iOS signing and provisioning

When an ipa is secured, it needs to be re-signed with a valid provisioning profile in order to be deployed on an Apple device.

When creating provisioning profiles, there are two types of App IDs that can be associated with them.

  • Wildcard App ID. Provisioning profiles with Wildcard App IDs are recommended for most iPhone OS development because a single Wildcard App ID can be used to build and install most applications, including the sample code projects provided in the iPhone Reference Library. Wildcard App IDs are created by entering an asterisk in the Identifier portion of your App ID. The wildcard asterisk character must be the last character in the App ID string. If you use a Wildcard App ID, remember to replace the asterisk with an appropriate string using the reverse-DNS format when you fill in the Bundle Identifier field in your Xcode project.
  • Explicit App ID. This type of App ID restricts a provisioning profile to only allow the installation of one application. Explicit App IDs are required to enable certain iOS features such as In App Purchase and Apple Push Notification service in your applications. Explicit App IDs are created by entering a specific string in the Identifier portion of your App ID. The recommended practice is to use a reverse-DNS formatted string for the Bundle Identifier portion of the App ID.

App ID is not to be confused with bundle seed ID. The bundle seed ID is the 10-character prefix of the app ID associated with the provisioning profile. The term bundle seed ID is synonymous with App ID prefix and Team ID.

Bundle seed ID (App ID prefix, Team ID)   A1B2C3D4E5
Wildcard app ID                           A1B2C3D4E5.*
Explicit app ID                           A1B2C3D4E5.com.company.myGreatApp

See the App ID DevPedia Article for more information on App IDs and their prefixes.

Blue Cedar suggests using a wildcard App ID in the provisioning profile used to sign apps, because you will re-sign not only your in-house developed apps but also apps developed by Blue Cedar and third-party vendors.

To import your provisioning profile into Xcode:

  1. In the Xcode Preferences window, click Accounts.
  2. Click the Action button (the gear icon) in the lower-left corner.
  3. Select Import Accounts from the pop-up menu.
  4. Locate and select the file containing your mobile distribution profile. The file should have a .mobileprovision extension.
  5. Enter the password you used to encrypt the file, and click Open.

The importation process installs the certificates, private keys, and provisioning profiles that are stored in the developer-profile file.

The signing certificate is located in the keychain of your signing server (simply a Mac running OS X and Xcode). The value entered in the policy console for bundle seed ID should be the same as the user ID value in your signing certificate. To verify, open your keychain, find your iOS distribution certificate, and open it. The user ID field is the first field under subject name.
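The App ID and bundle seed ID rules above can be checked before an app is re-signed. The following is an added example, not Blue Cedar's code. It assumes the profile's plist can be found by scanning the .mobileprovision bytes for its XML markers (the CMS signature is not verified), and the function names and the sample profile are constructed for illustration.

```python
import plistlib

# Constructed sample: a plist payload between stand-in CMS wrapper bytes.
SAMPLE_PROFILE = (
    b"\x30\x80 constructed CMS header "
    b'<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>'
    b"<key>Entitlements</key><dict><key>application-identifier</key>"
    b"<string>A1B2C3D4E5.*</string></dict></dict></plist>"
    b" constructed CMS signature"
)

def load_profile(raw):
    """Pull the embedded plist out of a .mobileprovision blob (no signature check)."""
    start = raw.find(b"<?xml")
    end = raw.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(raw[start:end + len(b"</plist>")])

def split_app_id(app_id):
    """Split 'A1B2C3D4E5.com.company.app' into (bundle seed ID, identifier)."""
    seed, _, identifier = app_id.partition(".")
    if len(seed) != 10 or not seed.isalnum() or not identifier:
        raise ValueError(f"malformed App ID: {app_id!r}")
    return seed, identifier

def covers(app_id, seed_id, bundle_id):
    """True if bundle_id, signed under seed_id, is allowed by the profile's App ID."""
    seed, pattern = split_app_id(app_id)
    if seed != seed_id or not bundle_id or "*" in bundle_id:
        return False  # wrong prefix, or the asterisk was never replaced
    if "*" not in pattern:
        return bundle_id == pattern  # explicit App ID: exactly one application
    if pattern.count("*") != 1 or not pattern.endswith("*"):
        raise ValueError("wildcard asterisk must be the last character")
    stem = pattern[:-1]
    return bundle_id.startswith(stem) and len(bundle_id) > len(stem)

def profile_allows(raw, console_seed_id, bundle_id):
    """Check a bundle ID and the policy-console seed ID against a profile."""
    app_id = load_profile(raw)["Entitlements"]["application-identifier"]
    return covers(app_id, console_seed_id, bundle_id)

if __name__ == "__main__":
    for bid in ("com.company.myGreatApp", "com.vendor.tool", "com.company.*"):
        print(bid, profile_allows(SAMPLE_PROFILE, "A1B2C3D4E5", bid))
```

On the signing server, `security cms -D -i <profile>` decodes the same plist with the CMS wrapper handled properly.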