We have an app and we want to add tap to pay for Apple Pay. We'd also like to become a certified Payment Service Provider. What is the process to become a certified PSP?

We have integrated the card provisioning in Apple wallet for quite sometime now through an external processor and we got the App Entitlement for the same. Now we are building the card provisioning in Apple Wallet flow in our app. Though everything seems to work fine (including issuer certificates, nonce etc.) but when we are clicking on ADD button on card details screen, I am getting an error saying "Could Not Add Card". When I inspect the error from didFinishAddingPaymentPass, it reads "The operation couldn’t be completed. (PKPassKitErrorDomain error 2.)". Though the Apple documentation suggests it as an unsupportedVersionError but it does not say anything beyond that. I want more detailed explanation because of which I am getting this error

When integrating the Wallet Extension, after clicking my app icon from the "From Apps on Your iPhone" list, I encountered the message: "Cannot Add Card. '***' is not responding. Wait a few minutes and try again. If the problem continues, contact the card issuer's customer service" instead of the configured login page appearing as expected. What could be causing this issue, and how should I resolve it?

When running the test app with test flight before actually opening the app, the execution region is Korea and the country code is Korea, but the currency code on the payment screen is displayed as dollars or euros instead of won. In the payment settings, the currency code is set to won for Korea and dollars for the United States, and the European region is not set at all, but in some phones it is displayed as euros, and in some phones it is not like this, and in some cases it is displayed as won normally.

Hi All, We operate a store with a single domain but multiple merchants, some of whom use PayPal as their payment gateway, while others use Stripe. We are looking to introduce Apple Pay for the various merchants. From what I understand, a .well-known file is required for each merchant to enable Apple Pay. How can we implement this, given that our merchants are using different payment gateways? Best regards, Joe

Dear Apple team and developers, We integrated Apple Pay E-Commerce on our system and made successful transaction at January using following certificates. Merchant Identity Certificate (generated from our Apple developer account) Payment Processing Certificate (generated from our Apple developer account) Payment Session Server Certificate (used following command and generated from apple-pay-gateway-cert.apple.com:443 test URL) Command: openssl s_client -connect apple-pay-gateway-cert.apple.com:443 -key MIC_priv.key -cert MIC_merchant_id.pem -showcerts | openssl x509 -outform DER > apay_ident_trusted_cert_test.der Root CA G3 (Downloaded “Apple Root CA – G3 Root” from https://www.apple.com/certificateauthority/ ) But at this month, we got new certificate problem (please check following) when we try to execute Apple Pay E-Commerce transaction. Certificate 'C=US,O=Apple Inc.,OU=Apple Certification Authority,CN=Apple Application Integration CA - G3' is not valid Certificate. What is this certificate? And Where can I download or generate this certificate from? Could you please advise/give us good information for this certificate problem? Best Regards, Bilguun Enkhbaatar

We are on a .NET ecommerce site hosted on AWS on a windows 2012R2 server. We have apple pay for the web integrated on the site and the certificates (merchant id and apple pay) were set to expire shortly. We created a new merchant id and apple pay cert, however we are now stuck as the new merchant ID certificate doesn't appear to be working although the old one did. Note there have been no code changes. Basically the apple pay process is failing on the merchant validation. Here are the steps we took: Created a CSR in Keychain Access Generated a Merchant ID cert in the Apple Developer account with that CSR. Imported the Merchant ID cert back into Keychain Access and exported as a p12 file the cert and the private key used to generate the CSR. Imported the p12 file into Windows 2012 R2. I can see in our debugging that the new certificate is being loaded but a SSL/TSL connection couldn't be made. So it seems there is an issue with the cert. Has anyone encountered this? I'm out of ideas at this point and under a lot of pressure from management to fix what was supposed to be a routine maintenance issue. If anyone has any ideas, that would be greatly appreciated.

