Entitlements

RSS for tag

Entitlements allow specific capabilities or security permissions for your apps.

Entitlements Documentation

Post

Replies

Boosts

Views

Activity

ASP rejection of signed command line application
I am trying to run something I built with the CLI versions of clang on my M3 MBP. The application is signed: codesign -d -v /usr/local/bin/wine* Executable=/usr/local/bin/wine Identifier=org.winehq.wine Format=Mach-O thin (arm64) CodeDirectory v=20400 size=275 flags=0x0(none) hashes=3+2 location=embedded Signature size=8972 Timestamp=Dec 15, 2023 at 10:35:06 AM Info.plist entries=12 TeamIdentifier=L479DU3G63 Sealed Resources=none Internal requirements count=1 size=176 Executable=/usr/local/bin/wineboot Identifier=wineboot Format=generic CodeDirectory v=20200 size=168 flags=0x0(none) hashes=1+2 location=embedded Signature size=9053 Timestamp=Dec 15, 2023 at 10:35:06 AM Info.plist=not bound TeamIdentifier=L479DU3G63 Sealed Resources=none Internal requirements count=2 size=216 Executable=/usr/local/bin/winebuild Identifier=winebuild Format=Mach-O thin (arm64) CodeDirectory v=20400 size=1933 flags=0x0(none) hashes=55+2 location=embedded Signature size=8972 Timestamp=Dec 15, 2023 at 10:35:06 AM Info.plist=not bound TeamIdentifier=L479DU3G63 Sealed Resources=none Internal requirements count=1 size=172 Executable=/usr/local/bin/winecfg Identifier=winecfg Format=generic CodeDirectory v=20200 size=167 flags=0x0(none) hashes=1+2 location=embedded Signature size=9053 Timestamp=Dec 15, 2023 at 10:35:07 AM Info.plist=not bound TeamIdentifier=L479DU3G63 Sealed Resources=none Internal requirements count=2 size=216 Executable=/usr/local/bin/wineconsole Identifier=wineconsole Format=generic CodeDirectory v=20200 size=171 flags=0x0(none) hashes=1+2 location=embedded Signature size=9053 Timestamp=Dec 15, 2023 at 10:35:07 AM Info.plist=not bound TeamIdentifier=L479DU3G63 Sealed Resources=none Internal requirements count=2 size=220 Executable=/usr/local/bin/winegcc Identifier=winegcc Format=Mach-O thin (arm64) CodeDirectory v=20400 size=747 flags=0x0(none) hashes=18+2 location=embedded Signature size=8972 Timestamp=Dec 15, 2023 at 10:35:07 AM Info.plist=not bound TeamIdentifier=L479DU3G63 Sealed Resources=none Internal requirements count=1 size=168 Executable=/usr/local/bin/winedbg Identifier=winedbg Format=generic CodeDirectory v=20200 size=167 flags=0x0(none) hashes=1+2 location=embedded Signature size=9052 Timestamp=Dec 15, 2023 at 10:35:07 AM Info.plist=not bound TeamIdentifier=L479DU3G63 Sealed Resources=none Internal requirements count=2 size=216 Executable=/usr/local/bin/winedump Identifier=winedump Format=Mach-O thin (arm64) CodeDirectory v=20400 size=3052 flags=0x0(none) hashes=90+2 location=embedded Signature size=8972 Timestamp=Dec 15, 2023 at 10:35:07 AM Info.plist=not bound TeamIdentifier=L479DU3G63 Sealed Resources=none Internal requirements count=1 size=168 Executable=/usr/local/bin/winefile Identifier=winefile Format=generic CodeDirectory v=20200 size=168 flags=0x0(none) hashes=1+2 location=embedded Signature size=9053 Timestamp=Dec 15, 2023 at 10:35:07 AM Info.plist=not bound TeamIdentifier=L479DU3G63 Sealed Resources=none Internal requirements count=2 size=216 Executable=/usr/local/bin/winegcc Identifier=winegcc Format=Mach-O thin (arm64) CodeDirectory v=20400 size=747 flags=0x0(none) hashes=18+2 location=embedded Signature size=8972 Timestamp=Dec 15, 2023 at 10:35:07 AM Info.plist=not bound TeamIdentifier=L479DU3G63 Sealed Resources=none Internal requirements count=1 size=168 Executable=/usr/local/bin/winegcc Identifier=winegcc Format=Mach-O thin (arm64) CodeDirectory v=20400 size=747 flags=0x0(none) hashes=18+2 location=embedded Signature size=8972 Timestamp=Dec 15, 2023 at 10:35:07 AM Info.plist=not bound TeamIdentifier=L479DU3G63 Sealed