Reply to Provisioning profile missing entitlement
Yes, the app builds fine when disabling key-value storage. Dumping the provisioning profile shows this:

    "Entitlements" => {
        "application-identifier" => "TEAM_ID.com.ORGANIZATION.APP"
        "aps-environment" => "development"
        "com.apple.developer.icloud-container-development-container-identifiers" => [
            0 => "iCloud.ORGANIZATION.APP"
        ]
        "com.apple.developer.icloud-container-environment" => [
            0 => "Production"
            1 => "Development"
        ]
        "com.apple.developer.icloud-container-identifiers" => [
            0 => "iCloud.ORGANIZATION.APP"
        ]
        "com.apple.developer.icloud-services" => "*"
        "com.apple.developer.team-identifier" => "TEAM_ID"
        "com.apple.developer.ubiquity-container-identifiers" => [
            0 => "iCloud.ORGANIZATION.APP"
        ]
        "com.apple.developer.ubiquity-kvstore-identifier" => "OTHER_TEAM_ID.com.ORGANIZATION.APP"
        "com.apple.security.application-groups" => [
            0 => "group.ORGANIZATION"
        ]
        "get-task-allow" => true
        "keychain-access-groups" => [
            0 => "TEAM_ID.*"
            1 => "com.apple.token"
        ]
    }

So it does appear that the old team ID is used for com.apple.developer.ubiquity-kvstore-identifier.
Jan ’26
Reply to Provisioning profile missing entitlement
You are correct that the profile from step 3 has no entry for key-value storage. However, the profile from step 5 still uses the old team ID. One thing I realized while looking at this is that I'm still a member of the old team. That team's developer subscription is no longer active but I'm still a member. I almost left it when I realized but decided to only follow the steps you suggested.

Step 3 (iCloud not enabled)

    "Entitlements" => {
        "application-identifier" => "TEAM_ID.com.ORGANIZATION.APP"
        "aps-environment" => "production"
        "beta-reports-active" => true
        "com.apple.developer.team-identifier" => "TEAM_ID"
        "com.apple.security.application-groups" => [
            0 => "group.ORGANIZATION"
        ]
        "get-task-allow" => false
        "keychain-access-groups" => [
            0 => "TEAM_ID.*"
            1 => "com.apple.token"
        ]
    }

Step 5 (iCloud re-enabled)

    "Entitlements" => {
        "application-identifier" => "TEAM_ID.com.ORGANIZATION.APP"
        "aps-environment" => "production"
        "beta-reports-active" => true
        "com.apple.developer.icloud-container-development-container-identifiers" => [
            0 => "iCloud.ORGANIZATION.APP"
        ]
        "com.apple.developer.icloud-container-environment" => [
            0 => "Production"
            1 => "Development"
        ]
        "com.apple.developer.icloud-container-identifiers" => [
            0 => "iCloud.ORGANIZATION.APP"
        ]
        "com.apple.developer.icloud-services" => "*"
        "com.apple.developer.team-identifier" => "TEAM_ID"
        "com.apple.developer.ubiquity-container-identifiers" => [
            0 => "iCloud.ORGANIZATION.APP"
        ]
        "com.apple.developer.ubiquity-kvstore-identifier" => "OTHER_TEAM_ID.com.ORGANIZATION.APP"
        "com.apple.security.application-groups" => [
            0 => "group.ORGANIZATION"
        ]
        "get-task-allow" => false
        "keychain-access-groups" => [
            0 => "TEAM_ID.*"
            1 => "com.apple.token"
        ]
    }
Jan ’26
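The comparison made by eye in the two dumps above can be automated. This is an added example, not part of the original posts: it assumes the profile has already been decoded to a plain plist, uses a constructed sample built from the page's placeholder values, and the `PREFIXED_KEYS` set and function name are assumptions chosen for illustration.

```python
import plistlib

# Constructed sample: the "Entitlements" dict from the step 5 dump above,
# re-encoded as plist XML with the page's own placeholder values.
SAMPLE_PROFILE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Entitlements</key><dict>
    <key>application-identifier</key><string>TEAM_ID.com.ORGANIZATION.APP</string>
    <key>com.apple.developer.team-identifier</key><string>TEAM_ID</string>
    <key>com.apple.developer.ubiquity-kvstore-identifier</key>
    <string>OTHER_TEAM_ID.com.ORGANIZATION.APP</string>
    <key>keychain-access-groups</key>
    <array><string>TEAM_ID.*</string><string>com.apple.token</string></array>
  </dict>
</dict></plist>"""

# Entitlements whose values are expected to start with "<team id>." (assumption
# made for this example; extend the set for other prefixed entitlements).
PREFIXED_KEYS = (
    "application-identifier",
    "com.apple.developer.ubiquity-kvstore-identifier",
    "keychain-access-groups",
)

def team_prefix_mismatches(plist_bytes):
    """Return [(key, value)] for values not prefixed with the profile's team ID."""
    ents = plistlib.loads(plist_bytes).get("Entitlements", {})
    team = ents.get("com.apple.developer.team-identifier")
    if not team:
        raise ValueError("profile has no com.apple.developer.team-identifier")
    mismatches = []
    for key in PREFIXED_KEYS:
        value = ents.get(key)
        if value is None:
            continue  # entitlement absent, as in the step 3 profile
        for item in value if isinstance(value, list) else [value]:
            if item.startswith("com.apple."):
                continue  # Apple-owned group such as com.apple.token
            if not item.startswith(team + "."):
                mismatches.append((key, item))
    return mismatches

if __name__ == "__main__":
    for key, value in team_prefix_mismatches(SAMPLE_PROFILE_PLIST):
        print(f"{key}: {value}")
```

The prefix test uses `startswith(team + ".")` rather than a substring match, so `OTHER_TEAM_ID.` is not mistaken for `TEAM_ID.`.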
Reply to Provisioning profile missing entitlement
It's just preferences stored in the key-value store. So yes, it is acceptable for that data to be lost. To clarify, I have updated the entitlement value with the correct Team ID.
Jan ’26
Reply to Provisioning profile missing entitlement
I've created a dummy test app with the same setup as the real one and signing works. However, after deleting derived data and all provisioning profiles, the real app still cannot sign.
Jan ’26
Reply to Provisioning profile missing entitlement
I created a new project with the same bundle id and capabilities. Same error.
Jan ’26
Reply to Provisioning profile missing entitlement
In the test app, OTHER_TEAM_ID.$(CFBundleIdentifier) works. In the real app which includes a widget extension, it only works if the app target uses OTHER_TEAM_ID.$(CFBundleIdentifier) and the widget target uses TEAM_ID.$(CFBundleIdentifier).
Jan ’26
Reply to Provisioning profile missing entitlement
I need to verify if key-value store is actually needed in the widget or if that can be limited to the app target. Assuming the widget does not need key-value store access, can the app target be left using the old team id?
Jan ’26