
What, if any "screw it up permanently" situations are there in the App Store certificate/key-pair code signing process?

My company works with several other companies to handle their iPhone development needs, and in many cases the other companies already have some existing app(s) on the App Store.

We handle the App Store submission for them as well and in the situations where they do already have an existing app, their iOS Dev Center account already has a Distribution certificate created. In which case we have to acquire the key pair that was generated when they (or the third party developer they hired) created the certificate. It's been my understanding this whole time that this is the necessary process in order to work with the App Store.

But as time goes on, I find myself wondering about several things:

  1. What happens when the certificates expire? I know we create new ones but that means that the apps on the App Store are signed with a certificate/keypair different than the one they were created with. Is that significant? Or can I still update existing apps on the App Store even with a new certificate/keypair (from the same iOS Dev Center account)?

  2. What happens if the keypair is lost for an existing certificate? Let's say the company made an app before but the Macintosh that they used prior was hit by a meteorite. And no backups of course. I'd have to revoke and recreate the certificate - would that mean anything for the existing published app? If I had the source code to that app and had to put out an update, would I be able to?

Basically I'm asking: are there any "screw it up permanently" scenarios involved with iOS development and distribution certificates that would keep you from being able to update existing apps? I know that if you don't back up the keystore in Android development then you're just hosed with regards to publishing updates, but is there any way to just completely screw up with iOS development?

And a bonus question: If I can just revoke development certificates and re-issue them without consequence, has it always worked this way? Or have they modified the process? I can see where the "chain of evidence" could always be tied to the iOS Dev Center Agent account and that would be the root of things, but is this a new thing?

Tom Kidd asked May 17 '12 20:05


1 Answer

A Distribution certificate is used only for submission to iTunes Connect (and Ad Hoc stuff). Once approved, Apple signs the app with a different non-expiring certificate before putting the app in the App Store, so the state of the developer's Distribution certificate no longer matters.

A downloaded or purchased app will stay running on a customer's device even if the developer's certificates and iOS enrollment expire. But a developer does have to re-enroll ($99/annum) in time if they want their app to stay visible in the App Store.

Typically, Distribution certificates expire annually, maybe a bit more often; new ones can be created, and updates for existing apps can just be submitted with the newest (and valid) Distribution certificate.

If you lose a key pair, the team leader will have to revoke and then generate new certificates and provisions, and update all their Keychains and Xcode provisioning and possibly project/target settings as well. Confusion about which certificates and provisions are live and which are dead has caused some developers some serious headaches.

hotpaw2 answered Oct 26 '22 23:10