Resources=none Internal requirements count=1 size=168 Executable=/usr/local/bin/winemaker Identifier=winemaker Format=generic CodeDirectory v=20200 size=169 flags=0x0(none) hashes=1+2 location=embedded Signature size=9052 Timestamp=Dec 15, 2023 at 10:35:07 AM Info.plist=not bound TeamIdentifier=L479DU3G63 Sealed Resources=none Internal requirements count=2 size=224 Executable=/usr/local/bin/winemine Identifier=winemine Format=generic CodeDirectory v=20200 size=168 flags=0x0(none) hashes=1+2 location=embedded Signature size=9052 Timestamp=Dec 15, 2023 at 10:35:08 AM Info.plist=not bound TeamIdentifier=L479DU3G63 Sealed Resources=none Internal requirements count=2 size=216 Executable=/usr/local/bin/winepath Identifier=winepath Format=generic CodeDirectory v=20200 size=168 flags=0x0(none) hashes=1+2 location=embedded Signature size=9053 Timestamp=Dec 15, 2023 at 10:35:08 AM Info.plist=not bound TeamIdentifier=L479DU3G63 Sealed Resources=none Internal requirements count=2 size=216 Executable=/usr/local/bin/wineserver Identifier=wineserver Format=Mach-O thin (arm64) CodeDirectory v=20400 size=5838 flags=0x0(none) hashes=177+2 location=embedded Signature size=8972 Timestamp=Dec 15, 2023 at 10:35:08 AM Info.plist=not bound TeamIdentifier=L479DU3G63 Sealed Resources=none Internal requirements count=1 size=172 but I still get: default 11:47:19.051342-0500 kernel ASP: Security policy would not allow process: 1501, /usr/local/bin/wine Permissions: ls -al wine* -rwxr-xr-x 1 root wheel 28368 Dec 15 10:35 wine -rwxr-xr-x@ 1 root wheel 1973 Dec 14 23:41 wineboot -rwxr-xr-x 1 root wheel 245424 Dec 15 10:35 winebuild -rwxr-xr-x@ 1 root wheel 1973 Dec 14 23:41 winecfg -rwxr-xr-x@ 1 root wheel 1973 Dec 14 23:41 wineconsole lrwxr-xr-x 1 root wheel 7 Dec 14 23:41 winecpp -> winegcc -rwxr-xr-x@ 1 root wheel 1973 Dec 14 23:41 winedbg -rwxr-xr-x 1 root wheel 388400 Dec 15 10:35 winedump -rwxr-xr-x@ 1 root wheel 1973 Dec 14 23:41 winefile lrwxr-xr-x 1 root wheel 7 Dec 14 23:41 wineg++ -> winegcc -rwxr-xr-x 1 root wheel 91840 Dec 15 10:35 winegcc -rwxr-xr-x@ 1 root wheel 95127 Dec 14 23:41 winemaker -rwxr-xr-x@ 1 root wheel 1973 Dec 14 23:41 winemine -rwxr-xr-x@ 1 root wheel 1973 Dec 14 23:41 winepath -rwxr-xr-x 1 root wheel 747120 Dec 15 10:35 wineserver xattr wine* wineboot: com.apple.cs.CodeDirectory wineboot: com.apple.cs.CodeRequirements wineboot: com.apple.cs.CodeRequirements-1 wineboot: com.apple.cs.CodeSignature winecfg: com.apple.cs.CodeDirectory winecfg: com.apple.cs.CodeRequirements winecfg: com.apple.cs.CodeRequirements-1 winecfg: com.apple.cs.CodeSignature wineconsole: com.apple.cs.CodeDirectory wineconsole: com.apple.cs.CodeRequirements wineconsole: com.apple.cs.CodeRequirements-1 wineconsole: com.apple.cs.CodeSignature winedbg: com.apple.cs.CodeDirectory winedbg: com.apple.cs.CodeRequirements winedbg: com.apple.cs.CodeRequirements-1 winedbg: com.apple.cs.CodeSignature winefile: com.apple.cs.CodeDirectory winefile: com.apple.cs.CodeRequirements winefile: com.apple.cs.CodeRequirements-1 etc., etc... Since this is a new machine, maybe something is missing? How do I debug this problem? The most common response to ASP would not allow progress is that there is an unsigned binary. If this is the case, how do I find what binary it is? Thanks! Gene R.
1
0
610
Dec ’23
user-assigned-device-name entitlement - HOW?????
Please help a developer out. If you have gotten the user-assigned-device-name entitlement recently with the new questions, how did you answer the questions? I ask Bard and my app DOES do all of the following and I provided screen shots and it's still rejected. But the problem is, Apple doesn't tell you WHY??? We have to guess and guess. Eligibility criteria: User-facing functionality: Your app must use the user-assigned device name solely for functionality that's visible to the user and allows them to identify their own device. YES!!!!!! Multi-device interaction: The functionality must involve interaction between multiple devices that the same user operates. YES! UI visibility: The user-assigned device name must be visible to the user in your app's UI. You need to provide screenshots of this UI when requesting the entitlement. YES!
