Is it ok to share our Distribution Certificate and private key?

My company has contracted an external company to write an app for us without providing the source code. The developer is now insisting on our distribution certificate and matching private key so they can sign and upload the app. I had been expecting to re-sign the app but they tell me that Apple doesn't allow this any more. I don't believe sharing the private key is a good idea, and Apple's docs say: Do not share Apple Certificates outside of your organization.

Is there a way to upload an app to the store for public consumption with only the .xcarchive and .ipa?

What am I risking by giving another company a .p12?


My company has contracted an external company to write an app for us without providing the source code. 

Bad idea.

I had been expecting to re-sign the app but they tell me that Apple doesn't allow this any more.

I don't work with any external developers so I can't comment on the details. But I can tell you that it would be a really bad idea to sign and submit to the store an app for which you don't have the source code. What if it has embedded malware or some other malicious content? All the content would then be your responsibility.

Normally what happens (and I'm guessing a little bit because I don't do this), is that you have a company account and you add the developer to your account and give them rights to sign and upload on your account. You could also then revoke those rights when the contract ends. But there is a huge caveat here - the source code. If you don't have the source code, you have nothing - absolutely nothing.

You want to be able to review the source code yourself, rebuild it yourself, or contract with another independent developer to review and build, if necessary.

Write this off as a learning experience. But really, write it off. Don't throw good money after bad. Do not submit a binary for which you don't have the source. If you like this developer and want to use the app, renegotiate the contract and get the source.

I absolutely agree with you Etresoft, this is a terrible idea and I have argued against it since I heard about it (after the contract was signed, unfortunately). But they are pressing on anyway and I now have the choice of sharing our certificate and private key, or re-signing the app.

I would re-sign the app. There are tools and command line processes that allow this to be done. I have been doing it for years now and it's completely doable.
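As an added example (not code from this thread, from Apple, or from the tools the replies mention), a POSIX shell script that re-signs a vendor-supplied .ipa with your own distribution identity so the .p12 and its private key never leave your Keychain; the identity string, profile path and file names are placeholders, and it assumes the macOS tools codesign, security, plutil and PlistBuddy are present.

```shell
#!/bin/sh
# Re-sign a vendor-built .ipa with your own Apple distribution identity on a Mac.
# The private key stays in your Keychain; only the re-signed output leaves.
# Added example, not from the thread. Identity, profile and file names are
# placeholders to replace with your own.
set -eu

# Return 0 if a command-line tool is on PATH, 1 otherwise.
require_tool() { command -v "$1" >/dev/null 2>&1; }

# resign_ipa <vendor.ipa> <signing identity> <your.mobileprovision> <output.ipa>
resign_ipa() {
  ipa=$1; identity=$2; profile=$3
  [ -f "$ipa" ] || { echo "no such ipa: $ipa" >&2; return 1; }
  [ -f "$profile" ] || { echo "no such profile: $profile" >&2; return 1; }
  for t in unzip zip codesign security plutil; do
    require_tool "$t" || { echo "missing tool: $t (run this on macOS)" >&2; return 1; }
  done
  out=$(cd "$(dirname "$4")" && pwd)/$(basename "$4")
  work=$(mktemp -d)
  unzip -q "$ipa" -d "$work"
  app=$(find "$work/Payload" -maxdepth 1 -name '*.app' | head -n 1)
  [ -n "$app" ] || { echo "no .app bundle in Payload/" >&2; return 1; }
  # Swap in YOUR provisioning profile and take the entitlements from it, never
  # from the vendor's binary: without source, its entitlements cannot be trusted.
  cp "$profile" "$app/embedded.mobileprovision"
  security cms -D -i "$profile" > "$work/profile.plist"
  plutil -extract Entitlements xml1 -o "$work/entitlements.plist" "$work/profile.plist"
  # Check that the profile actually covers this app's bundle identifier.
  bundle_id=$(/usr/libexec/PlistBuddy -c 'Print :CFBundleIdentifier' "$app/Info.plist")
  grep -q "$bundle_id" "$work/entitlements.plist" \
    || echo "warning: $bundle_id not in profile entitlements (wildcard profile?)" >&2
  # Sign nested code (frameworks, extensions, dylibs) before the main bundle.
  find "$app" -depth \( -name '*.framework' -o -name '*.appex' -o -name '*.dylib' \) \
    | while IFS= read -r nested; do
        codesign -f -s "$identity" --timestamp "$nested"
      done
  codesign -f -s "$identity" --timestamp --entitlements "$work/entitlements.plist" "$app"
  # Verify before uploading; a failure here means the bundle is broken or was altered.
  codesign --verify --deep --strict "$app"
  (cd "$work" && zip -qr "$out" Payload)
  rm -rf "$work"
  echo "re-signed: $out"
}

# Example: resign_ipa vendor.ipa "Apple Distribution: Example Corp (TEAMID)" dist.mobileprovision resigned.ipa
if [ "$#" -eq 4 ]; then resign_ipa "$@"; fi
```

Run it on a Mac where only your distribution identity is installed, then upload the output with Transporter or Xcode; the vendor only ever receives the signed .ipa, never the certificate.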

I would re-sign the app.

Agreed.

My general advice is that you use Xcode for this. That is, have the developer send you an Xcode archive and then use Xcode to upload or export from there. That handles a lot of gnarly corner cases.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"