iOS and Xcode: How to set the code signing for deployment?

I am about to submit my iOS app on iTunes Connect, but after hearing about multiple rejections from Apple I want to do things properly.
The only thing I am not sure about is the Code Signing part in the Build Settings of the target.
Up until now I had left the default configuration but I changed the provisioning profile to my distribution provisioning profile (that is, the provisioning profile which has the production certificate) because it seems kind of logical. But I am now wondering if I should have left the default settings. Could you tell me if what I've done is correct?

When you create an archive to submit to the store, the app will be built using the Release configuration (at the top left of Xcode, click on the Scheme dropdown next to the stop button and choose Edit Scheme to see how an archive uses Release).
So in Build Settings/Code Signing you will see that you can specify a different profile for Debug and Release under Code Signing Entitlements.
For Debug, set this to your Developer Profile; for Release, set this to the Distribution Profile.
If you are building the app for a development build it will use the developer profile, while an archive for the store will sign with the distribution profile - and you won't need to keep switching back and forth.

Related

Can't use the iOS distribution in Xcode

In my Xcode 9 project I have Automatically manage signing checked. I want to sign the application with the iOS distribution certificate. For some reason, when I was creating the certificate I entered the name and email of another person. In Keychain Access I can see the public and private keys with the name of that person and, under the private one, the iPhone distribution certificate. The problem is that in Xcode, when I select the Team, I'm only getting the iPhone developer signing certificate and not the distribution one. But in the Build Settings I can see iPhone distribution in the select list of the Code Signing Identity. Once I select it, Xcode detects a conflict with the provisioning profile (because I changed it manually and Automatically manage signing is checked). I tried the solution of checking then unchecking it and selecting the team, but the problem is still there.
Make sure your scheme (top-left corner, app name dropdown --> Edit Scheme) is set to Release and not Debug for Archive, and for Testing also, so that your Distribution is selected automatically.
When you use automatic provisioning, by default you get two profiles generated in Xcode: when you connect the device it uses the Dev profile for debugging, but when you archive the build it autogenerates a Distribution profile. If you have an enterprise account, I would recommend having a universal distribution profile created and not Ad Hoc, as an Ad Hoc profile always has to be updated and regenerated when a new device ID is added, and the old app recompiled.
Just uncheck the "Automatically signing" option. Once you uncheck it, only the profile selection option will be enabled. Select distribution profiles as shown in the image.

Wrong/AutoGenerated Provisioning Profile when Submitting Build to App Store

I am attempting to upload my iOS app build. After clicking submit from the Organizer-Archives window in Xcode, it seems to select the wrong Provisioning profile to submit. It is also not editable.
I have the correct iPhone Distribution signing identities, and App Store provisioning profile in both the project and target (under Build Settings).
I'm skeptical about submitting the app with this auto-selected Provisioning Profile ("XC: Rajib.Tho") instead of "My Parse Push App Store Profile." Am I doing something wrong here? My app uses push notifications so I want to make sure the provisioning profile is set up correctly before submitting.
Screenshot here of what I see:
I solved this by deleting the provisioning profile that Xcode was auto generating from Apple's developer portal. It appears that it was pulling it from there, and once I deleted it from there and archived and submitted it, it pulled the correct provisioning profile that I intended to use!
I'm not sure how Xcode chose another provisioning profile, when you explicitly selected another.
If I were you I would find and delete the "XC: Rajib" provisioning profile and start over (restarting Xcode in the process).
I guess you could give Xcode the benefit of the doubt, by turning down the Binary and Entitlements triangle and carefully checking the entitlements then submitting if they're right... but I wouldn't feel good about it.

iOS provisioning profiles and signing identities

I am a bit lost in all the certificates/provisioning profiles.
When I am doing ad-hoc distribution by first doing "archive" and then "distribute" in Xcode and then choosing my ad-hoc distribution profile, does it matter at all what I have set up in the Project->Target->Build Settings->Code Signing?
On one hand I read in different places that when you archive a build, you can (and really should) use that same archive both for beta testing with ad-hoc and then when ready just sign/distribute the same archive with an appstore profile and upload to app store. That kind of makes sense. It also tells me that I can really leave blank the provisioning profile in the project settings, the one that is chosen during "distribute" action is actually used, and the signing identity is actually the private key associated with the distribution certificate listed in that provisioning profile. Right?
On the other hand, the TestFlight instructions (http://help.testflightapp.com/customer/portal/articles/1333914) clearly state that project settings should be set to use the Ad-hoc profile as well, and the same profile must be used in the project settings and in "distribute". That means that I cannot use the same archive both for ad-hoc and app-store distribution, can I? Do I need to change project settings every time I want to release for this or that distribution?
Also, if project settings make any difference in the archive/distribute scenario, it is not clear what Code Signing Identity should be used there. The TestFlight screenshots show iOS Developer set both for debug and release, yet neither ad-hoc nor app store distribution has the individual iOS developer certificate associated with it; distribution profiles are usually associated with one and only one distribution certificate.
Can someone please shed some light and explain how it is actually supposed to work?
Thanks
Yes, your build settings matter. Xcode picks up various entitlements from your initial code signing/provisioning profile configuration and it only makes minimal changes to them in the Distribute... phase.
So if Xcode chooses the incorrect profile during the Archive step you can end up with incorrect bundle seed ID, keychain groups, APN environment and iCloud entitlements.
The Distribute... button calls the PackageApplication script, which makes sure that get-task-allow is false (debuggers can't connect), embeds a provisioning profile, then re-signs and zips your app (although I may have the order wrong).
PackageApplication is worth reading. One could fault it for not being very smart, but I think it should be stricter and refuse to package an app whose entitlements differ from the provisioning profile it is using.
You can find it here: Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/PackageApplication
I think one stable workflow for distributing Ad Hoc builds is:
1. remove all wildcard provisioning profiles from your system
2. select your App Store profile in Release Configuration (used in Archive phase)
3. in Distribute select your Ad Hoc profile
The reason for 1. is that wildcard profiles (profiles that match multiple BundleIDs, created either manually by you or automatically by Xcode) are not worth the trouble. Yes, they get you running code on a device quicker, but you soon have to abandon them if you want to use push notifications or any other interesting service and then they hang around on your system and sooner or later Xcode will silently pick one of them and sabotage your App Store submission.
As for point 2. (selecting the App Store provisioning profile), I'm a little hesitant about specifying a profile in the project, but the App Store one only needs to change once a year when your certificate expires (unless you edit the App Identifier in the Certificates, Identifiers & Profiles portal, then you'll need to regenerate your profile & re-select it in your project settings).
Since the Ad Hoc and App Store profiles are based on the same App Identifier, their entitlements will always be in sync.
Point 2. should make point 1. unnecessary, but wildcard profiles will also happily screw up your dev builds too, so why give them the chance to stab you in the back?
Point 3. - you can change your Ad Hoc profile as much as you like - just remember to select the right one in Distribute; the entitlements are taken from the App Store profile which should change rarely. There's nothing stopping you distributing to the App Store from here. That's perfectly natural.
p.s. I don't know why TestFlight recommend selecting Ad Hoc in release instead of App Store.
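The answer above wishes PackageApplication would refuse to package an app whose entitlements differ from the provisioning profile it embeds. The following is an added example, not part of the original answers and not Apple's code: it compares an app's signed entitlements against a profile's Entitlements dictionary and reports the kind of drift the answer lists (APN environment, get-task-allow, keychain groups). The function names, team ID, bundle ID and sample bytes are constructed, and the rule "every app entitlement must be granted by the profile, with trailing-* wildcards" is a simplifying assumption.

```python
import plistlib

# Constructed sample data: team ID, bundle ID and wrapper bytes are made up.
APP_ENT = {  # entitlements of an archive that was signed with a development profile
    "application-identifier": "ABCDE12345.com.example.app",
    "aps-environment": "development",
    "get-task-allow": True,
    "keychain-access-groups": ["ABCDE12345.com.example.app"],
}
SAMPLE_PROFILE = b"\x30\x80constructed-cms-header" + plistlib.dumps({
    "Name": "Example App Store Profile",
    "Entitlements": {
        "application-identifier": "ABCDE12345.com.example.app",
        "aps-environment": "production",
        "get-task-allow": False,
        "keychain-access-groups": ["ABCDE12345.*"],
    },
}) + b"constructed-signature-bytes"

def profile_entitlements(mobileprovision: bytes) -> dict:
    """Return the Entitlements dict of a .mobileprovision (a CMS container
    around an XML plist). The CMS signature is NOT verified here."""
    start = mobileprovision.index(b"<?xml")
    end = mobileprovision.index(b"</plist>", start) + len(b"</plist>")
    return plistlib.loads(mobileprovision[start:end])["Entitlements"]

def _allowed(app_value, profile_value) -> bool:
    """True if the profile grants app_value (lists and trailing-* wildcards)."""
    if isinstance(profile_value, list):
        wanted = app_value if isinstance(app_value, list) else [app_value]
        return all(any(_allowed(w, p) for p in profile_value) for w in wanted)
    if isinstance(profile_value, str) and profile_value.endswith("*"):
        return isinstance(app_value, str) and app_value.startswith(profile_value[:-1])
    return app_value == profile_value

def entitlement_mismatches(app_ent: dict, profile_ent: dict) -> list:
    """List every app entitlement the profile does not grant as signed."""
    problems = []
    for key, value in app_ent.items():
        if key not in profile_ent:
            problems.append(f"{key}: not granted by the profile")
        elif not _allowed(value, profile_ent[key]):
            problems.append(f"{key}: app={value!r} profile={profile_ent[key]!r}")
    return problems

if __name__ == "__main__":
    for line in entitlement_mismatches(APP_ENT, profile_entitlements(SAMPLE_PROFILE)):
        print("MISMATCH", line)
```

On a real build the app-side dictionary would come from the entitlements plist that `codesign -d --entitlements` prints for the .app, loaded with `plistlib`.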

Xcode doesn't honor the "iOS Distribution" Code Signing Entity setting

I want to correctly understand the Code Signing Identity setting: I want to use the automatic setting in Xcode and not specify a specific identity. The automatic setting has 2 choices: iOS Developer and iOS Distribution. Based on which one you use, it's supposed to switch to choose a developer or a distribution signing identity from your keychain.
I have my build settings configured as follows, in order to use an "iOS Distribution" identity on build:
When I Archive my app (the Archive scheme is correctly set to use the Release build configuration), I see that Xcode is not using the correct code signing identity:
Would anyone know why this is the case? I'm looking for an explanation and not a workaround solution (I know I can work around the problem by directly setting the Code Signing Identity to my iPhone Distribution: Company Name identity from the keychain).
Thanks!
So interestingly this doesn't actually matter in the latest Xcode as long as the profile you are eventually going to sign with is for the same bundle identifier as the one it's signing with now...
As long as the team setting is set Xcode is capable of generating the profile you need automatically. Don't try to fight it.
Here is the Team setting from the Target's General settings screen:
Then when you archive Xcode puts the archive in the organiser. When you click distribute on the archive in the organiser window it prompts you to select a new signing identity and actually re-signs the app.
It actually works to sign apps with the team provisioning profiles generated by Xcode. You also don't need to make an ad-hoc specific provisioning profile as your testers can now install apps signed using the development provisioning profiles with no issues. The only time you will need to make your own provisioning profile is if you are using any of the concrete bundle id features like push notifications, game centre, data protection, iCloud, inter-app audio, passbook, keychain access groups or in-app purchase.
If you make your own provisioning profiles for specific bundle ids then Xcode will either automatically select, or have available for selection, the relevant provisioning profile at the point of choosing the identity in the organiser window.
You can refresh Xcode's cache of provisioning profiles from the Accounts pane of Xcode's settings. Click on your team, click "View Details" and then click the tiny refresh button in the bottom left corner.

Submitting app to Apple

I have a question regarding submitting an app to Apple. I have my program written and tested on actual devices. I have a certificate and provisioning profile set up so I can load it onto my device. However, when I go on the official Apple web site to see the steps that I need to take before submitting, it requires me to get a certificate and provisioning profile again? So what do I do? Do I delete my old provisioning profile or what do I do? Confused
You don't need to delete your Developer certificate or mobile-provisions. You do need to request and download a Distribution certificate and a distribution profile before building a submittable app.
The process is kind of confusing at first, but after some time you get used to it:
For distributing the app, you have to have a distribution certificate.
Do not delete your developing certificate. Leave it there ;)
After downloading and installing the certificate in your Xcode (in Organizer), change the signing identity in your project settings (if you have Xcode 4, in the navigation menu click on your project main item, then go to build settings and change the signing identity for your project to the distribution profile).
After that you will be able to archive your application (from the Product menu in your Xcode).
After archiving, you can test the build and upload it to Apple from your Organizer window...
Hope to have helped!
Best of luck...
