You can now easily request access to managed capabilities for your App IDs directly from the new Capability Requests tab in Certificates, Identifiers & Profiles > Identifiers. With this update, view available capabilities in one convenient location, check the status of your requested capabilities, and see any notes from Apple related to your requests. Learn more about capability requests.

General: Forums topic: Code Signing Forums subtopics: Code Signing > General, Code Signing > Certificates, Identifiers & Profiles, Code Signing > Notarization, Code Signing > Entitlements Forums tags: Code Signing, Signing Certificates, Provisioning Profiles, Entitlements Developer Account Help — This document is good in general but, in particular, the Reference section is chock-full of useful information, including the names and purposes of all certificate types issued by Apple Developer web site, tables of which capabilities are supported by which distribution models on iOS and macOS, and information on how to use managed capabilities. Developer > Support > Certificates covers some important policy issues Bundle Resources > Entitlements documentation TN3125 Inside Code Signing: Provisioning Profiles — This includes links to the other technotes in the Inside Code Signing series. WWDC 2021 Session 10204 Distribute apps in Xcode with cloud signing Certificate Signing Requests Explained forums post --deep Considered Harmful forums post Don’t Run App Store Distribution-Signed Code forums post Resolving errSecInternalComponent errors during code signing forums post Finding a Capability’s Distribution Restrictions forums post Signing code with a hardware-based code-signing identity forums post New Capabilities Request Tab in Certificates, Identifiers & Profiles forums post Isolating Code Signing Problems from Build Problems forums post Investigating Third-Party IDE Code-Signing Problems forums post Determining if an entitlement is real forums post Code Signing Identifiers Explained forums post Mac code signing: Forums tag: Developer ID Creating distribution-signed code for macOS documentation Packaging Mac software for distribution documentation Placing Content in a Bundle documentation Embedding nonstandard code structures in a bundle documentation Embedding a command-line tool in a sandboxed app documentation Signing a daemon with a restricted entitlement documentation Defining launch environment and library constraints documentation WWDC 2023 Session 10266 Protect your Mac app with environment constraints TN2206 macOS Code Signing In Depth archived technote — This doc has mostly been replaced by the other resources linked to here but it still contains a few unique tidbits and it’s a great historical reference. Manual Code Signing Example forums post The Care and Feeding of Developer ID forums post TestFlight, Provisioning Profiles, and the Mac App Store forums post For problems with notarisation, see Notarisation Resources. For problems with the trusted execution system, including Gatekeeper, see Trusted Execution Resources. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"

I have an IME for Indic languages that I currently distribute outside of the Mac App Store because it does not seem to be supported. IMEs needs to be installed under /Library/Input Methods/ which I believe is not allowed for App Store apps. I could distribute it as an embedded helper app within my larger distribution app that I then install on start up - but I believe even that is not allowed. Is there a sanctioned way to distribute IMEs via the Mac App Store? The iOS store has support which I was able to use effectively.

I've tried to notarize my app recently and got the error:{ "logFormatVersion": 1, "jobId": "...", "status": "Rejected", "statusSummary": "Team is not yet configured for notarization", "statusCode": 7000, "archiveFilename": "myapp.dmg", "uploadDate": "2019-06-20T06:24:53Z", "sha256": "...", "ticketContents": null, "issues": null }I've never heard about "team configuration for notarization" previously. What are the steps to resolve that issue?Thanks in advance.

Hi everyone, I'm developing a macOS app using Tauri 2. I need to test In-App Purchases (IAP), which requires running the actual built .app (it doesn't work properly in the development environment).I tried two approaches: Apple Development Certificate (free account): After cargo tauri build, the app "Mind Elixir.app" shows this error when I try to open it: “Mind Elixir.app” was not opened because it contains malware. This action did not harm your Mac. Apple Distribution Certificate: The app builds successfully, but because it is not notarized, Gatekeeper completely blocks it and I cannot open it at all. I just want to test IAP locally on my own Mac during development. Is there any other way to get a properly signed and runnable .app for testing IAP? Any help or workaround would be greatly appreciated. Thanks!

