General: Forums topic: Code Signing Forums subtopics: Code Signing > General, Code Signing > Certificates, Identifiers & Profiles, Code Signing > Notarization, Code Signing > Entitlements Forums tags: Code Signing, Signing Certificates, Provisioning Profiles, Entitlements Developer Account Help — This document is good in general but, in particular, the Reference section is chock-full of useful information, including the names and purposes of all certificate types issued by Apple Developer web site, tables of which capabilities are supported by which distribution models on iOS and macOS, and information on how to use managed capabilities. Developer > Support > Certificates covers some important policy issues Bundle Resources > Entitlements documentation TN3125 Inside Code Signing: Provisioning Profiles — This includes links to the other technotes in the Inside Code Signing series. WWDC 2021 Session 10204 Distribute apps in Xcode with cloud signing Certificate Signing Requests Explained forums post --deep Considered Harmful forums post Don’t Run App Store Distribution-Signed Code forums post Resolving errSecInternalComponent errors during code signing forums post Finding a Capability’s Distribution Restrictions forums post Signing code with a hardware-based code-signing identity forums post New Capabilities Request Tab in Certificates, Identifiers & Profiles forums post Isolating Code Signing Problems from Build Problems forums post Investigating Third-Party IDE Code-Signing Problems forums post Determining if an entitlement is real forums post Code Signing Identifiers Explained forums post Mac code signing: Forums tag: Developer ID Creating distribution-signed code for macOS documentation Packaging Mac software for distribution documentation Placing Content in a Bundle documentation Embedding nonstandard code structures in a bundle documentation Embedding a command-line tool in a sandboxed app documentation Signing a daemon with a restricted entitlement documentation Defining launch environment and library constraints documentation WWDC 2023 Session 10266 Protect your Mac app with environment constraints TN2206 macOS Code Signing In Depth archived technote — This doc has mostly been replaced by the other resources linked to here but it still contains a few unique tidbits and it’s a great historical reference. Manual Code Signing Example forums post The Care and Feeding of Developer ID forums post TestFlight, Provisioning Profiles, and the Mac App Store forums post For problems with notarisation, see Notarisation Resources. For problems with the trusted execution system, including Gatekeeper, see Trusted Execution Resources. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hello, We have an internal enterprise app. After the provisioning profile (certificate) expired, some employees' iPhones still retained the old certificate when updating the app, causing the app to fail to open. We’ve tried restarting and reinstalling the app, but the issue persists. Having each employee manually reset network or device settings would be too operationally costly. Since this involves a large number of devices, we cannot use Apple Configurator to remove and reinstall certificates one by one. Therefore, we’d like to ask if there is a more efficient, batch-oriented solution to quickly resolve the certificate residue issue. We’d appreciate any suggestions for large-scale deployment methods. Thank you very much!

Hi everyone, I’ve been struggling with an issue related to the com.apple.developer.fonts-provided-by-application entitlement in Xcode. Despite configuring everything correctly, I’m still encountering an error stating that the fonts provided by application are missing. Here’s a breakdown of what I’ve done so far: Entitlements File: My entitlements file includes the com.apple.developer.fonts-provided-by-application key set as an array with 28 font items listed (e.g., Lato-Bold.ttf, Montserrat-SemiBold.ttf, etc.). All font names match the actual filenames, including extensions, and are spelled correctly. Info.plist: I’ve listed all the fonts under the UIAppFonts key, and they match the entries in the entitlements file. Font Files in Xcode: All font files are present in my project and included in Build Phases > Copy Bundle Resources. Provisioning Profile: The Fonts capability is enabled in my App Identifier in the Apple Developer Program, and I’ve regenerated my provisioning profile to ensure it reflects this entitlement. What’s Working: Other entitlements in the entitlements file (like keychain access and sandboxing) are functioning correctly, so the entitlements file is linked properly to my app target. The provisioning profile shows everything else is in sync. What’s Not Working: Xcode consistently shows the error "missing fonts provided by application", even though I’ve verified the fonts, file paths, and plist entries multiple times. Questions: Could this issue be related to the placement of the fonts folder within my project structure? Do I need to remove unused fonts or adjust file extensions (like .ttf vs .otf)? Is there another step I might be missing in Xcode or the Apple Developer Program? Any guidance would be greatly appreciated. This has been a challenging problem to resolve, and I’d love to hear from anyone who has encountered something similar.

