Codesigning concepts

If you are just starting a new project, it's important to think about how you want to handle code signing. This guide will help you choose the best approach for you.

For existing projects it might make sense to switch from a manual process to the match approach to make it easier for new team-members to onboard.

If you are new to code signing, check out the WWDC session that describes the fundamentals of code signing in Xcode.

Using match

The concept of match is described in the codesigning guide.

With match you store your private keys and certificates in a git repo to sync them across machines. This makes it easy to onboard new team-members and set up new Mac machines. This approach is secure and uses technology you already use.

Getting started with match requires you to revoke your existing certificates.

Make sure to follow Setting up your Xcode Project to set up your project properly.

Using cert and sigh

If you don't want to revoke your existing certificates, but still want an automated setup, cert and sigh are for you.

  • cert will make sure you have a valid certificate and its private key installed on the local machine
  • sigh will make sure you have a valid provisioning profile installed locally, that matches the installed certificate

Add the following lines to your Fastfile

lane :beta do

Make sure to follow Setting up your Xcode Project to set up your project properly.

Using Xcode's code signing feature

Occasionally the Automatic setting as the provisioning profile doesn't work reliably as it will just select the most recently updated provisioning profile, no matter if the certificate is installed.

That's why it is recommended to specify a specific provisioning profile somehow:

Xcode 8 and Xcode 9

The instructions below are more advanced, and take more time to setup than other approaches.

Automatic & Manual Signing

To simplify development workflow you could use Automatic code signing for development, and Manual for release builds. You have to configure your Xcode project to use automatic code signing, and on the release configuration specify the $() match env variable.


in your Fastfile you then use a lane like this:

lane :release do
  disable_automatic_code_signing(path: "my_project.xcodeproj")
  enable_automatic_code_signing(path: "my_project.xcodeproj")

this way you can profit of the automatic code signing on development machines. and also stay in control on release builds to be sure the right cert/provisioning profiles are used.

Xcode 7 and lower

You should avoid clicking the Fix Issue button (There is an Xcode plugin that disables the button), as it sometimes revokes existing certificates, and with it the provisioning profiles.

Unfortunately you can't specify the name of the provisioning profile in Xcode 7. Instead you can specify the UUID of the profile, which changes every time the profile gets re-generated (e.g. when you add a new device).

To work around this issue, check out Setting up your Xcode Project on how to pass a provisioning profile to Xcode when building your app.


You can always manually create and manage your certificates and provisioning profiles using the Apple Developer Portal. Make sure to store the private key (.p12) of your certificates in a safe place, as they can't be restored if you lose them.

You can always download the certificate (.cer) and provisioning profile (.mobileprovision) from the Apple Developer Portal.

Where to go from here