If I open the invalid .app (after the codesign), in Contents/info.plist, I see the entitlements saying 7... (my Developer ID) but the certificates all say Apple Development (4...) Is that what's wrong?

I have found that I can sign using the key: codesign -s "A6BED0BFC51147B1D08CF9C38E568B58546928D0" --timestamp -f -o runtime ./Build/Release/Meteorologist.app That gets me around the ambiguous match. Before the codesign, /Build/Release/Meteorologist.app runs fine (albeit with Apple Developer). After the codesign, the app launches but immediately says: Location services are denied. This is covered in the existing entitlements. I found that I can ensure the entitlement is added/replaced as part of codesign by adding --entitlements: codesign -s "A6BED0BFC51147B1D08CF9C38E568B58546928D0" --timestamp --entitlements ./Meteorologist/Meteorologist.entitlements -f -o runtime ./Build/Release/Meteorologist.app But then I get the message: The application "Meteorologist can't be opened. Looking around in the Console, I see this: mac_vnode_check_signature: /Users/ed/Documents/Xcode-Projects/meteorologist/trunk/Build/Release/Meteorologist.app/Contents/MacOS/Meteorologist: code signature validation failed fatally: When validating /Users/ed/Documents/Xcode-Projects/meteorologist/trunk/Build/Release/Meteorologist.app/Contents/MacOS/Meteorologist: Code has restricted entitlements, but the validation of its code signature failed. Unsatisfied Entitlements: com.apple.developer.weatherkit While makes me think I'm back to square 1, except that when I use the Xcode GUI, it does work.

I'm building via a sh script. Using Xcode GUI is not what I'm shooting for.

xcodebuild Doing my best to follow here: https://developer.apple.com/forums/thread/701514 First, I did these two steps: xcodebuild -project Meteorologist.xcodeproj -scheme Meteorologist -configuration Release -derivedDataPath ./Build -allowProvisioningUpdates --options=runtime clean archive -archivePath ./Build/Archive.xcarchive xcodebuild -exportArchive -archivePath ./Build/Archive.xcarchive -exportOptionsPlist exportOptions.plist -exportPath ./Build/Release I then get to this step: security find-identity -p codesigning -v which yields: 1) 1135D8B42869FDE86A1AC385DAE5D8193FF9FAB7 "Apple Development: Edward Danley (4..)" (CSSMERR_TP_CERT_REVOKED) 2) 6BD49D05978A4EB8ED7AC2E80685D346F4631D3A "Apple Development: Edward Danley (4..)" 3) A6BED0BFC51147B1D08CF9C38E568B58546928D0 "Developer ID Application: Edward Danley (7..)" 4) 0C34E70124438F42668E9E3097E888B0E0390A8C "Developer ID Application: Edward Danley (7..)" When I get to: codesign -s "Developer ID Application: Edward Danley" ./Build/Release/Meteorologist.app I receive: Developer ID Application: Edward Danley (7..): ambiguous (matches "Developer ID Application: Edward Danley (7..)" and "Developer ID Application: Edward Danley (7..)" in /Users/ed/Library/Keychains/login.keychain-db) How do I clean up my certificates? You have another article here: https://developer.apple.com/forums/thread/674115 I was following the article you referenced here: https://help.apple.com/xcode/mac/11.4/index.html?localePath=en.lproj#/dev8a2822e0b and all I managed to do was end up with 3 copies of Developer ID :( Ed

Ah, another big change from ALTOOL. You no longer receive an email notification from Apple (like I've been waiting for). The message the Xcode window quietly changes and allows you to click the Export button. Still no progress on getting xcodebuild working in my batch build script.

I did the second part. In Xcode, Product > Archive, select the new archive, click on Distribute App, selected Developer ID, Upload, Automatically Manage Signing, wait, then click on Upload. Message says "Uploaded "Meteorologist" to Apple notary service. You will receive a notification when your app is ready for distribution." I've done this 3 times now and never received any messages from Apple.

