iOS App Signing explained

iOS App Signing explained

Posted on by Toma Velev

iOS App Signing is tightly controlled by Apple, and it involves several interconnected pieces: keys, certificates, app identifiers, provisioning profiles, and devices. Let’s break down how they all connect.

🔐 1. Private Key (on Client Machine)

  • Created when you generate a Certificate Signing Request (CSR) on your Mac using Keychain Access.
  • Lives locally in the Keychain.
  • It’s used to sign your app with a certificate.
  • If you lose the private key (and didn’t export it), you cannot sign apps with the matching certificate again.

🧾 2. Certificate (from Apple)

  • After creating the CSR, you upload it to the Apple Developer Portal to receive a Code Signing Certificate (typically a Development or Distribution certificate).
  • This certificate:
    • Matches the private key generated on your Mac.
    • Is issued by Apple to validate your developer identity.
    • Expires every 1 year.
  • Stored in your Keychain alongside the private key.

🏷️ 3. App Identifier (App ID)

  • Unique ID in Apple Developer Portal that matches your app’s Bundle Identifier (com.yourcompany.appname).
  • Can be:
    • Explicit: com.example.MyApp (specific app)
    • Wildcard: com.example.* (used for internal/dev builds, not for all services)
  • Required for associating services like iCloud, Push Notifications, Game Center, etc.

📄 4. Provisioning Profile

A provisioning profile links together:

  • ✅ Your App ID
  • ✅ The certificate (with private key on your machine)
  • ✅ Allowed devices (for development/testing)
  • ✅ Allowed entitlements (services like iCloud, push, etc.)

There are three main types:

Profile Type Used For Devices Included Certificate
Development Xcode testing/debugging Yes Dev Cert
Ad Hoc External testers Yes Distribution Cert (Dist Cert)
App Store App Store distribution No Distribution Cert (Dist Cert)

📝 You download the provisioning profile and install it on your Mac. Xcode uses it during build/signing.

🔁 How They All Work Together (Flow)

  1. You create a private key (in Keychain) and generate a CSR.
  2. Apple issues a certificate based on that CSR.
  3. You define your app’s App ID in the developer portal.
  4. You create a provisioning profile, which binds:
    • The App ID
    • The certificate
    • The target devices (for dev/ad hoc)
    • The enabled app capabilities
  5. Xcode signs the app:
    • Uses the local private key
    • Includes the certificate
    • Embeds the provisioning profile
    • Applies entitlements from the profile
  6. iOS verifies all of this:
    • Certificate is valid and from Apple
    • Provisioning profile matches App ID
    • Profile includes device (for dev/ad hoc)
    • Entitlements match allowed services

🧠 Helpful Notes

  • One certificate ↔ One private key. Lose the key? Revoke and start over.
  • You can export your cert+key as a .p12 file to use on another Mac or in CI/CD.
  • App Store builds don’t need device IDs, but they must be signed with a valid distribution cert and profile.
  • You can let Xcode manage all this automatically, but for advanced workflows or CI, manual control is needed.
  • Depending on your Role in the App Development Organization – you may have or not the permission to accomplish some of the steps above.