Background I've repeatedly run into codesigning (and missing provisioning profile) issues for my Ruby/Glimmer app and am looking for ways to troubleshoot this outside of Xcode. The app structure is as follows: PATHmanager.app └── Contents ├── Info.plist ├── MacOS │   └── PATHmanager ├── PkgInfo ├── Resources │   └── AppIcon.icns ├── _CodeSignature │   └── CodeResources └── embedded.provisionprofile Architecture I have a Mac mini Apple M2 Pro with macOS Ventura 13.4. Xcode is not used directly, but the underlying command line tools (e.g., codesign, productbuild, pkgutil, xcrun) are run from a custom Ruby script. xcodebuild -version Xcode 14.3.1 Build version 14E300c Questions Is the .app directory and file structure/naming sufficient? If not, can you point me in the direction of a minimal example that does not use Xcode? Info.plist is an XML text document (not binary), which I believe is in an acceptable format, but how do I lint this file and determine if it contains all of the necessary key/value pairs? <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>CFBundleDevelopmentRegion</key> <string>en</string> <key>CFBundleDisplayName</key> <string>PATH manager</string> <key>CFBundleExecutable</key> <string>PATHmanager</string> <key>CFBundleIconFile</key> <string>AppIcon.icns</string> <key>CFBundleIdentifier</key> <string>com.chipcastle.pathmanager</string> <key>CFBundleInfoDictionaryVersion</key> <string>6.0</string> <key>CFBundleName</key> <string>PATHmanager</string> <key>CFBundlePackageType</key> <string>APPL</string> <key>CFBundleShortVersionString</key> <string>1.15</string> <key>CFBundleSupportedPlatforms</key> <array> <string>MacOSX</string> </array> <key>CFBundleVersion</key> <string>1.15</string> <key>ITSAppUsesNonExemptEncryption</key> <false/> <key>LSApplicationCategoryType</key> <string>public.app-category.developer-tools</string> <key>LSMinimumSystemVersion</key> <string>12.0</string> <key>LSUIElement</key> <false/> <key>NSAppTransportSecurity</key> <dict> <key>NSAllowsArbitraryLoads</key> <true/> </dict> <key>NSHumanReadableCopyright</key> <string>© 2025 Chip Castle Dot Com, Inc.</string> <key>NSMainNibFile</key> <string>MainMenu</string> <key>NSPrincipalClass</key> <string>NSApplication</string> </dict> </plist> PATHmanager is a Mach-O 64-bit executable arm64 file created by using Tebako. Does this executable need to be codesigned, or is codesigning the .app folder sufficient? Does the .app directory need an entitlements file? Here's how I codesign it: codesign --deep --force --verify --verbose=4 --options runtime --timestamp --sign 'Apple Distribution: Chip Castle Dot Com, Inc. (BXN9N7MNU3)' '/Users/chip/Desktop/distribution/PATHmanager.app' Does the PATHmanager binary need an entitlements file? Here's how I codesign it: codesign --deep --force --verify --verbose=4 --options runtime --timestamp --entitlements '/Users/chip/Desktop/PATHmanager.entitlements' --sign 'Apple Distribution: Chip Castle Dot Com, Inc. (BXN9N7MNU3)' '/Users/chip/Desktop/distribution/PATHmanager.app/Contents/MacOS/PATHmanager' How can I verify what entitlements, if any, are required for codesigning the binary? The PATHmanager.entitlements file is an XML text file containing only the following: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.security.app-sandbox</key> <true/> </dict> </plist> Is the embedded.provisionprofile necessary, and if so, how do I know determine if it matches the certificate or entitlements that I'm using? Additionally, is it named and located properly? I submitted this to the AppStore several weeks ago and the reviewer reported that the executable would not load on their machine (even though it worked on mine.) Is it better for me to release via TestFlight for testing, and if so, do I need to following a separate process for codesigning (i.e., using different entitlements, profiles, certs, etc) when doing so? I've been playing whack-a-mole with this for too long to mention and am hoping to nail down a better deployment flow, so any suggestions for improvement will be greatly appreciated. Thank you in advance.

