Entitlements

Entitlements allow specific capabilities or security permissions for your apps.

Post

Replies

Boosts

Views

Activity

macOS - Failed to Distribute - Invalid Code Signing Entitlements
Hi, I am trying to distribute my Flutter macOS app, but it fails systematically. The application works perfectly locally (in both Debug & Release modes). My application uses the com.apple.developer.aps-environment entitlement (Push Notifications). I set this entitlement to "production" everywhere (DebugProfile.entitlements, Release.entitlements & RunnerProfile.entitlements). I have a macOS distribution provisioning profile. When I am running the 'Archive', I selected as destination: "Any Mac (Apple Silicon, Intel)". When I am trying to deliver the archive, I receive the following error:

    Invalid Code Signing Entitlements. Your application bundle's signature contains code signing entitlements that are not supported on macOS. Specifically, value 'development' for key 'com.apple.developer.aps-environment' in ...

and this... for every single asset!!

My configuration is:
Flutter 3.16.2
Xcode 15.0.1
Mac OS: Ventura 13.6.1
Hardware: Mac mini 2018

Any help will be more than welcome... Thanks in advance,
2
0
562
Dec ’23
Cannot add entitlement 'com.apple.developer.device-information.user-assigned-device-name' to Provisioning profile
Currently, my company's application gets a generic device name instead of the user-assigned device name on iOS 16 and iOS 17. I read Apple's documents about the issue:

https://developer.apple.com/documentation/uikit/uidevice/1620015-name
https://developer.apple.com/forums/thread/721772

But in my account settings, I couldn't see the entitlement or any way to enable the entitlement. Could you please give me instructions for my problems?
1
0
245
Nov ’23
System pushing CPNowPlayingTemplate to Driving Task CarPlay app (crash)
Since iOS 17 is out I am getting crashes in my Driving Task CarPlay app. It is as if the System tried to push a CPNowPlayingTemplate to my app, and that template, according to the documentation, is not allowed for a Driving Task CarPlay app. I get the following error:

    Fatal Exception: NSInvalidArgumentException
    Unsupported object <CPNowPlayingTemplate: 0x283944c60> <identifier: 3195B357-D184-41BF-91CA-399C5810A8EA, userInfo: (null), tabTitle: (null), tabImage: (null), showsTabBadge: 0> passed to pushTemplate:animated:completion:. Allowed classes: {( CPInformationTemplate, CPListTemplate, CPAlertTemplate, CPActionSheetTemplate, CPTabBarTemplate, CPGridTemplate, CPPointOfInterestTemplate )}

My app, from time to time, plays some sounds to warn the driver about issues in the road. Maybe that can trigger (in which cases?) the now playing template to be pushed to my app. Is this an iOS 17 bug? Is there a way to work around it? Thank you.
1
0
573
Nov ’23
Tap to Pay: Been waiting 26 days after submitting user flow video for review
Any tips how my company and I can proceed with our Tap to Pay implementation review with Apple? As the title says, we submitted a video 26 days ago and have no traction. I've replied to Apple's "Request Access..." email multiple times with "Case-ID: blah blah" as the first line every time. Between 4 to 6 days later I get the same auto-reply saying "Your entitlement request for the Tap to Pay for iPhone has been granted with the Development Profile restriction...". We've been release-ready for several weeks now. Our product roadmap is being adversely affected by this bottleneck. Any suggestions are welcome! We're at a loss right now.

-Jordan

Timeline of Events
24 Oct - Submitted TtP for iPhone entitlement request via Apple's web form
27 Oct - Received email confirming entitlement with Development Profile restriction
02 Nov - Replied with video recording of our app's TtP flow
10 Nov - Received same entitlement confirmation email as 27 Oct
13 Nov - Replied asking if Apple needs anything else from us
17 Nov - Received same entitlement confirmation email as 27 Oct
22 Nov - Resent video from a different email account
28 Nov (today) - Received same entitlement confirmation email as 27 Oct
2
2
813
Nov ’23
Bug in iOS Keychain Sharing
Consider a scenario: there are two iOS apps,

App1: com.example.app1
App2: com.example.app2

App1 has no keychain access groups, other than its default group, that is .com.example.app1

However, App2 has a keychain access group added which is the bundle identifier of App1, i.e. .com.example.app1. So App2's access groups are as follows:

[.com.example.app1, .com.example.app2]

This way App2 has access to App1's private access group, which means App2 can Create, Read, Update and Delete ALL the keychain items inside App1's private group.

