Demystifying iOS Signings

Why Signing

(What is this good for? Skip this if you are already convinced signing is important).

  • To allow Apple to authorize each app before it is available to users. Signing the app ensures that the app has not been modified by bad people and that no malicious code has been injected into your app.
  • To allow Apple to make heaps of money by limiting builds to run only on Macs and by charging for its developer account license.

The Signing Entities

(The participants in iOS signing hell)

  1. Who — a certificate will identify the owner
  2. What — the application to develop and install
  3. Where — on which devices the apps will be installed.

The signing identities

Device Identifier

A unique device identifier (UDID) is a 40-character string assigned to Apple devices. On a Mac it can be found in the hardware info. On an iPhone / iPad this site can help finding it:

Application Identifier (App Id / Bundle Id)

This is a key that identifies your application. It is customary to write the App Id as the reverse of a domain name, e.g. Application IDs are owned by a team and therefore need to be registered on the team's developer portal.


The certificate’s goal is to verify that a person or a team is the true owner of the application, and that its identity cannot be stolen by another person. A person is identified by their Apple Id, and can also belong to a team.

Signing certificate metaphor
  • Developer certificate is generated for a specific person, or in fact a single Apple Id, and can be used during development (we will see how in a moment).
  • Distribution certificate, as the name implies, allows distributing the application to users who are not the developers. The distribution certificate is generated for an organization or a team (which might be only a single person).

Provisioning Profiles

(Putting them all together)

  • Development — this is used to enable a developer to install the application on specific devices during the development process. The device needs to be connected to the development computer. This provisioning profile uses a development certificate, and the devices that will be used need to be registered.
  • Ad Hoc — this enables users to install the application on a known and limited number of devices for testing purposes. The devices do not need to be physically connected to the development computer, but they need to be known and registered on the developer portal. Although this provisioning profile uses a distribution certificate, an application signed with an Ad Hoc provisioning profile cannot be uploaded to the App Store.
  • App Store — this is the provisioning profile that is used for distributing the application through the App Store. It uses a distribution certificate, but is not limited to specific devices.
  • Enterprise — a 4th type of provisioning profile is aimed at larger organizations that want to control which applications can be installed on their users’ devices. It requires joining the Apple Enterprise program (yes, more money!) and uses a special registration.

The signing Verification Process

(What do they do with it?)

  • Keychain is a safe that knows how to store secret items (and in fact is a nice UI for the openssl-based machinery used for Apple security).
  • Xcode build tools (and the UI) know how to sign the application with the correct signing profile.

Step 1 — Generating Signing certificate

  • An authorized user logs into the developer portal and requests a signing certificate for themselves.
  • The user generates a private key locally (one half of a broken heart) and sends a reflection of it (the matching public key) to Apple via the developer portal; the private key itself never leaves the machine.
  • Apple creates the certificate (the other half of the broken heart) from the key it received.
  • The newly created certificate is installed on the user's development computer. The certificate is only valid when it is paired with the private key it was generated for.
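The "broken heart" in Step 1 can be made concrete. The following is an added example, not code from the original post: a private key is generated locally, only a certificate signing request (the public key plus the requester's name, signed with the private key) goes to the issuer, and the issuer returns a certificate that is useless without the original private key. The issuer here is a constructed stand-in key, not Apple's real issuer, and the example assumes the third-party `cryptography` package is installed. `key_matches_certificate` is the check Keychain effectively performs when it shows a private key underneath a certificate, and it also illustrates the reassurance at the end of the post: if the private key is lost, a freshly generated key will not pair with the old certificate, so a new certificate has to be requested, nothing more.

```python
"""
Added example (not from the original post): the Step 1 'broken heart' in code.
Assumes the third-party `cryptography` package is installed; the issuer key
below is a constructed stand-in for Apple, not Apple's real issuer.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def generate_private_key():
    # The half of the heart that never leaves the developer's machine.
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def build_csr(private_key, common_name, email):
    # The 'reflection' sent to the portal: the public key plus the identity,
    # signed with the private key so the issuer knows the requester holds it.
    subject = x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, common_name),
        x509.NameAttribute(NameOID.EMAIL_ADDRESS, email),
    ])
    return x509.CertificateSigningRequestBuilder().subject_name(subject).sign(
        private_key, hashes.SHA256()
    )


def issue_certificate(csr, issuer_key, issuer_name, days=365):
    # What the portal does: it never sees the private key, only the CSR's
    # public key, which it wraps in a certificate and signs with its own key.
    if not csr.is_signature_valid:
        raise ValueError("CSR signature does not verify")
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(csr.subject)
        .issuer_name(issuer_name)
        .public_key(csr.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=days))
        .sign(issuer_key, hashes.SHA256())
    )


def key_matches_certificate(private_key, cert):
    # Pairing check: do both halves carry the same public key?
    def spki(public_key):
        return public_key.public_bytes(
            serialization.Encoding.DER,
            serialization.PublicFormat.SubjectPublicKeyInfo,
        )
    return spki(private_key.public_key()) == spki(cert.public_key())


def issued_by(cert, issuer_public_key):
    # Was this certificate really signed by the issuer?
    try:
        issuer_public_key.verify(
            cert.signature,
            cert.tbs_certificate_bytes,
            padding.PKCS1v15(),
            cert.signature_hash_algorithm,
        )
        return True
    except InvalidSignature:
        return False


def demo():
    issuer_key = generate_private_key()  # constructed stand-in for Apple
    issuer_name = x509.Name(
        [x509.NameAttribute(NameOID.COMMON_NAME, "Example Issuer (constructed)")]
    )
    dev_key = generate_private_key()
    csr = build_csr(dev_key, "iPhone Developer: Example Dev", "dev@example.com")
    cert = issue_certificate(csr, issuer_key, issuer_name)
    other_key = generate_private_key()  # a key generated after 'losing' dev_key
    return {
        "paired": key_matches_certificate(dev_key, cert),
        "paired_with_other_key": key_matches_certificate(other_key, cert),
        "issued_by_issuer": issued_by(cert, issuer_key.public_key()),
        "issued_by_other": issued_by(cert, other_key.public_key()),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the certificate pairing only with the key that produced the CSR and verifying only against the issuer that signed it; a certificate alone, without its private key, cannot sign anything.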

Step 2 — Generating the Provisioning profile

  • The signing certificate is registered on the portal, and now the user can log into the portal and request a provisioning profile. The user specifies the application and the type of provisioning profile that is requested.
  • For Development or Ad Hoc provisioning profiles the user selects the devices from the list of registered devices.
  • For a Development provisioning profile the user may define a set of valid development certificates that can use the same provisioning profile.
  • The user downloads the provisioning profile to the development machine. The default location for storing the provisioning profiles is ~/Library/MobileDevice/Provisioning Profiles.

Step 3 — Building the application

  • The application is built and signed on a development computer. The signing is done with a provisioning profile that matches what is specified in the Xcode signing settings.

Credit: someone on the internet. I am still thankful for saving me the snapshot trouble.

Step 4 — Installing the Application

The last step occurs when a user tries to install the application.

  • If the application is downloaded from the App Store after it has been approved, it can be installed on any device (there are some limitations, such as regional ones, but these will be ignored for the time being).
  • If the app is Ad Hoc or Development, when attempting to install on a device, the UDID will be checked and the installation will be approved or rejected.
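The installation decision in Step 4, together with the four profile types from the Provisioning Profiles section, can be written down as a small rule set. The following is an added example, not code from the original post: it models the dictionary found inside a provisioning profile (the key names `ProvisionedDevices`, `ProvisionsAllDevices`, `ExpirationDate`, `TeamIdentifier` and the `application-identifier` / `get-task-allow` entitlements are the ones real profiles carry; the UDIDs, team id and bundle ids are constructed), classifies a profile by which of those keys it has, and decides whether a given device and bundle id would be accepted. Beyond the post, it also handles wildcard App Ids (`TEAMID.*`), which match any bundle id under that team.

```python
"""
Added example (not from the original post): a model of the checks a device
applies to a provisioning profile at install time. Sample profiles, UDIDs,
team id and bundle ids are constructed; key names follow real profiles.
"""
import datetime as dt

TEAM = "ABCDE12345"                                   # constructed team id
UDID_1 = "0000000000000000000000000000000000000001"   # constructed UDIDs
UDID_2 = "0000000000000000000000000000000000000002"
UNKNOWN_UDID = "0000000000000000000000000000000000000009"
NOW = dt.datetime(2024, 6, 1, tzinfo=dt.timezone.utc)
EXPIRES = dt.datetime(2030, 1, 1, tzinfo=dt.timezone.utc)


def make_profile(name, app_id, devices=None, all_devices=False,
                 debuggable=False, expires=EXPIRES):
    # Shape of the plist embedded in a .mobileprovision file (values constructed).
    profile = {
        "Name": name,
        "TeamIdentifier": [TEAM],
        "ExpirationDate": expires,
        "Entitlements": {"application-identifier": app_id,
                         "get-task-allow": debuggable},
    }
    if devices is not None:
        profile["ProvisionedDevices"] = list(devices)
    if all_devices:
        profile["ProvisionsAllDevices"] = True
    return profile


# One constructed profile per type described in the post.
DEVELOPMENT = make_profile("Dev", f"{TEAM}.com.example.myapp",
                           devices=[UDID_1, UDID_2], debuggable=True)
AD_HOC = make_profile("AdHoc", f"{TEAM}.com.example.myapp",
                      devices=[UDID_1, UDID_2])
APP_STORE = make_profile("Store", f"{TEAM}.com.example.myapp")
ENTERPRISE = make_profile("Ent", f"{TEAM}.*", all_devices=True)
EXPIRED = make_profile("Old", f"{TEAM}.com.example.myapp", devices=[UDID_1],
                       expires=dt.datetime(2024, 1, 1, tzinfo=dt.timezone.utc))


def profile_kind(profile):
    # Enterprise profiles provision all devices; Development and Ad Hoc list
    # devices and differ by the debugging entitlement; App Store lists none.
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"
    if "ProvisionedDevices" in profile:
        if profile["Entitlements"].get("get-task-allow"):
            return "development"
        return "ad hoc"
    return "app store"


def app_id_matches(app_id, bundle_id):
    # application-identifier is "<team prefix>.<bundle id or wildcard>".
    _team, _, pattern = app_id.partition(".")
    if pattern.endswith("*"):
        return bundle_id.startswith(pattern[:-1])
    return bundle_id == pattern


def can_install(profile, udid, bundle_id, now):
    # Returns (accepted, reason) for installing bundle_id on device udid.
    if now >= profile["ExpirationDate"]:
        return False, "profile expired"
    if not app_id_matches(profile["Entitlements"]["application-identifier"],
                          bundle_id):
        return False, "bundle id not covered by profile"
    kind = profile_kind(profile)
    if kind in ("development", "ad hoc") and udid not in profile["ProvisionedDevices"]:
        return False, f"device {udid} not registered in {kind} profile"
    return True, f"{kind} profile accepts {bundle_id}"


if __name__ == "__main__":
    for p in (DEVELOPMENT, AD_HOC, APP_STORE, ENTERPRISE, EXPIRED):
        for device in (UDID_1, UNKNOWN_UDID):
            print(p["Name"], device[-1], can_install(p, device, "com.example.myapp", NOW))
```

The same rules explain the everyday failures: an unregistered test device is rejected by Ad Hoc and Development profiles but not by App Store or Enterprise ones, a renamed bundle id stops matching a non-wildcard App Id, and an expired profile is rejected before the device list is even consulted.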


(Can we avoid the mess?)

  • Cert (alias for get_certificates) — allows managing certificates.
  • Sigh (alias for get_provisioning_profile) — allows managing provisioning profiles.
  • Match (alias for sync_code_signing) — allows synchronizing certificates and provisioning profiles with a centrally managed repository of certificates and provisioning profiles.


I am no hacker or security expert. My first experience with iOS signing was a terrifying one. I noticed my company’s team certificate in my keychain and was sure that accidentally deleting it would make our application access lost forever. The truth is that no actions done locally can harm the application in an irreversible manner. At worst, you will need to generate a new profile or certificate. (Note: the Developer portal and iTunes Connect can have a more destructive impact.)



Tally Barak