You can now easily request access to managed capabilities for your App IDs directly from the new Capability Requests tab in Certificates, Identifiers & Profiles > Identifiers. With this update, view available capabilities in one convenient location, check the status of your requested capabilities, and see any notes from Apple related to your requests. Learn more about capability requests.

I am developing and distributing an XCFramework, and I want to ensure that it remains valid for as long as possible. I have some questions regarding certificate expiration and revocation: I understand that if an XCFramework is signed with a timestamp, it remains valid even after the signing certificate expires. However, if the signing certificate is revoked, the XCFramework immediately becomes unusable. As far as I know, Apple allows a maximum of two active distribution certificates at the same time. I assume that once a certificate expires, it will eventually need to be revoked in order to issue a third certificate. Is this correct? If an expired certificate is later revoked, will the XCFrameworks signed with that certificate also become invalid, even though they were timestamped? I want to ensure that released XCFrameworks remain valid for as long as possible. What is the best approach to achieve this? If anyone has insights or official documentation references on how to manage signing certificates for long-term XCFramework validity, I would appreciate your guidance. Thank you!

i was complete my program, and export a mac app already it work ok in my macmini, but if i want send it to app store, that i have no way now i still do not know how to make this app perfect like, when i use pyinstaller to build this app, is there any info or elements need make with? i can sign my app now, even i use codesign -dvvv my.app to check the sign, it is also ok, there no any feedback said it anything wrong. so, any master know fix app sign or any infoplist please tech me... help

Hi Team, I have created multiple certificates for macOS application. Below are the certificates created- Apple Development Certificate DeveloperID Installer Certificate Apple Distribution Certificate others certificates Later, I have imported the all these above certificates in keychain-access. Now, I tried to compile the code through Xcode. I am getting error for code signing certificate. Warning: unable to build chain to self-signed root for signer "Apple Development: Amit (M2WMF2YERI)” .... Command CodeSign failed with a nonzero exit code When I checked the TeamID of User(Amit) I can see that his current TeamID is [P8ZW3W9R2Q]. There is mismatch of teamID in apple development certificate generation. Note- All certificates are generated with current TeamID[P8ZW3W9R2Q] of user (Amit) except Apple Development certificate which has been generated with TeamID [M2WMF2YERI] which is generated with old TeamID of user (Amit). I attempted to generate the apple development certificate multiple times but it is getting generated with old TeamID TeamID[M2WMF2YERI] of user(Amit)
 Summary- While creating a developer certificate using apple developer account and mapping it in keychain, the certificate is being generated with old apple account details (Inactive) instead of the current one. This is causing issues when using the certificate in keychain. If anyone has encountered this issue, how it was resolved?
 Thanks

Hi Team, I have created multiple certificates for macOS application. Below are the certificates created- Apple Development Certificate DeveloperID Installer Certificate Apple Distribution Certificate others certificates Later, I have imported the all these above certificates in keychain-access. Now, I tried to compile the code through Xcode. I am getting error for code signing certificate. Warning: unable to build chain to self-signed root for signer "Apple Development: Amit (M2WMF2YERI)” .... Command CodeSign failed with a nonzero exit code When I checked the TeamID of User(Amit) I can see that his current TeamID is [P8ZW3W9R2Q]. There is mismatch of teamID in apple development certificate generation. Note- All certificates are generated with current TeamID[P8ZW3W9R2Q] of user (Amit) except Apple Development certificate which has been generated with TeamID [M2WMF2YERI] which is generated with old TeamID of user (Amit). I attempted to generate the apple development certificate multiple times but it is getting generated with old TeamID TeamID[M2WMF2YERI] of user(Amit)
 Summary- While creating a developer certificate using apple developer account and mapping it in keychain, the certificate is being generated with old apple account details (Inactive) instead of the current one. This is causing issues when using the certificate in keychain. If anyone has encountered this issue, how it was resolved?

Hello, After deploying our app, we encountered an issue where the app fails to launch properly on certain devices. To rule out potential code issues, we created a new clean project and tested it with the basic setup (certificate, bundle ID, and team). The app installs and runs fine on most devices, but it fails to open immediately on specific models. (The affected model is listed below.) Version: iOS 18.3.1 Model: iPhone 14 Pro After reviewing the console logs, we found an issue related to the app launching process. Could this issue be related to the app's configuration or the provisioning profile? We would appreciate any insight into why this issue occurs only on certain devices. Thank you for your help!

