My scenario
I wrote an iOS app for a client. The project is almost over and now it’s time for them to put it in the App Store. I’ve been sending them development builds throughout the development process. Those builds had a bundle id based on my company and my client’s project like so: com.mycompany.clientname.projectname. I signed those Ad Hoc builds with an Ad Hoc Distribution Provisioning Profile that I created in my own Provisioning Portal account.
Now that it’s time to go to the App Store, I need to do a Release Build and send that for them to sign with their own App Store Distribution Provisioning Profile. This also implies setting a new Bundle ID for the project.
My problem
I need to get a compiled app to the client for them to sign with their provisioning profile. However, I need to set the Bundle ID to what they’re going to use first. Let’s say it’s com.bestclientever.appname. Xcode 4 won’t let me archive the project now because doing so requires code signing. I can not code sign it because I can not create a provisioning profile with the same Bundle ID as what they have set up in their Provisioning Portal (the Provisioning Portal enforces uniqueness—as it should).
Have I made any incorrect assumptions or misunderstandings here? ie. Do I really have to set the Bundle ID to what they’re going to sign with?
The Question
Is there any way to archive, or otherwise build, an iOS app without code signing it? Like a “sign later” setting or something?
Or, is there a way to build the app with one bundle id but then someone else be able to sign it with a provisioning profile for another bundle id (either by changing the bundle id of the compiled app or some other signing method)?
How can I build the final release build but have someone else sign the app for distribution to the App Store?
What I’ve tried or explored
- Acting for the client.
- With other, less savvy clients, I’ve ended up just getting their Provisioning Portal and iTunesConnect credentials and just doing the final build as them. That won’t fly with this client. It’s a big company with strict security guidelines and a lot of red tape.
- Spoofing as the client.
- This is similar to the one above and won’t work for the same reasons. It sounds really fishy to ask my client “can you export your private keys and send them to me”? This technique is described in this answer: How can I send iOS app to client, for them to code-sign
- Sending the client my project source code and letting them do the release build.
- A license to the source code was not in our agreement. Additionally, this client does not want to get involved with source code (hence outsourcing it). I would entertain this as a last-resort option, but there’s gotta be a better way!
- Getting set up as an Admin-level developer in their Developer Member Center.
- Unfortunately, only the Agent-level user can create a Provisioning Profile (as far as I can tell). It seems like there ought to be a way to either let me create a profile that I can use to sign the build or generate a profile for me. I can’t find either option.
Most of these answers seem complicated and out dated. I think the simple answer is to make an archive with a Developer profile.
This is a solution which I am currently investigating for my own purposes (not fully tested):
You just need developer access (not team agent) to their account and create a Development provisioning profile that authorizes you to build the specified App ID (you need to specify the App ID, because it gets compiled in). Then Archive the app with the Development profile, and share the archive with your client. They can then re-sign the archive with their own Distribution profile.
One complication is that when you build an archive with a developer profile, the entitlement attribute get-task-allow gets set to true, but needs to be set to false for distribution, so you have to work around that by setting it manually your Entitlements.plist – see my question here: Can I archive with a Developer certificate, then re-sign it during submission with a Distribution certificate?