I want to export Mac OS application out side App Store and I need to have Developer Id installer certificate to do the same. When I go to certificate section in developer portal - I only see option of Mac App Distribution Mac Installer Distribution Developer ID Application Does anyone know where I can check the Developer ID installer part. Developer ID application doesn't work for signing the app manually.

Hey, Just recently I realized something I have been overlooking in my build pipelines. I thought that by adding the the "hardened runtime", I disable 3rd-party library injection (I do not have the disable-library-validation entitlement added). However, I was using some checks on my code and I noticed that the "library validation" code signature check fails on my applications (e.g. adding the .libraryValidation requirement via the LightweightCodeRequirements framework) - with codesign -dvvvv /path/to/app I can check it doesn't have the CS_REQUIRE_LV flag: [...] CodeDirectory v=20500 size=937 flags=0x10000(runtime) hashes=18+7 location=embedded [...] then I used in Xcode the "Other Code Signing Flags" setting and added the -o library option, which added the flag: [...] CodeDirectory v=20500 size=937 flags=0x12000(library-validation,runtime) hashes=18+7 location=embedded [...] Is this flag something I should be explicitly setting? Because I was under the impression enabling hardened runtime would be enough. Popular Developer ID distributed applications (e.g. Google Chrome, Parallels Desktop, Slack) all have this flag set.

I suddenly started to receive the following email with the error in it stating that my uploaded app is not available to be used in TestFlight: ITMS-90886: 'Cannot be used with TestFlight because the signature for the bundle at “MyApp.app/Contents/PlugIns/MyAppWidgetExtension.appex” is missing an application identifier but has an application identifier in the provisioning profile for the bundle. Bundles with application identifiers in the provisioning profile are expected to have the same identifier signed into the bundle in order to be eligible for TestFlight.' It was all working fine and now I am not sure even where to start looking. Signing, provisioning and everything else is managed automatically.

The Developer App Certificate is not trusted.

Coming from Windows, I'm finding Mac app packaging farcically complicated, to the level of a Python sketch. I mastered Windows packaging, via Inno, in an hour or so, but it has taken me, on and off, the best part of a week to get to the point I am at with the Mac OS, and I'm nowhere near finished (rather, it hasn't finished with me). Every time I surmount one hurdle, another pops up, seemingly just for the jollies. I'm currently stuck at: 'Error: HTTP status code: 403. A required agreement is missing or has expired. This request requires an in-effect agreement that has not been signed or has expired. Ensure your team has signed the necessary legal agreements and that they are not expired.' My account lists no agreements in this category. I understand the need for security, but not the labyrinthine nature of the process. An inner-party member in the former Soviet Union overheard a drunken Stalin say, “I trust no one; not even myself". Apple trusts no one, but has true contempt for developers. Is there a simple way to work through the packaging process? Let me rephrase that: please God, let there be a simpler way of working through the process! Regards, in extremis, Richard

I have a free developer account, and I have been creating applications. When I tried to open one of them, it said that this app has been flagged as malware. It is not malware, so I don't know why it has been flagged as this. Not just this app, but suddenly a whole bunch of my apps have been flagged as malware as well! The app I have been developing is basically a windows Taskbar for my macbook air, and it has been working well until the latest update i made where it hides in full screen, suddenly it started taking up significant energy, so i reverted to an older version while i was fixing it. Then, when i try to open it another time, it starts to open, and it says "Malware Blocked and Moved to Bin" “Taskbar.app” was not opened because it contains malware. This action did not harm your Mac”. All versions of the taskbar now contain this message. I try opening some of my other apps, a shared storage client and a shared storage server (where i was testing with app groups), and they couldn't open either, the same malware message appeared. ProPermission couldn't open either (changes permissions on files for me so i don't have to use the terminal or finder). I can run these apps through the Xcode environment (attached process), but when I archieve it into an app bundle, the malware flag appears. Please note that I am certain that these apps do not contain malware, apparently XProtect has incorrectly flagged my apps as malware. Because I do not have the paid developer account, I cannot notarize my apps. I am using MacOS Tahoe 26.1 with Xcode 26.0, and I have tested it with a iMac Intel 2017 with MacOS Ventura.