Hello Apple Developer Support, We are experiencing an issue when programmatically installing a trusted root certificate on EC2 macOS instances (ARM-based), running the latest version of macOS 14.7.5 (Build 23H527). We are using the following command as part of our automated setup process: sudo security authorizationdb write com.apple.trust-settings.admin allow sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$CERT_NAME" sudo security authorizationdb remove com.apple.trust-settings.admin This fails with the following message: SecTrustSettingsSetTrustSettings: The authorization was denied since no user interaction was possible In the past, as sugested in other posts (https://developer.apple.com/forums/thread/671582) we were able to bypass this issue by running: sudo security authorizationdb write com.apple.trust-settings.admin allow This worked successfully in prior versions, including earlier 14.x releases, and continues to work on Intel-based macOS instances. However, in macOS 14.7.5 (on ARM), this approach no longer works. We suspect this may be due to a change in how System Integrity Protection (SIP) is enforced, especially on EC2 ARM. Questions: Has Apple introduced any changes in macOS 14.7.5 that prevent modifying trust settings via security CLI on headless or non-interactive sessions? Is there an approved or documented way to install system-level trusted certificates programmatically on macOS 14.7.5 (ARM)? Are there alternatives for setting trustRoot certs in non-GUI environments, such as virtualized or cloud-hosted macOS instances? As further information we were thinking to use MDM Profiles but looks like it is also blocked Thanks

Hello everyone. I have a simple doubt, I receive an email informing that the Apple Distribution certificate will expire. I create one new in the Developer portal with one year duration. My doubt is, I need to do something more like open again the app in Xcode, insert new certificate and build it again, send to apple and everything? Or just creating this certification is enough? Is possible to increase this certification time or auto renew? Thank you!!!

I am responsible for the mobile app and thus also of the apple developer and app store connect accounts of a company. An external freelancer developed a software package for us which we aim to offer for installation and use on macOS systems of our customers; distributed exclusively outside of the Apple App Store. The software package has nothing to do with the mobile app. MacOS' Gatekeeper currently warns or even prevents our customers regarding the installation of the package on their device; pretty much as described here: https://developer.apple.com/developer-id/. According to a previous talk with Apple's Support, the software package (.app) the Freelancer developed must be signed with one of our own certificates. As we cannot grant selective app store connect access to third persons (only for the concerned certificates), we prefer to not provide access to our entire apple developer account to the freelancer, for the sole reason of the certificate & signing process. According to previous attempts with Apples' support regarding the most feasible solution in this case, they recommended me to manage the signing of the package of the freelancer, and simply request the package from the freelancer. I've thus generated an according Developer ID Certificate, but regarding the signing process, I'm confused. I know how signing works with mobile apps in XCode, but regarding software that is not distributed throughout the App Store on macOS, I'm unsure about the process. Also, as far as I know, the entitlements of the application are involved in the signing process. So my concern is that simply having the software package (.app) from the freelancer is not really enough to complete the signing + notarization process? Won't I need further information about the app's entitlements etc.? I would like to have a clear solution about the procedure that is required in these cases, as online documentations and / or forums as well as previous talks with your non-technical support from Apple did not resolve the issue.

Hi everyone! I've send my .dmg file for notarization, it has been accepted on March 5. Since then there weren't any updates, it hasn't changed its status. What might be the problem? Info about submission: createdDate: 2025-03-05T12:13:18.802Z id: 202d877d-d0c4-4211-bba4-6ebdb169a843 status: Accepted

Hi, I recently created and installed new code signing certificates/keys on my main Mac. How to easily copy these certificates/keys to my another Mac with the same Apple ID? Earlier Quinn suggested: "The easiest way to do this is use Xcode’s import/export feature. Launch Xcode, choose Xcode > Settings, select Accounts, select the account in question, then choose Export Apple ID and Code Signing Assets from the action (…) menu." And it worked fine in 2020-2021. However import/export options are no longer available in XCode 16 anymore. Please suggest a simple solution.

