Developer guide on iOS code signing & provisioning
Understanding provisioning profiles & certificates.
12 Dec 2022 · 4 min read
When developing iOS applications, we need to sign them with a certificate issued by Apple before we can distribute them via the App Store or to testing platforms like TestFlight. The signing procedure ensures that the iOS application comes from an approved source and hasn't been tampered with.
Xcode provides automatic code signing, but more advanced or automated environments require a manual setup. This is when we need to understand how the underlying code signing & provisioning works. So let's dive in.

Provisioning profile
A provisioning profile is the core file of the signing process. It can be created through the developer portal and downloaded as a .mobileprovision file.
The provisioning profile provides information on how Apple can identify an iOS application, what the app intends to do, where it can run and more. To be more specific, a provisioning profile contains:
- the distribution type, e.g. Development, Ad Hoc or App Store
- the app's App ID which identifies the app
- the developer's identity in the form of a certificate
Let's look at each component in more detail.
Distribution type
When creating a provisioning profile, we specify in which context it will be used. The following options are available:
- Development - to install the app on test devices during development
- Ad Hoc - to install the app on a limited number of registered devices
- App Store - to submit the app to the App Store
For ad hoc distribution, the provisioning profile will also include a list of device IDs.
App ID
An App ID is a string used to identify one or more apps from a development team. It consists of two parts, the Team ID and the Bundle ID separated by a period. The Team ID is supplied by Apple, while the Bundle ID is supplied by us developers.
When creating an App ID we can choose capabilities our iOS application will use. Capabilities & entitlements provide access to Apple's App Services, for example Push Notifications.
Entitlements are configured by declaring capabilities for a target in Xcode. Xcode records capabilities in a property list file with an .entitlements extension which we can also edit directly.
When code signing an iOS application, Xcode combines the entitlements file, information from the developer account, and other project information to apply a final set of entitlements to the app.
Certificates
As already mentioned, a provisioning profile contains a certificate to identify the developer of the iOS application. Certificates are based on public-key cryptography and follow the X.509 standard.
We can create certificates through the Apple Developer Portal in the Certificates section. In the process of creating a certificate, we'll be asked to upload a Certificate Signing Request (CSR) so Apple can sign our certificate.
A CSR can be created by opening Keychain Access and choosing Keychain Access ▸ Certificate Assistant ▸ Request a Certificate from a Certificate Authority. Behind the scenes, Keychain Access creates a public-private key pair. The CSR file contains the public key, whereas the private key is kept in the keychain.
After uploading the CSR, Apple signs it and we'll be able to download a .cer file. Double-clicking it will open it with Keychain Access and we'll be able to see the new Apple-signed certificate.
Bringing it all together
Now that we have a provisioning profile, a certificate and a matching private key in our keychain, we can use them to build, archive and sign an iOS application.
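To check which of these components a given profile actually carries, the following added example (not code from the original article) pulls the property list out of a .mobileprovision blob and reports the distribution type, the two halves of the App ID, the registered devices, the entitlements and the certificate fingerprints. The function names, the distribution-type heuristic and the sample profile are assumptions made for illustration, and the script reads the payload without verifying the CMS signature around it.

```python
import hashlib
import plistlib

def load_profile(blob: bytes) -> dict:
    """Return the plist embedded in a CMS-signed .mobileprovision blob.
    This only reads the payload; it does NOT verify the CMS signature."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def summarize(profile: dict) -> dict:
    ent = profile.get("Entitlements", {})
    devices = list(profile.get("ProvisionedDevices", []))
    # Heuristic (assumption): debuggable builds are Development profiles,
    # a device list without get-task-allow means Ad Hoc, no list means App Store.
    if ent.get("get-task-allow"):
        kind = "Development"
    elif devices:
        kind = "Ad Hoc"
    else:
        kind = "App Store"
    # App ID = Team ID + "." + Bundle ID, so split on the first period only.
    team_id, _, bundle_id = ent.get("application-identifier", "").partition(".")
    certs = profile.get("DeveloperCertificates", [])
    return {
        "type": kind,
        "team_id": team_id,
        "bundle_id": bundle_id,
        "devices": devices,
        "entitlements": sorted(ent),
        # SHA-1 over the DER bytes, comparable to the fingerprint Keychain Access shows.
        "cert_sha1": [hashlib.sha1(der).hexdigest().upper() for der in certs],
    }

def constructed_sample() -> bytes:
    """Constructed stand-in for a profile: fake CMS framing around a plist."""
    plist = plistlib.dumps({
        "Name": "Demo Ad Hoc (constructed)",
        "ProvisionedDevices": ["00008030-CONSTRUCTED-UDID-1"],
        "DeveloperCertificates": [b"constructed-bytes-not-a-real-certificate"],
        "Entitlements": {
            "application-identifier": "ABCDE12345.com.example.demo",
            "aps-environment": "production",
            "get-task-allow": False,
        },
    })
    return b"\x30\x80constructed-cms-header" + plist + b"constructed-cms-signature"

if __name__ == "__main__":
    for key, value in summarize(load_profile(constructed_sample())).items():
        print(f"{key}: {value}")
```

For a real file, pass the bytes of the downloaded .mobileprovision to `load_profile` instead of the constructed sample.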
