Creating Your Signing Certificates

Code signing uses cryptographic technology to digitally sign your app and installer package. Code signing your app lets users trust that your app has been created by a source known to Apple and that your code hasn’t been modified since you signed it. You must sign your code to submit your iOS and Mac apps to the store. For certain store technologies, you must sign your code during development and testing—well before submitting your app to the store. iOS and OS X verify the signature of your app before allowing it to run on devices or use certain technologies.

You use specialized signing certificates in your keychain to sign an app or installer package. For iOS apps, you need these signing certificates during development and to run your app on devices. For Mac apps, you don’t need signing certificates unless you enable App Sandbox (which is required by the Mac App Store) and use store technologies such as iCloud and Game Center. Both iOS and Mac apps need special signing certificates to submit your app to the store. For Mac apps, you need a type of signing certificate to distribute your app outside of the store.

Therefore, the first step to prepare for code signing is to create the certificates specific to your platform:

About Code Signing

Code signing your app allows the operating system to identify who signed your app and to verify that your app has not been modified since you signed it. Your app’s executable code is protected by its signature because the signature becomes invalid if any of the executable code in the app bundle changes. Note that resources such as images and nib files are not signed; therefore, a change to these files does not invalidate the signature.

Code signing is used in combination with your App ID, provisioning profile, and entitlements (which you will learn more about later) to ensure that:

Code signing also allows your app’s signature to be removed and re-signed by a trusted source. For example, you sign your app before submitting it to the store, but Apple re-signs it before distributing it to customers. Also, you can re-sign and submit a fully tested development build of your app to the store.

Xcode uses your code signing identity to sign your app during the build process. This code signing identity consists of a public-private key pair that is issued by Apple. The private key is stored in your keychain and used by cryptographic functions to generate the signature. The certificate contains the public key and identifies you as the owner of the key pair. The certificate is stored both in your keychain on your Mac and in your developer account. An intermediate certificate is also required to be in your keychain to ensure that your certificate is issued by a certificate authority.

To sign apps, you must have both the code signing identity and the intermediate certificate installed in your keychain. When you install Xcode, Apple’s intermediate certificates are installed in your keychain for you. You create your code signing identity and sign your app using Xcode. Thereafter, you use Keychain Access and Member Center to manage your code signing identities.


Signing certificates are used to sign your app or installer package. A type of signing certificate used for development is used to identify you in a development provisioning profile that allows apps signed by you to launch on devices.

Requesting Signing Certificates

Before you can code sign your app, you need to create your development certificate. You actually create all the types of signing certificates you’ll need, throughout the project life cycle, using Xcode. Xcode requests, downloads, and installs your signing certificates for you.

For a company, a team member requests their development certificate using Xcode but downloads and installs it later, after it is approved, as described in “Approving Development Certificates.”

To request signing certificates
  1. In Xcode, choose Window > Organizer to open the Organizer window.

  2. Click Devices to display the Devices organizer.

  3. Select “Refresh from Developer Portal” from the Editor menu.

  4. Enter your Apple ID user name and password, and click “Log in”.

    If you don’t have a development certificate, Xcode offers to request development certificates on your behalf for the developer programs you are enrolled in. For example, if you are enrolled in the iOS Developer Program, Xcode offers to request an iOS Development certificate.

  5. Click Submit Request for each dialog that appears.

    Xcode offers to request development and distribution certificates depending on the type of account you have (whether it’s an individual or company account) and the developer programs you belong to (iOS or Mac). If you are an individual developer, wait while Xcode submits the requests for each certificate and they are approved. Refer to Table 2-1 for the types of certificates Xcode may request on your behalf. iOS developers need an iOS Development certificate and Mac developers need a Mac Development certificate to proceed.

  6. At the end of the refresh process, a dialog asks whether you want to export your developer profile. Click Export.

    The private keys for your certificates are stored only in your keychain; Member Center stores the certificates and their public keys, not the private keys. Therefore, you can’t restore a complete signing identity on another Mac or user account just by refreshing your provisioning profiles in Xcode. Instead, back up your certificates now, after you create them, so that you can import them later on another Mac, or on this Mac if the private keys go missing from your keychain.

  7. Enter a filename and password, and click Save.

    For your protection, the exported file is encrypted and password protected.


If you need to export or import your developer profile later, follow the steps in “Exporting and Importing Certificates and Provisioning Profiles.”

Verify Your Steps

Verify that your certificates are correct and ready for use. If the certificates shown in Xcode and Keychain Access don’t match your certificates in Member Center, follow the instructions in “Certificate Issues,” because if the certificates in your keychain are not valid, you won’t be able to sign your app.

The first time you verify your certificates, verify them in Xcode, Keychain Access, and Member Center to learn where they are located and how they appear in each tool. Later, you’ll use Keychain Access for troubleshooting.

Verify Using Xcode

After creating your certificates, you immediately see them displayed in Xcode.

To verify signing certificates using Xcode
  1. In the Devices organizer, select your team in the Teams section.

    Xcode adds a Teams section to the Devices organizer that displays all your team certificates that are managed by Member Center and appear in your keychain. The list should include all the certificates you recently and previously requested.

    For iOS apps, two certificates appear in the Teams section:


    For Mac apps, five certificates appear in the Teams section:

  2. Verify that the certificates are valid.

    If the certificate is valid in your keychain, a green circle containing a checkmark badge appears next to the name of your certificate in Xcode. This checkmark means that the certificate authority (for example, Apple) that issued the intermediate certificate authorized your certificate.

Verify Using Keychain Access

Keychain Access shows the private and public keys for each of your certificates.

To verify signing certificates using Keychain Access
  1. Launch Keychain Access, located in /Applications/Utilities.

    When you request a development or distribution certificate using Xcode, the certificate is automatically installed in your login keychain.

  2. Select “login” in the Keychains section, and Certificates in the Category section.

    The development certificate should appear in the Certificates category in Keychain Access. The name of the development certificate begins with the text “iPhone Developer” for the iOS Developer Program and “Mac Developer” for the Mac Developer Program, followed by your name (development certificates belong to a person).


    Other types of certificates also appear in the Certificates category of Keychain Access.

  3. Verify that there is a disclosure triangle to the left of the certificate.

    If you click the disclosure triangle next to the certificate name, your private key appears. If the disclosure triangle doesn’t appear, you are missing your private key.

  4. Verify that the certificates are valid.

    When you select a certificate, a similar green circle containing a checkmark appears in Keychain Access above the list of certificates. The text next to the checkmark should read “This certificate is valid.”
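The same check can be scripted. The following is an added example, not code from Apple’s guide: it parses the output of `security find-identity -v -p codesigning` (the command-line counterpart of the Keychain Access view) and reports which certificate types from Table 2-1 are still missing for a platform. The sample output, fingerprints and team ID suffix embedded in it are constructed placeholders.

```shell
# Added example, not from Apple's guide: a scripted "Verify Your Steps" over the
# output of `security find-identity -v -p codesigning`. With -v it lists only
# identities whose private key is in the keychain and whose chain to Apple's
# intermediate certificate validates (the text's "disclosure triangle" check).

# Constructed sample output; fingerprints and the (TEAMID0000) suffix are placeholders.
SAMPLE_OUTPUT='Policy: Code Signing
  Matching identities
  1) 0000000000000000000000000000000000000001 "iPhone Developer: Jane Doe (TEAMID0000)"
  2) 0000000000000000000000000000000000000002 "iPhone Distribution: Example Corp (TEAMID0000)"
  3) 0000000000000000000000000000000000000003 "Mac Developer: Jane Doe (TEAMID0000)"
     3 valid identities found'

# Maps one identity name to its certificate type from Table 2-1.
identity_type() {
  case "$1" in
    "iPhone Developer: "*)                    echo "iOS Development" ;;
    "iPhone Distribution: "*)                 echo "iOS Distribution" ;;
    "Mac Developer: "*)                       echo "Mac Development" ;;
    "3rd Party Mac Developer Application: "*) echo "Mac App Distribution" ;;
    "3rd Party Mac Developer Installer: "*)   echo "Mac Installer Distribution" ;;
    "Developer ID Application: "*)            echo "Developer ID Application" ;;
    "Developer ID Installer: "*)              echo "Developer ID Installer" ;;
    *)                                        echo "Unknown" ;;
  esac
}
# Extracts the quoted identity names, one per line, from find-identity output.
identity_names() {
  printf '%s\n' "$1" | sed -n 's/^ *[0-9]*) [0-9A-F]\{40\} "\(.*\)"$/\1/p'
}
# Succeeds if a valid identity of the given Table 2-1 type is present.
has_identity_type() {
  identity_names "$2" | while IFS= read -r n; do identity_type "$n"; done | grep -qx "$1"
}
# Prints the types a platform's full set (two for iOS, five for Mac, as shown in
# the Teams section of the Devices organizer) still lacks; prints nothing if complete.
missing_types() {
  output="$2"
  case "$1" in
    ios) set -- "iOS Development" "iOS Distribution" ;;
    mac) set -- "Mac Development" "Mac App Distribution" "Mac Installer Distribution" \
                "Developer ID Application" "Developer ID Installer" ;;
    *)   echo "unknown platform: $1" >&2; return 2 ;;
  esac
  for wanted in "$@"; do has_identity_type "$wanted" "$output" || echo "$wanted"; done
}

# Stand-alone run; on a Mac use "$(security find-identity -v -p codesigning)" instead.
echo "Missing for iOS:"; missing_types ios "$SAMPLE_OUTPUT"
echo "Missing for Mac:"; missing_types mac "$SAMPLE_OUTPUT"
```

A certificate that shows in Keychain Access but not in this listing is the missing-private-key or untrusted-chain case the steps above describe.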

Verify Using Member Center

Member Center should show the same certificates you see in Xcode and Keychain Access because it stores the public keys.

To verify signing certificates using Member Center
  1. In Certificates, Identifiers & Profiles, select Certificates.

  2. In the Certificates section, select Development.

    The names, types, and expiration dates of the development certificate should match the information that you view in Xcode.

  3. In the Certificates section, select Distribution.

    The names, types, and expiration dates of the distribution certificates should match the information that you view in Xcode.


Troubleshooting

If the certificates shown in Xcode and Keychain Access don’t match your certificates in Member Center, read “Certificate Issues” for information about how to resolve the discrepancies.

Your Signing Certificates in Depth

Your code signing identities, stored in your keychain, represent your iOS and Mac program development and distribution credentials. You should be familiar with the names of these certificates, because they appear in menus, and the types of certificates, because they appear in lists, so that you don’t accidentally remove them from your keychain or Member Center.

There are different types of signing certificates for different purposes. Development certificates identify a person on your team and are used to run an app on a device. During development and testing, you are required to sign all iOS apps that run on devices and Mac apps that use certain technologies like iCloud and Game Center.

Distribution certificates identify the team and are used to submit your app to the store or, for a Mac app, to distribute it outside of the store. If you are a company, distribution certificates can be shared by team members who have permission to submit your app. There are multiple kinds of distribution certificates, each associated with a specific method of distribution. Different code signing identities are also used for iOS and Mac apps.

Signing certificates are issued and authorized by Apple. You must have the intermediate certificate provided by Apple installed in your system keychain to use your certificate; otherwise, it is invalid. The intermediate certificates provided by Apple and installed by Xcode are:

Refer to Table 2-1 for the mapping between the type of the certificate and name of the certificate as it appears in Keychain Access, and for the purpose of each.

The Devices organizer in Xcode and Member Center display the team name (or person’s name) and type for each certificate. Keychain Access and the Code Signing Identity build setting pop-up menu in Xcode display the name of the certificate.

There’s one Mac or iOS development certificate per team member. Therefore, development certificate names contain the person’s name. All other types of certificates are owned by the team (shared by multiple team members) and therefore, contain the team name. Individual developers are a one-person team, and so your name and the team name are the same.

Table 2-1  Certificate types and names

Certificate type            Certificate name                                  Description
iOS Development             iPhone Developer: Team Member Name                Used to sign an iOS app during development.
iOS Distribution            iPhone Distribution: Team Name                    Used to sign an iOS app for ad hoc testing and submission to the App Store.
Mac Development             Mac Developer: Team Member Name                   Used to sign a Mac app during development.
Mac App Distribution        3rd Party Mac Developer Application: Team Name    Used to sign a Mac app for submission to the Mac App Store.
Mac Installer Distribution  3rd Party Mac Developer Installer: Team Name      Used to sign a Mac Installer Package for submission to the Mac App Store.
Developer ID Application    Developer ID Application: Team Name               Used to sign a Mac app for distribution outside the Mac App Store.
Developer ID Installer      Developer ID Installer: Team Name                 Used to sign a Mac Installer Package for distribution outside the Mac App Store.

Recap

In this chapter, you learned how to create your development and distribution signing certificates that you’ll use in later chapters. You also learned how to identify the different types of certificates in Xcode, Keychain Access, and Member Center.