General:
DevForums tags: Code Signing, Signing Certificates, Provisioning Profiles, Entitlements
Developer Account Help — This document is good in general but, in particular, the Reference section is chock-full of useful information, including the names and purposes of all certificate types issued by Apple Developer web site, tables of which capabilities are supported by which distribution models on iOS and macOS, and information on how to use managed capabilities.
Developer > Support > Certificates covers some important policy issues
Entitlements documentation
TN3125 Inside Code Signing: Provisioning Profiles — This includes links to other technotes in the Inside Code Signing series.
WWDC 2021 Session 10204 Distribute apps in Xcode with cloud signing
Certificate Signing Requests Explained DevForums post
--deep Considered Harmful DevForums post
Don’t Run App Store Distribution-Signed Code DevForums post
Resolving errSecInternalComponent errors during code signing DevForums post
Finding a Capability’s Distribution Restrictions DevForums post
Signing code with a hardware-based code-signing identity DevForums post
Mac code signing:
DevForums tag: Developer ID
Creating distribution-signed code for macOS documentation
Packaging Mac software for distribution documentation
Placing Content in a Bundle documentation
Embedding Nonstandard Code Structures in a Bundle documentation
Embedding a Command-Line Tool in a Sandboxed App documentation
Signing a Daemon with a Restricted Entitlement documentation
Defining launch environment and library constraints documentation
WWDC 2023 Session 10266 Protect your Mac app with environment constraints
TN2206 macOS Code Signing In Depth archived technote — This doc has mostly been replaced by the other resources linked to here but it still contains a few unique tidbits and it’s a great historical reference.
Manual Code Signing Example DevForums post
The Care and Feeding of Developer ID DevForums post
TestFlight, Provisioning Profiles, and the Mac App Store DevForums post
For problems with notarisation, see Notarisation Resources. For problems with the trusted execution system, including Gatekeeper, see Trusted Execution Resources.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
Entitlements
RSS for tagEntitlements allow specific capabilities or security permissions for your apps.
Posts under Entitlements tag
200 Posts
Sort by:
Post
Replies
Boosts
Views
Activity
Is it correct to codesign dylib/framewoks with entitlements? My understanding is that only executables need to have the entitlement and the dylibs loaded in that process will automatically inherit those entitlements.
However, I am seeing a lot of scripts on the internet that a signing dylibs as well with entitlements. For eg -
# sign *.dylibs
find "$APP_BUNDLE" -type f -name "*.dylib" -exec codesign --deep --force --verify --verbose --timestamp --options runtime --entitlements "$ENTITLEMENTS_FILE" --sign "$SIGNING_IDENTITY" {} \;
Is this even allowed? I know of at least one app that has passed notarization checks as well. If allowed, can a dylib have more entitlements than the process that loaded it?
We are implementing a feature that uses PKPassLibrary.requestAutomaticPassPresentationSuppression to prevent the Wallet from appearing when unlocking a lock. We have already completed the approval process for the entitlement to enable Pass Presentation Suppression.
In most cases, our code snippet works as expected, and the result is .success. However, we are also encountering other results, such as .denied, .alreadyPresenting, and .cancelled or .notSupported, which cause the Wallet to appear for users.
Here's the code snippet we're using:
PKPassLibrary.requestAutomaticPassPresentationSuppression { result in
logger.log(
.info,
"PKPassLibrary suppression result: \(result.description)",
LogContext.homeFeature
)
}
I would appreciate clarification on the following points:
What's the meaning of each result type (.denied, .alreadyPresenting, .cancelled, .notSupported) beyond what is mentioned in the documentation? The documentation here does not provide additional details.
What is the recommended handling for these specific result states? Should we be taking different actions or retries based on each case?
Thank you very much for your help.
Best, Ramiro.
I am working on a personal use app, to transcribe audio files. I have over 1000 Voice Memos of ideas for a dog training app and book, recorded while... walking dogs, of course.
I seem to not have the built in transcription option, either because Sonoma doesn't support it or my region doesn't, but I have learned a lot of Swift building an app that works great fort files in a folder in Documents.