I ran into a problem. When using Storekit1 to purchase an SKU, the user payment was successful, but StoreKit1 did return paymentCancelled to my App. I would like to know under what circumstances this problem may occur? How do I fix it? Thank you

Hi, I am experiencing an issue with in-app subscriptions in my React Native application known-singles, using the react-native-iap library. When a user subscribes to a plan, the transaction executes successfully, and a receipt is returned. However, the transaction remains in a pending state indefinitely and does not update. Additionally, the transaction amount is not deposited into my bank account, even though all banking details are correctly set up in App Store Connect. We have thoroughly debugged the issue on our end but could not identify the cause. TestFlight transactions complete successfully, but real purchases remain stuck in pending status. Here are the relevant details of our implementation: React Native version: 0.60.4 react-native-iap version: 4.2.2 Could you please assist in resolving this issue? Any guidance on why transactions are not being completed and why payouts are not being processed would be greatly appreciated. Looking forward to your support.

I'm developing a macOS application that tracks the duration of a user's session using a timer, which is displayed both in the main window and in an menu bar extra view. I have a couple of questions regarding the timer's behavior: What happens to the timer if the user closes the application's window (causing the app to become inactive) but does not fully quit it? Does the timer continue to run, pause, or behave in some other way? Will the app nap feature stop the timer when app is in-active state? When the application is inactive and the system is either in sleep mode or locked, does the timer’s tolerance get affected? In other words, will the timer fire with any additional delay compared to its scheduled time under these conditions?

DEVICE:iphone 13 SYSTEM:ios 18.3.2 DESCIRBE:The app has been installed, but it flashback when opened and the dot will always exist. How to solve the problem?

Dear Apple Team, I am facing an issue with UDP networking in my watchOS app for duplex audio streaming using NWConnection. I have already added the necessary capabilities, including background mode for audio, to ensure smooth operation. Issue Details: The UDP connection works fine on the simulator since it uses macOS networking and allows low-level access. However, on a real Apple Watch (running watchOS 10), the connection remains in a "waiting" state and fails with Error 50. I am aware of Technical Note TN3135 regarding low-level networking on watchOS, but even after following these guidelines, the issue persists. Questions: Does watchOS impose additional restrictions on UDP networking compared to iOS/macOS? Are there any specific entitlements or configurations required to allow UDP connections on a real Apple Watch? Is there a workaround or debugging method to get more insights into why the connection fails? I would appreciate any guidance or recommendations on resolving this issue.

I'm developing a per-app VPN iOS app with Wireguard. For that, I created a configuration file with payload type "com.apple.vpn.managed.applayer". Using the MDM server I installed some apps which need to use the VPN connection. But when I open these apps, I could see the VPN getting enabled in the device. The VPN icon appears on the notification bar but no internet connection. The VPN and internet is working correctly if I change the payload type to "com.apple.vpn.managed" in configuration file.

We have a NEFilterDataProvider extension that intercepts all TCP and UDP IPv4/6 traffic. At times just after wakeup from sleep, it causes internet access issues, such as showing "This site can't be reached" when opening websites. The traffic is not being dropped by the extension. According to the logs, the connection is being closed after approximately 4 minutes. During the issue, the flow logs are as follows: Flow 515129771 is connecting New flow: NEFlow type = stream, app = com.google.Chrome.helper... Detaching, ref count = 2 (logged after ~4 minutes) Sending close, how = 2 Removing from group 2, ref count = 2 Destroying, app tx 0, tunnel tx 0, tunnel rx 0 Closing reads, not closed by plugin Closing writes, not sending close Any suggestions on the possible cause and how to further debug it?

