Demystify code signing and its importance in app development. Get help troubleshooting code signing issues and ensure your app is properly signed for distribution.

Posts under Code Signing topic

Post

Replies

Boosts

Views

Created

New Capabilities Request Tab in Certificates, Identifiers & Profiles
You can now easily request access to managed capabilities for your App IDs directly from the new Capability Requests tab in Certificates, Identifiers & Profiles > Identifiers. With this update, view available capabilities in one convenient location, check the status of your requested capabilities, and see any notes from Apple related to your requests. Learn more about capability requests.
0
0
1.3k
Jun ’25
Code Signing Resources
General:

- Forums topic: Code Signing
- Forums subtopics: Code Signing > General, Code Signing > Certificates, Identifiers & Profiles, Code Signing > Notarization, Code Signing > Entitlements
- Forums tags: Code Signing, Signing Certificates, Provisioning Profiles, Entitlements
- Developer Account Help — This document is good in general but, in particular, the Reference section is chock-full of useful information, including the names and purposes of all certificate types issued by Apple Developer web site, tables of which capabilities are supported by which distribution models on iOS and macOS, and information on how to use managed capabilities.
- Developer > Support > Certificates covers some important policy issues
- Bundle Resources > Entitlements documentation
- TN3125 Inside Code Signing: Provisioning Profiles — This includes links to the other technotes in the Inside Code Signing series.
- WWDC 2021 Session 10204 Distribute apps in Xcode with cloud signing
- Certificate Signing Requests Explained forums post
- --deep Considered Harmful forums post
- Don’t Run App Store Distribution-Signed Code forums post
- Resolving errSecInternalComponent errors during code signing forums post
- Finding a Capability’s Distribution Restrictions forums post
- Signing code with a hardware-based code-signing identity forums post
- New Capabilities Request Tab in Certificates, Identifiers & Profiles forums post
- Isolating Code Signing Problems from Build Problems forums post
- Investigating Third-Party IDE Code-Signing Problems forums post
- Determining if an entitlement is real forums post
- Code Signing Identifiers Explained forums post

Mac code signing:

- Forums tag: Developer ID
- Creating distribution-signed code for macOS documentation
- Packaging Mac software for distribution documentation
- Placing Content in a Bundle documentation
- Embedding nonstandard code structures in a bundle documentation
- Embedding a command-line tool in a sandboxed app documentation
- Signing a daemon with a restricted entitlement documentation
- Defining launch environment and library constraints documentation
- WWDC 2023 Session 10266 Protect your Mac app with environment constraints
- TN2206 macOS Code Signing In Depth archived technote — This doc has mostly been replaced by the other resources linked to here but it still contains a few unique tidbits and it’s a great historical reference.
- Manual Code Signing Example forums post
- The Care and Feeding of Developer ID forums post
- TestFlight, Provisioning Profiles, and the Mac App Store forums post

For problems with notarisation, see Notarisation Resources. For problems with the trusted execution system, including Gatekeeper, see Trusted Execution Resources.

Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
0
0
34k
Jun ’22
App Notarization Stuck in "In Process" State – How Long Should It Take?
Hello, I’m currently in the process of app notarization, but my status is stuck in the "In Process" state, and I’m unsure how long this should take. I’d appreciate any advice or insights. Issue Description After submitting my app for notarization, the status has been stuck in "In Process" for an extended period. There seems to be no progress, and it’s taking longer than I expected for the process to complete. The status hasn’t changed, and it’s been 5 days since I submitted the app. Has anyone encountered a similar issue? How long does the notarization process usually take? Any advice on how to resolve this or if there’s something I might be missing? Thanks in advance for your help!
0
0
16
31m
Electron App submissions taking forever to notarize
This is my submission, my earliest submission has been stuck for a couple of days can someone please help. This is blocking our launch.

