General:
DevForums tags: Code Signing, Signing Certificates, Provisioning Profiles, Entitlements
Developer Account Help — This document is good in general but, in particular, the Reference section is chock-full of useful information, including the names and purposes of all certificate types issued by the Apple Developer website, tables of which capabilities are supported by which distribution models on iOS and macOS, and information on how to use managed capabilities.
Developer > Support > Certificates covers some important policy issues
Entitlements documentation
TN3125 Inside Code Signing: Provisioning Profiles — This includes links to other technotes in the Inside Code Signing series.
WWDC 2021 Session 10204 Distribute apps in Xcode with cloud signing
Certificate Signing Requests Explained DevForums post
--deep Considered Harmful DevForums post
Don’t Run App Store Distribution-Signed Code DevForums post
Resolving errSecInternalComponent errors during code signing DevForums post
Finding a Capability’s Distribution Restrictions DevForums post
Signing code with a hardware-based code-signing identity DevForums post
Mac code signing:
DevForums tag: Developer ID
Creating distribution-signed code for macOS documentation
Packaging Mac software for distribution documentation
Placing Content in a Bundle documentation
Embedding Nonstandard Code Structures in a Bundle documentation
Embedding a Command-Line Tool in a Sandboxed App documentation
Signing a Daemon with a Restricted Entitlement documentation
Defining launch environment and library constraints documentation
WWDC 2023 Session 10266 Protect your Mac app with environment constraints
TN2206 macOS Code Signing In Depth archived technote — This doc has mostly been replaced by the other resources linked to here but it still contains a few unique tidbits and it’s a great historical reference.
Manual Code Signing Example DevForums post
The Care and Feeding of Developer ID DevForums post
TestFlight, Provisioning Profiles, and the Mac App Store DevForums post
For problems with notarisation, see Notarisation Resources. For problems with the trusted execution system, including Gatekeeper, see Trusted Execution Resources.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
Code Signing
Certify that an app was created by you using code signing, a macOS security technology.
Posts under Code Signing tag (200 posts)
I recently added a new target for Apple Watch, which works fine on the simulator. However, I wasn't able to run it on real Apple watches.
First, I don't see it in the list of devices, even after I click "trust" and connect to my Mac over charging cable.
Second, I've always used automatic code signing, and everything seems OK here.
Third, I also tried distributing it over TestFlight, but that build doesn't appear in the TF. I restarted my phone and relaunched the TF app.
So, when I install the app to my iPhone over the cable, the watch app doesn't appear on Apple watches. Then, if I go to the Watch app and install my app manually (I see it at the bottom with the "install" button), it fails with the error "This app cannot be installed because its integrity could not be verified.".
Also, there's an icon on the Apple watch, but it shows the same error when I click it.
I unpaired and paired it again, but it didn't help. Also, I tried another pair of phones, and the same thing happened. I use an AppStore account (not enterprise), and the main app works fine.
Is there a way to fix it?
Hi,
We recently received an application via App Transfer. I am now trying to generate a provisioning profile for App Store distribution.
When we set the checkmark in Capabilities to use "iCloud Key-value storage" we cannot get "automatically manage signing" to work with an error:
Provisioning profile "iOS Team Provisioning Profile: com.some.bundle.identifier" doesn't match the entitlements file's value for the com.apple.developer.ubiquity-kvstore-identifier entitlement.
When a Provisioning Profile is manually generated via Developer Portal the com.apple.developer.ubiquity-kvstore-identifier entry shows the value of the previous app owner: "OLDTEAM.com.some.bundle.identifier".
How can we change the com.apple.developer.ubiquity-kvstore-identifier value in our provisioning profile to get rid of the old team identifier?
Help is much appreciated, thank you.
FB15898983
Despite the recommendation of DTS engineers at https://forums.developer.apple.com/forums/thread/766500 (Xcode 16.1), we see the same behavior when automatically signing in our CI/CD environment:
The operation couldn’t be completed. Unable to log in with account '<APPLE-ID>'. The login details for account '<APPLE-ID>' were rejected.
error: No profiles for '<BUNDLE-ID>' were found: Xcode couldn't find any iOS App Development provisioning profiles matching '<BUNDLE-ID>'
** ARCHIVE FAILED **
In addition, we see several orphaned Xcode username entries in the local keychain / Keychain Access app that match the identifier stored in com.apple.dt.Xcode.plist under the key DVTDeveloperAccountManagerAppleIDLists - IDE.Identifiers.Prod.
(Preferences read com.apple.dt.Xcode DVTDeveloperAccountManagerAppleIDLists)
or we see that the DeveloperID stored in Xcode - Settings - Accounts is lost.
We have reset a Mac mini (2023 / arm) to factory settings, reinstalled Sequoia in the current version and installed Xcode 16.1 (16B40). Nevertheless, we see the behavior described above. This behavior is not reproducible for us.
We have opened the following tickets, but have not received a response that explains the behavior or offers a solution.
Case ID: 9935876
Feedback: FB15700530
My non-cloud Developer ID certificate will expire soon, and my account also has a cloud-managed Developer ID certificate. My Mac application build workflow uses Archiving, so the cloud cert should be fine for that. But my workflow also signs bundled apps, such as the Sparkle framework's Autoupdate app, using the codesign tool.
Is it correct that codesign only uses certificates from the local Keychain, and so cannot use a Cloud-managed Developer ID certificate?
Before I manually renew the non-cloud Developer ID certificate, I want to make sure I'm not missing some easier method. Thanks.
I have an app Arpeggio.app which I build and then sign without errors: "electron-osx-sign dist/mac-arm64/Arpeggio.app --identity="Developer ID Application: XXXX (XXXXXX)" --hardened-runtime --no-gatekeeper-assess --entitlements=entitlements.plist".
It returns "Application signed: dist/mac-arm64/Arpeggio.app".
I then use "/usr/bin/ditto -c -k --sequesterRsrc --keepParent src dst" to make a zip with the same signatures.
I then submit the zip for notarization: "xcrun notarytool submit dist/mac-arm64/Arpeggio.zip --apple-id XXXX etc"
which returns "Waiting for processing to complete.
Current status: Accepted..............
Processing complete
id: ***-***-xx-xx
status: Accepted".
Then I staple the notarization to the app and get "The staple and validate action worked!". Now it shows all validated and that the notarization is stapled. I then run "spctl --assess --type execute -vv 'dist/mac-arm64/Arpeggio.app'" as a last check and always get this:
dist/mac-arm64/Arpeggio.app: unknown error 99999=1869f
Why is this happening? I can't seem to debug the issue, but our notarization and signing is always successful and the app works as expected. Please help me get to the bottom of this.
Hi there,
I have a Multiplatform app with just one app target with an iPhone, iPad and Mac destination. On the Mac my app is a developer-signed app that is being distributed outside of the Mac App Store.
I want to use App Groups, but as long as there are multiple destinations, Xcode only allows group identifiers starting with "group.". However, for macOS I need to have a group ID that starts with the Team ID, as explained here.
So I created two separate entitlements, which are identical, but with different group IDs:
With Automatic Code Signing enabled, I get this warning:
Xcode still seems thinks it has to use the macOS Group ID for the iOS version. In the App Groups section, the mac Group ID is red and the iOS Group ID is not checked.
The app builds and runs without issues on all platforms. The App Store Connect validation (for the iOS version) also works without any errors.
Am I doing something wrong? Do I need a separate Mac target because Xcode does not support separate Group IDs for Multiplatform apps?
We get the error message The application "Finder" does not have permission to open "(null)" in macOS 15.1 when trying to open unsigned applications.
Is this a known bug in macOS 15.1 ? If so any indications of whether it will be fixed in the future.
In macOS 15.0.1 the workaround for launching unsigned applications still worked.
I am a developer on a project at work. I recently got a new laptop; however, since then I have been unable to build/deploy our application. I received a copy of the Developer ID Application certificate and Developer ID Installer certificate from a fellow developer. Note, everything works on their machine with these certificates.
I have gone through the steps documented here https://developer.apple.com/forums/thread/712005
When I run security find-identity -p codesigning, I have two certificates that show up. one for my User and one for the Developer ID Application that my colleague gave me. Both show up as matching and valid identities.
When I try to codesign "MyTrue", as documented in the link above, using "Apple Development" works; however, the "Developer ID Application" identity does not. I get an errSecInternalComponent error.
ahenderson@ahendersonmacbook [17:29:23] [~/Downloads]
-> % codesign -s "Apple Development" -f MyTrue -vvv
MyTrue: replacing existing signature
MyTrue: signed Mach-O universal (x86_64 arm64e) [MyTrue]
ahenderson@ahendersonmacbook [17:30:48] [~/Downloads]
-> % codesign -s "Developer ID Application" -f MyTrue -vvv
MyTrue: replacing existing signature
Warning: unable to build chain to self-signed root for signer "Developer ID Application: SRS Pharmacy Systems, Inc. ([REDACTED])"
MyTrue: errSecInternalComponent
I have downloaded all of the intermediate certificates from the Apple PKI and have them installed under my login keychain.
Having spent days on this, I am at the end of my rope.
Laptop Specs:
M3 Pro
36GB Ram
macOS Sequoia 15.1
It is worth noting that my colleague's laptop is not running Sequoia. Not sure if that makes any difference or not.
It is also worth noting, that I can run the codesign manually with the Developer ID Application using sudo (I know I shouldn't do this, but I just wanted to see if that made any difference).
Hello,
I was trying to solve the error "Command CodeSign failed with a nonzero exit code" that occurs when I try to archive and publish my app. I realized the Team IDs on the Portal (top-right corner next to my name, e.g. "Pete Park - ABC1D2E334") and in my Mac's Keychain Access (e.g. "Pete Park - XYZ9W8V776") do not match.
The number in Keychain Access, is that a Team ID? (clueless self-learner here)
If yes, do they need to match?
Any suggestion for the CodeSign error? Is "errSecInternalComponent" the error?
Sorry if these questions are obvious or stupid. Thanks so much for any advice.
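The two posts above come down to the same question: which signing identities does codesign actually see, and does the one you want belong to the team you build for (a signature is only valid for the team whose certificate produced it, so the Team ID in the identity name must be the team the project signs for). What follows is an added example of mine, not either poster's commands and not Apple's tooling: it parses the output of security find-identity, checks that an identity of a given kind belongs to an expected Team ID, evaluates the leaf certificate against the code-signing policy (the same chain building that produces the "unable to build chain to self-signed root" warning, which points at a missing intermediate in your keychain), and shows the keychain unlocking a CI or SSH session needs before codesign is allowed to use a private key (a common source of errSecInternalComponent). Team IDs, identity names and keychain paths below are placeholders.

```shell
#!/bin/sh
# Added example, not from either post: inspect the code-signing identities a Mac
# (or a CI keychain) holds before blaming codesign. Names and IDs are placeholders.

# Turn `security find-identity -p codesigning` output into lines of
# "<sha1> TAB <team id> TAB <identity name>". Identity lines look like:
#   1) 0123ABCD... "Developer ID Application: Some Org (ABCDE12345)"
parse_identities() {
  awk -F'"' '/^ *[0-9]+\) [0-9A-F]+ "/ {
      split($1, a, " "); name=$2
      team=name; sub(/.*\(/, "", team); sub(/\).*/, "", team)
      printf "%s\t%s\t%s\n", a[2], team, name
  }'
}

# Exit 0 if at least one identity of the given kind belongs to the expected team.
# kind is the certificate name prefix, e.g. "Developer ID Application".
have_identity_for_team() {
  kind=$1 team=$2
  parse_identities | awk -v k="$kind" -v t="$team" 'BEGIN { FS="\t" }
      $2 == t && index($3, k ": ") == 1 { found=1 }
      END { exit !found }'
}

# macOS only. Evaluate the leaf with the code-signing policy: a missing Apple
# intermediate shows up here. Which intermediate you need is the issuer printed
# first; install that one from https://www.apple.com/certificateauthority/ into
# the login keychain.
check_chain() {
  name=$1 tmp=$(mktemp)
  security find-certificate -c "$name" -p > "$tmp" &&
  openssl x509 -in "$tmp" -noout -issuer &&
  security verify-cert -c "$tmp" -p codeSign
  rc=$?; rm -f "$tmp"; return $rc
}

# macOS only. "Valid" identity but errSecInternalComponent: the private key is
# there but codesign may not use it (key imported from a colleague's .p12,
# keychain locked in an SSH session). For a CI keychain, unlock it and let
# Apple's tools use every key in it without a UI prompt.
unlock_for_codesign() {
  keychain=$1 password=$2
  security unlock-keychain -p "$password" "$keychain" &&
  security set-key-partition-list -S apple-tool:,apple: -s -k "$password" "$keychain"
}

# Usage (macOS): sh identities.sh "Developer ID Application" ABCDE12345
if [ $# -eq 2 ]; then
  security find-identity -p codesigning | parse_identities
  security find-identity -p codesigning | have_identity_for_team "$1" "$2" ||
    { echo "no $1 identity for team $2" >&2; exit 1; }
fi
```

The chain and unlock functions need macOS; the parser is plain awk and is what a CI script can gate on. If check_chain fails on the Developer ID identity but the Apple Development one verifies, the keychain is missing the Developer ID intermediate that issued your particular leaf, not just "an" intermediate.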
Hi,
I have been building a Mac Catalyst version of an iOS app for years using a separate build that included a specific .entitlements file that excludes com.apple.security.device.camera. Yet when I now build with Xcode 16.1 that entitlement is included.
I have double-checked my signing entitlements for my Mac Catalyst build and they are configured properly. I have checked my .entitlements file to ensure com.apple.security.device.camera is not there. All is as it should be.
I have changed nothing; my build flow is the same.
App Store Review has prevented the Mac build from being released because com.apple.security.device.camera is set.
What can I do to correct this?
I am trying to set up a workflow where Apple Vision Pro users in my organization can install a signed enterprise .ipa file from an internal web page.
The relevant link looks something like this:
<a role="button" href="itms-services://?action=download-manifest&url=https://my.example.com/path/manifest.plist">Click here to download</a>
After verifying that all the mime types were correct on the server and the certificate was valid, I finally attached my AVP headset to my Mac's console app and saw that the errors look like this:
[com.example.myapp] Skipping due to incompatible platform: com.apple.platform.xros
Could not load download manifest with underlying error: Error Domain=ASDErrorDomain Code=752 "Not compatible with this platform: com.apple.platform.xros" UserInfo={NSDebugDescription=Not compatible with this platform: com.apple.platform.xros}
This manifest.plist was made by the "Distribute App" workflow in Xcode 16.0.
Multipart question:
Is installing visionOS apps via manifest+ipa over a web connection a supported way of installing apps?
If the issue is with com.apple.platform.xros, what should the platform-identifier be for visionOS apps?
The steps I follow to create a CSR file on my Mac are:
Going to Keychain Access > Certificate Assistant > Request a Certificate From a Certificate Authority...
Filling in the required fields, choosing Saved to disk, then Continue, and saving it to the desktop.
Then, in the developer account's Certificates screen, creating a new certificate by clicking the plus icon, selecting Apple Distribution > Continue, then uploading the CSR file in the required box and clicking Continue.
After this I downloaded the "distribution.cer" file and double-clicked it, then went to Keychain Access; in the My Certificates section there is no certificate that I installed, but it shows in the Certificates section without a private key.
These are the steps I have followed, but I am not getting a private key with my certificate. How do I correct this issue?
System Configuration :-
macOS 14.5
Chip - Apple M1
Keychain Access version - Version 11.0 (55314)
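The post describes the Keychain Access flow. The usual cause of "certificate but no private key" is that the .cer was added to a keychain that does not hold the private key the CSR was generated from (CSR made on another Mac or under another user, key deleted, or a different keychain), since the CSR carries only the public key and the certificate Apple returns is useless without its private half. As an added example, not the poster's steps and not Apple's documented flow, here is the command-line equivalent with openssl, plus the check I use to prove that a .cer belongs to a key before importing either into a keychain. File names, the subject and the keychain path are placeholders.

```shell
#!/bin/sh
# Added example, not from the post or from Apple: create the CSR with openssl and
# check that a downloaded certificate matches a private key you hold.
# File names, the subject and the keychain path are placeholders.

# Generate a 2048-bit RSA key (what Keychain Access creates) and a CSR for it.
# The private key stays in $key; only the CSR (public key + subject) is uploaded.
make_csr() {
  key=$1 csr=$2 subject=$3
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$key" 2>/dev/null &&
  openssl req -new -key "$key" -subj "$subject" -out "$csr"
}

# Succeed only if the certificate's public key equals the one derived from $key.
# Apple hands back a DER .cer; openssl-made or exported certificates are PEM,
# so try DER first and fall back to PEM.
cert_matches_key() {
  cert=$1 key=$2
  cert_pub=$(openssl x509 -in "$cert" -inform DER -noout -pubkey 2>/dev/null ||
             openssl x509 -in "$cert" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# macOS only: import the key and its matching certificate into the same keychain
# so that codesign sees them as one identity, then list what the keychain holds.
import_identity() {
  key=$1 cert=$2 keychain=${3:-"$HOME/Library/Keychains/login.keychain-db"}
  cert_matches_key "$cert" "$key" || { echo "$cert was not issued for $key" >&2; return 1; }
  security import "$key" -k "$keychain" -T /usr/bin/codesign -T /usr/bin/security &&
  security import "$cert" -k "$keychain" &&
  security find-identity -v -p codesigning "$keychain"
}

# Usage (macOS): sh csr.sh dev.key dev.csr "/CN=Your Name/emailAddress=you@example.com"
if [ $# -eq 3 ]; then make_csr "$1" "$2" "$3" && cat "$2"; fi
```

Run cert_matches_key against the .cer Apple gave you and the key you think it was issued for before importing anything; a mismatch means the CSR was generated from a different key, and no amount of re-importing the certificate will produce a signing identity.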
Here is the situation:
We are shipping an application bundle which is submitted to the notarization service for approval.
The application bundle adheres to the notarization standards and is approved.
Problem: We need to ship a zip file inside this application. This zip file has all the files that are signed. Most of the files are signed by us. However there are some 3P zip files which are not signed by us. We would rather not open these 3P zip files as there might be SLAs involved here.
As a result we end up with a zip file which contains mixed signatures. This zip file needs to be part of that application that needs to be notarized.
Question: What is the best way to do this in order for the notarization service to approve the application and ship the zip file as part of the application? Note: We don't know if all the files inside the 3P zips are correctly signed (for example, with the hardened runtime). They are all signed, though.
Also, when the zip files contents are laid out onto the customer machine, they are all signed and validated. However, some files might not have hardened runtime.
Thanks in advance.
Hi community!
It is known that an application designed for iOS may be launched on macOS on an Arm chip.
With Xcode this is simple: you just choose to launch on the current machine (Designed for iPad). As I can see, some magic happens: some tool wraps myproj.app into another app, which contains a WrappedBundle link and a Wrapper subdirectory.
Does anybody know how to invoke this wrapping tool via the command line? I am using CLion as my IDE for personal preference, and I want to build the app with CLion and wrap the result with an external tool into a macOS-compatible app to test if it works on macOS as well.
In other words, having the myproj.app I want to run something like "magictool -wrap /path/to/myproj.app"
Best regards!
Hi,
We have a series of apps all configured with Xcode managed signing. The only difference between them, except their code, is the build ID. In our CI, one app builds and exports without errors, while all the others fail. Authentication is done through keyID/keyFile/keyIssuerID triplet, but the Xcode installation on the CI machine has a bunch of those empty accounts in it as mentioned in this thread https://forums.developer.apple.com/forums/thread/764554.
Looking at the xcodebuild archive logs, I have this for the "working" app :
Default = "<_IDEProvisionableConfigurationSnapshot ✉️: name: Default, provisioningStyle: 0, certificateSigningStyle: 2, team: <IDEProvisioningBasicTeam: ✉️; teamID='<TEAMID>', teamName='MYTEAM'>, profileSupport: <IDEProvisioningProfileSupport: ✉️>, platform: <DVTPlatform:✉️:'com.apple.platform.iphoneos':<DVTFilePath:✉️:'/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform'>>, sdk: (null), sdkVariant: (null), bundleIdentifier: livetranslation.LiveTranslation, profileSpecifier: (null), certificateIdentifier: iPhone Distribution, entitlementsFilePath: (null), baseEntitlements: <IDEProvisionableEntitlements: ✉️; signedEntitlements='{\n}', simulatedEntitlements='(null)'>, entitlementsExpansion: <IDEDistributionProvisioningEntitlementsExpansion: ✉️>, entitlementsDestination: 1, allowSigningWithoutTeamSelection: 0, signingRequiresTeam: 0, appIDFeatures: <DVTPortalAppIDFeatures ✉️: Features: {\n}, Containers: {\n}>, provisioningPurpose: app-store, supportsIOSMac: 0>";
}, overrides: <IDEProvisionableOverrides ✉️: configuration: Default, profileSupport: <IDEProvisioningProfileSupport: ✉️>, provisioningStyle: (null), certificateSigningStyle: (null), provisioningPurpose: app-store, team: (null), platform: <DVTPlatform:✉️:'com.apple.platform.iphoneos':<DVTFilePath:✉️:'/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform'>>, sdk: (null), sdkVariant: (null), profileSpecifier: (null), certificateIdentifier: (null), bundleIdentifier: (null), entitlements: (null), entitlementsFile: (null), baseEntitlements: (null), entitlementsExpansion: (null), entitlementsDestination: (null), allowSigningWithoutTeamSelection: (null), signingRequiresTeam: (null), appIDFeatures: (null)>>>, configuration: Default, codesignParameterSnapshot: <IDECodesignParameterSnapshot: ✉️>:
Identity: E1A91D4C347F60D4E8EFFAD9C8F2493AB99DFAFA
Certificate <DVTSigningCertificate: ✉️; name='Apple Distribution: MYTEAM (TEAMID)', hash='E1A91D4C347F60D4E8EFFAD9C8F2493AB99DFAFA', serialNumber='1AE77EDC19294212C6AE6D5DC550D66C', certificateKinds='(
"1.2.840.113635.100.6.1.7",
"1.2.840.113635.100.6.1.4"
), issueDate='🕙''>>, errors: (null)>
and this for the apps failing to sign :
🕙 [MT] Step failed: <IDEDistributionSigningAssetsStep: ✉️>: Error Domain=IDEDistributionSigningAssetStepErrorDomain Code=0 "Locating signing assets failed." UserInfo={NSLocalizedDescription=Locating signing assets failed., IDEDistributionUnderlyingErrors=(
"Error Domain=DeveloperAPIServiceErrorDomain Code=5 \"Cloud signing permission error\" UserInfo={IDEDistributionIssueSeverity=3, NSLocalizedRecoverySuggestion=You haven't been given access to cloud-managed distribution certificates. Please contact your team's Account Holder or an Admin to give you access. If you need further assistance, contact Apple Developer Program Support at https://developer.apple.com/contact/., NSLocalizedDescription=Cloud signing permission error}",
"Error Domain=IDEProfileLocatorErrorDomain Code=1 \"No profiles for 'com.myteam.myapp' were found\" UserInfo={IDEDistributionIssueSeverity=3, NSLocalizedDescription=No profiles for 'com.myteam.myapp' were found, NSLocalizedRecoverySuggestion=Xcode couldn't find any iOS App Store provisioning profiles matching 'com.myteam.myapp'.}"
)}
I've checked that the ID used to authenticate has cloud signing permissions (it obviously has them since it's working for one app). So what could be the problem here ?
I have a .NET MAUI iOS app where its provisioning profiles at first expired a few days ago. So I created new "Apple Development" and "Apple Distribution" certificates using an existing certificate signing request created on 19 October 2023 at 11:46 AM, included the new certificates in the expired provisioning profiles, regenerated and downloaded the provisioning profiles.
In the "bundle signing" section of the "project properties" window of Visual Studio for Mac version 17.6.14 (build 413), I have made the following settings:
Configuration: release
Platform: any CPU
Signing identity is not set to automatic
I have selected the correct provisioning profile, but when deploying the app in release mode, the following error message is thrown so the app cannot be deployed to the device:
ERROR: Failed to install the app on the device. (com.apple.dt.CoreDeviceError error 3002.)
NSURL = file:///Users/intelligenthosting/Desktop/IMA-Attendance-App/maui/maui/bin/Release/net7.0-ios/ios-arm64/maui.app/
----------------------------------------
Unable to Install “IMA Attendance” (IXUserPresentableErrorDomain error 14.)
NSLocalizedRecoverySuggestion = Failed to install embedded profile for com.imaedu.attendanceapp : 0xe800801f (Attempted to install a Beta profile without the proper entitlement.)
NSLocalizedFailureReason = This app cannot be installed because its integrity could not be verified.
----------------------------------------
Failed to install embedded profile for com.imaedu.attendanceapp : 0xe800801f (Attempted to install a Beta profile without the proper entitlement.) (MIInstallerErrorDomain error 13.)
SourceFileLine = 308
FunctionName = -[MIInstallableBundle _installEmbeddedProfilesWithError:]
LibMISErrorNumber = -402620385
LegacyErrorString = ApplicationVerificationFailed
1%... 2%... 3%... 4%... 5%... 6%... 7%... 8%... 9%... 10%... 11%... 12%... 13%... 14%... 15%... 16%... 18%... 19%... 20%... 21%... 22%... 23%... 24%... 25%... 26%... 27%... 28%... 30%... 31%... 32%... 33%... 34%... 35%... 36%... 37%... 38%... 39%... 40%... 41%... 42%... 43%... 44%... 45%... 46%... 47%... 48%... 49%... 50%... 51%... 52%... 53%... 54%... 55%... 56%... 57%... 59%... 60%... 62%... 66%... 68%...
error MT1045: Failed to execute 'devicectl': 'devicectl -j /var/folders/ny/qt1fm9zx063__j1b_nglx8pw0000gn/T/tmpFalYTp.tmp device install app --device "iPad (3)" /Users/intelligenthosting/Desktop/IMA-Attendance-App/maui/maui/bin/Release/net7.0-ios/ios-arm64/maui.app' returned the exit code 1.
Application could not be uploaded to the device.
What have I done wrong in the above process? What is the most appropriate method to update expired provisioning profiles? Thanks in advance
Context/Project Idea:
I'm currently developing a project that consists of a macOS application using Swift and a local Python backend that executes specific tasks such as processing data. The Python backend is the core of this project, while the Swift application is a mere interface to interact with it.
These two project parts should be decoupled so the user can theoretically run their own backend and connect the Swift application to it. Likewise, the user should be able to connect to the shipped backend using, e.g. curl.
Current plan:
My main idea is to use launchctl to launch a launchd agent which runs the Python backend. The script launching the backend will generate an API key stored in a keychain access group. The Swift application can then get that key and access the backend. The user can always get that API key from the keychain if they want to connect to it programmatically.
Here are the main questions I have currently:
Python Interpreter Consistency: I'm exploring options such as cx_Freeze or PyInstaller to create a standalone Python executable for better system stability. Does anyone have experience with these tools in a macOS environment, or are there other reliable alternatives worth considering?
Adding a Launchd Agent to Xcode: How can I add a launchd agent to my Xcode project to manage a Python executable built with cx_Freeze or PyInstaller? What steps should I follow to ensure it functions properly?
Keychain Access for Launchd Agent: Is it feasible for a launchd agent to access a Keychain access group? What configurations or permissions are necessary to implement this?
Thanks in advance!
The app is signed, notarized and stapled. When I send that dmg file with a file transfer tool, it opens correctly on another Mac without any warning or error. However, if I send that dmg file through IM to the same Mac, it produces the "cannot check it for malicious software" error.
I check the transfered dmg with spctl -a -t open -vvv --context context:primary-signature MyApp.dmg, it show source=Notarized Developer ID; origin=***
How can I resolve this issue?
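Both this post and the Arpeggio post above stop at spctl's one-line answer. As an added example (not from either post and not Apple's code), here is the check sequence I run over a release artefact, plus a small function that reads spctl's output for a CI gate so that a verdict of accepted, a verdict of rejected, and an spctl failure that is no verdict at all (such as the unknown error 99999=1869f quoted above) are never confused. Paths and names are placeholders; the macOS commands only run when the script is given a path.

```shell
#!/bin/sh
# Added example, not from either post: verify a signed, notarized release
# artefact and read spctl's answer. File names are placeholders.

# Reduce the combined stdout+stderr of `spctl --assess ... -vv` to one line:
# "accepted (<source>)", "rejected (<source>)", or "error" when spctl itself
# failed and produced no verdict.
gatekeeper_verdict() {
  printf '%s\n' "$1" | awk '
    /: accepted/ { v="accepted" }
    /: rejected/ { v="rejected" }
    /^source=/   { s=$0; sub(/^source=/, "", s) }
    END {
      if (v == "") v="error"
      if (s != "") print v " (" s ")"; else print v
    }'
}

# macOS only. Assess one artefact the way Gatekeeper will on a user's Mac.
check_release_artifact() {
  target=$1
  case "$target" in
    *.app) kind=execute; ctx="" ;;
    # A disk image is assessed by its own primary signature, not by its contents.
    *.dmg) kind=open;    ctx="--context context:primary-signature" ;;
    *.pkg) kind=install; ctx="" ;;
    *) echo "don't know how to assess $target" >&2; return 2 ;;
  esac
  if [ "$kind" = execute ]; then
    # Integrity of every nested component, with the strict resource rules.
    codesign --verify --deep --strict --verbose=2 "$target" || return 1
    # Notarization requires the hardened runtime; it appears in the flags field.
    codesign -dv "$target" 2>&1 | grep -q 'flags=.*runtime' ||
      { echo "$target: hardened runtime not enabled" >&2; return 1; }
  fi
  # Is a ticket stapled? Without one, a Mac that cannot reach Apple's ticket
  # service cannot "check it for malicious software". Staple the .dmg as well
  # as the .app inside it.
  xcrun stapler validate "$target" ||
    echo "$target: no stapled ticket (offline Macs will fail to verify it)" >&2
  # The Gatekeeper verdict. $ctx is intentionally unquoted so that it splits
  # into two arguments, or into none.
  out=$(spctl --assess --type "$kind" $ctx -vv "$target" 2>&1)
  printf '%s\n' "$out"
  case "$(gatekeeper_verdict "$out")" in
    accepted*) return 0 ;;
    *)         return 1 ;;
  esac
}

# Usage (macOS): sh check_release.sh dist/mac-arm64/Arpeggio.app
if [ $# -gt 0 ]; then check_release_artifact "$1"; fi
```

A zip has no signature of its own, so there is nothing for spctl to assess in it: assess the .app before you zip it for notarytool. When you ship a disk image, submit and staple the .dmg itself, not only the app inside it, because the image is what the user's Gatekeeper opens first.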
Hello Apple Community, many thanks in advance for your help.
My macOS app embeds a Python interpreter, compiled from source, including the Python executable and its associated libraries.
The top-level app is built with Xcode 16.1 and is written 100% in Swift 6.
For test purposes we are running the app on macOS Sequoia 15.0 and 15.1 and Sonoma 14.4.
The app can be downloaded via TestFlight, and the Console app shows the following errors:
Crash Reports
python3.11
Application Specific Signatures:
Unable to get bundle identifier for container id python3: Unable to get bundle identifier because Info.plist from code signature information has no value for kCFBundleIdentifierKey.
tccd process error
Prompting policy for hardened runtime; service: kTCCServiceAppleEvents requires entitlement com.apple.security.automation.apple-events but it is missing for accessing={TCCDProcess: identifier=[IDENTIFIER]], pid=62822, auid=502, euid=502, binary_path=[PATH TO SAMPLEAPP]]}, requesting={TCCDProcess: identifier=com.apple.appleeventsd, pid=577, auid=55, euid=55, binary_path=/System/Library/CoreServices/appleeventsd},
The following documents helped a lot to reach the current state, although sometimes I was not sure how to apply them in this Python interpreter context:
Signing a daemon with a restricted entitlement
Embedding a command-line tool in a sandboxed app
XPC Rendezvous, com.apple.security.inherit and LaunchAgent
Placing content in a bundle
There are a lot of details that I will try to explain below.
Once the app is archived, it looks like this:
SampleApp.app
SampleApp.app/Contents
SampleApp.app/Contents/Info.plist
SampleApp.app/Contents/MacOS
SampleApp.app/Contents/MacOS/SampleApp
SampleApp.app/Contents/Resources
SampleApp.app/Contents/Resources/Python.bundle
And this is what Python.bundle looks like:
Python.bundle/Contents
Python.bundle/Contents/Info.plist
Python.bundle/Contents/Resources
Python.bundle/Contents/Resources/bin
Python.bundle/Contents/Resources/bin/python3.11 <- Python executable
Python.bundle/Contents/Resources/lib
Python.bundle/Contents/Resources/lib/python3.11 <- Folder with python libraries
This is the Info.plist associated with Python.bundle:
<dict>
<key>CFBundleIdentifier</key>
<string>com.sampleapp.app.Python</string>
<key>CFBundleName</key>
<string>Python</string>
<key>CFBundleVersion</key>
<string>1.0</string>
<key>CFBundlePackageType</key>
<string>BNDL</string>
</dict>
For some reason Bundle Identifier is ignored.
I created a Python target, added it to the main app, and selected the Bundle template.
In the Python target I made the following customizations:
Enabled the Skip Install (SKIP_INSTALL) build setting.
Disabled the Code Signing Inject Base Entitlements
Added entitlements com.apple.security.inherit to it, with a Boolean value of true.
Tried to set the Other Code Signing Flags (OTHER_CODE_SIGN_FLAGS) build setting to:
$(inherited) -i $(PRODUCT_BUNDLE_IDENTIFIER)
But I had to remove it because I could not get rid of this error:
"-i com.sampleapp.app.Python: No such file or directory"
Created a python.plist and set it in the Packaging Build Settings section.
I set Generate Info.plist File to No
The document Embedding a command-line tool in a sandboxed app says:
"Add the ToolX executable to that build phase, making sure Code Sign On Copy is checked."
But I could not do it to avoid duplicates, since the bundle itself contains the executable too. I'm not sure how to handle this case.
Tried to add python3.11 executable in the bundle MacOS folder, but bundle executableURL returned nil and I could not use python from the code.
This is how I get Python bundle from code:
    // Locate Python.bundle inside the main app's Resources directory.
    static var pythonBundle: Bundle? {
        if let bundlePath = Bundle.main.path(forResource: "Python", ofType: "bundle"),
           let bundle = Bundle(path: bundlePath) {
            return bundle
        }
        return nil
    }
Created Python.entitlements with the following key-values:
<key>com.apple.security.app-sandbox</key>
<true/>
and it is used in an Archive Post-action of SampleApp, in order to sign the python executable of Python.bundle as follows:
codesign --force --options runtime --timestamp --entitlements "$ENTITLEMENTS_PATH" --sign "$DEVELOPER_ID_APPLICATION" "$ARCHIVE_PATH"
The reason for using an Archive post-action is that signing from a Python.bundle build phase was generating errors related to sandboxing.
These are the entitlements to codesign SampleApp:
<dict>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.files.user-selected.read-only</key>
<true/>
<key>com.apple.security.inherit</key>
<true/>
</dict>
Most probably I was mixing concepts, and it seems that created some confusion.
We would really love to get some advice,
Thanks!
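As an added example (mine, not the poster's project and not Apple's sample code), here is how I would sanity-check the two entitlements files shown in the post and then sign the layout inside-out, component by component, rather than with --deep (see "--deep Considered Harmful" in the resources list at the top of this page). Apple's Embedding a Command-Line Tool in a Sandboxed App says an embedded tool that runs inside the host's sandbox gets com.apple.security.app-sandbox plus com.apple.security.inherit and no other entitlement, and that inherit belongs only on a child process that the sandboxed app launches, never on the app itself. The post's Python.entitlements carries app-sandbox without inherit, and its SampleApp entitlements carry inherit; both checks below flag exactly that. The bundle layout, the helper identifier com.sampleapp.app.python3 and the IDENTITY environment variable are assumptions.

```shell
#!/bin/sh
# Added example, not from the post or from Apple: lint the host and helper
# entitlements, then sign the embedded interpreter inside-out (never --deep).
# Assumed layout (placeholders):
#   SampleApp.app/Contents/Resources/Python.bundle/Contents/Resources/bin/python3.11
# $IDENTITY is the codesign identity, e.g. "Developer ID Application: Org (TEAMID)".

# Print the keys of a flat entitlements plist whose value is <true/>.
# Assumes Xcode's formatting: one <key> per line, the value on the same or the next line.
true_keys() {
  awk '
    /<key>/ {
      k=$0; sub(/.*<key>/, "", k); sub(/<\/key>.*/, "", k); key=k
      if ($0 ~ /<true\/>/) { print key; key="" }
      next
    }
    /<true\/>/ { if (key != "") print key; key=""; next }
    { key="" }
  ' "$1"
}

# A helper that runs inside the host's sandbox must carry exactly two entitlements:
# the sandbox itself, and inherit so that it shares the host's container (and so
# needs no bundle identifier or container of its own). Nothing else is allowed.
check_helper_entitlements() {
  [ "$(true_keys "$1" | sort | tr '\n' ' ')" = \
    "com.apple.security.app-sandbox com.apple.security.inherit " ]
}

# The host opts into the sandbox and must not claim inherit: inherit is only
# meaningful for a child of an already-sandboxed process.
check_host_entitlements() {
  true_keys "$1" | grep -qx 'com.apple.security.app-sandbox' || return 1
  if true_keys "$1" | grep -qx 'com.apple.security.inherit'; then return 1; fi
}

# macOS only. Sign from the innermost code outwards; each signature seals what is below it.
sign_inside_out() {
  app=$1 host_ent=$2 helper_ent=$3
  helper="$app/Contents/Resources/Python.bundle/Contents/Resources/bin/python3.11"
  check_host_entitlements "$host_ent"     || { echo "bad host entitlements: $host_ent" >&2; return 1; }
  check_helper_entitlements "$helper_ent" || { echo "bad helper entitlements: $helper_ent" >&2; return 1; }
  # 1. The bare interpreter. A standalone executable has no Info.plist to take an
  #    identifier from, so give it one explicitly (hypothetical identifier).
  codesign --force --options runtime --timestamp --identifier com.sampleapp.app.python3 \
    --entitlements "$helper_ent" --sign "$IDENTITY" "$helper" || return 1
  # 2. The bundle wrapping it, then the app itself with the host entitlements.
  codesign --force --options runtime --timestamp --sign "$IDENTITY" \
    "$app/Contents/Resources/Python.bundle" || return 1
  codesign --force --options runtime --timestamp --entitlements "$host_ent" \
    --sign "$IDENTITY" "$app" || return 1
  # --deep is fine for verification; it is signing with --deep that is harmful.
  codesign --verify --deep --strict --verbose=2 "$app"
}

# Usage (macOS): IDENTITY="Developer ID Application: Org (TEAMID)" \
#   sh sign.sh SampleApp.app SampleApp.entitlements Python.entitlements
if [ $# -eq 3 ]; then sign_inside_out "$@"; fi
```

Two caveats that the lint does not cover: the helper must be started as a child process of the sandboxed app (Process or posix_spawn), since inherit means "inherit the parent's sandbox"; and Apple's Placing Content in a Bundle puts executables under Contents/MacOS, so an interpreter living under Resources is a nonstandard code structure that the linked Embedding Nonstandard Code Structures in a Bundle document is the reference for.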
There does not seem to be a way to code sign a PAM module so that an XPC service can verify the signature with setCodeSigningRequirement.
There should be a way to build a PAM module (a dynamic library) so it can be code signed. Putting it in a bundle and code signing the bundle does not work.