5

The company I work for has outsourced development of an iPhone app to another company. They want the binary to be signed with our certificate for distribution, but they've asked me to pass the private key (certificates.p12) used to create our certificate on to the other company. I am extremely concerned about handing the ability to sign applications as us over to another company.

How can I convince my boss this is a really bad idea? What alternative solutions can I suggest to him? I have already asked him to get the source from them so we can sign and submit it ourselves, but without the ability to conclusively state that giving them the certificate is a bad idea, I'm kinda stuck in the "just look into it for me" limbo.

Shabbyrobe
  • See this answer as well: http://stackoverflow.com/questions/2720193/can-i-submit-an-application-to-itunes-connect-that-is-signed-by-another-apple-dev/3171991#3171991 – Eric Nov 18 '10 at 02:44

2 Answers

7

You don't need the source. You just need the compiled binary (make sure it's ARM, not x86) to sign with codesign.

Mehrdad Afshari
  • Wonderful! Thanks. I'll give this a crack now and see how it goes. I love a simple answer. – Shabbyrobe Nov 18 '10 at 00:55
  • I have accepted the answer and added another question as it is a bit unfair for me to move the goalposts this far after you've already answered: http://stackoverflow.com/questions/4243052/how-can-i-sign-a-release-iphone-binary-provided-by-a-3rd-party – Shabbyrobe Nov 22 '10 at 07:02
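
The "make sure it's ARM, not x86" check from the answer above, as an added example that is not part of the original answers: it reads the Mach-O header of the delivered executable and lists its architecture slices, so a simulator build is caught before it is signed with the distribution certificate. The function names and the sample byte strings are constructed for illustration.

```python
import struct

# CPU type constants from <mach/machine.h>
CPU_ARCH_ABI64 = 0x01000000
CPU_TYPES = {7: "x86", 7 | CPU_ARCH_ABI64: "x86_64",
             12: "arm", 12 | CPU_ARCH_ABI64: "arm64"}
MH_MAGICS = (0xFEEDFACE, 0xFEEDFACF)            # thin 32-bit / 64-bit Mach-O
FAT_MAGIC, FAT_MAGIC_64 = 0xCAFEBABE, 0xCAFEBABF


def macho_archs(data):
    """Return the architecture name of every slice in a Mach-O image."""
    if len(data) < 8:
        raise ValueError("too short to be a Mach-O file")
    magic_be, = struct.unpack_from(">I", data, 0)
    magic_le, = struct.unpack_from("<I", data, 0)
    if magic_be in (FAT_MAGIC, FAT_MAGIC_64):
        # The fat header and its arch table are always big-endian.
        nfat, = struct.unpack_from(">I", data, 4)
        entry = 20 if magic_be == FAT_MAGIC else 32   # fat_arch / fat_arch_64
        if 8 + nfat * entry > len(data):
            raise ValueError("truncated fat header")
        cputypes = [struct.unpack_from(">I", data, 8 + i * entry)[0]
                    for i in range(nfat)]
    elif magic_le in MH_MAGICS:                       # little-endian thin file
        cputypes = [struct.unpack_from("<I", data, 4)[0]]
    elif magic_be in MH_MAGICS:                       # big-endian thin file
        cputypes = [struct.unpack_from(">I", data, 4)[0]]
    else:
        raise ValueError("not a Mach-O file")
    return [CPU_TYPES.get(c, "unknown(%#x)" % c) for c in cputypes]


def is_device_build(data):
    """True only if every slice targets ARM (no x86 simulator slices)."""
    archs = macho_archs(data)
    return bool(archs) and all(a.startswith("arm") for a in archs)


# Constructed sample headers (not taken from a real app).
SAMPLE_ARM = struct.pack("<7I", 0xFEEDFACE, 12, 6, 2, 0, 0, 0)
SAMPLE_X86 = struct.pack("<7I", 0xFEEDFACE, 7, 3, 2, 0, 0, 0)
SAMPLE_FAT = (struct.pack(">II", FAT_MAGIC, 2)
              + struct.pack(">5I", 12, 6, 4096, 0, 12)
              + struct.pack(">5I", 7, 3, 8192, 0, 12))

if __name__ == "__main__":
    for name in ("SAMPLE_ARM", "SAMPLE_X86", "SAMPLE_FAT"):
        blob = globals()[name]
        print(name, macho_archs(blob), "device build:", is_device_build(blob))
```

To check a real delivery, pass the bytes of the executable inside the .app bundle, for example `macho_archs(open(path, "rb").read())`.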
2

The outsource company can just build and sign the app with their own certificate. You can then re-sign the app with your company's certificate before submission (use codesign).

There's not too much a consultant can do with the private key to just an App Store Distribution certificate but without the team agent's iTunes Connect login credentials, as Apple's review team are the only ones who can run an app signed with your Distribution certificate, and you can't submit an app to iTunes Connect without the login matching the certificate (AFAIK).

hotpaw2