I have a simple impossible task, to restore /var/root/Library/Application Support/multipassd/qemu/vault/instances/gcc-cobol/ubuntu-22.04-server-cloudimg-arm64.img as of 8:02 Saturday morning. Because /var/root is owned by, well, root, the usual techniques don't work. This is a VM image hosted by qemu via Canonical's Multipass. ISTM the strategy would be to first mount the NAS filesystem and then use tmutil(8) to list the backups and recover the file. But $ sudo mount -v -o rdonly -t smb //nasa.local/TimeMachine /usr/local/mnt/ mount: exec /Library/Filesystems/smb.fs/Contents/Resources/mount_smb for /usr/local/mnt: No such file or directory mount: /usr/local/mnt failed with 72 Must I defeat SIP to do this?

We are developing a native iOS financial application called Tradu: Stocks, Forex, and CFDs (Apple ID: 6473443264), which embeds a WKWebView to render all user-facing logic. All user interactions—including authentication with MFA—occur inside this WKWebView. To access native functionality, we use postMessage() to communicate between the web and native layers. This approach has worked successfully for biometric authentication, for example. We are currently integrating Apple Pay In-App Provisioning and have a few questions regarding compliance with the documentation provided by our Issuer Host (Modulr). In the document titled Getting Started with Apple Pay: In-App Provisioning, Verification, Security, and Wallet Extensions (Version 4.0, February 2023), all examples are based on a fully native application. We’ve managed to integrate most of the In-App Provisioning flow via postMessage() up to the point of passing encryptedData to the Payment View. Apple Pay button inside WKWebView In Section 7: Frontend Overview, the user initiates the provisioning by tapping a native PKPaymentButton (SwiftUI example). In our case, this button is rendered inside the WKWebView, styled according to the Apple Style Guide. While the document references this approach as a “raw mark text supplement,” is this method acceptable and compliant with Apple’s UX and technical guidelines? MFA requirement before provisioning In Section 4: Security Guidelines, it is stated that the user must have passed MFA at least once before starting the provisioning flow. In our implementation, users must complete MFA on every login (including on recognized devices) before the provisioning UI becomes available. Even though this is not tied specifically to “unrecognized devices,” is our MFA requirement sufficient to satisfy Section 4.2? Summary: Is using a web-rendered Apple Pay button inside WKWebView (instead of a native PKPaymentButton) considered compliant? Is our MFA enforcement model (required on every login) aligned with the security requirements outlined in Section 4.2 of the Apple Pay In-App Provisioning documentation?

Hi, Our project is a MacOS SwiftUI GUI application that bundles a (Sandboxed) System Network Extension, signed with a Developer ID certificate for distribution outside of the app store. The system network extension is used to write a packet tunnel provider (NEPacketTunnelProvider), as our project requires the creation of a TUN device. In order for our System VPN to function, it must reach out to a (self-hosted) server (i.e. to discover a list of peers). Being self-hosted, this server is typically not accessible via the public web, and may only be accessible from within a VPN (such as those also implemented using NEPacketTunnelProvider, e.g. Tailscale, Cloudflare WARP). What we've discovered is that the networking code of the System Network Extension process does not attempt to use the other VPN network interfaces (utunX) on the system. In practice, this means requests to IPs and hostnames that should be routed to those interfaces time out. Identical requests made outside of the Network System Extension process use those interfaces and succeed. The simplest example is where we create a URLSession.downloadTask for a resource on the server. A more complicated example is where we execute a Go .dylib that continues to communicate with that server. Both types of requests time out. Two noteworthy logs appear when packets fail to send, both from the kernel 'process': cfil_hash_entry_log:6088 <CFIL: Error: sosend_reinject() failed>: [30685 com.coder.Coder-Desktop.VPN] <UDP(17) out so b795d11aca7c26bf 57728068503033955 57728068503033955 age 0> lport 3001 fport 3001 laddr 100.108.7.40 faddr 100.112.177.88 hash 58B15863 cfil_service_inject_queue:4472 CFIL: sosend() failed 49 I also wrote some test code that probes using a UDP NWConnection and NWPath availableInterfaces. When run from the GUI App, multiple interfaces are returned, including the one that routes the address, utun5. When ran from within the sysex, only en0 is returned. I understand routing a VPN through another is unconventional, but we unfortunately do need this functionality one way or another. Is there any way to modify which interfaces are exposed to the sysex? Additionally, are these limitations of networking within a Network System Extension documented anywhere? Do you have any ideas why this specific limitation might exist?

