Page tree
Skip to end of metadata
Go to start of metadata

When signing iOS apps, it is helpful to have an understanding of app extensions (including watchOS apps) and entitlements.  Both extensions and entitlements impact the signing process and determine which distribution provisioning profiles you should use when signing.

App Extensions and watchOS Apps

App Extensions

App extensions give users access to an app’s functionality and content throughout iOS. For example, a Today widget extension gets a quick update or performs a quick task in the Today view of the Notification Center, and a Share extension posts to a website or shares content with others.

watchOS Apps

watchOS apps are built for Apple Watch and are embedded in iOS apps. They have two parts:

  • A set of user interface resources that are installed on Apple Watch.
  • An extension that runs on iPhone to provide glances and actionable notifications on Apple Watch.

For more information, see Apple's WatchKit documentation.

App Extensions and Distribution Provisioning Profiles

If your app contains extensions, you need a separate explicit distribution provisioning profile to sign the app and each extension in the app. If your app contains a watchOS app, you also need one distribution provisioning profile for the watchOS app and one for the watchOS app extension.

For example, if your app contains a watchOS App and a Share extension, you need four distribution provisioning profiles to sign the app:

  • App
  • Share extension
  • watchOS App extension
  • watchOS App

Apps with watchOS apps cannot be signed with the Admin Portal. You must use the signing package to sign an app that includes watchOS components. For more information, see Sign an App (Signing Package).

The App ID associated with the provisioning profile should have a suffix that matches the bundle ID of the app or extension that you are signing. Note, however, that if you are signing an app and the App ID and bundle ID do not match, App Management will automatically modify the bundle ID in the app to match the App ID in the provisioning profile. 

If you are using App Management to sign an app that includes extensions, the automatic modification of the bundle ID will work only when you sign with new credentials; signing with new credentials enables you to upload the correct provisioning profile for the app and each of its extensions. If you attempt to use stored credentials to sign an app that has extensions, App Management will not know which provisioning profile to use with each extension unless the bundle IDs and App IDs match. App Management is also able to automatically modify the bundle ID in an app/extension when you use the signing package to sign an app outside of the Portal; the signing package includes a manifest file that lets you specify which provisioning profile to use with the app and each extension.

For instructions on creating an App ID, see Manage App Identifiers. For instructions on signing an app with the signing package, see Sign an App (Signing Package).

While your Apple Developer account may still allow you to create a wildcard App ID and then associate that wildcard App ID with a distribution provisioning profile, you should create an explicit provisioning profile for an app and each extension in the app. Apple is deprecating support for wildcard App IDs and provisioning profiles, and may stop supporting certain functionality with apps that are signed with wildcard profiles. 


An entitlement is a single right granted to an app that gives it additional permissions beyond what it would ordinarily have. There are different terms used when enabling entitlements depending on where you are working:

  • When building an app in Xcode, a developer turns Capabilities ON or OFF to grant entitlements. 

  • When creating an App ID in the Apple Developer Portal, you enable app services to identify the entitlements for the app or apps associated with that App ID. Some app services are enabled by default for an explicit App ID that exactly matches the bundle ID. When you create a distribution provisioning profile, you associate it with an App ID; this is what determines which entitlements (or app services) are enabled in the provisioning profile. 

Entitlements and Distribution Provisioning Profiles

When you sign an app, you need to sign it with a distribution provisioning profile that has app services that match the entitlements built into the app. If the entitlements don't match, users will not be able to install the app on their devices. If the app includes app extensions, each extension must be signed with a different provisioning profile that has the correct entitlements. App Management helps ensure that you sign an app and its extensions (if there are any) with provisioning profiles that have the correct entitlements. When you upload a provisioning profile in the Sign with New Credentials section of the Signing tab, App Management compares the entitlements in the profile with the app/extension. If the entitlements don't match, App Management warns you and clearly identifies what doesn't match. Once you have this level of information, you can follow up on your own or with the appropriate member of your team to generate the necessary provisioning profile(s) from the Apple Dev Portal. 

The entitlements set for the app provide another reason for using explicit versus wildcard provisioning profiles. If an app enables any of the following entitlements, it must be signed with an explicit distribution provisioning profile (not a wildcard distribution provisioning profile):

  • App Group
  • Associated Domains
  • Game Center
  • HealthKit
  • HomeKit
  • Wireless Accessory Configuration
  • In-App Purchase
  • Push Notifications
  • VPN Configuration & Control
  • iCloud with CloudKit