The problem is the following: We create a keychain item called NotaryTool (There are multiple accounts that use Notary tool and we created it for all of them ) This is created in the following way: $ xcrun notarytool store-credentials This process stores your credentials securely in the Keychain. You reference these credentials later using a profile name. Profile name: NotaryTool We recommend using App Store Connect API keys for authentication. If you'd like to authenticate with an Apple ID and app-specific password instead, leave this unspecified. Path to App Store Connect API private key: //AuthKey_ABCDEFGH.p8 App Store Connect API Key ID: <ABCDEFGH> App Store Connect API Issuer ID: ABCDEF-ABCD-1234-1234-1234567 Validating your credentials... Success. Credentials validated. Credentials saved to Keychain. To use them, specify `--keychain-profile "NotaryTool"` The key is downloaded from Apple and some other IDs are provided alongside. These should remain in the keychain for as long as the user process is running (just like any other process) A few runs are successful when we run with the profile that was created. After a few runs we start seeing a failure. Now we are seeing the following issue where the keychain item just vanishes: Error: No Keychain password item found for profile: NotaryTool\n\nRun 'notarytool store-credentials' to create another credential profile.\nError during the not process\nTue Aug 26 06:02:09 2025 Notarization failed with notarytool with exit code 17664: \nTue Aug 26 06:02:09 2025 could not upload for notarization!!!

Hello Apple Developer Community, I'm experiencing a persistent issue with App Groups configuration for an iOS app extension that I can't resolve despite trying multiple approaches. I hope someone can help identify what I'm missing. Problem Description I'm getting this error when trying to build my iOS App Extension: Provisioning profile "iOS Team Provisioning Profile: com.idlrapp.Spleeft.SpleeftDataSaver" doesn't include the com.apple.developer.app-groups entitlement. My Setup Main App Bundle ID: com.idlrapp.Spleeft Extension Bundle ID: com.idlrapp.Spleeft.SpleeftDataSaver App Group ID: group.com.idlrapp.spleeft.shared Extension Type: Action Extension (Share Sheet) What I've Verified App Group Creation ✅ Created App Group group.com.idlrapp.spleeft.shared in Apple Developer Portal ✅ App Group shows as "Active" in the portal App ID Configuration ✅ Both App IDs (com.idlrapp.Spleeft and com.idlrapp.Spleeft.SpleeftDataSaver) have "App Groups" capability enabled ✅ Both App IDs are configured with the same App Group: group.com.idlrapp.spleeft.shared Entitlements Files Main App (Spleeft.entitlements): <key>com.apple.developer.app-groups</key> <array> <string>group.com.idlrapp.spleeft.shared</string> </array> Extension (SpleeftDataSaver.entitlements): <key>com.apple.developer.app-groups</key> <array> <string>group.com.idlrapp.spleeft.shared</string> </array> Xcode Configuration ✅ Both targets use "Automatically manage signing" ✅ Same Apple Developer Team selected for both ✅ App Groups capability shows correctly in Signing & Capabilities for both targets The Issue When I examine the downloaded .mobileprovision file, I can see it contains: <dict> <key>com.apple.security.application-groups</key> <array> <string>group.com.idlrapp.spleeft.shared</string> </array> <!-- Other entitlements... --> </dict> However, Xcode expects to find: <array> <string>group.com.idlrapp.spleeft.shared</string> </array> What I've Tried Multiple regenerations of provisioning profiles: Deleted all local provisioning profiles Toggled "Automatically manage signing" off/on Downloaded manual profiles from Developer Portal Verified App Group configuration: Double-checked App Group exists and is active Confirmed both App IDs have App Groups capability enabled Verified App Group assignment in both App IDs Entitlements cleanup: Ensured consistent App Group IDs across all files Removed duplicate/conflicting entries Clean builds and cache clearing: Product → Clean Build Folder Derived Data deletion Xcode restart Key Observation The provisioning profile contains com.apple.security.application-groups (which appears to be macOS-style) but Xcode expects com.apple.developer.app-groups (iOS-style) for the App Extension. Questions Is there a known issue with App Groups entitlement generation for iOS App Extensions? Should the provisioning profile contain com.apple.developer.app-groups instead of com.apple.security.application-groups? Is there a way to force regeneration of provisioning profiles with the correct entitlements? Are there additional steps required for App Extensions that differ from main apps? Any guidance would be greatly appreciated. This is blocking our App Extension development and we've exhausted our troubleshooting options. Thank you for your time and assistance.

