diff --git a/.github/workflows/release-apps.yml b/.github/workflows/release-apps.yml
index ecad790c7..646834581 100644
--- a/.github/workflows/release-apps.yml
+++ b/.github/workflows/release-apps.yml
@@ -257,6 +257,25 @@ jobs:
           cp "$RUNNER_TEMP/maccatalyst.provisionprofile" "$APP_PATH/Contents/embedded.provisionprofile"
           echo "Embedded provisioning profile in app bundle"
 
+      - name: Inject application-identifier into entitlements
+        run: |
+          # Extract application-identifier and team-identifier from provisioning profile
+          # and add them to the entitlements file. codesign doesn't do this automatically
+          # (Xcode does). Required for TestFlight eligibility.
+          PROFILE_PLIST=$(security cms -D -i "$RUNNER_TEMP/maccatalyst.provisionprofile")
+          APP_ID=$(echo "$PROFILE_PLIST" | plutil -extract Entitlements.com\\.apple\\.application-identifier raw -o - -)
+          TEAM_ID=$(echo "$PROFILE_PLIST" | plutil -extract Entitlements.com\\.apple\\.developer\\.team-identifier raw -o - -)
+          echo "Application identifier: $APP_ID"
+          echo "Team identifier: $TEAM_ID"
+
+          ENTITLEMENTS="PolyPilot/Platforms/MacCatalyst/Entitlements.AppStore.plist"
+          /usr/libexec/PlistBuddy -c "Add :com.apple.application-identifier string $APP_ID" "$ENTITLEMENTS" 2>/dev/null || \
+            /usr/libexec/PlistBuddy -c "Set :com.apple.application-identifier $APP_ID" "$ENTITLEMENTS"
+          /usr/libexec/PlistBuddy -c "Add :com.apple.developer.team-identifier string $TEAM_ID" "$ENTITLEMENTS" 2>/dev/null || \
+            /usr/libexec/PlistBuddy -c "Set :com.apple.developer.team-identifier $TEAM_ID" "$ENTITLEMENTS"
+          echo "Updated entitlements:"
+          cat "$ENTITLEMENTS"
+
       - name: Re-sign app bundle (inside-out)
         env:
           CODESIGN_KEY: ${{ secrets.IOS_CODESIGN_KEY }}