Background:
My app uses a third-party SDK for payments, and it uses Original StoreKit internally for IAP payments. Now I'm getting ready to migrate to StoreKit2, and during the transition, users may use either method to initiate payments, and there's no way to avoid the coexistence of StoreKit2 and Original StoreKit.
Problem:
When a user has an unfinished transaction, if the app is restarted, both StoreKit2 and Original StoreKit will receive a notification of the transaction:
Original StoreKit's '-paymentQueue:updatedTransactions:' method
StoreKit2's 'Transaction.updated' method
resulting in duplicate calls to the shipping API.
My current treatment is to only add '-paymentQueue:updatedTransactions:' to listen for unfinished transactions. Even if the user is using StoreKit2 to initiate the payment, if the transaction is not Finished, it will be fetched via this method after restarting the app to process this transaction.
Is this approach feasible and are there any best practices for this scenario?
To summarize:
Is it feasible to fetch unfinished StoreKit2 transactions via Original StoreKit methods when StoreKit2 coexists with Original StoreKit? Is there a recommended way
Delve into the world of built-in app and system services available to developers. Discuss leveraging these services to enhance your app's functionality and user experience.
How to legally and compliantly upload users' fitness and health data to our own server—while adhering to Apple's strict privacy policies—for analysis by our AI large model to provide personalized feedback and recommendations to users.
iOS mTLS Client Certificate Authentication Fails in TestFlight with Error -25303
Problem
I'm building an iOS app that uses mTLS (client certificates received from server at runtime). Storing SecCertificate to keychain fails with error -25303 in both development and TestFlight builds, preventing SecIdentity creation needed for URLSession authentication.
Environment: iOS 18.2, iPad Pro, TestFlight internal testing, keychain-access-groups properly configured
Diagnostic Results
Testing keychain operations shows an interesting pattern:
✅ Generic Password - Works:
    let addQuery: [CFString: Any] = [
        kSecClass: kSecClassGenericPassword,
        kSecAttrAccount: "test",
        kSecValueData: "password".data(using: .utf8)!
    ]
    SecItemAdd(addQuery as CFDictionary, nil) // Returns: 0 (success)
✅ SecKey - Works:
    let addKeyQuery: [CFString: Any] = [
        kSecClass: kSecClassKey,
        kSecValueRef: privateKey,
        kSecAttrApplicationTag: tag
    ]
    SecItemAdd(addKeyQuery as CFDictionary, nil) // Returns: 0 (success)
❌ SecCertificate - Fails:
    let addCertQuery: [CFString: Any] = [
        kSecClass: kSecClassCertificate,
        kSecValueRef: certificate, // Created from server-provided PEM
        kSecAttrApplicationTag: tag
    ]
    SecItemAdd(addCertQuery as CFDictionary, nil) // Returns: -25303
Code Context
Attempting to create SecIdentity for mTLS:
    private func createIdentity(fromCert certPEM: String, key keyPEM: String) throws -> SecIdentity {
        // 1. Parse PEM to DER and create SecCertificate - succeeds
        guard let certData = extractPEMData(from: certPEM, type: "CERTIFICATE"),
              let certificate = SecCertificateCreateWithData(nil, certData as CFData) else {
            throw CertificateError.invalidCertificate
        }
        // 2. Parse PEM key and create SecKey - succeeds
        guard let keyData = extractPEMData(from: keyPEM, type: "PRIVATE KEY"),
              let privateKey = SecKeyCreateWithData(keyData as CFData, attrs as CFDictionary, &error) else {
            throw CertificateError.invalidKey
        }
        // 3. Add key to keychain - SUCCEEDS (errSecSuccess)
        let tempTag = UUID().uuidString.data(using: .utf8)!
        SecItemAdd([
            kSecClass: kSecClassKey,
            kSecValueRef: privateKey,
            kSecAttrApplicationTag: tempTag
        ] as CFDictionary, nil) // ✅ Works
        // 4. Add certificate to keychain - FAILS (-25303)
        let status = SecItemAdd([
            kSecClass: kSecClassCertificate,
            kSecValueRef: certificate,
            kSecAttrApplicationTag: tempTag
        ] as CFDictionary, nil) // ❌ Fails with -25303
        guard status == errSecSuccess else {
            throw CertificateError.keychainError(status)
        }
        // 5. Would query for SecIdentity (never reached)
        // ...
    }
Network Behavior
When mTLS fails, console shows:
Connection: asked for TLS Client Certificates
Connection: received response for client certificates (-1 elements)
Connection: providing TLS Client Identity (-1 elements)
Task received response, status 403
The -1 elements indicates no certificates were provided.
Entitlements
<key>keychain-access-groups</key>
<array>
<string>$(AppIdentifierPrefix)com.ellin.tshios</string>
</array>
Keychain Sharing capability is enabled.
What I've Tried
Both kSecValueRef and kSecValueData approaches - same error
Various kSecAttrAccessible values - same error
Different keychain access groups - same error
TestFlight build (vs dev build) - same error
PKCS#12 creation - requires complex ASN.1/DER encoding, no iOS API
Questions
Is error -25303 expected when adding SecCertificate in development/TestFlight builds?
Will App Store distribution resolve this? Or is there a fundamental limitation?
Why does SecKey succeed but SecCertificate fails with identical entitlements?
Is there an alternative to create SecIdentity without keychain access?
Constraints
Certificates come from server at runtime (cannot bundle)
Need SecIdentity for URLSession client certificate authentication
Server provides PEM format certificates
Tested on: Simulator (dev), iPad Pro (dev), iPad Pro (TestFlight) - all fail
Any insights appreciated - specifically whether this is a provisioning profile limitation that App Store distribution would resolve.
I am developing an iOS App for a Bluetooth peripheral using SwiftUI with Swift 5 or 6. I have a few past attempts that got so far (connected to a peripheral), and some downloaded examples that connect to peripherals. Lately (last month or so), my current attempt never gets BleManager to start, and every attempt ends at my View that says 'please enable Bluetooth'.
The Xcode console is totally blank with no print outputs.
Coding Assistant suggested the init() in my @main structure could contain print("App initializing"), but even that never prints.
Coding Assistant suggests:
"• Open your project's Info.plist in Xcode.
• Make sure UIApplicationSceneManifest is present and configured for SwiftUI, not referencing any storyboard.
• Ensure UIMainStoryboardFile is not present (or blank)."
but there is no info.plist because it is no longer required.
Downloaded sample code runs and connects to peripherals, so Bluetooth is working on my iPhone and the Bluetooth device is accessible. My older attempts used to work, but now have the same problem.
All attempts have "Enable Bluetooth to connect to Device" in the Privacy - Bluetooth Info.plist setting.
Something is fundamentally wrong with many different code attempts.
I have searched all the various settings for mention of SwiftUI or Storyboard, but not found them in working or failing projects.
The downloaded code which works has minimum deployment iOS 14.0 and Swift Compiler Language Version Swift 5.
My latest code attempt has minimum deployment iOS 16 and Swift 5.
All code is target device iPhone (I am testing on iPhone 16e running iOS 26.2.1) and developing with Xcode 26.2 on MacBook Air M1 running the latest Tahoe.
I do a Clean Build Folder before every test, and have tried re-starting both Mac and iPhone.
How can my coding fail so spectacularly?
We have an app that controls InDesign Desktop and InDesignServer via hundreds of AppleScripts. Some macOS security updates a while back dictated that we start communicating with other apps via ScriptingBridge. We couldn't afford to convert the hundreds of AppleScripts into direct ScriptingBridge nomenclature, so we opted to keep them as is and instead tell the external apps to:
[app doScript:<the script text> language:InDesignScLgApplescriptLanguage withArguments:nil undoMode:InDesignESUMScriptRequest undoName:@"blah"]
There are a handful of scripts that we did convert to direct ScriptingBridge.
There are times (and under the right circumstances, it's repeatable) when a certain script will have run perfectly dozens of times, and then it will throw errOSAInternalTableOverflow.
We create a new SBApplication for every job (which could be a single instance of Desktop or the multiple instances of Server).
Why is this error happening seemingly randomly? Is there anything we can do to work around or prevent this?
Hi, I’m implementing a NetworkExtension content filter provider on iOS and I can’t get it to activate on device.
I have an iOS app (App Store distribution) with a content filter provider extension (NEFilterDataProvider). The app builds, installs, and runs fine, and the extension is embedded correctly. Entitlements appear to be set for both the app and the extension, and the extension’s Info.plist is configured as expected.
However, when I try to enable the filter via NEFilterManager (loadFromPreferences → set configuration → isEnabled = true → saveToPreferences), saveToPreferences fails with NEFilterErrorDomain code 1 and the message “Configuration invalid or read/write failed.” The extension never starts and startFilter() is never called.
Main app bundle ID: uk.co.getnovi.student
Extension bundle ID: uk.co.getnovi.student.NoviContentFilter
Extension type: NEFilterDataProvider
We are testing on an iPhone 15 running iOS 18.6.2 (22G100), the app is designed to run on iPhone.
This app is intended for education use on student-owned personal iPhones installed from the App Store. The devices we are testing on are not supervised and not enrolled in MDM. We already use the Family Controls framework (ManagedSettings) for app restrictions and have the com.apple.developer.family-controls entitlement enabled for App Store distribution.
I’ve read TN3134 and noticed content filter providers on iOS are described as “supervised devices only” in general, with additional notes around iOS 15.0 for “apps using Screen Time APIs” and iOS 16.0 for “per-app on managed devices,” plus a note that in the Screen Time case content filters are only supported on child devices.
My question is whether this error is what you’d expect when attempting to enable a content filter provider on a non-supervised, non-managed device, or whether this should still work if the entitlement and configuration are correct. If non-supervised devices are not supported, is there any supported path for enabling NEFilter on iOS without supervision/MDM (for example via the Screen Time / Family Controls child authorization pathway), or will the system always refuse to enable the filter on standard devices?
In summary: is NEFilterDataProvider supported on non-supervised devices for consumer App Store apps, or is this a platform restriction that cannot be worked around?
Thanks,
Matt
Hi, I’m implementing a NetworkExtension content filter provider on iOS and I can’t get it to activate on device.
I have an iOS app (App Store distribution) with a content filter provider extension (NEFilterDataProvider). The app builds, installs, and runs fine, and the extension is embedded correctly. Entitlements appear to be set for both the app and the extension, and the extension’s Info.plist is configured as expected.
However, when I try to enable the filter via NEFilterManager (loadFromPreferences → set configuration → isEnabled = true → saveToPreferences), saveToPreferences fails with NEFilterErrorDomain code 1 and the message “Configuration invalid or read/write failed.” The extension never starts and startFilter() is never called.
Main app bundle ID: uk.co.getnovi.student
Extension bundle ID: uk.co.getnovi.student.NoviContentFilter
Extension type: NEFilterDataProvider
We are testing on an iPhone 15 running iOS 18.6.2 (22G100).
This app is intended for education use on student-owned personal iPhones installed from the App Store. The devices we are testing on are not supervised and not enrolled in MDM. We already use the Family Controls framework (ManagedSettings) for app restrictions and have the com.apple.developer.family-controls entitlement enabled for App Store distribution.
I’ve read TN3134 and noticed content filter providers on iOS are described as “supervised devices only” in general, with additional notes around iOS 15.0 for “apps using Screen Time APIs” and iOS 16.0 for “per-app on managed devices,” plus a note that in the Screen Time case content filters are only supported on child devices.
My question is whether this error is what you’d expect when attempting to enable a content filter provider on a non-supervised, non-managed device, or whether this should still work if the entitlement and configuration are correct. If non-supervised devices are not supported, is there any supported path for enabling NEFilter on iOS without supervision/MDM (for example via the Screen Time / Family Controls child authorization pathway), or will the system always refuse to enable the filter on standard devices?
TLDR: is NEFilterDataProvider supported on non-supervised devices for consumer App Store apps, or is this a platform restriction that cannot be worked around?
Thanks,
Matt
I have an iOS app with a network extension that's using OSLog to log various bits of information that are useful for debugging.
I'm currently trying to add a simple button that bundles up those logs with some other information and presents the user with a Share sheet so they can send it to support teams.
I looked at OSLogStore but it only collects logs for the current process so the user clicking a button in my app wouldn't collect logs from my network extension.
I would really like to avoid having to guide users through the process of creating and sharing a sysdiagnose but it seems like this might be the only option. How do other folks do this kind of thing? Is there a recommended way to do it?
I’m building a macOS app with a DNS Proxy system extension for Developer ID + notarization, deployed via MDM, and Xcode fails the Developer ID Release build with a provisioning profile mismatch for com.apple.developer.networking.networkextension.
Environment
macOS: Sequoia (15.7.2)
Xcode: 26.2
Distribution: Developer ID + notarization, deployed via MDM
Host bundle ID: com.mydns.agent.MyDNSMacProxy
DNS Proxy system extension bundle ID: com.mydns.agent.MyDNSMacProxy.dnsProxy
Host entitlements (Release):
File: MyDNSMacProxy/MyDNSMacProxyRelease.entitlements:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.application-identifier</key>
    <string>B234657989.com.mydns.agent.MyDNSMacProxy</string>
    <key>com.apple.developer.networking.networkextension</key>
    <array>
        <string>dns-proxy</string>
    </array>
    <key>com.apple.developer.system-extension.install</key>
    <true/>
    <key>com.apple.developer.team-identifier</key>
    <string>B234657989</string>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>group.com.mydns.MyDNSmac</string>
    </array>
    <key>keychain-access-groups</key>
    <array>
        <string>B234657989.*</string>
    </array>
</dict>
</plist>
xcodebuild -showBuildSettings -scheme MyDNSMacProxy -configuration Release :
PROVISIONING_PROFILE_SPECIFIER = main MyDNSMacProxy5
CODE_SIGN_IDENTITY = Developer ID Application
Host Developer ID profile
main_MyDNSMacProxy5.provisionprofile (via security cms -D):
"Entitlements" => {
"com.apple.application-identifier" => "B234657989.com.mydns.agent.MyDNSMacProxy"
"com.apple.developer.team-identifier" => "B234657989"
"com.apple.security.application-groups" => [ "group.com.mydns.MyDNSmac", ..., "B234657989.*" ]
"keychain-access-groups" => [ "B234657989.*" ]
"com.apple.developer.system-extension.install" => 1
"com.apple.developer.networking.networkextension" => [
"packet-tunnel-provider-systemextension",
"app-proxy-provider-systemextension",
"content-filter-provider-systemextension",
"dns-proxy-systemextension",
"dns-settings",
"relay",
"url-filter-provider",
"hotspot-provider"
]
}
So:
App ID, team ID, keychain and system‑extension.install match.
The profile’s com.apple.developer.networking.networkextension is a superset of what I request in the host entitlements (dns-proxy only).
System extension (for context)
DNS Proxy system extension target:
NSExtensionPointIdentifier = com.apple.dns-proxy
NetworkExtension → NEProviderClasses → com.apple.networkextension.dns-proxy → my provider class
Entitlements: com.apple.developer.networking.networkextension = ["dns-proxy-systemextension"]
This target uses a separate Developer ID profile and builds successfully.
Xcode error
Release build of the host fails with:
…MyDNSMacProxy.xcodeproj: error: Provisioning profile "main MyDNSMacProxy5" doesn't match the entitlements file's value for the com.apple.developer.networking.networkextension entitlement. (in target 'MyDNSMacProxy' from project 'MyDNSMacProxy')
Xcode UI also says:
Entitlements: 6 Included, 1 Missing Includes com.apple.developer.team-identifier, com.apple.application-identifier, keychain-access-groups, com.apple.developer.system-extension.install, and com.apple.security.application-groups. Doesn’t match entitlements file value for com.apple.developer.networking.networkextension.
Because of this, the app bundle isn’t produced and I can’t inspect the final signed entitlements.
Questions:
For com.apple.developer.networking.networkextension, should Xcode accept a subset of values in the entitlements (here just dns-proxy) as long as that value is allowed by the Developer ID profile, or does it currently require a stricter match?
Is the following configuration valid for Developer ID + MDM with a DNS Proxy system extension:
Host entitlements: ["dns-proxy"]
System extension entitlements: ["dns-proxy-systemextension"]
Host profile’s NE array includes the DNS Proxy system extension types.
If this is a known limitation or bug in how Xcode validates NE entitlements for Developer ID, is there a recommended workaround?
Thanks for any guidance.
Topic:
App & System Services
SubTopic:
Networking
Tags:
Network Extension
System Extensions
Code Signing
Developer ID
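The comparison that the Xcode error above refers to can be reproduced offline. This is an added example, not part of the original post and not Xcode's actual validation logic: a simplified value-by-value check of the posted host entitlements against the posted profile entitlements. The function names and the wildcard handling are assumptions, and `com.apple.security.application-groups` is left out because the profile's list is elided in the post.

```python
import plistlib
from fnmatch import fnmatchcase

NE_KEY = "com.apple.developer.networking.networkextension"

# Constructed sample: the host entitlements file as posted
# (application-groups omitted, see lead-in).
HOST_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.application-identifier</key>
    <string>B234657989.com.mydns.agent.MyDNSMacProxy</string>
    <key>com.apple.developer.networking.networkextension</key>
    <array><string>dns-proxy</string></array>
    <key>com.apple.developer.system-extension.install</key>
    <true/>
    <key>com.apple.developer.team-identifier</key>
    <string>B234657989</string>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>keychain-access-groups</key>
    <array><string>B234657989.*</string></array>
</dict>
</plist>
"""

# Constructed sample: the "Entitlements" dictionary of the profile, copied from
# the decoded `security cms -D` output shown in the post.
PROFILE_ENTITLEMENTS = {
    "com.apple.application-identifier": "B234657989.com.mydns.agent.MyDNSMacProxy",
    "com.apple.developer.team-identifier": "B234657989",
    "keychain-access-groups": ["B234657989.*"],
    "com.apple.developer.system-extension.install": True,
    NE_KEY: [
        "packet-tunnel-provider-systemextension",
        "app-proxy-provider-systemextension",
        "content-filter-provider-systemextension",
        "dns-proxy-systemextension",
        "dns-settings",
        "relay",
        "url-filter-provider",
        "hotspot-provider",
    ],
}


def _as_list(value):
    """Treat scalar entitlement values as one-element lists."""
    return value if isinstance(value, list) else [value]


def _allowed(requested, allowed_values):
    """Strings may match a profile wildcard such as 'TEAMID.*' (assumption:
    shell-style matching is close enough for this check)."""
    if isinstance(requested, str):
        return any(isinstance(a, str) and fnmatchcase(requested, a)
                   for a in allowed_values)
    return requested in allowed_values


def compare(requested, profile):
    """Return requested values the profile does not list, and requested keys
    the profile does not mention at all."""
    report = {"not_allowed": {}, "not_in_profile": []}
    for key, value in requested.items():
        if key not in profile:
            report["not_in_profile"].append(key)
            continue
        allowed_values = _as_list(profile[key])
        bad = [v for v in _as_list(value) if not _allowed(v, allowed_values)]
        if bad:
            report["not_allowed"][key] = bad
    return report


def check_host():
    """Run the comparison on the two constructed samples above."""
    return compare(plistlib.loads(HOST_ENTITLEMENTS), PROFILE_ENTITLEMENTS)


if __name__ == "__main__":
    result = check_host()
    for key, values in result["not_allowed"].items():
        print(f"{key}: {values} not listed in profile")
    for key in result["not_in_profile"]:
        print(f"{key}: key not present in profile")
```

On the posted values this flags `dns-proxy` under `com.apple.developer.networking.networkextension`: the profile's list contains `dns-proxy-systemextension` but no entry spelled `dns-proxy`.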
Hello. We are facing very silent and hardly replicable issue. All UserDefaults.standard data the application saved and was using to determine the state of app is lost and app behaves as if it was freshly installed.
The issue always occurs only if we leave app on background for long time or if we manually swipe the app from the background apps. In case we swipe, this issue can occur in minutes, hours or up to 2 days by our latest testing.
One important factor is that the app was developed using iOS18 in which issue never occurred. Next it was being tested on iOS26 and it did every time. Any currently available version of iOS26 reported this issue, all the way up to 26.2.1 (23C71). Our application is going through major upgrade of its whole lifecycle and services so it is possible this issue is caused by a bug in development as the production version does not report this issue neither on iOS26 of any version.
The following list contains how we tried to fix this issue but none of which helped.
App prewarming in the background (postpone all initialization including searching UserDefaults.standard for when isProtectedDataAvailable)
Calling UserDefaults.standard.synchronize() every time after saving data even though it is not recommended
Built app using different SDK's (tested on iOS18 and iOS26 SDK)
Distributed the app from local machine as well as on TestFlight itself
We searched through currently opened and closed issues for third-party libraries app uses regarding 'iOS26' and 'UserDefaults', especially those who were added recently with no success.
The structure using which we save data into UserDefaults.standard did not change, we have only added few more settings to save through the lifecycle of the app after update. We estimate the overall increase is merely 30% more of what it used to be in previous version.
Any ideas are much appreciated. We are considering to use different or fully custom ways to store app's settings.
Currently, I have implemented Unwanted Communication Extension, but I wanted to send the reported call or message to my backend server. How can I achieve this and can I send message body to the server?
When printing image/photo files via AirPrint, selected finishing options (e.g., Punch) are not applied unless a preset is chosen.
reproduction steps:
Select an image on iOS
Tap Print → choose printer/server
Set Finishing Options → Punch
Print
Observed:
Finishing options not applied
IPP trace shows no finisher attributes in the request
working scenario:
Select any Preset (e.g., Color) before printing
Finishing options are then included in IPP and applied
Note:
Issue does not occur when printing PDFs from iOS; finisher attributes are sent correctly.
Is this expected AirPrint behavior for image jobs, or could this be a bug in how iOS constructs the IPP request for photos?
With the same firmware, OTA testing on the DCL test network was successful in September 2025, and the Home app was able to deliver software update notifications. Since the beginning of 2026, however, the Home app no longer delivers software update notifications.
This is bug number:
FB21922369
Hi everyone,
We are currently exploring ways to implement a frictionless Wi-Fi setup for our hardware devices without requiring a dedicated third-party application. We are interested in leveraging Apple's WAC (Wireless Accessory Configuration) to sync Wi-Fi credentials directly from iOS devices. However, we have struggled to find comprehensive technical documentation or specifications regarding the WAC service. Could anyone point us to the official source for these materials?
Additionally, we have a couple of technical questions:
1. We are testing WAC provisioning and found that the Home app can discover our device and successfully get it online. However, it always ends with a "Failed to add accessory" message.
Does WAC support imply that a device should be addable via the Home app? If not, why is the Home app able to discover and start the setup for a non-HomeKit WAC device?
2. Our device is already Apple AirPlay certified. Does implementing WAC require additional standalone certification, or is it covered under the existing MFi/AirPlay certification umbrella?
Any insights or guidance would be greatly appreciated. Thank you!
I'll try to ask a question that makes sense this time :) . I'm using the following method on NSFileManager:
- (BOOL) getRelationship:(NSURLRelationship *) outRelationship
       ofDirectoryAtURL:(NSURL *) directoryURL
            toItemAtURL:(NSURL *) otherURL
                  error:(NSError * *) error;
Sets 'outRelationship' to NSURLRelationshipContains if the directory at 'directoryURL' directly or indirectly contains the item at 'otherURL', meaning 'directoryURL' is found while enumerating parent URLs starting from 'otherURL'. Sets 'outRelationship' to NSURLRelationshipSame if 'directoryURL' and 'otherURL' locate the same item, meaning they have the same NSURLFileResourceIdentifierKey value. If 'directoryURL' is not a directory, or does not contain 'otherURL' and they do not locate the same file, then sets 'outRelationship' to NSURLRelationshipOther. If an error occurs, returns NO and sets 'error'.
So this method falsely returns NSURLRelationshipSame for different directories. One is empty, one is not. Really weird behavior. Two file path urls pointing to two different file paths have the same NSURLFileResourceIdentifierKey? Could it be related to https://developer.apple.com/forums/thread/813641 ?
One url in the check lived at the same file path as the other url at one time (but no longer does). No symlinks or anything going on. Just plain directory urls.
And YES calling -removeCachedResourceValueForKey: with NSURLFileResourceIdentifierKey causes proper result of NSURLRelationshipOther to be returned. And I'm doing the check on a background queue.
iOS BLE Background Scanning Stops After Few Minutes to Hours
Hi everyone,
I'm developing a Flutter app using flutter_blue_plus that needs continuous BLE scanning in both foreground and background. Foreground scanning works perfectly, but background scanning stops after a few minutes (sometimes 1-2 hours).
Current Implementation (iOS)
Foreground Mode:
Scans for 10 seconds with all target service UUIDs
Batches and submits results every 10 seconds
Works reliably ✅
Background Mode:
Rotates through service UUIDs in batches of 7
Uses 1-minute batch intervals
Maintains active location streaming (Geolocator.getPositionStream)
Switches modes via AppLifecycleState observer
    // Background scanning setup
    await FlutterBluePlus.startScan(
      withServices: serviceUuids, // Batch of 7 UUIDs
      continuousUpdates: true,
    );
    // Location streaming (attempt to keep app alive)
    LocationSettings(
      accuracy: LocationAccuracy.bestForNavigation,
      distanceFilter: 0,
    );
Lifecycle Management:
AppLifecycleState.paused -> Start background mode
AppLifecycleState.resumed -> Start foreground mode
Questions:
Is there a documented maximum duration for iOS background BLE scanning? My scanning stops inconsistently (few minutes to 2 hours).
Does iOS require specific Background Modes beyond location updates to maintain BLE scanning? I have location streaming active but scanning still stops.
Are there undocumented limitations when scanning with service UUIDs in background that might cause termination?
Should I be using CoreBluetooth's state preservation/restoration instead of continuous scanning?
Info.plist Configuration:
<key>UIBackgroundModes</key>
<array>
<string>bluetooth-central</string>
<string>location</string>
</array>
Additional Context:
Total service UUIDs: ~20-50 (varies by company)
Scanning in batches of 7 to work around potential limitations
Android version works fine with foreground service
Location permission: Always
iOS 14+ target
Any insights on iOS BLE background limitations or best practices would be greatly appreciated.
Thanks!
I have a network extension that hosts a NEFilterDataProvider & NETransparentProxyProvider.
One of the use cases that this caters to is:
Proxy some flows (depending on originating app) while Content filter is also filtering flows based on business logic.
The issue I am running into happens when
FilterDataProvider sees a flow & responds with
filterDataVerdict(withFilterInbound: false, peekInboundBytes: 0, filterOutbound: true, peekOutboundBytes: 1024)
to handleNewFlow(_ flow: NEFilterFlow) [wants to peek more bytes on outbound connection before making a decision]
TransparentProxyProvider sees the flow & responds with NO
to handleNewFlow(_ flow: NEAppProxyFlow) as it is not interested in proxying that flow.
When this occurs, we see connection being dropped by kernel. I wanted to know if this is expected behavior.
Logs when this occurs:
2026-02-06 14:57:09.725854-0600 0x17c918f Default 0x0 569 0 com.test.networkextension: (NetworkExtension) [com.apple.networkextension:] [Extension com.test.network]: provider rejected new flow TCP headless_shell[{length = 20, bytes = 0xe69023e655b6065e1a2f94fa508807fa43f6ac8a}] remote: 100.72.0.3:443 interface utun9
2026-02-06 14:57:09.725874-0600 0x17ca166 Debug 0x0 569 0 com.test.networkextension: (NetworkExtension) [com.apple.networkextension:] New flow verdict for D89B5B5D-793C-4940-D955-37BE33F18005:
drop = NO
remediate = NO
needRules = NO
shouldReport = YES
pause = NO
urlAppendString = NO
filterInbound = NO
peekInboundBytes = 0
filterOutbound = YES
peekOutboundBytes = 1024
statisticsReportFrequency = low
2026-02-06 14:57:09.726009-0600 0x17ca24a Default 0x0 569 0 com.test.networkextension: (libnetworkextension.dylib) [com.apple.networkextension:] (410011084): Closing reads (sending SHUT_WR), closed by plugin (flow error: 0)
2026-02-06 14:57:09.726028-0600 0x17ca24a Default 0x0 569 0 com.test.networkextension: (libnetworkextension.dylib) [com.apple.networkextension:] (410011084): Closing writes, sending SHUT_RD
2026-02-06 14:57:09.726040-0600 0x17ca24a Debug 0x0 569 0 com.test.networkextension: (libnetworkextension.dylib) [com.apple.networkextension:] (410011084): Dropping the director
2026-02-06 14:57:09.726047-0600 0x17ca24a Default 0x0 569 0 com.test.networkextension: (libnetworkextension.dylib) [com.apple.networkextension:] (410011084): Destroying, client tx 0, client rx 0, kernel rx 0, kernel tx 0
I wanted to know how neagent is handling this when for a flow, filterDataProvider wants to look at the traffic while transparentProxy is not interested in handling that flow
I have several macOS systems (Apple Silicon) running various flavours of macOS 26 (26.2 and 26.3 RC).
I also have a couple of CentOS 10 Linux (ARM64) systems. All are connected to my 10 GbE switch, so no routers or anything else in the path that could mess with ECN flags. The network is dual stack.
The CentOS systems are configured to offer / accept ECN for both outgoing and incoming connections (net.ipv4.tcp_ecn = 1). The macOS systems have their default settings which also supposedly behave the same way:
$ sysctl -a | grep ecn
net.inet.tcp.ecn_timeout: 5
net.inet.tcp.ecn_setup_percentage: 100
net.inet.tcp.accurate_ecn: 0
net.inet.tcp.ecn_initiate_out: 1
net.inet.tcp.ecn: 1
net.inet.ipsec.ecn: 0
net.inet.mptcp.probecnt: 5
net.inet6.ipsec6.ecn: 0
net.classq.fq_codel.enable_ecn: 0
I have a simple throughput test program (written in C and using the standard socket API) that runs as both a client and a server which I have ported to both OS.
When I run it between the two Linux systems using either IPv4 or IPv6 a tcpdump / Wireshark trace shows that ECN is active in both directions. Internet Protocol / Differentiated Services shows Explicit Congestion Notification: ECN-Capable Transport code point '10' for both flows.
When I run the same test between one of the macOS systems and one of the Linux systems what I observe is that when using IPv4 the Linux -> macOS flow has Not ECN_capable Transport (0) while the macOS -> Linux flow has ECN-Capable Transport code point '10'.
This seems wrong. I even tried enabling L4S (defaults write -g network_enable_l4s -bool true) but unsurprisingly this made no difference.
If I run the same test over IPv6 then both flows have ECN-Capable Transport code point '10'.
How can I ensure that macOS tries to negotiate ECN for outgoing IPv4 connections? Or is this a macOS bug?
Topic:
App & System Services
SubTopic:
Networking
At least on
$ uname -r -v -m
25.2.0 Darwin Kernel Version 25.2.0: Tue Nov 18 21:09:55 PST 2025; root:xnu-12377.61.12~1/RELEASE_ARM64_T8103 arm64
running the Posix program test.c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

int main() {
    pid_t ch = fork();
    if (ch == -1) {
        perror("fork");
        return EXIT_FAILURE;
    }
    if (ch == 0) {
        return EXIT_SUCCESS;
    }
    if (setpgid(ch, ch) == -1) {
        perror("setpgid");
        return EXIT_FAILURE;
    }
    siginfo_t stat;
    if (waitid(P_PID, ch, &stat, WEXITED | WNOWAIT) == -1) {
        perror("waitid");
        return EXIT_FAILURE;
    }
    if (kill(-ch, SIGKILL) == -1) {
        perror("kill");
        return EXIT_FAILURE;
    }
    return EXIT_SUCCESS;
}
as
$ clang test.c
$ ./a.out
kill: Operation not permitted
fails with EPERM even though the lifetime of the process group has not yet ended (due to the WNOWAIT).
Topic:
App & System Services
SubTopic:
Core OS
I’d like to confirm the expected behavior of StoreKit 2 in the Sandbox environment regarding unfinished consumable transactions across devices.
Scenario:
Device A and Device B are signed in with the same Sandbox Apple ID
A consumable in-app purchase is completed on Device A
The transaction may be verified or unverified, but transaction.finish() is not called
The app is then launched on Device B and listens for Transaction.updates
Question:
In this scenario, is it expected that Device B will or will not receive a callback for this unfinished consumable transaction?
Or is it by design that unfinished consumable transactions are not guaranteed to be delivered across devices, regardless of verification state?
Topic:
App & System Services
SubTopic:
StoreKit