But Apple's Developer documentation says otherwise. Referring to this document:
https://developer.apple.com/documentation/security/keychain_services/keychain_items/sharing_access_to_keychain_items_among_a_collection_of_apps

In section "Establish your app's private access group" (https://developer.apple.com/documentation/security/keychain_services/keychain_items/sharing_access_to_keychain_items_among_a_collection_of_apps#2974916), it says that "Because app IDs are unique across all apps, and because the app ID is stored in an entitlement protected by code signing, no other app can use it, therefore no other app is in this group".

Focus on "therefore no other app is in this group". But as proved by the above scenario, App2 can be part of App1's private access group.
2
0
513
Nov ’23
Does an Endpoint Security system-extension require paid app enabled?
Hello! We are trying to request a new entitlement for "com.apple.developer.endpoint-security.client" for our desktop app. The issue is that we are not able to submit the request because of an "Unauthorized" error, with the message below, from which it seems that we lack some agreements on our account:

    Unauthorized: If you’re a member of a developer program, make sure your Account Holder has agreed the latest license agreement.

The only agreement we are currently missing is the one for "Paid app", with bank account information and so on. Does anyone know anything about it, and whether it is mandatory to fill this in to proceed with the request? Thanks!
4
0
667
Nov ’23
Provisioning profile doesn't support the HealthKit capability, doesn't include com.apple.developer.healthkit and com.apple.developer.healthkit.access entitlements. Your account does not have sufficient permissions to modify containers.
When I try to add HealthKit capabilities to my app, I get the following signing errors: Communication with Apple failed. Your account does not have sufficient permissions to modify containers. Provisioning profile "iOS Team Provisioning Profile: com.domain.app" doesn't support the HealthKit capability. Provisioning profile "iOS Team Provisioning Profile: com.domain.app" doesn't include the com.apple.developer.healthkit and com.apple.developer.healthkit.access entitlements. In my developer account, the HK capability is enabled. And the entitlements needed are automatically generated by Xcode when I add HK capability, if I try to add them, it says they're already there. I have automatically managed signing selected. Clinical health records are not enabled for Health Kit. Common solutions like cleaning, derived data, and restarts don't help. Does anybody know what this is?
2
1
2.2k
Jul ’21
Webview fails to load multimedia items (Audio/Video) with error tag
Error logs:

    ProcessAssertion::acquireSync Failed to acquire RBS assertion 'WebKit Media Playback' for process with PID=11722, error: Error Domain=RBSServiceErrorDomain Code=1 "(originator doesn't have entitlement com.apple.runningboard.assertions.webkit AND originator doesn't have entitlement com.apple.multitasking.systemappassertions)" UserInfo={NSLocalizedFailureReason=(originator doesn't have entitlement com.apple.runningboard.assertions.webkit AND originator doesn't have entitlement com.apple.multitasking.systemappassertions)}
1
0
757
Nov ’23
Associated Domains stopped working after updating app Bundle ID
I updated the app bundle ID of my app in my associated domains file on my server which can be viewed using the Apple CDN at (https://app-site-association.cdn-apple.com/a/v1/myApp.app) and on my server at (https://myApp.app/.well-known/apple-app-site-association). All I did was update the app Bundle ID of my app in Xcode and likewise in the associated domains file, and now it is no longer working and I'm getting the error

    Application with identifier ABCDE12345.app.myApp.MyApp is not associated with domain myApp.app.

This error is thrown when attempting to use the webcredentials portion of the associated domain file for logging in via Passkey. I've waited for 6 days to let the changes propagate through the CDN but the issue is persisting. Strangely enough, it has worked a few times since I changed it but almost always fails. This intermittent behavior leads me to believe it might be something up with the CDN? The only thing I changed about my appID was the domain, e.g. ABCDE12345.io.oldDomain.MyApp to ABCDE12345.app.myApp.MyApp.

My file is structured as so:

    {
      "applinks": {
        "apps": [],
        "details": [
          {
            "appID": "ABCDE12345.app.myApp.MyApp",
            "components": [ ... ]
          }
        ]
      },
      "webcredentials": {
        "apps": [ "ABCDE12345.app.myApp.MyApp" ]
      }
    }

Likewise I updated the entitlements in my app to webcredentials:myApp.app from webcredentials:oldDomain.io and similarly for the appLinks. I've tried deleting the app, restarting Xcode, clean builds, all that jazz to no avail. Any advice you have for remedying this would be greatly appreciated. This has brought my beta to a halt because no one can log in or sign up. Thank you.
1
0
1.7k
Nov ’23
Can't open usb device after signing my app with sandbox in entitlements.plist
This is my entitlements.plist:

    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.device.usb</key>
    <true/>

To check the signing result, I run

    codesign -d --entitlements :- ./dist/My.app
    codesign -vv ./dist/My.app

and I get this

    Executable=/dist/My.app/Contents/MacOS/main
    Warning: Specifying ':' in the path is deprecated and will not work in a future release
    <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>com.apple.security.app-sandbox</key><true/><key>com.apple.security.device.usb</key><true/><key>com.apple.security.network.client</key><true/><key>com.apple.security.network.server</key><true/><key>com.apple.security.temporary-exception.files.absolute-path.read-only</key><array><string>/private/etc/apache2/mime.types</string></array></dict></plist>
    ./dist/My.app: valid on disk
    ./dist/My.app: satisfies its Designated Requirement

But when I run my app, I get

    ['/dev/cu.Bluetooth-Incoming-Port', 'n/a', 'n/a']
    ['/dev/cu.usbmodem23401', 'GD32 USB CDC ACM in FS Mode', 'USB VID:PID=28E9:018A SER=GD32F30X-3.0.0-7z8x9yer LOCATION=2-3.4']
    (1, "could not open port /dev/cu.usbmodem23401: [Errno 1] Operation not permitted: '/dev/cu.usbmodem23401'")

My app can't access my USB device, how can I solve this? My app works without setting this:

    <key>com.apple.security.app-sandbox</key>
    <true/>
1
1
554
Nov ’23
Issues with macOS Microphone Permissions Not Prompting After Code Signing with Hardened Runtime
Hello everyone, I'm developing a macOS app with Python and PyInstaller, and I've hit a roadblock with microphone permissions. The app prompts for microphone access correctly when running unsigned. However, after signing with the hardened runtime option, the prompt no longer appears, and the app can't access the mic.

Here's what my setup looks like:
Python app packaged with PyInstaller
Entitlements file with com.apple.security.device.microphone and com.apple.security.cs.allow-unsigned-executable-memory
Signing command:

    codesign --deep --force --verify --timestamp --verbose --sign "Developer ID Application: [******]" --options=runtime --entitlements ./entitlements.plist main.app

I've tried resetting microphone permissions and PRAM to no avail.

entitlements.plist looks like:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <!-- Allow the app to use unsigned executable memory -->
        <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
        <true/>
        <!-- Other keys your app may need -->
        <!-- For example, microphone access permission -->
        <key>com.apple.security.device.microphone</key>
        <true/>
    </dict>
    </plist>

Testing without the --options=runtime flag works perfectly - the mic prompt appears, and the log file is created. With the flag, neither the prompt nor the log file appears. Has anyone faced a similar issue or can offer insight into why the hardened runtime option might be causing this? Any guidance or workaround to have the microphone permission prompt appear with hardened runtime enabled would be highly appreciated. Thanks in advance for your help!
1
0
789
Nov ’23
DDDevicePickerViewController tvOS com.apple.runningboard.process-state
    let devicePicker = DDDevicePickerViewController(browseDescriptor: .applicationService(name: "Demo"), parameters: applicationServiceParameters())
    devicePicker.modalTransitionStyle = .coverVertical
    self.show(devicePicker, sender: nil)
    let endpoint = try await devicePicker.endpoint
    self.peerConnection = PeerConnection(endpoint: endpoint, delegate: self)

on tvOS, but error:

    Error acquiring assertion: <Error Domain=RBSServiceErrorDomain Code=1 "(originator doesn't have entitlement com.apple.runningboard.primitiveattribute AND originator doesn't have entitlement com.apple.runningboard.assertions.frontboard AND target is not running or doesn't have entitlement com.apple.runningboard.trustedtarget AND Target not hosted by originator)" UserInfo={NSLocalizedFailureReason=(originator doesn't have entitlement com.apple.runningboard.primitiveattribute AND originator doesn't have entitlement com.apple.runningboard.assertions.frontboard AND target is not running or doesn't have entitlement com.apple.runningboard.trustedtarget AND Target not hosted by originator)}>
    Received port for identifier response: <> with error:Error Domain=RBSServiceErrorDomain Code=1 "Client not entitled" UserInfo={RBSEntitlement=com.apple.runningboard.process-state, NSLocalizedFailureReason=Client not entitled, RBSPermanent=false}
    elapsedCPUTimeForFrontBoard couldn't generate a task port

How to solve this problem?
1
0
464
Nov ’23