Hi Developer Community, I'm encountering persistent code signing failures on macOS Sonoma 15.3 with a valid Developer ID Application certificate. The error occurs consistently across multiple certificate regenerations and various troubleshooting approaches. Environment macOS Version: Sonoma 15.3 Developer Account Type: Developer ID Certificate Type: Developer ID Application Certificate Details: Developer ID Application certificate valid until 2027 Using SHA-256 with RSA Encryption Certificate shows as valid in Keychain Access with associated private key Error Message Warning: unable to build chain to self-signed root for signer "Developer ID Application: [my certificate]" [filename]: errSecInternalComponent Steps to Reproduce Install certificate chain in order: Apple Root CA (System keychain) Apple WWDR CA (System keychain) Developer ID CA (System keychain) Developer ID Application certificate (Login keychain) Verify certificate installation: security find-identity -v -p codesigning Result shows valid identity. Attempt code signing with any binary: codesign -s "Developer ID Application: [my certificate]" -f --timestamp --options runtime [filename] Results in errSecInternalComponent error Troubleshooting Already Attempted Regenerated Developer ID Application certificate multiple times from Developer Portal Completely removed and reinstalled entire certificate chain Verified trust settings on all certificates (set to "Always Trust" for code signing) Tried multiple codesign command variations including --no-strict flag Verified keychain integrity Installed latest Apple CA certificates from apple.com/certificateauthority Verified certificate chain is properly recognized by security verify-cert Additional Information All certificates show as valid in Keychain Access Private key is properly associated with Developer ID Application certificate Trust settings are correctly configured for all certificates in the chain Problem persists after clean certificate installations Error occurs with any binary I try to sign Has anyone else encountered this issue on Sonoma 15.3? Any suggestions for resolving this system-level certificate trust chain issue would be greatly appreciated. Thanks in advance!

Hi everyone, I am doing my app playground, when I change the development team or try to clear it, this bug happend? So I wonder do I have to remove it when I submit my work or just leave it there. Signing for "myapp" requires a development team. Select a development team in the Signing & Capabilities editor.

In an expo managed project which utilizes custom expo plugins, we're having trouble getting the keychain-access-groups entitlement inserted to our provisioningprofile for signing. The provisioning profile we download from apple dev portal contains: <key>keychain-access-groups</key> <array> <string>56APMZ7FZY.*</string> <string>com.apple.token</string> </array> and this is not recognized by xcode for signing; an error is thrown: Provisioning profile "ccpp" doesn't include the com.apple.developer.keychain-access-groups entitlement. A matching error is thrown during EAS build. So we need to find a way to modify the ccpp.mobileprovision locally and then sign the build using the modified ccpp.mobileprovision. Or, we need guidance on the proper way to resolve this situation. Questions: why does the downloaded mobileprovision file have the keychain-access-groups key, and not com.apple.developer.keychain-access-groups? Both Xcode and EAS appear to demand the latter keyname. when I use expo prebuild, I am able to see the following in the .entitlements file: <key>com.apple.developer.keychain-access-groups</key> <array> <string>$(AppIdentifierPrefix)com.myapp</string> </array> I am adding this entitlement using a custom expo plugin. However, the mobileprovision file downloaded from apple developer portal has no knowledge of this setting which is only applied through expo prebuild. So what I am left with at the end is an entitlements file generated by my expo prebuild which has the correct setting, and a provisioningprofile downloaded from dev portal with an incorrect setting, and I don't know how to mend the downloaded provisioningprofile (incorrect setting) with my local entitlements file (correct setting).

