I have a pretty simply macOS application which I've just been trying to fix since a long time ago. It's origin is really old, using the apple 802.11 framework located in /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Apple80211 and it's supposed to just scan the area and display information about the local networks nearby. For some reason when I run the application and press the button to scan for local networks (wifi scan) It errors out and in the Xcode console I get Process WiFiInfo is missing entitlement required for Wi-Fi user-client access: <key>com.apple.private.driverkit.driver-access</key> <string>com.apple.private.wifi.driverkit</string> If I add those two lines to the entitlements, Xcode fails to sign my application and fails to build and run Provisioning profile "Mac Team Provisioning Profile: com.troger.WiFiInfo" doesn't include the com.apple.private.driverkit.driver-access entitlement. Any way I can fix this? I would really like to get this application back up to its running state as it once was before but am completely lost on how to fix this

In enterprise environments it can be tricky to develop innovative applications leveraging the full value of the hardware. The code signing capabilities on iOS are much more restrictive compared to macOS, and has been for years. Is it really too much to ask for more control over the applications we can use in development environments. For bespoke applications being able to have control over hardware is something that has been missing for a long time. The ability to sign with com.apple.security.iokit-user-client-class and com.apple.security.temporary-exception.sbpl in development and enterprise solutions would allow for far greater integration with the devices. What reasons are there to avoid allowing this on iOS when macOS has much less restrictive control, the lack of continuity between the systems does not help the "level playing field".

Hi there, My app detects connected BlackMagic devices on a user's machine and this is done using the DeckLink SDK which first tries to load /Library/Frameworks/DeckLinkAPI.framework using CFBundleCreate. I have not been able to create a notarized app which successfully detects the devices. Either the DeckLinkAPI works or the app starts up without showing "the developer cannot be verified" on my test computer but never both. This is what I've tried so far: signed app: DeckLinkAPI available hardened runtime: DeckLinkAPI not available hardened runtime + com.apple.security.cs.disable-library-validation: DeckLinkAPI available, notarization succeeds yet the "the developer cannot be verified" I've also tried to use weak linking to DeckLinkAPI.framework instead of including the SDK's CFBundleCreate code but that made no difference: I still needed the com.apple.security.cs.disable-library-validation entitlement for that to work which caused "the developer cannot be verified". DeckLinkAPI.framework is notarized: > codesign --test-requirement="=notarized" --verify --verbose /Library/Frameworks/DeckLinkAPI.framework /Library/Frameworks/DeckLinkAPI.framework: valid on disk /Library/Frameworks/DeckLinkAPI.framework: satisfies its Designated Requirement /Library/Frameworks/DeckLinkAPI.framework: explicit requirement satisfied Is there any way to successfully notarize an app to use the DeckLink SDK or any other thirdparty notarized framework which is distributed seperately?

1) The situation in general: 1A) I begun USB-DExt project for Mac & iPADsOS>=17. 1B) I started-from scratch with DriverKitSampleApp 1C) For these two different targets (Mac,iPAD; using IDE XCode15.0), I couldn't find another way to build the sample project from Apple, beside this: now I have two handmade sets of ini-profiles and two respective "command-files". 2) My current palliative solution comprises of two specific ~"command-files" (each one runs in a directory with specific DriverKitSampleApp.entitlements,project.pbxproj)_ : 2A) my current file "cpy.command" for target "MAC" ## Destination "Mac" ## DriverKitSampleApp.entitlements: "com.apple.developer.driverkit.userclient-access" ## item0: "com.ry.dexsample1.driver" ## Build Settings "DriverKitSampleApp":Signing:Code Signing Identity:"Sign to Run Locally" ## "NullDriver":Signing:Code Signing Identity:"Sign to Run Locally" ## "NullDriver":"AD_HOC_CODE_SIGNING_ALLOWED=YES" cp DriverKitSampleApp.entitlements ../DriverKitSampleApp cp project.pbxproj ../RyDExtSmpl1.xcodeproj 2B) my current file ~"cpy.command" for target "iPAD" ## Destination "iPAD" ## Build Settings "DriverKitSampleApp":Signing:Code Signing Identity:"Apple Development" ## "NullDriver":Signing:Code Signing Identity:"Apple Development" ## "NullDriver":"AD_HOC_CODE_SIGNING_ALLOWED=NO" cp DriverKitSampleApp.entitlements ../DriverKitSampleApp cp project.pbxproj ../RyDExtSmpl1.xcodeproj 2C) This state is inconvenient (predicting that I will switch between MAC and iPAD dozens thousands of times when debugging this project) 3) The question 3A) I need to build the Apple's sample project "DriverKitSampleApp" just selecting one of two possible targets (Mac,iPad) in XCode-IDE. 3B) Option1: what developer(or team's entitlements) do I need for "3A"? 3C) Option2: what adjustments of project's configuration files do I need for "3A"? .

