Effortless iOS Code Signing With Match

If you’re an Apple developer, it’s no news to you that iOS apps cannot be released or even installed on real devices without signing them, making code signing an integral part of a developer’s everyday work. Yet, the whole code signing business might prove to be a headache, especially when you work in a team and need to manage a number of provisioning profiles and signing certificates.

Luckily, fastlane provides a tool called match that will manage the signing files for you after one-time setup. And the best part is that it seamlessly integrates with Nevercode, really giving a boost to your entire continuous integration and delivery (CI/CD) cycle.

This post will explain how you can benefit from using match to sign your iOS apps and how to set it up on Nevercode.

iOS code signing: The basics

Apple requires every iOS app to be signed before it can integrate app services, be installed on a real device or be distributed to iTunes or Apple Store. Unsigned apps simply won’t run on iOS unless the device is jailbroken. Although you can do a lot of testing on simulators, you won’t get away with simulators only, as physical devices are slower and have less memory, plus there are some APIs that work on real devices only. If you intend to deliver high-quality apps and reach the masses, code signing is a must.

Simply put, you will need a certificate and a provisioning profile to sign an app.

The certificate is issued by Apple on registering as an iOS developer and makes it possible to identify who developed the code. When you enroll as a company, each developer gets a personal certificate to sign the code they develop, while a shared team certificate is used for app distribution.

A provisioning profile contains information about the app ID, the devices on which the app can be installed and the certificates that can be used for signing the app. Just as there are separate certificates for development and distribution purposes, there are different types of provisioning profiles depending on whether you’re using it for development, testing or launching your app to the public. Additionally, you’ll need more than one provisioning profile if your app contains app extensions.

For successful signing, the certificate and the provisioning profile must be in accordance with each other and can be mapped in the following way:

[Figure: The certificate and the provisioning profile must be in accordance with each other.]

The hassle with code signing

If you’re an individual developer in a one-man team, code signing won’t be too big of an issue. However, if you work in a team of developers, which results in a pile of certificates and profiles, you may easily find yourself frustrated by code signing issues several times a day.

Keeping provisioning profiles synced

A provisioning profile must be regenerated every time you want to include new devices or when a new developer joins the team. All developers must separately refresh the profile on their machine to be in sync.


In most iOS teams, each developer typically has a separate code signing identity, which results in tons of profiles, including duplicate ones.

Expired certificates and disabled device IDs

Certificates are valid only for a year. When a certificate included in a provisioning profile expires, the profile will expire too, making code signing or starting the app (if this was a development profile) impossible. Similarly, when a device ID contained in the provisioning profile is disabled, the profile becomes invalid.
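The consistency rules described above (the profile must list the signing certificate, cover the app ID and the device, and neither file may be expired) can be checked before a build is attempted. The following is an added example, not code from fastlane or Nevercode. It assumes the profile has already been decoded from its CMS wrapper into a plain plist (for example with `security cms -D -i` on macOS) and that the certificate's expiry date is supplied by the caller; the function names and sample values are constructed for illustration.

```python
import fnmatch
import plistlib
from datetime import datetime, timedelta

def check_signing_pair(profile_plist, cert_der, cert_not_after, bundle_id, udid, now):
    """Return the reasons this certificate/profile pair cannot sign and run the app."""
    profile = plistlib.loads(profile_plist)
    problems = []
    # The profile embeds each certificate allowed to sign with it as a DER blob.
    if cert_der not in profile.get("DeveloperCertificates", []):
        problems.append("certificate not listed in profile")
    # plistlib returns <date> values as naive UTC datetimes, so `now` must be naive UTC too.
    if profile["ExpirationDate"] <= now:
        problems.append("profile expired")
    if cert_not_after <= now:
        problems.append("certificate expired")
    # application-identifier is "<team prefix>.<bundle ID or wildcard>".
    app_id = profile["Entitlements"]["application-identifier"].split(".", 1)[1]
    if not fnmatch.fnmatchcase(bundle_id, app_id):
        problems.append("bundle ID not covered by profile")
    # Development and ad hoc profiles list device UDIDs; App Store profiles do not.
    devices = profile.get("ProvisionedDevices")
    if devices is not None and udid not in devices:
        problems.append("device not in profile")
    return problems

def sample_profile(certs, devices, expires, app_id="TEAMID0000.com.example.app"):
    """Build a constructed stand-in for a decoded .mobileprovision payload."""
    data = {"DeveloperCertificates": certs, "ExpirationDate": expires,
            "Entitlements": {"application-identifier": app_id}}
    if devices is not None:
        data["ProvisionedDevices"] = devices
    return plistlib.dumps(data)

if __name__ == "__main__":
    now = datetime(2024, 1, 1)
    cert = b"constructed-DER-bytes"  # placeholder, not a real certificate
    profile = sample_profile([cert], ["CONSTRUCTED-UDID-1"], now + timedelta(days=30))
    # The device is not in the profile, so one problem is reported.
    print(check_signing_pair(profile, cert, now + timedelta(days=300),
                             "com.example.app", "CONSTRUCTED-UDID-2", now))
```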

No deployable build

If code signing fails, you won’t get a working build to carry on with writing code or hand the app over for testing. This will surely slow you down, but time is often critical in the world of continuous integration and fast release cycles.

How match can help

Fastlane match is a tool that will help to solve the issues described above. It represents a new approach to code signing where a single code signing identity can be shared across the team. With match, the signing files will be stored in your private Git repository, always accessible for your CI tool when the app needs signing.

Here’s how match makes iOS code signing effortless:

Lets you use a single account per team

With match, there is no need for every developer to register an iOS developer account. Instead, a single account with a shared signing certificate and distribution profile is used by all developers, significantly reducing the time it takes to maintain the signing files.

Manages and creates your certificate and provisioning profile

You can have match create both the certificate and the provisioning profile for you and automatically repair broken and expired credentials.

Automatically includes new devices

There’s an option to automatically renew the provisioning profiles to include all your registered devices.

Keeps the certificates and profiles synced

All machines and developers are always in sync without any manual intervention.

Helps to avoid potential code signing issues

Since there will always be one certificate and provisioning profile per environment (development or distribution), the provisioning profile will always match the correct certificate.

Setting up match is a one-time job and will eventually save you a considerable amount of time on code signing, so take a look at the instructions on how to set it up for your iOS project. Read further to see how easy it is to configure match for automatic code signing on Nevercode.

Using match for code signing in Nevercode

Once you have set up match for your iOS project, configuring it as a signing method on Nevercode takes just a few clicks.

In the Code signing section of your app settings, select Using Fastlane Match as the certificates and profiles management method, choose the appropriate provisioning profile type, provide the bundle ID(s), the match passphrase and the SSH key — and that’s it!

[Figure: Code signing using Fastlane Match in Nevercode]

See also our documentation on iOS code signing and workflows if you’d like to set up different configurations of your app.

In conclusion

Code signing is a two-way street. While it may seem a tedious task, it helps to ensure that no one tampers with your app on its way to the end user. And Apple’s apps are known to be the safest ones when it comes to hacking. Since there’s no way out of it, wouldn’t it feel good to sign code effortlessly with the help of Nevercode and match?