We have a MacOS application that we plan on distributing standalone (it'll be installed through MDM or directly, not through the app store). We utilize endpoint security and full disk access for this (enterprise) app. I have a makefile that uses codesign to sign the app inside-out. All that appears to work (i.e., when I try to run the app directly it functions as I expect it to). What's the recommended way to allow the developers in my team to also sign the app for local development so it functions as close as possible to production? My first thought is to distribute the developer identity to their machines using MDM. However, ideally i'd like to rule out the ability for a developer who has the MDM profile assigned to export the keys. That really only leaves a centralized solution in place or disabling SIP on their system (which I don't want to do). Alternatively, would creating a separate identity for production make more sense, so that in the case the developer certificate is revoked, the production releases continue to function as normal (however, I assume this would also require creating two different profiles for the endpoint security entitlement--one for each certificate). Thanks! Derek

Howdy, I thought this would be an easy question, but it turns out it's really not! In fact, it flies in the face of how the Apple ecosystem is set up. That said, I still need an answer to be able to inform our customers of what their app update options are. The question: Does app store provisioning ever expire? Based on the very limited information I can find, it either expires in one year, two years, or never. Anecdotal evidence seems to indicate that the answer could be never, but I need to confirm this. The use case: Some of our customers are very old school. They tend to find a technical solution and stick with it. As such, they do not update apps regularly on their field iPads. They generally only update when they are forced to. They use MDM to deploy the app, and would set the MDM not to pull updated apps from the app store when available, essentially keeping the same version of the app in use for as much as 3 years or more. If this were to happen, I need to know if the provisioning for the old version of the app will ever expire if they get it from the app store. I know with an enterprise deployment of .ipa files via MDM, the app provisioning/certificate will expire after 1 or 2 years (can't remember which atm), but I can't find an answer about app store provisioning. Hopefully someone can provide me with an answer on this forum. Thanks in advance, Mapguy

I have some questions regarding App Group Id's and use of the FileManager during an Appstore iOS transfer. I've read a lot of the topics here that cover app groups and iOS, but it's still unclear exactly what is going to happen during transfer when we try to release an updated version of the app from the new account. We're using this method FileManager.default.containerURL(forSecurityApplicationGroupIdentifier: "group.com.foo.bar") to store files on the device that are important for app launch and user experience. Once we transfer the app and begin the process of creating a new version under the new account will we be able to read the files that are stored using this app group id under the new account? What steps do we need to take in order to handle this and continue being able to access these files? It seems like the app group is not transferred in the process? I've seen some users mention they removed the app group from the original account and created it again under the receiving account (with notes mentioning this is undocumented behavior). These conversations we're centered around Shared user defaults, and that applies as well but I'm more concerned with reading the values from the file system. Thanks!

I have read the posted solution threads and am still stuck with solving this issue. I have created a python app that works perfect on my machine and I would like to distribute externally via .zip file. I have created a certificate and downloaded it (G2 Sub-CA (Xcode 11.4.1 or later)) Next i have installed the Çert into the login keychain along with the Matching G2 Intermediate Cert (in system) and the proper Root Cert. However I am still not getting a proper chain when evaluating the developer certificate and I am at a loss at this point. I would love to pay someone to simply walk me through it if anyone has some time to solve this problem with me so I can run the notarytool and then distribute my application. Thanks!

I am managing provisioning profiles manually, including the one for my Notification Service Extension. I am wondering what happens if the provisioning profile for the Notification Service Extension expires. I have two types of apps: An App Store-distributed app An Enterprise-distributed app Can someone clarify how the expiration of the Notification Service Extension's provisioning profile affects both cases? Will the extension stop functioning, or will it continue to work normally?

I am trying to build/deploy app to my phone however I get this message: "provisioning profile doesn't include the currently selected device" My developer account is pretty old one and used to be one the paid-version one. My understanding is that I should be able to deploy apps using free account but I don't see where I can add or delete devices....stuck in the loop over here! :-) I've created support request via email but I don't know if that is being worked or not...four days since I put it in. I suppose my other options are new apple-id or pay $99 and hope apple pays attention then? Any other suggestions?

I have a pass type id that expired. I created a CSR in keychain access on my Mac. I uploaded the CSR and generated a new cert. I downloaded the new cert and imported into keychain access. I don't see the associated private key and I cannot export a .p12 certificate. It's possible I started with the wrong key to generate the CSR or maybe I inadvertently deleted key while trying to locate the cert after importing. I'm not sure how to determine which. I do still have the private key from the cert that expired. But, I cannot figure out how to sign a cert again, my only option now is download. I've been searching the forum and while there may be an answer, I may just be looking for the wrong thing. I could use some help if anybody would be so kind.

