How to create Apple Certificates for App Signing
Note: During this guide you will see [email protected] used in the place of an AppleID email. You should replace that with your own AppleID email.
Step 1 – Obtain an Apple Developer Account
This is the only step that will require payment. An Apple developer account will cost you 99$/year and can be created at the Apple Developer website.
Step 2 – Create the CSR
Next we’ll create the Certificate Signing Request which we will be able to upload to Apple for, you guessed it, signing! 🙂
First open the Keychain Access App and navigate to the following button:
This will open the Certificate Assistant which will prompt you to enter your Apple ID Email and the certificate Common Name. The Common Name can be whatever you want, ie “ENATIK dev key”.
Make sure you select Saved to disk as the request saving type. The field CA Email address can be left empty.
Click Continue, this will prompt you to save the .certSigningRequest file somewhere on your device.
Once the file is created head to the Apple New Certificate menu (either navigate through the Apple Developer website or click here to go straight to it)
Step 3 – Selecting the type of Apple Certificate
If you are following our guide for App Releasing on MacOS, you will need the “Developer ID Application“. You will also need the “Developer ID Installer” if you are shipping your app within a .pkg file. You can safely ignore the rest of Step 3.
This part can be tricky and I see it tripping people up all the time, so I have created a table for reference. Make sure to choose the correct type of certificate. Picking the wrong one will result in signature validation errors that will leave you pulling your hair out.
I am not sure why Apple makes it so complicated but I am sure they have their reasons.
Step 3.1 – The In-Depth guide
For those interested in a more detailed explanation I have created a table for reference.
iDevices – iPhones, iPads, Apple Watches, Apple TVs, iPods and others
Macs – Macbooks, iMacs, Mac Pros, Mac Minis and others
Ad Hoc – Apple’s term for direct download apps. These are subject to pretty strict requirements including having to hardcode your target devices into your app before signing. Not for the faint of heart or covered here.
AppStore – The App Store on the target platform. These certificates CANNOT be used to sign apps for distribution outside the App Store unless you are targeting an Ad-Hoc distribution.
|Certificate Name||You need it for||You Can Sign|
|Apple Development||Installing testing versions of your apps on OTHER people’s iDevices. Requires Xcode 11+||iDevices apps (testFlight testing)|
Mac apps (testing*)
|Apple Distribution||Signing apps for submission to the App Store for iDevices and Macs. Requires Xcode 11+||iDevice apps (AppStore or Ad Hoc)|
Mac apps (AppStore)
|iOS App Development||Installing testing versions of your apps on OTHER people’s iDevices.||iDevices apps (testFlight testing)|
|iOS Distribution (App Store and Ad Hoc)||Signing apps for submission to the App Store for iDevices.||iDevice apps (AppStore or Ad Hoc)|
|Mac Development||Not very useful*||Mac apps(testing*)|
|Mac App Distribution||Signing apps for submission to the App Store for Macs.||Mac apps(AppStore)|
|Mac Installer Distribution||Signing installers for submission to the App Store for Macs.||Mac installers(AppStore)|
|Developer ID Installer||Signing installers for direct distribution for Macs.||Mac installers(direct)|
|Developer ID Application||Signing apps for direct distribution for Macs.||Mac apps(direct)|
Step 4 – Obtaining the certificate
After selecting the type of certificate Apple will prompt you to upload your .certSigningRequest file we generated earlier. Once that’s done it should only take a few seconds for your certificate to be approved. You can now download your certificate and should do so.
You should now install the certificate by double-clicking the .cer file you just downloaded. This will add an entry to your Keychain Access login chain. You can find your new certificate under “My Certificates“