Original Problem We use codesign and notarytool in a scripted environment to build and distribute binaries daily. We also do manual builds by logging into the build server using SSH. This has been working for many years, but after updating to a new "Developer ID Application" certificate, codesign was failing with errSecInternalComponent and the console logs showed errSecInteractionNotAllowed. Summary of Resolution Attempting to fix the problem resulted in multiple copies of the same Certificate which were NOT shown by Keychain Access. I had to run security delete-identity multiple times to clear out the redundant Identities and then imported the certificate using the security CLI tool. Details I originally followed these instructions for requesting and installing a new certificate: https://aninterestingwebsite.com/help/account/certificates/create-developer-id-certificates/ Tip: Use the security tool intead These instructions fail to mention two critical points: 1) they assume the machine you generate the request on is the same machine you will be using to perform signatures, and 2) KeyChain Access does not allow you to set permissions for applications like codesign. I made the mistake of following the instructions on my workstation, and then tried to import the certificate to the build machine by double clicking on the .cer file. When that did not work, I followed various forum suggestions and eventually realized I need to export the private key as a .p12 file from the workstation, and import it into the build machine. Tip: The term "Certificate" often refers to a public certificate by itself, while "Identity" to refers to the combination of a public certificate and private key. At this point, I could use codesign, but only within Terminal.app while logged into the build machine's console. I tried various security commands to reimport the Identity, set a key partition list, and unlock the keychain, but none of them allowed codesign to work from within SSH or cron scripts. Eventually I stumbled upon this: sudo security find-identity -v Password: 1) 3C255…1560 "Developer ID Application: Data Expedition, Inc. (VK…8X)" 2) 3C255…1560 "Developer ID Application: Data Expedition, Inc. (VK…8X)" 3) 3C255…1560 "Developer ID Application: Data Expedition, Inc. (VK…8X)" 4) EA377…96DD "Developer ID Application: Data Expedition, Inc. (VK…8X)" 5) 3C255…1560 "Developer ID Application: Data Expedition, Inc. (VK…8X)" 6) 3C255…1560 "Developer ID Application: Data Expedition, Inc. (VK…8X)" 7) 3C255…1560 "Developer ID Application: Data Expedition, Inc. (VK…8X)" 8) 3C255…1560 "Developer ID Application: Data Expedition, Inc. (VK…8X)" 9) 3C255…1560 "Developer ID Application: Data Expedition, Inc. (VK…8X)" 10) 3C255…1560 "Developer ID Application: Data Expedition, Inc. (VK…8X)" 10 valid identities found Keychain Access only showed one copy of the Identity in each keychain, but with security I could see there were actually 9. Tip: Keychain Access does not accurately display keychain contents. If it shows no contents at all, type a letter in the search box. Identities are distinguished from lone Certificates by a drop-down caret to the left of the certificate name. Clicking that shows the key. To fix the redundant Identities, I had to run this command four times to delete the nine copies: security delete-identity -Z 3C255…1560 I repeated this until the identity (I used the SHA1 hash of the certificate) no longer showed up in security find-identity -v. I then re-imported the certificate and key using security import, which is what I should have done from the begininng. The Correct Way Here are the commands I used to get things going after I deleted all the problem certificates: security import mycertificate.cer -k /Library/Keychains/System.keychain -T /usr/bin/codesign This next command I ran in Terminal.app on the console so it could display a password prompt: security import ImportThisKey.p12 -k /Library/Keychains/System.keychain -T /usr/bin/codesign After this, I used security find-identity -v to verify that there was only one copy of the Identity. I then verified that codesign could be used from SSH and cron-scripts even while logged out of the console. I suspect that a lot of mysterious certificate problems might be caused by duplicate certificates, each with different permissions. As far as I can tell, there is no way to uniquely identify a certificate/identity or the permissions attached to them. The system just searches based on hash, or team-id, or other non-unique property and seems to just arbitrarily pick one. I hope this helps someone else stuck with errSecInternalComponent errors!

Hello Colleagues, We have been seeing a delay in our Apple notarization submission that hangs for hours "in progress" without completing: This issue has been occurring since Friday, October 17th. We have also checked the Apple System Status page and there is no indication of any outage for Apple notarization.

Hello, i have a problem. From one day to another i get following error (I never experienced this error with the same profile before) while trying to build and release my app via fastlane: exportArchive Provisioning profile "" doesn't support the External Link Account capability. Looking in the App developer website, it seems, that the existing and valid profile includes this capability. On the other side, inspecting the profile via xcode profile download, there is no hint that this capability is enabled. Any suggestions? Thanks!