I have also found the path to to all the Voice Memo recordings. But when I try to read the contents of the folder to build the queue for transcription I get The file “Recordings” couldn’t be opened because you don’t have permission to view it.
I expected this to be locked down, and some searching brought me to this and I have added Access User Selected Files (Read Only) = YES to the entitlements file, but I am not seeing where in the TARGETS editor I would assign com.apple.security.files.user-selected.read-only. If I add it as a key under info I don't get a popup to select, either in Xcode or when running the app. If I try to add that key to the entitlements file it doesn't allow for selection either.
I am sure I am just missing something in the documentation, likely as a result of being an Xcode & Swift noob. So, if I CAN do this and I am just missing something, can someone point the way? And if a folder inside another app is just verboten, manually copying those files to a documents folder for processing won't be the end of the world.
Hi there,
I have a Multiplatform app with just one app target with an iPhone, iPad and Мас Destination. On the Mac my app is a developer singed App that is being distributed outside of the Mac App Store.
I want to use App Groups, but as long as there are multiple destinations, Xcode only allows Group Identifiers starting with group.. However, for macOS I need to have a group ID that starts with the TeamID as explained here.
So I created two separate entitlements, which are identical, but with different group IDs:
With Automatic Code Signing enabled, I get this warning:
Xcode still seems thinks it has to use the macOS Group ID for the iOS version. In the App Groups section, the mac Group ID is red and the iOS Group ID is not checked.
The app builds and runs without issues on all platforms. The App Store Connect validation (for the iOS version) also works without any errors.
Am I doing something wrong? Do I need a separate Mac target because Xcode does not support separate Group IDs for Multiplatform apps?
Hi everyone.
Can anyone who has had experience tell me how long it takes to get a response to the approval to use critical alerts?
Thanks.
Since this file is protected by SIP, it can't just be changed by an installer/app without prompting the user. If the user chooses to deny the request, the sudo file won't be updated with a security critical pam module.
I need to insert our custom pam module into /etc/pam.d/sudo without the user being able to deny the operation.
Hello,
I have an application which uses a helper[1] to download[2] files. When files download is a DMG and user mounts the image to run the application from this DMG it doesn't pass Gatekeeper. It presents the "Application XYZ.app can't be opened.".
Same file downloaded via Safari shows a different dialog, the "XYZ.app is an app downloaded from the internet. Are you sure you want to open it?"
In the system log I see this line:
exec of /Volumes/SampleApp/SampleApp.app/Contents/MacOS/SampleApp denied since it was quarantined by Download\x20Helper and created without user consent, qtn-flags was 0x00000187
The application is running sandboxed and hardened, the main application has com.apple.security.files.downloads.read-write entitlement. Everything is signed by DeveloperID and passes all checks[3].
I tried to check the responsible process[4] of the helper. Then trivial stuff like download folder access in System Settings/Privacy & Security/Files & Folders. Everything seems to be fine.
For what it worths the value of quarantine attribute is following:
com.apple.quarantine: 0087;6723b80e;My App;
The Safari downloaded one posses:
com.apple.quarantine: 0083;6723b9fa;Safari;02162070-2561-42BE-B30B-19A0E94FE7CA
Also tried a few more ways and got to 0081 with Edge and 0082 with a sample app with similar setup. Not sure if that has any meaning.
What could I be doing wrong that Gatekeeper right away refuses to run the application from DMG instead of showing the dialog like in other cases?
[1] The executable is in application bundle located in Contents/Helpers/DownloadHelper.app in the main application bundle.
[2] Nothing fancy, curl + regular POSIX file operations
[3] codesign, syspolicy_check, spctl
[4] launchctl procinfo pid
Hello everyone,
We develop an app called Unite (bundle ID: com.BZG.Unite), which allows users to create standalone macOS applications from websites. These user-generated apps are based on a backend browser template called DefaultApp (bundle ID: com.bzg.default.app). Here's how our setup works:
Unite and DefaultApp: Both are signed with our Developer ID and include necessary provisioning profiles and entitlements.
User-Created Apps: When a user creates an app with Unite, it generates a customized version of DefaultApp with the user's chosen name and settings. These apps are ad-hoc signed upon creation to reflect their unique identity.
