How to use Apple signing certificates

Issue #1046

Every app that runs on an Apple device must be signed with a certificate. The signature tells the OS that the code comes from a known developer and hasn’t been tampered with. Xcode manages most of this automatically, but understanding which certificate does what helps when things go wrong or when you need to set up CI.

Apple Development

The Apple Development certificate covers all Apple platforms: iOS, macOS, tvOS, and watchOS. It replaced the older platform-specific certificates (iOS Development, Mac Development) starting with Xcode 11. You use it whenever you want to run an app on a physical device during development or test app services like iCloud or push notifications.

This certificate belongs to an individual, not the team. Each developer on your team has their own Apple Development certificate. There is a limit of two active iOS development certificates and two Mac development certificates per person.

Apple Distribution

The Apple Distribution certificate is the unified equivalent for release builds. It covers all platforms and replaces the older iOS Distribution and Mac App Distribution certificates. You use it to submit apps to the App Store or to distribute builds to designated devices via TestFlight or Ad Hoc distribution.

Unlike development certificates, distribution certificates belong to the team rather than an individual. Anyone with Admin or Account Holder access can create one, and it is shared across the team. Only one Apple Distribution certificate can be active at a time per team.

Developer ID for distribution outside the App Store

If you distribute a Mac app directly, outside the App Store, you need a different type of certificate entirely. The Developer ID Application certificate signs the app binary, and the Developer ID Installer certificate signs a .pkg installer if you package your app that way.

These certificates are Mac-only. When exporting an archive with xcodebuild -exportArchive, you tell it to use Developer ID signing through the export options plist:

<key>method</key>
<string>developer-id</string>
<key>teamID</key>
<string>YOUR_TEAM_ID</string>
<key>signingStyle</key>
<string>automatic</string>

Xcode automatically picks the Developer ID Application certificate for the given team ID. You do not need to name the certificate explicitly in most cases. After exporting, the app must be notarized and stapled before you distribute it to users.

Legacy certificates

The platform-specific certificates (iOS Development, iOS Distribution, Mac App Distribution, Mac Installer Distribution) still exist in App Store Connect and Xcode will use them if they are present. For any new project, use Apple Development and Apple Distribution instead. They simplify certificate management when you target multiple platforms from one project.

Ownership and limits

Development certificates are personal. Each team member requests and holds their own, and there is a cap on how many can be active at once. Distribution certificates are shared team assets. Revoking a distribution certificate affects every build signed with it, so coordinate with your team before doing so.

When Xcode’s automatic signing is enabled, it handles certificate creation and renewal silently. Manual signing gives you explicit control, which matters for CI environments where Xcode cannot prompt for authentication.
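
On a CI runner with manual signing, a useful preflight is to confirm that the keychain holds the certificate type the export needs. The following is an added example, not code from the original article: it parses text in the format printed by `security find-identity -v` and reports missing, ambiguous, or legacy identities. The sample output, the function names, and the legacy common-name prefixes (for example "iPhone Developer" for iOS Development) are assumptions of the example.

```python
import re

# Constructed stand-in for `security find-identity -v` output (all values made up).
SAMPLE_OUTPUT = "".join(
    f'  {n}) {str(n) * 40} "{cn}"\n' for n, cn in enumerate([
        "Apple Development: Jane Doe (AAAAAAAAAA)",
        "Apple Distribution: Example Corp (TEAM123456)",
        "Developer ID Application: Example Corp (TEAM123456)",
        "iPhone Developer: Jane Doe (AAAAAAAAAA)"], 1)
) + "     4 valid identities found\n"

# Keychain common-name prefix -> (type name used in the article, legacy?).
# The legacy prefixes are this example's assumption, not from the article.
CERT_TYPES = {
    "Apple Development": ("Apple Development", False),
    "Apple Distribution": ("Apple Distribution", False),
    "Developer ID Application": ("Developer ID Application", False),
    "Developer ID Installer": ("Developer ID Installer", False),
    "iPhone Developer": ("iOS Development", True),
    "Mac Developer": ("Mac Development", True),
    "iPhone Distribution": ("iOS Distribution", True),
    "3rd Party Mac Developer Application": ("Mac App Distribution", True),
    "3rd Party Mac Developer Installer": ("Mac Installer Distribution", True),
}
LINE_RE = re.compile(r'^\s*\d+\)\s+([0-9A-Fa-f]{40})\s+"([^"]+)"')

def parse_identities(text):
    """Return (sha1, cert_type, legacy, common_name) for each identity line."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # summary line, e.g. "4 valid identities found"
        sha1, cn = m.groups()
        cert_type, legacy = CERT_TYPES.get(cn.split(":", 1)[0], ("unknown", False))
        found.append((sha1, cert_type, legacy, cn))
    return found

def preflight(text, required_type):
    """Return problems a CI job should fail or warn on before signing."""
    ids = parse_identities(text)
    matches = [i for i in ids if i[1] == required_type]
    problems = []
    if not matches:
        problems.append(f"missing: no {required_type} identity")
    elif len(matches) > 1:
        problems.append(f"ambiguous: {len(matches)} {required_type} identities")
    problems += [f"legacy: {cn} ({t})" for _, t, legacy, cn in ids if legacy]
    return problems
```

For the developer-id export shown earlier, call preflight with "Developer ID Application" and fail the job on any "missing" or "ambiguous" entry.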

Written by

I’m an open source contributor, writer, speaker and product maker.