Please consider this trivial C code which deals with BSD sockets. This will illustrate an issue with sendto() which seems to be impacted by the recent "Local Network" restrictions on 15.3.1 macos. #include <stdio.h> #include <stdlib.h> #include <netinet/in.h> #include <arpa/inet.h> #include "sys/socket.h" #include <string.h> #include <unistd.h> #include <ifaddrs.h> #include <net/if.h> // prints out the sockaddr_in6 void print_addr(const char *msg_prefix, struct sockaddr_in6 sa6) { char addr_text[INET6_ADDRSTRLEN] = {0}; printf("%s%s:%d, addr family=%u\n", msg_prefix, inet_ntop(AF_INET6, &sa6.sin6_addr, (char *) &addr_text, INET6_ADDRSTRLEN), sa6.sin6_port, sa6.sin6_family); } // creates a datagram socket int create_dgram_socket() { const int fd = socket(AF_INET6, SOCK_DGRAM, 0); if (fd < 0) { perror("Socket creation failed"); return -1; } return fd; } // returns a string representing the current local time char *current_time() { time_t seconds_since_epoch; time(&seconds_since_epoch); char *res = ctime(&seconds_since_epoch); const size_t len = strlen(res); // strip off the newline character that's at the end of the ctime() output res[len - 1] = '\0'; return res; } // Creates a datagram socket and then sends a messages (through sendto()) to a valid // multicast address. This it does two times, to the exact same destination address from // the exact same socket. // // Between the first and the second attempt to sendto(), there is // a sleep of 1 second. // // The first time, the sendto() succeeds and claims to have sent the expected number of bytes. // However system logs (generated through "log collect") seem to indicate that the message isn't // actually sent (there's a "cfil_service_inject_queue:4466 CFIL: sosend() failed 65" in the logs). // // The second time the sendto() returns a EHOSTUNREACH ("No route to host") error. // // If the sleep between these two sendto() attempts is removed then both the attempts "succeed". // However, the system logs still suggest that the message isn't actually sent. int main() { printf("current process id:%ld parent process id: %ld\n", (long) getpid(), (long) getppid()); // valid multicast address as specified in // https://www.iana.org/assignments/ipv6-multicast-addresses/ipv6-multicast-addresses.xhtml const char *ip6_addr_str = "ff01::1"; struct in6_addr ip6_addr; int rv = inet_pton(AF_INET6, ip6_addr_str, &ip6_addr); if (rv != 1) { fprintf(stderr, "failed to parse ipv6 addr %s\n", ip6_addr_str); exit(EXIT_FAILURE); } // create a AF_INET6 SOCK_DGRAM socket const int sock_fd = create_dgram_socket(); if (sock_fd < 0) { exit(EXIT_FAILURE); } printf("created a socket, descriptor=%d\n", sock_fd); const int dest_port = 12345; // arbitrary port struct sockaddr_in6 dest_sock_addr; memset((char *) &dest_sock_addr, 0, sizeof(struct sockaddr_in6)); dest_sock_addr.sin6_addr = ip6_addr; // the target multicast address dest_sock_addr.sin6_port = htons(dest_port); dest_sock_addr.sin6_family = AF_INET6; print_addr("test will attempt to sendto() to destination host:port -> ", dest_sock_addr); const char *msg = "hello"; const size_t msg_len = strlen(msg) + 1; for (int i = 1; i <= 2; i++) { if (i != 1) { // if not the first attempt, then sleep a while before attempting to sendto() again int num_sleep_seconds = 1; printf("sleeping for %d second(s) before calling sendto()\n", num_sleep_seconds); sleep(num_sleep_seconds); } printf("%s attempt %d to sendto() %lu bytes\n", current_time(), i, msg_len); const size_t num_sent = sendto(sock_fd, msg, msg_len, 0, (struct sockaddr *) &dest_sock_addr, sizeof(dest_sock_addr)); if (num_sent == -1) { fprintf(stderr, "%s ", current_time()); perror("sendto() failed"); close(sock_fd); exit(EXIT_FAILURE); } printf("%s attempt %d of sendto() succeeded, sent %lu bytes\n", current_time(), i, num_sent); } return 0; } What this program does is, it uses the sendto() system call to send a message over a datagram socket to a (valid) multicast address. It does this twice, from the same socket to the same target address. There is a sleep() of 1 second between these two sendto() attempts. Copy that code into noroutetohost.c and compile: clang noroutetohost.c Then run: ./a.out This generates the following output: current process id:58597 parent process id: 21614 created a socket, descriptor=3 test will attempt to sendto() to destination host:port ->ff01::1:14640, addr family=30 Fri Mar 14 20:34:09 2025 attempt 1 to sendto() 6 bytes Fri Mar 14 20:34:09 2025 attempt 1 of sendto() succeeded, sent 6 bytes sleeping for 1 second(s) before calling sendto() Fri Mar 14 20:34:10 2025 attempt 2 to sendto() 6 bytes Fri Mar 14 20:34:10 2025 sendto() failed: No route to host Notice how the first call to sendto() "succeeds", even the return value (that represents the number of bytes sent) matches the number of bytes that were supposed to be sent. Then notice how the second attempt fails with a EHOSTUNREACH ("No route to host") error. Looking through the system logs, it appears that the first attempt itself has failed: 2025-03-14 20:34:09.474797 default kernel cfil_hash_entry_log:6082 <CFIL: Error: sosend_reinject() failed>: [58597 a.out] <UDP(17) out so 891be95f3a70c605 22558774573152560 22558774573152560 age 0> lport 0 fport 12345 laddr :: faddr ff01::1 hash 1003930 2025-03-14 20:34:09.474806 default kernel cfil_service_inject_queue:4466 CFIL: sosend() failed 65 (notice the time on that log messages, they match the first attempt from the program's output log) So even though the first attempt failed, it never got reported back to the application. Then after sleeping for (an arbitrary amount of) 1 second, the second call fails with the EHOSTUNREACH. The system logs don't show any error (at least not the one similar to that previous one) for the second call. If I remove that sleep() between those two attempts, then both the sendto() calls "succeed" (and return the expected value for the number of bytes sent). However, the system logs show that the first call (and very likely even the second) has failed with the exact same log message from the kernel like before. If I'm not wrong then this appears to be some kind of a bug in the "local network" restrictions. Should this be reported? I can share the captured logs but I would prefer to do it privately for this one. Another interesting thing in all this is that there's absolutely no notification to the end user (I ran this program from the Terminal) about any of the "Local Network" restrictions.