Issue
Since updating to macOS 15, every time a user launches a created app, they encounter a persistent prompt asking for permission to access files outside the app's container. Granting full disk access in System Preferences suppresses the prompt, but this is not a practical solution for end-users.
Upon launching a user-created app (e.g., "ExampleTest"), the following prompt appears:
This prompt appears on every launch of the app.
Steps to Reproduce
On a Mac running macOS 15, create a new app using Unite (e.g., "ExampleTest").
Launch the newly created app.
Observe the prompt requesting access to files outside the app's container.
Close and relaunch the app; the prompt appears again.
What We Have Tried
Given that our apps use an app group (group.BZG.unite.sharedData) to share data between Unite, DefaultApp, and user-created apps, we believe this is triggering the prompt due to changes in System Integrity Protection (SIP) in macOS 15. We are further confident given that if the user does not allow access, the app does launch, but shows an error indicating that the created app was unable to access the data that is typically in the shared group.
Here’s a summary of our troubleshooting efforts:
1. Adjusting App Group Configuration
Ensured the app group name aligns with Apple's guidelines, including prefixing with the Team ID (teamid.group.BZG.unite.sharedData).
Verified that the app group is correctly declared in the com.apple.security.application-groups entitlement.
2. Provisioning Profile Creation
Generated provisioning profiles via Xcode and the Developer Console, ensuring the app group entitlement is included.
Applied the provisioning profile to the user-created app during code signing.
Despite these efforts, the issue continues.
3. Entitlements and Code Signing
Created an entitlements file for the user-created app, mirroring the entitlements from DefaultApp, including:
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.application-identifier</key>
<string>id.com.BZG.ExampleTest</string>
<key>com.apple.developer.team-identifier</key>
<string>id</string>
<key>com.apple.security.application-groups</key>
<array>
<string>id.group.BZG.unite.sharedData</string>
</array>
<key>com.apple.security.app-sandbox</key>
<true/>
</dict>
</plist>
Signed the user-created app with our Developer ID and the provisioning profile
Verified the entitlements
4. Reviewing System Logs
Observed error messages indicating unsatisfied entitlements:
message: com.BZG.ExampleTest: Unsatisfied entitlements: com.apple.security.application-groups
**5. Consulting Documentation and WWDC Sessions
**
Referenced post on App Groups in macOS vs iOS.
Reviewed the macOS 15 Release Notes regarding SIP and app group container protection.
Watched WWDC 2024 Session 10123: What's new in privacy, starting at 12:23.
Questions
Is there a way to authorize the com.apple.security.application-groups entitlement in the provisioning profile for ad-hoc signed apps?
Given the SIP changes in macOS 15, how can we enable our ad-hoc signed, user-generated apps to access the app group container without triggering the persistent prompt?
Are there alternative approaches to sharing data between the main app and user-generated apps that comply with macOS 15's SIP requirements?
Is there anything to try that we're missing here to solve this?
Any guidance on how to resolve this issue or workarounds to allow app group access without triggering the prompt would be greatly appreciated.
Thank you for your assistance!
Hi,
I have been building a MacCatalyst versions of an iOS app for years using a separate build that included a specific .entitlements file that excludes the com.apple.security.device.camera. Yet when I now build with Xcode 16.1 that entitlement is included.
I have double checked my signing entitlement for my MacCatalyst build it is configured properly. I have check my .entitlement file to ensusre com.apple.security.device.camera is not there. All is as it should be.
I have changed nothing, my build flow is the same.
App Store Review has prevented the Mac build to be release becuse the com.apple.security.device.camera is set.
What can I do to correct this?
Hey folks,
I developed a DLP program based on Endpoint Security for the enterprise, and everything functioned normally. I also applied for the development permission of Endpoint Security before, which took 3 months. Now I want to distribute the software internally, so I tried to apply for a certificate for distribution permission. After waiting for 3 months, Apple told me that the permission was rejected.
This is the replay content:
Thank you for your interest in Endpoint Security. After carefulconsideration, we regret that we're unable to approve your request at this time. If you'd like to submit another request for this capability, please review andconfirm that your app details and justification meet the criteria before resubmittting.
Rejecting duplicate request.
