XcodesOrg · mpwg · May 12, 2026 · May 12, 2026
diff --git a/README.md b/README.md
@@ -22,7 +22,7 @@ XcodesApp is now part of the `XcodesOrg` - [read more here](nextstep.md)
 - Just click a button to make a version active with `xcode-select`.
 - View release notes, OS compatibility, included SDKs and compilers from [Xcode Releases](https://xcodereleases.com).
 - Dark/Light Mode supported
-- Security Key Authentication supported 
+- Apple ID sign-in supports trusted-device codes and SMS verification. Physical security-key-only Apple Accounts are not supported because native macOS security-key assertions require a `webcredentials` associated domain for the relying party, and Xcodes cannot claim `apple.com`; use Apple's passkey-capable sign-in flow outside this native FIDO2 path instead.
 - Support installing Platforms/Runtimes
 - Support installing Apple Silicon variants
 

diff --git a/Scripts/fix_libfido2_framework.sh b/Scripts/fix_libfido2_framework.sh
diff --git a/Xcodes.xcodeproj/project.pbxproj b/Xcodes.xcodeproj/project.pbxproj
diff --git a/Xcodes.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved b/Xcodes.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved
diff --git a/Xcodes/AcknowledgementsGenerator/README.md b/Xcodes/AcknowledgementsGenerator/README.md
@@ -1,5 +1,5 @@
 # AcknowledgementsGenerator
 
-Scans an Xcode project's checked-out SPM packages for license files, then combines them into a single RTF file.
+Scans an Xcode project's checked-out SPM packages for license files, then combines them into a single Markdown file.
 
 Based on https://github.com/MacPaw/spm-licenses.
diff --git a/Xcodes/AcknowledgementsGenerator/Sources/AcknowledgementsGenerator/main.swift b/Xcodes/AcknowledgementsGenerator/Sources/AcknowledgementsGenerator/main.swift
@@ -7,7 +7,6 @@
 //
 
 import Foundation
-import AppKit
 
 let arguments = CommandLine.arguments
 guard let projectIndex = arguments.firstIndex(of: "-p"), let projectPath = arguments[safe: projectIndex + 1] else {
@@ -51,6 +50,7 @@ guard let pins = object["pins"] as? [[String: Any]] else {
     print("Invalid pins format")
     exit(EXIT_FAILURE)
 }
+let pinnedPackageNames = Set(pins.compactMap { $0["package"] as? String })
 
 let projectsURL = Xcode.derivedDataURL
 func projectsInfo(at url: URL) throws -> [Xcode.Project] {
@@ -71,7 +71,9 @@ guard let currentProject = projects.first(where: ({ $0.workspacePath == projectP
 }
 
 let checkouts = currentProject.url.deletingLastPathComponent().appendingPathComponent("SourcePackages/checkouts")
-let checkedDependencies = try fileManager.contentsOfDirectory(at: checkouts, includingPropertiesForKeys: nil, options: .skipsHiddenFiles)
+let checkedDependencies = try fileManager
+    .contentsOfDirectory(at: checkouts, includingPropertiesForKeys: nil, options: .skipsHiddenFiles)
+    .filter { pinnedPackageNames.contains($0.lastPathComponent) }
 
 let spmLicences: [Xcode.Project.License] = checkedDependencies.compactMap {
     let supportedFilenames = ["LICENSE", "LICENSE.txt", "LICENSE.md"]
@@ -95,19 +97,18 @@ for case let url as URL in enumerator where url.lastPathComponent.hasSuffix(".LI
     )
 }
 
-let licences = spmLicences + manualLicenses
+let licences = (spmLicences + manualLicenses).sorted { $0.name.localizedStandardCompare($1.name) == .orderedAscending }
 
-let acknowledgementsAttributedString = NSMutableAttributedString()
+var acknowledgements = "# Acknowledgements\n\n"
 for licence in licences {
-    acknowledgementsAttributedString.append(NSAttributedString(string: licence.name + "\n\n", attributes: [.font: NSFont.preferredFont(forTextStyle: .title2)]))
+    acknowledgements.append("## \(licence.name)\n\n")
     let licenseContents = try String(contentsOf: licence.url)
-    acknowledgementsAttributedString.append(NSAttributedString(string: licenseContents + "\n\n", attributes: [.font: NSFont.preferredFont(forTextStyle: .body)]))
+        .trimmingCharacters(in: .whitespacesAndNewlines)
+    acknowledgements.append("~~~text\n")
+    acknowledgements.append(licenseContents)
+    acknowledgements.append("\n~~~\n\n")
 }
 