    --------------------------------------------------
    createdDate: 2026-03-01T15:57:46.893Z
    id: 4cd9bb60-67eb-4f59-be9b-952248da33cf
    name: Snip-1.0.0-arm64.dmg
    status: In Progress
    --------------------------------------------------
    createdDate: 2026-03-01T15:07:04.101Z
    id: fc88fa42-6ffe-4fee-86b2-0cec44c4391b
    name: Snip.zip
    status: In Progress
    --------------------------------------------------
    createdDate: 2026-02-28T06:48:58.307Z
    id: e6cabf68-2963-4971-a057-fb4c5a1bdb4c
    name: Snip.zip
    status: In Progress
    --------------------------------------------------
    createdDate: 2026-02-27T17:02:33.195Z
    id: 4e038aab-e429-4dfa-abcd-afcd49241a31
    name: Snip.zip
    status: In Progress
    --------------------------------------------------
    createdDate: 2026-02-27T17:02:21.907Z
    id: 4a908c50-812b-48c1-949d-8d6d4c9dec40
    name: Snip.zip
    status: In Progress
    --------------------------------------------------
    createdDate: 2026-02-27T14:28:38.585Z
    id: bccbc5bc-1cc7-4417-ab57-545b0cc6cc7b
    name: Snip.zip
    status: In Progress
    --------------------------------------------------
    createdDate: 2026-02-27T08:35:47.185Z
    id: 4219d594-ee41-4905-8ea5-af89dc924b4f
    name: Snip.zip
    status: In Progress
    --------------------------------------------------
    createdDate: 2026-02-27T08:07:51.982Z
    id: 08fce978-8dc1-45bb-aac1-ea932bd08b02
    name: Snip.zip
    status: In Progress
0
0
6
55m
Bug Report: Family Controls Entitlements Problem / EAS Build
The iOS build via EAS fails systematically during the Xcode phase. Although the Family Controls and App Groups capabilities are enabled on the Apple Developer portal and configured in app.json, the provisioning profiles generated by EAS are rejected by Xcode because they reportedly do not contain the necessary entitlements.

Project configuration:
Targets (4): main app + 3 extensions (ShieldConfiguration, ShieldAction, ActivityMonitorExtension).
Required capabilities: Family Controls (Development), App Groups.
EAS CLI version: 18.0.6 (and earlier versions tested).

Recurring Xcode error:

    error: Provisioning profile "[expo] com.*****.*** AdHoc 177230..." doesn't support the Family Controls (Development) capability..
    error: Provisioning profile "... AdHoc ..." doesn't include the com.apple.developer.family-controls entitlement..

What has already been tried (without success):
app.json configuration: manually added the entitlements for the main bundle and configured the react-native-device-activity plugin.
Credentials cleanup: completely deleted the profiles and identifiers on the Expo.dev site AND on the Apple Developer portal. +1
Forced sync: used eas build --clear-cache and answered "No" to reusing existing profiles.

Strange observation: the terminal often shows ✔ Synced capabilities: No updates, even though the entitlements have just been modified on the Apple portal. On the Apple portal, however, the profiles do show "Family Controls (Development)" among the enabled capabilities. I am attaching one of the profiles.
0
0
23
1d
Notarization stuck for almost 24 hours
    Successfully received submission history.
      history
        --------------------------------------------------
        createdDate: 2026-02-28T06:48:58.307Z
        id: e6cabf68-2963-4971-a057-fb4c5a1bdb4c
        name: Snip.zip
        status: In Progress
        --------------------------------------------------
        createdDate: 2026-02-27T17:02:33.195Z
        id: 4e038aab-e429-4dfa-abcd-afcd49241a31
        name: Snip.zip
        status: In Progress
        --------------------------------------------------
        createdDate: 2026-02-27T17:02:21.907Z
        id: 4a908c50-812b-48c1-949d-8d6d4c9dec40
        name: Snip.zip
        status: In Progress
        --------------------------------------------------
        createdDate: 2026-02-27T14:28:38.585Z
        id: bccbc5bc-1cc7-4417-ab57-545b0cc6cc7b
        name: Snip.zip
        status: In Progress
        --------------------------------------------------
        createdDate: 2026-02-27T08:35:47.185Z
        id: 4219d594-ee41-4905-8ea5-af89dc924b4f
        name: Snip.zip
        status: In Progress
        --------------------------------------------------
        createdDate: 2026-02-27T08:07:51.982Z
        id: 08fce978-8dc1-45bb-aac1-ea932bd08b02
        name: Snip.zip
        status: In Progress
        --------------------------------------------------
        createdDate: 2026-02-27T07:25:12.257Z
        id: dcba81a6-f9a5-42bd-9e04-bffa2aeabb10
        name: Snip.zip
        status: Invalid

