3

We have an enterprise developer account and for an app we are working with an external developer.

The external developer needs to be able to build ipa files for us.

From a security point of view, is it safe/recommended for us to share the distribution certificate (and the private key) and a provisioning profile so they can build ipa files?

If we share the distribution certificate (and the private key), will there be any problem?

San9211

1 Answer

5

You should not be sharing your private key. This is not safe. Please read through this article. https://developer.apple.com/library/ios/documentation/IDEs/Conceptual/AppDistributionGuide/MaintainingCertificates/MaintainingCertificates.html

It clearly states "Worse, if someone else has your private key, that person may be able to impersonate you. In the wrong hands, someone might attempt to distribute an app that contains malicious code. Not only could that cause the app to be rejected, it could also mean your developer credentials could be revoked by Apple. Private keys are stored only in the keychain and can’t be retrieved if lost."

barryjones
  • I agree. Do not share your enterprise distribution signing identity with another company. Have them build the binary and then you sign / re-sign it with your credentials before distribution internally. With the private key, they would be able to distribute an app to your company's users and the app would open without prompting the end user to trust the new company, because it would look like the app was distributed by you. Also, as @barryjones states, if they do something malicious with your cert / key, your cert would be revoked by Apple and then **your** apps will no longer work. – wottle Sep 03 '16 at 20:25
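
The re-sign workflow suggested in the comment above can start with an intake check on the vendor-built IPA, so the private key never leaves your own machine. This is an added example, not part of the original answer or comment; the function names, the `entitlements.plist` file name, the identity placeholder and the in-memory sample IPA are assumptions made for illustration.

```python
import io, plistlib, zipfile

def resign_plan(ipa_bytes, expected_bundle_id, identity="<YOUR DISTRIBUTION IDENTITY>"):
    """Inspect a vendor-built IPA; return (problems, codesign argv lists)."""
    problems, nested = [], set()
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        names = z.namelist()
        # Refuse entries that would be written outside the unpack directory.
        if any(n.startswith("/") or ".." in n.split("/") for n in names):
            problems.append("archive contains an unsafe path")
        apps = {"/".join(n.split("/")[:2]) for n in names
                if n.startswith("Payload/") and n.split("/")[1].endswith(".app")}
        if len(apps) != 1:
            return problems + ["expected exactly one Payload/*.app"], []
        app = apps.pop()
        if app + "/Info.plist" not in names:
            return problems + ["Info.plist missing"], []
        info = plistlib.loads(z.read(app + "/Info.plist"))  # XML or binary plist
    bundle_id = info.get("CFBundleIdentifier")
    if bundle_id != expected_bundle_id:
        problems.append(f"bundle id {bundle_id!r} != {expected_bundle_id!r}")
    for n in names:
        parts = n.rstrip("/").split("/")
        for i, p in enumerate(parts):
            if p.endswith((".framework", ".dylib")):
                nested.add("/".join(parts[:i + 1]))
    if any(p.endswith(".appex") for n in names for p in n.split("/")):
        problems.append("app extension present: needs its own profile and entitlements")
    # Sign inside-out: nested code first (deepest path first), the app bundle last.
    # Before signing, replace <app>/embedded.mobileprovision with your own profile.
    cmds = [["codesign", "-f", "-s", identity, p]
            for p in sorted(nested, key=lambda p: (-p.count("/"), p))]
    cmds.append(["codesign", "-f", "-s", identity,
                 "--entitlements", "entitlements.plist", app])
    return problems, cmds

def sample_ipa(bundle_id="com.example.demo"):
    """Constructed sample IPA, built in memory for this demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Demo.app/Info.plist",
                   plistlib.dumps({"CFBundleIdentifier": bundle_id}))
        z.writestr("Payload/Demo.app/Demo", b"")
        z.writestr("Payload/Demo.app/Frameworks/Lib.framework/Lib", b"")
        z.writestr("Payload/Demo.app/embedded.mobileprovision", b"vendor profile")
    return buf.getvalue()

if __name__ == "__main__":
    problems, cmds = resign_plan(sample_ipa(), "com.example.demo")
    print(problems)
    for c in cmds:
        print(" ".join(c))
```

The commands are returned as argument lists for review; run them on the Mac that holds the signing identity, from the directory where the IPA was unpacked.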