Wait, what is code signing? Code signing is required on iOS when distributing your app to customers. It assures that your app can be trusted and hasn’t been modified since it was last signed.

You have to manually renew and download the latest set of provisioning profiles every time you add a new device or a certificate expires. Additionally, setting up a new machine that will build your app takes a lot of time.

When deploying an app to the App Store, a beta testing service or even installing it on a single device, most development teams have separate code signing identities for every member. This results in dozens of profiles including a lot of duplicates.

Solution:

Keep Your Keys In-Sync with Git

What if there was a central place where your code signing identity and profiles are kept, so anyone can access them during the build process? This way, your entire team can use the same account and have one code signing identity without any manual work or confusion.

Instead of registering for yet another service, you can use a separate private Git repo to sync your profiles across multiple machines.

How to use Git for code signing:

The basic requirement is to have one code signing identity shared across your team. The easiest way to do that is to create a new Apple ID for the team (e.g. ios-dev@company.com) and use that from now on. To get started:

1. First, create a new, private Git repo in which you can store the profiles.

2. Next, create a new private key and certificate for each environment, such as “Distribution” and “Development”. Then store these private keys and certificates in your Git repo.

3. Then, create new provisioning profiles for the various targets, such as “Development”, “App Store” and “Ad hoc”, with the matching certificates, and store these in your Git repo.

4. Before committing the files to Git, it is recommended to encrypt those files (e.g. using openssl).

5. Now, each of your machines can access the Git repo and install the latest certificate and provisioning profiles:
   - The certificates and private keys should be imported into your Keychain, either using Finder or using the 'security import' command
   - The provisioning profiles should be copied over to '~/Library/MobileDevice/Provisioning\ Profiles/'

6. Your Xcode project must be configured to choose the provisioning profiles automatically or to define them statically. The ideal solution is to pass the UUID of the provisioning profile, via an environment variable, for each of your bundle identifiers.
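
Steps 4 and 5 above as shell functions. This is an added example, not part of the original guide: the function names, the repo layout, the `.enc` suffix and the `SIGNING_REPO_PASSPHRASE` variable are assumptions, and the keychain import assumes each .p12 was exported with an empty password.

```shell
#!/bin/sh
# Added example, not from the original page. Function names, the repo layout
# (profiles/*.mobileprovision.enc, certs/*.p12.enc), the ".enc" suffix and
# SIGNING_REPO_PASSPHRASE are assumptions. Needs OpenSSL 1.1.1+ for -pbkdf2.
set -e

# Step 4: encrypt a file before committing it. "-pass env:" keeps the
# passphrase out of argv, so it does not show up in process listings.
# "openssl enc" gives confidentiality only; it does not authenticate the data.
encrypt_file() {
    : "${SIGNING_REPO_PASSPHRASE:?set SIGNING_REPO_PASSPHRASE first}"
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 \
        -pass env:SIGNING_REPO_PASSPHRASE -in "$1" -out "$1.enc"
}

# Step 5: decrypt $1 to $2; the subshell umask makes new files owner-only.
decrypt_file() {
    : "${SIGNING_REPO_PASSPHRASE:?set SIGNING_REPO_PASSPHRASE first}"
    ( umask 077
      openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
          -pass env:SIGNING_REPO_PASSPHRASE -in "$1" -out "$2" )
}

# Step 5: copy decrypted profiles into the directory Xcode reads them from.
install_profiles() {
    dest=${2:-"$HOME/Library/MobileDevice/Provisioning Profiles"}
    mkdir -p "$dest"
    for f in "$1"/profiles/*.mobileprovision.enc; do
        [ -e "$f" ] || continue
        decrypt_file "$f" "$dest/$(basename "$f" .enc)"
    done
}

# Step 5 (macOS only): import identities into the keychain, then delete the
# decrypted copy. Assumes each .p12 was exported with an empty password.
install_identities() {
    keychain=${2:-"$HOME/Library/Keychains/login.keychain-db"}
    tmp=$(mktemp -d)
    for f in "$1"/certs/*.p12.enc; do
        [ -e "$f" ] || continue
        decrypt_file "$f" "$tmp/identity.p12"
        security import "$tmp/identity.p12" -k "$keychain" -P "" \
            -T /usr/bin/codesign || { rm -rf "$tmp"; return 1; }
        rm -f "$tmp/identity.p12"
    done
    rm -rf "$tmp"
}
```

Commit only the `.enc` files; keeping the plaintext names in `.gitignore` prevents an unencrypted key from being added by accident.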

In the future, when you add a new device to your Ad Hoc or Development provisioning profile, you can update the profile in your Git repo.

Things to consider:

Make sure the provisioning profile is created using the correct certificate

If your app has multiple targets (e.g. Today widget) you have to repeat the above for each target

Don’t set the provisioning profile in your Xcode project to Automatic, as it doesn’t always select the correct profile

Is this secure?