Hello, I’m facing an issue with enabling In-App Purchases (IAP) for my iOS app, and it’s causing provisioning errors during the build process. Issue: • In Apple Developer Portal → Certificates, Identifiers & Profiles, the In-App Purchase capability is checked but grayed out, so I can’t modify it. • In Xcode, under Signing & Capabilities, I don’t see In-App Purchase listed. • When trying to build, I get the following error: Provisioning profile “BillionMines_Dev_Profile” doesn’t include the com.apple.developer.in-app-purchase entitlement. • Automatic signing in Xcode fails with: Xcode failed to provision this target. What I Have Tried: 1. Verified that my App ID is explicitly defined (not a wildcard ID). 2. Regenerated and downloaded a new Provisioning Profile, ensuring it matches my app. 3. Confirmed that In-App Purchase is enabled in App Store Connect under Features. 4. Cleaned the build folder and restarted Xcode. 5. Manually added com.apple.developer.in-app-purchase to my .entitlements file. Questions: • Why is the In-App Purchase option grayed out in Certificates, Identifiers & Profiles? • How can I ensure my provisioning profile includes the com.apple.developer.in-app-purchase entitlement? • Are there additional steps required to fully activate In-App Purchases? Any help would be greatly appreciated! Thanks in advance.

The mentioned way of setting up complications does not work. We can't create the identifier according to the guideline mentioned in the WWDC session. https://developer.apple.com/videos/play/wwdc2020/10049/?time=1021 Timestamp: 17:04 Error: An attribute in the provided entity has invalid value An App ID with Identifier '.watchkitapp.complication' is not available. Please enter a different string. To clarify - the non masked identifier is not used on another property inside our dev program. Without creating the identifier our tests result in not working push notifications. Error message while testing: discarded as application was not registered. Is the way mentioned in the WWDC session still valid? BR

Hi, I have a macOS Intel machine running Ventura 13.7.4. This machine is used as a build node for Jenkins to run a test for a USB device that has an HID interface. The test runner for this is Java's junit on Azul's Zulu JDK 8 for mac. I've added the com.apple.security.device entitlement to this JDK 8 bundle and signed using a self-signed certificate. This certificate is available in the system keychain at: keychain: "/Library/Keychains/System.keychain" version: 256 class: 0x80001000 On my personal account on this machine, I can run the test and it calls IOHIDDevicePlugin's open function and returns success: [junit] [debug] [hid.cpp:1457] HIDAccess::Open Success in open for cDeviceHandle: 0x6000006abb38 If I run the same test logged in as the Jenkins agent account, then open returns: [junit] [debug] [hid.cpp:1484] Could not open HID with handle: 0x600002a5c018, error (-1ffffd3f): (iokit/common) privilege violation I can see the certificate that signed the JDK bundle running the command: security find-certificate -c "java-rt-usb" -a -m The results are the same for both accounts. Is my setup expected to work? I.e. create a self-signed cert in one account with admin privileges, put the cert in the system keychain, sign an app bundle with a new usb entitlement using this cert, and then run that app in another account on the same machine. If it's expected to work, are there any more troubleshooting tools I can use? ioreg shows the same output for these devices under test in both accounts: $ ioreg -p IOUSB -w0 +-o CMSIS-DAP@14620000 <class AppleUSBDevice, id 0x1000026ae, registered, matched, active, busy 0 (1 ms), retain 17> +-o CMSIS-DAP@14630000 <class AppleUSBDevice, id 0x1000026d6, registered, matched, active, busy 0 (1 ms), retain 17>