I have a bizzare issue with my Apple TV that is shown as "iPod" in Apple developer portal. It's correctly visible in Xcode as Apple TV, but when I add it to developer portal it says "iPod". The problem is since it's there as an iPod I can't use it to my provisioning profile to build on the device Anyone has any idea how this can be solved? [Edited by Moderator]

Hi, I am trying to release a small application which bundles a conda environment and a python script. I am using Platypus to turn it into a .app, and I include all necessary resources (libraries, binaries etc) inside the Resources directory. My application works correctly before code signing, and is portable between machines (so I don't think it is the case that the conda environment is missing something). However, after signing, it crashes when it runs one of the programs within the conda environment. I am first signing all .so, .dylib and all files in conda_env/bin as follows: # Within the conda environment directory in Resources find bin -type f | xargs -n1 codesign -f -o runtime --timestamp --sign "Developer ID Application: Whatever (123456789)" find . -name "*.dylib" -o -name "*.so" -type f | xargs -n1 codesign -f -o runtime --timestamp --sign "Developer ID Application: Whatever (123456789)" I am then signing the .app itself codesign -f -o runtime --timestamp --sign "Developer ID Application: Whatever (123456789)" my_app.app Finally, I convert it into a .dmg (with appdmg) and sign that. codesign -f --sign "Developer ID Application: Whatever (123456789)" --timestamp my_app.dmg I submit to the notary service, which succeeds, and then I staple the ticket to the .dmg: xcrun notarytool submit my_app.dmg --keychain-profile my_notarytool_keychain_id --wait xcrun stapler staple my_app.dmg spcl is happy with the signed .app and .dmg and accepts them both. spctl -a -vv my_app.app # my_app.app: accepted # source=Notarized Developer ID # origin=Whatever (123456789) spctl -a -vv -t install my_app.dmg # my_app.dmg: accepted # source=Notarized Developer ID # origin=Whatever (123456789) I have a valid Developer Application ID. All good, right? Except, during execution, the signed .app crashes. When I look in the Console, the error log always looks similar - something like: Exception Type: EXC_BAD_ACCESS (SIGKILL (Code Signature Invalid)) Termination Reason: Namespace CODESIGNING, Code 2 Invalid Page Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 libsystem_platform.dylib 0x186e15848 sys_icache_invalidate + 40 1 libllvmlite.dylib 0x2a022f8e8 llvm::sys::Memory::protectMappedMemory(llvm::sys::MemoryBlock const&, unsigned int) + 384 2 libllvmlite.dylib 0x29d765528 LLVMPY_TryAllocateExecutableMemory + 92 3 libffi.8.dylib 0x103abc04c ffi_call_SYSV + 76 etc I think all the .dylib, .so, and binaries are signed in my codesign scripts, except for the libsystem_platform.dylib mentioned in the first line of the log. Could this be the problem? How can I find if I am not signing something that is being used? Are there other types of files that I should be signing that I am missing? I've been trying to fix this for several days and I feel I have tried everything (constructing the conda env in different ways, signing in different ways, e.g. with/without --deep, with/without signing each type of library/binary) to no avail... Any help would be greatly appreciated! All the best, George

Hello there. I'm having trouble with notarization in Xcode. I'm developing a Swift Mac app with Xcode 14, but even when I enable Hardened Runtime and perform notarization, it displays the message "Hardened Runtime is not enabled" and I can't proceed. The steps for notarization are [Window] -> [Organizer] -> [Distribute App] -> [Developer ID] [Next] -> [Upload]. Could you please tell me what I should check, or any other information? I've attached screenshots. Thank you.

Getting this error on iOS 17.5.1 not sure how to solve it

A few hours ago my app could be loaded , built and run without a problem. Now, after opening the app again with Xcode I get the message Command CodeSign failed with a nonzero exit code The app cannot be built. I don't know how to solve this problem. Please, can anyone help? Best regards Gerhard

My dev Acct expired. I renewed, now when trying run/load the app from Xcode onto my phone, it complains that it's not registered or there's no cert. (sorry, don't have it with me right now to get the actual text) Instructions say to look at VPN & Device Mgt, but the info it says is not there.

