NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “domain” which could put your confidential information at risk., _kCFStreamErrorDomainKey=3, Xcode: 15.4 simulator iOS version: 17.5 in Info.plist I have this NSAppTransportSecurity NSAllowsArbitraryLoads Note: The server certificate valid.

NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFNetworkCFStreamSSLErrorOriginalValue=-9807, kCFStreamPropertySSLPeerCertificates=(     "<cert(0x10b811400) s: api.gevernova.com i: GE External Issuing CA 202409200901>",     "<cert(0x10b811c00) s: GE External Issuing CA 202409200901 i: GE External Intermediate CA 2.1>",     "<cert(0x10b832e00) s: GE External Intermediate CA 2.1 i: GE External Root CA 2.1>" ), _kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x600003308d20>, NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “domain” which could put your confidential information at risk., _kCFStreamErrorDomainKey=3, Xcode: 15.4 simulator iOS version: 17.5 in Info.plist I have this NSAppTransportSecurity NSAllowsArbitraryLoads Note: The server certificate valid.

I'm encountering an issue after upgrading to macOS Sequoia when trying to import a PKCS12 certificate. The following code, which worked fine on previous macOS versions, now returns an error code -25293 (errSecAuthFailed): NSDictionary *options = @{(__bridge id)kSecImportExportPassphrase: @""}; CFArrayRef items = NULL; OSStatus status = SecPKCS12Import((__bridge CFDataRef)pkcs12Data, (__bridge CFDictionaryRef)options, &amp;items); The same build, using the same certificate and import process, works perfectly on earlier versions of macOS. Has anyone else experienced this issue or found a workaround for certificate imports on macOS Sequoia?

I have been facing an issue with my face ID and i am not able to change anything because i have turned on the Stolen Device Protection. What is reason behind not working Face ID? and How can i resolve it?

Hi everyone, I am trying to implement 'Sign-in with Apple' to my website using nextauth verion 4.24.5 on next.js version 14.2.7. I set up the Apple ID and generated the Apple secret. The Apple ID is set to the service ID. Whenever I try and sign in on the site using Apple, (after submitting my username and password on the redirected appleid.com page), nextauth returns this error: [next-auth][error][OAUTH_CALLBACK_ERROR] https://next-auth.js.org/errors#oauth_callback_error id_token not present in TokenSet { error: TypeError: id_token not present in TokenSet { name: 'OAuthCallbackError', code: undefined }, providerId: 'apple', message: 'id_token not present in TokenSet' } This occurs even after specifying openid in the scope, setting the checks to pkce, setting the checks to state, setting idToken to true, and other changes to the config. I have used the AppleProvider from nextauth and my own custom provider and got the same result. The nextauth GoogleProvider works just fine so I know nextauth is set up properly. Do you know how I can fix this? my apple nextauth apple provider config: const customAppleProvider = { id: "apple", name: "Apple", type: "oauth", wellKnown: "https://appleid.apple.com/.well-known/openid-configuration", authorization: { params: { scope: "name email openid", response_mode: "form_post" }, }, state: true, checks: ["pkce"], idToken: true, clientId: process.env.APPLE_ID, clientSecret: process.env.APPLE_SECRET, profile(profile) { return { id: profile.sub, name: profile.name, email: profile.email, image: null, } }, };

I exported the pkcs12 file which contains the Apple Distribution Certificate with the Private Key on macOS 14 Sonoma with no password. I was able to import the same on different macOS 14 Sonoma machines as follows: security import \ apple-distribution-hrk.p12 \ -k /Users/hrk/Library/Keychains/non-default.keychain-db \ -f pkcs12 \ -P "" \ -A But when upgraded to macOS 15 Sequoia, running the above command gives me the following error: security: SecKeychainItemImport: The user name or passphrase you entered is not correct. Workaround: I didn't have the Private Key of the original macOS 14 Sonoma from which the pkcs12 file was exported. So, I had to create the new Certificate by uploading the Certificate Signing Request, download the .cer file, import it, and then export the pkcs12 file with some password. Then I was able to import the pkcs12 file with the password. Question Can somebody point to the official documentation that refers to this Breaking Change? Or is this the bug in macOS 15 Sequoia?

