Best Practices for Signing iOS Applications

March 14th, 2019

Signing iOS apps outside of Xcode isn’t a walk in the park. This is unlike Android, where signing apps outside of the IDE is straightforward. To sign Android apps, all you need is a standard Java Keystore and two command lines, and you are done. Google also published a useful guide to follow.

Apple, by contrast, focuses all of its signing documentation on signing during development. Information on how to sign iOS apps locally outside of Xcode is hard to come by.

In iOS, you need to sign the application executable, not the ipa container. As a consequence, if an app contains more than one executable or framework, each has to be signed individually and in the correct order. For example, an app with a share extension or a WatchKit app has several executables, and each one must be signed correctly.

3 Things You Need for Signing iOS Applications

In order to sign an iOS executable, there are 3 major factors in play:

  1. Signing Certificate – An iOS signing certificate (aka the signing identity) consists of a p12 file and its password. One signing certificate must be used to sign all the application’s executables. More on how to create and export a signing certificate can be found here.
  2. Provisioning Profile – Each executable must have a designated provisioning profile. Each profile is generated by Apple for a specific App ID and Certificate (and in some cases for specific iOS devices). There are 4 different types of provisioning profiles (Development, App Store, Ad Hoc and In House), each for a different use case and to enable different features. You can read more about the different provisioning profiles here.
  3. Entitlements – Each executable’s capabilities and permissions are defined by its entitlements. The entitlements are part of the signature and are embedded into the executable. If the app does not declare an entitlement, the OS will not allow the matching application service at run time. Example entitlements are push notifications, App Groups (which allow IPC between applications on the same device), Keychain access groups, iCloud and more.

Common Errors When Signing iOS Applications

Entitlements are the first source of errors. Each entitlement requested by the app must be allowed by the provisioning profile used to sign that executable. Any mismatch will mark the code signature as invalid and the app will fail to install on the iOS device.
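A pre-signing check for the mismatch described above, as an added example (not Appdome's code and not part of the original article): it compares one executable's requested entitlements with the `Entitlements` dictionary of its provisioning profile. The identifiers, the sample plists and the simplified matching rules (exact match, or a trailing `*` wildcard in the profile) are assumptions, and both inputs are assumed to be already extracted as plists.

```python
import plistlib

# Constructed sample: entitlements requested by one executable.
APP_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>application-identifier</key><string>ABCDE12345.com.example.app</string>
  <key>aps-environment</key><string>production</string>
  <key>get-task-allow</key><false/>
  <key>keychain-access-groups</key>
  <array><string>ABCDE12345.com.example.shared</string></array>
  <key>com.apple.security.application-groups</key>
  <array><string>group.com.example.app</string></array>
</dict></plist>"""

# Constructed sample: decoded provisioning profile (only the relevant key).
PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Entitlements</key><dict>
    <key>application-identifier</key><string>ABCDE12345.com.example.*</string>
    <key>aps-environment</key><string>development</string>
    <key>get-task-allow</key><true/>
    <key>keychain-access-groups</key><array><string>ABCDE12345.*</string></array>
  </dict>
</dict></plist>"""

def allowed(value, patterns):
    """True if value equals a pattern or matches its trailing-* wildcard."""
    return any(value == p or (p.endswith("*") and value.startswith(p[:-1]))
               for p in patterns)

def find_mismatches(app_plist, profile_plist):
    """Return {key: reason} for entitlements the profile does not allow."""
    requested = plistlib.loads(app_plist)
    granted = plistlib.loads(profile_plist).get("Entitlements", {})
    problems = {}
    for key, want in requested.items():
        if isinstance(want, bool):
            # Assumption: a false flag never needs a grant; true must be granted.
            if want and granted.get(key) is not True:
                problems[key] = "requested true, profile does not grant it"
            continue
        if key not in granted:
            problems[key] = "not present in profile"
            continue
        have = granted[key]
        patterns = have if isinstance(have, list) else [have]
        values = want if isinstance(want, list) else [want]
        bad = [v for v in values if not allowed(v, patterns)]
        if bad:
            problems[key] = "profile does not allow %s" % bad
    return problems
```

Calling `find_mismatches(APP_ENTITLEMENTS, PROFILE)` on the constructed samples reports `aps-environment` (production requested, development granted) and the app group that the profile lacks.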

Signing errors also typically occur when you sign 3rd-party applications outside of Xcode. To do this, you must first create App IDs that support the same entitlements the executable needs. However, you cannot create an App ID that was already used by a different developer (like the original developer of the app) anywhere in the Apple ecosystem. The next step is to create the correct provisioning profile for deployment. After that, you must change the entitlements of the application itself and sign each executable correctly and in the correct order. As you can see, this process has many opportunities for error.

Appdome’s Sign-Right™ makes Signing Mobile Applications Fast and Easy

Using Appdome’s Sign-Right signing, Appdome automatically matches the best provisioning profile for each executable, detects signing mismatches between the provisioning profiles and the entitlements of each executable and corrects them on the fly. Signing iOS applications on Appdome guarantees that your app is signed correctly and will install without problems on your device.

In our new release of Appdome-DEV, we are now offering this extended support for local signing of apps. Appdome’s Auto-DEV private signing allows the user to download a script bundled with the apk/ipa to sign. Running the local script (that does not access the internet or leave the internal network) signs the apps while fixing all the mismatches and performs all the Appdome validations locally.

Auto-DEV private signing for Android or iOS ensures the signing of apps with certainty, without the private signing credentials leaving an organization’s internal network, while meeting compliance rules.

The downloadable signing scripts are also built for API and CI/CD integration out of the box. This feature makes building and signing applications locally easy and streamlined within the organization.

See for yourself how easy signing iOS applications on Appdome is. Start a free trial today.