Hi everyone, I applied for CarPlay Entitlements on [Date 04. 26, 2024] using CarPlay is Case ID "13045151". I haven't received any updates or responses regarding my application yet. It's been 7 days since the application. My service requires CarPlay integration with a Black Box device. The primary purpose of this integration is to allow users to configure device settings through CarPlay. Furthermore, we plan to utilize the "Communication" category of Entitlements to notify users of parking incidents detected by the Black Box device while parked. This functionality is crucial for alerting drivers to potential issues affecting their vehicles. Could anyone share their experience with the typical turnaround time for CarPlay Entitlements, especially for applications involving device integration and the "Communication" category? Is this delay normal? Is there any way to check the application status or contact the appropriate team to inquire about its progress? Thank you for any insights or advice you can provide! Sincerely,

In XCode I create and export a notarized app for "direct distribution". I then create a tar file of the exported .app to distribute to my users. Until today this worked fine. Now when the users try to run the app it pops up a dialog saying "app is damaged and can't be opened. You should move it to the Trash." It is possible to ctrl-click on the app and force it to run but, I think, whether this works or not will depend on system settings and not all users have root access to modify settings. Even simply copying the .app folder from the command line will cause this error.

Hey everyone, I've been trying to notarize my Electron macOS app for the past two days without any success. My longest attempt took nearly 4 hours, and my current attempt has already been running for 2 hours and 26 minutes. From what I can see in the logs, the signing step has completed successfully, and the app is currently in the notarization stage. But it's been stuck there with no real updates or progress indicators. Is this kind of delay normal? Has anyone else experienced such long notarization times? Any help or insight would be greatly appreciated! Thanks in advance.

I have a binary which I have signed with a valid developer certificate. Here is how I verify the signature was correctly applied: % codesign -dvv ./test_program.exe Executable=/Users/REDACTED/code_signing/test_program.exe Identifier=com.REDACTED.hello_world Format=Mach-O thin (arm64) CodeDirectory v=20500 size=489 flags=0x10000(runtime) hashes=9+2 location=embedded Signature size=9071 Authority=Mac Developer: REDACTED NAME (REDACTED_ID) Authority=Apple Worldwide Developer Relations Certification Authority Authority=Apple Root CA Timestamp=Apr 16, 2025 at 11:26:43 AM Info.plist=not bound TeamIdentifier=REDACTED Runtime Version=14.2.0 Sealed Resources=none Internal requirements count=1 size=192 ============================== Additionally, I have confirmed in keychain access that my certificate is valid. Here is the output from the GUI: Issued by: Apple Worldwide Developer Relations Certification Authority Expires: Wednesday, April 15, 2026 at 3:50:14 PM Eastern Daylight Time This certificate is valid ============================== When I zip then send the executable for notarization, I get an "Invalid" response. Here is the log from that response: % xcrun notarytool submit ./test_program.zip --keychain-profile REDACTED --wait Conducting pre-submission checks for test_program.zip and initiating connection to the Apple notary service... Submission ID received id: 0d64c285-eb59-4b34-b911-0e6cbb1dbc16 Upload progress: 100.00% (6.39 KB of 6.39 KB) Successfully uploaded file id: 0d64c285-eb59-4b34-b911-0e6cbb1dbc16 path: /Users/REDACTED/code_signing/test_program.zip Waiting for processing to complete. Current status: Invalid......... Processing complete id: 0d64c285-eb59-4b34-b911-0e6cbb1dbc16 status: Invalid =============================== And here is the log indicating the reason for the notarization failure: xcrun notarytool log "0d64c285-eb59-4b34-b911-0e6cbb1dbc16" --keychain-profile REDACTED "./log_file.txt" { "logFormatVersion": 1, "jobId": "0d64c285-eb59-4b34-b911-0e6cbb1dbc16", "status": "Invalid", "statusSummary": "Archive contains critical validation errors", "statusCode": 4000, "archiveFilename": "test_program.zip", "uploadDate": "2025-04-16T16:23:38.993Z", "sha256": "9e3bd03301f4930a0e4015873b435c8d64c291e7c63d0552f17652dc7ce16195", "ticketContents": null, "issues": [ { "severity": "error", "code": null, "path": "test_program.zip/test_program.exe", "message": "The binary is not signed with a valid Developer ID certificate.", "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721", "architecture": "arm64" } ] } ============================== The notarization server saying that it's not signed by a valid developer certificate, but to the best of my ability I have confirmed that a valid developer certificate is being used.

I am distributing a macOS application outside the App Store using Developer ID and need to provide provisioning profiles to customers for installation during the package installation process. I have two questions: How can I package and provide the provisioning profile(s) so that the customer can install them easily during the application installation process? Are there any best practices or tools that could simplify this step? In my case, there are multiple provisioning profiles. Should I instruct the customer to install each profile one by one, or is there a way to combine them and have them installed all at once? Any insights, resources, or recommendations would be greatly appreciated.

