Invalid code signing entitlements with app group on macOS

I'm getting this error when uploading a build of my macOS app to App Store Connect. It has always worked before, and nothing changed about my use of app groups, and the iOS build uploaded without any problems. Cleaning the build folder and derived data folder doesn't help. I'm using automatically managed signing in Xcode.

Invalid code signing entitlements. Your application bundle’s signature contains code signing entitlements that aren’t supported on macOS. Specifically, the “[group.<rest of app group ID>]” value for the com.apple.security.application-groups key in “<bundle identifier>.pkg/Payload/<app name>.app/Contents/MacOS/<app name>” isn’t supported. This value should be a string or an array of strings, where each string is the “group” value or your Team ID, followed by a dot (“.”), followed by the group name. If you're using the “group” prefix, verify that the provisioning profile used to sign the app contains the com.apple.security.application-groups entitlement and its associated value(s).

Answered by DTS Engineer in 826363022
It mysteriously got resolved

App groups are more complicated than you might think. I have a bunch of backstory to this in App Groups: macOS vs iOS: Fight!.

Note that the story has changed in the last few days. I suspect that the action you took here caused Xcode to rebuild your distribution profile, resulting in a new profile that includes your app group in its allowlist.

The good news here is that, now that we fully support iOS-style app groups on macOS, we’ll see a lot fewer problems like this.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

@DTS Engineer

Thank you for the detailed instructions.

I followed each step carefully and achieved the "same" results as outlined in your guide (with different identifiers, of course). Specifically, I generated a new provisioning profile UUID and group identifiers starting with “group.” And in the provisioning profile file with the new UUID, there is a key "com.apple.security.application-groups" with the same value as set in Xcode. However, after uploading the archive to the App Store via Xcode Organizer, I am still encountering the same error as before.

... This value should be a string or an array of strings, where each string is the “group” value or your Team ID, followed by a dot (“.”), followed by the group name. If you're using the “group” prefix, verify that the provisioning profile used to sign the app contains the com.apple.security.application-groups entitlement and its associated value(s). ...

Additionally, when testing the widget using WidgetKit Simulator on macOS, I continually receive an error message when showing the timeline.

The operation couldn't be completed. (CHSErrorDomain error 1103.)

Could you kindly advise on a solution for this as well?

I’ve learnt a new trick so I wanted to expand on the steps I posted yesterday. I started off by running the steps up to “My next step was to add an app group to the app” point. From there I did this:

  1. On the Development website, I confirmed that the target app group ID, group.eskimo1.test, was allocated to my team.

  2. In Xcode, I navigated to the build settings for my app target.

  3. I clicked the add (+) button and added a custom build setting of REGISTER_APP_GROUPS with a value of YES. This enables the iOS-style app groups UI on Xcode 16.2.

  4. I navigated to Signing & Capabilities and added the App Groups capability.

  5. Under the group list I clicked the add (+) button. This presents the iOS-style UI.

  6. In that UI, I entered my group, group.eskimo1.test, and clicked OK. Xcode’s automatic code signing machinery kicked in and updated my profile. No muss, no fuss!

  7. I chose Product > Build.

  8. I dumped the signing state of the development app:

    % codesign -d --entitlements - Test775022E.app
    …
    [Dict]
        [Key] com.apple.application-identifier
        [Value]
            [String] SKMME9E2Y8.com.example.apple-samplecode.Test775022E
        …
        [Key] com.apple.security.application-groups
        [Value]
            [Array]
                [String] group.eskimo1.test
        …
    % security cms -D -i Test775022E.app/Contents/embedded.provisionprofile | plutil -p -
    {
      …
      "Entitlements" => {
        "com.apple.application-identifier" => "SKMME9E2Y8.com.example.apple-samplecode.Test775022E"
        …
        "com.apple.security.application-groups" => [
          0 => "group.eskimo1.test"
        ]
        …
      }
      …
    }
    

    Xcode has done the right thing. Yay!

I then continued on the process from my previous post (step 7, choosing Product > Archive). Things didn’t work out of the box; Xcode continued to use its cached provisioning profile. However, the same steps from my previous post — using the UUID to fix and nix the profile in ~/Library/Developer/Xcode/UserData/Provisioning Profiles — resolved the issue.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

So I:

  • Added the REGISTER_APP_GROUPS custom build setting to all my macOS targets.
  • Removed and re-added the App Groups capability using the iOS group format (it was already in this format, but I did it anyway)
  • Verified that the entitlement in the built product is correct.
  • Deleted the profile with the UUID found in the built product, following the same steps used by Quinn to fix the distribution build.
  • Selected Product > Build

But I still get the same error when submitting to App Store Connect. I also tried disabling automatic signing and using a manually generated profile from the Developer website, but the error continues.

Is there anything else I need to do to be able to submit it to App Store Connect?

I resolved this issue by following these steps (with Automatically manage signing enabled):

  1. Close Xcode and delete all files in ~/Library/Developer/Xcode/UserData/Provisioning Profiles.

  2. On the Apple Developer website, go to Identifiers and locate the identifier mentioned in the error message.

  3. Click on the identifier, find the App Groups section, and click the Edit button. In the pop-up window, check the corresponding app group name.

  4. Rebuild the project in Xcode.

Thank you so much for your help—you literally saved my day! I really appreciate you taking the time to share your solution.

@DTS Engineer Still no luck for me. I have an unusual arrangement: my app is a Mac Catalyst app that embeds a non-Catalyst Mac app as a LoginItem.

All my Mac targets (Catalyst and non-Catalyst) have REGISTER_APP_GROUPS = YES and all have the App Group entitlement. When I inspect the archived build as you suggest, every provisioning profile appears to have application-groups set correctly. But I still get the same error from ASC.

I filed a Feedback and attached an archive build, if you or the ASC team could please take a look: FB16664827

my app is a Mac Catalyst app that embeds a non-Catalyst Mac app as a LoginItem.

Ah, that’s fun. And you’re not the only person to play such games [1].

I filed a Feedback … FB16664827

Thanks. That’s definitely the right path forward in your case.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Indeed, I’ve done this myself to work around a keychain issue in the Personal VPN support within Network Extension framework.

Still not resolved

Success! I finally noticed a difference between the instructions in the latest Xcode beta release notes and Quinn's instructions:

… remove related profiles from ~/Library/Developer/Xcode/UserData/Provisioning Profiles and ~/Library/MobileDevice/Provisioning Profiles

I had cleaned out that first directory but not the second. Deleting the relevant profiles in both directories seems to have fixed everything.

Thanks for sharing your update. I’m glad to hear that you got past this roadblock.


Speaking more generally, I’ve been working in private with a number of developers who’ve hit issues like this. I’m still researching various edge cases but, as far as I can tell right now, there doesn’t seem to be an App Store Connect problem here. That is, ASC is accepting what it should be accepting. Rather, there’s a caching problem causing Xcode to submit the wrong thing. And hence the workaround in the Xcode release notes.

So, for other folks hitting this problem, please try that workaround and let us know how you get along.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
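
Added example (not from any post in this thread, and not Apple tooling): it reads the two cache directories named in the workaround above, decodes each profile with the same `security cms -D -i` command used earlier in the thread, and lists the cached profiles for one bundle ID whose allowlist lacks a given app group. The function names, the `decode` parameter and the `com.example.app` bundle ID are assumptions; the script only reports and deletes nothing.

```python
import plistlib
import subprocess
import sys
from pathlib import Path

# The two profile cache directories named in the thread.
CACHE_DIRS = [
    Path.home() / "Library/Developer/Xcode/UserData/Provisioning Profiles",
    Path.home() / "Library/MobileDevice/Provisioning Profiles",
]
GROUPS_KEY = "com.apple.security.application-groups"
APP_ID_KEYS = ("com.apple.application-identifier", "application-identifier")

def decode_profile(path):
    """Strip the CMS wrapper with the command used in the thread; return a dict."""
    cmd = ["security", "cms", "-D", "-i", str(path)]
    return plistlib.loads(subprocess.run(cmd, capture_output=True, check=True).stdout)

def allowed_groups(profile):
    """App groups in the profile's allowlist; the value may be a string or an array."""
    value = profile.get("Entitlements", {}).get(GROUPS_KEY, [])
    return [value] if isinstance(value, str) else list(value)

def stale_profiles(group, bundle_id, dirs=CACHE_DIRS, decode=decode_profile):
    """Return (path, UUID, groups) for cached profiles of bundle_id lacking group."""
    stale = []
    for directory in map(Path, dirs):
        if not directory.is_dir():
            continue
        for path in sorted(directory.iterdir()):
            if path.suffix not in (".provisionprofile", ".mobileprovision"):
                continue
            profile = decode(path)
            ents = profile.get("Entitlements", {})
            app_id = next((ents[k] for k in APP_ID_KEYS if k in ents), "")
            # App IDs are "<Team ID>.<bundle ID>"; skip profiles for other apps.
            if app_id.partition(".")[2] != bundle_id:
                continue
            groups = allowed_groups(profile)
            if group not in groups:
                stale.append((str(path), profile.get("UUID"), groups))
    return stale

if __name__ == "__main__":
    # Usage (macOS): python3 stale_profiles.py group.eskimo1.test com.example.app
    for path, uuid, groups in stale_profiles(sys.argv[1], sys.argv[2]):
        print(f"{uuid}  allowlist={groups}  {path}")
```

Any UUID it prints that matches the embedded profile of the archived app points at a cached profile that predates the app group registration.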

After the launch of macOS 15, I migrated my app group from [group.mydomain] to [TeamID.mydomain].

Now, I need my app to support both app group identifiers simultaneously.

However, none of the methods in this thread so far have been effective. So frustrated.

I’m still researching various edge cases but, as far as I can tell right now, there doesn’t seem to be an App Store Connect problem here.

I take that back. There are four possible cases here, and I tried each one:

iOS-style macOS-style Result
--------- ----------- ------
no        no          OK
no        yes         OK
yes       no          OK
yes       yes         NG

That is, all the cases work except the one where you have an app that uses both an iOS-style and a macOS-style app group. In that case you hit one of two problems:

  • If your app ships on the Mac App Store, you’ll hit a validation issue.

  • If you distribute your app directly, you’ll hit an app group container protection issue when accessing at least one of the app groups.


So frustrated.

Yeah, that’s understandable. Sorry.

Please file a bug about this, then post your bug number here. I’ll use your bug to drive the escalation of this issue.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

That is the bucket we are in as well. iOS and macOS style. Filed as FB16807199.

Filed as FB16807199.

Thank you. I’ve passed this on to the relevant folks, and I’m actively monitoring this issue in general.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I submitted a case where a macOS app has both iOS-style and Mac-style App Groups at the same time, as FB17014708.