We have a developer-id application which includes a LaunchAgent, couple of LaunchDaemon and a system extension. We want to store our secure data in keychain that can read by any of our processes or at least by LaunchDaemons. We would also prefer for our data to not be visible to users, not be accessible to other processes and we did not want to use system keychain because of our prior experience where one of our app data on update corrupted the system keychain for one customer. Therefore, we have decided to create our own keychain file and store our data there. However, we noticed that SecKeychainCreate and related file based keychain APIs are deprecated. This led me to below threads: https://developer.apple.com/forums/thread/685546 https://developer.apple.com/forums/thread/712875 https://developer.apple.com/forums/thread/696431 And now I am confused. It is suggested that we should use data protection based keychain because file based keychains are on path to deprecation. However, it is also noted that data protection keychains do not work with LaunchDaemons. So which keychain is the right choice for our requirements? Also, One tricky aspect of this is that the SecItem API supports both keychain implementations I do not see any option to use file based keychain using SecItem API. How can I create a new keychain file at a given path and add data in it using SecItem APIs? Can someone please elaborate on this with example?

I have implemented basic Sign in with Apple functionality to my app. When the app is launched, the user will be presented with a Continue with Apple view, where they can authenticate. Once signed in, they will return to a view that reads "Hello, [User's Name]". However, I cannot seem to figure out why the email and name return nil after authentication. For example, when authentication is successful, the HelloView simply reads "Hello, " with no name. I have it setup so that the users name and email are saved to AppStorage variables, and then inserted into a Profile class with SwiftData. import AuthenticationServices import SwiftData import SwiftUI struct ContentView: View { @Environment(\.colorScheme) var colorScheme @Environment(\.modelContext) var modelContext @AppStorage("email") var email: String = "" @AppStorage("firstName") var firstName: String = "" @AppStorage("lastName") var lastName: String = "" @AppStorage("userID") var userID: String = "" @Query var userProfile: [Profile] private var isSignedIn: Bool { !userID.isEmpty } var body: some View { VStack { if !isSignedIn { SignInView() } else { HomeView() } } } } struct SignInView: View { @Environment(\.colorScheme) var colorScheme @Environment(\.modelContext) var modelContext @AppStorage("email") var email: String = "" @AppStorage("firstName") var firstName: String = "" @AppStorage("lastName") var lastName: String = "" @AppStorage("userID") var userID: String = "" @Query var userProfile: [Profile] var body: some View { NavigationStack { Spacer() SignInWithAppleButton(.continue) { request in request.requestedScopes = [.email, .fullName] } onCompletion: { result in switch result { case .success(let auth): switch auth.credential { case let credential as ASAuthorizationAppleIDCredential: // User ID let userID = credential.user // User Info let email = credential.email print(email!) let firstName = credential.fullName?.givenName print(firstName!) let lastName = credential.fullName?.familyName print(lastName!) self.email = email ?? "" self.userID = userID self.firstName = firstName ?? "" self.lastName = lastName ?? "" createProfile() default: break } case .failure(let error): print("Error signing in with Apple: \(error.localizedDescription)") } } .signInWithAppleButtonStyle(colorScheme == .dark ? .white : .black) .frame(height: 50) .padding() .cornerRadius(12) .navigationTitle("[App Name]") } } func createProfile() { let newProfile = Profile(firstName: firstName, lastName: lastName, email: email, userID: userID) modelContext.insert(newProfile) } } This is how I have my HomeView setup: import SwiftData import SwiftUI struct HomeView: View { @Environment(\.modelContext) var modelContext @Query var user: [Profile] var body: some View { ForEach(user) { user in Text("Hello, \(user.firstName)") } } } #Preview { HomeView() } And here's the Profile class: import Foundation import SwiftData @Model class Profile { var firstName: String var lastName: String var email: String var userID: String init(firstName: String, lastName: String, email: String, userID: String) { self.firstName = firstName self.lastName = lastName self.email = email self.userID = userID } }

Hi everyone, I’m developing an game with in-app purchases, designed for a a mixed audience(could be used by kids under 13). I understand that Apple’s Family Sharing has built-in consent mechanisms, like “Ask to Buy,” which helps manage purchases for kids. However, I’m unsure how to handle cases where Family Sharing is not set up or is disabled. Key Concerns: Kids Without Family Sharing: It’s possible for kids to have Apple IDs that are not part of Family Sharing, either because the feature is disabled, set up incorrectly, or the child is using an independent account due to an incorrect birthdate. This raises questions about whether relying solely on Apple’s built-in protections is sufficient. Is It Enough to Rely on Apple’s Systems?: Apple’s systems do a great job of managing consent when Family Sharing is in place, but I’m concerned about compliance in cases where kids are not covered by these protections. I want to ensure that my app remains compliant with COPPA and other relevant regulations, especially for users not covered by Family Sharing, without adding unnecessary layers for those who are correctly set up. Looking forward to your insights and recommendations! Thanks in advance!

