About code signing strategy - what happens when we archive a project without code signing, and export it with profile later?

Hello, all developers.

I have some questions about code signing strategy, regarding the sequence of signing (for which I couldn't reach an answer by searching).

That is,

  • What happens when we DON'T provide any code signing identity and profile on ARCHIVE, and then we DO provide them on the EXPORTING step? For example,
# The three build settings at the end disable code signing
xcodebuild archive \
    -project <ProjectName>.xcodeproj \
    -sdk iphoneos \
    -scheme <SchemeName> \
    -configuration Release \
    CODE_SIGN_IDENTITY="" \
    CODE_SIGNING_REQUIRED=NO \
    CODE_SIGNING_ALLOWED=NO

Above is the command for archiving without code signing. Below, for exporting, I provide the profile using exportOptions.plist.

xcodebuild -exportArchive -archivePath <ProjectName>.xcarchive -exportOptionsPlist <ProjectName>/exportOptions.plist -exportPath <ProjectName>.ipa

Is this available for App Store distribution, if I use a profile with the distribution option?

  • Are these the right options to provide details of the provisioning profile when archiving the project? I've searched lots of examples, but the answers are slightly different.
xcodebuild archive \
    -project <ProjectName>.xcodeproj \
    -sdk iphoneos \
    -scheme <SchemeName> \
    -configuration Release \
    CODE_SIGN_IDENTITY="****D21C78" \
    PROVISIONING_PROFILE="********-****-..."

The code above keeps producing the error: "<ProjectName> requires a provisioning profile. Select a provisioning profile in the Signing & Capabilities editor", even though I'm working on the CLI.

If there's any solution for these questions, please guide me. Any documents, papers or other materials are fine too.

(Self answering my question)

So, for the first question, I've done a number of experiments and found out that an empty-signed archive can be exported, but cannot be deployed to the device.

To correctly deploy the ipa(exported) file, the archived one should be signed using codesign command.

And to do so, they should contain entitlements and codesign identity.

codesign -s {IDENTITY} --entitlements {PATH_TO_ENTITLEMENTS_FILE} ... {PROJECT_PATH}/~~~/{NAME}.app

For the second question, I couldn't find the answer, but using a strategy like empty-signing-archive -> codesign -> export can be an alternative.

@Anttree Thanks for sharing this. With the new Cloud Signing introduced in Xcode 13, we also want to try this strategy out.

"To correctly deploy the ipa(exported) file, the archived one should be signed using codesign command"

Can you elaborate a bit more on this comment? Is there any special entitlement you're using that has been missed if you skip this step? My experiment shows that simply doing empty-signing-archive -> export will work. No need to add the code sign step in between. The final IPA will have the correct provisioning profile that has all the entitlements we use. Maybe because we use just a few entitlements?

Okay, it turns out there is an issue with this strategy. We got an ITMS-90078: Missing Push Notification Entitlement error after uploading the IPA to the App Store. Very annoying.
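
A pre-upload check for the mismatch reported in the last reply, as an added example that is not part of the original thread: it compares the entitlements granted by the provisioning profile with those actually embedded in the app's signature. It assumes the two plists were dumped beforehand with `security cms -D -i <App>.app/embedded.mobileprovision` and `codesign -d --entitlements :- <App>.app`; the function name, bundle identifier and sample plists are constructed for illustration.

```python
import plistlib


def entitlement_gaps(profile_plist: bytes, signed_entitlements: bytes):
    """Return (missing, unexpected) entitlement keys.

    missing:    granted by the profile but absent from the code signature
    unexpected: claimed in the code signature but not granted by the profile
    """
    granted = plistlib.loads(profile_plist).get("Entitlements", {})
    # An unsigned binary can yield empty output from codesign; treat as no entitlements.
    signed = plistlib.loads(signed_entitlements) if signed_entitlements.strip() else {}
    missing = sorted(set(granted) - set(signed))
    unexpected = sorted(set(signed) - set(granted))
    return missing, unexpected


# Constructed sample input (not taken from a real profile or app).
_HEAD = b'<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict>'
_TAIL = b"</dict></plist>"

SAMPLE_PROFILE = _HEAD + b"""
<key>Name</key><string>Constructed App Store Profile</string>
<key>Entitlements</key><dict>
  <key>application-identifier</key><string>ABCDE12345.com.example.app</string>
  <key>aps-environment</key><string>production</string>
  <key>get-task-allow</key><false/>
</dict>""" + _TAIL

# Entitlements as they might look in a signature that lost the push entitlement.
SAMPLE_SIGNED = _HEAD + b"""
<key>application-identifier</key><string>ABCDE12345.com.example.app</string>
<key>get-task-allow</key><false/>""" + _TAIL


if __name__ == "__main__":
    missing, unexpected = entitlement_gaps(SAMPLE_PROFILE, SAMPLE_SIGNED)
    # A profile may grant more than the app claims, so "missing" is a review list;
    # aps-environment in it matches the ITMS-90078 case from the thread.
    print("granted by profile but not in signature:", missing)
    print("in signature but not granted by profile:", unexpected)
```
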