The first submission failed because I used the wrong certificate type, however subsequent submissions are stuck for very long
0
0
26
1d
App group broken on Sequoia
We've got an in-house Swift macOS desktop app with a FileProvider extension, which has been working fine on various machines up through Sonoma (and still does). We've just installed it on a Sequoia machine, and on it the FileProvider extension has lost the ability to access the shared app group. It can neither log to the Group Containers folder under ~/Library, nor access the pipe to the main app. The group name is formatted as group.XXXXXXXXXX.com.orgname.appname in both targets. I'm not sure why it combines the iOS and macOS conventions, with both the group prefix and the teamIdentifier one -- it was first built some time before the point in 2025 when macOS supported iOS-style groups -- but again, it's been working. For the record, the provisioning profile for EMPFileProvider has the App Groups capability enabled, and the App Groups capability is present in both build targets in Xcode. The existing group identifier is registered on the website; I've also manually registered the team-ID-less group name, so I can migrate. The question is, is this actually the right approach? Will such a change break the app on pre-Sequoia machines? And if I proceed, what do I need to do to complete the migration? The app was built back in Xcode 12.5; will I need to update the entire build environment to take advantage of Xcode 16.3's explicit support for iOS-style group names, or can I get away with it since I've manually registered the new group?
0
0
19
1d
Different team ID's on my certs
I've seen a few posts about this online and it seems that Xcode generates random team IDs with its automatic signing system. But I haven't seen any way to make this work properly. If I log into the dev portal and look at my account, in the upper right I can see my team ID. If I manually generate a cert, I get a totally different one. Question: How can I generate a cert with my proper team ID (my paid account) where the IDs on my certs, identifiers and profiles all match? I've never had this issue before and am unsure how to solve it.
0
0
25
2d
Notarization Always Fails, Now Stuck at Max Certificates, Can't Delete
Every recent attempt to create an Installer certificate has failed, and now we've hit the maximum. We can't revoke them either — the portal only shows "Download," not "Revoke." Xcode also fails with: "Signing Certificates Error: There is a problem with the request entity. You already have a current Developer certificate or pending certificate request." This is completely blocking notarization and distribution of our macOS app. Has anyone resolved this, or does it require Apple to intervene on the backend? (This is a relatively new issue, we have successfully done this in the past hundreds of times over the years.)
3
0
85
4d
Notarization stuck over 12 hours
I've submitted a few first notarizations for my Electron app - I've verified with all the QA and resources that I am doing the correct thing - but it's silently just holding all my notarization requests on Apple's side with no logs. I'm trying to launch my app this week - how should I proceed?
1
0
44
4d
Requested access to the Persistent Content Capture Entitlement
Two months ago I requested the subject entitlement. I'm still waiting for it to be added to our account. Who or how can I find out what's going on with it? I have no correspondence from Apple yet saying it was denied and why. https://developer.apple.com/documentation/bundleresources/entitlements/com.apple.developer.persistent-content-capture?language=objc Thank you.
1
0
59
5d
Error 500 when requesting endpoint security entitlement
Hello, I am attempting to request the endpoint-security.client entitlement for my app using the following form: https://developer.apple.com/contact/request/system-extension/ After submitting the form, I consistently receive an HTTP 500 error from Apple’s servers. Could you please provide guidance on whether this is a known issue or if there is something I may be doing incorrectly? I appreciate your assistance.
1
0
67
1w
Notarization Request not found after 12 hours
Made a notarization request a few hours ago and woke up to check the history and it's no longer available. Not rejected/accepted just not found. I have gone ahead to make another request but I have no confidence because I expect the same thing to happen again. Any guidance? See logs below:

    daramfon@MacBook-Pro-3 frontend % xcrun notarytool history --apple-id "$APPLE_ID" --password "$APPLE_APP_SPECIFIC_PASSWORD" --team-id "$APPLE_TEAM_ID"
    Successfully received submission history.
      history
        --------------------------------------------------
        createdDate: 2026-02-20T23:53:14.066Z
        id: 6f2fadc0-2e8f-4331-a253-68f81334ebc6
        name: Speakeasy AI-0.1.0-arm64.zip
        status: In Progress
        --------------------------------------------------
        createdDate: 2026-02-20T23:47:12.897Z
        id: 435aec4f-5356-49a5-898d-48aaafb7949f
        name: Speakeasy AI.zip
        status: In Progress
        --------------------------------------------------
        createdDate: 2026-02-20T22:35:23.947Z
        id: 95896757-873a-4e54-a527-03dc767c9cb5
        name: Speakeasy AI.zip
        status: In Progress

    daramfon@MacBook-Pro-3 frontend % xcrun notarytool history --apple-id "$APPLE_ID" --password "$APPLE_APP_SPECIFIC_PASSWORD" --team-id "$APPLE_TEAM_ID"
    No submission history.