I’m looking for guidance on a notarization submission that has been stuck in In Progress for over 24 hours. Details: Team ID: 94B7AVM73F Certificate: Developer ID Application: Bilal Ahmed Qureshi (94B7AVM73F) Tool: xcrun notarytool File: FlashcardGeneratorTrial-AppleSilicon.dmg Submission ID: 7817f9d0-32da-452f-9e2d-fff43478ccf6 Submission created: 2026-04-17T22:10:01.402Z Current status: xcrun notarytool info still reports In Progress This has now been ongoing for more than 24 hours The submission uploaded successfully and received a valid submission ID The Developer ID certificate is valid and correctly paired with the private key in Keychain security find-identity -v -p codesigning returns 1 valid identity Environment: First-time notarization on this developer account macOS direct distribution outside the Mac App Store DMG signed with Developer ID Application certificate Hardened runtime and timestamp enabled during signing I’ve seen some other recent reports of long notarization delays, especially for first-time submissions, so I’m trying to understand whether this is expected queueing / in-depth analysis, or whether there may be an issue with this specific submission. Questions: Is this normal for a first notarization on a new Developer ID account? Is there anything I should do besides wait? Can Apple check whether this submission is stuck in the queue? Thanks.

Hello, I'm submitting my first macOS app for notarization from a new Developer ID team. All three submissions have been stuck at "In Progress" for several hours now. notarytool log returns "Submission log is not yet available" for all of them. Submission IDs: 39856e43-46ee-45ed-b1c7-771fb6603258 (submitted 2026-04-18T10:00 UTC) 3edf2f4f-cbaf-4e14-ba3b-c1b4e111827e (submitted 2026-04-18T10:03 UTC) 858c52e7-3386-41a8-8fee-a31c49980319 (submitted 2026-04-18T10:25 UTC) Details: This is the first notarization attempt for this Developer ID team App is signed with Developer ID Application certificate, hardened runtime enabled codesign --verify --deep --strict passes All nested code (including Sparkle framework helpers) is properly signed Only public system frameworks are linked (IOKit, AppKit, Foundation, etc.) Entitlements: app-sandbox + Sparkle mach-lookup exceptions only No private API usage Is this expected for first-time submissions, or could someone check the backend queue status for these submissions? Any guidance appreciated.

This is my first time submitting an app for notarization. Both submissions have been stuck "In Progress" with no logs available. Body: This is my first time submitting an app for notarization. Both submissions have been stuck "In Progress" with no logs available. Submission 1: ID: 43ea68c1-5291-42c6-b0e1-3cacab4ca01a Submitted: 2026-04-09T02:05:34Z Status: In Progress (15+ hours) Submission 2: ID: 12ea49a0-64cf-495e-af7e-9aad5aabe30f Submitted: 2026-04-09T17:06:51Z Status: In Progress (1+ hour) Details: Team ID: PWTWN9N25D App: Native macOS SwiftUI app (arm64), ~84 MB zipped Signed with Developer ID Application certificate, Hardened Runtime enabled All embedded helper binaries individually codesigned with Hardened Runtime codesign --verify --deep --strict passes Submitted via xcrun notarytool submit with --keychain-profile notarytool log returns "not yet available" for both Apple System Status shows all services available

Hello, I have a question regarding Apple's policy on third-party SDK signatures. I have reviewed the official documentation here: https://developer.apple.com/support/third-party-SDK-requirements/ Our app is developed in the following environment: Minimum Target: iOS 15 Xcode: 26.2 Engine: Unreal Engine 4.27.2 We are integrating the Firebase SDK into our project. However, we are experiencing app crashes caused by an issue within the GoogleAdsOnDeviceConversion.xcframework included in the Firebase SDK (related to a memory optimization issue in UE4). According to an official response from the Firebase team, this crash can be resolved by wrapping the Firebase SDK in a dynamic XCFramework. We have confirmed that this solution does indeed fix the crash. The problem is that wrapping the Firebase SDK in a custom dynamic XCFramework removes all of the original Firebase SDK signatures. The documentation on third-party SDK signatures, which I referenced earlier, states that a signature is required for the Firebase SDK, and this requirement also applies when repackaging it. This leads me to the following questions: Question 1: When we wrap and repackage the Firebase SDK, is it mandatory for the resulting XCFramework to still include the original Google LLC signature? Question 2: To resolve the crash, we intend to use the Firebase SDK by wrapping it in our own dynamic XCFramework (e.g., FirebaseWrapper.xcframework). When we do this, the resulting XCFramework loses the Google LLC signature, and consequently, the final built IPA's signature list does not contain any Firebase-related signatures. Will this be a reason for rejection during App Store review? Question 3: If we wrap the Firebase SDK in a dynamic XCFramework and then sign it with our own developer certificate, would this be a reason for rejection during App Store review?

