Here's my scenario. I work on a team of 3 developers. Currently I am the only one who does iphone development so at this point we have 1 project that I created, tested and then created a deployment certificate so I could build it and deploy it to a few devices. 1 developer, 1 app, it's all pretty straight forward. Here is where my problem lies.
Now lets say one of the other developers has to checkout the source code, make a change and redeploy, and I am not around, nor is the computer that I developed on. I have read everything I could find and I understand the other developer would need to download the distribution certificate and deployment provisioning profile and that I would also need to export the private key of the distribution certificate to the .p12 format for them to put on their machine. This all works as said.
The question I have and what I can't seem to figure out is that the distribution certificate I created is signed with my developer private key. I feel like that should not be the case because if I export this and give it to them they now have my private key which from what I can tell is something you are supposed to keep secret and in a safe place for me to develop on other machines or in case I need to reinstall, not something I would give to other developers just so they can deploy. And vice versa when they create an application and I need to make changes and deploy.
I have searched everywhere for an answer but I don't seem to be able to find the exact answer I need to understand what I am missing. Maybe I'm just missing some essential concept.
Is there a way to create a distribution profile with a private key of my company rather than myself? Or even a key that I can name for each project if I have to create a distribution certificate for each project.
Is sharing my personal private key attached to the distribution certificate wrong/bad?
What can they do with my private key? I feel like we should have a company private key or something.
I know this is long winded but I am really at a loss at this point. Here is another post that is similar and it also links to another post that was having the same problem that from what I can tell didn't get answered clearly, at least as far as I can tell.
Enabling multiple team admins to build an app for distribution in XCode 4.3?
Any help for how a team of developers can all build and deploy without sharing their private keys would be greatly appreciated. I assume it's simple because I can't imagine other companies are deploying from a single machine.
Jon
The answer (like the question) is somewhat longer:
1) As a rule, distribution provisioning profiles (Ad-Hoc, Enterprise InHouse and AppStore) are using different certificate/key pairs then development provisioning profiles. There are clearly marked as such in the provisioning portal (e.g. developer certificate, distribution certificate, and push certificate).
2) Companies tend to limit the access to distribution keys, as their leakage introduces significant security implications (e.g. someone could try to distribute your application with malware etc). A common practice is to have one to three designated "Signers"
3) As for one agains multiple distribution certificates: there is a limit on the number of distribution certificates you can have (I think it's two). Also, in case of distribution provisioning profiles, you are allowed to pick only one. So if you would like to use two keys/certs regularly, you would have to have two provisioning profiles for the same app. Trust me! xcode will make you regret this idea!
Bonus note: In theory it should be possible to create a CSR (certificate signing request) with a private/public key pair of your choice, instead of the default behaviour of generating a new one. More here
Your developer private key is not being used with the distribution certificate. There are two private keys involved with your scenario above.
Open Keychain Access, select your login keychain and select "My Certificates" under category.
1) Your developer private key should never need to be shared with another developer. It is unique and for your use only. Only if you are migrating to a new computer should you need to export this. In your Keychain Access application, you will see this certificate listed as "iPhone Developer: Your Name"
2) The distribution certificate has a separate private key. It is located on the computer that created the distribution certificate request and is in the Keychain Access application listed as "iPhone Distribution: Your Company Name". You will need to export this certificate (including both public and private keys) to allow someone else to create an enterprise distribution using the EXISTING provisioning profile. For information of how to export these keys, see: https://stackoverflow.com/a/9418712/600753
I recommend the above approach, but another alternative is to have the other developer create another distribution certificate and another provisioning profile. This approach has a tendency to confuse the auto selection of the provisioning profiles within Xcode and is usually more trouble than it's worth.
Related
We are struggling with the Distribution Certificate handling from Apple.
