I have an app that needs re-signing/updating to work on ios 17 (ios 17.4.1). I have renamed the IPA file to zip and extracted it to the desktop. The files in the extracted folder are: ItunesArtwork ItunesMetadata.plist Payload folder Payload folder contains the app App package contents contains all the app files, including the _CodeSignature folder. I extracted the package contents to a folder on the desktop. Xcode 15.3 (15E204a) is installed. Need the steps necessary to complete it and generate the new IPA file to test. Thanks all, Ed

I'm trying to add a feature to my app which requires OpenMP as third party library. The first time an openMP API gets called makes the app crash. The Xcode terminal reports this: OMP: Error #179: Function Can't open TEMP failed: OMP: System error #1: Operation not permitted Assertion failure at kmp_runtime.cpp(6918): temp_reg_status_file_name. OMP: Error #13: Assertion failure at kmp_runtime.cpp(6918). Console app reports this: Sandbox: deny(1) ipc-posix-shm-write-create /__KMP_REGISTERED_LIB_31975 I cannot substitute or get rid of the OpenMP library as it is used by other third party libs needed by the feature I’m developeng. Hope there is a workaround to the sandbox security restrictions that allows to use the lib. Thanks, Andrea

Many of the trusted execution problems I see are caused by folks signing their product using the --deep option. While that can work in some circumstances, I generally recommend against it. There are two issues with --deep: It applies the same code signing options to every code item that it signs, something that’s not appropriate in general. For example, you might have an app containing a nested command-line tool, where the app and the tool need different entitlements. The --deep option will apply the same entitlements to both, which is a serious mistake. It only signs code that it can find, and it only finds code in nested code sites. If you put code in a place where the system is expecting to find data, --deep won’t sign it. The first issue is fundamental to how --deep works, and is the main reason you should not use it. Indeed, on macOS it may cause the trusted execution system to block your program from running. For the details, see the Check for Entitlements on Library Code section of Resolving Library Loading Problems. The second issue is only a problem if you don’t follow the rules for nesting code and data within a bundle, as documented in Placing Content in a Bundle. However, my experience is that the products that don’t follow those rules are exactly the same sort of products that try to use --deep. The alternative to --deep is to sign each code item separately, from the inside out. If your product has lots of nested code, automate this using a script. Note One exception to the prohibition on --deep is Automator apps. If you’re signing an Automator app, see this DevForums post. For detailed information on how to correctly sign and package Mac software, see Creating distribution-signed code for macOS and Packaging Mac software for distribution. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" Revision history: 2024-05-06 Update some links to reference the Real Documentation™ rather than my legacy DevForums posts. 2022-06-14 Added a link to Resolving Library Loading Problems. Replaced the link to Signing a Mac Product For Distribution with a link to Creating Distribution-Signed Code for Mac. Made other minor editorial changes. 2021-10-21 Replaced the nested code reference with one to Placing Content in a Bundle. Minor editorial changes. 2020-09-15 Adopted the correct terminology for Automator apps. 2020-03-09 First version.

Hi, we have an app that has been in development since Catalina and ever since Sonoma came out we noticed that when executing our pkg installer the application is installed correctly but the postinstall script is not executed. The weird thing is that if I run the pkg for the first time the postinstall does not execute BUT if I run it again then it DOES!! Looking through the logs I found these ones that confirm the execution of the script is being blocked. We haven't changed anything in the way we build the installer so I'm not quite sure how to fix this. 2024-04-25 16:29:51.570662-0300 0x1c62 Error 0x0 308 0 syspolicyd: [com.apple.syspolicy.exec:default] Unable (errno: 2) to read file at <private> for pid: 784 process path: <private> library path: (null) 2024-04-25 16:29:51.570662-0300 0x1c62 Error 0x0 308 0 syspolicyd: [com.apple.syspolicy.exec:default] Terminating process due to Malware rejection: 784, <private> 2024-04-25 16:29:51.570679-0300 0x1d13 Default 0x0 0 0 kernel: (AppleSystemPolicy) ASP: Sleep interrupted, signal 0x100 2024-04-25 16:29:51.570682-0300 0x1d13 Default 0x0 0 0 kernel: (AppleSystemPolicy) ASP: Security policy would not allow process: 784, /private/tmp/PKInstallSandbox.m5Av3O/Scripts/com.mycompany.myapp.pkg.BSOjtt/postinstall The app as well as the installer are both signed, notarized and stapled. Here you can see the script which just simply executes the app. #!/bin/bash echo "Running postinstall" /Applications/myapp.app/Contents/MacOS/myapp --load-system-extension & exit 0 Any help would be much appreciated. Thanks!

