What is an Apple development certificate

Apple Developer Certificates

This article applies to macOS only.

This article applies to iOS only.


Overview

This article deals with the various certificates available to someone who has signed up and paid for the Apple Developer Program and describes which certificate to use for what. Given the number and names of the various certificates it can be somewhat daunting to figure out which certificate is used for what.

Finally, there is a description of the consequences of expired and revoked certificates.

Warning: Certificates from third-party providers such as Comodo and DigiCert cannot be used, because they will not pass Gatekeeper, which requires an Apple-issued developer certificate. Also note that you cannot sign Windows applications with the Apple developer certificate (for that you do need a third-party certificate from Comodo, DigiCert, etc.).

Xcode 11

Xcode 11 supports the new Apple Development and Apple Distribution certificate types. These certificates support building, running, and distributing apps on any Apple platform. Preexisting iOS and macOS development and distribution certificates continue to work; however, new certificates you create in Xcode 11 use the new types. Previous versions of Xcode don’t support these certificates.

Apple Development Certificate

This certificate is used to sign development versions of your iOS, macOS, tvOS, and watchOS applications. For use in Xcode 11 or later.

Apple Distribution Certificate

This certificate is used to sign your applications for submission to the App Store for distribution. For use with Xcode 11 or later.

macOS app distribution via the Mac App Store

Mac Development Certificate

This certificate is used to sign development versions of your Mac applications for testing and debugging. It enables certain app services during development and testing.

Mac App Distribution Certificate

This certificate is used to code sign your application and configure a Distribution Provisioning Profile for submission to the Mac App Store.

Mac Installer Distribution Certificate

This certificate is used to sign your application’s Installer Package for submission to the Mac App Store.

macOS app distribution outside the Mac App Store

The certificate types for distribution of macOS applications outside the Apple Mac App Store:

Developer ID Application Certificate

This certificate is used to code sign your application for distribution outside of the Mac App Store. Note that kernel extensions require a special certificate and that they are now deprecated anyway.

Developer ID Installer Certificate

This certificate is used to sign your application’s Installer Package (if any) for distribution outside of the Mac App Store.

Expired or revoked certificates

Mac App Distribution Certificate and Mac Installer Distribution Certificate (Mac App Store)

If your Apple Developer Program membership is valid, your existing apps on the Mac App Store will not be affected. However, you will no longer be able to upload new apps or updates signed with the expired or revoked certificate to the Mac App Store.

Developer ID Application Certificate (Mac apps)

If your certificate expires, users can still download, install, and run versions of your Mac applications that were signed with this certificate. However, you will need a new certificate to sign updates and new applications. If your certificate is revoked, users will no longer be able to install applications that have been signed with this certificate. If your Mac application utilizes a Developer ID provisioning profile to take advantage of advanced capabilities such as CloudKit and push notifications, you must ensure your Developer ID provisioning profile is valid in order for installed versions of your application to run.


Developer ID Installer Certificate (Mac apps)

If your certificate expires, users can no longer launch installer packages for your Mac applications that were signed with this certificate. Previously installed apps will continue to run however new installations will not be possible until you have re-signed your installer package with a valid Developer ID Installer certificate. If your certificate is revoked, users will no longer be able to install applications that have been signed with this certificate.


Apple: Distributions and Certificates

Apple’s requirements

Apple requires that every iOS application be certified and secure, and that it be downloaded only from its Apple store. To be downloaded on an Apple terminal (iPhone, iPad, etc.) an application must have a “certificate”, an “identifier” and a “profile”.

There are two types of “profiles”

Development profiles

This configuration is linked to the development of an application. It allows you to install an application on specific terminals (for development, testing, etc.). The file used to specify the authorized terminals is called a provisioning profile.

In order to generate a “provisioning profile” it is necessary to have:

  • an App ID, which is a two-part string used to identify the application.
  • a Development Certificate, which is the certificate associated with the account of the developer or company who wishes to test the solution. The private key used to sign the application corresponds to the public key in the certificate.
  • one or more Device IDs, which are the UDIDs (Unique Device Identifiers) of the authorized terminals.

If the link between these elements fails, the application cannot be installed on a terminal.

In Xcode this gives…

Distribution profiles

This configuration is essential for making the app available on the App Store. It allows you to submit an application for approval to the Apple store or to a corporate store. The elements required for publishing to a store are likewise specified in a provisioning profile.

To generate a “provisioning profile” it is necessary to have:

  • the App ID, which is a two-part string used to identify the application.
  • the Development Certificate, which is the certificate associated with the account of the company or developer that owns the application.

This provisioning profile will not include a Device ID but will specify the types of terminals compatible with the application.
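An added example (not from the original article) of the linkage described in the two profile sections above: it checks that a decoded provisioning profile ties together the App ID, the signing certificate and, where the profile carries a device list, the device. The team prefix, bundle ID, UDID and certificate bytes are constructed placeholders, and the input is assumed to be the plist already extracted from the CMS-signed `.mobileprovision` file (on macOS, `security cms -D -i`).

```python
import hashlib
import plistlib
from datetime import datetime, timezone

# Constructed placeholder standing in for the DER bytes of a signing certificate.
SAMPLE_CERT = b"constructed-placeholder-certificate-bytes"

def sample_profile(devices, app_id="ABCDE12345.com.example.demo"):
    """Build a constructed, already-decoded profile plist (not a real profile)."""
    body = {
        "Entitlements": {"application-identifier": app_id},
        "DeveloperCertificates": [SAMPLE_CERT],
        "ExpirationDate": datetime(2030, 1, 1),
    }
    if devices is not None:            # distribution profiles list no devices
        body["ProvisionedDevices"] = devices
    return plistlib.dumps(body)

def check_profile(plist_bytes, bundle_id, cert_der, device_udid, now=None):
    """Return the reasons this profile does not authorize the app/cert/device."""
    profile = plistlib.loads(plist_bytes)
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    problems = []
    if profile["ExpirationDate"] <= now:
        problems.append("profile expired")

    # App ID is two parts: team prefix, then a bundle ID that may end in "*".
    _, _, pattern = profile["Entitlements"]["application-identifier"].partition(".")
    if pattern.endswith("*"):
        matches = bundle_id.startswith(pattern[:-1])
    else:
        matches = bundle_id == pattern
    if not matches:
        problems.append("bundle ID does not match App ID")

    # The signing certificate must be one of those embedded in the profile.
    embedded = {hashlib.sha256(c).hexdigest() for c in profile["DeveloperCertificates"]}
    if hashlib.sha256(cert_der).hexdigest() not in embedded:
        problems.append("signing certificate not in profile")

    # Only profiles that carry a device list restrict installation by UDID.
    devices = profile.get("ProvisionedDevices")
    if devices is not None and device_udid not in devices:
        problems.append("device not listed in profile")
    return problems

if __name__ == "__main__":
    dev = sample_profile(["00008030-CONSTRUCTED-UDID-0001"])
    print(check_profile(dev, "com.example.demo", SAMPLE_CERT,
                        "00008030-CONSTRUCTED-UDID-9999"))
```
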

There are two modes of distribution

The public distribution method

The development certificate is associated with the debug path. The production certificate can be associated with two types of paths:

1. Ad Hoc, which is a Release provisioning usually dedicated to Alpha testers.

  • Ad Hoc distribution works like an In-House deployment to a private server. Once the IPA is created, it must be deployed on a secure server so that authorized terminals (the Device IDs included in the provisioning) can download the application.
  • To distribute an application in Ad Hoc you will need to create an In House distribution certificate, declare its application via Apple Developer and generate the associated provisioning profile.

2. The App Store, which can also be distributed on two different environments:

  • On TestFlight (https://developer.apple.com/testflight/), which is an environment dedicated to Beta testers hosted on the App Store.
  • On the App Store, which is the official Apple store.

The company’s distribution method

The development certificate is associated with the debug path. The production certificate can be associated with two types of routes:

1. Ad Hoc, which is a Release provisioning usually dedicated to Alpha testers.

  • Ad Hoc distribution goes to a private server and is only installable by authorized terminals (Device IDs included in the provisioning).
  • To distribute an application in Ad Hoc you will need an In House distribution certificate and declare it via Apple Developer to generate the associated provisioning profile.

2. In House, for a private server, for internal applications and without any “Device ID” restriction.

Different types of Certificates

Service extensions

Apple Push Notification Service (APNs) Certificate: to allow notifications to be sent. This certificate varies according to the environments, namely:

1. The Development environment, known as Sandbox

  • The token is created for a single terminal and will not work on the production push network. This certificate is free of charge and valid for 12 months.

2. The Production (or Ad Hoc) environment

  • This certificate is free of charge and valid for 13 months.

Apple Pay Payment Processing Certificate: to allow you to make transactions on mobile phones and websites with Apple Pay.

  • This certificate is associated with the Merchant ID, which identifies the merchant entity. The Merchant ID is unique, does not expire and can be used on several media (website and applications). The certificate is free of charge and valid for 25 months.

Apple Pay Merchant Identity Certificate: to allow you to make payments on a website with Apple Pay.

This certificate is associated with the Merchant ID, which identifies the merchant entity. This identifier is unique, does not expire and can be used on several media (website and applications). The certificate is free of charge and valid for 25 months.

Pass Type ID Certificate (Wallet): this is the membership’s certificate in the Apple Developer Program. It allows users to update the application.

If this certificate has expired, users of the application will be able to continue using the application but will no longer be able to update it. This certificate costs $99 per year.

Distribution certificates

iOS Distribution Certificate (App Store): this certificate allows you to publish on the Apple Store.

It is associated with the Apple Developer Program. It costs $99 a year.

iOS Distribution Certificate (In House, internal use apps): this certificate allows you to publish in In House or Ad Hoc.

It is associated with the Apple Developer Program. This certificate costs $299 per year.

Development certificates

Developer ID Application Certificate (Mac applications)

Certificates created before 22 February 2017 are valid for 5 years.

Certificates created since 22 February 2017 are valid for 18 years.

Developer ID Installer Certificate (Mac applications)

Certificates created before 22 February 2017 are valid for 5 years.

Certificates created since 22 February 2017 are valid for 18 years.

The Apple Worldwide Developer Relations Certificate (WWDR)

Implemented since February 14, 2016.

Certificate that signs the conformity of Developer ID certificates.


Certificates

Apple Developer Program membership is required to request, download, and use signing certificates issued by Apple.

Using certificates

In most cases, Xcode is the preferred method to request and install digital certificates. However, to request certificates for services such as Apple Pay, the Apple Push Notification service, Apple Wallet, and Mobile Device Management, you’ll need to request and download them from Certificates, Identifiers & Profiles in your developer account. Distribution certificates can be requested only by Account Holders and Admins.

For more information on how to use signing certificates, review Xcode Help.

Protecting your account and certificates

Your Apple ID, authentication credentials, and related account information and materials (such as Apple Certificates used for distribution or submission to the App Store) are sensitive assets that confirm your identity.

  • Keep your Apple ID and authentication credentials secure and do not share them with anyone. To learn more, see Security and your Apple ID.
  • Do not share Apple Certificates outside of your organization. To learn how to securely share them with trusted team members within your organization, see Maintain Signing Assets in Xcode Help.

Expired or revoked certificates

  • Apple Push Notification Service Certificate
    You can no longer send push notifications to your app.
  • Apple Pay Payment Processing Certificate
    Apple Pay transactions in your apps and on your websites will fail.
  • Apple Pay Merchant Identity Certificate
    Apple Pay transactions on your websites will fail.
  • Pass Type ID Certificate (Wallet)
    If your certificate expires, passes that are already installed on users’ devices will continue to function normally. However, you’ll no longer be able to sign new passes or send updates to existing passes. If your certificate is revoked, your passes will no longer function properly.
  • iOS Distribution Certificate (App Store)
    If your Apple Developer Program membership is valid, your existing apps on the App Store won’t be affected. However, you’ll no longer be able to upload new apps or updates signed with the expired or revoked certificate to the App Store.
  • iOS Distribution Certificate (in-house, internal-use apps)
    Users will no longer be able to run apps that have been signed with this certificate. You must distribute a new version of your app that is signed with a new certificate.
  • Mac App Distribution Certificate and Mac Installer Distribution Certificate (Mac App Store)
    If your Apple Developer Program membership is valid, your existing apps on the Mac App Store won’t be affected. However, you’ll no longer be able to upload new apps or updates signed with the expired or revoked certificate to the Mac App Store.
  • Developer ID Application Certificate (Mac applications)
    If your certificate expires, users can still download, install, and run versions of your Mac applications that were signed with this certificate. However, you’ll need a new certificate to sign updates and new applications. If your certificate is revoked, users will no longer be able to install applications that have been signed with this certificate. If your Mac application utilizes a Developer ID provisioning profile to take advantage of advanced capabilities such as CloudKit and push notifications, you must ensure your Developer ID provisioning profile is valid in order for installed versions of your application to run.
  • Developer ID Installer Certificate (Mac applications)
    If your certificate expires, users can no longer launch installer packages for your Mac applications that were signed with this certificate. Previously installed apps will continue to run however new installations won’t be possible until you have re-signed your installer package with a valid Developer ID Installer certificate. If your certificate is revoked, users will no longer be able to install applications that have been signed with this certificate.
  • Apple Worldwide Developer Relations Certification Intermediate Certificate
    The Apple Worldwide Developer Relations Certificate Authority issues certificates used by developers for signing third-party apps and Safari Extensions, and for using Apple Wallet and Apple Push Notification services.

The current Apple Worldwide Developer Relations Certification Intermediate Certificate is set to expire on February 7, 2023. The renewed certificate will be used to sign new iOS Distribution Certificates issued after September 2, 2020 for the Apple Developer Enterprise Program. Remaining certificates for all program types will be updated in the future and this page will be updated to reflect additional certificate changes.

Note: Apple can revoke digital certificates at any time at its sole discretion. For more information, read the Apple Developer Program License Agreement in your developer account.

Compromised certificates

If you suspect that your Pass Type ID certificate or Developer ID certificate and private key have been compromised, and would like to request revocation of the certificate, send an email to product-security@apple.com. You can continue to develop and distribute passes by requesting an additional certificate in your developer account.

I received an error message saying, “Xcode could not find a valid private-key/certificate pair for this profile in your keychain.”

This error message indicates that your system’s keychain is missing either the public or private key for the certificate you’re using to sign your application.

This often happens when you’re trying to sign and build your application from a different system than the one you originally used to request your code signing certificate. It can also happen if your certificate has expired or has been revoked. Ensure that your app’s provisioning profile contains a valid code signing certificate, and that your system’s Keychain contains that certificate, the private key originally used to generate that certificate, and the WWDR Intermediate Certificate.

For instructions on how to resolve this error, review the Code Signing support page.

What happens to my applications signed with Developer ID if my Apple Developer Program membership expires?

If your membership expires, users can still download, install, and run your applications that are signed with Developer ID. However, once your Developer ID certificate expires, you must be an Apple Developer Program member to get new Developer ID certificates to sign updates and new applications.
