App Signing Guide

Re-sign the ControlFloor iOS apps with your Apple Developer certificate for deployment to your devices.

Why Re-signing Is Needed

ControlFloor includes three iOS applications that run on your devices. Apple requires that all iOS apps be signed with a valid developer certificate that is authorized for the specific devices they will run on. Since ControlFloor ships pre-built binaries, you must re-sign them with your own Apple Developer credentials before deployment.

Requirements

  • Paid Apple Developer Account ($99/year) — Free accounts are limited to one-week signing and a maximum of 2 side-loaded apps per device, which is insufficient for ControlFloor's three apps.
  • Signing Identity — A valid code-signing identity in your macOS Keychain (typically an "Apple Development" or "iPhone Distribution" certificate).
  • Provisioning Profile — A mobile provisioning profile that includes all devices you plan to use. The profile must support app extensions (for VidStream's Broadcast Extension) and XCTest (for CFA Agent).

Important

Many third-party re-signing tools cannot handle apps with extensions or XCTest runners. Use the included sign_all.macos.sh script, which is designed to properly handle all ControlFloor app types.

The iOS Apps

ControlFloor includes three iOS apps, all located in ~/cf/apps/:

AppPurposeNotes
ControlFloorAgent XCTest-based automation agent Runs as an XCTest runner on the device. Handles all automation commands.
vidstream.app Screen capture and video streaming Contains a ReplayKit Broadcast Extension. Requires extension-capable signing.
UIInspector.app Element tree inspection Queries the accessibility hierarchy for element information.

Signing Process

Step 1: Identify your signing identity

Run the signing script without arguments to list available identities:

$ ./apps/Utils/sign_all.macos.sh

This lists your available signing identities. Find the hash of the identity you want to use (e.g., 9CABA8B8B7B6B5B4B3B...).

Step 2: Locate your provisioning profile

The script also lists available provisioning profiles. Choose one that includes all your target devices. Profiles are typically stored in:

~/Library/MobileDevice/Provisioning Profiles/

Step 3: Unlock the keychain

$ security unlock

You'll be prompted for your Mac login password.

Step 4: Set environment variables and sign

$ export CFA_SIGNING_IDENTITY="your-signing-identity-hash" $ export CFA_PROVISIONING_PROFILE="/path/to/your.mobileprovision" $ ./apps/Utils/sign_all.macos.sh ./apps/*.app

Step 5: Verify

Successful output looks like:

=== Signing ./apps/ControlFloorAgent.app === ./apps/ControlFloorAgent.app: replacing existing signature === Signing ./apps/vidstream.app === PlugIns/CF Vidstream Extension.appex: replacing existing signature ./apps/vidstream.app: replacing existing signature === Signing ./apps/UIInspector.app === ./apps/UIInspector.app: replacing existing signature

Provisioning Profile Management

Your provisioning profile must include the UDIDs of all devices you want to use. When you add new devices to your fleet:

  1. Add the device UDID to your Apple Developer account
  2. Regenerate your provisioning profile to include the new device
  3. Download the updated profile
  4. Re-run the signing process with the new profile

When to Re-sign

  • Adding new devices — When new devices are added to your provisioning profile
  • ControlFloor updates — When you update the ControlFloor iOS apps to a new version
  • Certificate renewal — When your Apple Developer certificate is renewed
  • Profile expiration — When your provisioning profile expires (typically annually)

Troubleshooting

Error: "No signing identity found"

Ensure your Apple Developer certificate is installed in the macOS Keychain. Open Keychain Access and verify the certificate is present and not expired.

Error: "Provisioning profile does not match"

The provisioning profile must match the signing identity. Both should be from the same Apple Developer account. Regenerate the profile if needed.

App won't install on device

Verify the device UDID is included in the provisioning profile. Check that Developer Mode is enabled on the device (iOS 16+). Trust the developer certificate on the device (Settings → General → VPN & Device Management).