back
loading skill details...
Set up bundle IDs, capabilities, signing certificates, provisioning profiles, and encrypted signing sync with the asc cli. Use when onboarding a new app,…
asc signing setup
Use this skill when you need to create or renew signing assets for iOS/macOS apps.
Preconditions
Auth is configured (asc auth login or ASC_* env vars).
You know the bundle identifier and target platform.
You have a CSR file for certificate creation, or you will let asc certificates create --generate-csr create one.
Workflow
Create or find the bundle ID:
asc bundle-ids list --paginate
asc bundle-ids create --identifier "com.example.app" --name "Example" --platform IOS
Configure bundle ID capabilities:
asc bundle-ids capabilities list --bundle "BUNDLE_ID"
asc bundle-ids capabilities add --bundle "BUNDLE_ID" --capability ICLOUD
Add capability settings when required:
--settings '[{"key":"ICLOUD_VERSION","options":[{"key":"XCODE_13","enabled":true}]}]'
Create a signing certificate:
asc certificates list --certificate-type IOS_DISTRIBUTION
asc certificates create --certificate-type IOS_DISTRIBUTION --csr "./cert.csr"
Or generate a key and CSR inline:
asc certificates create --certificate-type IOS_DISTRIBUTION --generate-csr --key-out "./signing/dist.key" --csr-out "./signing/dist.csr"
Create a provisioning profile:
asc profiles create --name "AppStore Profile" --profile-type IOS_APP_STORE --bundle "BUNDLE_ID" --certificate "CERT_ID"
Include devices for development/ad-hoc:
asc profiles create --name "Dev Profile" --profile-type IOS_APP_DEVELOPMENT --bundle "BUNDLE_ID" --certificate "CERT_ID" --device "DEVICE_ID"
Download the profile:
asc profiles download --id "PROFILE_ID" --output "./profiles/AppStore.mobileprovision"
Inspect and install the downloaded profile locally when needed:
asc profiles inspect --path "./profiles/AppStore.mobileprovision" --output table
asc profiles inspect --path "./profiles/AppStore.mobileprovision" --entitlements --output markdown
asc profiles local install --path "./profiles/AppStore.mobileprovision"
asc profiles local list --output table
Rotation and cleanup
Revoke old certificates:
asc certificates revoke --id "CERT_ID" --confirm
Audit remote provisioning profiles before deleting or rotating:
asc profiles list --profile-state ACTIVE,INVALID --paginate --output json
Apple profileState is not a complete expiration signal: some profiles can have a past expirationDate while still reporting ACTIVE. For true expired-profile audits, compare expirationDate against the current date instead of relying only on INVALID.
Delete old profiles:
asc profiles delete --id "PROFILE_ID" --confirm
Clean local Xcode provisioning profiles:
asc profiles local clean --expired --dry-run
asc profiles local clean --expired --confirm
Shared team storage with asc signing sync
Use this when you want a lightweight, non-interactive alternative to fastlane match for encrypted git-backed certificate/profile storage.
# Push current ASC signing assets into an encrypted git repo
asc signing sync push \
--bundle-id "com.example.app" \
--profile-type IOS_APP_STORE \
--repo "git@github.com:team/certs.git" \
--password "$MATCH_PASSWORD"
# Pull and decrypt them into a local directory
asc signing sync pull \
--repo "git@github.com:team/certs.git" \
--password "$MATCH_PASSWORD" \
--output-dir "./signing"
Notes:
--password falls back to ASC_MATCH_PASSWORD.
The encrypted repo follows a familiar match-style git layout for certs and profiles.
pull writes files to disk; keychain import or profile installation is a separate step.
Notes
Always check --help for the exact enum values (certificate types, profile types).
Use --paginate for large accounts.
--certificate accepts comma-separated IDs when multiple certificates are required.
Device management uses asc devices commands (UDID required).
asc profiles inspect and asc profiles local ... operate on local disk state, not App Store Connect API resources.don't have the plugin yet? install it then click "run inline in claude" again.