Demystifying iOS Signings

Why Signing

  • To allow Apple to authorize each app before it is available for users and signing the app ensures that the app has not been modified by bad people and that no malicious code into your app.
  • To allow Apple make heaps of money by limiting builds to run only on Macs and by charging for its developer’s account license.

The Signing Entities

  1. Who — a certificate will identify the owner
  2. What — the application to develop and install
  3. Where — on which devices the apps will be installed.
The signing identities

Device Identifier

Application Identifier (App Id / Bundle Id)


Signing certificate metaphor
  • Developer certificate is generated for a specific person, or in fact a single Apple Id and can used during development (we will see how in a moment)
  • Distribution certificate, as the name implies, allows distributing the application for users who are not the developers. The distribution certificated is generated to an organization or a team (which might be only a single person).

Provisioning Profiles

  • Development — this is used to enable a developer install the application during development to specific devices during the development process. The device needs to be connected to the development computer. This provisioning profile is using a development certificate, and the devices that will be used need to be registered and installed.
  • Ad Hoc — This enables user to install the application on a known and limited number of devices for testing purposes. The devices do not need to be physically connected to the development computer, but they are need to be known and registered on the development portal. Although this provisioning profile is a using a distribution certificate, an application signed with adhoc provisioning profile cannot be uploaded to the App Store.
  • App Store — this is the provisioning profile that is used for distributing the application to the app store. It uses a distribution certificate, but is not limited to specific devices.
  • Enterprise — a 4th type of provisioning profile is aimed for larger organizations that want to control which applications are limited on their users’ devices. It requires joining Apple Enterprise program (yes, more money!) and is using special registration.

The signing Verification Process

  • Keychain is a safe that knows how to store secret items (and in fact is a nice UI for the openssl protocol used for Apple security).
  • XCode build tools (and the UI) know how to sign the application with the correct signing profile.

Step 1 — Generating Signing certificate

  • An authorized user logs into the developer portal and requests a signing certificate for itself.
  • The user generates a private key locally (a half of broken heart) and sends a reflection of it to Apple via the developer portal.
  • Apple creates the certificate (the other half of the broken heart) based on the private key signed.
  • The newly created certificate is installed in the development computer of the user. The certificate is only valid when it is paired with the private key signed.

Step 2 — Generating the Provisioning profile

  • The singing certificate is registered on the portal, and now the user can log into the portal and request a provisioning profile. The user specifies the application and the type of provisioning profile that is requested.
  • For development or adhoc provisioning profiles the user specifies the devices from the list of registered devices.
  • For development provisioning profile the user may define a set of valid development certificates that can use the same provisioning profile.
  • The user downloads the provisioning profile to the development machine. The default location for storing the provisioning profiles is ~/Library/MobileDevice/Provisioning Profiles.

Step 3 — Building the application

  • Application is built and signed on a development computer. The signing is done with a provisioning profile that fits what is specifies in the xcode signing properties.
Credit: someone on the internet. I am still thankful for saving me the snapshot trouble.

Step 4 — Installing the Application

  • If the application is downloaded from the App Store after it has been approved, it can installed on any device (there are some limitation such as regional, but this will be ignored for the time being).
  • If the app is Ad Hoc or Development, when attempting to install on a device, the UDID will be checked and the installation will be approved or rejected.


  • Cert (alias for get_certificates)— allows managing certificates profiles
  • Sigh (alias for get_provisioning_profile) — allows managing certificates profiles
  • Match (alias for sync_code_signing ) — allows synchronizing certificates and provisioning profiles with the centrally managed repository of certificates and provisioning profiles.





If you can’t explain it simply, you don’t understand it well enough.” — Einstein

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Interview Process in Computational and Data Sciences (CDS, IISc)

Software Career Moments in 11 Songs

Agora Releases Flutter SDK 4.0.1

Would you like to work on native apps?

The Beining & Bogen team posing in front of a christmas tree at the office.

Linux Basic Commands

Data integration at scale with Azure Data Factory — Populate slowly changing dimensions

BUYAA Will Fix All Your Problems

BUYAA is the flex tape of difficult ideas.

Daily Coding challenge #1

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Tally Barak

Tally Barak

If you can’t explain it simply, you don’t understand it well enough.” — Einstein

More from Medium


Get your weapon of choice with Swift

Supporting Accessibility in your iOS app

So you want to do mock testing in XCTest?