Hello, we are currently encountering a similar issue. We need to inject our capabilities into a third-party app by re-signing it (not a full re-signing process—just requiring the provisioning profile and certificate to match). However, this seems to affect the functionality of universal links. We've found that this issue only occurs on iOS 18. We noticed that when re-signing the app, the entitlements related to associated domains are changed to a wildcard: [Key] com.apple.developer.associated-domains [Value] [Array] [String] * However, this doesn’t cause any issues on iOS 17. Through further testing, we discovered that in order for universal links to work properly, we need to restore the original value of com.apple.developer.associated-domains and use a provisioning profile that matches the app's bundle ID. This means our previous re-signing approach using a certificate and provisioning profile from another bundle will no longer work. We’d like to ask: is this a new restriction introduced in iOS 18? If we manually restore the original com.apple.developer.associated-domains entitlement and use a provisioning profile that matches the app’s bundle ID, will universal links function correctly going forward?

May I know the checking mechanism for the ios Provisioning profile? Is my Apple app distributed by MDM inside the organisation? If the Provisioning profile is expired , what is the behaviour when user run the App and how to perform the checking mechanism , is it performed at user client side device or Apple server via online access.

Hi everyone, I recently migrated my individual Apple Developer account to an Organization account for my company "". My Team ID remained the same. I'm now facing persistent issues with code signing and push notifications for my iOS app (Bundle ID: com.).
 Current Problems:
 "Untitled" Certificates in Xcode: When I go to Xcode -> Settings -> Accounts -> [My Apple ID] -> Select "" Team -> "Manage Certificates...", a number of my newly created Apple Development and Apple Distribution certificates are listed древ "Untitled". Some older ones are "Revoked". (See attached screenshot if possible).
 "No App ID" for Push Notifications Console: In my app target's "Signing & Capabilities" tab, I've added the "Push Notifications" capability. However, when I click the info button to open the "Push Notifications Console", it states: "no app IDs: Register an App ID with the Push Notifications capability enabled to use the Push Notifications console." This is despite the fact that the Push Notifications capability IS enabled for my App ID com. in the Developer Portal, and I've configured an APNs Auth Key (.p8) for it.
 Push Notifications Not Received (from Backend): While I can successfully send a test push notification directly from the Firebase Console to my device's FCM token, notifications triggered by my backend (Firebase Cloud Functions writing to a Firestore collection, which then triggers another function to send via FCM) are not being delivered to iOS devices. (Android seems to be working more reliably now).
 Setup: Using an APNs Authentication Key (.p8) linked to my Organization Team ID in Firebase Cloud Messaging. Main App ID com. has "Push Notifications" capability enabled. Notification Service Extension com..ImageNotification also has its App ID and Provisioning Profile set up for the Organization team. Created new Development and Distribution certificates and Provisioning Profiles specifically for the Organization team. Using "Automatically manage signing" in Xcode with the Organization team selected for both the main app target and the extension target.
 Troubleshooting Done: Revoked old/problematic certificates and profiles. Recreated CSRs and new Development/Distribution certificates under the Organization team multiple times. Recreated Provisioning Profiles. Cleaned Derived Data in Xcode. Ensured Bundle Identifiers are consistent. Verified APNs Auth Key details (Key ID, Team ID) in Firebase.
 I suspect there's a fundamental issue with how Xcode is recognizing or linking the signing assets for my Organization team after the account type change, despite the Team ID being the same. The "Untitled" certificates are a major red flag.
 Has anyone encountered similar issues, particularly the "Untitled" certificates or the "No App ID" message for the Push Console, after an account migration or when working with Organization accounts? Any insights on how to resolve this would be greatly appreciated.
 Thanks,
Benni

I am distributing a macOS application outside the App Store using Developer ID and need to provide provisioning profiles to customers for installation during the package installation process. I have two questions: How can I package and provide the provisioning profile(s) so that the customer can install them easily during the application installation process? Are there any best practices or tools that could simplify this step? In my case, there are multiple provisioning profiles. Should I instruct the customer to install each profile individually, or is there a way to combine them and have them installed all at once? Any guidance on the best practices for this process would be greatly appreciated.