I just launched my watch app with alarms using WKExtendedRuntimeSession, as an api I wish it was possible to: set a small title/message on the alarm ui itself, right now all it displays is the "Alarm from < app name >" with the app icon, but it would be nice to be able to set a short 1~2 line message below it as well! be able to read the current scheduled date, right now it's only possible to know it's scheduled.

I've faced with some performance issues developing my readonly filesystem using fskit. For below screenshot: enumerateDirectory returns two hardcoded items, compiled with release config 3000 readdirsync are done from nodejs. macos 15.5 (24F74) I see that getdirentries syscall takes avg 121us. Because all other variables are minimised, it seems like it's fskit<->kernel overhead. This itself seems like a big number. I need to compare it with fuse though to be sure. But what fuse has and fskit seams don't (I checked every page in fskit docs) is kernel caching. Fuse supports: caching lookups (entry_timeout) negative lookups (entry_timeout) attributes (attr_timeout) readdir (via opendir cache_readdir and keep_cache) read and write ops but thats another topic. And afaik it works for both readonly and read-write file systems, because kernel can assume (if client is providing this) that cache is valid until kernel do write operations on corresponding inodes (create, setattr, write, etc). Questions are: is 100+us reasonable overhead for fskit? is there any way to do caching by kernel. If not currently, any plans to implement? Also, additional performance optimisation could be done by providing lower level api when we can operate with raw inodes (Uint64), this will eliminate overhead from storing, removing and retrieving FSItems in hashmap.

Hi, I'm using the Apple Maps Server API (/v1/geocode) to retrieve geocoding results for Japanese addresses. Until recently, requests like the one below returned correct results: GET https://maps-api.apple.com/v1/geocode?q=東京都千代田区千代田1-1&lang=ja-JP Authorization: Bearer <valid JWT> But now, the response is always: { "results": [] } However, when I use the same address with lang: en-US, it returns valid coordinates: GET https://maps-api.apple.com/v1/geocode?q=1-1 Chiyoda, Chiyoda-ku, Tokyo=en-US "東京都千代田区千代田1-1" is a Japanese address, and "1-1 Chiyoda, Chiyoda-ku, Tokyo" is the same address written in English. My Questions: Has there been a recent change to the geocoding behavior for Japanese addresses when lang: ja-JP is used? Does the lang parameter affect not only the response language but also the internal parsing logic? Is this a known issue or limitation? The access token is valid and I'm getting a 200 OK response, but results is always empty with lang: ja-JP. Thanks for your help!

During EEPROM reading or writing on some appliance devices, the app encounters an error after 6 steps. This issue occurs only on iPhone 14 Pro Max, 15 Pro Max, and 16 Pro models, while all other iPhone models function correctly. Any one with this problem?

The following issue has occurred: Push notifications are not being received on certain devices. What could be the possible causes? Push notifications are being sent from our own server, and we are receiving normal responses from APNs. Users have confirmed that notifications are enabled on their devices, and they report no network issues. This problem is occurring for multiple users.

以下の問題が発生しています： 特定のデバイスでプッシュ通知が受信されません。 考えられる原因は何でしょうか？ プッシュ通知は自社のサーバーから送信しており、APNs（Apple Push Notification service）からは正常な応答が返ってきています。 ユーザーはデバイスで通知が有効になっていることを確認しており、ネットワークの問題も報告されていません。 この問題は複数のユーザーに発生しています。

Hello, What is the best practice for sending customized workouts to the Apple Watch. For example, sending a running workout that entails: Run 1 mile at 8:00/mile Walk 2 minutes Run 2 mile at 7:00/mile ---- Walk 2 minutes ---- Repeat 2x Run 1 mile at 8:00/mile Any documentation or sample codes would be amazing. Thank you

