Keys & cryptography

Private key

The secret half of a key pair. Whoever holds the private key for a code signing certificate can sign builds as that developer. Lose it and you cannot rotate; leak it and someone else can sign as you.

Signing private keyCode signing private key

Apple code signing uses an asymmetric key pair: a public key inside a certificate that Apple has signed, and a private key that only you have. The private key is what actually signs a build. The certificate just lets a verifier (Xcode, codesign, the App Store, Gatekeeper) check that the signature came from the holder of the matching private key.

Where private keys live

On the Mac of whichever developer generated the original CSR. The key was created locally and never left that machine.
Exported into a .p12 file (PKCS#12) so a teammate or build server can import it.
Stored in a secret manager (1Password, AWS Secrets Manager, HashiCorp Vault) and pulled into CI at build time.
Held by a managed signing service like HexSign or fastlane match, encrypted at rest and decrypted only inside the signing process.

Common failure modes

The developer who generated the CSR leaves the company and nobody else has the private key. The certificate still works, but you cannot rotate it.
A .p12 with a weak password ends up in a public git repo. Anyone who finds it can sign builds as your team.
Two developers each generate their own private key for the same certificate type, so the team ends up with two distribution certificates and neither one matches the other's provisioning profile.

Keep reading

Related terms

PKCS#12 / .p12 file

A password-protected file format that bundles a certificate and its matching private key together. The standard way to move an Apple signing identity between machines.

Read definition

CSR (Certificate Signing Request)

A file containing a public key and team identity, signed with the matching private key. You upload it to Apple to be issued a certificate. The private key never leaves your machine in the process.

Read definition

Keychain (macOS)

macOS's built-in encrypted store for passwords, certificates, and private keys. Xcode and codesign read signing identities from it.

Read definition

.p8 file (auth key)

A PEM-encoded private key file used for two specific Apple authentication flows: App Store Connect API keys and APNs auth keys. Has no expiration and no companion certificate.

Read definition

Code signing certificate

Umbrella term for any Apple-issued certificate used to sign a binary, installer, or push token. Covers Apple Development, Apple Distribution, Developer ID, APNs, Pass Type ID, and Mac Installer certificates.

Read definition

Next step

Help articles on this topic

Generate and store CSRs in the HexSign vault

Generate certificate signing requests with private keys encrypted at rest, or upload your own and reuse them across certificates.

4 min readRead article

Upload a private key for a certificate created outside HexSign

Pair a private key with a certificate you originally issued in the Apple Developer portal (or another tool) so HexSign can export .p12 bundles for it.

4 min readRead article

Rotate an expiring signing certificate without breaking releases

A safe sequence for swapping a soon-to-expire certificate for a new one across every dependent provisioning profile.

5 min readRead article

Notice a definition that has drifted? Email support@hexsign.io and we'll update it. Browse the full glossary or jump to the help center.

Keys & cryptography

Private key

The secret half of a key pair. Whoever holds the private key for a code signing certificate can sign builds as that developer. Lose it and you cannot rotate; leak it and someone else can sign as you.

Signing private keyCode signing private key

Where private keys live

On the Mac of whichever developer generated the original CSR. The key was created locally and never left that machine.
Exported into a .p12 file (PKCS#12) so a teammate or build server can import it.
Stored in a secret manager (1Password, AWS Secrets Manager, HashiCorp Vault) and pulled into CI at build time.
Held by a managed signing service like HexSign or fastlane match, encrypted at rest and decrypted only inside the signing process.

Common failure modes

The developer who generated the CSR leaves the company and nobody else has the private key. The certificate still works, but you cannot rotate it.
A .p12 with a weak password ends up in a public git repo. Anyone who finds it can sign builds as your team.
Two developers each generate their own private key for the same certificate type, so the team ends up with two distribution certificates and neither one matches the other's provisioning profile.

Keep reading

Related terms

PKCS#12 / .p12 file

A password-protected file format that bundles a certificate and its matching private key together. The standard way to move an Apple signing identity between machines.

Read definition

CSR (Certificate Signing Request)

A file containing a public key and team identity, signed with the matching private key. You upload it to Apple to be issued a certificate. The private key never leaves your machine in the process.

Read definition

Keychain (macOS)

macOS's built-in encrypted store for passwords, certificates, and private keys. Xcode and codesign read signing identities from it.

Read definition

.p8 file (auth key)

A PEM-encoded private key file used for two specific Apple authentication flows: App Store Connect API keys and APNs auth keys. Has no expiration and no companion certificate.

Read definition

Code signing certificate

Read definition

Next step

Help articles on this topic

Generate and store CSRs in the HexSign vault

Generate certificate signing requests with private keys encrypted at rest, or upload your own and reuse them across certificates.

4 min readRead article

Upload a private key for a certificate created outside HexSign

Pair a private key with a certificate you originally issued in the Apple Developer portal (or another tool) so HexSign can export .p12 bundles for it.

4 min readRead article

Rotate an expiring signing certificate without breaking releases

A safe sequence for swapping a soon-to-expire certificate for a new one across every dependent provisioning profile.

5 min readRead article

Notice a definition that has drifted? Email support@hexsign.io and we'll update it. Browse the full glossary or jump to the help center.