Overview

Trusted execution is a generic name for a Gatekeeper and other technologies that aim to protect users from malicious code. General: Forums topic: Code Signing Forums tag: Gatekeeper Developer > Signing Mac Software with Developer ID Apple Platform Security support document Safely open apps on your Mac support article Hardened Runtime document WWDC 2022 Session 10096 What’s new in privacy covers some important Gatekeeper changes in macOS 13 (starting at 04: 32), most notably app bundle protection WWDC 2023 Session 10053 What’s new in privacy covers an important change in macOS 14 (starting at 17:46), namely, app container protection WWDC 2024 Session 10123 What’s new in privacy covers an important change in macOS 15 (starting at 12:23), namely, app group container protection Updates to runtime protection in macOS Sequoia news post Testing a Notarised Product forums post Resolving Trusted Execution Problems forums post App Translocation Notes (aka Gatekeeper path randomisation) forums post Most trusted execution problems are caused by code signing or notarisation issues. See Code Signing Resources and Notarisation Resources. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hello, I am trying out Xcode Cloud for the first time. I could connect to Github in the initial setup and had a few failed builds (package resolution error), which I resolved fairly quickly. Now whenever I am trying to build, I get the following error: Xcode Cloud is unable to connect to the repository “<respository-name>”. Reconnect the repository to resume builds. I am unable to remove the connection from settings as well because it's stuck in a loading state. Is there a way to fix this?

General: Forums subtopic: App & System Services > Core OS Forums tags: Files and Storage, Foundation, FSKit, File Provider, Finder Sync, Disk Arbitration, APFS Foundation > Files and Data Persistence documentation Low-level file system APIs are documented in UNIX manual pages File System Programming Guide archived documentation About Apple File System documentation Apple File System Guide archived documentation File system changes introduced in iOS 17 forums post On File System Permissions forums post Extended Attributes and Zip Archives forums post Unpacking Apple Archives forums post Creating new file systems: FSKit framework documentation Building a passthrough file system sample code File Provider framework documentation Finder Sync framework documentation App Extension Programming Guide > App Extension Types > Finder Sync archived documentation Managing storage: Disk Arbitration framework documentation Disk Arbitration Programming Guide archived documentation Mass Storage Device Driver Programming Guide archived documentation Device File Access Guide for Storage Devices archived documentation BlockStorageDeviceDriverKit framework documentation Volume format references: Apple File System Reference TN1150 HFS Plus Volume Format Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"

My application installs a system extension. When I try to remove the app from the Applications folder (cmd + backspace) I get an error message: "The operation can’t be completed right now because another operation is in progress, such as moving or copying an item or emptying the Bin." According to systemextensionsctl the extension state is "terminating for uninstall but still running". I can see an error in the console logs: kernelmanagerd Failed to terminate dext com.my.driver-dk, error: Kernel request failed: (os/kern) invalid address (1) sysextd a category delegate declined to terminate extension with identifier: com.my.driver-dk sysextd failed to terminate extension with identifier: com.my.driver-dk: Optional(Error Domain=kernelmanagerd.KMError Code=38 "(null)") Issue occurs with macOS 13 - works fine with macOS 12 and macOS 11 What is the problem here? Have there been any changes in macOS in that regard?