Progress on a minuscule front. I didn't realize the archive action was separate from the -exportArchive option. Once I split them into 2 xcodebuild commands I was able to create an archive. Along the way I discovered that with the archive action, -archivePath is the name of the archive, not the path as the name implies. However with the -exportArchive option, -archivePath is the path as the name implies. Moving past that, my xcodebuild -exportArchive option now throws the following error: Error Domain=IDEFoundationErrorDomain Code=1 "exportOptionsPlist error for key "method": expected one of {}, but found development" UserInfo={NSLocalizedDescription=exportOptionsPlist error for key "method": expected one of {}, but found development} The gotcha is that I don't have the "method" key in my plist file. According to xcodebuild -help, that is a default value. { destination = export; signingCertificate = "Developer ID Application"; signingStyle = automatic; teamID = 7**...; }

@Quinn - how should should the Xcode archive take to process? It's ben over 24 hours with no feedback. I also experimented with xcodebuild options for archive (-exportArchive -exportPath ./Build/Release -archivePath ./Build/Archive -exportOptionsPlist exportOptions.plist) and I get this message: error: archive at path '/Users/ed/Documents/Xcode-Projects/meteorologist/trunk/Build/Archive' is malformed If it matters, my exportOptions.plist file looks like this: { destination = export; signingCertificate = "Developer ID Application"; signingStyle = automatic; teamID = 7WN...; }

I've read your article (before) and I'll admit I can't follow it. I'll go back and try again. That said, how can make this work with xcodebuild?

I hope it's not too late to jump on this thread. I'm having a similar issue (except RC=0). I'm macOS, not iOS. In Xcode I have WeatherKit included in Signing and Capabilities: In my developer account, https://developer.apple.com/account/resources/services/list, I have WeatherKit listed. The one thing I notice, my account key is listed as 7WN... whereas in Xcode my signing certificate is listed as 4V7... The code runs fine in Xcode. However when I move to a Mac does is not registered as a developer machine, I get the error: The operation couldn’t be completed. (WeatherDaemon.WDSJWTAuthenticatorServiceListener.Errors error 0.) I am building via a shell script using the 7WN account: xcrun notarytool store-credentials --apple-id "..." --team-id "7WN..." --password "..." notary-scriptingosx Thanks.

When I try to launch on 10.15, this is what I see in system.log: Jan 20 06:53:59 edwardd20 com.apple.xpc.launchd[1] (com.apple.xpc.launchd.oneshot.0x10000002.Meteorologist[6679]): removing service since it exited with consistent failure - OS_REASON_CODESIGNING | When validating /Applications/Meteorologist.app/Contents/MacOS/Meteorologist:   Code has restricted entitlements, but the validation of its code signature failed. Unsatisfied Entitlements:  Jan 20 06:53:59 edwardd20 com.apple.xpc.launchd[1] (com.apple.xpc.launchd.oneshot.0x10000002.Meteorologist[6679]): Binary is improperly signed.

Thank you Quinn. I will summarize the one step I was missing, from your link https://developer.apple.com/forums/thread/701514, was this (emphasis on the final sentence): To create a distribution provisioning profile, follow the instructions in Developer Account Help. Make sure to choose a profile type that matches your distribution channel (Mac App Store or Developer ID). Once you have a distribution provisioning profile, copy it into your program’s bundle. For information about where to copy it, see Placing Content in a Bundle. ... % cp "ConfigApp-Dist.provisionprofile" "to-be-signed/ConfigApp.app/Contents/embedded.provisionprofile" Modifying the app in this way will break the seal on its code signature. This is fine because you are going to re-sign the app before distributing it. IMPORTANT If you’re building your product with Xcode then you might find that Xcode has embedded a provisioning profile within your bundle. This is a development provisioning profile. You must replace it with a distribution provisioning profile.