Stop worrying about code signing!


Code signing is without doubt one of the most painful tasks that every iOS dev has to do. In this article, I’ll explain the whole process.

Bitrise

How does code signing work?

As I mentioned in my previous article, iOS devices can only run apps that are signed by trusted developers. The provisioning process is just the beginning of a much bigger story. Profiles are used during the code signing phase, but what exactly is a code signature, and most importantly, how can I sign an iOS app successfully?

Code signing is the process of digitally signing an app to ensure that it comes from a certain developer. It is similar to signing your real-world contracts, but it’s much more secure because a cryptographic hash is much more unique than a splash of ink. Code signing also ensures the integrity of the code: it is a guarantee that the app has not been modified or corrupted since the developer made it. In other words, you can’t get any malware or virus if you only download code signed apps. 😊
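The integrity guarantee described above can be modelled in a few lines of shell. This is an added example, not code from the original article and not Apple's actual signature format: the `_sig` directory, the manifest layout and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Simplified model of a code signature (NOT Apple's real format): hash every
# file in a bundle, sign the list of hashes, and re-check both on verify.
# The _sig/ directory and all function names are made up for this example.

manifest() {                      # one hash line per file, in a stable order
  ( cd "$1" && find . -type f ! -path './_sig/*' | LC_ALL=C sort |
      while IFS= read -r f; do openssl dgst -sha256 "$f"; done )
}

sign_bundle() {                   # usage: sign_bundle <bundle-dir> <private-key.pem>
  mkdir -p "$1/_sig"
  manifest "$1" > "$1/_sig/manifest"
  openssl dgst -sha256 -sign "$2" -out "$1/_sig/manifest.sig" "$1/_sig/manifest"
}

verify_bundle() {                 # usage: verify_bundle <bundle-dir> <public-key.pem>
  # 1. the manifest must carry a valid signature made with the developer's key
  openssl dgst -sha256 -verify "$2" -signature "$1/_sig/manifest.sig" \
      "$1/_sig/manifest" >/dev/null 2>&1 || return 1
  # 2. every file on disk must still hash to what the manifest recorded
  [ "$(manifest "$1")" = "$(cat "$1/_sig/manifest")" ]
}

demo() {                          # constructed sample bundle in a temp directory
  d=$(mktemp -d) && mkdir "$d/Example.app" || return 1
  echo 'binary v1' > "$d/Example.app/Example"
  openssl genrsa -out "$d/key.pem" 2048 2>/dev/null
  openssl rsa -in "$d/key.pem" -pubout -out "$d/pub.pem" 2>/dev/null
  sign_bundle "$d/Example.app" "$d/key.pem"
  verify_bundle "$d/Example.app" "$d/pub.pem" && echo "untouched: valid"
  echo 'changed after signing' >> "$d/Example.app/Example"
  verify_bundle "$d/Example.app" "$d/pub.pem" || echo "modified: rejected"
  rm -rf "$d"
}
demo
```

Verification needs only the public key, which is why the signer's public half can be distributed inside a certificate while the private key never leaves the developer's machine.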

The initial technology for signing executable apps appeared around the time the first iPhone was launched, since the code signing process was crucial for a mass-market product. Apple introduced a way to protect both their customers and the App Store. iOS simply won’t run unsigned code; however, you can disable this security gate by jailbreaking your phone. That is a very dangerous process, you shouldn’t do it at all.

Now that you know the reasons, it’s time to learn how code signing works under the hood. Let’s see what kind of tools and files are involved during the signing process.



Certificates, keys and a little bit of cryptography

Let’s have a quick overview of certificates, private and public keys.


Certificate Signing Request

The Certificate Signing Request (CSR) is a file that you have to send to a certificate authority (in this case Apple, through the developer portal) to apply for a digital identity certificate. The process of creating a CSR is part of the Public Key Infrastructure (PKI). The applicant has to generate a public and a private key on the local machine, then a CSR file can be generated from the public key file with some additional personal data, like name, email, etc. The applicant keeps the private key secret, meaning you should NEVER give out your private key to the public! 🤫


Certificate

A certificate is a public key combined with lots of additional information, signed by a Certificate Authority (CA), in this case Apple. You can generate a certificate by uploading a CSR file to the developer portal, or nowadays Xcode can automatically manage them for you. The certificate expires at some point in time; if that happens, you have to renew it. Apple can also revoke your certificate if you break the rules; if that happens, you won’t be able to code sign your apps anymore. Please note that you’ll also need the corresponding private key during the code signing process.

Public-key cryptography, or asymmetric cryptography, is a cryptographic system that uses pairs of keys.


Public key

The public key can be shared with everyone; it’s usually available under a publicly accessible directory. A person who has the public key can encrypt some data for a specific receiver. Only the receiver with the private key can decode the message. The digital signature process also relies on this fundamental concept of asymmetric cryptography. Guess what? This is also part of the Public Key Infrastructure. 🔑


Private key

The private key is a secret key that’s used to decrypt some specific data or message. You have to use the private key to code sign your app; without it, you cannot use the certificate and public key to sign anything. You should never share your secret key, but the one exception might be when you have multiple members in your developer team and more than one person is responsible for the signing process. The private key is perhaps the most important component of the entire signing process. You can’t download a private key from the developer portal, so always keep it secret. If you lose it, you can still apply for a brand new cert, but that can be quite time-consuming.

As you can see, I’m not going too much into the details of cryptosystems like RSA; you don’t really need to know them in order to be able to sign an app. Obviously, it’s useful to have some advanced knowledge of cryptography, but that alone could be the topic of a much longer article. Let’s just focus on how to create your signing keys and the process of obtaining your certificate from Apple this time. 🍎



Manually signing your apps

This method requires more work, but if you follow the instructions you’ll learn a lot about how automatic code signing works behind the scenes. It’s always good to know the fundamental building blocks. If you are facing some code signing issues, the debugging process will be much harder if you don’t understand the basics. 🐛


Creating a CSR

The easy way: through the Keychain Access application

Start the Keychain Access application; from the Keychain Access menu item, select the Certificate Assistant option and click the Request a Certificate From a Certificate Authority… option. If you are seeing the Keys category, and there is a key selected in the right panel, that specific key will be used for your new CSR file. If there is no key selected, a new one will be made for you.


Enter both your email address and your name and select the Saved to disk option. Press the Continue button, and save the CSR file somewhere on the disk. A new public and private key will be automatically added to the login keychain for the CSR.

Generating a CSR file using the command line

If you go with the command line, you can manually generate the CSR and the key-pair in a .pem file format. You also have to import the keys to the keychain manually.



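    # 1. generate a 2048-bit RSA private key
    openssl genrsa -out private-key.pem 2048

    # 2. create the CSR from the private key
    #    (you@example.com is a placeholder: use your own email address and name)
    openssl req -new -key private-key.pem \
        -out CertificateSigningRequest.certSigningRequest \
        -subj "/emailAddress=you@example.com/CN=My Developer Name/C=US"

    # 3. extract the public key from the CSR
    openssl req -in CertificateSigningRequest.certSigningRequest \
        -noout -pubkey -out public-key.pem

    # 4. import both keys into the login keychain
    security import private-key.pem -k ~/Library/Keychains/login.keychain-db
    security import public-key.pem -k ~/Library/Keychains/login.keychain-db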

Now you’re ready to get a certificate! 📋


Obtaining a certificate from Apple

Just go to the developer portal (it has a brand new look, by the way), and select the certificates menu item in the left sidebar. There is a plus button next to the title; you should press that too and the following screen will appear:


The first two options are also new ones. From Xcode 11 on, you can submit your apps for all the platforms, so a single certificate can do the job for you. For older versions of Xcode, you can go with the iOS / macOS development certificates. You should note that iOS certificates were used for iOS, tvOS, and watchOS alike.

You can choose between development and distribution certificates. The last one is for publishing your apps to the App Store, the first one is for code signing development versions. Also, there can be a maximum of two valid distribution certificates at a time per person. Next, you have to upload the CSR file in order to get a certificate.


After you press the Continue button, you can download the generated certificate. You should double click the file and add it to your login keychain. If there is a little arrow right next to it on the left side, that means there is an associated private key file, and you’re ready to use the certificate to sign your applications… or not? 🤔
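The arrow in Keychain Access shows that the certificate and a private key belong together; the same check can be made on the command line by comparing public-key fingerprints. This is an added example, not part of the original article: the function names are hypothetical, and in the demo a self-signed certificate stands in for the one issued by Apple.

```shell
#!/bin/sh
# Added example: compare the public key inside a private key, a CSR and a
# certificate. Function names are made up; only stock openssl commands are used.

cert_pem() {                 # normalise a DER (.cer) or PEM certificate to PEM
  openssl x509 -in "$1" -inform DER 2>/dev/null ||
  openssl x509 -in "$1" -inform PEM 2>/dev/null
}

pubkey_fp() {                # usage: pubkey_fp key|csr|cert <file>
  case "$1" in
    key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
    csr)  pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) ;;
    cert) pem=$(cert_pem "$2" | openssl x509 -noout -pubkey 2>/dev/null) ;;
    *)    return 2 ;;
  esac
  [ -n "$pem" ] || return 1  # an unreadable file must never compare as equal
  printf '%s\n' "$pem" | openssl pkey -pubin -outform DER |
    openssl dgst -sha256 -r | cut -d' ' -f1
}

same_key() {                 # usage: same_key <private-key.pem> csr|cert <file>
  a=$(pubkey_fp key "$1") && b=$(pubkey_fp "$2" "$3") && [ "$a" = "$b" ]
}

cert_expires_within() {      # usage: cert_expires_within <cert> <days>
  # true when the certificate expires inside the window (or cannot be read)
  ! cert_pem "$1" | openssl x509 -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

demo() {                     # constructed files; a self-signed cert stands in for Apple's
  d=$(mktemp -d) || return 1
  openssl genrsa -out "$d/private-key.pem" 2048 2>/dev/null
  openssl genrsa -out "$d/other-key.pem" 2048 2>/dev/null
  openssl req -new -key "$d/private-key.pem" -subj "/CN=Constructed Test" -out "$d/req.csr"
  openssl req -new -x509 -key "$d/private-key.pem" -subj "/CN=Constructed Test" -days 30 |
      openssl x509 -outform DER -out "$d/dev.cer"
  same_key "$d/private-key.pem" csr  "$d/req.csr" && echo "csr: matches private key"
  same_key "$d/private-key.pem" cert "$d/dev.cer" && echo "cert: matches private key"
  same_key "$d/other-key.pem"   cert "$d/dev.cer" || echo "cert: other key rejected"
  cert_expires_within "$d/dev.cer" 60 && echo "cert: expires within 60 days"
  rm -rf "$d"
}
demo
```

Running `same_key` against the downloaded certificate before importing it tells you whether the machine you are on actually holds the key the CSR was created from.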


Creating a provisioning profile

Well, it’s not that simple; you still have to get a valid provisioning profile from Apple. As I mentioned in my previous article, provisioning plays a key role in the code signing process. Fortunately, everything can be done through the dev portal.


First, you have to select the type of your provisioning profile. I already explained these types; please read my article about provisioning if you want to know more about it.


As a second step, you have to select the application that you’ll make a provisioning profile for. If you don’t have an application identifier, you can register one by using the Identifiers menu item. It’s really simple.


On the next screen, you have to select the certificate that you’d like to use during the code signing process with the provisioning profile.


As you might already know, developer profiles have associated device identifiers, so if you have registered test devices in the developer portal, here you can associate them with the given profile. You can’t install the app on the physical device if the UUID is not included in the profile, so it’s worth double checking them. This can be quite problematic sometimes.


Finally, you’ll see an overview of your profile. You have to name your profile, and if you press the Generate button, you can download it through your browser. That’s it.

After you have downloaded both your signing certificate and provisioning profile, you should double click both. The certificate should be imported to the login keychain, and the provisioning profile should be saved under a given location, so Xcode can use it during the code signing process.

Now if you open Xcode and go to the Signing & Capabilities tab (it’s under General before Xcode 11), you can check or uncheck the Automatically manage signing checkbox. You have to select a valid provisioning profile from the drop-down menu item. If you did everything right, Xcode should be able to see both the profile and the associated certificate. This means that all the red error signs should be gone and you should be able to build and sign your app on your physical test device. 🙏




Automation: Xcode, Bitrise and codesigndoc

Automatic code signing is a piece of cake. Let me show you what needs to be done in order to enable this powerful feature in Xcode first.

Automatic code signing using Xcode

The whole manual signing thing I just showed you is the past. Nowadays you can simply use Xcode to manage all the certificates and profiles for you. You just have to connect your developer account under the settings menu.


After entering your valid developer credentials, Xcode can create and download everything for you that’s required to properly sign an app. However, sometimes there can be some issues, and there are some actions that you still have to do manually, like creating a Push notification certificate, but it’s really helpful to forget about the rest if you just want to try out your app on a real device.


Oh, and don’t forget that you should check the Automatically manage signing checkbox & you have to select the developer team that you’d like to use for the signing process.

That’s it, no more manual CSR, certificate or provisioning creation. 💫


Bitrise & codesigndoc

There are two ways (steps) to sign your app by using Bitrise:


If you go with the first one, you have to upload your certificate with the key-pair and the provisioning profile to Bitrise. Under the workflow editor there is a dedicated tab for this specific reason, it’s called: Code Signing. 😅

Using codesigndoc to upload code signing files to Bitrise

Fortunately, Bitrise made an amazing open source tool called codesigndoc that can help you with the whole upload procedure. You just have to run one line of code in your terminal window & codesigndoc will take care of the rest. If you set up your Bitrise credentials, you don’t even have to upload the exported code signing files manually; codesigndoc can make that happen for you too.


This is what the code signing tab looks like: there is a dedicated section for provisioning profiles and one for the certificates. There is even a secure generic file storage that can be used during the code signing process if you have some really special needs. Honestly speaking, I’ve never used that before. 🤷‍♂️


Automatic vs manual provisioning on Bitrise

My recommendation is that you should simply go with the iOS Auto Provision step.

Don’t waste your time on the export and the unnecessary file upload. Auto provisioning is easy, because you just have to enter a few configuration properties and connect a developer account. I usually set the Distribution type to development, enter The Developer Portal team id and finally set the Should the step try to generate Provisioning Profiles even if Xcode managed signing is enabled in the Xcode project? option to yes.

Generally this method works.



Just codesign or should I re-sign?

One more thing: there is a standalone codesign command line tool.

With the help of the codesign command you can check the status of an application, and even better, you can sign or re-sign the executable. The codesign command can also give you information about the signing status, which can be extremely helpful if things go wrong. You can always check the manual of the codesign tool, and if you’d like to get some info about your app’s code signature you can simply enter this command:



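    # display verbose information about the code signature
    codesign -vv -d Example.app

    # verify the code signature
    codesign --verify Example.app

    # sign the app with the given certificate
    codesign -s 'Certificate name' Example.app

    # force re-signing an app that is already signed
    codesign -f -s 'Certificate name' Example.app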


I would not recommend using this tool for signing apps, because there is another great tool called XReSign with a proper user interface that can be used to re-sign your apps. If you really need to go this way, it’s better to use XReSign, because it can auto-update the underlying entitlements file based on the given provisioning. It also has a command line interface, so all in all, it’s more convenient to use. 😉



Conclusion

Code signing is definitely difficult to understand & work with, but there are plenty of great tools that can make your life easier. The process nowadays is way easier than it was a couple of years ago, thanks to Xcode and the automatic code signing option.

If you use Bitrise to automate your builds, you should always use codesigndoc or the iOS Auto Provision step if you want to avoid the struggle. They’ll save you a lot of time, especially if your certs and provisioning profiles change a lot. 👍

Apple just made some wonderful little changes, like the new combined certificate for all the platforms, redesigning the UI for the developer account or the dedicated tab in Xcode 11 for managing code signing and capabilities.

I really hope that this article will help you understand the entire process better. 😊