Hello, I sent this in as a feedback several weeks ago about watchOS 26.2 beta 2 but since the issue is still active now that watchOS 26.2 is in production I'm reposting here for the community. I would also like to submit a DTS about this issue but honestly don't know the best way to go about it and would appreciate advice about that. There seems to be an issue with VPP distribution for our app on watchOS 26.2. When our watchOS companion app is launched after being installed through VPP to a supervised iPhone, it encounters a dyld error before main() or any application code is even called. The same app launches correctly in every other circumstance we could imagine and test: – Installed through VPP on supervised devices running watchOS 26.1. – Installed from the app store (using an apple id) on a supervised iPhone and paired watch running iOS 26.2 / watchOS 26.2. – Installed through Testflight on a supervised iPhone and paired watch running iOS 26.2 / watchOS 26.2. – Installed through the app store on unsupervised devices running watchOS 26.1 and 26.2. This strongly appears to be a VPP signing issue because we even did the following experiment: Install iPhone and Watch apps through the App Store on a supervised device pair running public iOS 26.2 beta 2 / watchOS 26.2 beta 2. Verify that both apps launch successfully. Use an MDM command to install from VPP over the existing installations Verify that the watch app fails to launch (the iOS app is unaffected) My feedback included some crash logs which I won't be reposting publicly here. Any feedback or ideas appreciated.

I’m unable to notarize the executable and the .app — the status has been showing “In Progress” for over an hour. Upon checking the xcrun logs, it indicates that the submission ID was not received. I also noticed there’s an Apple Developer Service outage reported since October 8, 2025. Could you please let me know when this outage is expected to be resolved? It would be very helpful.

Hi the best community! When I try to submit the app to Testflight I receive the following error: "codesign command failed (/var/folders/j9/yh_rkh114rbgvmglf4gycj8w0000gn/T/XcodeDistPipeline.~~~OW0Dwk/Root/Payload/Application.app/Frameworks/Alamofire.framework: replacing existing signature /var/folders/j9/yh_rkh114rbgvmglf4gycj8w0000gn/T/XcodeDistPipeline.~~~OW0Dwk/Root/Payload/Application.app/Frameworks/Alamofire.framework: invalid or corrupted code requirement(s) Requirement syntax error(s): line 1:155: unexpected token: NPH )" I have never stuck with this issue before. Xcode Version 16.0 I assume that there is something related to code signing and our company name in App Store connect: Medical Institution “NPH” (The company name has been anonymized for privacy purposes.) Appreciate any help. Thank you!

I'm working on an app that needs access to device activity. When I add device activity entitlement, I'm getting Provisioning profile "..." doesn't include the com.apple.developer.deviceactivity entitlement. This is failing for both, the main app and the extension, and both have entitlements added. It is not clear how to add it to the profile, the provisioning profile is created/managed by XCode. When I remove the entitlement, I can build my app but it won't be able to use device activity data I reached out to Developer Support, and they sent me here. What is the right way to add device activity entitlement? I'm also seeing another issue with XCode Cloud builds. When I remove device activity entitlement. I can build my app w/o any issue, and I can also install it directly on my iPhone. However, XCode Cloud builds fail wit Run command: 'xcodebuild -exportArchive -archivePath /Volumes/workspace/tmp/d41fc2f1-4f39-4906-8941-112488e75f6c.xcarchive -exportPath /Volumes/workspace/adhocexport -exportOptionsPlist /Volumes/workspace/ci/ad-hoc-exportoptions.plist '-DVTPortalRequest.Endpoint=http://172.16.68.193:8089' -DVTProvisioningIsManaged=YES -IDEDistributionLogDirectory=/Volumes/workspace/tmp/ad-hoc-export-archive-logs -DVTSkipCertificateValidityCheck=YES -DVTServicesLogLevel=3' I suspect that it could be related to my app having DeviceActivityExtension but no device activity entitlement is present. Thanks, Peter.

I want to help contribute a feature in a virtual-machine app in macOS that supports PCIe device passthrough over thunderbolt. I have a question about the entitlements. Since I do not represent the GPU vendors, would I be allowed to get a driver signed that matches GPU vendor IDs? Is there such a thing as wildcard entitlement for PCIDriverKit? I don't want end-users to have to disable SIP to be able to use this. Any suggestions/leads? Thank you.

