Invalid code signing entitlements with app group on macOS

Code Signing Entitlements Entitlements Code Signing

Created Feb ’25

Replies 48

Boosts 12

Views 3.8k

Participants 26

I'm getting this error when uploading a build of my macOS app to App Store Connect. It has always worked before, and nothing changed about my use of app groups, and the iOS build uploaded without any problems. Cleaning the build folder and derived data folder doesn't help. I'm using automatically managed signing in Xcode.

Invalid code signing entitlements. Your application bundle’s signature contains code signing entitlements that aren’t supported on macOS. Specifically, the “[group.<rest of app group ID>]” value for the com.apple.security.application-groups key in “<bundle identifier>.pkg/Payload/<app name>.app/Contents/MacOS/<app name>” isn’t supported. This value should be a string or an array of strings, where each string is the “group” value or your Team ID, followed by a dot (“.”), followed by the group name. If you're using the “group” prefix, verify that the provisioning profile used to sign the app contains the com.apple.security.application-groups entitlement and its associated value(s).

Answered by DTS Engineer in 826363022

It mysteriously got resolved

App groups are more complicated than you might think. I have a bunch of backstory to this in App Groups: macOS vs iOS: Fight!.

Note that the story has changed in the last few days. I suspect that the action you took here caused Xcode to rebuild your distribution profile, resulting in a new profile that includes your app group in its allowlist.

The good news here is that, now that we fully support iOS-style app groups on macOS, we’ll see a lot fewer problems like this.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Boost

wptrnpt OP

Mar ’25

Help please. I have two macOS apps, that both share an App Group to exchange information.

I use Xcode 15.2, Ventura 13.6.1

Until mid Feb 25, all was working fine, but now I get the same error message upon distribution attempt as many above: Provisioning profile failed Qualification; Profile doesn't support App Groups.

I also now have two capabilities, both called App Groups in my Signing&Capability section;

One lists my App Group, starting with the team name as it is a macOS app and another capability that just states: Application Groups entitlement may require additional configuration. With an arrow that points to my entitlement file that contains the macOS app group name.

If I try to delete the second one, that was not there before, both App Group Capabilities are deleted, together with the corresponding entitlement.

In my developer account, the app IDs have the App Group box selected but I did not further 'configure', including registration, as this is a macOS app and any name other than starting with group (for iOS app groups) is not accepted.

I deleted the provisioning profiles in MobileDevice folder, but to no avail (no UserData folder in Ventura I think)

Am I missing something? I tried to follow all the comments within this thread.

The only item I failed with was to dump the actual provisioning profile. I selected Direct Distribution for the archived project and then exported it. It is exported as an app, not an installer file And when trying to dump the app, I get the error message that the embedded provisioning profile is not found.

So what used to be a formality procedure, has now taken a day of my life ;-) and I am still no wiser.

Any help appreciated!

wptrnpt OP

Apr ’25

To whom it may concern and help:

Summary: If you have macOS Apps and use App Groups and want to distribute to the App Store, do yourself a favour and upgrade your macOS to Sequoia and Xcode to at least 16.3.

Detail: I had no issues with app groups for macOS apps until after mid Feb 25. I used Xcode 15.2 on a Ventura iMac. Then, as per posts above, it all failed upon distribution. I also saw two AppGroup capabilities in Signing&Capability. I tried everything I read here and more. Registered the app group (although it is not necessary for a macOS app), included in Build Settings the 'Register App Group' trick from Eskimo (but it is for iOS App Groups), tried to monitor what is going on with my provisioning profile (but dump on exported app does not work as macOS apps do not embed a provisioning profile I think), deleted all provisioning profiles, created my own manually etc etc. Nothing worked. Upgrading to Sequoia and Xcode 16.3 does it without any pain: no registration of the App Group necessary, only 1 App Group in Signing and Capabilities, no configuration of AppGroups in AppID identifier necessary (as this would be for iOS App Groups) - only ticking the box for the AppGroup Capability.

CodeSquid OP

May ’25

Looks like I also ran into this issue, having both an application group starting with a team identifier and one with the "group" prefix.

Please file a bug about this, then post your bug number here. I’ll use your bug to drive the escalation of this issue.

Sure thing: FB17613203