    daramfon@MacBook-Pro-3 frontend % xcrun notarytool info 6f2fadc0-2e8f-4331-a253-68f81334ebc6 --apple-id "$APPLE_ID" --password "$APPLE_APP_SPECIFIC_PASSWORD" --team-id "$APPLE_TEAM_ID"
    Submission does not exist or does not belong to your team.
      id: 6f2fadc0-2e8f-4331-a253-68f81334ebc6
2
0
129
1w
MacOS installer appears rejected after successful notarization
Hi! I am encountering an issue with the notarization process. I'll leave here the outputs of a few commands that I think might be useful.

    user@AndreisMac % pkgutil --check-signature mypkg.pkg
    Package "mypkg.pkg":
       Status: signed by a developer certificate issued by Apple for distribution
       Notarization: trusted by the Apple notary service
       Signed with a trusted timestamp on: 2026-02-18 18:46:16 +0000
       Certificate Chain:
        ...

    user@AndreisMac % spctl -a -vv --type install mypkg.pkg
    mypkg.pkg: rejected
    origin=Developer ID Installer: MyComp LLC (ABCD)

    user@AndreisMac % xcrun notarytool submit mypkg.pkg --keychain-profile "notary-profile" --wait
    Conducting pre-submission checks for mypkg.pkg and initiating connection to the Apple notary service...
    Submission ID received
      id: e76f34b3-7c91-451c-a539-8fb39809a5bd
    Upload progress: 100,00% (13,3 MB of 13,3 MB)
    Successfully uploaded file
      id: e76f34b3-7c91-451c-a539-8fb39809a5bd
      path: /path/to/mypkg.pkg
    Waiting for processing to complete.
    Current status: Accepted...............
    Processing complete
      id: e76f34b3-7c91-451c-a539-8fb39809a5bd
      status: Accepted

    user@AndreisMac % spctl -a -vv --type install mypkg.pkg
    mypkg.pkg: rejected
    origin=Developer ID Installer: MyComp LLC (ABCD)

As you can see:

- the installer is signed with a Developer ID Installer (the contents are signed and notarized as well)
- the first spctl check is failing (even if the installer was already notarized on our build server)
- trying to notarize again seems to work
- checking again still shows the installer as rejected

I can run the installer locally by removing the quarantine flag, but this is not what I am expecting from a signed & notarized installer. Interestingly enough, trying this installer on a different macOS machine works as expected (no quarantine) and spctl shows it as notarized (Accepted). Any idea what's wrong with my machine?
2
0
123
1w
notarytool returns HTTP 500 — even on store-credentials
Hi everyone,

For the past three days I've been unable to notarize my app — every attempt fails with an HTTP 500 error from Apple's notarization service. What's unusual is that the error occurs not only during submission, but also when simply validating credentials via store-credentials. Example:

    $ xcrun notarytool store-credentials "notarytool-password" \
        --apple-id <id> --team-id <team> --password <app-specific-password>
    Validating your credentials...
    Error: HTTP status code: 500. Internal Server Error
    Request ID: K6NYCMIFNM66OI2WRG3ORZEDUE.0.0
    Please try again at a later time.

Since the failure happens at credential validation — before any package is even uploaded — I'm fairly confident this is a server-side issue, not something wrong with my setup or the binary. I've tried across different network connections, same result. Has anyone else been hitting this? Is there a known outage or incident on Apple's notarization infrastructure? Any way to escalate or get a status update beyond checking developer.apple.com/system-status/? Thanks
1
1
136
1w
How to renew "Developer ID Application" certificate?
How do you renew a "Developer ID Application" certificate? Should there be a "renew" button on the expiration date? Or can you renew it sooner? Or are you required to create a new certificate? Does this count against your limit of five Developer ID Application certificates? I thought there was a way to renew it, but I don't see that option. I also couldn't find any Apple documentation about how to renew, only how to create and how there's a limit to how many you can create.
1
0
136
1w
Securing code signing certificates in the secure enclave
I am on a mission to secure our key material for our iOS app's code signing certificate. My first endeavor with storing the code signing certificate on a YubiKey is a marginal success - it seems that with a PIN policy that requires entering the PIN at least once we must enter the PIN umpteen times per build. Creating a certificate with a policy of never would be ill-advised. On the other hand, we could choose to store the code signing certificate in the Secure Enclave. However, it seems that I am only allowed to create elliptic curve private keys and not RSA keys in the Secure Enclave. When I attempt to upload a certificate signing request to AppStoreConnect, I am told that only an RSA2048 key will do. What I am after is a way to authenticate access to the certificate once per boot so that we can make multiple builds per day without manual intervention whilst also ensuring that the key material is not stored on disk. A YubiKey would be preferable, but I am fine with the Secure Enclave if need be. Is there a way to achieve this? Best regards, Emīls
1
0
109
1w
How to get url-filter-provider entitlement approved for App Store distribution?
I'm building a content filtering app using NEURLFilterManager and NEURLFilterControlProvider (introduced in iOS 26). The app uses a PIR server for privacy-preserving URL filtering. Everything works with development-signed builds, but App Store export validation rejects:

    Entitlement value "url-filter-provider" for com.apple.developer.networking.networkextension — "not supported on iOS"

I have "Network Extensions" enabled on my App IDs in the developer portal, but the provisioning profiles don't seem to include url-filter-provider, and I don't see a URL filter option in the Capability Requests tab.

What I've tried:

- Entitlement values: url-filter-provider, url-filter — both rejected at export
- Extension points: com.apple.networkextension.url-filter, com.apple.networkextension.url-filter-control — both rejected
- Regenerating provisioning profiles after enabling Network Extensions capability

My setup:

- iOS 26, Xcode 26
- Main app bundle: com.pledgelock.app
- URL filter extension bundle: com.pledgelock.app.url-filter
- PIR server deployed and functional

Is there a specific request or approval process needed for the url-filter-provider entitlement? The WWDC25 session "Filter and tunnel network traffic with NetworkExtension" mentions this entitlement but I can't find documentation on how to get it approved for distribution. Any guidance appreciated. Thanks!
1
0
139
2w
Unable to submit a Capability Request
In the Developer portal, I'm attempting to add the "DriverKit UserClient Access" to an App ID that is assigned to a DEXT that we are developing. Once I have filled out the form and clicked "Submit" the screen goes blank and stays blank even after a long delay. The original Capability Request tab's entry for "DriverKit UserClient Access" never changes from "No Requests". I have tried this on two successive days, with the same result.
1
0
60
2w
Locked Camera Capture Extension: provisioning profile for ExtensionKit appex missing com.apple.developer.locked-camera-capture entitlement (paid team)
I’m attempting to use a Locked Camera Capture Extension (created from Xcode’s template / following Apple’s “Creating a camera experience for the Lock Screen” guidance). The extension builds, embeds, and installs on a physical device, but I cannot get it provisioned with the required entitlement com.apple.developer.locked-camera-capture.

Environment

- Xcode: 26.0.1 (17A400)
- iOS: 26.2.1 (device)
- Apple Developer Program: paid Individual (Team ID: FT55UW9363)

Key issue: provisioning profile for the ExtensionKit appex lacks the locked-camera entitlement

The locked camera capture target is embedded as an ExtensionKit extension: .../DirectionalCamera.app/Extensions/LockedCapture.appex

I decoded the embedded provisioning profile inside that .appex and printed its Entitlements dictionary:

    security cms -D -i ".../DirectionalCamera.app/Extensions/LockedCapture.appex/embedded.mobileprovision" > /tmp/locked_profile.plist
    /usr/libexec/PlistBuddy -c "Print:Entitlements" /tmp/locked_profile.plist

Entitlements present in the embedded profile:

    Dict {
        com.apple.developer.avfoundation.multitasking-camera-access = true
        application-identifier = FT55UW9363.arp.geocam.LockedCapture
        keychain-access-groups = Array {
            FT55UW9363.*
            com.apple.token
        }
        get-task-allow = true
        com.apple.security.application-groups = Array {
            group.arp.geocam
        }
        com.apple.developer.team-identifier = FT55UW9363
    }

Critically, the required entitlement is absent:

    /usr/libexec/PlistBuddy -c "Print:Entitlements:com.apple.developer.locked-camera-capture" /tmp/locked_profile.plist
    Print: Entry, ":Entitlements:com.apple.developer.locked-camera-capture", Does Not Exist

Build behavior

If I manually add com.apple.developer.locked-camera-capture to the extension’s .entitlements, Xcode refuses to sign with: “Provisioning profile failed qualification: Profile doesn't include the com.apple.developer.locked-camera-capture entitlement.”

Notes

The only other embedded extension is a widget/control extension under .../DirectionalCamera.app/PlugIns/... with a separate profile (expected).