We have several developers setup in the Apple Developer Portal, for the sake of the example:
Alice: Team Admin
Bob: Admin
Charles: Admin
Dan: Developer
Alice, Bob, and Charles should be able to build Apps for Distribution (Adhoc for internal testing, Testflight for external testing, and Appstore for distribution). Dan is only producing code and debugging on his local machine.
All users use individual accounts for the development.
From what we understood from the Apple documentation, Alice, Bob, Charles need a valid distribution certificate. If xCode generates it for them, they will start playing “ping pong”, and keep revoking each other’s certificate – at least this is what appears to be happening at the moment.
We are not sure why this would happen. One would think, that if you create a different new user this account can also maintain his own (distribution) certificates.
Anyway, so they will need to share a distribution certificate, by sharing the private key (p12 file) of it, as you can find in the answer here.
In our account, it appears as if we can have up to two valid distribution certificates.
We don’t really know how this ultimately worked – we didn’t do it manually over the developer portal, but used xCode for it. Alice generated her certificate, Bob revoked and regenerated, Alice did the same thing – but suddenly they both had a valid distribution certificate, instead of invalidating Bobs certificate.
In the documentation it was mentioned that you can have up to 2 valid distribution certificates. We have also manually tried to generate the distribution certificates and could confirm that it is limited to two.
However, we then got recently invited to a customer’s developer program to sign apps on his behalf.
I assume the customer was not aware that we require the private key from his distribution certificate. We therefore tried to manually generate a distribution certificate, and saw that it was not possible. To our surprise though, the customer managed to generate 3 valid distribution certificates.
Any idea how this worked?
Our questions in a nutshell:
1. What is best practice when you manage a team of developers?
Do you normally share the private key of the first developer who generated the certificate with all other team members, which should be able to sign the app?
2. What is the best practice when you work with clients?
Do you ask them to generate another private key, or is there some hidden functionality to generate as many distribution certificates as you want, given that every developer uses his own account?
3. What happens when we revoke a certificate.
It doesn’t affect the apps in the app store, but only seems to limit other developers to build their app. However, what happens with APNS / Push Server certificates? When we revoke a distribution certificate through xCode, will this also suddenly stop working for the sender?
Thank you for your help.
After a long time of investigation and trying things out, here is what we think is the best fit for us. Not sure if it is best practice but it seems to work for us just fine.
1. What is best practice when you manage a team of developers?
One person generates a distribution certificate using his mac. He then exports the certificate (public AND private key) in a p12 file, as suggested by washloops and shares it with the team.
2. What is the best practice when you work with clients?
We have two sorts of clients:
Clients working with multiple suppliers (so we are just taking care of 1 app, out of their portfolio) - We ask them to share their distribution certificate (public + private key). If they don't have it, they need to get it from another vendor.
Clients working only with us - We generate the certificate and share it with the client later on. This allows them to share it with other vendors if they need to.
3. What happens when we revoke a certificate.
From our tests: "nothing". If you revoke a distribution certificate, it will prevent developers using this certificate from submitting / building apps. However, existing APNS / Push certificates are not affected.
For us it seems as APNS / Push certificates are totally independent, and if you wish to revoke them, you need to revoke both.
You have to create just 1 distribution certificate. After that you go to Keychain Access, select the certificate and export it as ".p12", and maybe add a password to it.
After that you just install it in the other computers.
Regards :)
As a contractor I am working for a company and my job is to build an iOS app and publish it for enterprise distribution. Now the problem is that the company which employed me is kind of sitting on their certificates. Here is what they gave me:
An enterprise distribution provisioning profile
An enterprise distribution certificate (no private key)
I think this is not enough to publish the app for enterprise distribution. What else will I need?
The problem is they are very uncooperative (it is a big company and my guess is the IT department is not happy that the job was given to an outsider), I do not even have a direct contact to them.
1) If they want you to build the app, they have to give you the private key for the distribution certificate.
2) Another option would be that you check in the code in their repository (what you're probably doing anyway) and they build and upload the app themselves.
3) Or they give you access to a machine running Xcode with the proper certificates and keys already installed.