Hi, I'm using Xcode 15.4. (always export as "Ad Hoc" with automatic signing) and just ran into a weird problem when I tried to run my app with the "play" button on a new iOS 18 iPhone: The build fails every time with the following error message in the "Signing & Capabilities" tab: Device "..." isnt' registered in your developer account. I added the iPhone's UDID to my developer account yesterday but I'm still getting the same error today. There's a "Register Device" button below the error message and when I click it, there are two new errors: There is a problem with the request entity: A device with number '...' already exists on this team. Provisioning profile "iOS Team Provisioning Profile: ...." doesn't include the currently selected device "...." (Identifier ...) The "try again" button below the first part doesn't do anything. How do I fix this?

We have created provisioning profile from apple developer account for our iPadOS app, the expiry date shown in the profile is 20-Aug-2026. However, when when I build the app with this provisional profile the expiry date shown in the app is 6-May-2026. My Certification expires on 2027. I see a embeded.mobileprovision profile inside the app, and it has an expiry of 6-May-2026. I did a clean build, cleared unnecessary profiles from profile folder, created a new provisional profile and tried, but nothing seems help. We have a few apps, and no other app has this issue, only those two apps have this issue. As the expiry date the shorten, we also need to special handle these two apps, Will you please help me to resolve this issue? Thanks.

I am trying to sign a enterprise app with provisioning profile which shows the tap to pay entitlement on Dev portal, but when downloaded on Xcode, it says the profile is missing the tap to pay capability and entitlement The capability was enabled by apple already, it was working fine until the provisioning profile got renewed.

Anyone know how long it takes to get Apple to respond to a request for provisioning for endpoint security?

I have added an in-app purchase function into my app, and have enabled in-app purchase profile in developer portal(it's on by default and is marked gray in developer portal, I don't know if that's how it supposed to look like). I have issued the agreements and tried signing the app both manually and automatically, but neither of that worked. App can be built successfully in simulator but does not show the simulation window, but cannot build on real device or archive. Errors: Missing com.apple.developer.in-app-purchase, com.apple.developer.in-app-purchase.non-consumable, and com.apple.developer.in-app-purchase.subscription entitlements. Automatic signing failed Xcode failed to provision this target.

Hi, I am developing a iOS app with Packet Tunnel Provider Network Extension. I manage signing manually. I created a distribution provisioning profile. Then when I archive and click "validate" I get this error: Your application bundle's signature contains code signing entitlements that are not supported on iOS. Specifically, value 'url-filter-provider' for key 'com.apple.developer.networking.networkextension' So I run security cms -D -i profiles/vpn_distribution.mobileprovision and I see there <key>Entitlements</key> <dict> <key>com.apple.developer.networking.networkextension</key> <array> <string>app-proxy-provider</string> <string>content-filter-provider</string> <string>packet-tunnel-provider</string> <string>dns-proxy</string> <string>dns-settings</string> <string>relay</string> <string>url-filter-provider</string> <string>hotspot-provider</string> </array> Where are those coming from. My entitlement file has <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.developer.networking.networkextension</key> <array> <string>packet-tunnel-provider</string> </array> <key>com.apple.security.application-groups</key> <array> <string>group.my-app-group</string> </array> </dict> </plist> What is happening here. How can I get a provisioning profile that only has the entitlements that I actually need?

I need to post an app so how do you do it

Hello, I would like to clarify how link association and app-opening preferences work in iOS, specifically when a user opens a URL in a browser that can be handled by an installed application. I have noticed the following behavior: When a user taps a URL that can be opened by an app, iOS sometimes asks whether to open the link in the app or continue in the browser. After choosing an option once (for example, "Open in App" or "Stay in Browser"), it seems that this preference becomes persistent. Even after deleting the application and reinstalling it, the browser (Safari or third-party browsers) sometimes continues to open the link directly in the browser without asking the user again. In some cases, it appears impossible to reset or clear this association, and the user is not prompted again to choose how the link should be opened. My questions are: How exactly does iOS store link-handling preferences between apps and browsers? Are these preferences saved on the system level, inside Safari, or associated with the app installation itself? Is there a way for a user to manually reset or clear these link-opening associations? Should deleting and reinstalling the app reset these preferences, or is the behavior expected to persist? Is this behavior different for Universal Links, App Clips, or for regular URL scheme associations? This situation is important for us because it affects user experience, and at the moment it is difficult to understand or reproduce the internal logic behind these link associations. Thank you in advance for your clarification.

