I am in the following situation: We have an enterprise developer account and for an app we are working with an external developer.
At the moment we do not have access to the source code so we can't make builds, but we still need to have weekly builds that can be installed on devices... therefore the external developer needs to be able to build ipa files.
The developer is now a member of the developer program and has their own developer certificate. However, there can only be one distribution certificate.
From a security point of view, is it safe/recommended for us to share the distribution certificate (and the private key) and a provisioning profile so they can build ipa files?
Are there any other (safer) choices?
PS: I was also thinking that we could re-sign an IPA with our distribution certificate, but it still leaves us in the situation where they need to be able to build an IPA - and this is only possible with a distribution certificate + provisioning profile installed.
You can have your external developer sign with whatever he wants and then you can re-sign the IPA and use it. This way the source code is "safe" from the developer's perspective and you can use your IPA signed with your certificate. I normally use this, but you can do it in the command line too...
As for your Post Scriptum part, that's not true... I have experience working with external agencies where they use their own certificate and provisioning, and when I receive their IPA I only need to re-sign it.
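The command-line re-sign mentioned in the answer above, as an added example that is not part of the original answer: the vendor's IPA is re-signed on your own Mac, so the distribution private key never leaves your keychain. The file paths and the signing identity name passed to `resign_ipa` are placeholders, and the script assumes an explicit-App-ID profile that matches the app's bundle ID and an app without extensions.

```shell
#!/bin/sh
# Added example: re-sign a vendor-built IPA on your own Mac (macOS tools required).
# Assumes an explicit-App-ID profile matching the bundle ID and no app extensions.

# Print the single .app bundle inside an unzipped IPA directory; fail otherwise.
find_app_bundle() {
  found="" count=0
  for candidate in "$1"/Payload/*.app; do
    [ -d "$candidate" ] || continue
    found="$candidate"; count=$((count + 1))
  done
  [ "$count" -eq 1 ] || return 1
  printf '%s\n' "$found"
}

# resign_ipa <vendor.ipa> <our.mobileprovision> <signing identity> <out.ipa>
resign_ipa() (
  ipa="$1" profile="$2" identity="$3" out="$4"
  case "$out" in /*) ;; *) out="$PWD/$out" ;; esac
  work="$(mktemp -d)" || exit 1
  unzip -q "$ipa" -d "$work" || exit 1
  app="$(find_app_bundle "$work")" || { echo "need exactly one Payload/*.app" >&2; exit 1; }

  # Replace the vendor's profile with ours and discard their signature.
  cp "$profile" "$app/embedded.mobileprovision" || exit 1
  rm -rf "$app/_CodeSignature"

  # Entitlements come from our profile, never from the vendor's build.
  security cms -D -i "$profile" > "$work/profile.plist" || exit 1
  /usr/libexec/PlistBuddy -x -c 'Print :Entitlements' "$work/profile.plist" \
    > "$work/entitlements.plist" || exit 1

  # Sign nested frameworks first, then the app bundle itself.
  for nested in "$app"/Frameworks/*; do
    [ -e "$nested" ] || continue
    codesign -f -s "$identity" "$nested" || exit 1
  done
  codesign -f -s "$identity" --entitlements "$work/entitlements.plist" "$app" || exit 1
  codesign --verify --deep --strict "$app" || exit 1

  (cd "$work" && zip -qry "$out" Payload) || exit 1
  rm -rf "$work"
)

if [ "$#" -eq 4 ]; then resign_ipa "$@"; fi
```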