I have an app that runs as a status bar app, mostly. I have set the following in the info.plist file for the app: <key>Application is agent (UIElement)</key> <true/> However, I get a compile error: Provisioning profile Mac Team Provisioning Profile: yout.Drive doesn't include the Application is agent (UIElement) entitlement. Checking the entitlements, I do not see this entitlement anywhere. Where and how do I set this?

When I first tried to sign my local unit test with the identity generated by Xcode, it failed because the intermediate certificate was missing. In that case, the error message explained that the trust chain could not be completed. But after installing the correct intermediate, codesign still fails, but no longer gives any explanation: codesign -f -s '0EFE7E591A4E690842094B8EC5AFDFE059637D3C' build/Darwin-Xcode-arm64_obf/bin/Release/UNITTEST build/Darwin-Xcode-arm64_obf/bin/Release/UNITTEST: replacing existing signature build/Darwin-Xcode-arm64_obf/bin/Release/UNITTEST: errSecInternalComponent It's the same error line "errSecInternalComponent". Is there a log somewhere that might explain what exactly is the error?

I created a distribution certificate for my app release build and have manually loaded this cert (link to xcode image at the bottom of this paragraph). All things look good until I build the app and I get the following error. I'm first pasting the image of my project and then the error information. [https://madshot.net/10c6e510875e.png) Could not launch “Madshot360” Domain: IDELaunchErrorDomain Code: 20 Recovery Suggestion: Runningboard has returned error 5. Please check the system logs for the underlying cause of the error. User Info: { DVTErrorCreationDateKey = "2025-06-10 19:58:02 +0000"; DVTRadarComponentKey = 968756; IDERunOperationFailingWorker = IDELaunchServicesLauncher; } The operation couldn’t be completed. Launch failed. Domain: RBSRequestErrorDomain Code: 5 Failure Reason: Launch failed. Launchd job spawn failed Domain: NSPOSIXErrorDomain Code: 153 Event Metadata: com.apple.dt.IDERunOperationWorkerFinished : { "device_identifier" = "00008112-0004052C22D8A01E"; "device_model" = "Mac14,15"; "device_osBuild" = "15.5 (24F74)"; "device_platform" = "com.apple.platform.macosx"; "device_thinningType" = "Mac14,15"; "dvt_coredevice_version" = "443.19"; "dvt_coresimulator_version" = "1010.10"; "dvt_mobiledevice_version" = "1784.120.3"; "launchSession_schemeCommand" = Run; "launchSession_state" = 1; "launchSession_targetArch" = arm64; "operation_duration_ms" = 235; "operation_errorCode" = 20; "operation_errorDomain" = IDELaunchErrorDomain; "operation_errorWorker" = IDELaunchServicesLauncher; "operation_name" = IDERunOperationWorkerGroup; "param_debugger_attachToExtensions" = 0; "param_debugger_attachToXPC" = 1; "param_debugger_type" = 3; "param_destination_isProxy" = 0; "param_destination_platform" = "com.apple.platform.macosx"; "param_diag_113575882_enable" = 0; "param_diag_MainThreadChecker_stopOnIssue" = 0; "param_diag_MallocStackLogging_enableDuringAttach" = 0; "param_diag_MallocStackLogging_enableForXPC" = 1; "param_diag_allowLocationSimulation" = 1; "param_diag_checker_tpc_enable" = 1; "param_diag_gpu_frameCapture_enable" = 0; "param_diag_gpu_shaderValidation_enable" = 0; "param_diag_gpu_validation_enable" = 0; "param_diag_guardMalloc_enable" = 0; "param_diag_memoryGraphOnResourceException" = 0; "param_diag_mtc_enable" = 1; "param_diag_queueDebugging_enable" = 1; "param_diag_runtimeProfile_generate" = 0; "param_diag_sanitizer_asan_enable" = 0; "param_diag_sanitizer_tsan_enable" = 0; "param_diag_sanitizer_tsan_stopOnIssue" = 0; "param_diag_sanitizer_ubsan_enable" = 0; "param_diag_sanitizer_ubsan_stopOnIssue" = 0; "param_diag_showNonLocalizedStrings" = 0; "param_diag_viewDebugging_enabled" = 1; "param_diag_viewDebugging_insertDylibOnLaunch" = 1; "param_install_style" = 2; "param_launcher_UID" = 2; "param_launcher_allowDeviceSensorReplayData" = 0; "param_launcher_kind" = 0; "param_launcher_style" = 99; "param_launcher_substyle" = 0; "param_runnable_appExtensionHostRunMode" = 0; "param_runnable_productType" = "com.apple.product-type.application"; "param_structuredConsoleMode" = 1; "param_testing_launchedForTesting" = 0; "param_testing_suppressSimulatorApp" = 0; "param_testing_usingCLI" = 0; "sdk_canonicalName" = "macosx15.4"; "sdk_osVersion" = "15.4"; "sdk_variant" = macos; } System Information macOS Version 15.5 (Build 24F74) Xcode 16.3 (23785) (Build 16E140) Timestamp: 2025-06-10T12:58:02-07:00