I am encountering a cloud signing permission error when archiving and uploading an iOS app using Xcode with Automatically manage signing enabled. Xcode reports that it cannot access or create cloud-managed distribution certificates, and therefore cannot find any App Store provisioning profiles for either the main app target or an associated Notification Service Extension. The error message returned by Apple’s certificate API indicates that access to cloud-managed distribution certificates is forbidden. Error messages Cloud signing permission error You haven't been given access to cloud-managed distribution certificates. Please contact your team's Account Holder or an Admin to give you access. No profiles were found Xcode couldn't find any iOS App Store provisioning profiles matching the app or extension targets. Environment Xcode: 16.x Signing method: Automatic signing (App Store distribution) Apple Developer Program team with existing distribution certificates Apple ID role: Admin (recently upgraded from a lower role) What I have verified Automatic signing is enabled for all targets The correct team is selected Bundle identifiers are valid and already registered The app and extension exist in App Store Connect Distribution certificates already exist in the team (previously created manually) Observed behavior Xcode attempts to access cloud-managed distribution certificates Apple certificate service responds with a permission-denied error As a result, provisioning profiles cannot be generated automatically Question After being upgraded to an Admin role, is there a known delay or additional requirement before an account can access cloud-managed distribution certificates, especially for teams that previously used manually managed distribution certificates? Is there any recommended action (besides waiting or having the Account Holder perform an initial signing operation) to unblock automatic signing in this situation?

The profile expiration date is approaching, and no amount of inquiries will solve it. Create a new profile Download a new profile from Xcode Press archive, press Distribute App, press Enterprise, and distribute Invalid expiration date in profile of summary of review app.ipa content I've tried everything that comes out by Googleing profiles, such as regenerating profiles, erasing caches, updating Xcode, updating macOS, deleting existing profile information, etc. Expiration date different from the expiration date of the profile created in that menu is displayed. The expiration date of the profile I created is December 8, 2026, and the previous certificate is January 22, 2026. However, the profile information of the generated ipa is February 12, 2026. So I can't distribute this app because I'm scared, and the expiration date is coming up. Users should have a period of time to update. Get me a novice developer who's choking up.

Provisioning profile doesn't match the entitlements file's value for the com.apple.developer.nfc.hce.iso7816.select-identifier-prefixes entitlement. Although when we created the request, we added a list of AIDs which is the same as the list registered in Inof.plist <key>com.apple.developer.nfc.hce.iso7816.select-identifier-prefixes</key> <array> <string>XXXXXX</string> <string>XXXXXX</string> <string>XXXXXX</string> </array> How can we get a better message of diffs between them?

I've upgraded to a new Macbook recently, just when I was setting up my Xcode, I realized I there is a this red "X" showing up next to my development team as I was signing in to my account I have checked my permission on App Store Connect, everything seemed fine. I have also deleted my old Apple development certificate and requested for another one. Nothing worked.

Hi, I do have a strange behavior in my development environment on a Mac mini (M4) running 26.2 and Xcode 26.3. Everything was working as expected. My project had a stable state and I wanted to enable iCloud support. As result I could not run the app any more because code signing failed with the message that my profile does not include the above entitlement. On my notebook (M2) with XCode 26.3 everything is working. Im am using GIT and both computers have identical code. The code compiling and running on my notebook will not run any more on my Max mini. Any help to find what might have broken the code signing and how it could be fixed? Thanks in advance.

Hello, I'm working in the team with 70 i(Pad)OS test devices running 24/7, and 40 of them are iOS 18 or 26. The problem is: for enterprise apps to be tested (signed with ADEP inhouse profile) the devices over iOS 18 require Enterprise App developers to be allowed at least once with physical control on-device after reboot, which is quite burdensome because we put all the devices in the restricted area, supposed to be used from the remote. Devices are logged into Apple ID for the prevention of Activation Lock but no preparation nor management via MDM over Apple Configurator 2. Is there any binary, tool, app that can check (letting us allow devices for those developers would be even better) if the Enterprise App developer(s) are allowed for the device via terminal or VNC?