Hi, I’ve been successfully using notarization with notarytool for over a month (20+ submissions, all accepted within minutes). On April 4th around 07:30 (UTC), my last submissions were accepted without any issue: createdDate: 2026-04-04T07:29:08.877Z id: 38d6e6e0-1183-4fe8-ae4a-3036e1f0f025 name: MacOptimizers.dmg status: Accepted -------------------------------------------- createdDate: 2026-04-04T07:26:36.357Z id: 2abf8289-6e00-4b16-9991-fbda7e66a179 name: macopt_notary_payload.UdtfA3 status: Accepted -------------------------------------------- Later that same day (around 16:30 UTC), after minor bug fixes and UI changes, I submitted a new build. Since then, all notarization requests remain stuck in “In Progress” for more than 48 hours: -------------------------------------------- createdDate: 2026-04-05T07:13:03.369Z id: b4872e7a-e2b5-485e-9223-09f3ed94958f name: macopt_notary_payload.mZls1y status: In Progress -------------------------------------------- createdDate: 2026-04-04T20:07:35.937Z id: 375408f2-3c0a-455e-88a1-9cd08ce7dc35 name: macopt_notary_payload.CvrZNt status: In Progress -------------------------------------------- createdDate: 2026-04-04T17:09:47.481Z id: dad888b3-6aff-4c54-9608-da1f86e44db7 name: macopt_notary_payload.IH0RDr status: In Progress -------------------------------------------- createdDate: 2026-04-04T16:28:03.086Z id: 9e129b21-e682-48ce-baa7-8d2d77051bac name: macopt_notary_payload.GsrSa6 status: In Progress No errors are returned, and notarytool log is not yet available. Is this expected behavior (e.g. extended review), or could there be an issue affecting notarization for my team? Thanks for your help.

Hello! We built a macOS .pkg using pkgbuild (contains a DMG + postinstall bash script). The pkg works locally on the build machine but fails on other devices manually / via MDM unless signed. We tried signing with a Developer ID Installer certificate, but: security find-identity -p codesigning -v → 0 valid identities security find-identity -v → shows the cert Private key is present in Keychain OpenSSL check shows: X509v3 Extended Key Usage: Critical (Expected one might be: Code Signing) We recreated CSR + cert multiple times (G2 Sub-CA), ensured Login keychain, unlocked keychain, etc., but same result. Question: Why is the Developer ID Installer cert missing Code Signing usage and not recognized for signing? Is there any account restriction or step we might be missing? Any recommendations on resolving this issue. Thanks!

I've successfully signed Unix apps manually in the past. Today (after signing the new agreement) I can get it to replace the existing signature but it says "rejected" when I check it. Here are the commands I'm using: michaelleahy@Michaels-Mini ~ % sudo codesign --force --deep --options runtime --sign "Developer ID Application: Bookup Corp. (6J8PUT****)” /Users/michaelleahy/Documents/theapp /Users/michaelleahy/Documents/theapp: replacing existing signature michaelleahy@Michaels-Mini ~ % spctl -a -vvvv -t install /Users/michaelleahy/Documents/theapp /Users/michaelleahy/Documents/theapp: rejected source=Unnotarized Developer ID origin=Developer ID Application: Bookup Corp. (6J8PUT****) Here is a command (issued right after the one above) showing an older signed app is accepted: michaelleahy@Michaels-Mini ~ % spctl -a -vvvv -t install /Users/michaelleahy/Documents/olderapp /Users/michaelleahy/Documents/olderapp: accepted source=Notarized Developer ID origin=Developer ID Application: Bookup Corp. (6J8PUT****) What might I be missing? Something changed since the last time I signed an app.

Hi, All notarization submissions for our new Electron macOS app have been stuck in "In Progress" for over 24 hours, with no logs available. Environment: Team ID: T7632V8V2D Certificate: Developer ID Application (valid, identity 83AC47F44D984509D5530439DD32729076B84982) Tool: xcrun notarytool submit (Xcode CLI) App: Electron 33, signed with hardened runtime, entitlements include allow-jit and allow-unsigned-executable-memory File: zip of .app (~236MB for arm64, ~104MB for x64) codesign --verify --deep --strict passes with no issues Apple System Status shows "Developer ID Notary Service: Available" Stuck submissions (all "In Progress", no logs available): ea0fd8d4-1f2d-4266-aa84-aa3f3ba9a8fb (Apr 8, 09:40 UTC) dfaacdd2-1a11-4844-b8b7-b07bae809a7b (Apr 7, 16:49 UTC) 8256e1f0-e501-4423-8744-35b5b78ec87f (Apr 7, 10:32 UTC) a477d536-d84a-4c25-99ca-d125e0a22de1 (Apr 7, 09:07 UTC) This is our first time notarizing any app on this developer account. We understand first-time submissions may be routed to in-depth analysis, but 24+ hours with no progress on any of the 4 submissions seems unusual. Could someone from Apple check our team's queue status? Any guidance would be appreciated. Thank you.

