How and when to renew expiring provisioning profile?

Hi everyone,

I maintain an app that is developed and distributed with an Apple Developer Enterprise subscription and delivered via my institution’s private site, where users download the .ipa file after logging in. From what I see, we use automatic signing in Xcode where possible.

On the 1st of January 2024, the provisioning profile expired, and the developer before me had to rush to renew it because the app stopped working.

Now, I have some questions about how to prevent this from happening again:

  1. When should I renew the provisioning profile?
  2. Can I renew it before the expiration without blocking the current app version that users have already downloaded?
  3. How do I renew it? If I need to download a certificate, does it need to be converted into a different format?
  4. Do we need to build a new .ipa file that users will have to download before the expiration date?

Here is a screenshot for clarity and as a guide:

I wasn't sure I should answer, since we don't use automatic signing, but since you haven't gotten any other responses, I'll take a stab at it.

In general, distribution certificates are good for 3 years, and distribution profiles are good for 1 year. A profile must refer to a certificate. So if a certificate expires less than one year after the profile is created/updated, the profile should be assigned a certificate with a later expiration date. Traditionally, Enterprise Developer accounts could have 2 certificates, so you could let them "overlap" a little. In other words, manually create a new certificate when there is a little over a year left on the other one. I don't know if the limit now is 2 manual certificates plus whatever certificates Xcode automatic signing creates (indicated by "Managed" at the end of the certificate type) or 2 certificates total.

From Googling various things like "Xcode automatic signing" and "apple rotate distribution certificates", it sounds like the system will update and/or create new profiles and certificates when the existing ones are getting close to expiring, but it only happens when you actually request that Xcode sign something. So if you recompile and archive your app, the automatic signing would do what is necessary with the profile and certificate.

Based on my experience with manually managing enterprise profiles and certificates, if the profile is renewed and it is able to use the same distribution certificate (with the same expiration date) as last year, existing installs do not stop working until the expiration date of the "old" profile. I try to get users to install the new ipa (archived with the new profile) before then, but inevitably there are a few that call or email after that date wondering why the app doesn't work :).

However, I couldn't find a definitive answer to the question "For an enterprise account, if the automatic signing system creates a new certificate, does it revoke the old one, which would cause all installations of the app that used the old profile (with the old certificate) to stop working?".

As I said, this doesn't give you a definitive answer, but since no one else responded yet, maybe it will help?
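A way to track the dates discussed in this thread, as an added example that is not part of the original posts: it reads `ExpirationDate` from the plist embedded in a `.mobileprovision` file and compares it with the signing certificate's expiry date. The function names, the 60-day lead time, the rule that an install lasts until the earlier of the two dates, and the sample profile are assumptions constructed for illustration; the certificate date is passed in by hand (for example, as shown in Keychain Access).

```python
import plistlib
from datetime import datetime, timedelta

def read_profile(blob: bytes) -> dict:
    """Extract the XML plist carried inside a .mobileprovision (CMS) file."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def renewal_report(profile: dict, cert_not_after: datetime,
                   today: datetime, lead_days: int = 60) -> dict:
    """Summarise when the profile and its certificate need attention.

    lead_days is an assumed margin for shipping a rebuilt .ipa to users.
    """
    # Assumption: installed builds work until the earlier of the two dates.
    effective = min(profile["ExpirationDate"], cert_not_after)
    # Per the answer above, a regenerated profile is good for about one year;
    # a certificate expiring sooner than that should be replaced first.
    renewed_until = today + timedelta(days=365)
    return {
        "name": profile.get("Name"),
        "effective_expiry": effective,
        "days_left": (effective - today).days,
        "renew_now": effective - today <= timedelta(days=lead_days),
        "need_new_certificate": cert_not_after < renewed_until,
    }

# Constructed sample: plist bytes wrapped in filler standing in for the
# CMS signature envelope of a real profile.
SAMPLE_PROFILE = b"\x30\x82CMS-HEADER" + plistlib.dumps({
    "Name": "Example In-House Profile",        # constructed value
    "ExpirationDate": datetime(2025, 1, 1),    # constructed value
}) + b"CMS-TRAILER"

if __name__ == "__main__":
    report = renewal_report(read_profile(SAMPLE_PROFILE),
                            cert_not_after=datetime(2025, 6, 1),
                            today=datetime(2024, 11, 15))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the `embedded.mobileprovision` inside the shipped `.ipa` on a schedule, this gives a reminder well before the date on which installed copies stop launching.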
