Certificates & identities

Code signing certificate

Umbrella term for any Apple-issued certificate used to sign a binary, installer, or push token. Covers Apple Development, Apple Distribution, Developer ID, APNs, Pass Type ID, and Mac Installer certificates.

Signing certificateApple Developer certificateCodesign certificate

Code signing certificate is the umbrella term for the Apple-issued certificates that prove a binary, installer, or token came from a specific developer team. Every certificate type has a narrow scope and a paired use, so picking the right one is most of the battle.

The types you will actually encounter

Apple Development: Signs builds for the developer's registered devices. Daily debugging. Universal across iOS, iPadOS, macOS, tvOS, watchOS, visionOS.
Apple Distribution: Signs builds for TestFlight, the App Store, and Ad Hoc distribution. The modern unified replacement for iOS Distribution and Mac App Distribution.
Developer ID Application: Signs Mac apps distributed outside the Mac App Store. Required input for notarization.
Developer ID Installer: Signs the .pkg installer that wraps a Developer ID Application-signed Mac binary.
Mac Installer Distribution: Signs the .pkg installer for Mac App Store submissions. Paired with an Apple Distribution certificate for the inner app binary.
Apple Push Services / APNs: Signs the token your server sends to APNs to send push notifications. Increasingly replaced by an APNs auth key (.p8), which never expires.
Pass Type ID: Signs Apple Wallet passes. One per pass type identifier (boarding passes, loyalty cards, event tickets).
Apple Pay Merchant ID: Identifies a merchant for Apple Pay. Paired with a Payment Processing certificate that decrypts payment tokens.

Every type shares the same plumbing

Issued from a certificate signing request (CSR) generated by an Apple Developer Program member.
Chains up to the Apple Root CA through a WWDR intermediate certificate.
Has a fixed expiration (one year for most, longer for Developer ID and Pass Type ID).
Can be revoked from the Apple Developer portal, which invalidates the signature on every binary that depended on it.

Keep reading

Related terms

Apple Development certificate

An Apple-issued certificate that lets a developer sign builds for running and debugging on their own registered devices, but not for distribution.

Read definition

Apple Distribution certificate

An Apple-issued certificate that signs builds for TestFlight, the App Store, Ad Hoc distribution, and Mac App Store submission.

Read definition

Developer ID Application certificate

An Apple-issued certificate that signs Mac apps distributed outside the Mac App Store, so Gatekeeper and notarization can verify them on first launch.

Read definition

WWDR intermediate certificate

Apple's intermediate certificate authority that signs every Apple Developer certificate. It chains every developer signing identity back to the Apple Root CA.

Read definition

CSR (Certificate Signing Request)

A file containing a public key and team identity, signed with the matching private key. You upload it to Apple to be issued a certificate. The private key never leaves your machine in the process.

Read definition

APNs auth key

A .p8 private key created in the Apple Developer portal that authenticates token-based push notification sending to APNs. One key serves every app on your team and does not expire.

Read definition

Next step

Help articles on this topic

Create and revoke Apple Developer certificates

Issue a new iOS or macOS certificate from a CSR and revoke certificates without breaking dependent profiles.

6 min readRead article

Rotate an expiring signing certificate without breaking releases

A safe sequence for swapping a soon-to-expire certificate for a new one across every dependent provisioning profile.

5 min readRead article

Configure expiration alerts: email, chat, and incident tools

Set thresholds, route alerts to email, Slack, Microsoft Teams, Jira, PagerDuty, JSM, or incident.io, and send a test before enabling delivery so a release never breaks because of a forgotten certificate.

5 min readRead article

Notice a definition that has drifted? Email support@hexsign.io and we'll update it. Browse the full glossary or jump to the help center.

Certificates & identities

Code signing certificate

Signing certificateApple Developer certificateCodesign certificate

The types you will actually encounter

Apple Development: Signs builds for the developer's registered devices. Daily debugging. Universal across iOS, iPadOS, macOS, tvOS, watchOS, visionOS.
Apple Distribution: Signs builds for TestFlight, the App Store, and Ad Hoc distribution. The modern unified replacement for iOS Distribution and Mac App Distribution.
Developer ID Application: Signs Mac apps distributed outside the Mac App Store. Required input for notarization.
Developer ID Installer: Signs the .pkg installer that wraps a Developer ID Application-signed Mac binary.
Mac Installer Distribution: Signs the .pkg installer for Mac App Store submissions. Paired with an Apple Distribution certificate for the inner app binary.
Apple Push Services / APNs: Signs the token your server sends to APNs to send push notifications. Increasingly replaced by an APNs auth key (.p8), which never expires.
Pass Type ID: Signs Apple Wallet passes. One per pass type identifier (boarding passes, loyalty cards, event tickets).
Apple Pay Merchant ID: Identifies a merchant for Apple Pay. Paired with a Payment Processing certificate that decrypts payment tokens.

Every type shares the same plumbing

Issued from a certificate signing request (CSR) generated by an Apple Developer Program member.
Chains up to the Apple Root CA through a WWDR intermediate certificate.
Has a fixed expiration (one year for most, longer for Developer ID and Pass Type ID).
Can be revoked from the Apple Developer portal, which invalidates the signature on every binary that depended on it.

Keep reading

Related terms

Apple Development certificate

An Apple-issued certificate that lets a developer sign builds for running and debugging on their own registered devices, but not for distribution.

Read definition

Apple Distribution certificate

An Apple-issued certificate that signs builds for TestFlight, the App Store, Ad Hoc distribution, and Mac App Store submission.

Read definition

Developer ID Application certificate

An Apple-issued certificate that signs Mac apps distributed outside the Mac App Store, so Gatekeeper and notarization can verify them on first launch.

Read definition

WWDR intermediate certificate

Apple's intermediate certificate authority that signs every Apple Developer certificate. It chains every developer signing identity back to the Apple Root CA.

Read definition

CSR (Certificate Signing Request)

A file containing a public key and team identity, signed with the matching private key. You upload it to Apple to be issued a certificate. The private key never leaves your machine in the process.

Read definition

APNs auth key

A .p8 private key created in the Apple Developer portal that authenticates token-based push notification sending to APNs. One key serves every app on your team and does not expire.

Read definition

Next step

Help articles on this topic

Create and revoke Apple Developer certificates

Issue a new iOS or macOS certificate from a CSR and revoke certificates without breaking dependent profiles.

6 min readRead article

Rotate an expiring signing certificate without breaking releases

A safe sequence for swapping a soon-to-expire certificate for a new one across every dependent provisioning profile.

5 min readRead article

Configure expiration alerts: email, chat, and incident tools

5 min readRead article

Notice a definition that has drifted? Email support@hexsign.io and we'll update it. Browse the full glossary or jump to the help center.