Our team (AI Eesti OU, Team ID: W4WXCM4DLL) submitted our first app for notarization and both submissions have been stuck "In Progress" for over 20 hours. Submission IDs: 7433a69a-af1a-463a-a9fc-c80526eb6eab (submitted 2026-04-06 19:11 UTC) d033e2f1-9b33-4b7d-8f8d-271c99f1c61c (submitted 2026-04-06 21:03 UTC) The app is signed with Developer ID Application, hardened runtime enabled, and codesign --verify --deep --strict passes. This is our first notarization submission as a new team. Is this expected for first-time submissions, or is something stuck?

We have an app with the default email entitlement that was granted several years ago. During our latest deployment, we received an error from our pipeline. When testing a manual submission in Xcode, we saw this error: Entitlement com.apple.developer.mail-client not found and could not be included in profile. This likely is not a valid entitlement and should be removed from your entitlements file. We checked the provisioning profile, and the default email entitlement is still present. It is visible on the certificate portal and also in the embedded.mobileprovision file. Can you suggest what we can do to release a new version of our app?

I signed all the agreements yesterday what is going on Agreements Apple Developer Program License Agreement Issued March 30, 2026. Accepted April 5, 2026. Apple Developer Agreement Issued June 7, 2015. Accepted December 29, 2017. Uploading the disk image for notarization... Error: HTTP status code: 403. Error: HTTP status code: 403. A required agreement is missing or has expired. This request requires an in-effect agreement that has not been signed or has expired. Ensure your team has signed the necessary legal agreements and that they are not expired. `notarytool` command status: 1 notarytool returned no output at all. Error output: > > Error: HTTP status code: 403. A required agreement is missing or has expired. This request requires an in-effect agreement that has not been signed or has expired. Ensure your team has signed the necessary legal agreements and that they are not expired. > >

Hello! All notarization submissions for our team (i.e., me) have been stuck "In Progress" since my first attempt on 2026-03-31. This includes a trivial Hello World CLI binary (single print statement, ~8KB), confirming the issue is account/team-level, not related to package content. Team ID: KK4X4YSB8V (Selitic B.V.) This is our first time notarizing. Binary is properly signed with Developer ID Application certificate, hardened runtime enabled, valid timestamp. codesign --verify and spctl pass locally. Submission history (all stuck): Successfully received submission history. history -------------------------------------------------- createdDate: 2026-04-01T11:29:01.416Z id: 39f5e536-d1a6-429b-947d-1a3ac497c03d name: hello-test2.zip status: In Progress -------------------------------------------------- createdDate: 2026-04-01T09:21:47.585Z id: 46322e0f-026c-4b9d-ab1f-d15d7013c6c6 name: hello-test.zip status: In Progress -------------------------------------------------- createdDate: 2026-04-01T07:23:47.576Z id: 8199ab8c-7897-461e-8a85-329d3eb22568 name: nekode-notarize.zip status: In Progress -------------------------------------------------- createdDate: 2026-04-01T05:49:10.593Z id: 410ebd83-8f7d-436a-b30e-2106e9847b2a name: nekode-notarize.zip status: In Progress -------------------------------------------------- createdDate: 2026-04-01T05:48:52.555Z id: 3d096415-46f9-4743-9dee-692f1c359249 name: nekode-notarize.zip status: In Progress -------------------------------------------------- createdDate: 2026-03-31T20:07:52.318Z id: a0e2e5a5-e0ea-4815-86d4-d1c335c4680a name: nekode-notarize.zip status: In Progress -------------------------------------------------- createdDate: 2026-03-31T20:07:15.593Z id: 1684585c-c454-479d-add6-7fd33ae8da2a name: nekode-notarize.zip status: In Progress notarytool log returns "Submission log is not yet available" for all submissions, indicating Apple's backend has not started processing. No pending agreements visible on developer.apple.com/account. Certificate is valid (expiry 2031). Could someone check the backend queue status for my team? Any guidance appreciated.