Yes, this is very likely the completely wrong way to do things but I would like to ask regardless. Currently with windows/linux I can perform an in-situ upgrade of an application by performing a download of the binary 'foo' and then doing a rename-and-replace and subsequently requesting the licencee to restart the program and all is good. With macOS, as the binary is within the foo.app ( Contents/macOS/foo ) I imagine I cannot perform a similar operation without breaking the signing of the foo.app itself? ....or, can I individually sign the binary foo for macOS and perform the same type of operation? Download new foo as foo.new rename current foo.app/Content/macOS/foo -> foo.old rename foo.new -> foo Restart application Again, I know this is very likely an un-macOS way of performing the task but as you can imagine with supporting cross-platform development it's usually easier to maintain a consistent method even if it's "not ideal".

I am experiencing an issue when publishing my .NET MAUI application for iOS using Visual Studio Code. During the publishing process, I encountered a codesign error. Hope someone can help me. This is the error: Warning: unable to build chain to self-signed root for signer "Apple Distribution: SOFTBUILDER SDN. BHD. (********)" /Users/frankongthuanhong/Desktop/App/MLBusinessCafe_Maui/MLBusinessCafe_Maui/bin/Release/net8.0-ios/ios-arm64/MLBusinessCafe_Maui.app: errSecInternalComponent /usr/local/share/dotnet/packs/Microsoft.iOS.Sdk.net8.0_18.0/18.0.8316/tools/msbuild/iOS/Xamarin.Shared.targets(2335,3): error : /usr/bin/codesign exited with code 1: [/Users/frankongthuanhong/Desktop/App/MLBusinessCafe_Maui/MLBusinessCafe_Maui/MLBusinessCafe_Maui.csproj::TargetFramework=net8.0-ios] /usr/local/share/dotnet/packs/Microsoft.iOS.Sdk.net8.0_18.0/18.0.8316/tools/msbuild/iOS/Xamarin.Shared.targets(2335,3): error : Warning: unable to build chain to self-signed root for signer "Apple Distribution: SOFTBUILDER SDN. BHD. (U44UY7DYY7)" [/Users/frankongthuanhong/Desktop/App/MLBusinessCafe_Maui/MLBusinessCafe_Maui/MLBusinessCafe_Maui.csproj::TargetFramework=net8.0-ios] /usr/local/share/dotnet/packs/Microsoft.iOS.Sdk.net8.0_18.0/18.0.8316/tools/msbuild/iOS/Xamarin.Shared.targets(2335,3): error : /Users/frankongthuanhong/Desktop/App/MLBusinessCafe_Maui/MLBusinessCafe_Maui/bin/Release/net8.0-ios/ios-arm64/MLBusinessCafe_Maui.app: errSecInternalComponent [/Users/frankongthuanhong/Desktop/App/MLBusinessCafe_Maui/MLBusinessCafe_Maui/MLBusinessCafe_Maui.csproj::TargetFramework=net8.0-ios] /usr/local/share/dotnet/packs/Microsoft.iOS.Sdk.net8.0_18.0/18.0.8316/tools/msbuild/iOS/Xamarin.Shared.targets(2335,3): error : Failed to codesign '/Users/frankongthuanhong/Desktop/App/MLBusinessCafe_Maui/MLBusinessCafe_Maui/bin/Release/net8.0-ios/ios-arm64/MLBusinessCafe_Maui.app': Warning: unable to build chain to self-signed root for signer "Apple Distribution: SOFTBUILDER SDN. BHD. (U44UY7DYY7)" [/Users/frankongthuanhong/Desktop/App/MLBusinessCafe_Maui/MLBusinessCafe_Maui/MLBusinessCafe_Maui.csproj::TargetFramework=net8.0-ios] /usr/local/share/dotnet/packs/Microsoft.iOS.Sdk.net8.0_18.0/18.0.8316/tools/msbuild/iOS/Xamarin.Shared.targets(2335,3): error : /Users/frankongthuanhong/Desktop/App/MLBusinessCafe_Maui/MLBusinessCafe_Maui/bin/Release/net8.0-ios/ios-arm64/MLBusinessCafe_Maui.app: errSecInternalComponent [/Users/frankongthuanhong/Desktop/App/MLBusinessCafe_Maui/MLBusinessCafe_Maui/MLBusinessCafe_Maui.csproj::TargetFramework=net8.0-ios] /usr/local/share/dotnet/packs/Microsoft.iOS.Sdk.net8.0_18.0/18.0.8316/tools/msbuild/iOS/Xamarin.Shared.targets(2335,3): error : [/Users/frankongthuanhong/Desktop/App/MLBusinessCafe_Maui/MLBusinessCafe_Maui/MLBusinessCafe_Maui.csproj::TargetFramework=net8.0-ios] /usr/local/share/dotnet/packs/Microsoft.iOS.Sdk.net8.0_18.0/18.0.8316/tools/msbuild/iOS/Xamarin.Shared.targets(2335,3): error : [/Users/frankongthuanhong/Desktop/App/MLBusinessCafe_Maui/MLBusinessCafe_Maui/MLBusinessCafe_Maui.csproj::TargetFramework=net8.0-ios]