If they are concerned about the security of the certificate, 2) would probably be the best option for them.
There is a lot of information about iOS distribution. I think I understand the different distriubution models, but I am looking for best practice for distributing an app to a client.
I have a client who has an Enterprise developer account and uses AirWatch for MDM. Here is how I am going to recommend to them that we distribute the app to their organization since they have no one technical on staff that has any experience with Xcode or iOS development and they will not be given access to the source code:
Add me as a member of their developer account
I build the app using their certificate
I give them the .ipa and plist file to distribute either through MDM or website.
Is this the correct way to do this? What if I am going to sell this same app to three clients - would I do it a different way? Is there anything else that needs to be done to distribute through AirWatch?
Again, looking for best practice and how others are handling this situation. Please clarify if I have anything wrong.
UPDATE: Thank you all for the answers. From what I have learned how this is done depends directly on how the client wants to handle the situation. In the end the client added me as an admin on their account (we have worked together quite a bit). I was able to create the distribution profile, build, and deploy the app to them. Not all clients will do this for security reasons. In that case, they will need to provide you will a cert as stated below, or you will need to build the app on one of their machines as Buckeye said below...or go through Apple to distribute the app to them.
Feel free to correct any of this info if it is incorrect. I really think this is helpful information for a lot devs.
I am accepting Patrick's answer because it is the closest to what I actually did.
There are two ways you can do this, but for both you must be added as a member of your client's developer team. Once you have done this, you (or more likely your client) will choose weather to use their in-house certificate or your own distribution certificate that you will manage.
It can be done either way, it is only a matter of who will have authority in the future to submit apps with the same certificate under the same account. That authority resides in the possession of the associated key pair of the certificate. If you are added to the client's dev team and download their distribution certificate, you will NOT have this key and cannot sign distribution builds with associated provisioning profiles.
Therefore, you must either get a .p12 export of the certificate (which contains the key) from the client to install on your machine so that you may sign with it. This will allow you to submit from your machine, but you are then in possession of your clien'ts private key, which they would like to protect. Your other option is to use your own Certificate Signing Request to create a Distribution Certificate on the client's developer account. In this situation, only you have control over the certificate and the client must create new ones if they wish to work with other developers in the future.
Once you have done that, here is an informative guide for enterprise distribution.
As an Enterprise Agent I will tell you that unless your client lives under a rock (technically speaking regarding the Apple dev portal) I doubt they're going to give up the private key and cert. If they have zero legal/contractual access to the source code you've created the only course of action, speaking from experience, would be for you to visit their facility with the source code, compile it on their box that houses the private key & enterprise distribution cert, build & deliver the IPA and finally take the source back with you. That is how I have compiled every build with a 3rd party vendor where we don't own the source and need to deploy internally.
On the flip side of this argument if the client is, for some wild reason, willing to give up the keys to their enterprise castle and export the private key & enterprise distribution cert for you to use... for YOUR sake I would get in writing what the scope of your usage is with that cert and somehow document the fact you have deleted the key & cert after the process is over. Don't open yourself up to liability because if they share it with you there's a chance they may also share it with someone else and as we all know, not all development entities play by the rules. You wouldn't want to get accused of creating some rogue app under their name.
Regarding re-signing the IPA file... AirWatch won't let you do it. AW interrogates the IPA when you upload it and it will note that the embedded provisioning profile doesn't match the re-signed IPA and tank. It becomes a chicken & egg situation where you need the provisioning profile on the device before you install the app however AirWatch won't let you deploy the app unless the aforementioned embedded profile is correct.
Also, #Caleb is correct regarding B2B but the pricing model goes from the project to per-seat (iOS device). In other words if your contract is "you can install this app on an unlimited number of devices" the B2B approach is going to blow up in everyone's faces.
EDIT:
Below are your options when editing a Development Provisioning Profile in an Enterprise iOS Account:
Obviously here you can pick & choose developers and their devices from within the portal that can compile to that profile.