Hi, I’m hoping someone can help clarify the correct entitlement format for the Enhanced Security capability in a macOS App Store build. Context Our app is a sandboxed macOS app built with Xcode 26.4. We enabled the Enhanced Security capability in Signing & Capabilities, and we configured the entitlements based on the current documentation. What’s confusing me The Xcode 26.4 release notes say apps that already adopted Enhanced Security should remove: com.apple.security.hardened-process.enhanced-security-version com.apple.security.hardened-process.platform-restrictions and replace them with: com.apple.security.hardened-process.enhanced-security-version-string with value 1 com.apple.security.hardened-process.platform-restrictions-string with value 2 Reference: https://developer.apple.com/documentation/xcode-release-notes/xcode-26_4-release-notes The entitlement reference pages also seem consistent with that: https://developer.apple.com/documentation/bundleresources/entitlements/com.apple.security.hardened-process.enhanced-security-version-string https://developer.apple.com/documentation/bundleresources/entitlements/com.apple.security.hardened-process.platform-restrictions-string So our app currently uses the new -string entitlements with values "1" and "2". Our App Review rejection said: The app incorrectly implements sandboxing, or it contains one or more entitlements with invalid values. Entitlement "com.apple.security.hardened-process.enhanced-security-version-string" value must be boolean and true. Entitlement "com.apple.security.hardened-process.platform-restrictions-string" value must be boolean and true. That’s the part I can’t reconcile with the documentation. Questions For a Mac App Store submission built with Xcode 26.4, should these two entitlements use the new string-based form, or Boolean true? If the expected format has changed, is there any updated guidance beyond the Xcode 26.4 release notes and current entitlement reference? If Apple staff or anyone familiar with this can clarify what format is currently expected, I’d really appreciate it. Thanks.

Team ID: LA64G2ZMY2. Submission f28e6a62-5a46-4554-a4b9-666269b3017f has been "In Progress" for over 24 hours. App is signed with hardened runtime, valid Developer ID certificate, HFS+ DMG format (not APFS - aware of DTS r. 134264492). Codesign verifies clean. All requirements met per Apple documentation. Is notarization provisioning needed for new accounts?

Hi, I'm notarizing my Electron macOS app (DMG) for the first time with our new Developer ID, and most submissions have been stuck in "In Progress" for over 24 hours. Environment: Team ID: BSS9KAH6Z2 Certificate: Developer ID Application (valid until 2031) Tool: xcrun notarytool submit (Xcode CLI) App: Electron 28, signed with hardened runtime File: DMG (~131MB), 104 files inside .app What happened: Total 19 submissions over the past 24 hours Only 4 were Accepted (2 DMGs + 2 zips) The other 15 are still "In Progress" with no log available The 4 Accepted ones took 1~1.5 hours each codesign --verify --deep --strict passes with no issues Accepted submission log shows "issues": null Apple System Status shows "Developer ID Notary Service: Available" What I've tried: Submitting as DMG directly Submitting as ditto zip of .app Submitting via electron-builder's built-in notarize Using both app-specific password and keychain profile auth Verified entitlements (allow-jit, disable-library-validation) Since some submissions did get Accepted, I don't think there's an issue with my signing or configuration. Is this expected for first-time submissions from a new team? Is there anything on Apple's side that needs to be configured for my team? Any help would be appreciated. Thank you.

We've been notarizing apps for a while now and have been through agreement changes before. But we still keep getting the following error when trying to notarize: Conducting pre-submission checks for myapp.dmg and initiating connection to the Apple notary service... Error: HTTP status code: 403. A required agreement is missing or has expired. This request requires an in-effect agreement that has not been signed or has expired. Ensure your team has signed the necessary legal agreements and that they are not expired. We've been through every document in our account to ensure it is signed. Is there any way to determine what document is not signed or what our issue is ? ...thanks

Hello, I am a new macOS developer. I've been working on my first Mac application and I am trying to notarize it for distribution using notarytool. However, I've encountered a persistent issue where all my submissions are stuck in the "In Progress" status for several days. As this is my first time going through this process, I initially thought I might have done something wrong. However, I have verified my app with codesign --verify --verbose --deep and it returns "valid on disk" and "satisfies its Designated Requirement". I have also tried bumping the version from 0.1.0 to 0.1.1 and removing spaces from the file names, but the new submission is also stuck. Stuck Submission History (Total 4 submissions): ID: 8cb4aebb-e2d5-4091-b279-18272c3a6ca9 (Created: 2026-04-03 - Latest) ID: 0e9a3584-1a21-471a-bc72-4da3f98e2683 (Created: 2026-04-02) ID: 59b70ef1-0b8e-480d-ba33-df872a691610 (Created: 2026-04-01) ID: 685d8fdb-1e55-4cdd-8203-688991c50dd3 (Created: 2026-04-01) As a first-time developer, it’s frustrating to see these initial submissions hang for so long without any logs or errors to troubleshoot. Is there any specific reason why a first-time submission for a new Mac app might be queued this long? I would appreciate it if someone from Apple could help clear these stuck submissions or provide some guidance as to what might be causing this delay. Thank you very much.