General:
DevForums tags: Code Signing, Signing Certificates, Provisioning Profiles, Entitlements
Developer Account Help — This document is good in general but, in particular, the Reference section is chock-full of useful information, including the names and purposes of all certificate types issued by Apple Developer web site, tables of which capabilities are supported by which distribution models on iOS and macOS, and information on how to use managed capabilities.
Developer > Support > Certificates covers some important policy issues
Entitlements documentation
TN3125 Inside Code Signing: Provisioning Profiles — This includes links to other technotes in the Inside Code Signing series.
WWDC 2021 Session 10204 Distribute apps in Xcode with cloud signing
Certificate Signing Requests Explained DevForums post
--deep Considered Harmful DevForums post
Don’t Run App Store Distribution-Signed Code DevForums post
Resolving errSecInternalComponent errors during code signing DevForums post
Finding a Capability’s Distribution Restrictions DevForums post
Signing code with a hardware-based code-signing identity DevForums post
Mac code signing:
DevForums tag: Developer ID
Creating distribution-signed code for macOS documentation
Packaging Mac software for distribution documentation
Placing Content in a Bundle documentation
Embedding Nonstandard Code Structures in a Bundle documentation
Embedding a Command-Line Tool in a Sandboxed App documentation
Signing a Daemon with a Restricted Entitlement documentation
Defining launch environment and library constraints documentation
WWDC 2023 Session 10266 Protect your Mac app with environment constraints
TN2206 macOS Code Signing In Depth archived technote — This doc has mostly been replaced by the other resources linked to here but it still contains a few unique tidbits and it’s a great historical reference.
Manual Code Signing Example DevForums post
The Care and Feeding of Developer ID DevForums post
TestFlight, Provisioning Profiles, and the Mac App Store DevForums post
For problems with notarisation, see Notarisation Resources. For problems with the trusted execution system, including Gatekeeper, see Trusted Execution Resources.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
Signing Certificates
A signing certificate is a digital identity used for code signing during the build and archive process.
Posts under Signing Certificates tag
160 Posts
We have developed an Electron app which we want to extend with an action extension. The action extension is written in Swift in Xcode. Our plan was to build the .appex file and insert it into the PlugIns folder in our Electron app, but I don't think this is the right way to do it?
If we insert the .appex file before notarization then we get an error that we are "replacing existing signature".
If we manually insert it after the notarization then we get an error with the app is damaged and can’t be opened.
Can anybody provide a procedure for this kind of merge? I would imagine that it goes something like:
Sign app
Sign extension
Add extension to App
Notarize app
For signing the app we use electron-builder.
PLATFORM AND VERSION
macOS
Development environment: Other: Python
Run-time configuration: macOS 14.6.1
DESCRIPTION OF PROBLEM
We have created an application using Python and created a .app using PyInstaller. We want to get location access from the Python-based application, which we are trying to run on macOS 14.6.1. Without including NSLocationUsageDescription in our Info.plist it works fine, but we don't get the location permission pop-up. After including NSLocationUsageDescription in Info.plist, the application got corrupted.
STEPS TO REPRODUCE
We are using the commands below to sign the application:
codesign --force -s "Developer ID Application: Pitney Bowes (72NX38Y9GF)" -v DeviceHub.app --deep --strict --options=runtime --entitlements ../info.plist DeviceHub.app
ditto -c -k --keepParent --rsrc --sequesterRsrc --arch 'x86_64' DeviceHub.app DeviceHub.zip
xcrun notarytool submit DeviceHub.zip --keychain-profile "DHAgentProfile" --wait
xcrun stapler staple DeviceHub.app
Hi everyone,
I maintain an app that is developed and distributed with an Apple Developer Enterprise subscription and delivered via my institution’s private site, where users download the .ipa file after logging in. From what I see, we use automatic signing in Xcode where possible.
On the 1st of January 2024, the provisioning profile expired, and the developer before me had to rush to renew it because the app stopped working.
Now, I have some questions about how to prevent this from happening again:
When should I renew the provisioning profile?
Can I renew it before the expiration without blocking the current app version that users have already downloaded?
How do I renew it? If I need to download a certificate, does it need to be converted into a different format?
Do we need to build a new .ipa file that users will have to download before the expiration date?
Here is a screenshot for clarification and guidance:
I've followed all the posts (most of which are fairly stale).
I've generated dozens of certificates both for "Apple Development" and "Apple Distribution", created several profiles of "iOS App Development" and "App Store Connect".
Up until now I have had very little problem installing my app (generated using Ionic/Capacitor v5/Angular v16, Xcode 15.4, macOS 14.6).
Now when I try to install directly on a test device (I've used regularly, previously), I get "Failed to verify code signature of... The identity used to sign the executable is no longer valid..."
I've restarted Xcode and my MacBook. I've deleted all certificates and revoked all profiles, and started over.
I have tried using automatic signing and manual signing.
Nothing is working.
I just want to be able to install the app on a test device (mostly to see logs in Xcode's console), and to be able to upload the same app to App Store Connect.
What am I doing wrong?
At some point I had to renew my Mac App Store certificates, so I've done so, and now that I'm attempting to build for submission to the app store, I'm getting: "No certificate for team 'My Name' matching '3rd Party Mac Developer Application: My Name (MY_ID)' found".
But where to get a 3rd Party Mac Developer Application certificate? Under Xcode's "Manage Certificates", there is no "3rd Party Mac Developer Application" under the "+" button.
There are only:
Apple Development
Apple Distribution
Mac Installer Distribution
Developer ID Application
Developer ID Installer
(all of which I have).
I am using Xcode Cloud to build my Mac Catalyst app for Developer ID Distribution as a DMG package that must be codesigned and notarized. I have a ci_post_xcodebuild.sh script that runs after the Archive action.
This needs to perform the following tasks:
Produce a DMG from the provided exported archive located at CI_DEVELOPER_ID_SIGNED_APP_PATH
Codesign that DMG using the same certificate identity that Xcode Cloud used when automatically code signing the exported archive with cloud signing.
Notarize that code-signed DMG with the notary service
Generate a Sparkle appcast.xml file
Upload the DMG and appcast.xml file to S3
The issue I am having is that I do not have access to the cloud signing keychain identity that Xcode Cloud uses to automatically codesign the exported archive.
I check for identities and none are found. Running:
security find-identity -v -p codesigning
There are no code signing identities available. Make sure you have a "Developer ID (Application)" certificate (with the private key) installed on your Mac with Keychain Access.
How can I access the cloud signing identity in this script so I can sign my DMG file before notarizing it?
I am currently experimenting with installing my own certificate in the build server keychain and running my own archive + export commands after the Build action completes. This is not ideal.
Thanks,
Andrew
Hi!
I develop my own NFC reader as a sole proprietor.
I would like to get the Apple VAS and Apple Access Pass certificates for my reader. How can I do that? Should I apply for Apple’s MFi program, or is it just for bigger organizations/companies?
Is there any way?
Thank you!
Daniel
Recently I noticed that when I build and archive my app with Xcode Cloud, it fails due to a code signing issue. But that's weird because I have all development and distribution certificates. Does anyone have any idea how to solve this?
Hello,
We have an application which gets our HSM certificates via TKTokenWatcher; here is a snippet:
let tokens = TKTokenWatcher()
for token in tokens.tokenIDs {
    // Use our HSM certs
    if token.contains("SPECIFIC_IDENTIFIER") {
        // Look up the identity (certificate + private key) held by this token
        let tokenQuery = [kSecClass as String: kSecClassIdentity,
                          kSecAttrTokenID as String: token,
                          kSecAttrKeyType as String: kSecAttrKeyTypeRSA,
                          kSecReturnRef as String: true] as CFDictionary
        var item: CFTypeRef?
        let result = SecItemCopyMatching(tokenQuery, &item)
        if result == noErr {
            // ... use the identity in `item`
        }
    }
}
Normally, the result is all right, but a problem occurred when we added the "App Groups" entitlement. This application has to share some Defaults with another app, so they need to be in the same App Group.
So, when we added this App Group entitlement, the result from the code snippet is -34018, which according to OSStatus means errSecMissingEntitlement.
Does anybody know which entitlement has to be added so the app can be in the App Group and at the same time is able to get the certificates?
Thank you.
Hello everyone,
I created a certificate using OpenSSL using the steps below:
Generate a Certificate Signing Request (ecccertreq.csr)
  Generate a key pair in a key file:
    openssl ecparam -genkey -name prime256v1 -out ecckey.key
  Generate a CSR from the key pair in the key file:
    openssl req -new -sha256 -key ecckey.key -out ecccertreq.csr -subj '/O=Nahdi Merchant Identity'
Upload the Payment Processing Certificate CSR
Download the Apple-signed Payment Processing Certificate
  The certificate file (apple_pay.cer) appears in my Downloads folder
Generate the .p12 file (ecckeystore.p12)
  Convert apple_pay.cer to PEM:
    openssl x509 -inform DER -in apple_pay.cer -out apple_pay.pem
  Import the merchant certificate and private key to generate the .p12:
    openssl pkcs12 -export -out ecckeystore.p12 -inkey ecckey.key -in apple_pay.pem
But I am getting this error when testing using the curl_test.php file and also when trying to make a payment on our website. We already have a working certificate for another merchant ID and we don't get the same error.
Verbose info:
cURL Error
56 - OpenSSL SSL_read: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca, errno 0
Verbose information
* Trying 17.141.128.71:443...
* TCP_NODELAY set
* Connected to apple-pay-gateway.apple.com (17.141.128.71) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: businessCategory=Private Organization; jurisdictionC=US; jurisdictionST=California; serialNumber=C0806592; C=US; ST=California; L=Cupertino; O=Apple Inc.; CN=apple-pay-gateway.apple.com
* start date: Jul 24 19:05:42 2024 GMT
* expire date: Oct 22 19:15:42 2024 GMT
* subjectAltName: host "apple-pay-gateway.apple.com" matched cert's "apple-pay-gateway.apple.com"
* issuer: C=US; O=Apple Inc.; CN=Apple Public EV Server RSA CA 1 - G1
* SSL certificate verify ok.
> POST /paymentservices/paymentSession HTTP/1.1
Host: apple-pay-gateway.apple.com
Accept: */*
Content-Length: 131
Content-Type: application/x-www-form-urlencoded
* upload completely sent off: 131 out of 131 bytes
* OpenSSL SSL_read: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca, errno 0
* Closing connection 0
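The "tlsv1 alert unknown ca" in the trace arrives during SSL_read, so it is the server rejecting the certificate the client presented. The check below, an added Go example (not from the post or from Apple), confirms that the private key pairs with the certificate before the .p12 is built and reports the certificate's issuer for comparison with the working merchant's certificate; it accepts the downloaded DER .cer or the converted PEM, and reads the key file as openssl ecparam writes it. MakeSample and the merchant name are constructed stand-ins, since the Apple-signed certificate cannot be reproduced offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// parseECKey reads the file written by `openssl ecparam -genkey`, which puts an
// "EC PARAMETERS" block in front of the "EC PRIVATE KEY" block, so it skips any block that is not the key.
func parseECKey(keyPEM []byte) (*ecdsa.PrivateKey, error) {
	for rest := keyPEM; len(rest) > 0; {
		blk, tail := pem.Decode(rest)
		if blk == nil {
			break
		}
		if blk.Type == "EC PRIVATE KEY" {
			return x509.ParseECPrivateKey(blk.Bytes)
		}
		rest = tail
	}
	return nil, fmt.Errorf("no EC PRIVATE KEY block found")
}

// CheckClientCert reports whether the private key pairs with the certificate and
// who issued the certificate. The certificate may be DER (the downloaded .cer)
// or PEM (after `openssl x509 -inform DER`); the key is the PEM file from openssl.
func CheckClientCert(certBytes, keyPEM []byte) (keyMatch bool, issuer string, err error) {
	der := certBytes
	if blk, _ := pem.Decode(certBytes); blk != nil && blk.Type == "CERTIFICATE" {
		der = blk.Bytes
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return false, "", fmt.Errorf("certificate: %w", err)
	}
	key, err := parseECKey(keyPEM)
	if err != nil {
		return false, "", fmt.Errorf("private key: %w", err)
	}
	// A mismatch here means the .p12 would pair the wrong key with the certificate.
	return key.PublicKey.Equal(cert.PublicKey), cert.Issuer.String(), nil
}

// MakeSample is a constructed stand-in for the Apple-signed certificate: a
// self-signed P-256 certificate plus a key file laid out the way openssl writes it.
func MakeSample(org string) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{org}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, _ := x509.MarshalECPrivateKey(key)
	oidP256 := []byte{0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07} // prime256v1 OID
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = append(pem.EncodeToMemory(&pem.Block{Type: "EC PARAMETERS", Bytes: oidP256}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})...)
	return certPEM, keyPEM, nil
}
```

Run CheckClientCert on apple_pay.cer (or apple_pay.pem) and ecckey.key; a false key match means the wrong key file was used for the CSR, and an unexpected issuer means the wrong certificate was downloaded.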
I am trying to validate my app (the first one I have done). It is asking me to create a certificate using Keychain. However, my macOS 15 and my phone on iOS 18 use the new Passwords app, not Keychain. So how do I get one? This is the error I get:
Invalid Code Signing Entitlements. Your application bundle's signature contains code signing entitlements that are not supported on iOS. Specifically, value '' for key 'com.apple.developer.icloud-container-environment' in 'Payload/StopWatch.app/StopWatch' is not supported. This value should be a string value of 'Production' (ID: c50d0cec-b221-4621-bc72-fa3c5b07200e)
Hi,
I am a developer and app manager using a personal account. I am encountering an issue where the automatic signing feature in Xcode is not working, and I receive the error message: "Signing for 'Runner' requires a development team." Additionally, I cannot access the "Certificates, Identifiers & Profiles" section, even though I have already added my account to Xcode.
How can I fix this issue? Is it possible to run or upload the app without this signing process?
Hi,
We have recently been approved for the Endpoint Security entitlement on our account. We have an application (golang) to which we need to assign this entitlement and sign manually. We have packaged the entitlement correctly with the application. We have tried using a Developer ID Application certificate that we created before this entitlement was given to our account and also a newly created certificate. However, the application crashes when it is launched, and I see the following error in the console logs (the full crash report is too big to post). Is there anything specific we need to do to attach the Endpoint Security entitlement to our certificate? Any help would be much appreciated; we have been stuck on this for a bit.
Thanks
Sriram
Translated Report (Full Report Below)
Incident Identifier: EAA48D72-705A-420B-8179-6D9049A81657
CrashReporter Key: 4F18A957-F0B8-BE5D-A1D7-74191ABCF38A
Hardware Model: MacBookPro14,1
Process: endpoint-security-example-test [6728]
Path: /Users/USER/*/endpoint-security-example-test
Identifier: endpoint-security-example-test
Version: ???
Code Type: X86-64 (Native)
Role: Unspecified
Parent Process: zsh [2463]
Coalition: com.apple.Terminal [1663]
Responsible Process: Terminal [2417]
Date/Time: 2024-07-31 13:34:45.7397 -0700
Launch Time: 2024-07-31 13:34:45.7294 -0700
OS Version: macOS 13.6.8 (22G820)
Release Type: User
Report Version: 104
Exception Type: EXC_CRASH (SIGKILL (Code Signature Invalid))
Exception Codes: 0x0000000000000000, 0x0000000000000000
Termination Reason: CODESIGNING 1 Taskgated Invalid Signature
Triggered by Thread: 0
Thread 0 Crashed:
0 0x116b40070 _dyld_start + 0
1 ??? 0x1 ???
Thread 0 crashed with X86 Thread State (64-bit):
rax: 0x0000000000000000 rbx: 0x0000000000000000 rcx: 0x0000000000000000 rdx: 0x0000000000000000
rdi: 0x0000000000000000 rsi: 0x0000000000000000 rbp: 0x0000000000000000 rsp: 0x00007ff7b0da09d0
r8: 0x0000000000000000 r9: 0x0000000000000000 r10: 0x0000000000000000 r11: 0x0000000000000000
r12: 0x0000000000000000 r13: 0x0000000000000000 r14: 0x0000000000000000 r15: 0x0000000000000000
rip: 0x0000000116b40070 rfl: 0x0000000000000200 cr2: 0x0000000000000000
Logical CPU: 0
Error Code: 0x00000000
Trap Number: 0
Binary Images:
0x116b3b000 - 0x116bd6fff () <2b649d59-89d8-3db6-9ba4-a6aecba42f6e> ???
0x10f15f000 - 0x10f21afff () <9440f210-132b-3da1-b7f5-4d2d62bc8e0d> ???
0x0 - 0xffffffffffffffff ??? (*) <00000000-0000-0000-0000-000000000000> ???
Error Formulating Crash Report:
dyld_process_snapshot_get_shared_cache failed
EOF
macOS application Mulligan's Eagle (403115926)
macOS deployment - macOS 10.14 (Mojave) through Sonoma 14.5
macOS targets - Mac App Store, ad hoc direct drag-to-install image
Xcode version 15.4, various development Macs (Intel, M1, M2)
Eagle delivered since pre-Mac App Store days - derived from System 7 MacApp development. App most recently delivered with min system Mac OS 10.12 through current Sonoma 14.5, dual target for Mac App Store automatically signed with Apple Development credentials and for outside release automatically signed with Developer ID credentials.
Recent revisions to the software to bump min system to 10.14 (Mojave) with typical continuing development for tech, reqm'ts, etc. Updates (a couple since previous release) to Xcode - now using version 15.4, which recommended some config changes that made sense, except min system. Popular application with lots of older (uh... elder) users running Macs servicing golfers.
The application is ready to distribute with automatic signing, but wasn't able to do so with Developer ID credentials, but Xcode note (and reading of tips in this forum and my poor understanding) managed to submit for notarization - failed.
Tried to manually sign...
and reviewed signing info in Xcode...
So I reviewed Certificate(s) etc. that should have been used when previously signing Dev ID for notarization and release. I have (I think) six Developer ID Application certs and six Developer ID Installer certs and I can't find any combination of those certificates - some with duplicate dates or expirations - that allows me to use one to automatically sign code to notarization or delivery. What do I do? I've lived a peaceful solo developer life for 25 years delivering and signing code for the Mac and as long as iOS has existed. I'm terrified about this issue however...
My early Mac OS using customers (since Lion - pre sandbox) still have serial numbers for this software and have bought a Mac every 6 - 10 years so they could get my latest release. We've never required that they re-purchase from the App Store... they have a perpetual license. Sandboxing was a shock they never felt - we kept delivering updates to them and if they decided sandboxing mattered, they purchased from Apple and we included the container-migration entitlement in the App Store version to move their data to the new sandbox. Pretty slick. Until we built an install disk to test it on an unsandboxed version of Eagle in our office. It "lost" its data - vanished by remaining in the old Application Support directory while the new hardened runtime version looked for it in the sandbox - finding nothing. Just imagine encountering that if you're 80 years old running a golf league.
How can I "reset" the futzed-up certificate Developer ID mess? I have multiple machines, all with varying subsets of what seem to be good certificates. And Xcode builds new provisioning profiles just for the heck of it, it seems. I'm afraid to revoke or throw out any certificates because I can't tell which ones are good, bad or duplicates - they're all valid. And I can't create any more Developer ID certs because there's a max to control certificate-miscreants like me (yes, I've read Quinn's protection of your Dev ID note - I screwed it up with only 1 employee). I depend on automatic signing because I'm still, after 58 years of coding, just a novice.
Is it true that I should still specify in my build settings that I'm using Developer ID credentials for my ad hoc development and distribution schemes? And that the proper settings for those should NOT enable hardened runtime or app sandboxing?
Sorry for my intensity here.... It's been 2 weeks since App Review bonked an initial submission with just an "it's broken" reject message, and DTS decided this is not such an emergency that the Developer Forum shouldn't be able to handle it. I'm truly hoping it's so.
Hello, I am getting the following error in Xcode Cloud:
/Volumes/workspace/repository/macos/Runner.xcodeproj: error: No signing certificate "Mac Development" found: No "Mac Development" signing certificate matching team ID "22649D52Q5" with a private key was found. (in target 'Runner' from project 'Runner')
I have automatic signing turned on in Xcode and the program compiles/runs fine in Xcode.
Below is my ci_post_clone.sh script:
#!/bin/sh
# Fail this script if any subcommand fails.
set -e
# The default execution directory of this script is the ci_scripts directory.
cd "$CI_PRIMARY_REPOSITORY_PATH" # change working directory to the root of your cloned (cloud) repo.
# Install Flutter using git.
git clone https://github.com/flutter/flutter.git --depth 1 -b stable "$HOME/flutter"
export PATH="$PATH:$HOME/flutter/bin"
# Install Flutter artifacts for iOS (--ios), or macOS (--macos) platforms.
flutter precache --macos
# Install Flutter dependencies.
flutter pub get
# Install CocoaPods using Homebrew.
export HOMEBREW_NO_AUTO_UPDATE=1 # disable Homebrew's automatic updates (must be exported so brew sees it).
brew install cocoapods
# Install CocoaPods dependencies.
cd macos
pod deintegrate
pod update
cd ..
# Install Flutter dependencies and run code generation.
flutter pub get
dart run build_runner build -d
# Build the macOS app.
flutter build macos --release
Hi…
I’m struggling with Sign in with Apple, and the problem is exacerbated by it being in a Qt6 / C++ macOS app which uses ObjC to interact with Apple frameworks. Outside Xcode, of course, because we use Qt Creator.
I’m pretty sure that I set it up correctly by implementing an
@interface CWAppleAuthenticationServiceImpl : NSObject <ASAuthorizationControllerPresentationContextProviding,ASAuthorizationControllerDelegate>
- (id)initWithOwner:(MyAppleAuthenticationService *) owner;
and all the rest.
The code compiles and runs, and when I call [controller performRequests], presentationAnchorForAuthorizationController gets called.
But nothing visible happens in the app. Instead it jumps right into didCompleteWithError, so I guess I did connect everything correctly – except that it doesn’t work correctly.
So I sign the app, providing the entitlements:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.developer.applesignin</key>
    <array>
        <string>Default</string>
    </array>
</dict>
</plist>
Signing and notarisation work, but when I start the app, it crashes. The entitlements are part of the app; I checked that with codesign, which claims that everything is fine.
The crash appears to be the same as described in https://forums.developer.apple.com/forums/thread/698870, i.e. "Error of invalid code signature". This is backed up by my signing it without entitlements, which yields a working and running application, albeit without sign-in capabilities.
I’m a bit stumped.
I am currently attempting to set up iOS app building via CI (using GitHub Actions). I would like to use automatic signing via xcodebuild -allowProvisioningUpdates and an App Store Connect API key. However, this will only work properly on the first CI run, since a certificate will be created, but is not available for subsequent runs since it is on a new machine (failing with Your account already has an Apple Development signing certificate for this machine, but its private key is not installed in your keychain).
Is there a way to do either of the following?
Via the CLI, generate a new p12 certificate on-demand which I can cache and add to the keychain for future signing
Make just the RSA private key available to xcode so that in the automated signing process, it can create a CSR with that key if needed and download the cer (which may already exist for that key) and generate the p12 on demand
"Certificates, Identifiers & Profiles" has two "Developer ID Installer" certificates,
two "Development" certificates and two "Mac Installer Distribution" certificates.
Is it a problem?
How do I delete the duplicated certificates?
How do I fix it?
Can I submit a Mac application to the App Store with an old OS:
Big Sur?
Ventura?
Hello all, I am getting the following popup for our application.
I have implemented the PTT (Push To Talk) framework by following https://developer.apple.com/documentation/pushtotalk/creating-a-push-to-talk-app
We are using the following VoIP entitlements. Our app supports iOS 12 and later:
i) com.apple.developer.pushkit.unrestricted-voip
ii) com.apple.developer.pushkit.unrestricted-voip.ptt
We have updated the app with the new Push To Talk framework and it's working fine. Our app's minimum deployment target is iOS 12.0, so the app will also work without using the PTT framework on older iOS versions.
Questions:
Why does the popup display even after the new Push To Talk framework implementation?
What should I do to stop this popup from showing? Do I need any other setting to complete this framework?
Thanks.
Hello all
I am hoping I can get some assistance on an expired certificate. I received an email from Apple saying that my distribution certificate was expiring and that I needed to generate a new certificate. I did try to reach out to support, but they suggested that I post my question here!
Firstly, I am not sure what type of certificate I need.
Secondly, I do not have an Apple Mac. I do all my activities on App Store Connect on my Windows PC, so I don't have the ability to generate a CSR file.
Thirdly, I have always been on my Windows PC, so I would never have been able to use a "Mac" to generate my previous certificate.
Lastly, do I even need a new certificate? I regularly publish updates to my existing apps but have no plans to produce any new ones.
I look forward to your reply.
Regards
Joanne Cooper