Now here are your "options" for editing the Enterprise Provisioning Profile:
As you can see you don't get an option to edit which portal users or devices can use this profile because it's tied to the Agent's CSR/private key and is deployed globally.
You would need:
Their certificate.
Their provisioning profile.
It's a quite common practise to do this.
My question is, is this the correct way to do this?
Yes.
What if I am going to sell this same app to 3 clients, would I do it a different way?
No, you'll do the same thing. You'll need to build the app separately for each client using each client's distribution certificate.
Another option is to build the app and sell it to your clients using the B2B distribution mechanism.
I developed an iOS app that my client is going to use internally. They sent me their enterprise distribution provisioning profile. When I add it to XCode it says "Valid signing identity not found". How do I build the app so that my client can run it on their devices?
Your computer is unable to sign with the distribution profile, since you don't have the private key for this certificate.
Alternative 1
Apple intends that building a project for distribution will only take place on a single machine - the machine that the certificate was originally created on. So, in their eyes, you should ask your clients to build the project internally (for distribution only - for development you should have no problems building yourself).
Alternative 2
There is a way to override it.. and it involves exporting the private key from that special distribution machine and emailing it to you.
These are the steps (also outlined here):
Access the computer where the certificate was created, open the "Keychain Access" program on the computer
In "Category" panel, select "Certificates"
Find the correct distribution certificate and expand it
Highlight both the iPhone distribution certificate line and the private key line under it.
Right click and select "Export 2 items"
Save the .p12 file, choose a password that can share, you will need it to import this file later
Email the saved file to you
Once you import this and type in the password from step 6, you will have the private key on your computer too and all will be good.
Alternative 3
There's a chance that when you ask your clients to export the private key, they will have no idea what you're talking about and no idea where the machine that created it is (this is what actually happened to me). This is usually the case if they are not regularly building for distribution on their own.
In this case, you can simply delete the certificate and create a new one (for the distribution profile). If you create the certificate on your machine, then you will have the private key. You should also export it to them just in case (using the same steps of alternative 2).. so they have the ability to build without you if need be.
Each provisioning profile is paired with a certificate. If you subscribe to the Apple developer service, you should have access to create and download a development cert (tied to the apple ID) and a distribution cert (tied to the organization). The enterprise distribution provisioning profile needs to be paired with the distribution cert. So in order to use their provisioning profile, you will have to get the distribution certificate from them. This will also involve you getting their private key, which they might not be so fond of. Alternatively, they can set you up as a developer on their portal, then you can distribute through the machine that already has the distribution cert installed on it.
we have a little Problem here and I hope you guys can help me out!
Situation:
We are enrolled in Apples Developer Program (for distributing Apps in the App Store). Since last week we're also enrolled in the Enterprise Program (for in-house App distribution).
Problem:
We proceeded with the development and building of the Apps. But we didn't knew that we have to use two different developer certificates for the different Programs. We have now 2 certificates with the same name and XCode is producing an error message each time we want to build the app saying "the certificate cannot be assigned exactly".
Question:
How do we change the name of one of the developer certificates?
Many thanks for your help in advance!!!
You already have default login keychain So you can add one certificate in login keychain. And then create new saperate keychain with different name and add your second certificate to that keychain. Now in your Xcode target setting find keychain certificate path to be used for target and choose appropriate keychain path.
e.g. For one certificate path ........./login/.....
For another certificate change path to ......../mynewkeychain/......
I feel your pain, as I have been in the same situation before. You can't easily change the certificates' names. Apple usually does not allow that. Dhawal's answer is correct, in that you will have to put your certificates into different keychains.
If you want to script your build process, you have to unlock and lock the appropriate keychains security unlock-keychain before you call xcodebuild. So that only the one certificate you want to sign with is accessible.
There are two very good projects that make managing the keychains and building a lot easier:
Openbakery's Gradle Xcode Plugin
rayh's xcoder for use with rake