I have developed multiple applications in the past using windows Visual studio 2022 and have never had any issues during development. However this time I am receiving the same error The specified iOS provisioning profile '{profile}' could not be found. Please enable Automatic Provisioning from the iOS Bundle Signing page. Everytime I try to deploy even though I can see that all the appropriate entries are in my apple developer portal, and I can see the profiles have been automatically downloaded to my computer. (The App identifier also matches the one establisehd in the apple developer portal and is linked to the profile). The only thing I can think of, is that my renewal of my developer account got rejected by my bank at first, but on another attempt (about 2 weeks ago) it all went through fine.

Hello, we have a product package which is structured like this: / Installer.pkg / Distribution / Main Component.pkg / Scripts / preinstall / postinstall / helper [ Mach-O executable ] / Payload / Application Bundle.app / Another Component.pkg ... The helper is our custom CLI helper tool which we build and sign and plan to use it in pre/post install scripts. I'd like to ask if we need to independently notarize and staple the helper executable or just the top level pkg notarization is sufficient in this case? We already independently notarize and staple the Application Bundle.app so it has ticket attached. But that's because of customers who often rip-open the package and pick only the bundle. We don't plan to have helper executable used outside of installation process. Thank you, o/

trying to deploy the LotBot app to my physical device, rtd2, which is listed as a device in the App Developer Portal. when I create a provision file it is always for W246SX52AS, as seen in the developer portal, but from Xcode I am showing a app id of "Apple Development: Richard Dukes (86537MF8N2)". Message: I am unable to create a "Apple Development: Richard Dukes (W246SX52AS)" so I may deploy to the device and the App Store. I have signed out and back in to Xcode with my account but when creating the profile it is always the 86537MF8N2. 95E07D345D31D45E4589FA7EA6FDF161E079C100 "Apple Distribution: Richard Dukes (W246SX52AS)" 5AC76CE9331F80AE953C4C76FC21DE5C2416293E "Apple Development: Richard Dukes (86537MF8N2)" How can I get Xcode to use W246SX52AS? I have these help tickets open as well. case ID is 102678952862 case ID is 102678950460 I have been fighting this for a while. Please help me figure out to get this resolved.

Hello, I'm currently trying to upload a new version of an existing application. But each time I try to validate the archive of the application, I got the following error in Xcode (v16.2) : Invalid code signing entitlements. Your application bundle’s signature contains code signing entitlements that aren’t supported on macOS. Specifically, the “37CG5MY799.com.example.app” value for the com.apple.application-identifier key in “com.example.app.pkg/Payload/app.app/Contents/MacOS/app” isn’t supported. This value should be a string that starts with your Team ID, followed by a dot (“.”), followed by the bundle ID. I suspect that there is a problem with the App ID Prefix (that is 37CG5MY799 for the app) when our team ID is E4R7RJ7LA3 but I cannot find a solution. I asked the Apple Developer Support for help and I have read the documentation they sent but it couldn't solve this problem so they redirected me to the forums. https://aninterestingwebsite.com/library/archive/qa/qa1879/_index.html https://aninterestingwebsite.com/library/archive/technotes/tn2318/_index.html#//apple_ref/doc/uid/DTS40013777-CH1-OVERVIEW https://aninterestingwebsite.com/library/archive/technotes/tn2318/_index.html#//apple_ref/doc/uid/DTS40013777-CH1-TNTAG33 There isn't any obvious App ID Prefix mismatch in the entitlement between the Application's signature entitlement and the Embedded provisioning profile entitlement . Application's signature entitlement : <dict> <key>com.apple.application-identifier</key> <string>37CG5MY799.com.example.app</string> <key>com.apple.developer.team-identifier</key> <string>E4R7RJ7LA3</string> <key>com.apple.security.app-sandbox</key> <true/> <key>com.apple.security.application-groups</key> <array> <string>group.com.example.app</string> </array> <key>com.apple.security.files.user-selected.read-only</key> <true/> </dict> Embedded provisioning profile entitlement : <dict> <key>com.apple.security.application-groups</key> <array> <string>group.com.example.app</string> <string>E4R7RJ7LA3.*</string> </array> <key>com.apple.application-identifier</key> <string>37CG5MY799.com.example.app</string> <key>keychain-access-groups</key> <array> <string>37CG5MY799.*</string> </array> <key>com.apple.developer.team-identifier</key> <string>E4R7RJ7LA3</string> </dict> The app also have a browser extension that correctly use the Team ID. How to solve this problem ? Thanks for your time, Qeg

