Is it safe to share the iOS Enterprise Distribution Certificate with external developers?

I am in the following situation: We have an enterprise developer account and for an app we are working with an external developer.

At the moment we do not have access to the source code so we can’t make builds, but we still need to have weekly builds that can be installed on devices… therefore the external developer needs to be able to build ipa files.

The developer is now a member of the developer program and has their own developer certificate. However, there can only be one distribution certificate.

From a security point of view, is it safe/recommended for us to share the distribution certificate (and the private key) and a provisioning profile so they can build ipa files?

Are there any other (safer) choices?

PS: I was also thinking that we could re-sign an ipa with our distribution certificate but it still leaves us in the situation where they need to be able to build an ipa – and this is only possible with a distribution certificate + provisioning installed.

2 Solutions Collect From Internet About “Is it safe to share the iOS Enterprise Distribution Certificate with external developers?”

You can have your external developer sign with whatever he wants and then you can re-sign the IPA and use it. This way the source code is “safe” in the developer’s perspective and you can use your IPA signed with your certificate. I normally use this, but you can do it in the command line too…

As for your Post Scriptum part, that’s not true… I have the experience of working with external agencies where they use their own certificate and provisioning and when I receive their IPA I only need to re-sign it.
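For the re-sign workflow described in the answer above, an added example (not part of the original answers) that reads the provisioning profile embedded in a received IPA so you can see which team it was signed under, whether it is an enterprise profile, whether it is a debuggable build, and which entitlements it requests. The team IDs, bundle ID and `make_sample_ipa` helper are constructed for illustration.

```python
import io
import plistlib
import zipfile
from datetime import datetime, timezone


def read_profile(ipa_bytes):
    """Return the provisioning profile embedded in an IPA as a dict."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as ipa:
        # Main app bundle only: Payload/<Name>.app/embedded.mobileprovision
        names = [n for n in ipa.namelist()
                 if n.startswith("Payload/") and n.count("/") == 2
                 and n.endswith(".app/embedded.mobileprovision")]
        if len(names) != 1:
            raise ValueError("expected one embedded.mobileprovision in the app bundle")
        blob = ipa.read(names[0])
    # The file is a CMS envelope around an XML plist. This slices the plist out
    # and does NOT verify the CMS signature, so treat the values as claims.
    start, end = blob.find(b"<?xml"), blob.rfind(b"</plist>")
    if start < 0 or end < start:
        raise ValueError("no plist found in provisioning profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def summarize(profile, now=None):
    """Pull out the fields worth reviewing before and after a re-sign."""
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)  # plist dates: naive UTC
    ents = profile.get("Entitlements", {})
    return {
        "team_ids": profile.get("TeamIdentifier", []),
        "enterprise": bool(profile.get("ProvisionsAllDevices", False)),
        "debuggable": bool(ents.get("get-task-allow", False)),
        "expired": profile["ExpirationDate"] < now,
        "entitlements": sorted(ents),
    }


def make_sample_ipa(team_id, enterprise, expires):
    """Constructed test input: a minimal IPA with a fake, unsigned profile."""
    plist = plistlib.dumps({
        "TeamIdentifier": [team_id], "ExpirationDate": expires,
        "ProvisionsAllDevices": enterprise,
        "Entitlements": {"application-identifier": team_id + ".com.example.app",
                         "get-task-allow": not enterprise},
    })
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Example.app/embedded.mobileprovision",
                   b"\x30\x82CMS" + plist + b"SIG")
    return buf.getvalue()
```

Running `summarize(read_profile(...))` on the vendor's IPA and again on the re-signed one shows whether the profile, team and entitlements changed as intended.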

They can be responsible for creating their own profile, and you can simply send them your p12 key (no big deal). You can also just give them the distribution certificate.

To be honest, I’ve never been in a situation where an employer or contractor was hesitant to give me their certificate & p12 file. So I’ve never thought much of it!