Apple Developer Relations
I don't know what's wrong, what should I do to get distribution or developer id permissions.
Hello,
I have a command line application that uses iTunesLibrary to "save" the state of what I have listened to. I have it run every night via a LaunchAgent. You can see the source here: https://github.com/bolsinga/itunes_json
Prior to Sequoia it would run nightly. I'd just have to grant it access to the Music library once, and it would be fine thereafter. However with Sequoia it requires UI interaction to grant it access every time. This makes it no longer run unattended overnight, defeating its purpose.
I have the console logs of when this happens. You can see it in my issue tracking it here: https://github.com/bolsinga/itunes_json/issues/410
One thing that makes me wonder is that it is a command line application, not a bundle. How do I make a command line application get access to MusicKit / iTunesLibrary, and keep it thereafter? I'd like to get my pre-Sequoia behavior back. I've filed FB15592660 too.
I've granted it access to run in the background, as well as access to my Music library (please see attached screenshots).
AMPLibraryAgent 10:48:29.489944-0700 xpc Connection from framework client invalidated pid:57606 clientname:iTunesLibrary(itunes_json)
AMPLibraryAgent 10:48:29.492763-0700 service Unloading domains(14) for ClientID:iTunesLibrary(itunes_json)-1229 previous open:15 new open:1
itunes_json 10:48:59.980864-0700 connection [0x157f05800] activating connection: mach=true listener=false peer=false name=com.apple.amp.library.framework
tccd 10:48:59.982568-0700 access AUTHREQ_ATTRIBUTION: msgID=1795.214, attribution={accessing={TCCDProcess: identifier=itunes_json, pid=57652, auid=501, euid=501, binary_path=/Users/bolsinga/Applications/itunes_json/Products/usr/local/bin/itunes_json}, requesting={TCCDProcess: identifier=com.apple.AMPLibraryAgent, pid=1795, auid=501, euid=501, binary_path=/System/Library/PrivateFrameworks/AMPLibrary.framework/Versions/A/Support/AMPLibraryAgent}, },
tccd 10:48:59.982651-0700 access requestor: TCCDProcess: identifier=com.apple.AMPLibraryAgent, pid=1795, auid=501, euid=501, binary_path=/System/Library/PrivateFrameworks/AMPLibrary.framework/Versions/A/Support/AMPLibraryAgent is checking access for accessor TCCDProcess: identifier=itunes_json, pid=57652, auid=501, euid=501, binary_path=/Users/bolsinga/Applications/itunes_json/Products/usr/local/bin/itunes_json
tccd 10:48:59.995636-0700 access AUTHREQ_SUBJECT: msgID=1795.214, subject=/Users/bolsinga/Applications/itunes_json/Products/usr/local/bin/itunes_json,
tccd 10:48:59.996283-0700 access -[TCCDAccessIdentity staticCode]: static code for: identifier /Users/bolsinga/Applications/itunes_json/Products/usr/local/bin/itunes_json, type: 1: 0xc00341b00 at /Users/bolsinga/Applications/itunes_json/Products/usr/local/bin/itunes_json
tccd 10:49:00.018205-0700 access Failed to match existing code requirement for subject /Users/bolsinga/Applications/itunes_json/Products/usr/local/bin/itunes_json and service kTCCServiceMediaLibrary
cdhash H"6bc380972f4df49b337a2a05308fb7b98fbe6473" or cdhash H"0708bcaabbfbab8770522050f7e2642d4d864f31"
cdhash H"6bc380972f4df49b337a2a05308fb7b98fbe6473" or cdhash H"0708bcaabbfbab8770522050f7e2642d4d864f31"
tccd 10:49:00.018997-0700 access AUTHREQ_PROMPTING: msgID=1795.214, service=kTCCServiceMediaLibrary, subject=Sub:{/Users/bolsinga/Applications/itunes_json/Products/usr/local/bin/itunes_json}Resp:{TCCDProcess: identifier=itunes_json, pid=57652, auid=501, euid=501, binary_path=/Users/bolsinga/Applications/itunes_json/Products/usr/local/bin/itunes_json},
AMPLibraryAgent 10:49:02.489170-0700 xpc ampld> register framework ClientName:iTunesLibrary(itunes_json)
tccd 10:49:02.488189-0700 events Publishing <TCCDEvent: type=Create, service=kTCCServiceMediaLibrary, identifier_type=Path, identifier=/Users/bolsinga/Applications/itunes_json/Products/usr/local/bin/itunes_json> to 4 subscribers: {