Hi all, I'm currently implementing Live Activities using ActivityKit and facing a real-world limitation that I hope the community (or Apple) can clarify. 🔹 I can successfully start a Live Activity via APNs push (event: "start") even when the app is terminated — the Live Activity appears as expected on the Lock Screen and Dynamic Island. However, I need to update that Live Activity using the name I assigned in the push payload (e.g., match-123). This requires calling: Airship.channel.trackLiveActivity(activity, name: activity.attributes.matchID) …or equivalent code in native implementations to associate the activity with its push token. ❓The problem: If the user has never launched the app, or hasn't opened it after the Live Activity was started via push, then there’s no chance for the app to run this tracking code. So: ✅ Live Activity starts fine via APNs ❌ I can't track the activity and register it for future push updates (by name) until the app is launched ❌ Therefore, I can't update the Live Activity without knowing the token-name mapping 🔍 My question: Is there any way to programmatically track or associate a Live Activity (started via push) with a name for APNs updates, without requiring the app to launch? Or put differently: Can the system automatically track the name → token mapping if the activity is started via push? Is there any way (via entitlement, plist config, or system event) to allow registering the activity in the background (without user launch)? 💡 Notes: I already use pushType: .token and NSSupportsLiveActivitiesFrequentUpdates Live Activity content is fine; only the ability to send future updates is blocked without initial app launch Using Airship SDK for push + activity tracking, but the question is general to iOS + ActivityKit behavior Any insight on how apps like FotMob, Uber, or sports apps handle this situation would be really helpful! Thanks in advance.

I had a two CS from customers that they couldn't buy a cookies(IAP). they got an alert "Purchases in this app are already purchased items." I was wondering if anyone has any similar experiences.

I tried with VSUserAccountManager.shared.requestAutoSignInAuthorization(). It did prompt a popup but with errors. I do have 'com.apple.smoot.subscriptionservice' configured in the entitlement. I don't know what's happened? Could you help me out.

On iOS 26 beta 3, after a user purchases an item, initiating a second order for the same product fails to process payment. The system returns the same transaction ID and displays an interface message stating: "You've already purchased this In-App Purchase. It will be restored for free."​​ ​​I’ve tested this – not only did the legacy StoreKit finishTransaction method fail to work, but StoreKit2 finish method also malfunctioned.​​ ​​When will Apple fix this issue? If unresolved, it will prevent a large number of users from making purchases normally, leading to disastrous consequences.​

Background: We are developing a cross-platform mobile application that communicates with a custom NFC-enabled hardware device. The hardware expects ISO7816-style APDU commands for data exchange and functions correctly with Android using the IsoDep protocol. Observed Issue on iOS: On iOS, the tag is only detectable via NFCNdefReaderSession, which provides access to INFCNdefTag. Attempting to use NFCTagReaderSession with NFCPollingOption.Iso14443 (which is required for APDU communication) results in no tag detection. As a result, the tag is inaccessible for APDU-based communication on iOS. Since NFCNdefReaderSession does not support APDU, we are unable to establish the required command channel. Constraints: The hardware firmware cannot be changed to support NDEF-based command interpretation. The device expects raw ISO-DEP APDU commands (i.e., Class-Instruction-Param1-Param2-Data-Le). Impact: The lack of ISO7816 tag detection on iOS prevents the app from sending APDU commands, resulting in a platform-specific feature limitation. Functionality that relies on secure, structured APDU communication is unavailable to iOS users, even though it works seamlessly on Android.

Hi All, I’m working on a football live score app with Dynamic Island support, using iOS 18 Broadcast Notifications for Live Activities. Our workflow is: We use the Push-to-Start token to initiate the Live Activity. For updates, we use the Channel ID. Start, update, and end events for Live Activities are all handled via remote notifications. We tested on 3-4 devices simultaneously, but noticed inconsistent UI updates: some devices update properly while others do not, even when using the same Channel ID. Checking the notification console dashboard, last week we had around 1,397 notifications published but only 555 delivered — a significant discrepancy. All devices are active and connected to reliable internet, so we’re unsure why delivery rates are so low. Additional details: For the start event, we set notification priority to 10. For updates, we lowered priority to 5 per Apple’s documentation, to reduce throttling. This adjustment improved the situation compared to sandbox testing where all notifications were priority 10. Despite this, during weekend matches, we observed a drastic drop: out of 140 published notifications, only 2 were delivered. This large delivery gap risks missing critical update deadlines in our app. Could anyone help us understand what might be causing this and how to improve notification delivery reliability? Thanks in advance!