I am successfully generating apple_sso_session_url by using apple clientId, which is opening apple login window and asking for email and password and after that it is calling my redirectSuccessUrl and passing code to redirectSuccessUrl. I am successfully using that code and other params of apple like keyId, key(p8 file path) and team id by using those params I am able to successfully generate apple client secret export const generateClientSecret = (): string => { const privateKey = fs.readFileSync(process.env.APPLE_PRIVATE_KEY_PATH as string, 'utf8'); const claims = { iss: process.env.APPLE_TEAM_ID, iat: Math.floor(Date.now() / 1000), exp: Math.floor(Date.now() / 1000) + 15777000, // 6 months aud: 'appstoreconnect-v1', sub: process.env.APPLE_CLIENT_ID, }; return jwt.sign(claims, privateKey, { algorithm: 'ES256', keyid: process.env.APPLE_KEY_ID, }); }; after that using same clientId, redirectUrl and apple_client_secret when i am calling apple api for getting token we are getting error invalid_client. const clientSecret = generateClientSecret(); const response = await axios.post('https://appleid.apple.com/auth/token', null, { params: { client_id: process.env.APPLE_CLIENT_ID, client_secret: clientSecret, code: body.code, grant_type: 'authorization_code', redirect_uri: process.env.APPLE_SSO_REDIRECT_URL, }, headers: { 'Content-Type': 'application/x-www-form-urlencoded', }, });

I'm using the SwiftUI .fileImporter() modifier to present a file open panel to the user, and then I access the returned file URL using String(contentsOf:encoding:). Then I get an error, "The file “order_history.csv” couldn’t be opened because you don’t have permission to view it." The thing is, my app (recently created in Xcode 16.1 beta from macOS template) has the User Selected File entitlement set to "Read Only." It should allow reading such a file, should it not?

Hi Team, I am trying to explore ESF events specifically generated by cloudsync extensions built on File Provider framework. Brief: I have high-level understanding of how various cloud vendors have provided their extensions to sync data from cloud/remote storage to local filesystem (and vice-versa). e.g.iCloudDriveFileProvider (icloud), DFSFileProviderExtension (google drive). There are 2 ESF AUTH events for file provider I can see namely: ES_EVENT_TYPE_AUTH_FILE_PROVIDER_MATERIALIZE , ES_EVENT_TYPE_AUTH_FILE_PROVIDER_UPDATE. and respectively their NOTIFY events. Observation: Observed that these events are generally triggered by fileproviderd process during download scenario i.e. syncing files from cloud/remote storage to local file system. i.e. 'materialize' for new file creation and 'update' for updating existing file. Question/Problem: Is there a correct way to find which cloud provider has triggered this download event? i.e. weather it is iCloudDriveFileProvider or DFSFileProviderExtension (there is this instigator field in Materialize event struct, but could not find similar for Update event. Are there similar ESF events for upload scenario? (I have fair understanding of how file-to-upload is copied to temp location and then uploaded by respective extensions to remote storage, but then they work with original files clone created in their temp location, so the AUTH events generated by this extension will wont reveal the original file name even if I am able to get the Fileprovider name) To Summarize: Basically I am looking for ESF event that will be triggered during upload scenario that can also let me know original file name as well the cloudprovider extension process name. As of now 'fileproviderd' process name is obtained from filesystem ESF events like AUTH_OPEN etc.

Hello Apple We have been facing lot of SSL issues when we are connecting to iOS devices with OS 17.5.1, 7.6.1 and 18. Need more clarification on the latest parameters to be used on the server side like -&gt; TLS Version and Cipher Suites Please do update us on the above. Error message-&gt; "An SSL error has occurred and a secure connection to the server cannot be made."

Hi Apple Developers, I'm facing an issue that call to https://appleid.apple.com/auth/token and it raised an error: invalid_client There is my URL that i'm getting a code: "https://www.facebook.com/v20.0/dialog/oauth?client_id=526484129769843&redirect_uri=https://abc.example-api.ss-ss.com/api/v1/accounts/facebook/callback&response_type=code&scope=email I'm using Key Id and Private Key in the file AuthKey_K5HK3H23KZ.p8 to generate to a Client Secret, Client ID is abc.example-api.ss-ss.com (It is the service id) and the code that i give at the above request. When i'm call to exchange access token, the error is showed My project is writing by dotnet core. I dont know why the client should be invalid. Can anyone help me please?