633 = "<TCCDEventSubscriber: token=633, state=Initial, csid=(null)>";
628 = "<TCCDEventSubscriber: token=628, state=Passed, csid=com.apple.chronod>";
464 = "<TCCDEventSubscriber: token=464, state=Passed, csid=com.apple.cloudd>";
513 = "<TCCDEventSubscriber: token=513, state=Passed, csid=com.apple.photolibraryd>";
}
AMPLibraryAgent 10:49:02.490391-0700 xpc ampld> registered framework ClientName:iTunesLibrary(itunes_json) with clientID:1230
itunes_json 10:49:02.792084-0700 connection [0x147e04340] activating connection: mach=true listener=false peer=false name=com.apple.amp.artworkd
itunes_json 10:49:02.801482-0700 <Missing Description> openDatabase 0xe4af30f4493e5ef5 artwork folder Y '<private>'
itunes_json 10:49:02.805087-0700 <Missing Description> openDatabase 0xf2db6e8d7672edc9 artwork folder Y '<private>'
itunes_json 10:49:02.806736-0700 <Missing Description> openDatabase 0xfb2acd898c951851 artwork folder Y '<private>'
itunes_json 10:49:02.813286-0700 <Missing Description> openDatabase 0xf0f4919c5ff0e88 artwork folder Y '<private>'
itunes_json 10:49:09.634928-0700 connection [0x600002b6a0d0] activating connection: mach=true listener=false peer=false name=com.apple.cfprefsd.daemon
itunes_json 10:49:09.635019-0700 connection [0x600002b78000] activating connection: mach=true listener=false peer=false name=com.apple.cfprefsd.agent
AMPLibraryAgent 10:49:12.382878-0700 xpc Connection from framework client invalidated pid:57652 clientname:iTunesLibrary(itunes_json)
AMPLibraryAgent 10:49:12.383474-0700 service Unloading domains(14) for ClientID:iTunesLibrary(itunes_json)-1230 previous open:15 new open:1
itunes_json.log
I have two different USB devices with different vendor IDs I would like to connect to. I submitted two separate requests for the com.apple.developer.driverkit.transport.usb entitlement for each vendor ID. However I am noticing the provisioning profile only has one of the vendor IDs.
How do I submit a request for the USB Transport entitlement to support more than one vendor ID? I'm new to writing a DriverKit driver, so is this even possible?
Hi guys, I’m writing an app that integrates Screen Time API more specifically one that has only DeviceActivityReport.
The app runs as expected but I have an issue when pushing it to AppStoreConnect:
Provisioning profile failed qualification: Profile doesn't support Family Controls (Development).
Provisioning profile failed qualification: Profile doesn't include the com.apple.developer.family-controls entitlement.
Provisioning profile failed qualification: Profile doesn't support Family Controls (Development).
Provisioning profile failed qualification: Profile doesn't include the com.apple.developer.family-controls entitlement.
My app has Family Controls (Development) set in Capabilities, entitlement file, provisioning profile and distribution certificates.
I have already requested Apple for the entitlement key for Family Controls (I’m waiting for them to reply).
So, I have few questions now:
Can I distribute a build for internal testers via TestFlight without waiting for Apple’s reply to my request?
Do I need to wait Apple’s reply to distribute the app to internal tester under Family Controls (Development) ?
Has anybody had the same issue and solved it without waiting for Apple to approve the request during development (no distribution)?
I have done a deep search about this topic but it is still not clear to me if an internal build could be distributed under Family Controls (Development) or if it is mandatory to wait for the distribution one
Hi Team,
mac installer is crashing in macos15 after successfully installing. but it is working in below mac os versions.
.app file in successfully code signed and notarized.
crash logs is attahced, please check.
sh-2024-10-17-124323 2 1.ips
below is our entitlement.plist file for reference.
we are clueless what is causing issues in macos 15 as we are unable to luanch it post succesful installation.
please kind take a look into the logs attached and help us resolve the issues.
