If you've tried to publish an iOS app and hit a wall you couldn't understand, there's a good chance code signing is where things went wrong.
It's not the most technically complex part of building a mobile app. But it's the part that causes the most confusion for first-time publishers — because it involves three separate components that all have to be correct, interconnected, and up to date at the same time.
Here's what code signing actually is, why it works the way it does, and how to get through it without losing a day to error messages.
What Code Signing Is and Why Apple Requires It
Code signing is Apple's mechanism for verifying that an app submitted to the App Store was built by a legitimate, registered developer — and that the code hasn't been modified since it left that developer's hands.
Every app in the App Store carries a cryptographic signature. When a user downloads the app, iOS verifies that signature. If the signature is valid, the app runs. If it isn't, iOS refuses to install it.
From Apple's perspective, this protects users. From a developer's perspective, it means you have to set up and maintain specific credentials before your app can be distributed.
The Three Components You Need
Code signing for App Store distribution requires three things, all of which must be configured correctly and linked to each other.
All three have to match. If your Provisioning Profile references a different App ID than your Xcode project is using, the build fails. If the certificate embedded in the Provisioning Profile doesn't match the one on your machine, the upload fails. If any component has expired, the build fails silently or with a cryptic error message.
| Component | Where Created | Common Mistake | How to Check |
|---|---|---|---|
| App ID | Developer Portal → Identifiers | Wrong Bundle ID format or typo | Must exactly match your project's Bundle ID |
| Distribution Certificate | Developer Portal → Certificates | Using Development type instead | Type must say 'Apple Distribution' |
| Provisioning Profile | Developer Portal → Profiles | Using Development or Ad Hoc type | Type must say 'App Store Distribution' |
The Mistakes That Cause Most Code Signing Failures
Using a Development Certificate Instead of a Distribution Certificate
This is the single most common error. Development Certificates are created for testing on your own devices. Distribution Certificates are required for App Store submission. They look nearly identical in the Apple Developer Portal — both are under "Certificates" and both have your name on them. The key difference is the type label.
If you upload a build signed with a Development Certificate, App Store Connect rejects it immediately. The error message isn't always obvious about the root cause.
Creating a Development Provisioning Profile Instead of Distribution
Same category of mistake. There are four types of Provisioning Profiles: Development, Ad Hoc, App Store, and Enterprise. For App Store submission, you need an App Store Provisioning Profile specifically. Development and Ad Hoc profiles won't work — and the names in the portal can be confusing if you're moving quickly.
App ID Mismatch
Your Xcode project (or Expo configuration) has a Bundle ID. Your App ID in the Apple Developer Portal must match it exactly — including capitalization. If they don't match, the Provisioning Profile won't work for your build.
Expired Credentials
Distribution Certificates expire after one year. Provisioning Profiles also expire and become invalid if the associated certificate expires. An expired certificate stops new builds from signing correctly.
If you're resubmitting an update months after your initial launch, check expiry dates before building.
How the Process Actually Works Step by Step
- Go to the Apple Developer Portal and create an App ID under Identifiers. Use the Bundle ID format:
com.yourcompany.appname - Under Certificates, create a new certificate. Select Apple Distribution — not Apple Development
- Download the certificate and install it in your Mac's Keychain
- Under Profiles, create a new profile. Select App Store Connect distribution. Link it to your App ID and your Distribution Certificate
- Download the Provisioning Profile and install it (double-click the
.mobileprovisionfile) - In Xcode or your Expo
eas.json, configure the project to use this Bundle ID, certificate, and profile - Build and archive. The resulting
.ipafile is what you upload to App Store Connect
If You're Using Expo EAS Build
EAS Build can manage code signing credentials for you. When you run eas build --platform ios, it can generate and store the required certificates and profiles automatically under your Apple developer account.
This is the fastest path for Expo-based projects. The credentials are still created in your Apple Developer Portal — EAS just handles the setup steps. You need to log in with your Apple Developer account credentials during the EAS setup flow.
One important detail: EAS stores credentials in Expo's infrastructure. If you prefer to keep everything local, you can configure EAS to use local credentials instead — documented in the EAS Build documentation.
How Froxi AI Guides You Through This
The code signing step is the one that causes the most support requests for first-time iOS publishers — not because it's fundamentally difficult, but because the terminology is confusing and the consequences of mixing up certificate types aren't immediately obvious.
Froxi AI's publishing guide walks through this step with the exact sequence and the exact portal pages, using plain language. When you're creating your Distribution Certificate, the guide tells you which option to select and why. When you're creating your Provisioning Profile, it tells you the exact type to choose.
If something goes wrong at this step, the on-page AI assistant can diagnose the error message and tell you what it means in context — not a generic explanation, but the specific issue for the step you're on.
