Is it safe to share the iOS Enterprise Distribution Certificate with external developers? - ios

I am in the following situation: We have an enterprise developer account and for an app we are working with an external developer.
At the moment we do not have access to the source code so we can't make builds, but we still need to have weekly builds that can be installed on devices... therefore the external developer needs to be able to build ipa files.
The developer is now a member of the developer program and has their own developer certificate. However, there can only be one distribution certificate.
From a security point of view, is it safe/recommended for us to share the distribution certificate (and the private key) and a provisioning profile so they can build ipa files?
Are there any other (safer) choices?
PS: I was also thinking that we could resign an ipa with our distribution certificate but it still leaves us in the situation where they need to be able to build an ipa - and this is only possible with a distribution certificate + provisioning installed.

You can have your external developer sign with whatever they want and then you can re-sign the IPA and use it. This way the source code is "safe" from the developer's perspective and you can use your IPA signed with your certificate. I normally use this, but you can do it from the command line too...
As for your Post Scriptum part, that's not true... I have the experience of working with external agencies where they use their own certificate and provisioning and when I receive their IPA I only need to re-sign it.
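A check the receiving side can run on the vendor-delivered IPA before deciding whether to re-sign it with its own enterprise identity, as an added example (not code from any answer above; the team IDs and the sample IPA are constructed):

```python
import io, plistlib, re, zipfile
from datetime import datetime, timezone

def extract_profile_plist(mobileprovision: bytes) -> dict:
    # A .mobileprovision is a CMS/PKCS#7 envelope whose signed payload is an XML
    # plist stored as plain text inside the DER, so it can simply be sliced out.
    start = mobileprovision.find(b"<?xml")
    end = mobileprovision.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no plist found in provisioning profile")
    return plistlib.loads(mobileprovision[start:end + len(b"</plist>")])

def inspect_ipa(ipa_bytes: bytes) -> dict:
    # Pull the facts a client needs before accepting or re-signing a vendor IPA.
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        names = [n for n in z.namelist()
                 if re.fullmatch(r"Payload/[^/]+\.app/embedded\.mobileprovision", n)]
        if len(names) != 1:
            raise ValueError("expected exactly one embedded.mobileprovision")
        profile = extract_profile_plist(z.read(names[0]))
    ents = profile.get("Entitlements", {})
    return {"team_id": ents.get("com.apple.developer.team-identifier"),
            "app_id": ents.get("application-identifier"),
            "in_house": bool(profile.get("ProvisionsAllDevices", False)),
            "expires": profile["ExpirationDate"]}

def must_resign(info: dict, own_team_id: str, now: datetime = None) -> list:
    # Reasons to re-sign with your own enterprise identity (or reject the build)
    # instead of deploying the vendor-signed IPA as delivered.
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    reasons = []
    if info["team_id"] != own_team_id:
        reasons.append("signed by a different team")
    if not info["in_house"]:
        reasons.append("profile is not an in-house (enterprise) profile")
    if info["expires"] <= now:
        reasons.append("profile has expired")
    return reasons

def build_sample_ipa(team_id="VENDOR1234", in_house=False) -> bytes:
    # Constructed stand-in for a vendor-built IPA (hypothetical team IDs); the
    # DER wrapper is faked with two bytes, only the embedded plist is realistic.
    plist = plistlib.dumps({
        "Name": "Vendor profile", "TeamIdentifier": [team_id],
        "ExpirationDate": datetime(2030, 1, 1),
        "ProvisionsAllDevices": in_house,
        "Entitlements": {"application-identifier": f"{team_id}.com.example.app",
                         "com.apple.developer.team-identifier": team_id}})
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Example.app/embedded.mobileprovision", b"\x30\x82" + plist)
    return buf.getvalue()
```

On a real IPA the same functions work unchanged; only `build_sample_ipa` is a stand-in for the file the vendor delivers.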

They can be responsible for creating their own profile, and you can simply send them your p12 key (no big deal). You can also just give them the distribution certificate.
To be honest, I've never been in a situation where an employer or contractor was hesitant to give me their certificate & p12 file. So I've never thought much of it!

Related

iOS Enterprise Distribution - multiple people

I have an iOS Enterprise Account, and I currently use HockeyApp for OTA app distribution. When I want to send an app to HockeyApp that utilizes this license, I make an in-house distribution profile for the app, archive it, and upload the file to HockeyApp, and it works fine. I am the agent of my team on the developer portal.
I want other members of my team (including a Jenkins instance) to be able to sign applications with the same type of distribution profile that they can make. However, when someone tries to archive an app with the same distribution profile, they are unable to do so. Further, they are unable to apply for a distribution certificate unless they send me the .certSigningRequest file and I apply for it myself, then send it to them (I know this is incorrect but this seems like the only way to get them a certificate).
Basically, what do I need to do to enable another team member to archive an app for enterprise distribution?
Then you'll have to export your certificate and private key from Keychain Access and have others (including the Jenkins machine) import it into their keychain.
See: https://support.apple.com/kb/PH20122?locale=en_US

Does AirWatch sign unsigned ipa files?

We are trying to supply one of our clients with an ipa to deploy on their AirWatch. There is a lot of conflicting information on what is the best way to do that, but they all seem to agree on the fact that it needs to be signed with the certificate and private keys of some account. However, the client seems to be managing their apple enterprise account through AirWatch. Does this mean that we could supply them with an unsigned ipa file and let AirWatch do its thing?
I have been scouring the internet for a while for this information and the closest ones are similar to Renew iOS Development and APNs Production for Corporate Apps [AirWatch], which is not what I was looking for.
No - AirWatch does not re-sign anything IPA-wise. It can interrogate your IPA to make sure you're not trying to accidentally update App A's IPA with the IPA for App B but that's about it.
The link you provided has nothing to do with re-signing applications within AirWatch as much as it is the general practice for renewing your Enterprise Apple Developer Cert and Provisioning Profiles.
If you try to deploy an unsigned IPA to a device not in your Developer Portal you will likely run into an issue where the app will begin installation then throw an error that it cannot be installed.
Regarding what your client is doing there may be some confusion as AirWatch does not directly tie back to the Apple Developer Portal except for the MDM APNs cert which is unrelated to IPAs.
It depends on how sophisticated AirWatch's re-signing is. A good re-signer should be able to take anything, re-sign it AND add the correct entitlements.
That said, in Xcode unsigned feels like an unsupported path - so my conservative approach is to sign a production build of the app (Ad Hoc, Enterprise or even AppStore if that makes sense) with its entitlements being as similar as possible to those of the final app. If the app entitlements are simple (e.g. push notifications only), then this is the way to go.
But there's a problem: matching client entitlements has recently become harder, in part due to the proliferation of App Groups (which require an explicit, globally unique App ID - thanks, Apple Watch!), so your unsigned suggestion is starting to look more attractive.
AirWatch only re-signs IPAs if you wrap them with their App Wrapper, because it will alter the original IPA and invalidate the signature.
You have to provide both the Certificate and the Provisioning Profile to allow that.
If the IPA has to be signed with the Enterprise Certificate of your customer, you either require access to their Member Center or let them do it.
Apps like AppSign or iReSign can do that for you or your customer, if you provide them with the IPA.

How to build iOS app using 3rd party distribution provisioning profile

I developed an iOS app that my client is going to use internally. They sent me their enterprise distribution provisioning profile. When I add it to Xcode it says "Valid signing identity not found". How do I build the app so that my client can run it on their devices?
Your computer is unable to sign with the distribution profile, since you don't have the private key for this certificate.
Alternative 1
Apple intends that building a project for distribution will only take place on a single machine - the machine that the certificate was originally created on. So, in their eyes, you should ask your clients to build the project internally (for distribution only - for development you should have no problems building yourself).
Alternative 2
There is a way to override it, and it involves exporting the private key from that special distribution machine and emailing it to you.
These are the steps (also outlined here):
1. Access the computer where the certificate was created, open the "Keychain Access" program on the computer
2. In the "Category" panel, select "Certificates"
3. Find the correct distribution certificate and expand it
4. Highlight both the iPhone distribution certificate line and the private key line under it.
5. Right click and select "Export 2 items"
6. Save the .p12 file, choose a password that you can share, you will need it to import this file later
7. Email the saved file to you
Once you import this and type in the password from step 6, you will have the private key on your computer too and all will be good.
Alternative 3
There's a chance that when you ask your clients to export the private key, they will have no idea what you're talking about and no idea where the machine that created it is (this is what actually happened to me). This is usually the case if they are not regularly building for distribution on their own.
In this case, you can simply delete the certificate and create a new one (for the distribution profile). If you create the certificate on your machine, then you will have the private key. You should also export it to them just in case (using the same steps as alternative 2), so they have the ability to build without you if need be.
Each provisioning profile is paired with a certificate. If you subscribe to the Apple developer service, you should have access to create and download a development cert (tied to the Apple ID) and a distribution cert (tied to the organization). The enterprise distribution provisioning profile needs to be paired with the distribution cert. So in order to use their provisioning profile, you will have to get the distribution certificate from them. This will also involve you getting their private key, which they might not be so fond of. Alternatively, they can set you up as a developer on their portal, then you can distribute through the machine that already has the distribution cert installed on it.

Sharing Certificate with 3rd Party Developer

We have had a number of apps built by a 3rd party developer. I cannot remember how this was done in the past, but they have just updated 2 of our apps to work correctly with iOS 5.x.
The agreement is that they will build and sign the files ready for us to upload to iTunes. We cannot build the code as the agreement doesn't include the source.
I have sent them the Distribution Provisioning Profile (.mobileprovision) but they have asked for the "Certificate for Keychain access".
Perhaps I am being overly cautious, but am I right in thinking I need to export my Developer Certificate as a .cer file and email that to them? We do trust the company, but is this the correct way to do things? Is it allowed by Apple?
The 3rd party have no access to our accounts (developer centre / iTunes connect) and we have no access to the source code.
Thank you
If they're going to build things as you, they'll need your certificate and private key as well as the provisioning profile. I don't think there's any way round that if they're going to do the building and code-signing.
I think it's a fairly typical way to do things, in a situation where the client has the dev account but the developer owns the source.
Even if the development company did have access to your iTunes account, you'd still need to send them the private key that your certificate was created with.
Not tried it myself, but it seems like there is a way to re-sign the binary (IPA file). Check this link. It uses a utility called iReSign.

Different Apple Certificates

I am creating my apple developer certificates - just redoing them to have a clean up.
I can create both my developer and my distribution certificates fine, however they have a different name.
Will this affect the final product?
The reason I am doing a clean up is that it kept giving me errors about not matching certificates.
Any advice would be great:-)
Jeff
The distribution certificate has the name of your company and the developer certificate has your name.
You have to use distribution certificates to release a program in the App Store or create an ad-hoc program, and the developer certificate is only to compile and run on iPhone/iPad.
But if by name you mean the identifier, you can use the same one for both certificates or create, like I do, 2 different ones, so the App Store program will not overwrite your dev program.