Hi, I'm having a really hard time figuring out why I cannot perform cloud signing via Developer ID with xcodebuild. I have a macOS application, which I can perfectly cloud sign the following way: Sign into Xcode with my Admin + Account Holder Apple ID. Delete my Developer ID Application certificate from Keychain Access. In Xcode, click Archive. When archived, click "Distribute App" in Xcode Organizer. The app is cloud signed. I prove this by extracting the certificate codesign --extract-certificates -- /path/to/app.app then locate the 1.2.840.113635.100.6.1.32 bit mentioned by Quinn in this post. I however do it by simply opening the certifiacte with Keychain Access, where I can investigate the content of the certificate, rather than use that tool he does. Then, I do the following to attempt to cloud sign via xcodebuild: Create an API Key for the whole team in Users and Access > Integrations > App Store Connect with the "Admin" role selected. Download the private key .p8 file to ~/Downloads. Sign out of my Apple ID in Xcode by removing the account in Settings > Accounts. Create an archive: xcodebuild archive -scheme "<redacted scheme name>" -archivePath ~/Downloads/archive.xcarchive -authenticationKeyIssuerID <redacted issuer id> -authenticationKeyID <redacted key id> -authenticationKeyPath ~/Downloads/AuthKey_<redacted key id>.p8 -allowProvisioningUpdates The archive is successfully created, with a new "Apple Development: Created via API (TEAM ID)" naming. Export the archive: xcodebuild -exportArchive -archivePath ~/Downloads/archive.xcarchive -authenticationKeyIssuerID <redacted issuer id> -authenticationKeyID <redacted key id> -authenticationKeyPath ~/Downloads/AuthKey_<redacted key id>.p8 -allowProvisioningUpdates -exportOptionsPlist ~/Downloads/exportOptions.plist -exportPath ~/Downloads which then fails: 2025-03-07 10:27:58.706 xcodebuild[2152:40704] [MT] IDEDistribution: -[IDEDistributionLogging _createLoggingBundleAtPath:]: Created bundle at path "/var/folders/tn/yy7ynz3d0yb4p3sd_5q_wl0h0000gn/T/<redacted app name> macOS_2025-03-07_10-27-58.706.xcdistributionlogs". error: exportArchive Cloud signing permission error error: exportArchive No signing certificate "Developer ID Application" found ** EXPORT FAILED ** Opening the distribution logs, I find this in the Provisioning Log: 2025-03-07 09:09:58 +0000 2025-03-07 09:09:58 +0000 IDEProvisioningRepair(<redacted app name>.app): 2025-03-07 09:09:58 +0000 IDEProvisioningRepair(<redacted app name>.app): Sending request 84E57539-BC1D-407A-8402-7BCE9F2FD100 to <https://appstoreconnect.apple.com/xcbuild/v1/certificates> for session DVTServicesTeamBasedSession <issuer: <redacted issuer id>; key identifier: <redacted key id>>. Method: POST Headers: { Accept = "application/vnd.api+json"; "Accept-Encoding" = "gzip, deflate"; Authorization = "Bearer <redacted bearer token>"; "Content-Length" = 116; "Content-Type" = "application/vnd.api+json"; "User-Agent" = Xcode; "X-HTTP-Method-Override" = GET; "X-Xcode-Version" = "16.2 (16C5032a)"; } Payload: {"urlEncodedQueryParams":"teamId=<redacted team id>&filter%5BcertificateType%5D=DEVELOPER_ID_APPLICATION_MANAGED&limit=200"} 2025-03-07 09:09:59 +0000 2025-03-07 09:09:59 +0000 IDEProvisioningRepair(<redacted app name>.app): 2025-03-07 09:09:59 +0000 IDEProvisioningRepair(<redacted app name>.app): Received response for 84E57539-BC1D-407A-8402-7BCE9F2FD100 @ <https://appstoreconnect.apple.com/xcbuild/v1/certificates>. Code = 0 2025-03-07 09:09:59 +0000 2025-03-07 09:09:59 +0000 IDEProvisioningRepair(<redacted app name>.app): 2025-03-07 09:09:59 +0000 IDEProvisioningRepair(<redacted app name>.app): Response payload: { "errors" : [ { "id" : "3d09690a-e26f-497f-b576-25104064387e", "status" : "403", "code" : "FORBIDDEN_ERROR", "title" : "This request is forbidden for security reasons", "resultCode" : 7495, "detail" : "You haven't been given access to cloud-managed distribution certificates. Please contact your team's Account Holder or an Admin to give you access. If you need further assistance, contact Apple Developer Program Support at https://developer.apple.com/contact/." } ] } Which is really weird, since I am using an API key with Admin rights. If I create a new key, and use it only for this command, App Store Connect does show the "Last Used" date as today after running the command. I thought some time might need to pass, but the issue has been persisting since yesterday. What could be wrong here? I do have a managed Developer ID Application certificate showing in my account but I still can't retrieve it with an Admin right imbued API key.

I am trying to resign a package using a script from Docebo. But I got an error when running the script error: The specified item could not be found in the keychain. So I ran security find-identity and I got a 0 Valid identity message. But I can see these certificates installed in my keychain and downloaded a brand new mobile provissioning profile. No dice... any ideas?