1
0
424
Dec ’23
Issue with APNS Token Registration on iOS 16.7.1 - Firebase FCM Token Generated but Register Device Token delegate Not Called
I'm currently facing an issue with APNS token registration on iOS 16.7.1 specifically for iPhone 8+. I'm working on integrating Firebase into my iOS app for push notifications. Problem: The problem I'm encountering is that the didRegisterForRemoteNotificationsWithDeviceToken and didFailToRegisterForRemoteNotificationsWithError delegates are not being called at all, despite Firebase successfully generating the FCM token. Environment: Device: iPhone 8+ iOS Version: 16.7.1 Xcode Version: latest Swift Version: latest Firebase SDK Version: latest Observations: Firebase successfully generates the FCM token, indicating that the device is able to connect to Firebase Cloud Messaging. However, the standard APNS delegate methods (didRegisterForRemoteNotificationsWithDeviceToken and didFailToRegisterForRemoteNotificationsWithError) are not being triggered. This issue seems specific to iOS 16.7.1 on the iPhone 8+. I already tested on other iphone its work normaly. Steps Taken: 1.Ensured that APNS is properly configured in the Apple Developer Console. 2.Firebase is set up correctly, as evidenced by the successful generation of FCM tokens. 3. No relevant errors or warnings in the Xcode console. Question: Has anyone else experienced a similar issue on iOS 16.7.1 or with iPhone 8+ devices? Any insights or suggestions on how to troubleshoot and resolve this issue would be greatly appreciated. Thank you in advance for your time and assistance! Additional Information: If you need more information or code snippets, please let me know. If there's a more appropriate place to post this issue or if it has already been addressed, kindly guide me.
1
0
659
Dec ’23
macOS - Failed to Distribute - Invalid Code Signing Entitlements
Hi, I am trying to distribute my Flutter macOS app, but it fails systematically. The application works perfectly locally (in both Debug & Release modes). My application uses the com.apple.developer.aps-environment entitlement (Push Notifications). I set this entitlement to "production" everywhere (DebugProfile.entitlements, Release.entitlements & RunnerProfile.entitlements). I have macOS distribution provisioning profile. When I am running the 'Archive', I selected as destination: "Any Mac (Apple Silicon, Intel)". When I am trying to deliver the archive, I receive the following error: Invalid Code Signing Entitlements. Your application bundle's signature contains code signing entitlements that are not supported on macOS. Specifically, value 'development' for key 'com.apple.developer.aps-environment' in ... and this... for every single asset !! My configuration is: Flutter 3.16.2 XCode 15.0.1 Mac OS: Ventura 13.6.1 Hardware: Mac mini 2018 Any help will be more than welcome... Thanks in advance,
2
0
575
Dec ’23
Local Push Connectivity API - Got 'Provisioning profile failed qualification' while distributing an app to the store
I have an app which uses the Local Push Connectivity API. I have requested and received the entitlement and everything is working in dev-mode, but once I try to distribute the app to the AppStore I got the following error: Provisioning profile failed qualification Profile doesn't match the entitlements file's value for the com.apple.developer.networking.networkextension entitlement. I was wondering if I need an other entitlement for this, mine is called Local Push Provider iOS Dev which makes me feel like there should be a Store counterpart - but I did not see how to request it on the Entitlement Request Page. Thanks for any hints!
