I was able to resolve this by dropping use of the xcode@5 task and use xcodebuild directly dropping xcodebuild -exportArchive and handling that myself by manually dropping in my provisioning profiles, manually signing with codesign, and packaging with productBuild At first, it seemed that I was using -exportArchive wrong having selected Mac-Application instead of app-connect as the export method. Fixing that worked well enough after I included my installer provisioning profile in the plist, however I ran into issues with the distribution provisioning profiles here as the embedded application (safari extension) had a different bundle-id than the top-level application. This required that I do all of that manually (though I bet resolve itself if I update the bundle identifier to match, but I'm short on time and I'm going to stick with this for now unless it causes me problems...) For posterities sake, the working pipeline is: - task: InstallAppleCertificate@2 displayName: "Install Developer Certificate" name: InstallAppleCertificate inputs: certSecureFile: $(APPLE_DEV_CERT) certPwd: $(APPLE_DEV_CERT_PASSWORD) - task: InstallAppleCertificate@2 displayName: "Install Distribution Certificate" name: InstallDistCerts inputs: certSecureFile: $(APPLE_DIST_CERT) certPwd: $(APPLE_DIST_CERT_PASSWORD) - task: InstallAppleProvisioningProfile@1 displayName: "Install Distribution Provisioning Profile" name: InstallDistProvisioningProfile inputs: provProfileSecureFile: $(PROVISIONING_PROFILE_DIST) - task: InstallAppleCertificate@2 displayName: "Install Installer Certificate" name: InstallInstallerCert inputs: certSecureFile: $(APPLE_INSTALLER_CERT) certPwd: $(APPLE_INSTALLER_CERT_PASSWORD) - task: InstallAppleProvisioningProfile@1 displayName: "Install Extension Distribution Provisioning Profile" name: InstallExtDistProvisioningProfile inputs: provProfileSecureFile: $(EXTENSION_PROVISIONING_PROFILE) - task: Bash@3 displayName: "Update Safari Bundle Version" inputs: workingDirectory: "browser-extensions" filePath: "browser-extensions/update-pbxproj-version.sh" - template: build-extension.yml - script: | sudo xcodebuild -project "browser-extensions/chrome-v2/safari/SafariDesktopExtension/SafariDesktopExtension.xcodeproj" \ -scheme SafariDesktopExtension \ -configuration Release \ archive \ -archivePath '$(Build.ArtifactStagingDirectory)/SafariDesktopExtension.xcarchive' \ CODE_SIGNING_REQUIRED=NO \ CODE_SIGNING_ALLOWED=NO displayName: 'Archive Xcode Project' - task: DownloadSecureFile@1 displayName: "Download Provisioning Profile" name: downloadProvisioningProfile inputs: secureFile: $(PROVISIONING_PROFILE_DIST) - task: DownloadSecureFile@1 displayName: "Download Provisioning Profile" name: downloadExtensionProvisioningProfile inputs: secureFile: $(EXTENSION_PROVISIONING_PROFILE) - script: | sudo cp "$(downloadProvisioningProfile.secureFilePath)" "$(Build.ArtifactStagingDirectory)/SafariDesktopExtension.xcarchive/Products/Applications/SafariDesktopExtension.app/Contents/embedded.provisionprofile" displayName: "Embed provisioning profile in Top-Level Executable" - script: | sudo cp "$(downloadExtensionProvisioningProfile.secureFilePath)" "$(Build.ArtifactStagingDirectory)/SafariDesktopExtension.xcarchive/Products/Applications/SafariDesktopExtension.app/Contents/PlugIns/SafariDesktopExtension Extension.appex/Contents/embedded.provisionprofile" displayName: "Embed provisioning profile in Extension" - script: | # Sign the nested app extension sudo codesign --verbose --sign "$(InstallDistCerts.signingIdentity)" \ --entitlements "$(rootFolder)/safari/SafariDesktopExtension/SafariDesktopExtension Extension/SafariDesktopExtension_Extension.entitlements" \ "$(Build.ArtifactStagingDirectory)/SafariDesktopExtension.xcarchive/Products/Applications/SafariDesktopExtension.app/Contents/PlugIns/SafariDesktopExtension Extension.appex" # Sign additional components if necessary (e.g., frameworks, helper apps) find "$(Build.ArtifactStagingDirectory)/SafariDesktopExtension.xcarchive/Products/Applications/SafariDesktopExtension.app/Contents/Frameworks" -type f -name "*.dylib" -or -name "*.framework" | while read component; do sudo codesign --force --verbose --sign "$(InstallDistCerts.signingIdentity)" "$component" done # Sign the main app sudo codesign --force --verbose --sign "$(InstallDistCerts.signingIdentity)" \ --entitlements "$(rootFolder)/safari/SafariDesktopExtension/SafariDesktopExtension/SafariDesktopExtension.entitlements" \ "$(Build.ArtifactStagingDirectory)/SafariDesktopExtension.xcarchive/Products/Applications/SafariDesktopExtension.app" displayName: "Codesign" - task: Bash@3 displayName: "Package Application" inputs: targetType: "inline" script: | productbuild --sign "$(InstallInstallerCert.signingIdentity)" --component "$(Build.ArtifactStagingDirectory)/SafariDesktopExtension.xcarchive/Products/Applications/SafariDesktopExtension.app" /Applications "$(Build.ArtifactStagingDirectory)/SafariDesktopExtension.pkg" - task: PublishBuildArtifacts@1 inputs: PathToPublish: "$(Build.ArtifactStagingDirectory)" ArtifactName: "SafariDesktopExtension" displayName: "Publish Desktop Extension Artifact"