Question

Has anyone successfully provisioned a Locked Camera Capture Extension on a standard paid developer account? Is com.apple.developer.locked-camera-capture gated/restricted (requiring Apple to enable it for a specific Team ID / App ID), or is there a specific capability in the Developer portal that maps to it? If it’s restricted, what is the official process to request enablement for a team/app-id? Any pointers appreciated.
2
0
119
2w
Duplicate Certificates Cause codesign errSecInternalComponent failures
Original Problem

We use codesign and notarytool in a scripted environment to build and distribute binaries daily. We also do manual builds by logging into the build server using SSH. This has been working for many years, but after updating to a new "Developer ID Application" certificate, codesign was failing with errSecInternalComponent and the console logs showed errSecInteractionNotAllowed.

Summary of Resolution

Attempting to fix the problem resulted in multiple copies of the same Certificate which were NOT shown by Keychain Access. I had to run security delete-identity multiple times to clear out the redundant Identities and then imported the certificate using the security CLI tool.

Details

I originally followed these instructions for requesting and installing a new certificate: https://developer.apple.com/help/account/certificates/create-developer-id-certificates/

Tip: Use the security tool instead

These instructions fail to mention two critical points: 1) they assume the machine you generate the request on is the same machine you will be using to perform signatures, and 2) Keychain Access does not allow you to set permissions for applications like codesign.

I made the mistake of following the instructions on my workstation, and then tried to import the certificate to the build machine by double clicking on the .cer file. When that did not work, I followed various forum suggestions and eventually realized I need to export the private key as a .p12 file from the workstation, and import it into the build machine.

Tip: The term "Certificate" often refers to a public certificate by itself, while "Identity" refers to the combination of a public certificate and private key.

At this point, I could use codesign, but only within Terminal.app while logged into the build machine's console. I tried various security commands to reimport the Identity, set a key partition list, and unlock the keychain, but none of them allowed codesign to work from within SSH or cron scripts. Eventually I stumbled upon this:

    sudo security find-identity -v
    Password:
      1) 3C255…1560 "Developer ID Application: Data Expedition, Inc. (VK…8X)"
      2) 3C255…1560 "Developer ID Application: Data Expedition, Inc. (VK…8X)"
      3) 3C255…1560 "Developer ID Application: Data Expedition, Inc. (VK…8X)"
      4) EA377…96DD "Developer ID Application: Data Expedition, Inc. (VK…8X)"
      5) 3C255…1560 "Developer ID Application: Data Expedition, Inc. (VK…8X)"
      6) 3C255…1560 "Developer ID Application: Data Expedition, Inc. (VK…8X)"
      7) 3C255…1560 "Developer ID Application: Data Expedition, Inc. (VK…8X)"
      8) 3C255…1560 "Developer ID Application: Data Expedition, Inc. (VK…8X)"
      9) 3C255…1560 "Developer ID Application: Data Expedition, Inc. (VK…8X)"
     10) 3C255…1560 "Developer ID Application: Data Expedition, Inc. (VK…8X)"
        10 valid identities found

Keychain Access only showed one copy of the Identity in each keychain, but with security I could see there were actually 9.

Tip: Keychain Access does not accurately display keychain contents. If it shows no contents at all, type a letter in the search box. Identities are distinguished from lone Certificates by a drop-down caret to the left of the certificate name. Clicking that shows the key.

To fix the redundant Identities, I had to run this command four times to delete the nine copies:

    security delete-identity -Z 3C255…1560

I repeated this until the identity (I used the SHA1 hash of the certificate) no longer showed up in security find-identity -v. I then re-imported the certificate and key using security import, which is what I should have done from the beginning.

The Correct Way

Here are the commands I used to get things going after I deleted all the problem certificates:

    security import mycertificate.cer -k /Library/Keychains/System.keychain -T /usr/bin/codesign

This next command I ran in Terminal.app on the console so it could display a password prompt:

    security import ImportThisKey.p12 -k /Library/Keychains/System.keychain -T /usr/bin/codesign

After this, I used security find-identity -v to verify that there was only one copy of the Identity. I then verified that codesign could be used from SSH and cron-scripts even while logged out of the console.

I suspect that a lot of mysterious certificate problems might be caused by duplicate certificates, each with different permissions. As far as I can tell, there is no way to uniquely identify a certificate/identity or the permissions attached to them. The system just searches based on hash, or team-id, or other non-unique property and seems to just arbitrarily pick one.

I hope this helps someone else stuck with errSecInternalComponent errors!
1
0
106
2w