10
0
882
Nov ’23
Cannot add entitlement 'com.apple.developer.device-information.user-assigned-device-name' to Provisioning profile
Currently, My company application get generic device name instead of user-assigned device name on iOS 16 and iOS 17. I read Apple’s documents about the issue: https://developer.apple.com/documentation/uikit/uidevice/1620015-name https://developer.apple.com/forums/thread/721772 But on my account settings, I couldn’t see the entitlement or any way to enable the entitlement. Could you please give me instructions for my problems?
1
0
253
Nov ’23
Tap to Pay: Been waiting 26 days after submitting user flow video for review
Any tips how my company and I can proceed with our Tap to Pay implementation review with Apple? As the title says, we submitted a video 26 days ago and have no traction. I've replied to Apple's "Request Access..." email multiple times with "Case-ID: blah blah" as the first line every time. Between 4 to 6 days later I get the same auto-reply saying "Your entitlement request for the Tap to Pay for iPhone has been granted with the Development Profile restriction...". We've been release-ready for several weeks now. Our product roadmap is being adversely affected by this bottleneck. Any suggestions are welcome! We're at a loss right now. -Jordan Timeline of Events 24 Oct - Submitted TtP for iPhone entitlement request via Apple's web form 27 Oct - Received email confirming entitlement with Development Profile restriction 02 Nov - Replied with video recording of our apps TtP flow 10 Nov - Received same entitlement confirmation email as 27 Oct 13 Nov - Replied asking if Apple needs anything else from us 17 Nov - Received same entitlement confirmation email as 27 Oct 22 Nov - Resent video from a different email account 28 Nov (today) - Received same entitlement confirmation email as 27 Oct
2
2
835
Nov ’23
System pushing CPNowPlayingTemplate to Driving Task CarPlay app (crash)
Since iOS 17 is out I am getting crashes in my Driving Task CarPlay app. It is as if the System tried to push a CPNowPlayingTemplate to my app, and that template, according to the documentation, is not allowed for a Driving Task CarPlay app. I get the following error: Fatal Exception: NSInvalidArgumentException Unsupported object <CPNowPlayingTemplate: 0x283944c60> <identifier: 3195B357-D184-41BF-91CA-399C5810A8EA, userInfo: (null), tabTitle: (null), tabImage: (null), showsTabBadge: 0> passed to pushTemplate:animated:completion:. Allowed classes: {( CPInformationTemplate, CPListTemplate, CPAlertTemplate, CPActionSheetTemplate, CPTabBarTemplate, CPGridTemplate, CPPointOfInterestTemplate )} My app, from time to time, plays some sounds to warn the driver about issues in the road. Maybe that can trigger (in which cases?) the now playing template to be pushed to my app. Is this an iOS 17 bug? Is there a way to work around it? Thank you.
1
0
589
Nov ’23
Bug in iOS Keychain Sharing
Consider a scenario: There are two iOS apps, App1: com.example.app1 App2: com.example.app2 App1 has no keychain access groups, other than its default group that is .com.example.app1 However, App2 has keychain access groups added which is bundle identifier of App1 i.e. .com.example.app1, So App2 access groups are as follows: [.com.example.app1, .com.example.app2] This way App2 has access to App1’s private access group. Which means App2 can Create, Read, Update and Delete ALL the keychain items inside App1’s private group. But, Apple’s Developer documentation says otherwise. Referring to this document: https://developer.apple.com/documentation/security/keychain_services/keychain_items/sharing_access_to_keychain_items_among_a_collection_of_apps