5

I am in the following situation: We have an enterprise developer account and for an app we are working with an external developer.

At the moment we do not have access to the source code so we can't make builds, but we still need to have weekly builds that can be installed on devices... therefore the external developer needs to be able to build ipa files.

The developer is now a member of the developer program and has their own developer certificate. However, there can only be one distribution certificate.

From a security point of view, is it safe/recommended for us to share the distribution certificate (and the private key) and a provisioning profile so they can build ipa files?

Are there any other (safer) choices?

PS: I was also thinking that we could re-sign an ipa with our distribution certificate, but it still leaves us in the situation where they need to be able to build an ipa - and this is only possible with a distribution certificate + provisioning installed.

Andrei Stanescu
  • You can do one thing: don't give any access to your developer account. Just create everything from your side, give them the private key, certificate, and provisioning profile. And ask for an ADHOC ipa from them. – iphonic Apr 04 '13 at 07:10
  • And what does it solve? They are now a "member" of the program with very limited actions available to them. They pretty much can't create or delete anything in the developer account. – Andrei Stanescu Apr 04 '13 at 07:16

2 Answers

4

You can have your external developer sign with whatever he wants, and then you can re-sign the IPA and use it. This way the source code is "safe" from the developer's perspective and you can use your IPA signed with your certificate. I normally use this, but you can do it in the command line too...

As for your Post Scriptum part, that's not true... I have the experience of working with external agencies where they use their own certificate and provisioning, and when I receive their IPA I only need to re-sign it.

Rui Peres
  • Ok, but how does it work? They need to use a valid bundle id, and I also need to use the same bundle id. But Apple doesn't allow using the same bundle id in different developer accounts (I just tested it between our normal developer program and the enterprise developer program). The only way would probably be for us to use a catch-all provisioning profile, and just go with the bundle id they use. Do I make any sense? – Andrei Stanescu Apr 04 '13 at 07:11
  • You can modify the bundle ID. Check this answer... http://stackoverflow.com/questions/6896029/re-sign-ipa-iphone – Rui Peres Apr 04 '13 at 07:16
  • I now see it's written in the comments that you can change the app plist before re-signing it, so it could solve the issue with different bundle ids. Thank you. – Andrei Stanescu Apr 04 '13 at 07:23
  • I can confirm this works. I just tested it with an ad-hoc ipa file created with our normal developer account, which I then re-signed, changing the bundle id, using our enterprise developer account – Andrei Stanescu Apr 04 '13 at 10:00
  • And what is the reason why I cannot share my p12 certificate with external companies? What bad can they do with it? – Ramis Aug 22 '13 at 09:40
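
Added example, not part of the answer or comments above: a pre-re-sign check that reads the bundle ID from a received IPA and tests whether your own provisioning profile (exact or catch-all) covers it, which tells you whether Info.plist has to be changed before re-signing. The helper names, the sample builders and the identifiers `com.vendor.demo`, `com.ourco.demo` and `ABCDE12345` are constructed for illustration.

```python
import io
import plistlib
import zipfile

def ipa_bundle_id(ipa_bytes):
    """Read CFBundleIdentifier from the app's top-level Info.plist in an IPA."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        # Layout is Payload/<Name>.app/Info.plist; skip plists of nested bundles.
        name = next(n for n in z.namelist() if n.startswith("Payload/")
                    and n.endswith(".app/Info.plist") and n.count("/") == 2)
        return plistlib.loads(z.read(name))["CFBundleIdentifier"]  # XML or binary

def profile_app_id(profile_bytes):
    """Read the application-identifier entitlement from a .mobileprovision file.
    The file is a signed CMS blob wrapping an XML plist; this slices the plist
    out for inspection and does NOT verify the signature."""
    start = profile_bytes.index(b"<?xml")
    end = profile_bytes.index(b"</plist>") + len(b"</plist>")
    profile = plistlib.loads(profile_bytes[start:end])
    return profile["Entitlements"]["application-identifier"]

def bundle_id_covered(bundle_id, app_id):
    """True if app_id (TEAMID.pattern, optional trailing *) covers bundle_id."""
    pattern = app_id.partition(".")[2]
    if pattern.endswith("*"):
        return bundle_id.startswith(pattern[:-1])
    return bundle_id == pattern

def make_sample_ipa(bundle_id):
    """Constructed sample: a minimal IPA-shaped zip, not a real app."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Demo.app/Info.plist", plistlib.dumps(
            {"CFBundleIdentifier": bundle_id}, fmt=plistlib.FMT_BINARY))
    return buf.getvalue()

def make_sample_profile(app_id):
    """Constructed sample: placeholder bytes standing in for the CMS wrapper."""
    xml = plistlib.dumps({"Entitlements": {"application-identifier": app_id}})
    return b"\x30\x82\x00\x00" + xml + b"\x00\x00"

if __name__ == "__main__":
    ipa = make_sample_ipa("com.vendor.demo")  # constructed vendor build
    for app_id in ("ABCDE12345.*", "ABCDE12345.com.ourco.demo"):  # constructed IDs
        ok = bundle_id_covered(ipa_bundle_id(ipa), profile_app_id(make_sample_profile(app_id)))
        print(app_id, "-> re-sign as is" if ok else "-> change bundle ID in Info.plist first")
```
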
-1

They can be responsible for creating their own profile, and you can simply send them your p12 key (no big deal). You can also just give them the distribution certificate.

To be honest, I've never been in a situation where an employer or contractor was hesitant to give me their certificate & p12 file. So I've never thought much of it!

jakenberg
  • I understand, but we are on the first project with this team, and they are also in another country. We need to build trust. Now, I just wanted to explore the recommended paths for this work situation. If they are too cumbersome or create too much overhead then in the end I would probably send them the certificate – Andrei Stanescu Apr 04 '13 at 07:13
  • In big companies, sharing certificates is a **no**; for small things, I guess it wouldn't be a problem. – Rui Peres Apr 04 '13 at 07:17
  • Well, then I would just let them create all provisioning profiles through their own developer account, and then send them the p12 key. If they need the distribution certificate, I'd just give them that as well. And then when they send you builds, you are both using the same key, so you just create your own provisioning profiles, and add them to the portal. – jakenberg Apr 04 '13 at 07:18