3

My employer recently entered into an agreement with another company to share the source code for an iOS app that we developed. We haven't yet published this app in the App Store but plan to do so in the future. During the course of development, we've obviously created an app ID, provisioning profiles, certificates for development and remote notifications, etc. all of which are (obviously) tied to my employer's enrollment in the Apple Developer Program (ADP). The app itself is currently configured to allow Xcode to manage signing automatically.

Before we deliver the source code for this app to the other company, I need to make sure that none of my employer's information is present in the project source (so that the other company has to use their own info). I've looked through all the project-related files I could find and the only thing I really saw was a small section in the project.pbxproj file that looks like it is related to signing.

I would guess that this is something that a lot of people who decide to share their source on Github do but I'm still fairly new to iOS/Xcode app development so I was hoping that someone who has dealt with this before could offer some insight? Thanks very much!

bmt22033
  • 6,880
  • 14
  • 69
  • 98

2 Answers2

3

If you just want to make sure they cannot get your company's signing identity, you can just send them the project. Since you are using automatic code signing, they would need to have your company's Apple developer ID credentials to sign in to the developer account in order to have Xcode generate a certificate and profile to sign as your company. None of the critical signing files are included in the Xcode project folder.

When you enable automatic code signing and sign into the Apple ID, Scode will generate a certificate and private key, which go into that Mac's Keychain, and a provisioning profile is generated and downloaded, which goes into a specific directory that is common for all projects (https://stackoverflow.com/a/45642752/3708242) and outside of the project directory.

As @Jack states in his answers, there are other pieces of information in the files you might want to scrub, but there is no risk you would be giving them access to your code signing information by sending them the project as is with automatic code signing turned on.

Long story, short, just send them the project directory.

wottle
  • 13,095
  • 4
  • 27
  • 68
1
  • Just clear the bundle identifier in Project->General->Bundle identifier -> set it empty.
  • For notification other company/Vendor will use there separate certs with respective Apple account.
  • In every top lines of .swift files there is commented by default code which includes Mac name, you can remove it.

enter image description here

Jack
  • 13,571
  • 6
  • 76
  • 98
  • But the bundle ID is considered public information, and is related to signing, but does not expose your company to any risk if someone knows it. Also, disabling automatic code signing doesn't technically provide any benefit either. This partner **knows who the other company is**, the OP just wants to ensure they can't sign the app (or other apps) as the OP's comany. You don't need to do any of these things to prevent that. Code signing identities aren't stored with the project. – wottle Jul 19 '18 at 11:53
  • Dear @wottle as in question **I need to make sure that none of my employer's information is present in the project source** so if you put bundle id which contains company name & app name, which op don't want to share. :) – Jack Jul 19 '18 at 12:01
  • @Jack - I'm afraid the confusion is my fault for not being able to clearly explain what I was asking. I'm actually not so concerned that they know the bundle ID but just wanted to make sure that the other company wouldn't have access to any of my employer's signing info. Thank you for your answer! I appreciate it! – bmt22033 Jul 19 '18 at 12:09
  • @bmt22033 practically we have to sign in into xcode(__Xcode->Preference->Account__). So your account is safe. No need to worry to share source code. – Jack Jul 19 '18 at 12:11