Dears, this is my first ever piece of code on Mac. I wanted to try ShazamKit. I created App Id and enabled App Service ShazamKit. I properly configured my app (a very small test app) with the proper boundle id, Team and entitlements file. I keep receiving this error in the Signing in section: Automatic signing failed Xcode failed to provision this target. Please address the following issues preventing automatic signing from creating a valid profile. Entitlement com.apple.developer.shazamkit not found and could not be included in profile. This likely is not a valid entitlement and should be removed from your entitlements file I noticed the message is mentioning "profile"...does it refer to a "Profile" as in "Certificate"/"Identifiers"/"Devices"/"Profiles"/"Keys"/"Services" option? I did not create any "Profile". I just enabled the App Service under "Certificates, Identifiers & Profiles"=>"Identifiers"=>"Edit your App ID Configuration"=>"App Services" Thx!

Hey, when I try to launch my app it prompts me with a "Apple could not verify" popup. The thing is the app has been signed and stapled. xcrun stapler validate .app for my app returns "The validate action worked!" If I also run syspolicy_check distribution .app it returns: "App passed all pre-distribution checks and is ready for distribution" Any idea?

Hi! We are trying to request the SensorKit entitlement (com.apple.developer.sensorkit.reader.allow) for a research app we’re working on. When we go to Apple Developer → Certificates, Identifiers &amp; Profiles → Identifiers, we see the SensorKit capability listed under "Capability Requests", but: There’s no form or button to submit the request, unlike with other capabilities. We tested this using an Account Holder role, and also tried requesting other capabilities — which do show the form correctly, so this seems to be an issue specific to SensorKit. We’d appreciate any guidance on: Whether this is a known issue with the SensorKit request flow. If there’s an alternative way to request this capability while the form is unavailable. Thanks in advance!

i am creating a app on "appmysite" while it runs its build test an error message pops up saying build failed. "it seems your app build has encountered an issue. the certificate used to generate the uploaded provisioning profile does not match the uploaded certificate." I understand why its saying it because the uploaded certificate had to be uploaded as ".p12". The certificate in the provisioning profile is made of ".cert". I am using a apple mac book and a xenovo windows computer. Im simply trying to figure out how to put the ".p12" certificate into the provisioning profile? whenever i go to my developer account and try to create a new provisioning account with the new ".p12" certificate. The only options that pop up for me to select are only the certificates that are in ".cert" form. I've tried exporting through "key access" and they show up in my files but no way to transfer to my developer account to combine it with a provisioning account. Any help is greatly appreciated, this is literally the only thing keeping my app from being ready for submission to review. ive been stuck on this for 3 days.

Hi, I am experiencing an issue where Xcode displays a "Provisioning profile doesn't support the capability" error for the User Assigned Device Name capability, despite it being approved by Apple and visible in our provisioning profile on the Developer Portal. Background We have completed and submitted the required capability request form to Apple for the User Assigned Device Name capability and received approval. The capability appears correctly in our provisioning profile on the Apple Developer Portal and shows among the enabled capabilities alongside other standard capabilities like In-App Purchase and Push Notifications. Issue However, Xcode consistently displays the error message when trying to enable the User Assigned Device Name capability in our project settings, preventing successful builds with this functionality. Troubleshooting Steps Attempted We have tried multiple troubleshooting steps including: Regenerating provisioning profiles Performing clean builds Clearing DerivedData Manually installing profiles Adding the com.apple.developer.device-information.user-assigned-device-name entitlement manually to our entitlements file Toggling automatic signing on and off Environment Details Xcode Version: 16.4 (16F6) iOS Deployment Target: iOS 13 Profile Type: Distribution provisioning profile Capability: User Assigned Device Name Despite the capability being approved by Apple and visible in our provisioning profile, Xcode does not recognize it. This appears to be a synchronization issue between the Apple Developer Portal and Xcode's capability validation system. Has anyone encountered similar issues with recently approved capabilities, specifically the User Assigned Device Name capability? Could you please provide guidance on how to resolve this capability recognition issue? Any suggestions for resolving this discrepancy between the Developer Portal and Xcode would be greatly appreciated.

我是一名开发人员。除了App Store，我们公司的官方网站也是软件下载的一种方式。DMG签名提交后，通过网站下载安装软件时，仍然有提示说来自身份不明的开发者。您能告诉我如何解决这个问题吗？如果你能用中文回复就最好了。