Hi, I'm having some problems signing my application. Everything was working fine until recently when the certificates expired and I got these kinds of errors when I try to upload the app to AppStoreConnect. I can build the app in dev and production mode without any issue and I can create an archive. Problems occur when uploading to AppStoreConnect. The idea would be to let Xcode take care of signing everything necessary by checking the "Automatically manage signing" box. All my targets are in "Automatically manage signing" mode. I tried to delete all the certificates and provisioning profiles that I found on the Apple portal and then generate them again, but the problem is the same. There are two of us on the team, plus a CI machine (this should be the CI that takes care of signing everything needed to send a release to AppStoreConnect). If you have an idea, I'm interested! Thanks in advance, Alexandre

I am having a peculiar issue with an app I am developing. I am trying to upload it onto App Store Connect but I am getting one error, and a very odd behavior. The error message I am getting is: /Users/user/Documents/GitHub/MyApp/MyApp/DerivedData/MyApp.pub/Build/Intermediates.noindex/ArchiveIntermediates/MyApp.pub/InstallationBuildProductsLocation/Applications/MyApp.pub.app: resource fork, Finder information, or similar detritus not allowed Command CodeSign failed with a nonzero exit code I have cleaned built the directory, I have removed the Derived Data, but this always gets thrown. It was working fine a few months ago, I have only just got back to working on it. The other issue I am havving, when I set to archive the app, I set the target as Any iOS Arm Device (arm64), but when it is archiving it switches to my iPhone as the target. I don't prompt it to do this, it just does it. This is very frustrating. I'm using a MacBook Air M1, with a macOS Sonoma. I updated my Xcode the other day, that's Version 15.4 (15F31d). My App has a minimum target of iOS 15 and a project target of Xcode 13. Any help is appreciated.

Hi Devs, i have a question concerning the security set-key-partition-list -S command. I want to use it to enable a code signing certificate being used by codesign and productbuild to sign without sudo or a password prompt. Some sources indicate i need to add codesign: as partition but some don't even mention this. So my question is what partitions are even possible to add? What does partitions in this context mean? How can i find out which i need for productbuild and codesign? Thanks in advance Paul

I'm trying to upload my app with Tap to Pay on iPhone functionality. However, I'm getting error message "Profile doesn't include com.apple.developer.proximity-reader.payment.acceptance entitlement." I've confirmed many times that I have the distribution profile with this capability. Any idea what might be the issue? The development environment works perfectly. please check my post on apple forum. https://forums.developer.apple.com/forums/thread/755736

We have an iOS project that is configured with automatically managed signing. We cannot get automatic signing to work on our CI (GitHub Actions). To even get xcodebuild to archive we have to force it to not sign at all: xcrun xcodebuild \ -workspace app.xcworkspace \ -scheme prod \ -configuration 'Release' \ -destination generic/platform=iOS \ -archivePath ./build/prod.xcarchive \ CODE_SIGN_IDENTITY="" \ CODE_SIGNING_REQUIRED=NO \ CODE_SIGNING_ALLOWED=NO \ clean archive All our attempts to make xcodebuild archive do manual signing have failed. In order to have the app properly signed with the right entitlements we then call codesign: codesign -f \ -s Distribution \ --entitlements prod.entitlements \ ./build/prod.xcarchive/Products/Applications/prod.app Then we export the ipa: xcrun xcodebuild \ -exportArchive \ -archivePath ./build \ -exportOptionsPlist exportOptions.plist \ -exportPath ./build This seems to work so my question is: Is it supported to do manual signing this way? Is there a better way? If we omit the codesign step, the app will still be signed - by exportArchive we assume, but then the entitlements are missing.

I've been given an Xcode project which produces a command line tool which links to a dylib. I have the dylib, but not its source code. I change the signing option for the command line tool target so it is signed automatically by my personal team. On an attempt to run the tool, it fails to load the dylib, because the dylib is signed with a different certificate. I manually codesign the dylib with the same certificate I am using for the command line app. Now, I can build the app, but not run it. If I try to do so, I see four dialogs telling me “libXXX.dylib” can’t be opened because Apple cannot check it for malicious software, then the console tells me "'/path/to/libXXX.dylib' not valid for use in process: library load disallowed by system policy)" I found an old document about Gatekeeper (https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html) which suggests that Gatekeeper just won't let me do this - I can't just put the dylib next to the executable, although the dynamic linker finds the dylib, Gatekeeper doesn't like it because the dylib isn't inside the app bundle (there is none), and isn't in one of the well-known places. I dealt with this by making a do-nothing app which I can sign with my personal certificate. Then I replace the signature on the dylib (and its dependent dylibs) with my own. I add the command line tool and all its dylib dependencies to the do-nothing app, then add those files into the Copy Bundle Resources phase of the do-nothing app. Now, the command line tool and its dylibs all live in do-nothing.app/Contents/Resources, and I can run the tool from there without Gatekeeper complaining. Is there an easier way (aside from asking my supplier for static libraries)? And if this is the only way, is Contents/Resources the right place to put command line tools and the dylibs they link to?