I have a personal app I use only for myself on my iPhone. I do not distribute this. Its stops working every year when my renewal comes up. Once I renew my subscription I reload the app onto my phone and it works again. Is there a way that I can have it work forever without having to reload it every year? Sometimes I forget to reload after my renewal and it does not work until I do so.

I am able to successfully install the app on my device, but I am unable to verify the app. Steps to reproduce: Navigate to Settings -> VPN & Device Management on iPhone 14 Select developer under Developer App Select trust this computer Attempt to Verify App The "Verify App" button has no effect. The app can still be installed when built, but is not able to be opened. Navigating to ppq.apple.com in a browser results in a "cannot be trusted":

How to change Bundle ID in "Certificates, Identifiers & Profiles" (Edit your App ID Configuration) ? Which certificate is needed for a free Mac application (.app) ? The application need only save\restore disk data (no extension, no wifi, no In-App Purchase, etc). A very simple basic 3 windows application (type math Calculator). Do I need set some "Capabilities" (App Services) ?

Hi, We have an app that installs a number of system extensions. According to this documentation the app must be located in the Applications folder to be activated so when the app launches we check that it is running from /Applications (or a subfolder) and if it isn't we inform the user and exit. This has been working fine until a recent submission whereupon installing the app via TestFlight casuses it to be translocated when run and our check to fail. So, a couple of questions: Is it expected that an app installed via TestFlight (or indeed the AppStore) can be translocated when it is run? If yes to the above, how can we ensure that out app is running from Applications and can therefore activate its extensions? Thanks Alan

[7268:372225] Failed to create an FPSandboxingURLWrapper for file:///Users/####/Downloads/mod##06-9-19.pdf. Error: Error Domain=NSPOSIXErrorDomain Code=1 "couldn't issue sandbox extension com.apple.app-sandbox.read-write for 'file:///Users/####/Downloads/mod##06-9-19.pdf' PS- Used ### to hide info I am facing an error with apple sandbox in my dot NET MAUI project here is the entitlements file I don't know Why I'm getting the in my understanding with user-selected.read-write it should work

I distribute an application in a zip file from my website. the application needs access to some files next to it to run properly. The application is correctly signed and notarized and stapled.Of course if I download it from my website, it gets the quarantine attribute. When I try to open it for the first time, a gatekeeper warning saying that the application comes from the internet, but has been checked by apple and no malware has been detected is displayed. My impression is that the application has been correctly signed and notarized. but If confirm that I wan to open it, the quarantine attribute is not deleted. spctl -a -v /path/to/Myapp.app path/to/Myapp.app: accepted source=Notarized Developer ID

I'm currently befuddled by the entire signing and certificate process. I don't understand what I need, what the team admin needs to do, or how to go about doing it so that I can build the project. We've managed to have this working in the past but I guess the system has changed somewhat. Here's what we have going: A Unity project which hasn't changed from a few years ago. I build the project in unity, open the Xcode project and this: There's an issue with the Signing and Capabilities. If I choose automatic setup it shows an error saying that it requires a development team. I had the account admin add my Apple ID to the team so I'm not sure why that's an issue still. Do I need to pay the 99$ to be able to building Xcode? If I try to do it manually I select the provisioning profile that the account admin sent me and it auto selects the team associated with the provisioning profile I guess but then there's no singing certificate. The error says: There is no signing certificate "iOS Development" found. No "iOS Development" signing certificate matching team ID "V7D5YBZRMV" with a private key was found. So, if someone could explain to me like I'm 5 the entire signing and certificate process is and let me know what we're doing wrong with the team/provisioning profile/certificate setup I would be very much appreciative.