In section “Establish your app’s private access group” (https://developer.apple.com/documentation/security/keychain_services/keychain_items/sharing_access_to_keychain_items_among_a_collection_of_apps#2974916), it says that “Because app IDs are unique across all apps, and because the app ID is stored in an entitlement protected by code signing, no other app can use it, therefore no other app is in this group”. Focus on “therefore no other app is in this group”. But as proved from above scenario, App2 can be part of App1’s private access group.
2
0
528
Nov ’23
Does an Endpoint Security system-extension requires paid app enabled?
Hello! we are trying to request of a new Entitlment for "com.apple.developer.endpoint-security.client" for our desktop app. Issue is that we are not able to insert the request for an "Unathorized" error, with the mesage below in which seems that we lack some agreements on our account: _Unathorized: If you’re a member of a developer program, make sure your Account Holder has agreed the latest license agreement. _ The only agreements we are curretly missing is the one for "Paid app", wiht bank account informaition and so on. Does anyone know anything about it, if it is mandatory to fill this to proceed with the request? Thanks!
4
0
680
Nov ’23
Shallow Depth and Pressure entitlement
I wrote my app with the entitlement "com.apple.developer.submerged-shallow-depth-and-pressure" and also with underwater-depth for WKBackgroundMode. All is working fine when I tested the app. When I want to put the app in the store I got the following error: **Missing entitlement. The Info.plist for the watchOS app bundle at “Watch App.app” uses the underwater-depth value for WKBackgroundModes without the com.apple.developer.submerged-depth-and-pressure entitlement signed into the bundle. ** I wonder why the entitlement in the error message is without -shallow- and why I get this message.
2
0
991
Oct ’23
SensitiveContentAnalysis iOS 17
My development certificate is configured with SensitiveContentAnalysis, and this configuration has also been added to xcode. Error after running: MAD request(1) returns error: Error Domain=NSOSStatusErrorDomain Code=-18 "User Safety either not entitled for client or not enabled" UserInfo={NSLocalizedDescription=User Safety either not entitled for client or not enabled}
1
0
454
Oct ’23
Tap to Pay Entitlement only for development
Hi, We applied for Tap to Pay on iPhone entitlement and were approved, but on distribution support it's only showing Development. We can build and debug Tap to Pay on development, but unable to build release. We opened ticket with Apple support but they were saying it was configured correctly. I attached screenshot of our developer account entitlement for Tap to Pay. It clearly said Development only.
5
1
1.2k
Oct ’23
In-App Purchases Entitlement Key????
Hello, What is the key for In-App Purchases entitlement I can add to my app.entitlements file in my project, so that I can autonomously enable the In-App Purchase capability? I have searched far a wide for this, however, it's unclear where it can be located. I know I can enable this capability manually by opening Xcode -> Selecting the "Signing & Capabilities" tab -> selecting "+ Capability" -> selecting "In-App Purchase" capability. However, this is not really an ideal solution for adding the capability to my app, especially when automated processes for building, testing, distributing via CI/CD are integrated. It would beneficial to be able to reference some documentation or resources for enabling capabilities (or any other build settings) autonomously in a project as opposed to having to manually click my way through enabling them. Looking forward to hearing back. Thanks!
3
0
1.7k
Sep ’23