Developer Guide — Certificates, Profiles, and Code Signing in Xcode
This guide is for developers who have had a service request approved and need to use the provisioned signing assets to build, sign, and distribute their app using Xcode.
⚠️ IMPORTANT — No Administrator Access
Developers will NOT be granted “Administrator” access to any Northwestern Apple Developer Program account (neither the App Store program nor the Enterprise program).
All signing assets — including distribution certificates, provisioning profiles, APNs keys, and APNs certificates — are provisioned and managed centrally by the Northwestern IT Apple Developer Program administrators.
You will receive the specific assets you need for your approved project through a secure channel. Do not attempt to:
- Log in to the Apple Developer portal with Northwestern’s team credentials
- Create, download, or revoke certificates yourself
- Create or modify App IDs, provisioning profiles, or keys
- Invite users or modify team membership
If you need additional signing assets, capability changes, or certificate renewals, submit a new service request through TDX.
Table of Contents
- What You Will Receive
- Installing the Distribution Certificate
- Installing the Provisioning Profile
- Configuring Code Signing in Xcode
- Using Push Notification Credentials (Optional)
- Building and Archiving for Distribution
- Submitting to the App Store or Distributing Enterprise Apps
1. What You Will Receive
Depending on your approved service request, you will receive some or all of the following assets via a secure delivery channel:
| Asset | File Type | Purpose |
|---|---|---|
| Distribution Certificate | .p12 | Signs your app for distribution. Contains the certificate and its private key, protected by a password. |
| Provisioning Profile | .mobileprovision | Binds your app’s Bundle ID, distribution certificate, and enabled capabilities together. Required by Xcode to build for distribution. |
| APNs Auth Key (if push notifications requested — token-based) | .p8 | A private key used to generate JWT tokens for sending push notifications via APNs. Shared along with the Key ID and Team ID. |
| APNs SSL Certificate (if push notifications requested — certificate-based) | .p12 | An SSL certificate used to establish a direct TLS connection to APNs for sending push notifications. Provided with a password. |
Reference: Certificates Overview — Apple Developer Account Help
2. Installing the Distribution Certificate
The distribution certificate (.p12 file) must be installed into your Mac’s Keychain so that Xcode can use it for code signing.
Steps
- Locate the .p12 file you received via the secure channel.
- Double-click the .p12 file. This opens Keychain Access.
- When prompted, enter the password that was provided along with the certificate.
- The certificate and its private key will be imported into your login keychain.
- Verify the installation:
  - Open Keychain Access (Applications → Utilities → Keychain Access).
  - In the sidebar, select login keychain and the My Certificates category.
  - You should see the distribution certificate listed (e.g., “Apple Distribution: Northwestern University (XXXXXXXXXX)” or “Developer ID Application: Northwestern University (XXXXXXXXXX)”).
  - Click the disclosure triangle next to the certificate to confirm the private key is attached.
Troubleshooting: If Xcode reports “Xcode could not find a valid private-key/certificate pair,” ensure that both the certificate and its private key are present in your keychain. See Apple’s troubleshooting guidance.
Reference:
- Certificates — Apple Developer Support
- Synchronizing Code Signing Identities — Apple Documentation
3. Installing the Provisioning Profile
The provisioning profile (.mobileprovision file) tells Xcode which certificate and capabilities to use when building your app.
Steps
- Locate the .mobileprovision file you received.
- Double-click the file. Xcode will automatically register the profile.
  - Alternatively, drag and drop the file onto the Xcode icon in the Dock.
- Verify the installation:
  - The profile is stored at: ~/Library/MobileDevice/Provisioning Profiles/
  - You can also verify in Xcode: go to Settings (⌘,) → Accounts → select your team → click Download Manual Profiles (though in this case, the profile was installed manually).
Reference: TN3125: Inside Code Signing — Provisioning Profiles
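To check what a delivered profile actually binds together before selecting it in Xcode, the following added example (not part of the original guide or of Apple's tooling) reads the plist embedded in a .mobileprovision file and reports its name, UUID, team, App ID, days until expiry, and the SHA-1 of each embedded certificate. The sample profile and all of its values are constructed placeholders, and the 30-day warning threshold is an assumption.

```python
import hashlib
import plistlib
from datetime import datetime, timezone

def load_profile(blob: bytes) -> dict:
    """Return the plist embedded in a .mobileprovision file's bytes.
    The file is a CMS signed-data envelope around an XML plist; this slices
    the plist out WITHOUT verifying the CMS signature (inspection only)."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def summarize(profile: dict, now: datetime, warn_days: int = 30) -> dict:
    """Collect the fields to compare against your signing configuration."""
    expires = profile["ExpirationDate"]
    if expires.tzinfo is None:          # plistlib yields naive UTC datetimes
        expires = expires.replace(tzinfo=timezone.utc)
    days_left = (expires - now).days
    return {
        "name": profile["Name"],        # what Xcode lists the profile as
        "uuid": profile["UUID"],
        "team": profile["TeamIdentifier"][0],
        "app_id": profile["Entitlements"]["application-identifier"],
        "days_left": days_left,
        "renew_now": days_left <= warn_days,
        # SHA-1 of each embedded certificate (DER bytes), upper-case hex
        "cert_sha1": [hashlib.sha1(der).hexdigest().upper()
                      for der in profile["DeveloperCertificates"]],
    }

def sample_profile() -> bytes:
    """Constructed stand-in for a real profile; every value is a placeholder."""
    body = plistlib.dumps({
        "Name": "Example Distribution Profile",
        "UUID": "00000000-0000-0000-0000-000000000000",
        "TeamIdentifier": ["XXXXXXXXXX"],
        "ExpirationDate": datetime(2030, 1, 31),
        "Entitlements": {"application-identifier": "XXXXXXXXXX.com.example.app"},
        "DeveloperCertificates": [b"constructed-der-bytes"],
    })
    return b"\x30\x82 envelope header " + body + b" signature trailer"

if __name__ == "__main__":
    print(summarize(load_profile(sample_profile()),
                    now=datetime(2030, 1, 11, tzinfo=timezone.utc)))
```

The `cert_sha1` values can be compared with the hashes printed by `security find-identity -v -p codesigning` to confirm that the installed distribution certificate is the one the profile expects.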
4. Configuring Code Signing in Xcode
After installing the certificate and provisioning profile, configure your Xcode project to use them.
Steps
Open your project in Xcode.
Select your project in the Navigator, then select your target.
Go to the Signing & Capabilities tab.
Uncheck “Automatically manage signing.”
You must use manual signing because the distribution certificate and profile were provisioned by the NU team and are not associated with your personal Apple Account.
Under Signing (Release) (or your distribution build configuration):
- Team: This may show “None” or the Northwestern team — either is acceptable when manually signing.
- Signing Certificate: Select the distribution certificate you installed (e.g., “Apple Distribution: Northwestern University (XXXXXXXXXX)”).
- Provisioning Profile: Select the provisioning profile you installed. Xcode will list it by name or UUID.
For Debug builds, you can continue to use your own development certificate and automatic signing if desired — the manual signing configuration only needs to apply to your Release or distribution build configuration.
Build Settings (Alternative)
You can also configure signing directly in Build Settings:
| Build Setting | Value |
|---|---|
| CODE_SIGN_STYLE | Manual |
| CODE_SIGN_IDENTITY | The name of the distribution certificate (e.g., Apple Distribution) |
| PROVISIONING_PROFILE_SPECIFIER | The name or UUID of the provisioning profile |
| DEVELOPMENT_TEAM | Northwestern’s Team ID (provided with your assets) |
Reference:
- Distributing Your App for Beta Testing and Releases — Apple Documentation
- WWDC 2021: Distribute Apps in Xcode with Cloud Signing
5. Using Push Notification Credentials (Optional)
If your app uses push notifications and you requested APNs credentials, you will receive either a p8 key (token-based) or a p12 certificate (certificate-based), depending on what you selected in your service request.
Option A: Token-Based Authentication (p8 Key) — Recommended
You will receive:
- A .p8 file — the private key
- A Key ID — a 10-character identifier
- The Team ID — Northwestern’s Apple Developer Team ID
How it works:
- Your server uses the .p8 key to generate a signed JSON Web Token (JWT) that it includes in each push notification request to APNs.
- The key does not expire, but can be revoked if compromised.
- A single key can be used across multiple apps in the same team.
- Tokens must be refreshed at least every 60 minutes (and no more frequently than every 20 minutes).
Usage:
1. Store the .p8 file securely on your server. Do not include it in your app bundle or commit it to source control.
2. Configure your push notification server/service to use the Key ID, Team ID, and .p8 file to generate JWTs.
3. Send push requests to the appropriate APNs endpoint:
   - Production: https://api.push.apple.com
   - Development/Sandbox: https://api.development.push.apple.com
Apple Documentation:
- Establishing a Token-Based Connection to APNs
- Sending Notification Requests to APNs
- Create a Private Key to Access a Service
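The token flow described under Option A, as an added example that is not code from the original guide or from Apple: a provider-side cache that builds the ES256 JWT from the Key ID and Team ID and reuses it so that it is regenerated inside the 20 to 60 minute window. The class name, the 50-minute default, and the injectable `sign` and `clock` parameters are assumptions of this sketch; `es256_signer` requires the third-party `cryptography` package.

```python
import base64
import json
import time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def es256_signer(p8_path: str):
    """Build sign(bytes) -> bytes from the .p8 key (needs 'cryptography')."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import ec
    from cryptography.hazmat.primitives.asymmetric.utils import decode_dss_signature
    with open(p8_path, "rb") as fh:
        key = serialization.load_pem_private_key(fh.read(), password=None)

    def sign(message: bytes) -> bytes:
        der = key.sign(message, ec.ECDSA(hashes.SHA256()))
        r, s = decode_dss_signature(der)
        return r.to_bytes(32, "big") + s.to_bytes(32, "big")  # JWS uses raw r||s
    return sign

class ApnsTokenProvider:
    MIN_AGE = 20 * 60  # seconds: never regenerate more often than this
    MAX_AGE = 60 * 60  # seconds: a token must be replaced before this age

    def __init__(self, key_id, team_id, sign, refresh_after=50 * 60, clock=time.time):
        if not self.MIN_AGE <= refresh_after < self.MAX_AGE:
            raise ValueError("refresh_after must be within the 20-60 minute window")
        self.key_id, self.team_id, self.sign = key_id, team_id, sign
        self.refresh_after, self.clock = refresh_after, clock
        self._token, self._issued = None, 0

    def token(self) -> str:
        now = int(self.clock())
        if self._token is None or now - self._issued >= self.refresh_after:
            parts = ({"alg": "ES256", "kid": self.key_id},
                     {"iss": self.team_id, "iat": now})
            signing_input = ".".join(
                b64url(json.dumps(p, separators=(",", ":")).encode()) for p in parts)
            self._token = signing_input + "." + b64url(self.sign(signing_input.encode()))
            self._issued = now
        return self._token

    def authorization_header(self) -> dict:
        # Sent with every request to the APNs endpoint
        return {"authorization": "bearer " + self.token()}
```

In production, construct it as `ApnsTokenProvider(key_id, team_id, es256_signer(path_to_p8))`, with the .p8 path coming from your server's secret store rather than the repository.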
Option B: Certificate-Based Authentication (p12 Certificate)
You will receive:
- A .p12 file — the APNs SSL certificate and its private key
- A password for the .p12 file
How it works:
- Your server presents the .p12 certificate when establishing a TLS connection to APNs.
- The certificate is tied to a specific app (Bundle ID).
- The certificate expires annually — you will need to request a renewal before it expires.
Usage:
1. Install the .p12 file on your provider server.
2. Configure your push notification server/service to use the certificate for TLS authentication with APNs.
3. Send push requests to the appropriate APNs endpoint:
   - Production: https://api.push.apple.com
   - Development/Sandbox: https://api.development.push.apple.com
4. Monitor the expiry date — contact Northwestern IT to request a renewed certificate before it expires. If the certificate expires, push notifications will stop working.
Apple Documentation:
- Establishing a Certificate-Based Connection to APNs
- Sending Notification Requests to APNs
Comparison: p8 vs. p12
| Feature | Token-Based (p8) | Certificate-Based (p12) |
|---|---|---|
| File type | .p8 (private key) | .p12 (SSL certificate + private key) |
| Expiration | Does not expire | Expires annually |
| Scope | Can be used for multiple apps | Tied to a single app |
| Setup complexity | Requires JWT generation on server | Simpler TLS certificate setup |
| Apple recommendation | ✅ Recommended | Supported (legacy) |
| Renewal needed | No (unless revoked) | Yes — every year |
Apple’s recommendation: Use token-based (p8) authentication for new implementations. It’s more flexible, doesn’t expire, and reduces management overhead. See Establishing a Token-Based Connection to APNs.
6. Building and Archiving for Distribution
Once your signing configuration is in place, you can build a distributable archive.
Steps
- In Xcode, select your target and choose a run destination:
  - For iOS apps: select Any iOS Device (not a simulator).
  - For macOS apps: select My Mac.
- Choose Product → Archive from the menu bar.
- Xcode builds your app and creates an archive. When complete, the Organizer window opens showing your archive.
- You can click Validate App to run a preliminary check before distributing.
Reference: Distributing Your App for Beta Testing and Releases — Apple Documentation
7. Submitting to the App Store or Distributing Enterprise Apps
App Store Distribution
- In the Organizer (Window → Organizer), select your archive.
- Click Distribute App.
- Select TestFlight & App Store (or Custom → App Store Connect for more options).
- Follow the prompts:
- Choose Manually manage signing when prompted.
- Select the Northwestern distribution certificate and provisioning profile.
- Xcode uploads the build to App Store Connect.
- In App Store Connect, submit the build for App Review.
Reference:
- Submit for Review — App Store Connect Help
- App Store Review Guidelines
Enterprise (In-House) Distribution
- In the Organizer, select your archive.
- Click Distribute App.
- Select Enterprise (or Custom → Enterprise).
- Follow the prompts:
- Choose Manually manage signing when prompted.
- Select the Northwestern enterprise distribution certificate and provisioning profile.
- Xcode exports the signed .ipa file.
- Deploy the .ipa through your MDM solution (e.g., Jamf) or your secure internal distribution system.
Reference: Distributing Your App for Beta Testing and Releases — Enterprise Distribution
Mac App Signing (Developer ID)
- In the Organizer, select your archive.
- Click Distribute App.
- Select Direct Distribution (or Custom → Developer ID).
- Follow the prompts:
- Choose Manually manage signing when prompted.
- Select the Northwestern Developer ID Application certificate.
- Xcode signs and (optionally) notarizes the app.
- Distribute the notarized app through your chosen channel (website, file share, etc.).
Reference:
- Creating Distribution-Signed Code for macOS — Apple Documentation
- Notarizing macOS Software Before Distribution — Apple Documentation
Frequently Asked Questions
Can I use automatic signing?
No — for distribution builds, you must use manual signing because the distribution certificate is provisioned centrally and not tied to your personal Apple Account. You can still use automatic signing for your development/debug builds with your own Apple Account.
What if I need a new capability added to my app?
Submit a new service request through TDX. The NU Apple Developer Program administrators will update your App ID, create a new provisioning profile with the additional capability, and share the updated profile with you.
What if my certificate or profile is about to expire?
Contact Northwestern IT through TDX. The team will generate renewed certificates and profiles and share them with you. Do not wait until expiry — plan ahead to avoid disruption.
Can I use Xcode Cloud?
Xcode Cloud requires App Store Connect access and cloud-managed signing. If you are interested in using Xcode Cloud for your project, discuss this with Northwestern IT during your service request.
Can I use CI/CD tools (Fastlane, GitHub Actions, etc.)?
Yes — the .p12 certificate and .mobileprovision profile can be used in CI/CD pipelines. Store them securely (e.g., as encrypted secrets in your CI/CD platform). Do not commit them to source control or store them in plain text.
⚠️ Reminder — All Signing Assets Are Centrally Managed
- Do not create, download, or revoke any certificates, profiles, or keys yourself.
- Do not share the provisioned signing assets outside of your authorized project team.
- Do not commit certificates (.p12), provisioning profiles (.mobileprovision), or APNs keys (.p8) to source control repositories.
- Store all signing assets securely and restrict access to authorized team members only.
If you need any changes to your signing configuration, a new certificate, a renewed profile, or additional capabilities, submit a service request through TDX.
For questions, contact Northwestern IT through the TDX service request system.
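One way to enforce the no-commit rule from the CI/CD answer and the reminder above is a Git pre-commit hook. This is an added example, not tooling provided by Northwestern IT or Apple: it flags staged files by extension and also by content, so a .p8 key or profile that has been renamed is still caught. The marker lists and the 256 KB read limit are assumptions of this sketch.

```python
import os
import subprocess
import sys

SIGNING_EXTENSIONS = {".p12", ".p8", ".mobileprovision"}
PEM_KEY_MARKERS = (b"-----BEGIN PRIVATE KEY-----", b"-----BEGIN EC PRIVATE KEY-----",
                   b"-----BEGIN ENCRYPTED PRIVATE KEY-----")
PROFILE_MARKERS = (b"<key>DeveloperCertificates</key>", b"<key>TeamIdentifier</key>")

def classify(path: str, head: bytes):
    """Return a reason string if the file looks like a signing asset, else None."""
    ext = os.path.splitext(path)[1].lower()
    if ext in SIGNING_EXTENSIONS:
        return "signing asset extension " + ext
    if any(marker in head for marker in PEM_KEY_MARKERS):
        return "PEM private key content"      # e.g. a .p8 renamed to .txt
    if all(marker in head for marker in PROFILE_MARKERS):
        return "provisioning profile content"
    return None

def scan(paths, max_bytes=256 * 1024):
    """Map each offending path to the reason it was flagged."""
    findings = {}
    for path in paths:
        try:
            with open(path, "rb") as fh:
                head = fh.read(max_bytes)
        except OSError:
            head = b""                        # unreadable: fall back to the name check
        reason = classify(path, head)
        if reason:
            findings[path] = reason
    return findings

def staged_files():
    """Paths added, copied, modified or renamed in the index."""
    out = subprocess.run(["git", "diff", "--cached", "--name-only", "-z",
                          "--diff-filter=ACMR"], capture_output=True, check=True).stdout
    return [p.decode() for p in out.split(b"\0") if p]

if __name__ == "__main__":
    found = scan(staged_files())
    for path, reason in found.items():
        print(f"blocked: {path} ({reason})", file=sys.stderr)
    sys.exit(1 if found else 0)
```

Saved as an executable `.git/hooks/pre-commit`, it rejects the commit when anything is flagged. It reads the working-tree copy of each staged path, so run the same scan in CI as a second check.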
Apple Documentation References
- Certificates Overview — Apple Developer Account Help
- Certificates — Apple Developer Support
- TN3125: Inside Code Signing — Provisioning Profiles
- Distributing Your App for Beta Testing and Releases — Apple Documentation
- Creating Distribution-Signed Code for macOS — Apple Documentation
- Notarizing macOS Software Before Distribution — Apple Documentation
- Establishing a Token-Based Connection to APNs — Apple Documentation
- Establishing a Certificate-Based Connection to APNs — Apple Documentation
- Registering Your App with APNs — Apple Documentation
- Sending Notification Requests to APNs — Apple Documentation
- Code Signing Resources — Apple Developer Forums
- App Store Review Guidelines