I need help, when I run code without a sandbox it works well. however, when I enabled it, it gave me (Thread 3: "launch path not accessible")! How can I fix that? let task = Process() task.launchPath = "/Users/alielzieny/Documents/TerrierSectraFix/TerrierSectraFix/Frameworks/python3" task.arguments = ["/Users/alielzieny/Documents/TerrierSectraFix/TerrierSectraFix/SectraFix.py", selectedDirectoryURL.path, destinationDirectoryURL.path] let pipe = Pipe() task.standardOutput = pipe task.launch() task.waitUntilExit() let data = pipe.fileHandleForReading.readDataToEndOfFile() if let output = String(data: data, encoding: .utf8) { print(output) }

In order to facilitate management, we integrate some SDKs such as Firebase into one of our own internally used SDKs. Recently, when submitted to the appstore, we were prompted that FirebaseCrashing included in the SDK lacked the necessary signature (ITMS-91065). The information that can be confirmed is that after packaging the SDK through secondary packaging, the original signature is lost. And we have a static reference. So what I want to ask is whether we can only manually sign our secondary packaging sdk (the signature is our own certificate different from the original Firebase) to solve this ITMS-91065 problem. According to the description of the Apple Developer Conference, Apple only verifies the consistency and security of the SDK and does not record the signature of each SDK on Apple's servers. Therefore, you should only need to ensure that the SDK is in a signed state to comply with Apple's review requirements. (My guess is still being verified)

Hi! I am fairly new to Mac/ Python development. I have written a python script that includes the lovely customTkinter Library. the app works, I have checked it extensively, but after creating an executable with both Pyinstaller and Py2app, my app keeps failing notarization. I have the developer account, I have the Developer ID application: Name (xxxxxxxxxx). My last attempt with py2app, I try to codesign the .app bundle with : codesign --deep --force --verbose --options=runtime --timestamp --sign "Developer ID Application: Lennert Esser (5823RMSZ52)" XYZ\ 2\ OSC.app if I do that, I receive a clean message that XYZ 2 OSC.app: signed app bundle with Mach-O universal (x86_64 arm64) [com.myname.appname.app] the verify of the code signature gives nice messages as well: --prepared:/Users/lennert/Documents/SoftwareDevelopment/PythonLocal/Pozyx/dist/XYZ 2 OSC.app/Contents/MacOS/python --validated:/Users/lennert/Documents/SoftwareDevelopment/PythonLocal/Pozyx/dist/XYZ 2 OSC.app/Contents/MacOS/python .... XYZ 2 OSC.app: valid on disk XYZ 2 OSC.app: satisfies its Designated Requirement So I would say, so far so good...? BUT.... if I try to notarize my archived .app bundle. the notarization fails, with looadddssss of errors, with both: "The signature does not include a secure timestamp." and "The binary is not signed with a valid Developer ID certificate." I am completely stuck. Believe me, I have tried everything. Google, ChatGTP, multiple tries to codesign everything separately with: find /path/to/my/app/contents -type f -exec codesign -s "Developer ID application: Name (xxxxxxxxxx)" {} ; please, please someone help me explain what I am doing wrong....

We have trying to programmatically send data to Final Cut Pro by using Apple Event as decribed in Sending Data Programmatically to Final Cut Pro : tell application "Final Cut Pro" activate open POSIX file "/Users/JohnDoe/Documents/UberMAM/MyEvents.fcpxml" end tell This works fine in Script Editor but we run into problems when trying to do the same in our macOS app. We found interesting information in Workflow Extensions SDK 1.0.2 Release Notes.pdf. A) Hardened runtime has "Apple Events Enabled" checked. B) Info.plist contains NSAppleEventsUsageDescription: <key>NSAppleEventsUsageDescription</key> <string>Test string</string> C) We added following entitlements: <key>com.apple.security.scripting-targets</key> <dict> <key>com.apple.FinalCut</key> <array> <string>com.apple.FinalCut.library.inspection</string> </array> <key>com.apple.FinalCutTrial</key> <array> <string>com.apple.FinalCut.library.inspection</string> </array> </dict> <key>com.apple.security.automation.apple-events</key> <true/> With this configuration in place, our app is able to call AppleScript to activate Final Cut Pro application but it is unable to open the file. Following error is returned: Error executing AppleScript: { NSAppleScriptErrorAppName = "Final Cut Pro Trial"; NSAppleScriptErrorBriefMessage = "A privilege violation occurred."; NSAppleScriptErrorMessage = "Final Cut Pro Trial got an error: A privilege violation occurred."; NSAppleScriptErrorNumber = "-10004"; NSAppleScriptErrorRange = "NSRange: {56, 64}"; } Also there is no prompt asking user to allow Automation from our app to Final Cut. I am not sure whether the prompt is to be expected when developing an application in Xcode. Our current workaround is to add (or even replace com.apple.security.scripting-targets with): com.apple.security.temporary-exception.apple-events entitlement like this <key>com.apple.security.temporary-exception.apple-events</key> <array> <key>com.apple.FinalCutTrial</key> </array> However while this approach might work in development we know this would probably prevent us from publishing the app to Mac App Store. I think we are missing something obvious. Could you help? :-)