App translocation, officially known as Gatekeeper path randomisation, comes up from time-to-time. The best resource to explain it, WWDC 2016 Session 706 What’s New in Security, is no longer available from Apple so I thought I’d post some notes here (r. 105455698 ). Questions or comments? Start a new thread here on DevForums, applying the Gatekeeper tag so that I see it. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" App Translocation Notes Gatekeeper path randomisation, more commonly known as app translocation, is a security feature on macOS 10.12 and later. When you run a newly downloaded app, the system executes the app from a randomised path. This prevents someone from taking an app that loads code from an app-relative path and repackaging it to load malicious code. IMPORTANT The best way to prevent your app from being tricked into loading malicious code is to enable library validation. You get this by default once you enable the hardened runtime. Do not disable library validation unless your app needs to load in-process plug-ins from other third-party developers. If you have an in-process plug-in model, consider migrating to ExtensionKit. The exact circumstances where the system translocates an app is not documented and has changed over time. It’s best to structure your app so that it works regardless of whether it’s translocated or not. App Translocation Compatibility Most apps run just fine when translocated. However, you can run into problems if you load resources relative to your app bundle. For example, consider a structure like this: MyApp.app Templates/ letter.myapp envelope.myapp birthday card.myapp Such an app might try to find the Templates directory by: Getting the path to the main bundle Navigating from that using a relative path This won’t work if the app is translocated. The best way to avoid such problems is to embed these resources inside your app (following the rules in Placing Content in a Bundle, of course). If you need to make them easily accessible to the user, add your own UI for that. For a great example of this, run Pages and choose File > New. App Translocation Limits There is no supported way to detect if your app is being run translocated. If you search the ’net you’ll find lots of snippets that do this, but they all rely on implementation details that could change. There is no supported way to determine the original (untranslocated) path of your app. Again, you’ll find lots of unsupported techniques for this out there on the ’net. Use them at your peril! If you find yourself using these unsupported techniques, it’s time to sit down and rethink your options. Your best option here is to make your app work properly when translocated, as illustrated by the example in the previous section. App Translocation in Action The following steps explain how to trigger app translocation on macOS 13.0. Keep in mind that the specifics of app translocation are not documented and have changed over time, so you might see different behaviour on older or new systems: To see app translocation in action: Use Safari to download an app that’s packaged as a zip archive. My go-to choice for such tests is NetNewsWire, but any app will work. Safari downloads the zip archive to the Downloads folder and then unpacks it (assuming your haven’t tweaked your preferences). In Finder, navigate to the Downloads folder and launch the app. When Gatekeeper presents its alert, approve the launch. In Terminal, look at the path the app was launched from: % ps xw | grep NetNewsWire … /private/var/folders/wk/bqx_nk71457_g9yry9c_2ww80000gp/T/AppTranslocation/C863FADC-A711-49DD-B4D0-6BE679EE225D/d/NetNewsWire.app/Contents/MacOS/NetNewsWire Note how the path isn’t ~/Downloads but something random. That’s why the official name for this feature is Gatekeeper path randomisation. Quit the app. Use Finder to relaunch it. Repeat step 5: % ps xw | grep NetNewsWire … /private/var/folders/wk/bqx_nk71457_g9yry9c_2ww80000gp/T/AppTranslocation/C863FADC-A711-49DD-B4D0-6BE679EE225D/d/NetNewsWire.app/Contents/MacOS/NetNewsWire The path is still randomised. Quit the app again. Use the Finder to move it to the desktop. And relaunch it. And repeat step 5 again: % ps xw | grep NetNewsWire … /Users/quinn/Desktop/NetNewsWire.app/Contents/MacOS/NetNewsWire The act of moving the app has cleared the state that triggered app translocation.

We have developed a Parental/Self control app using Screen time API. We have used individual authentication to authorize the app, using the instructions here: https://developer.apple.com/documentation/familycontrols/authorizationcenter The problem is , that individual auth can be disabled easily , by the following steps: enter Settings app. in Settings app, click on the Parental/Self control app. click to disable screen time restriction. show the device owner's face/fingerprint. (or pin code) Why is that a problem: Parental control apps, or self-control apps, are about giving control to the software, To make it hard for the user to disable the restrictions. So using the flow I have introduced above, it's super-easy for a user to disable his Parental control restrictions, which misses the entire point of Parental/Self control idea. Furthermore, not only the user have the means to unlock his screen time restrictions, he also MUST have the means to unlock it. This makes Screen time (with individual auth) useless: I have a code ready to make a great parental control app for my clients, with amazing ideas, but I can't use the Screen time API unless this problem is fixed. Why child-parent auth is not enough: My clients are grownups people between ages of 15-40, that are interested in self-control, so they don't have iCloud child accounts. also, the child-parent auth solution forces my clients to give some control to other person, and my clients prefer their privacy. Some of them prefer self-control and not parental-control. What I suggest as a solution: 1: Give more options to users how to disable the Screen time restrictions. including: a second faceID / FingerPrint (that isn't the same as the one used to unlock the device) a second pin password. a string password 2: Give the users the option to choose to not have the device's owner Face/Finger/Pincode ID , as a method to disable the Screen time restrictions.

Updated version of this post My HomePod mini is now on version 16.4, so the the temperature and humidity sensors are enabled. The data properly shows up in the Home app on my various devices. In my HomeKit iPad app running on Mac Catalyst, however, the data does not show up. I would expect the HomePod mini to show up in HMHome.accessories with a service of type HMServiceTypeTempatureSensor. I see all of my other HomeKit accessories, just not the HomePod mini. I have tried with the latest Xcode (14.3) and highest available iOS Target and Minimum Deployment (16.4), macOS version 13.3. I have not, as of this writing, upgraded my HomeKit architecture, however. Note that I haven't tried the app on an actual iPad (and the iOS simulator doesn't expose my HomeKit environment.)

