Understanding iOS Code Signing, Certificates, Provisioning Profiles, and Re‑signing
This article explains the iOS code‑signing process for developers, covering Apple developer account enrollment, certificate creation, private key generation, provisioning profile types, automatic signing in Xcode, and step‑by‑step re‑signing of IPA files using the codesign tool.
For developers new to iOS, code signing can be a frustrating obstacle because iOS devices enforce strict security policies that prevent unsigned apps from running on non‑jailbroken devices.
Certificate
Signing relies on asymmetric cryptography, so a certificate hierarchy is required. First, you must register for an Apple Developer account at developer.apple.com/account/. Apple offers personal ($99) and enterprise ($299) accounts; the personal account is sufficient for most developers.
To obtain a certificate, click the "+" button in the Certificates section of the developer portal and select the appropriate type. For debugging and deployment, the "iOS App Development" certificate is sufficient.
After creating the certificate, you must generate a private key locally using macOS's Keychain Access tool.
Download the generated certificate and import it into your system. The Keychain will now display both the public and private parts of the certificate.
Having the private key allows you to sign your app; without it you can only verify signatures.
Provisioning Profile
A provisioning profile tells iOS whether an app is from a legitimate developer, has not been tampered with, and is allowed to run on specific devices. There are two types: Development and Distribution.
The profile contains an XML section with the certificate, App ID, device IDs, and other metadata.
When you build an app in Xcode 8 or later, the "Automatically manage signing" feature can create and attach the appropriate provisioning profile based on the selected certificate and device list.
If an enterprise account distributes an app via In‑House, the device may initially show a trust warning. Trust the certificate under Settings → General → Device Management.
Re‑signing
To install a jailbroken IPA on a non‑jailbroken device, you can re‑sign the IPA with your own provisioning profile.
An IPA is a zip archive; after extraction you will see an embedded.mobileprovision file that contains the original signing information.
Replace embedded.mobileprovision with your own profile and run the following command to re‑sign the app bundle:
codesign --continue -f -s "iPhone Developer: XXXX"
All embedded frameworks and extensions must also be re‑signed. Verify the signature with:
codesign -v
After re‑signing, repack the contents into an IPA and the app can be installed on your device. Open‑source tools such as iReSign automate many of these steps.
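Before replacing a profile, it is worth checking what the embedded.mobileprovision inside an IPA actually authorizes. The Python below is an added example, not code from the original article: it slices the XML section out of the profile and reports the profile type, App ID, device count and certificate count. The sample IPA, team ID and bundle ID are constructed, and splitting Distribution into In-House, Ad Hoc and App Store goes beyond the two types named above.

```python
import io, plistlib, zipfile
from datetime import datetime, timezone

def extract_profile(ipa_bytes):
    """Return the plist dict from Payload/<App>.app/embedded.mobileprovision."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as ipa:
        names = [n for n in ipa.namelist() if n.startswith("Payload/")
                 and n.count("/") == 2 and n.endswith(".app/embedded.mobileprovision")]
        if len(names) != 1:
            raise ValueError("expected one app-level profile, found %d" % len(names))
        blob = ipa.read(names[0])
    # The file is a CMS (PKCS#7) envelope around an XML plist. Slicing the XML
    # out does NOT verify the CMS signature, so treat the values as untrusted.
    start, end = blob.find(b"<?xml"), blob.find(b"</plist>")
    if start < 0 or end < start:
        raise ValueError("no XML plist found in profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def summarize(profile, now=None):
    """Report what the profile authorizes: which app, which devices, until when."""
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)  # plist dates: naive UTC
    ent = profile.get("Entitlements", {})
    devices = profile.get("ProvisionedDevices", [])
    if ent.get("get-task-allow"):            # debugger attach allowed: development build
        kind = "Development"
    elif profile.get("ProvisionsAllDevices"):  # enterprise profile, no device list
        kind = "Distribution (In-House)"
    else:
        kind = "Distribution (Ad Hoc)" if devices else "Distribution (App Store)"
    return {"type": kind, "app_id": ent.get("application-identifier"),
            "team": profile.get("TeamIdentifier", []), "devices": len(devices),
            "certificates": len(profile.get("DeveloperCertificates", [])),
            "expired": profile["ExpirationDate"] < now}

def build_sample_ipa():
    """Constructed sample: fake CMS bytes around a made-up development profile."""
    plist = plistlib.dumps({
        "Name": "Constructed Dev Profile", "TeamIdentifier": ["ABCDE12345"],
        "ExpirationDate": datetime(2030, 1, 1),
        "DeveloperCertificates": [b"constructed-der-bytes"],
        "ProvisionedDevices": ["0" * 40, "1" * 40],
        "Entitlements": {"application-identifier": "ABCDE12345.com.example.demo",
                         "get-task-allow": True}})
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as ipa:
        ipa.writestr("Payload/Demo.app/embedded.mobileprovision",
                     b"\x30\x80constructed-cms-header" + plist + b"constructed-cms-trailer")
    return buf.getvalue()

if __name__ == "__main__": print(summarize(extract_profile(build_sample_ipa())))
```

Running the same summary on an IPA before and after re-signing shows whether the profile, App ID and device list changed as intended.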
Summary
Although code signing and provisioning profiles add complexity, they are essential security mechanisms that protect iOS from malware. Understanding each step—from obtaining a developer account and certificates to managing provisioning profiles and performing manual re‑signing—helps developers maintain app security and troubleshoot deployment issues.
Baidu Intelligent Testing