I am using a Sonoma VM (14.6) where i have installed xcode 16.2. When i try login into apple id into xcode, i am getting this error. I know i am entering the correct credentials. Not sure why this issue is. In other Sequioa and Tahoe VM , i was able to login.

I'm experiencing an issue when exporting an Enterprise distribution certificate where the certificate and private key won't export together - the private key keeps getting left out. I'm running macOS Tahoe. Has anyone encountered the same issue or know of a solution? Any help would be appreciated.

Hello Apple Developer Forum Community, I’ve got a problem with the signing process of my AppClip Test App. Can someone help me? As I don’t know hot to get the certificate...

I’m facing an issue with my macOS app after code signing and notarization. The app is signed with my Developer ID and notarized using xcrun notarytool. Everything works fine on the machine where the signing was done — Gatekeeper accepts it, no warning appears, and codesign/spctl checks pass. However, when running the same .app on other Macs, users receive a Gatekeeper warning saying the app is "malicious software and cannot be opened". The signature is valid and the notarization log shows status: Accepted. What I've tried: Verified signature with codesign --verify --deep --strict --verbose=2 Checked notarization status via xcrun notarytool log Assessed Gatekeeper trust with spctl --assess --type execute Everything passes successfully on the development machine. Why would the app be treated as malicious on other systems even after notarization? I'm happy to share logs and technical details if needed.

Hello, I sent this in as a feedback several weeks ago about watchOS 26.2 beta 2 but since the issue is still active now that watchOS 26.2 is in production I'm reposting here for the community. I would also like to submit a DTS about this issue but honestly don't know the best way to go about it and would appreciate advice about that. There seems to be an issue with VPP distribution for our app on watchOS 26.2. When our watchOS companion app is launched after being installed through VPP to a supervised iPhone, it encounters a dyld error before main() or any application code is even called. The same app launches correctly in every other circumstance we could imagine and test: – Installed through VPP on supervised devices running watchOS 26.1. – Installed from the app store (using an apple id) on a supervised iPhone and paired watch running iOS 26.2 / watchOS 26.2. – Installed through Testflight on a supervised iPhone and paired watch running iOS 26.2 / watchOS 26.2. – Installed through the app store on unsupervised devices running watchOS 26.1 and 26.2. This strongly appears to be a VPP signing issue because we even did the following experiment: Install iPhone and Watch apps through the App Store on a supervised device pair running public iOS 26.2 beta 2 / watchOS 26.2 beta 2. Verify that both apps launch successfully. Use an MDM command to install from VPP over the existing installations Verify that the watch app fails to launch (the iOS app is unaffected) My feedback included some crash logs which I won't be reposting publicly here. Any feedback or ideas appreciated.

