Code Signing
// Definition
The process of cryptographically signing a mobile application bundle (IPA for iOS, APK/AAB for Android) with a certificate and provisioning profile before it can be installed on a device or distributed through an app store. On iOS, code signing is enforced strictly by Apple: apps must be signed with a developer or distribution certificate issued from an Apple Developer account, paired with a provisioning profile that lists permitted device UUIDs (for development) or targets the App Store or Enterprise distribution. On Android, signing uses a keystore file and is enforced at install time — unsigned APKs are rejected. Code signing is one of the most common pain points in mobile CI/CD pipelines: certificates expire, provisioning profiles drift out of sync with registered devices, and private keys must be stored securely without being committed to source control. Best practices include using a secrets manager for the keystore or P12 file, and automating certificate rotation.
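A CI guard for the point above that keystores and P12 files must not be committed to source control. This is an added example, not part of the original glossary entry: it flags signing key material by file content first (so a renamed keystore is still caught) and by extension second. The extension list, the file names and the header-only sample bytes are constructed assumptions.

```python
import os
import tempfile

MAGIC = {b"\xfe\xed\xfe\xed": "Java keystore (JKS)",
         b"\xce\xce\xce\xce": "Java keystore (JCEKS)"}
SUSPECT_EXT = {".p12", ".pfx", ".jks", ".keystore"}  # assumed list

def classify(path):
    """Return why a file looks like signing key material, or None."""
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if head[:4] in MAGIC:
        return MAGIC[head[:4]]
    # PKCS#12 is a DER SEQUENCE whose first field is INTEGER 3 (the version).
    if head[:1] == b"\x30" and b"\x02\x01\x03" in head[1:8]:
        return "PKCS#12 bundle (P12/PFX)"
    if b"-----BEGIN" in head and b"PRIVATE KEY-----" in head:
        return "PEM private key"
    ext = os.path.splitext(path)[1].lower()
    return f"extension {ext}" if ext in SUSPECT_EXT else None

def scan(root):
    """Walk a checkout (skipping .git) and map relative path -> reason."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if (reason := classify(full)):
                findings[os.path.relpath(full, root)] = reason
    return findings

def build_sample_tree(root):
    """Constructed sample checkout: header bytes only, no real keys."""
    samples = {
        "app/release.bin": b"\xfe\xed\xfe\xed\x00\x00\x00\x02" + b"\x00" * 16,
        "ios/dist.p12": b"\x30\x82\x0a\x00\x02\x01\x03\x30\x82",
        "ci/deploy.txt": b"-----BEGIN RSA PRIVATE KEY-----\nAAAA\n",
        "README.md": b"# build instructions\n",
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(scan(tmp))
```

In a pipeline, fail the job when `scan()` returns a non-empty result; the DER check is a heuristic and can match other ASN.1 files, so treat hits as items to review.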
// Related terms
CI (Continuous Integration)
The practice of merging every developer's working copy into a shared branch multiple times a day, with automated builds and tests running on each merge. The goal is to detect integration failures when they're small and cheap to fix, rather than at the end of a release cycle. CI is the foundation of modern delivery pipelines — tests that don't run in CI effectively don't exist.
Artifact
The output of a build step — a JAR, binary, container image, or bundle — that is promoted through pipeline stages and ultimately deployed.