iOS Code Signing breakdown
Understand the basics behind iOS code signing & provisioning profiles.
Let’s say that we have just finished developing our iOS application and now is ready to be released to the public. Before we can upload the app to the App Store (or to a third-party service for beta testing like Firebase App Distribution), we need to digitally sign the application. This process is known as iOS code signing, and in this article, I want to help you understand the different elements that play a part in this process.
What is it?
iOS code signing basically ensures the integrity of a specific application made by a specific developer (or company). Also, it controls that the application could be run on the devices that we want. If we’re uploading the application to the App Store, it’s clear that any person can download it. However, if we’re on beta testing, we might want to distribute the build to specific persons inside our company.
We’re going to need three elements to sign our application: Apple Certificate, Bundle Identifier, and Provisioning Profile. Let’s break down each one of those.
Apple Certificate
First things first, we need to identify ourselves to Apple. To do this, we need to create a Certificate and ask Apple to sign it. This is called Certificate Signing Request (CRS) and we can do it directly from the Apple Developer Portal.
There are two types of certificates that we can create: Development and Distribution. The development certificate is the one that we need to use when we’re developing our application and we want to test it in our devices running it directly from Xcode. On the other hand, a distribution certificate is used if we want to distribute the application outside Xcode. For example, through TestFlight or upload it directly to the App Store.
Bundle Identifier
The next thing that we’ll need is something that uniquely identifies our application in Apple’s ecosystem. This is called Bundle Identifier and you can see it as the package name in other languages. The only requirement that we have, is that there can not be two different applications with the same bundle ID.
We need to register our application in the Apple Developer Portal and associate it with a specific bundle identifier before we start using that bundle ID.
Provisioning Profiles
The provisioning profiles are files that put together the certificate’s information within the application’s bundle identifier. Also, it has the different entitlements required by our application (for example, if we want to use Apple Sign In).
Depending on the distribution type that we’re using, information about the devices that can run our app will be included in the provisioning profile as well.
As with certificates, we also have two different provisioning profiles types: one for development and one for distribution.
Development vs Distribution
Now that we have been through all the elements that iOS code signing needs, let’s explore the different combinations that we’ll need depending on if we’re in a development phase or in a distribution one.
Development
If we want to run the application in a simulator, we don’t need to do anything. We can run it as it is, no extra configuration is needed.
However, if we need to run it in a real device directly from Xcode, then we’ll need to use a development certificate within a development provisioning profile.
Distribution
We can distinguish three different types of distribution: Ad-hoc, Enterprise, and App Store. For all three, we need to use a distribution certificate but each one has a different provisioning profile type.
- Ad-hoc: it’s used to distributing the application outside the App Store (or Test Flight). The downside of this type of distribution is that we need to tell on which devices we want the application to be allowed to run. This is done by adding the device’s UUID in the provisioning profiles. This task can be done in the Apple Developer Portal. This is the one that we typically use at Houlak for beta testing.
- Enterprise: as the Ad-hoc type, it’s used if we need to distribute the application in a third-party service. However, there’s no need to specify the device’s UUID. The trick is that for us to be allowed to use this type of provisioning profile, we need to have a special distribution certificate called Distribution (enterprise). And Apple issue this type of certificate only to organizations that have more than a hundred employees.
- App Store: the simplest distribution type, the one that needs to pass Apple’s review process. As the application will be available in the App Store, no device’s UUID needs to be specified in the provisioning profile.
Summary
As you can see, iOS code signing can feel quite overwhelming at first. Nonetheless, it’s a must-know as you start growing in your professional career because at some point, you will be the person in charge of distributing the application to the world.
