App Groups Entitlement: ad hoc signing

On macOS, I know that App Groups (com.apple.security.application-groups) do not require a provisioning profile.

I was wondering if it's possible to sign them "ad hoc" and have it work? So maybe use a random TEAMID prefix and have it work?

I would only need the app to work locally (for testing), not be distributed in that fashion, of course.

Accepted Answer

App groups are used for a variety of different things. If you’re specifically interested in accessing an app group container then, no, this won’t work. App group container protection, introduced in macOS 15, is based on your Team ID. See App Groups: macOS vs iOS: Fight! for more on that.

I would only need the app to work locally (for testing

I generally recommend development signing (so an Apple Developer: TTT code signing identity) for day-to-day work. That’s the best balance between convenience and good integration with Apple’s APIs.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I am trying to explore this a bit further, just to make sure. I understand with your answer that I cannot use an adhoc profile.

However, could I create a self-signed certificate, add a team ID to this self-signed certificate, and sign the app with this?

I tried to do this, but the binary still appears with "team id=not set".

Is there any way to force setting the team id, from a self-signed certificate?

Be careful when using the word ad hoc in the context of code signing and distribution. There’s a difference between:

  • Ad-hoc code signing, a macOS technology that allows code to be signed without a digital identity.

  • Ad Hoc distribution, an iOS technology for distributing apps outside of the App Store.

The latter relies on Ad Hoc provisioning profiles. The former can’t use a provisioning profile because there’s no way to tie the code to its profile. That’s done via the App ID, as explained in TN3125 Inside Code Signing: Provisioning Profiles.

Is there any way to force setting the team id, from a self-signed certificate?

No. Team IDs only make sense in the context of a code-signing identity whose certificate was issued by Apple.

Again, I recommend that you use an Apple Development code-signing identity for day-to-day development.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
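
Added example, not part of any post in this thread: a shell helper that reads `codesign -d --verbose=2` output and reports whether code is ad-hoc signed, signed without a Team ID (the self-signed case described above), or carries a Team ID, and then checks a Team-ID-prefixed app group name against it. The sample outputs, the Team ID `ABCDE12345`, the certificate names and the group names are constructed; the helper only reports what the signature says.

```shell
#!/bin/sh
# Constructed samples of `codesign -d --verbose=2` output, trimmed to the relevant lines.
SAMPLE_ADHOC='Identifier=com.example.demo
Signature=adhoc
TeamIdentifier=not set'

SAMPLE_SELF_SIGNED='Identifier=com.example.demo
Authority=My Local Test Cert
TeamIdentifier=not set'

SAMPLE_DEV='Identifier=com.example.demo
Authority=Apple Development: Jane Doe (XXXXXXXXXX)
TeamIdentifier=ABCDE12345'

# Reads codesign display output on stdin; prints adhoc, no-team-id, or team:<ID>.
classify_signature() {
    awk -F= '
        $1 == "Signature" && $2 == "adhoc" { adhoc = 1 }
        $1 == "TeamIdentifier"             { team = $2 }
        END {
            if (adhoc) print "adhoc"
            else if (team == "" || team == "not set") print "no-team-id"
            else print "team:" team
        }'
}

# app_group_matches GROUP: codesign output on stdin. Succeeds only when the
# signature carries a Team ID and GROUP starts with "<TeamID>.".
app_group_matches() {
    verdict=$(classify_signature)
    case "$verdict" in
        team:*) team=${verdict#team:} ;;
        *)      return 1 ;;   # ad-hoc or self-signed: no Team ID to match
    esac
    case "$1" in
        "$team".?*) return 0 ;;
        *)          return 1 ;;
    esac
}

# On a Mac (codesign -d writes its report to stderr):
#   codesign -d --verbose=2 MyApp.app 2>&1 | classify_signature
```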