Hi, I have added associated domains support for our desktop app and it works fine on my machine. But when I deploy it on other machines, it is not launching. It throws ‘The application ““ can’t be opened” message. It works fine when I install provisioning profile on those machines. Xcode is not allowing me to code sign the app manually as part of build process. Till now we were **** the same for other apps. Associated domain need a provisioning profile and I have created one distribution profile and code signed it. Now it works fine only on my machine and not working on other machines. It works only on other machines if I install provisioning profile. What should be the issue? How do I work this macOS app on other machines without installing provisioning profile?

Hello, I am having some trouble with an application accessing and running SQlite database queries. The error I am getting is (5642) SQLITE_IOERR_SEEK when trying to sqlite_step_stement in the database. See https://www.sqlite.org/rescode.html#ioerr_seek A bit of background, it is an application in Unreal Engine, and everything was working fine in Unreal Engine 4. The application uses a SQlite database on disk to store and fetch data. This database is saved to the documents folder. (I also tried other folders to see if that would make a difference) But since switching to a new version of the engine, Unreal Engine 5, in a build I am getting errors when trying to read/write to the database. This only happens in a build .app file. The only big difference I can find is that in the new engine when making a build the codesigning is already done in the engine. I don't see why those settings would break anything though. It also has an entitlements file, but I also edited it and made sure it has the same entitlements settings as my own scripts that are run afterwards. I am overwriting the codesigning with our own CI/CD scripts afterwards. The .app file is codesigned, notarized and stapled by that script. Also I use an entitlements file to set certain values. It doesn't seem to be a code related issue, as everything is working fine when running the application "in editor". But only when creating a final .app build. It doesn't matter if this build is in Debug or Shipping. My first thought was to try more entitlements settings. But I tried the following and I am still getting the same errors: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.security.cs.debugger</key> <true/> <key>com.apple.security.cs.disable-executable-page-protection</key> <true/> <key>com.apple.security.cs.disable-library-validation</key> <true/> <key>com.apple.security.automation.apple-events</key> <true/> <key>com.apple.security.app-sandbox</key> <false/> <key>com.apple.security.cs.allow-dyld-environment-variables</key> <true/> <key>com.apple.security.cs.allow-jit</key> <true/> <key>com.apple.security.cs.allow-unsigned-executable-memory</key> <true/> <key>com.apple.security.files.downloads.read-write</key> <true/> <key>com.apple.security.network.client</key> <true/> <key>com.apple.security.network.server</key> <true/> </dict> </plist> I also am thinking that it might be a different issue as the application is able to create a database file in the documents folder, just not able to do the read write inside the database. These values are just set to try if any of these settings "fix" the issue, but thus far no luck. As there is nothing I can find in Unreal Engine related forums, and I also do not have a lot of experience with all the options when making Mac builds. I was hoping someone on this forum could think of a reason why a .app file would have problems with reading and writing to a SQlite database.

I have an non-appstore application, using developer id which I want to transfer to another developer account. How can I go about doing this? How do I transfer the app ID? Will past versions of that app signed with the old account continue to work? Will I have to re-sign them?

I have two apps written in MAUI Mac Catalyst Framework -- one is main app, second is app updater. My updater works this way: it is located in the same directory as main app: firstly it deletes MainApp.app/Contents folder, then unzips new Contents folder that was downloaded from server. I added NSUpdateSecurityPolicy dictionary as in https://developer.apple.com/documentation/bundleresources/information_property_list/nsupdatesecuritypolicy and create application like . It looks that I wrote everything fine pkgbuild --install-location '/Library/Application Support/First' --root root --ownership preserve # aslo signing, etc But on user's macOS, system does not allow to delete Contents folder: I have IO_Access denied exception. Can it be because main app is sandboxing or something else? What I can do wrong? Thanks a lot in advance!

