Code signing & build

Code signing

The process of attaching a cryptographic signature to a binary so the operating system can verify who built it and that nothing has changed since. Required for every app shipped on Apple platforms.

CodesigniOS code signingApple code signing

Code signing is the cryptographic step that proves a binary came from a specific Apple Developer team and has not been modified since signing. Every app shipped on iOS, iPadOS, macOS, tvOS, watchOS, and visionOS must be signed, and the operating system verifies the signature before it launches the binary. Skipping or breaking the signature is the single biggest cause of release-day surprises in Apple development.

What actually gets signed

The Mach-O binary inside the .app bundle.
Frameworks, app extensions, and other nested bundles, each signed independently.
The bundle's resources (Info.plist, asset catalogs, localized strings) via a `_CodeSignature/CodeResources` manifest.
Entitlements, embedded inside the signature blob.

What it takes to sign a build

A valid code signing certificate (Apple Development, Apple Distribution, Developer ID, etc.).
The matching private key in a keychain or PKCS#12 bundle.
A provisioning profile that authorizes that certificate for the App ID and entitlements you are using.
A correctly-configured Xcode project: DEVELOPMENT_TEAM, CODE_SIGN_IDENTITY, and PROVISIONING_PROFILE_SPECIFIER set to values the signing material satisfies.

How verification happens

On every launch, the OS uses the public key inside the certificate to verify the signature, walks the chain through the WWDR intermediate to the Apple Root CA, checks the embedded provisioning profile is valid and matches the binary, and confirms the entitlements claimed at launch are a subset of what the profile granted. A failure at any step is what produces 'unable to verify your provisioning profile' and similar runtime errors.

Keep reading

Related terms

Code signing certificate

Umbrella term for any Apple-issued certificate used to sign a binary, installer, or push token. Covers Apple Development, Apple Distribution, Developer ID, APNs, Pass Type ID, and Mac Installer certificates.

Read definition

Provisioning profile

A signed plist Apple issues that links a specific App ID, signing certificate, list of devices (for development and Ad Hoc), and entitlements. Without a matching profile, iOS will refuse to launch your build.

Read definition

CSR (Certificate Signing Request)

A file containing a public key and team identity, signed with the matching private key. You upload it to Apple to be issued a certificate. The private key never leaves your machine in the process.

Read definition

codesign (command)

Apple's command-line tool that signs a binary or bundle, and verifies an existing signature. Lives at `/usr/bin/codesign` on macOS and is what xcodebuild calls under the hood.

Read definition

Entitlements

Apple's declarative permission system. An entitlements file lists the system capabilities (push, App Groups, iCloud, HealthKit, Sign in with Apple, etc.) your app is allowed to use, and is embedded into the code signature.

Read definition

Private key

The secret half of a key pair. Whoever holds the private key for a code signing certificate can sign builds as that developer. Lose it and you cannot rotate; leak it and someone else can sign as you.

Read definition

Next step

Help articles on this topic

Fetch signing material before xcodebuild

A simple, repeatable CI pattern: download the right certificate and provisioning profile by ID, import them, run xcodebuild.

5 min readRead article

Fix a failed App Store Connect sync

Diagnose why a sync failed, read the error in the sync history, and know when to rotate the API key vs. retry.

5 min readRead article

Fix an invalid or expired provisioning profile

What "invalid" really means in App Store Connect, why a profile flips to that state, and how to bring it back.

4 min readRead article

Notice a definition that has drifted? Email support@hexsign.io and we'll update it. Browse the full glossary or jump to the help center.

Code signing & build

Code signing

The process of attaching a cryptographic signature to a binary so the operating system can verify who built it and that nothing has changed since. Required for every app shipped on Apple platforms.

CodesigniOS code signingApple code signing

What actually gets signed

The Mach-O binary inside the .app bundle.
Frameworks, app extensions, and other nested bundles, each signed independently.
The bundle's resources (Info.plist, asset catalogs, localized strings) via a `_CodeSignature/CodeResources` manifest.
Entitlements, embedded inside the signature blob.

What it takes to sign a build

A valid code signing certificate (Apple Development, Apple Distribution, Developer ID, etc.).
The matching private key in a keychain or PKCS#12 bundle.
A provisioning profile that authorizes that certificate for the App ID and entitlements you are using.
A correctly-configured Xcode project: DEVELOPMENT_TEAM, CODE_SIGN_IDENTITY, and PROVISIONING_PROFILE_SPECIFIER set to values the signing material satisfies.

How verification happens

Keep reading

Related terms

Code signing certificate

Read definition

Provisioning profile

Read definition

CSR (Certificate Signing Request)

A file containing a public key and team identity, signed with the matching private key. You upload it to Apple to be issued a certificate. The private key never leaves your machine in the process.

Read definition

codesign (command)

Apple's command-line tool that signs a binary or bundle, and verifies an existing signature. Lives at `/usr/bin/codesign` on macOS and is what xcodebuild calls under the hood.

Read definition

Entitlements

Read definition

Private key

The secret half of a key pair. Whoever holds the private key for a code signing certificate can sign builds as that developer. Lose it and you cannot rotate; leak it and someone else can sign as you.

Read definition

Next step

Help articles on this topic

Fetch signing material before xcodebuild

A simple, repeatable CI pattern: download the right certificate and provisioning profile by ID, import them, run xcodebuild.

5 min readRead article

Fix a failed App Store Connect sync

Diagnose why a sync failed, read the error in the sync history, and know when to rotate the API key vs. retry.

5 min readRead article

Fix an invalid or expired provisioning profile

What "invalid" really means in App Store Connect, why a profile flips to that state, and how to bring it back.

4 min readRead article

Notice a definition that has drifted? Email support@hexsign.io and we'll update it. Browse the full glossary or jump to the help center.