[quote='826809022, Moleskyth, /thread/775022?answerId=826809022#826809022, /profile/Moleskyth'] Could you please list all the steps you took to recreate the certificates and profiles on the Apple Developer website? [/quote] This is how I did it: Add correct app group capability Go to https://developer.apple.com/account/resources/identifiers/list and open the identifier belonging to your app/extension (you have to do follow all of these steps for every target included in your app) Enable the 'App Groups' capability, click 'Configure', and enable the app group that you need. Then save. Generate provisioning profile Go to https://developer.apple.com/account/resources/profiles/list, click the plus button next to the Profiles title Select 'macOS App Development', then continue Select the correct App ID, then continue Select the development certificate that you use in Xcode, then continue Select your device, then continue Give the profile a name, then click 'Generate' Download the certificate Select provisioning profile in Xcode Go to the 'Signing & Capabilities' tab of the target settings Disable 'Automatically manage signing' In the macOS section of Signing, select the dropdown next to Provisioning Profile, select 'Import Profile', and select the profile you just downloaded [quote='826809022, Moleskyth, /thread/775022?answerId=826809022#826809022, /profile/Moleskyth'] did you upload the archive using those newly created certificates, or did you switch back to using automatic ones afterward? Did you have to remove any existing certificates to get it to work? [/quote] You have to upload using the new certificates, because those are the only ones with the right entitlements. If you're already using a custom certificate I guess you have to unselect those in Xcode, but otherwise, no need to go around and explicitly delete stuff.

[quote='826635022, DTS Engineer, /thread/775022?answerId=826635022#826635022'] When I did this the profile included my iOS-style app group in its allowlist. [/quote] This seems to be correct. So, the actual issue seems to be that Xcode managed signing does not generate the correct provisioning profiles for app extensions, because it doesn't include iOS-style app groups in the profile. This is broken in Xcode 16.2 and 16.3 beta. This recently became an issue because App Store Connect started to reject builds without the 'correct' provisioning profiles. So now the only way to create a build with the correct profile is to generate the profile manually. So the way I see it, this is an issue that needs to be fixed in Xcode. In the meantime, developers running into this should work around the issue by creating manual provisioning profiles. (Of course, ideally ASO would stop rejecting the builds that use auto-signing until this is fixed, but that's beyond the scope of this thread I guess.)

The problem for me seems to be related to the app extensions and plugins bundled with my Mac app, such as an App Intents extension and a Widgets extension. The embedded.provisionprofile generated by Xcode for the Mac app itself correctly contains the com.apple.security.application-groups entitlement for my iOS style prefixed group. However, all the related extensions do not, and this is what Xcode is throwing an error about when uploading. When building the same app for iOS, the com.apple.security.application-groups entitlement is correctly included in the embedded.mobileprovision files of the extensions. I've tried this with Xcode 16.2 using automatically managed signing. I haven't had the chance to try this with the 16.3 beta yet. Perhaps that version fixes how the provisioning profiles are created.