How to submit app made by third party to iTunes Connect without giving away the distribution certificate?

Question

I'm developing apps for other companies. My customers want their app in App Store to show as published by their own company, not mine. Also, they don't want to give me their private key for signing apps for App Store distribution. I don't want the key myself, because I don't want any legal responsibility related to the key being lost or stolen.

They can add me as a developer on their company's team inside the Apple Developer portal, and this gives me access to publish new builds for testing. In this situation, I must sign my app with their distribution certificate, or my builds would be rejected when uploading them. Is that correct?

A possibility is that I send them the app as an IPA-file, using their app's bundle id, and sign it with my own certificate. They would then resign the app with their distribution certificate and submit it to iTunes Connect using Application Loader or similar. What is the easiest way for them to do the re-signing? Will they have to use Xcode to upload the IPA, or manually run codesign on the command line?

I'm looking to make this as easy as possible. The people receiving the builds (IPA-files) are not developers.

Per Christian Henden · Accepted Answer

In this scenario, the customer will have to resign the IPA file they recieve from the developer and upload it to iTunes Connect themselves using Apple AppLoader or Xcode. To resign it, they will need the codesign binary provided by the Xcode command line tools (full Xcode not required, but will also work). Optionally, they can use Xcode to upload and re-sign an xcarchive. There are some apps that give a UI to codesign, like iResign and AirSyncApp, that are more user-friendly than the command line.

Thanks to @alanc-liu for contributing information.

How to submit app made by third party to iTunes Connect without giving away the distribution certificate?

Answers (2)

Related Questions