser without asking the user again. In some cases, it appears impossible to reset or clear this association, and the user is not prompted again to choose how the link should be opened. My questions are: How exactly does iOS store link-handling preferences between apps and browsers? Are these preferences saved on the system level, inside Safari, or associated with the app installation itself? Is there a way for a user to manually reset or clear these link-opening associations? Should deleting and reinstalling the app reset these preferences, or is the behavior expected to persist? Is this behavior different for Universal Links, App Clips, or for regular URL scheme associations? This situation is important for us because it affects user experience, and at the moment it is difficult to understand or reproduce the internal logic behind these link associations. Thank you in advance for your clarification.

Hi, We have several Apps that use CEF internally for real-time offscreen HTML rendering. Specifically, we have a framework with an embedded XPC service that itself uses CEF to render HTML and sends the resulting IOSurface back to the host App via XPC for rendering in a Metal pipeline. So far our Apps have only been available as a direct download, but recently we have been trying to submit one of them to the MAS and have run into several issues, CEF being one of them. The core of the issue seems to be that submission to the MAS requires that all executables, including XPC services, be signed with the sandbox entitlement. After enabling the sandbox on the host App, my XPC service with CEF continued to function as before. However, after signing the XPC service with the sandbox entitlement, it stopped working. After some research, it seems that the issue here is that the XPC service once signed with the entitlement is running in its own sandbox, and because CEF uses global Mach ports for internal communication, this then fails. Further, I have read from other developers that even if these issues are overcome by e.g. modifying CEF, they have been rejected by the review team because CEF uses some private API calls. So my question is, does anyone have concrete information on whether or not it will be possible to successfully submit an App using CEF in this way (App > Framework > XPC > CEF) for publication on the MAS? Further, as an alternative I have been looking at WebKit, specifically WKWebView and calling "takeSnapshot", as this seems to be the only documented way to retrieve pixels. However, it seems that this method is not designed for real-time rendering. Assuming that CEF is a non-starter for the MAS, is there anything specific that Apple recommends for real-time offscreen HTML rendering? Cheers, Dave Lincoln

Hi there, When I deploy my app to the iPhone for testing, I get the following error: Failed to verify code signature of /var/installd/Library/Caches/com.apple.mobile.installd.staging/temp.4gpZFc/extracted/c_mll.app : 0xe8008018 (The identity used to sign the Please ensure that the certificates used to sign your app have not expired. If this issue persists, please attach an IPA of your app when sending a report to Apple. executable is no longer valid.) My account was mistakenly deactivated by Apple last month. After appealing, Apple restored it at the end of last month. Currently, my Apple Developer account seems to be working fine. Today, I recreated the developer certificate and identifier, added the account in XCode, everything seemed fine, and I clicked the XCode button (Start the active scheme). The build was successful, but I got the error: Failed to verify code signature of /var/installd/Library/Caches/com.apple.mobile.installd.staging/temp.4gpZFc/extracted/c_mll.app : 0xe8008018 (The identity used to sign the executable is no longer valid.) Both my certificate and identifier were created just a few hours ago and show no issues. Before my account was deactivated, everything was working fine. I used a regular non-Apple developer account in XCode and performed the same steps, and it worked fine. I looked at relevant posts on the forum and tried the suggestions, but none of them solved my problem.