General: Forums topic: Code Signing Forums subtopics: Code Signing > General, Code Signing > Certificates, Identifiers & Profiles, Code Signing > Notarization, Code Signing > Entitlements Forums tags: Code Signing, Signing Certificates, Provisioning Profiles, Entitlements Developer Account Help — This document is good in general but, in particular, the Reference section is chock-full of useful information, including the names and purposes of all certificate types issued by Apple Developer web site, tables of which capabilities are supported by which distribution models on iOS and macOS, and information on how to use managed capabilities. Developer > Support > Certificates covers some important policy issues Bundle Resources > Entitlements documentation TN3125 Inside Code Signing: Provisioning Profiles — This includes links to the other technotes in the Inside Code Signing series. WWDC 2021 Session 10204 Distribute apps in Xcode with cloud signing Certificate Signing Requests Explained forums post --deep Considered Harmful forums post Don’t Run App Store Distribution-Signed Code forums post Resolving errSecInternalComponent errors during code signing forums post Finding a Capability’s Distribution Restrictions forums post Signing code with a hardware-based code-signing identity forums post New Capabilities Request Tab in Certificates, Identifiers & Profiles forums post Isolating Code Signing Problems from Build Problems forums post Investigating Third-Party IDE Code-Signing Problems forums post Determining if an entitlement is real forums post Code Signing Identifiers Explained forums post Mac code signing: Forums tag: Developer ID Creating distribution-signed code for macOS documentation Packaging Mac software for distribution documentation Placing Content in a Bundle documentation Embedding nonstandard code structures in a bundle documentation Embedding a command-line tool in a sandboxed app documentation Signing a daemon with a restricted entitlement documentation Defining launch environment and library constraints documentation WWDC 2023 Session 10266 Protect your Mac app with environment constraints TN2206 macOS Code Signing In Depth archived technote — This doc has mostly been replaced by the other resources linked to here but it still contains a few unique tidbits and it’s a great historical reference. Manual Code Signing Example forums post The Care and Feeding of Developer ID forums post TestFlight, Provisioning Profiles, and the Mac App Store forums post For problems with notarisation, see Notarisation Resources. For problems with the trusted execution system, including Gatekeeper, see Trusted Execution Resources. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"

The actual error: pkgbuild: error: Could not find appropriate signing identity for “Developer ID installer: My Name (DeveloperID)”. I'm trying to sign a program written with gfortran. The steps worked the last time (Mar 23) I built this code. The steps to error: a) xcrun notarytool store-credentials --apple-id "xxx" --team-id "yyy" Giving Profile Name zzz and App-specific password b) codesign --force --timestamp --options=runtime -s "Developer ID Application: My Name (yyy)" AppName c) pkgbuild --root ROOT --identifier org.aaa.bbb --version "1.1.1" --sign "Developer ID installer: My Name (yyy)" AppName.pkg ROOT contains the package contents At this point I get the error pkgbuild: error: Could not find appropriate signing identity for “Developer ID installer: My Name (yyy)” Are there steps that have changed. Any suggestions? Thanks, David