I'd like to set the recordingYear in my Spotlight File Importer extension but the property is missing from CSSearchableItemAttributeSet e.g. in the resulting in mdls I'd like to see: kMDItemRecordingYear = 2008; This would allow me to search in Finder by the recording year criteria. There is a recordingDate property and I tried setting it to Date that only has a year but it didn't work. It just resulted in this: kMDItemRecordingDate = "2008-01-01 00:00:00 +0000";

I'm unable to have stickers show in messages even with a new iOS app and a sticker pack extension target. I do see the iMessage App Icon but after tapping it nothing shows and I see a warning: "Error creating the CFMessagePort needed to communicate with PPT" This was tested on simulator and on real device. Xcode 16.1 (16B40) iOS 18.1 & 18.2

I'm developing a ticket app with Host card emulation. The session starts correctly the first time, but when trying to emulate a second ticket, after the first one has been read by the reader, or after the emulation has been canceled by the user, it doesn't work correctly for a while. This is my CardSessionManager: import CoreNFC @available(iOS 17.4, *) class CardSessionManager { private static var cardSession: CardSession? = nil private static var presentmentIntent: NFCPresentmentIntentAssertion? = nil static func initCardSession(_ accessCode: String) { cardSession?.invalidate() cardSession = nil let ProcessAPDU: (_: Data) -> Data = { capdu in var response = Data(accessCode.utf8) response.append(0x90) response.append(0x00) return response } Task { guard NFCReaderSession.readingAvailable, CardSession.isSupported, await CardSession.isEligible else { return } do { presentmentIntent = try await NFCPresentmentIntentAssertion.acquire() cardSession = try await CardSession() } catch { return } if let cardSession { for try await event in cardSession.eventStream { switch event { case .sessionStarted: cardSession.alertMessage = String(localized: "Searching reader...") try await cardSession.startEmulation() case .readerDetected: cardSession.alertMessage = String(localized: "Reading...") case .readerDeselected: cardSession.alertMessage = String(localized: "Successful reading!") await cardSession.stopEmulation(status: .success) case .received(let cardAPDU): cardSession.alertMessage = String(localized: "Communicating with reader.") do { try await cardAPDU.respond(response: ProcessAPDU(cardAPDU.payload)) } catch { cardSession.alertMessage = error.localizedDescription } case .sessionInvalidated(reason: _): cardSession.alertMessage = String(localized: "Ending communication with reader.") presentmentIntent = nil @unknown default: break } } } } } }

A team observed lots of timeouts from the Apple Pay session endpoint: https://apple-pay-gateway-cert.apple.com/paymentservices/paymentSession Is it expected or some kind of an implementation issue from the caller side? Thanks!

So if one were to start the attempt of porting an existing kext VFS filesystem, to use the new FSKit (Since presumably kexts could go away), how would that look now? Is it ready? Are there any samples out there that already works (Filesystem using FSKit) ? How is the documentation? ChatGPT did not seem to know much at all. What would be Apple's reception to that? How flexible is FSKit ? Is it locked to the idea of a mount is connected to a physical device (or partition)? Or is it more virtual, in that I will have a pool of disks, and present 1, or many, mount points?