-guard let data = acknowledgementsAttributedString.rtf(from: NSRange(location: 0, length: acknowledgementsAttributedString.length), documentAttributes: [:]) else {
-    print("Failed to create RTF data")
-    exit(EXIT_FAILURE)
-}
-try data.write(to: URL(fileURLWithPath: outputPath.expandingTildeInPath))
+try acknowledgements.write(to: URL(fileURLWithPath: outputPath.expandingTildeInPath), atomically: true, encoding: .utf8)
 
 print("Licenses have been saved to \(outputPath)")
diff --git a/Xcodes/AppleAPI/Package.swift b/Xcodes/AppleAPI/Package.swift
@@ -13,7 +13,7 @@ let package = Package(
             targets: ["AppleAPI"]),
     ],
     dependencies: [
-        .package(url: "https://github.com/xcodesOrg/swift-srp", branch: "main")
+        .package(url: "https://github.com/adam-fowler/swift-srp", from: "2.3.0")
     ],
     targets: [
         // Targets are the basic building blocks of a package. A target can define a module or a test suite.

diff --git a/Xcodes/AppleAPI/Sources/AppleAPI/Client.swift b/Xcodes/AppleAPI/Sources/AppleAPI/Client.swift
@@ -59,7 +59,7 @@ public class Client {
                             .eraseToAnyPublisher()
                     }
 
-                    let sharedSecret = try client.calculateSharedSecret(password: encryptedPassword, salt: [UInt8](decodedSalt), clientKeys: clientKeys, serverPublicKey: .init([UInt8](decodedB)))
+                    let sharedSecret = try client.calculateSharedSecret(password: [UInt8](encryptedPassword), salt: [UInt8](decodedSalt), clientKeys: clientKeys, serverPublicKey: .init([UInt8](decodedB)))
 
                     let m1 = client.calculateClientProof(username: accountName, salt: [UInt8](decodedSalt), clientPublicKey: a, serverPublicKey: .init([UInt8](decodedB)), sharedSecret: .init(sharedSecret.bytes))
                     let m2 = client.calculateServerProof(clientPublicKey: a, clientProof: m1, sharedSecret: .init([UInt8](sharedSecret.bytes)))
@@ -160,9 +160,12 @@ public class Client {
                 case .twoStep:
                     return Fail(error: AuthenticationError.accountUsesTwoStepAuthentication)
                         .eraseToAnyPublisher()
-                case .twoFactor, .securityKey:
+                case .twoFactor:
                     return self.handleTwoFactor(serviceKey: serviceKey, sessionID: sessionID, scnt: scnt, authOptions: authOptions)
                         .eraseToAnyPublisher()
+                case .securityKey:
+                    return Fail(error: AuthenticationError.accountUsesSecurityKeyAuthentication)
+                        .eraseToAnyPublisher()
                 case .unknown:
                     let possibleResponseString = String(data: data, encoding: .utf8)
                     return Fail(error: AuthenticationError.accountUsesUnknownAuthenticationKind(possibleResponseString))
@@ -182,9 +185,6 @@ public class Client {
         } else if authOptions.canFallBackToSMS {
             option = .smsPendingChoice
             // Code is shown on trusted devices
-        } else if authOptions.fsaChallenge != nil {
-            option = .securityKey
-            // User needs to use a physical security key to respond to the challenge
         } else {
             option = .codeSent
         }
@@ -361,6 +361,7 @@ public enum AuthenticationError: Swift.Error, LocalizedError, Equatable {
     case unexpectedSignInResponse(statusCode: Int, message: String?)
     case appleIDAndPrivacyAcknowledgementRequired
     case accountUsesTwoStepAuthentication
+    case accountUsesSecurityKeyAuthentication
     case accountUsesUnknownAuthenticationKind(String?)
     case accountLocked(String)
     case badStatusCode(statusCode: Int, data: Data, response: HTTPURLResponse)
@@ -390,6 +391,8 @@ public enum AuthenticationError: Swift.Error, LocalizedError, Equatable {
             return "You must sign in to https://appstoreconnect.apple.com and acknowledge the Apple ID & Privacy agreement."
         case .accountUsesTwoStepAuthentication:
             return "Received a response from Apple that indicates this account has two-step authentication enabled. xcodes currently only supports the newer two-factor authentication, though. Please consider upgrading to two-factor authentication, or explain why this isn't an option for you by making a new feature request in the Help menu."
+        case .accountUsesSecurityKeyAuthentication:
+            return "This Apple ID requires physical security-key authentication, which Xcodes does not support. Use Apple's passkey-capable sign-in flow outside Xcodes, or sign in with a trusted device code or SMS verification instead."
         case .accountUsesUnknownAuthenticationKind:
             return "Received a response from Apple that indicates this account has two-step or two-factor authentication enabled, but xcodes is unsure how to handle this response. If you continue to have problems, please submit a bug report in the Help menu."
         case let .accountLocked(message):
@@ -444,7 +447,6 @@ public enum TwoFactorOption: Equatable {
     case smsSent(AuthOptionsResponse.TrustedPhoneNumber)
     case codeSent
     case smsPendingChoice
-    case securityKey
 }
 
 public struct FSAChallenge: Equatable, Decodable {

diff --git a/Xcodes/Backend/AppState+Install.swift b/Xcodes/Backend/AppState+Install.swift
@@ -3,7 +3,6 @@ import Foundation
 import Path
 import AppleAPI
 import Version
-import LegibleError
 import os.log
 import DockProgress
 import XcodesKit