Hey guys! Please, its not possible to remove or reuse an identifier (new app by removing the old one) through the developer portal? https://developer.apple.com/account/resources/identifiers/list Everytime we try to remove there is a message we can't: There is a problem with the request entity The App ID 'xxxxxxxxxxx' appears to be in use by the App Store, so it can not be removed at this time. But the app has been removed!!! Does anyone knows how to delete/reuse an identifier by doing some action in the portal? NOTE: we are low code - no Xcode (yes, so poor) Thank u guys!

I am not enrolled in the Apple developer program and need to create a small Safari app extension helper that will be shared with my colleagues within the company. Is it somehow possible for me to distribute the app in some way without forcing everyone to disable a gatekeeper?

I have two apps that installed by .pkg . They are both signed by Developer Application . One of my apps has purpose of updating another app. It is implemented by deleteting it from folder, and unzipping archive with new .app to it's folder. Even if new app is signed and notarized, has stepled ticket on it, I get error "App is damaged and can't be opened". In Secrity and Confidentiality preferences I have warning that developer is unauthorized, even if this new app is notarized and signed. How can I implement app update to not throw error that app is damaged> Thanks a lot in advance

Hello, I'm create an app using QT on MacOs with Generate to Xcode, when submitting it to the App Store the upload process was successful but I got email feedback with the message containing the following: ITMS-90238: Invalid Signature - The main app bundle Tren at path Tren.app has following signing error(s): a sealed resource is missing or invalid . Refer to the Code Signing and Application Sandboxing Guide at http://developer.apple.com/library/mac/#documentation/Security/Conceptual/CodeSigningGuide/AboutCS/AboutCS.html and Technical Note 2206 at https://developer.apple .com/library/mac/technotes/tn2206/_index.html for more information. ITMS-90296: App sandbox not enabled - The following executables must include the 'com.apple.security.app-sandbox' entitlement with a Boolean value of true in the entitlements property list: [[Tren.app/Contents/MacOS/Tren ]] Refer to App Sandbox page at https://developer.apple.com/documentation/security/app_sandbox for more information on sandboxing your app. I've done the methods available in the community, but it still doesn't work. I hope someone will provide a solution, thank you

I am having trouble submitting the next build of my macOS app to the App Store Connect. I keep getting a variation of this error: ITMS-90238: Invalid Signature - The main app bundle MyApp at path MyApp.app has following signing error(s): code has no resources but signature indicates they must be present In subcomponent: MyApp.app/Contents/Frameworks/GoogleAppMeasurement.framework . Refer to the Code Signing and Application Sandboxing Guide at http://developer.apple.com/library/mac/#documentation/Security/Conceptual/CodeSigningGuide/AboutCS/AboutCS.html and Technical Note 2206 at https://developer.apple.com/library/mac/technotes/tn2206/_index.html for more information. ITMS-90238: Invalid Signature - The main app bundle MyApp at path MyApp.app has following signing error(s): code has no resources but signature indicates they must be present In subcomponent: MyApp.app/Contents/Frameworks/GoogleAppMeasurementIdentitySupport.framework . Refer to the Code Signing and Application Sandboxing Guide at http://developer.apple.com/library/mac/#documentation/Security/Conceptual/CodeSigningGuide/AboutCS/AboutCS.html and Technical Note 2206 at https://developer.apple.com/library/mac/technotes/tn2206/_index.html for more information. ITMS-90238: Invalid Signature - The main app bundle MyApp at path MyAppt.app has following signing error(s): code has no resources but signature indicates they must be present In subcomponent: MyApp.app/Contents/Frameworks/FirebaseAnalytics.framework . Refer to the Code Signing and Application Sandboxing Guide at http://developer.apple.com/library/mac/#documentation/Security/Conceptual/CodeSigningGuide/AboutCS/AboutCS.html and Technical Note 2206 at https://developer.apple.com/library/mac/technotes/tn2206/_index.html for more information. I am using Firebase framework as a Swift package. I tried updating Swift package to the latest version and that didn't help. I also tried to revert to the last version that was successfully used on the App Store/TestFlight and that didn't help. I have no control over this framework other than not use it or choose a specific version. I also tried to export the app and use the Transporter app and that didn't help. Any suggestions?