Hello everybody, I have a never ending issue with appstore review, an need a QUICK HELP ! I am submitting a new app (oral training), for Iphones only. I disabled other devices (such as Ipas) via Xcode. In the appstore informations form, it is obligatory to provide ipad screens, so I provided screens showing Iphone experience. Appstore team asked me to remove it because I don't authorize Ipads. But if I remove those screens, form cannot be sent. I don't understantd how to proceed. Thanks for the help Regards Jean

Hi All! I'm being asked to migrate an app which utilizes iCloud KVS (Key Value Storage). This ability is a new-ish feature, and the documentation about this is sparse [1]. Honestly, the entire documentation about the new iCloud transfer functionality seems to be missing. Same with Game Center / GameKit. While the docs say that it should work, I'd like to understand the process in more detail. Has anyone migrated an iCloud KVS app? What happens after the transfer goes through, but before the first release? Do I need to do anything special? I see that the Entitlements file has the TeamID in the Key Value store - is that fine? <key>com.apple.developer.ubiquity-kvstore-identifier</key> <string>$(TeamIdentifierPrefix)$(CFBundleIdentifier)</string> Can someone please share their experience? Thank you! [1] https://developer.apple.com/help/app-store-connect/transfer-an-app/overview-of-app-transfer

I set the location permission to Always but it changes back to “when shared” after a few days. Is this a bug?

Hi folks, there's currently a known issue in TipKit due to which it won't show popover tips on buttons that are inside a SwiftUI ToolbarItem. For example, if you try this code, the popover tip will not appear: ToolbarItem { Button(action: {...}) { Label("Tap here", systemImage: "gear") } .popoverTip(sampleTip) } There's an easy workaround for this issue. Just apply a style to the button. It can be any style. Some examples are bordered, borderless, plain and borderedProminent. Here's a fixed version of the above code: ToolbarItem { Button(action: {...}) { Label("Tap here", systemImage: "gear") } .buttonStyle(.plain) // Adding this line fixes the issue. .popoverTip(sampleTip) } Hope this helps anyone running into this issue.

IMPORTANT Improvements in the New Post form have eliminated the gotcha described below. DevForums has the concept of public and private tags: Public tags are available to everyone, per the rules outlined in Developer > Support > Developer Forums. Private tags are limited to a specific set of developers. The canonical example of a private tag is Universal App Quick Start, which is only available to folks who had an Apple silicon DTK. If you have access to any private tags, the New Post form has an extra field, Post Visibility. Its default value is Private but you can switch it to Public. The Tags field adjusts accordingly. So, if you select Private you only see a limited set of private tags. Use these if your post is about one of those private topics. OTOH, if your post is about a public topic, change Post Visibility to Public and apply the appropriate public tags. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hello! I have placed orders to pay for my developer account, but the payments are not going through. What ways are there to solve the payment problem?

I am new to swiftui and have a very small project I am working on to practice passing data between views. I have this error on a form "Trailing closure passed to parameter of type 'FormStyleConfiguration' that does not accept a closure" If I comment the first section in the form then I get three errors in the ForEach. If anyone can help explain what is going on and what steps I could take to determine where the problem is coming from I would appreciate the help. This is the model I created: import Observation import SwiftUI @Model final class Client { var id = UUID() var name: String var location: String var selectedJob: Person init(id: UUID = UUID(), name: String, location: String, selectedJob: Person) { self.id = id self.name = name self.location = location self.selectedJob = selectedJob } } extension Client { enum Person: String, CaseIterable, Codable { case homeOwner = "Home Owner" case contractor = "Contractor" case designer = "Designer" } } @Model class Enclosure { var id = UUID() var room: String = "" var unitType: String = "" init(id: UUID = UUID(), room: String, unitType: String) { self.id = id self.room = room self.unitType = unitType } } This is the detail view where the error is happening: import SwiftData import SwiftUI struct DetailView: View { @Environment(\.modelContext) private var modelContext @Environment(\.dismiss) private var dismiss @Query(sort: \Enclosure.room, order: .forward, animation: .default) private var enclosures: [Enclosure] @State private var showingAddEnclosure = false @State private var showingAddMirror = false @State private var name: String = "" @State private var location: String = "" @State private var selectedJob = Client.Person.homeOwner @State var clients: Client var body: some View { NavigationStack { Form { Section("Details") { TextField("Full Name", text: Client.$name) TextField("Location", text: Client.location) Picker("Job Type", selection: $selectedJob) { ForEach(Client.Person.allCases, id: \.self) { selected in Text(selected.rawValue).tag(selected) } } } Section("Enclosures") { List { ForEach($clients.enclosures) { enclosure in NavigationLink(destination: EnclosureDetailView()) { VStack { Text(enclosure.room) Text(enclosure.unitType) } } .swipeActions { Button("Delete", role: .destructive) { modelContext.delete(enclosure) } } } } } } .navigationTitle("Project Details") .navigationBarTitleDisplayMode(.inline) .toolbar { ToolbarItem(placement: .topBarTrailing) { Menu { Button { showingAddEnclosure.toggle() } label: { Text("Add Enclosure") } Button { showingAddMirror.toggle() } label: { Text("Add Mirror") } } label: { Label("Add", systemImage: "ellipsis.circle") } } } .sheet(isPresented: $showingAddEnclosure) { EnclosureView() } .sheet(isPresented: $showingAddMirror) { EnclosureView() } } } }