Hi, I have a question regarding data protection in ios 7. Qustion 1 : if the passcode is turned off, and data protection is disabled, in this case, will the files in nand flash still be encrypted? Or will it just disable all hardware encryption and all the files in nand flash will be decrypted and stored in plain text? The security paper says even the NSFileProtectionNone class has some level of hardware encryption, but my question is if someone disable the passcode and disable the data protection, will the newly created file still be encrypted using UID key so the chiping-off the nand flash and reading off the nand directly does not work due to encryption even though the passcode is disabled and data protection is not active? Question 2 : if they are still encrypted, do the files in the storage have the data protection NSFileProtectionNone class if the passcode is disabled and data protection is inactive?

Hello, If a user allows access to, for example, Removable Volumes (TCC permission) to the main app, does these permissions will be inherited by a bundled Finder Extension from the main app? More specific, I have an app that bundles a Finder Extension and both the main app and the bundled extension need access to Removable Volumes. Only the main app can request it, since the main app is the only that can prompt the user. If the user allows, will the bundled extension also receive the permissions? If not, is there any workaround? Regards.

The last 12 months or longer have been a hacked life nightmare. Today I discovered multiple blacklists inc a level 2 threat blacklist from Apple engineering. I am a victim not a hacker, I have found malware on my MacBook (spyware), refusal of service notifications from google inc the hackers address which I tracked to Amsterdam, blackmail threats, retaliation and death threats but no help from anyone inc police and government or Apple and this potentially effects many Apple users. Please Apple tell me why I was blacklisted and investigate the spyware incident so I can get my life back. Any suggestions welcome.

Hi, we are looking for a solution to install an extension to Microsoft PowerPoint app in a way that's compatible with the new macOS 15 behavior for Group Containers content. PowerPoint extensions Microsoft PowerPoint can be extended by PowerPoint Add-in (.ppam) files. These files must be installed in the app's container at this location: ~/Library/Group Containers/UBF8T346G9.Office/User Content.localized/Add-Ins.localized/ The PPAM file must be also registered in the MicrosoftRegistrationDB.reg file which is a sqlite database stored at this location: ~/Library/Group Containers/UBF8T346G9.Office/MicrosoftRegistrationDB.reg These locations can be access by non-sandboxed app on macOS 14 and earlier. Slido integration Our Slido app for macOS is distributed outside the Mac App Store, it is not sandboxed and it signed and notarized. The Slido app will install the PPAM file to the documented location and register it in the database. This installation did not require additional user approval on macOS 14 and older. With changes to macOS 15, a new permissions dialog is shown with this text: "Slido" would like to access data from other apps. This will allow Slido to integrate with Microsoft PowerPoint app. [Don't Allow] [Allow] We understand this is a security feature, yet we would like to make the experience for customers much better. As users are able to save PPAM files to the location by themselves without additional permissions, they expect the Slido app would be able to do so as well when run in the user context. Slido installs its files to this location: ~/Library/Group Containers/UBF8T346G9.Office/User Content.localized/Add-Ins.localized/SlidoAddin.localized/ Can we obtain com.apple.security.temporary-exception.files.home-relative-path.read-write to the SlidoAddin.localized folder? Even when we are different TeamID? Can we obtain a user permission which will be persisted so next time the Slido app can verify its files and uninstall them without further prompts? By having access to the SlidoAddin.localized folder our app would not be able to access any other data in Microsoft PowerPoint. We understand accessing the MicrosoftRegistrationDB.reg file is more sensitive and getting exception to access it would not be feasible. But we are trying to find out our options to make the experience seamless as that's what is expected by our customers on Apple platform. I am thankfully for any guidance and constructive feedback. Jozef, Tech Leader at Slido integrations team

Hi, im trying to make a Platform single sign-on app for my Idp, and I have tried online to try and find some code/ a demo app for this I cannot find anything for the Mac OS Side, there is someone who's created the server, but no info for that on what the Mac extension should do. I have tired implementing the 2 function to required, but to no luck. After reading what I think is all of the document I'm still really confused as to how this is all supposed to work. I have got to the stage where it create the popup that says you need to authenticated with your idp but cannot work out the bugs for the rest of it. manly im getting an issue in the console that says no login config for (username) and im not sure what im doing wrong.

Hello, I developed a file provider extension that can access files from multiple locations. With the new macOS Sequoia I cannot access files from volumes, here is the error from Console: Refusing TCCAccessRequest for service kTCCServiceSystemPolicyRemovableVolumes from extension Sub:{com.app.ext}Resp:{TCCDProcess: identifier=com.app.ext-Driver, pid=26706, auid=501, euid=501, binary_path.... Driver}, extension point disallows prompting I added "Privacy - Removable Volumes Usage Description" values for both the main app and extension Info.plist, I click Allow on the alert, but still I receive this error message. Any solution? Thank you.