I need to verify if key-value store is actually needed in the widget or if that can be limited to the app target. Assuming the widget does not need key-value store access, can the app target be left using the old team id?

In the test app, OTHER_TEAM_ID.$(CFBundleIdentifier) works. In the real app which includes a widget extension, it only works if the app target uses OTHER_TEAM_ID.$(CFBundleIdentifier) and the widget target uses TEAM_ID.$(CFBundleIdentifier).

You are correct that the profile from step 3 has no entry for key-value storage. However, the profile from step 5 still uses the old team ID. One thing I realized while looking at this is that I'm still a member of the old team. That team's developer subscription is no longer active but I'm still a member. I almost left it when I realized but decided to only follow the steps you suggested. Step 3 (iCloud not enabled) "Entitlements" => { "application-identifier" => "TEAM_ID.com.ORGANIZATION.APP" "aps-environment" => "production" "beta-reports-active" => true "com.apple.developer.team-identifier" => "TEAM_ID" "com.apple.security.application-groups" => [ 0 => "group.ORGANIZATION" ] "get-task-allow" => false "keychain-access-groups" => [ 0 => "TEAM_ID.*" 1 => "com.apple.token" ] } Step 5 (iCloud re-enabled) "Entitlements" => { "application-identifier" => "TEAM_ID.com.ORGANIZATION.APP" "aps-environment" => "production" "beta-reports-active" => true "com.apple.developer.icloud-container-development-container-identifiers" => [ 0 => "iCloud.ORGANIZATION.APP" ] "com.apple.developer.icloud-container-environment" => [ 0 => "Production" 1 => "Development" ] "com.apple.developer.icloud-container-identifiers" => [ 0 => "iCloud.ORGANIZATION.APP" ] "com.apple.developer.icloud-services" => "*" "com.apple.developer.team-identifier" => "TEAM_ID" "com.apple.developer.ubiquity-container-identifiers" => [ 0 => "iCloud.ORGANIZATION.APP" ] "com.apple.developer.ubiquity-kvstore-identifier" => "OTHER_TEAM_ID.com.ORGANIZATION.APP" "com.apple.security.application-groups" => [ 0 => "group.ORGANIZATION" ] "get-task-allow" => false "keychain-access-groups" => [ 0 => "TEAM_ID.*" 1 => "com.apple.token" ] }

Yes, the app builds fine when disabling key-value storage. Dumping the provisioning profile shows this: "Entitlements" => { "application-identifier" => "TEAM_ID.com.ORGANIZATION.APP" "aps-environment" => "development" "com.apple.developer.icloud-container-development-container-identifiers" => [ 0 => "iCloud.ORGANIZATION.APP" ] "com.apple.developer.icloud-container-environment" => [ 0 => "Production" 1 => "Development" ] "com.apple.developer.icloud-container-identifiers" => [ 0 => "iCloud.ORGANIZATION.APP" ] "com.apple.developer.icloud-services" => "*" "com.apple.developer.team-identifier" => "TEAM_ID" "com.apple.developer.ubiquity-container-identifiers" => [ 0 => "iCloud.ORGANIZATION.APP" ] "com.apple.developer.ubiquity-kvstore-identifier" => "OTHER_TEAM_ID.com.ORGANIZATION.APP" "com.apple.security.application-groups" => [ 0 => "group.ORGANIZATION" ] "get-task-allow" => true "keychain-access-groups" => [ 0 => "TEAM_ID.*" 1 => "com.apple.token" ] } So it does appear that the old team ID for com.apple.developer.ubiquity-kvstore-identifier.

I created a new project with the same bundle id and capabilities. Same error.

I've created a dummy test app with the same setup as the real one and signing works. However, after deleting derived data and all provisioning profiles, the real app still cannot sign.

It's just preferences stored in the key-value store. So yes, it is acceptable for that data to be lost. To clarify, I have updated the entitlement value with the correct Team ID.