Hi! I've been scratching my brain for a few days now to no avail. I have a Perl project that I need to embed within my app. Perl includes a pp command (https://metacpan.org/pod/pp) which takes the runtime binary and then slaps the Perl code at the end of the binary itself which in brings some woes in a sense that the binary then needs to be "fixed" (https://github.com/rschupp/PAR-Packer/tree/master/contrib/pp_osx_codesign_fix) by removing the linker-provided signature and fixing LINKEDIT and LC_SYMTAB header sections of the binary. Nevertheless, I've successfully gotten the binary built, fixed up and codesigned it via codesign -s '$CS' mytool (where $CS is the codesigning identity). I can verify the signature as valid using codesign -v --display mytool: Identifier=mytool Format=Mach-O thin (arm64) CodeDirectory v=20400 size=24396 flags=0x0(none) hashes=757+2 location=embedded Signature size=4820 Signed Time=5. 1. 2026 at 8:54:53 PM Info.plist=not bound TeamIdentifier=XXXXXXX Sealed Resources=none Internal requirements count=1 size=188 It runs without any issues in Terminal, which is great. As I need to incorporate this binary in my app which is sandboxed, given my experience with other binaries that I'm including in the app, I need to codesign the binary with entitlements com.apple.security.app-sandbox and com.apple.security.inherit. So, I run: codesign -s '$CS' --force --entitlements ./MyTool.entitlements --identifier com.charliemonroe.mytool mytool ... where the entitlements file contains only the two entitlements mentioned above. Now I add the binary to the Xcode project, add it to the copy resources phase and I can confirm that it's within the bundle and that it's codesigned: codesign -vvvv --display MyApp.app/Contents/Resources/mytool Identifier=com.xxx.xxx.xxx Format=Mach-O thin (arm64) CodeDirectory v=20500 size=24590 flags=0x10000(runtime) hashes=757+7 location=embedded VersionPlatform=1 VersionMin=1703936 VersionSDK=1704448 Hash type=sha256 size=32 CandidateCDHash sha256=0a9f93af81e8e5cb286c3df6e638b2f78ab83a9e CandidateCDHashFull sha256=0a9f93af81e8e5cb286c3df6e638b2f78ab83a9edf463ce45d1cd3f89a6a4a00 Hash choices=sha256 CMSDigest=0a9f93af81e8e5cb286c3df6e638b2f78ab83a9edf463ce45d1cd3f89a6a4a00 CMSDigestType=2 Executable Segment base=0 Executable Segment limit=32768 Executable Segment flags=0x1 Page size=16384 CDHash=0a9f93af81e8e5cb286c3df6e638b2f78ab83a9e Signature size=4800 Authority=Apple Development: XXXXXX (XXXXXX) Authority=Apple Worldwide Developer Relations Certification Authority Authority=Apple Root CA Signed Time=9. 1. 2026 at 5:12:22 PM Info.plist=not bound TeamIdentifier=XXXXX Runtime Version=26.2.0 Sealed Resources=none Internal requirements count=1 size=196 codesign --display --entitlements :- MyApp.app/Contents/Resources/mytool <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>com.apple.security.app-sandbox</key><true/><key>com.apple.security.inherit</key><true/></dict></plist> All seems to be in order! But not to Gatekeeper... Attempting to run this using the following code: let process = Process() process.executableURL = Bundle.main.url(forResource: "mytool", withExtension: nil)! process.arguments = arguments try process.run() process.waitUntilExit() Results in failure: process.terminationStatus == 255 Console shows the following issues: default 17:12:40.686604+0100 secinitd mytool[88240]: root path for bundle "<private>" of main executable "<private>" default 17:12:40.691701+0100 secinitd mytool[88240]: AppSandbox request successful error 17:12:40.698116+0100 kernel exec of /Users/charliemonroe/Library/Containers/com.charliemonroe.MyApp/Data/tmp/par-636861726c69656d6f6e726f65/cache-9c78515c29320789b5a543075f2fa0f8072735ae/mytool denied since it was quarantined by MyApp and created without user consent, qtn-flags was 0x00000086 Quarantine, hum? So I ran: xattr -l MyApp.app/Contents/Resources/mytool None listed. It is a signed binary within a signed app. There are other binaries that are included within the app and run just fine exactly this way (most of them built externally using C/C++ and then codesigned exectly as per above), so I really don't think it's an issue with the app's sandbox setup... Is there anyone who would be able to help with this? Thank you in advance!