I created an MadOS app with xcode 16.5 with a developer id certificate. I've been trying to install a distribution certificate for over a week with several co-workers. I can add a distribution certificate to my key chain, and created a provisioning profile. I've tried every combination but none work. I put xcode in automatic signing but can only see my developer id, if I put it in manual with and without a provisioning profile but if I give the app binary, other users can't run the app because the certificate isn't working. I need support to work with me to look the developer portal and my system to figure this out.

This math-educational 3D-graphics courseware utilizes Java3D, which sits on top of hardware-dependent JOGAMP binaries (which instruct at the GPU-level). This code signing command applied to the installer .dmg: codesign -s "myName" --force --options runtime ~/DFG2D_MacOS_Manufacturing/MacOSInstallers/DFG2D_Mac_J1602_x86/DataflowGeometry2D-1.0.300.dmg is supposed to force signing of all the embedded binaries, BUT the notary tool finds about 25 jogamp-fat dynamic libraries (/ *.dylib) UNSIGNED. Processing complete id: 23d81a99-4087-48d2-a567-8072dd2820fe status: Invalid pierrebierre@Pierres-iMac ~ % xcrun notarytool log 17d2fe94-f38a-47d4-9568-cf4dc65f24c9 --apple-id "xxxxxxxxxxx" --team-id "XXXXXXXXX" --password pwpwpwpwpw { "logFormatVersion": 1, "jobId": "17d2fe94-f38a-47d4-9568-cf4dc65f24c9", "status": "Invalid", "statusSummary": "Archive contains critical validation errors", "statusCode": 4000, "archiveFilename": "DataflowGeometry2D-1.0.300.dmg", "uploadDate": "2025-07-13T21:28:21.147Z", "sha256": "57320c4ad4a07f144336084152bf7e3328f8c5694dd568d2cfd23a596b5b3b13", "ticketContents": null, "issues": [ { "severity": "error", "code": null, "path": "DataflowGeometry2D-1.0.300.dmg/DataflowGeometry2D.app/Contents/app/DFG2D_Mac_x86_300.jar/lib/jogamp-fat/jogamp-fat.jar/natives/macosx-universal/libnativewindow_awt.dylib", "message": "The binary is not signed.", "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721", "architecture": "x86_64" }, { "severity": "error", "code": null, "path": "DataflowGeometry2D-1.0.300.dmg/DataflowGeometry2D.app/Contents/app/DFG2D_Mac_x86_300.jar/lib/jogamp-fat/jogamp-fat.jar/natives/macosx-universal/libnativewindow_awt.dylib", "message": "The signature does not include a secure timestamp.", "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733", "architecture": "x86_64" }, What is your advice on how to get these binaries signed?

