You can now easily request access to managed capabilities for your App IDs directly from the new Capability Requests tab in Certificates, Identifiers & Profiles > Identifiers. With this update, view available capabilities in one convenient location, check the status of your requested capabilities, and see any notes from Apple related to your requests. Learn more about capability requests.
Demystify code signing and its importance in app development. Get help troubleshooting code signing issues and ensure your app is properly signed for distribution.
General:
Forums topic: Code Signing
Forums subtopics: Code Signing > General, Code Signing > Certificates, Identifiers & Profiles, Code Signing > Notarization, Code Signing > Entitlements
Forums tags: Code Signing, Signing Certificates, Provisioning Profiles, Entitlements
Developer Account Help — This document is good in general but, in particular, the Reference section is chock-full of useful information, including the names and purposes of all certificate types issued by Apple Developer web site, tables of which capabilities are supported by which distribution models on iOS and macOS, and information on how to use managed capabilities.
Developer > Support > Certificates covers some important policy issues
Bundle Resources > Entitlements documentation
TN3125 Inside Code Signing: Provisioning Profiles — This includes links to the other technotes in the Inside Code Signing series.
WWDC 2021 Session 10204 Distribute apps in Xcode with cloud signing
Certificate Signing Requests Explained forums post
--deep Considered Harmful forums post
Don’t Run App Store Distribution-Signed Code forums post
Resolving errSecInternalComponent errors during code signing forums post
Finding a Capability’s Distribution Restrictions forums post
Signing code with a hardware-based code-signing identity forums post
New Capabilities Request Tab in Certificates, Identifiers & Profiles forums post
Isolating Code Signing Problems from Build Problems forums post
Investigating Third-Party IDE Code-Signing Problems forums post
Determining if an entitlement is real forums post
Code Signing Identifiers Explained forums post
Mac code signing:
Forums tag: Developer ID
Creating distribution-signed code for macOS documentation
Packaging Mac software for distribution documentation
Placing Content in a Bundle documentation
Embedding nonstandard code structures in a bundle documentation
Embedding a command-line tool in a sandboxed app documentation
Signing a daemon with a restricted entitlement documentation
Defining launch environment and library constraints documentation
WWDC 2023 Session 10266 Protect your Mac app with environment constraints
TN2206 macOS Code Signing In Depth archived technote — This doc has mostly been replaced by the other resources linked to here but it still contains a few unique tidbits and it’s a great historical reference.
Manual Code Signing Example forums post
The Care and Feeding of Developer ID forums post
TestFlight, Provisioning Profiles, and the Mac App Store forums post
For problems with notarisation, see Notarisation Resources. For problems with the trusted execution system, including Gatekeeper, see Trusted Execution Resources.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
Topic:
Code Signing
SubTopic:
General
Tags:
Entitlements
Provisioning Profiles
Signing Certificates
Code Signing
I work on an open source app called Meteorologist (https://sourceforge.net/projects/heat-meteo/). One of the sources the users are allowed to use is Apple's WeatherKit. The app is compiled by me and free to download by anybody.
My developer account has the free level of WeatherKit so 500,000 calls/month and every once in a while the app actually hits that limit, shutting that weather source/service down for the app.
Is there any way to ask users of the app to somehow get their own account (or already have a developer account) and can register their license so it doesn't all bump up against the one (my) "license"? If so, how would that be passed to WeatherKit?
The only thought I have is that they would need to compile the code on their own and sign their own copy.
Thanks for any and all feedback and thoughts.
Ed
Hello,
I am attempting to request the endpoint-security.client entitlement for my app using the following form:
https://developer.apple.com/contact/request/system-extension/
After submitting the form, I consistently receive an HTTP 500 error from Apple’s servers.
Could you please provide guidance on whether this is a known issue or if there is something I may be doing incorrectly?
I appreciate your assistance.
Made a notarization request a few hours ago and woke up to check the history and it's no longer available. Not rejected/accepted just not found. I have gone ahead to make another request but I have no confidence because I expect the same thing to happen again. Any guidance?
See logs below:
daramfon@MacBook-Pro-3 frontend % xcrun notarytool history --apple-id "$APPLE_ID" --password "$APPLE_APP_SPECIFIC_PASSWORD" --team-id "$APPLE_TEAM_ID"
Successfully received submission history.
history
--------------------------------------------------
createdDate: 2026-02-20T23:53:14.066Z
id: 6f2fadc0-2e8f-4331-a253-68f81334ebc6
name: Speakeasy AI-0.1.0-arm64.zip
status: In Progress
--------------------------------------------------
createdDate: 2026-02-20T23:47:12.897Z
id: 435aec4f-5356-49a5-898d-48aaafb7949f
name: Speakeasy AI.zip
status: In Progress
--------------------------------------------------
createdDate: 2026-02-20T22:35:23.947Z
id: 95896757-873a-4e54-a527-03dc767c9cb5
name: Speakeasy AI.zip
status: In Progress
daramfon@MacBook-Pro-3 frontend % xcrun notarytool history --apple-id "$APPLE_ID" --password "$APPLE_APP_SPECIFIC_PASSWORD" --team-id "$APPLE_TEAM_ID"
No submission history.
daramfon@MacBook-Pro-3 frontend % xcrun notarytool info 6f2fadc0-2e8f-4331-a253-68f81334ebc6 --apple-id "$APPLE_ID" --password "$APPLE_APP_SPECIFIC_PASSWORD" --team-id "$APPLE_TEAM_ID"
Submission does not exist or does not belong to your team.
id: 6f2fadc0-2e8f-4331-a253-68f81334ebc6
Hi! I am encountering an issue with the notarization process.
I'll leave here the outputs of a few commands that I think might be useful.
user@AndreisMac % pkgutil --check-signature mypkg.pkg
Package "mypkg.pkg":
Status: signed by a developer certificate issued by Apple for distribution
Notarization: trusted by the Apple notary service
Signed with a trusted timestamp on: 2026-02-18 18:46:16 +0000
Certificate Chain:
...
user@AndreisMac % spctl -a -vv --type install mypkg.pkg
mypkg.pkg: rejected
origin=Developer ID Installer: MyComp LLC (ABCD)
user@AndreisMac % xcrun notarytool submit mypkg.pkg --keychain-profile "notary-profile" --wait
Conducting pre-submission checks for mypkg.pkg and initiating connection to the Apple notary service...
Submission ID received
id: e76f34b3-7c91-451c-a539-8fb39809a5bd
Upload progress: 100,00% (13,3 MB of 13,3 MB)
Successfully uploaded file
id: e76f34b3-7c91-451c-a539-8fb39809a5bd
path: /path/to/mypkg.pkg
Waiting for processing to complete.
Current status: Accepted...............
Processing complete
id: e76f34b3-7c91-451c-a539-8fb39809a5bd
status: Accepted
user@AndreisMac % spctl -a -vv --type install mypkg.pkg
mypkg.pkg: rejected
origin=Developer ID Installer: MyComp LLC (ABCD)
As you can see:
the installer is signed with a Developer ID Installer (the contents are signed and notarized as well)
the first spctl check is failing (even if the installer was already notarized on our build server)
trying to notarize again seems to work
checking again still shows the installer as rejected
I can run the installer locally by removing the quarantine flag, but this is not what I am expecting from a signed & notarized installer.
Interestingly enough, trying this installer on a different macOS machine works as expected (no quarantine) and spctl shows it as notarized (Accepted).
Any idea what's wrong with my machine?
Hi everyone,
For the past three days I've been unable to notarize my app — every attempt fails with an HTTP 500 error from Apple's notarization service. What's unusual is that the error occurs not only during submission, but also when simply validating credentials via store-credentials.
Example:
$ xcrun notarytool store-credentials "notarytool-password" \
--apple-id <id> --team-id <team> --password <app-specific-password>
Validating your credentials...
Error: HTTP status code: 500. Internal Server Error
Request ID: K6NYCMIFNM66OI2WRG3ORZEDUE.0.0
Please try again at a later time.
Since the failure happens at credential validation — before any package is even uploaded — I'm fairly confident this is a server-side issue, not something wrong with my setup or the binary. I've tried across different network connections, same result.
Has anyone else been hitting this? Is there a known outage or incident on Apple's notarization infrastructure? Any way to escalate or get a status update beyond checking developer.apple.com/system-status/?
Thanks
Seeing my notarizations getting stuck. This is becoming a blocker for releasing. What's strange is that earlier versions of the same app (very similar) passed notarization very quickly. Any advice or recourse?
How do you renew a "Developer ID Application" certificate?
Should there be a "renew" button on the expiration date?
Or can you renew it sooner?
Or are you required to create a new certificate?
Does this count against your limit of five Developer ID Application certificates?
I thought there was a way to renew it, but I don't see that option. I also couldn't find any Apple documentation about how to renew, only how to create and how there's a limit to how many you can create.
Topic:
Code Signing
SubTopic:
Certificates, Identifiers & Profiles
Tags:
Signing Certificates
Code Signing
Developer ID
I am on a mission to secure our key material for our iOS app's code signing certificate.
My first endeavor with storing the code signing certificate on a YubiKey is a marginal success - it seems that with a pin policy that requires entering the PIN at least once we must enter the PIN umpteen times per build. Creating a certificate with a policy of never would be ill-advised.
On the other hand, we could choose to store the code signing certificate in the Secure Enclave. However, it seems that I am only allowed to create elliptic curve private keys and not RSA keys in the secure enclave. When I attempt to upload a certificate signing request to AppStoreConnect, I am told that only an RSA2048 key will do.
What I am after is a way to authenticate access to the certificate once per boot so that we can make multiple builds per day without manual intervention whilst also ensuring that the key material is not stored on disk. A yubikey would be preferable, but I am fine with the secure enclave if need be. Is there a way to achieve this?
Best regards,
Emīls
I'm building a content filtering app using NEURLFilterManager and NEURLFilterControlProvider (introduced in iOS 26). The app uses a PIR server for privacy-preserving URL filtering.
Everything works with development-signed builds, but App Store export validation rejects:
Entitlement value "url-filter-provider" for com.apple.developer.networking.networkextension — "not supported on iOS"
I have "Network Extensions" enabled on my App IDs in the developer portal, but the provisioning profiles don't seem to include url-filter-provider, and I don't see a URL filter option in the Capability Requests tab.
What I've tried:
Entitlement values: url-filter-provider, url-filter — both rejected at export
Extension points: com.apple.networkextension.url-filter, com.apple.networkextension.url-filter-control — both rejected
Regenerating provisioning profiles after enabling Network Extensions capability
My setup:
iOS 26, Xcode 26
Main app bundle: com.pledgelock.app
URL filter extension bundle: com.pledgelock.app.url-filter
PIR server deployed and functional
Is there a specific request or approval process needed for the url-filter-provider entitlement? The WWDC25 session "Filter and tunnel network traffic with NetworkExtension" mentions this entitlement but I can't find documentation on how to get it approved for distribution.
Any guidance appreciated. Thanks!
In the Developer portal, I'm attempting to add the "DriverKit UserClient Access" to an App ID that is assigned to a DEXT that we are developing. Once I have filled out the form and clicked "Submit" the screen goes blank and stays blank even after a long delay. The original Capability Request tab's entry for "DriverKit UserClient Access" never changes from "No Requests". I have tried this on two successive days, with the same result.
I’m attempting to use a Locked Camera Capture Extension (created from Xcode’s template / following Apple’s “Creating a camera experience for the Lock Screen” guidance). The extension builds, embeds, and installs on a physical device, but I cannot get it provisioned with the required entitlement com.apple.developer.locked-camera-capture.
Environment
Xcode: 26.0.1 (17A400)
iOS: 26.2.1 (device)
Apple Developer Program: paid Individual (Team ID: FT55UW9363)
Key issue: provisioning profile for the ExtensionKit appex lacks the locked-camera entitlement
The locked camera capture target is embedded as an ExtensionKit extension:
.../DirectionalCamera.app/Extensions/LockedCapture.appex
I decoded the embedded provisioning profile inside that .appex and printed its Entitlements dictionary:
security cms -D -i ".../DirectionalCamera.app/Extensions/LockedCapture.appex/embedded.mobileprovision" > /tmp/locked_profile.plist
/usr/libexec/PlistBuddy -c "Print:Entitlements" /tmp/locked_profile.plist
Entitlements present in the embedded profile:
Dict {
com.apple.developer.avfoundation.multitasking-camera-access = true
application-identifier = FT55UW9363.arp.geocam.LockedCapture
keychain-access-groups = Array {
FT55UW9363.*
com.apple.token
}
get-task-allow = true
com.apple.security.application-groups = Array {
group.arp.geocam
}
com.apple.developer.team-identifier = FT55UW9363
}
Critically, the required entitlement is absent:
/usr/libexec/PlistBuddy -c "Print:Entitlements:com.apple.developer.locked-camera-capture" /tmp/locked_profile.plist
Print: Entry, ":Entitlements:com.apple.developer.locked-camera-capture", Does Not Exist
Build behavior
If I manually add com.apple.developer.locked-camera-capture to the extension’s .entitlements, Xcode refuses to sign with:
“Provisioning profile failed qualification: Profile doesn't include the com.apple.developer.locked-camera-capture entitlement.”
Notes
The only other embedded extension is a widget/control extension under .../DirectionalCamera.app/PlugIns/... with a separate profile (expected).
Question
Has anyone successfully provisioned a Locked Camera Capture Extension on a standard paid developer account?
Is com.apple.developer.locked-camera-capture gated/restricted (requiring Apple to enable it for a specific Team ID / App ID), or is there a specific capability in the Developer portal that maps to it?
If it’s restricted, what is the official process to request enablement for a team/app-id?
Any pointers appreciated.
Original Problem
We use codesign and notarytool in a scripted environment to build and distribute binaries daily. We also do manual builds by logging into the build server using SSH. This has been working for many years, but after updating to a new "Developer ID Application" certificate, codesign was failing with errSecInternalComponent and the console logs showed errSecInteractionNotAllowed.
Summary of Resolution
Attempting to fix the problem resulted in multiple copies of the same Certificate which were NOT shown by Keychain Access. I had to run security delete-identity multiple times to clear out the redundant Identities and then imported the certificate using the security CLI tool.
Details
I originally followed these instructions for requesting and installing a new certificate:
https://developer.apple.com/help/account/certificates/create-developer-id-certificates/
Tip: Use the security tool instead
These instructions fail to mention two critical points: 1) they assume the machine you generate the request on is the same machine you will be using to perform signatures, and 2) Keychain Access does not allow you to set permissions for applications like codesign. I made the mistake of following the instructions on my workstation, and then tried to import the certificate to the build machine by double clicking on the .cer file.
When that did not work, I followed various forum suggestions and eventually realized I need to export the private key as a .p12 file from the workstation, and import it into the build machine.
Tip: The term "Certificate" often refers to a public certificate by itself, while "Identity" refers to the combination of a public certificate and private key.
At this point, I could use codesign, but only within Terminal.app while logged into the build machine's console. I tried various security commands to reimport the Identity, set a key partition list, and unlock the keychain, but none of them allowed codesign to work from within SSH or cron scripts.
Eventually I stumbled upon this:
sudo security find-identity -v
Password:
1) 3C255…1560 "Developer ID Application: Data Expedition, Inc. (VK…8X)"
2) 3C255…1560 "Developer ID Application: Data Expedition, Inc. (VK…8X)"
3) 3C255…1560 "Developer ID Application: Data Expedition, Inc. (VK…8X)"
4) EA377…96DD "Developer ID Application: Data Expedition, Inc. (VK…8X)"
5) 3C255…1560 "Developer ID Application: Data Expedition, Inc. (VK…8X)"
6) 3C255…1560 "Developer ID Application: Data Expedition, Inc. (VK…8X)"
7) 3C255…1560 "Developer ID Application: Data Expedition, Inc. (VK…8X)"
8) 3C255…1560 "Developer ID Application: Data Expedition, Inc. (VK…8X)"
9) 3C255…1560 "Developer ID Application: Data Expedition, Inc. (VK…8X)"
10) 3C255…1560 "Developer ID Application: Data Expedition, Inc. (VK…8X)"
10 valid identities found
Keychain Access only showed one copy of the Identity in each keychain, but with security I could see there were actually 9.
Tip: Keychain Access does not accurately display keychain contents. If it shows no contents at all, type a letter in the search box. Identities are distinguished from lone Certificates by a drop-down caret to the left of the certificate name. Clicking that shows the key.
To fix the redundant Identities, I had to run this command four times to delete the nine copies:
security delete-identity -Z 3C255…1560
I repeated this until the identity (I used the SHA1 hash of the certificate) no longer showed up in security find-identity -v.
I then re-imported the certificate and key using security import, which is what I should have done from the beginning.
The Correct Way
Here are the commands I used to get things going after I deleted all the problem certificates:
security import mycertificate.cer -k /Library/Keychains/System.keychain -T /usr/bin/codesign
This next command I ran in Terminal.app on the console so it could display a password prompt:
security import ImportThisKey.p12 -k /Library/Keychains/System.keychain -T /usr/bin/codesign
After this, I used security find-identity -v to verify that there was only one copy of the Identity. I then verified that codesign could be used from SSH and cron-scripts even while logged out of the console.
I suspect that a lot of mysterious certificate problems might be caused by duplicate certificates, each with different permissions. As far as I can tell, there is no way to uniquely identify a certificate/identity or the permissions attached to them. The system just searches based on hash, or team-id, or other non-unique property and seems to just arbitrarily pick one.
I hope this helps someone else stuck with errSecInternalComponent errors!
Topic:
Code Signing
SubTopic:
Certificates, Identifiers & Profiles
Tags:
Signing Certificates
Code Signing
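Added example, not part of the post above and not an Apple tool: a shell helper that reads the output of security find-identity -v and reports certificate hashes that are listed more than once, plus identity names that map to more than one hash, which is the duplicate-identity condition that post describes. The function names and the sample identities are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `security find-identity -v` output for repeated
# signing identities. Function names are hypothetical.

# Constructed sample in the format find-identity prints; the hashes and
# names are made up for illustration.
SAMPLE_OUTPUT='  1) AAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDDDDDDDD "Developer ID Application: Example Corp (EXAMPLE123)"
  2) AAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDDDDDDDD "Developer ID Application: Example Corp (EXAMPLE123)"
  3) 0123456789ABCDEF0123456789ABCDEF01234567 "Developer ID Application: Example Corp (EXAMPLE123)"
  4) FEDCBA9876543210FEDCBA9876543210FEDCBA98 "Apple Development: Constructed User (EXAMPLE123)"
     4 valid identities found'

# Reads find-identity output on stdin.
#   mode "hash": print "COUNT HASH NAME" for each hash listed more than once
#   mode "name": print "COUNT NAME" for each name with more than one hash
identity_report() {
    awk -v mode="$1" '
        # Identity lines look like:  N) <40 hex digits> "Name"
        $1 ~ /^[0-9]+\)$/ && length($2) == 40 && $2 ~ /^[0-9A-Fa-f]+$/ {
            hash = toupper($2)
            name = $0
            sub(/^[^"]*"/, "", name)      # drop everything up to the opening quote
            sub(/"[^"]*$/, "", name)      # drop the closing quote and what follows
            if (mode == "hash") {
                if (!(hash in count)) { order[++n] = hash; label[hash] = name }
                count[hash]++
            } else if (!((name, hash) in seen)) {
                seen[name, hash] = 1      # count each distinct hash once per name
                if (!(name in count)) { order[++n] = name; label[name] = "" }
                count[name]++
            }
        }
        END {
            for (i = 1; i <= n; i++) {
                key = order[i]
                if (count[key] <= 1) continue
                if (label[key] == "") printf "%d %s\n", count[key], key
                else printf "%d %s %s\n", count[key], key, label[key]
            }
        }
    '
}

duplicate_identities() { identity_report hash; }
ambiguous_names()      { identity_report name; }

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_OUTPUT" | duplicate_identities
printf '%s\n' "$SAMPLE_OUTPUT" | ambiguous_names

# On a Mac, audit the real keychains with:
#   security find-identity -v | duplicate_identities
```

Empty output from both functions means every listed identity is unique by hash and by name.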
Hi everyone,
I am attempting to generate an Ad Hoc provisioning profile for my iOS app that includes MusicKit capabilities, but the generated .mobileprovision file consistently lacks the required entitlement, despite the configuration appearing correct in the developer portal.
The Issue:
I have enabled MusicKit under the "App Services" tab for my App ID. I have saved this configuration, verified it is checked in the UI, and then regenerated and downloaded my provisioning profile.
However, when I inspect the internal contents of the .mobileprovision file, the Entitlements dictionary does not contain the com.apple.developer.music-kit key. It only contains the standard keys (Team ID, App ID, etc.).
Steps Taken:
Created a brand new App ID to rule out legacy data issues.
Explicitly enabled "MusicKit" under the App Services tab for this new identifier.
Created a fresh Ad Hoc Distribution profile linked to this new ID.
Downloaded the profile and inspected the file structure: the MusicKit entitlement is completely absent.
Attempted toggling the service off and on, saving, and regenerating the profile multiple times.
Has anyone experienced a specific bug where "App Services" (like MusicKit) fail to propagate to the Provisioning Profile generator? Is there a secondary "Capability" (e.g., Media Library) that must also be enabled to trigger the inclusion of the MusicKit entitlement?
Any guidance would be appreciated.
Certificate Details
Certificate Name: Expro International Group Ltd
Certificate Type: iOS Distribution
Expiration Date: 2029/02/11
Created By: Thavaseelan Kudarsamy
Enabled Capabilities: iCloud, In-App Purchase, Personal VPN, Push Notifications
App ID: ESTSMobile (com.exprogroup.estsmobile)
This profile is not installing.
One of our apps (built with Xcode 26.1.1 and distributed via TestFlight) crashes upon launch on iOS 17 with Exception Type: EXC_BAD_ACCESS (SIGKILL) and Termination Reason: CODESIGNING 2 Invalid Page.
I have never seen this before. Any pointers?
On iOS 18 & 26 this does not happen btw.
My provisioning profile isn't installing when I double-click it on my MacBook.
Also, there is no profile at this path: ~/Library/MobileDevice/Provisioning Profiles. It is just an empty folder.
Topic:
Code Signing
SubTopic:
Certificates, Identifiers & Profiles
I am trying to notarize my app but it rejected with this error after 5 days of being in progress.
{
"logFormatVersion": 1,
"jobId": "8291ad9e-4c8e-4974-8753-af1a78e5a4a2",
"status": "Rejected",
"statusSummary": "Team is not yet configured for notarization. Please contact Developer Programs Support at developer.apple.com under the topic Development and Technical / Other Development or Technical Questions.",
"statusCode": 7000,
"archiveFilename": "SkanVirtualAssistant-1.0.0.dmg",
"uploadDate": "2026-02-05T03:13:41.280Z",
"sha256": "eb95cc25a382e5ce36fc2b7e195c20a1a09cfbfb71a057e754306ad400300d38",
"ticketContents": null,
"issues": null
}
Can anyone help with this? I have an urgent product launch deadline in a week! I have contacted developer program support but have received no response.
I am trying to sign my Mac app to use Network Extensions capability. But every time I create a profile it displays that to me:
on the other hand on the website it displays this to me:
Not accepted yet (all are still processing, none are rejected)
I have created a new certificate as well, with the same result.
Waiting for Apple support to give any answers.
Topic:
Code Signing
SubTopic:
Notarization
When completing signing on Xcode, it shows the following error message "No certificate for team '' matching 'Developer ID Application' found"
I have already followed the steps to generate a certificate from keychain and made a new certificate on developer portal, along with its associated provisioning profile.
Viewing "Manage Certificate" window shows the newly created certificate, but Xcode seems to not be able to locate it.
Topic:
Code Signing
SubTopic:
Certificates, Identifiers & Profiles
Tags:
Xcode
Signing Certificates
Code Signing