App translocation, officially known as Gatekeeper path randomisation, comes up from time-to-time. The best resource to explain it, WWDC 2016 Session 706 What’s New in Security, is no longer available from Apple so I thought I’d post some notes here (r. 105455698 ). Questions or comments? Start a new thread here on DevForums, applying the Gatekeeper tag so that I see it. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" App Translocation Notes Gatekeeper path randomisation, more commonly known as app translocation, is a security feature on macOS 10.12 and later. When you run a newly downloaded app, the system executes the app from a randomised path. This prevents someone from taking an app that loads code from an app-relative path and repackaging it to load malicious code. IMPORTANT The best way to prevent your app from being tricked into loading malicious code is to enable library validation. You get this by default once you enable the hardened runtime. Do not disable library validation unless your app needs to load in-process plug-ins from other third-party developers. If you have an in-process plug-in model, consider migrating to ExtensionKit. The exact circumstances where the system translocates an app is not documented and has changed over time. It’s best to structure your app so that it works regardless of whether it’s translocated or not. App Translocation Compatibility Most apps run just fine when translocated. However, you can run into problems if you load resources relative to your app bundle. For example, consider a structure like this: MyApp.app Templates/ letter.myapp envelope.myapp birthday card.myapp Such an app might try to find the Templates directory by: Getting the path to the main bundle Navigating from that using a relative path This won’t work if the app is translocated. The best way to avoid such problems is to embed these resources inside your app (following the rules in Placing Content in a Bundle, of course). If you need to make them easily accessible to the user, add your own UI for that. For a great example of this, run Pages and choose File > New. App Translocation Limits There is no supported way to detect if your app is being run translocated. If you search the ’net you’ll find lots of snippets that do this, but they all rely on implementation details that could change. There is no supported way to determine the original (untranslocated) path of your app. Again, you’ll find lots of unsupported techniques for this out there on the ’net. Use them at your peril! If you find yourself using these unsupported techniques, it’s time to sit down and rethink your options. Your best option here is to make your app work properly when translocated, as illustrated by the example in the previous section. App Translocation in Action The following steps explain how to trigger app translocation on macOS 13.0. Keep in mind that the specifics of app translocation are not documented and have changed over time, so you might see different behaviour on older or new systems: To see app translocation in action: Use Safari to download an app that’s packaged as a zip archive. My go-to choice for such tests is NetNewsWire, but any app will work. Safari downloads the zip archive to the Downloads folder and then unpacks it (assuming your haven’t tweaked your preferences). In Finder, navigate to the Downloads folder and launch the app. When Gatekeeper presents its alert, approve the launch. In Terminal, look at the path the app was launched from: % ps xw | grep NetNewsWire … /private/var/folders/wk/bqx_nk71457_g9yry9c_2ww80000gp/T/AppTranslocation/C863FADC-A711-49DD-B4D0-6BE679EE225D/d/NetNewsWire.app/Contents/MacOS/NetNewsWire Note how the path isn’t ~/Downloads but something random. That’s why the official name for this feature is Gatekeeper path randomisation. Quit the app. Use Finder to relaunch it. Repeat step 5: % ps xw | grep NetNewsWire … /private/var/folders/wk/bqx_nk71457_g9yry9c_2ww80000gp/T/AppTranslocation/C863FADC-A711-49DD-B4D0-6BE679EE225D/d/NetNewsWire.app/Contents/MacOS/NetNewsWire The path is still randomised. Quit the app again. Use the Finder to move it to the desktop. And relaunch it. And repeat step 5 again: % ps xw | grep NetNewsWire … /Users/quinn/Desktop/NetNewsWire.app/Contents/MacOS/NetNewsWire The act of moving the app has cleared the state that triggered app translocation.

We have an application which keeps throwing the error "application is damaged and cannot be opened. You should move it to Trash" I have already referred to the documentation: https://developer.apple.com/forums/thread/706379 and https://developer.apple.com/forums/thread/706442 I have checked the following possible root causes: Codesign of the application using the codesign command Notarization of the application using the spctl command Executable permissions Checked for the presence of "com.apple.quarantine" flag for the application using xattr -l <path to executables" Checked the bundle structure None of the above listed items seemed to be a problem and are as expected. Can you please help us understand what could cause this issue and how to resolve this without recommending an uninstall/reinstall of the application?

I've signed an app, zipped it, and uploaded it to github. When I download it on another Mac, I get "it can't be opened because it could not be verified for malware". But on that computer, I can verify it with codesign, and it appears to be correct (as far as I can tell). I can copy/paste the app from my other Mac, and that copy will run without problem. sys_policy, however, gives: Notary Ticket Missing File: ReView.app Severity: Fatal Full Error: A Notarization ticket is not stapled to this application. Type: Distribution Error This is the same for the copy that runs, and the copy that doesn't. The difference between them appears to be a quarantine xattr. I can delete this, and the app launches without incident. Is this expected? Why should a signed app be quarantined just because it's been downloaded? The whole point of paying the fee is to avoid the security obstacles...! ;-)