Hello, I'm encountering an issue when trying to build and launch a Flutter app on a physical iOS device using Android Studio. Here is the full log: `Launching lib/main.dart on （iPhone Name） in debug mode... Automatically signing iOS for device deployment using specified development team in Xcode project: （Project ID） Running Xcode build... Xcode build done. 19.7s Failed to build iOS app Could not build the precompiled application for the device. Error (Xcode): Target debug_unpack_ios failed: Exception: Failed to codesign （Project Names）/build/ios/Debug-iphoneos/Flutter.framework/Flutter with identity （identity ID）. Error launching application on （iPhone Name）.` This only happens when using Android Studio. When I build the same project using Xcode, it runs fine on the same device. Background: I accidentally deleted all Apple accounts from Xcode recently. In Keychain Access, I had three identical certificates; I deleted the older two and kept the newest one. I suspect this may be related to provisioning or code signing, but I’m not sure how to resolve it within Android Studio. Any advice or steps to fix this would be greatly appreciated. Thanks in advance!

Hello. I have an enterprise application that requires specific privileges to execute correctly on MacOS. One of these privileges is SystemPolicyAllFiles (aka Full Disk Access), as we use the endpoint security framework. When we distribute our application, we generate: A signed, notarized pkg consisting of our application binaries. An MDM-compatible .mobileconfig, which contains the SystemPolicyAllFiles setting. We expect our users to install both to get the application to function correctly. However, we have three environments we deploy to: Internal (local development on a developer's workstation), "development" (where features are integrated prior to release) and "production" (what our customers get). For local, our developers create an Apple account and use a Mac Development certificate for signing. They also generate their own embedded.provisionprofile and drop that into their local installation config. For development/production, we use our Developer ID certificate and Developer Installer certificate, with an endpoint security embedded.provisionprofile bound to those. However, when we generate a .mobileconfig, we need to include a CodeRequirement (CR) for SystemPolicyAllFiles. I've been retrieving this using codesign -dr - ... (i.e., the designated requirement aka DR). However, the designated requirement is very specific to the certificate, which is problematic specifically for local development, where each developer has their own Mac Development certificate. Here's what the relevant section of our generated mobileconfig looks like right now: &lt;dict&gt; &lt;key&gt;SystemPolicyAllFiles&lt;/key&gt; &lt;array&gt; &lt;dict&gt; &lt;key&gt;Allowed&lt;/key&gt; &lt;true/&gt; &lt;key&gt;CodeRequirement&lt;/key&gt; &lt;string&gt;identifier "com.example.app and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = &lt;TEAMID&gt;&lt;/string&gt; &lt;key&gt;Comment&lt;/key&gt; &lt;string&gt;app&lt;/string&gt; &lt;key&gt;Identifier&lt;/key&gt; &lt;string&gt;com.exmple.app&lt;/string&gt; &lt;key&gt;IdentifierType&lt;/key&gt; &lt;string&gt;bundleID&lt;/string&gt; &lt;key&gt;StaticCode&lt;/key&gt; &lt;false/&gt; &lt;/dict&gt; &lt;/array&gt; &lt;/dict&gt; That's in a format that works for our Developer ID cert, but the DR for the Mac Development certificate looks like: identifier "com.example.app" and anchor apple generic and certificate leaf[subject.CN] = "Mac Developer: John Doe (12ABC34567)" and certificate 1[field.1.2.840.113635.100.6.2.1] /* exists */ Question: Is it possible to relax the code requirement so that it is generic enough to cover all Mac Developer certificates and Developer ID certificates we use? If not, is there a way to have one code requirement for our Mac Developer certificates and a separate CR for our Developer ID certificate? My use case is deploying a static "local" .mobileconfig using our internal company MDM (Apple Business Essentials) to all developer workstations so we don't have to have each developer manually configure their system for the software to run. Thanks! D