Thanks,
NareshG
I have an App in production and want to add new capabilities to the app.
Will adding additional capabilities cause the production App to break?
I requested an entitlement 2 weeks ago, and sent a support email 1 week ago. My developer account already had this entitlement, but I transferred the app (which was approved in the app store) to an organization I made it for.
I haven't heard anything from Apple in two weeks, including NO RESPONSE to my email asking when I would hear back.
Is this common? I'll call them on Monday but damn I delivered this product to the organization many weeks ago and now Apple is holding me up now with no indication of how much longer.
Context/Project Idea:
I'm currently developing a project that consists of a macOS application using Swift and a local Python backend that executes specific tasks such as processing data. The Python backend is the core of this project, while the Swift application is a mere interface to interact with it.
These two project parts should be decoupled so the user can theoretically run their own backend and connect the Swift application to it. Likewise, the user should be able to connect to the shipped backend using, e.g. curl.
Current plan:
My main idea is to use launchctl to launch a launchd agent which runs the Python backend. The script launching the backend will generate an API key stored in a keychain access group. The Swift application can then get that key and access the backend. The user can always get that API key from the keychain if they want to connect to it programmatically.
Here are the main questions I have currently:
Python Interpreter Consistency: I'm exploring options such as cx_Freeze or PyInstaller to create a standalone Python executable for better system stability. Does anyone have experience with these tools in a macOS environment, or are there other reliable alternatives worth considering?
Adding a Launchd Agent to Xcode: How can I add a launchd agent to my Xcode project to manage a Python executable built with cx_Freeze or PyInstaller? What steps should I follow to ensure it functions properly?
Keychain Access for Launchd Agent: Is it feasible for a launchd agent to access a Keychain access group? What configurations or permissions are necessary to implement this?
Thanks in advance!
Hi, team.
So, I'm working on reading certificates from the keychain that have been stored or saved by other apps into it.
I understand that kSecAttrAccessGroupToken allows us to achieve that.
It is a requirement to use com.apple.token group in the entitlements file.
Having done that, I cannot store SecSertificates into the keychain, and into the security group. I can do it without the security group, but after adding in the dictionary the kSecAttrAccessGroup: kSecAttrAccessGroupToken, I can no longer add certificates.
I get the famous -34018. No entitlement found.
However, when I try to read certificates in the same access group, I do not get a -34018 error back. I instead get a -25300, which I understand means no keychain item was found in this access group.
How can this be happening?
Reading, the entitlement works, writing does not.
Here are my queries:
For adding:
let addQuery = [
kSecClass: kSecClassCertificate,
kSecValueRef: secCertificate as Any,
kSecAttrLabel: certificateName,
kSecAttrAccessGroup: kSecAttrAccessGroupToken
] as [CFString: Any]
let status = SecItemAdd(addQuery as CFDictionary, nil)
For reading:
var item: CFTypeRef?
let query = [
kSecClass: kSecClassCertificate,
kSecMatchLimit: kSecMatchLimitAll,
kSecReturnRef: kCFBooleanTrue as Any,
kSecAttrAccessGroup: kSecAttrAccessGroupToken
] as [CFString: Any]
let status = SecItemCopyMatching(query as CFDictionary, &item)
We are utilizing the StoreKit external purchase link within the app and have configured the necessary keys in the entitlements according to the documentation. The Info.plist file has also been updated with the required key and a single destination URL, following the guidelines from this documentation. However, when we click the link in the app, it redirects to the default browser, and the in-app system disclosure sheet does not appear.
Should the in-app disclosure sheet appear automatically, or do we need to design and implement it ourselves?
Hi.
I'm an iOS developer,
We are creating a Automaker Carplay app for an Automaker provider, but we are facing some troubles:
Xcode error:
Provisioning profile "iOS Team Provisioning Profile: BundleIdentifier" doesn't match the entitlements file's value for the com.apple.developer.carplay-protocols entitlement.
We have the entitlements requested and approved by apple, but we cannot deploy the app in real devices. We don't know if we need to do an extra step.
Thank you very much.