I have been trying to package a FileMaker 18 runtime app* for Mac distribution for - oh - a year and a half on and off (the Windows version was packaged in an afternoon). I succeeded - or thought I had - until I updated to Tahoe. Now my packaging process does everything it did formerly (creates the DMG, etc.), but when opened, fails to see/load a third-party plugin (BaseElements.fmplugin). Does anyone know why this should be? I have attached 4 of my build files in the hope that someone can point me in the right direction. Thanks in advance for any advice you may provide. Regards, L *Claris deprecated the runtime feature years ago, but it still runs and is useful for proof of concept. P.S. A contributor to an earlier query kindly suggested I go down the zip file or pkg installer route, rather than the DMG route. I tried doing as much but found both as susceptible to Mac spaghetti signage. build_all.txt repair_and_sign.txt build_dmg.txt notarize_dmg.txt

To ship a product outside of the Mac App Store, you must notarise it. The notary service issues a notarised ticket, and the ultimate consumer of that ticket is Gatekeeper. However, Gatekeeper does not just check the ticket; it also applies a variety of other checks, and it’s possible for those checks to fail even if your notarised ticket is just fine. To avoid such problems showing up in the field, test your product’s compatibility with Gatekeeper before shipping it. To do this: Set up a fresh machine, one that’s never seen your product before. If your product supports macOS 10.15.x, x < 4, the best OS version to test with is 10.15.3 [1]. Download your product in a way that quarantines it (for example, using Safari). Disconnect the machine from the network. It might make sense to skip this step. See the discussion below. Install and use your product as your users would. If the product is signed, notarised, and stapled correctly, everything should work. If not, you’ll need to investigate what’s making Gatekeeper unhappy, fix that, and then retest. For detailed advice on that topic, see Resolving Trusted Execution Problems. Run this test on a fresh machine each time. This is necessary because Gatekeeper caches information about your product and it’s not easy to reset that cache. Your best option is to do this testing on a virtual machine (VM). Take a snapshot of the VM before the first test, and then restore to that snapshot when you want to retest. Also, by using a VM you can disable networking in step 3 without disrupting other work on your machine. The reason why you should disable networking in step 3 is to test that you’ve correctly stapled the notarised ticket on to your product. If, for some reason, you’re unable to do that stapling, it’s fine to skip step 3. However, be aware that this may cause problems for a user if they try to deploy your product to a Mac that does not have access to the wider Internet. For more background on this, see The Pros and Cons of Stapling. [1] macOS 10.15.4 fixes a bug that made Gatekeeper unnecessarily strict (r. 57278824), so by testing on 10.15.3 you’re exercising the worst case. The process described above is by far the best way to test your Gatekeeper compatibility because it accurately tests how your users run your product. However, you can also run a quick, albeit less accurate test, using various command-line tools. The exact process depends on the type of product you’re trying to check: App — Run syspolicy_check like this: % syspolicy_check distribution WaffleVarnish.app This tool was introduced in macOS 14. On older systems, use the older spctl tool. Run it like this: % spctl -a -t exec -vvv WaffleVarnish.app Be aware, however, that this check is much less accurate. Disk image — Run spctl like this: % spctl -a -t open -vvv --context context:primary-signature WaffleVarnish.dmg Installer package — Run spctl like this: % spctl -a -t install -vvv WaffleVarnish.pkg Other code — Run codesign like this: % codesign -vvvv -R="notarized" --check-notarization WaffleVarnish.bundle This command requires macOS 10.15 or later. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" Revision history: 2024-12-05 Added instructions for using syspolicy_check. Made other minor editorial changes. 2023-10-20 Added links to Resolving Trusted Execution Problems and The Pros and Cons of Stapling. Made other minor editorial changes. 2021-02-26 Fixed the formatting. 2020-04-17 Added the section discussing spctl. 2020-03-25 First version.

One of our apps (built with Xcode 26.1.1 and distributed via TestFlight) crashes upon launch on iOS 17 with Exception Type: EXC_BAD_ACCESS (SIGKILL) and Termination Reason: CODESIGNING 2 Invalid Page. I have never seen this before. Any pointers? On iOS 18 & 26 this does not happen btw.