We have some users who have upgraded to iOS 26 beta3. Currently, we observe that when these users make in-app purchases, our code calls [[SKPaymentQueue defaultQueue] finishTransaction:transaction]; method, and we clearly receive the successful removal callback in the delegate method - (void)paymentQueue:(SKPaymentQueue *)queue removedTransactions:(NSArray<SKPaymentTransaction *> *)transactions. However, when users click on products with the same productId again, the method - (void)paymentQueue:(SKPaymentQueue *)queue updatedTransactions:(NSArray *)transactions still returns information about previously removed transactions, preventing users from making further in-app purchases.

We have some users who have upgraded to iOS 26 beta3. Currently, we observe that when these users make in-app purchases, our code calls [[SKPaymentQueue defaultQueue] finishTransaction:transaction]; method, and we clearly receive the successful removal callback in the delegate method - (void)paymentQueue:(SKPaymentQueue *)queue removedTransactions:(NSArray<SKPaymentTransaction *> *)transactions. However, when users click on products with the same productId again, the method - (void)paymentQueue:(SKPaymentQueue *)queue updatedTransactions:(NSArray *)transactions still returns information about previously removed transactions, preventing users from making further in-app purchases.

Hey all, This is my first app with Swift, and first app using CloudKit / iCloud - although I have launched other iOS app successfully. When I created the app, I selected "none" for storage my bundle identifier looks like this: io.mysite.appname I have the iCloud capability added, with CloudKit checked, and the container also checked that looks like this: iCloud.io.mysite.appname Push Notificaitons capability is also added, but there is no configuration. I have tried automatically managed signing, as well as a manually created provisioning profile.. Every time I build the app onto my device - when I check it out in settings, icloud is not listed. When I go through iCloud into icloud drive, the app is also not listed. I have cleaned the build many times, deleted and reinstalled the app on my phone many times. I am definitely logged into iCloud etc. Obviously I have spent plenty of times trying to debug with various LLMs, but we all seem to be at a loss for what I'm missing or doing wrong. Would love any tips or pointers I may be missing, thank you!

SMAppService Error 108 "Unable to read plist" on macOS 15 Sequoia - Comprehensive Test Case Summary We have a fully notarized SMAppService implementation that consistently fails with Error 108 "Unable to read plist" on macOS 15 Sequoia, despite meeting all documented requirements. After systematic testing including AI-assisted analysis, we've eliminated all common causes and created a comprehensive test case. Error: SMAppServiceErrorDomain Code=108 "Unable to read plist: com.keypath.helperpoc.helper" 📋 Complete Repository: https://github.com/malpern/privileged_helper_help What We've Systematically Verified ✅ Perfect bundle structure: Helper at Contents/MacOS/, plist at Contents/Library/LaunchDaemons/ Correct SMAuthorizedClients: Embedded in helper binary via CREATE_INFOPLIST_SECTION_IN_BINARY=YES Aligned identifiers: Main app, helper, and plist all use consistent naming Production signing: Developer ID certificates with full Apple notarization and stapling BundleProgram paths: Tested both Contents/MacOS/helperpoc-helper and simplified helperpoc-helper Entitlements: Tested with and without com.apple.developer.service-management.managed-by-main-app What Makes This Different Systematic methodology: Not a "help me debug" post - we've done comprehensive testing Expert validation: AI analysis helped eliminate logical hypotheses Reproduction case: Minimal project that demonstrates the issue consistently Complete documentation: All testing steps, configurations, and results documented Use Case Context We're building a keyboard remapper that integrates with https://github.com/jtroo/kanata and needs privileged daemon registration for system-wide keyboard event interception. Key Questions Does anyone have a working SMAppService implementation on macOS 15 Sequoia? Are there undocumented macOS 15 requirements we're missing? Is Error 108 a known issue with specific workarounds? Our hypothesis: This appears to be a macOS 15 system-level issue rather than configuration error, since our implementation meets all documented Apple requirements but fails consistently. Has anyone encountered similar SMAppService issues on macOS 15, or can confirm a working implementation?