I'm trying to run my app on my iPhone and XCode is unable to detect it. Versions (as of time of writing, these are all the latest versions) XCode: 15.0.1 iOS: 17.1.2 macOS: Sonoma 14.1.2 What I've tried Updating all hardware to the latest versions. Restarting all hardware. Clearing cache/derived data. Using different USBC ports/cables. Using the XCode 15.1-Beta 3 (the latest beta) Clearing trusted computers and re-trusting Disabling Multipath Networking (solution for someone else on the dev forums) Creating a brand new xcode project. Disabling all wifi/bluetooth and reconnecting Using different wifi networks Calling mac support (they directed me back here) Scouring forums What happens I start by disconnecting my phone from my computer, clear trusted computers, restart xcode, and start (basically) from a completely blank slate. First I open XCode to my project. Then I connect my iPhone via USBC. I see that XCode says "iPhone not eligible while pairing in progress" (or something like that). I see on my phone that I must trust this computer, I hit trust, I enter my phone's passcode, then that disappears on my phone, and in XCode the message about eligibility disappears. I then click on the device selector to choose between either a simulator or a hardware device and under hardware I only see a message that says "No eligible devices connected to my mac". If I open the "Manage Run Destinations" organizer I see all the simulators there in the simulators tab, but when I go to the Devices tab, I see nothing. Sometimes when I go through this process, I can get a banner to appear up top, but still no device shows up on the left. The banner will show me that it is indeed my iPhone, but it will be missing information like "Serial Number" or "Capacity". Here's a screenshot of what I see. Keep in mind, this banner up top does not always show up when I go through this process. iPhone CAN be detected on my other laptop When I do this exact same thing on my other laptop, everything works just fine. Here are the specs I'm running on that laptop. (using the same cable/wifi network/etc) XCode 15.0.1 macOS: Ventura 13.6.1 iPhone 17.1.2 (I'm using the same iPhone) The only difference here being the macOS version. However, the problem started on my "broken" computer while I was running a previous major macOS version. This problem is actually what prompted my to do a system update to Sonoma. Please for the love of god, halp!!!

Hey everyone, I purchased an Apple Developer Program for 99 USD on January 1 2024, filled out my credit card that I use for iCloud+ storage plan, got my confirmation email that within 48h my developer account should be activated, but it never did. Plus after waiting more than 48h I wrote to support, describing everything, but never heard back from them. One thing I noticed during the checkout was I was asked for everything (name, address, CC number, expiry date) but not the CVV number. Is this normal, and would Apple be able to process the payment without it? I though about going through the enrolment process again, but am afraid of a double charge, in case my original enrolment gets accepted... Please advise and share your experiences when enrolling to the developer program. Thanks!

Hi Team, Its been 4 weeks and still my enrollment is reflecting in pending status. I want to set up my application and to do it we have to enroll for the development to give access to the the tech team to configure the application. I am not able to find the contact us info to raise the issue.

I am trying to create a developer account for my organization. I have validated our DUNS number and Entity Name on https://developer.apple.com/enroll/duns-lookup/. However, when I try to add this number to create a developer account, I get a pop-up suggesting a mismatch in the entity and DUNS number. I have tried this several times without any success. Request you to please help me resolve this issue. Thanks. Sanket

Hi! Our app has been rejected several times now. We first selected the "made for kids" category because that was the age recommended by apple. Everything went fine at first but now, two updated later, we are starting to get rejected. We unchecked the made for kids box but even after that we are still not getting approved. We have tried to explain our issue to apple support but they aren't giving us any good answers. Is there any way to resolve this issue? We are really in the need of help.

When running a SwiftUI Multiplatform app in Xcode Cloud I'm getting the following error: CIWatcher encountered an error in CIWatcherTests failed with: Failed to install or launch the test runner. (Underlying Error: Could not launch “CIWatcherTests”. Runningboard has returned error 5. Please check the system logs for the underlying cause of the error. (Underlying Error: The operation couldn’t be completed. Launch failed. (Underlying Error: Launchd job spawn failed))) This runs fine on iOS and all those tests pass. The SwiftUI app on Mac is a menu bar app so I'm not sure if this could be the issue as it's not launching for some reason on the Xcode Cloud system? Maybe I need to add some run option to make this work? When run locally both iOS and macOS pass all the tests successfully