Asc Signing Setup
Onboard a new iOS or macOS app, rotate distribution certificates, and sync encrypted signing assets across teammates with the asc CLI.
Overview
asc-signing-setup is an agent skill for the Ship phase that configures bundle IDs, capabilities, certificates, and provisioning profiles using the asc CLI for iOS and macOS releases.
Install
npx skills add https://github.com/rorkai/app-store-connect-cli-skills --skill asc-signing-setupWhat is this skill?
- End-to-end asc CLI workflow: list/create bundle IDs, attach capabilities (e.g. iCloud) with required settings JSON
- Distribution certificate creation from an existing CSR or inline --generate-csr with key and CSR outputs
- Provisioning profile steps aligned with bundle ID + certificate pairing for iOS/macOS targets
- Team onboarding pattern when rotating or sharing signing assets via encrypted signing sync
- Explicit preconditions: asc auth, known bundle identifier, and CSR readiness before creating certificates
- 4-step workflow covering bundle IDs, capabilities, certificates, and provisioning
Adoption & trust: 658 installs on skills.sh; 845 GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
You need Apple signing assets for a new or rotating app but manual portal steps and scattered CSR files slow down your agent-assisted release pipeline.
Who is it for?
Indie iOS/macOS developers standardizing signing setup through asc with agent-run checklists before first TestFlight or store upload.
Skip if: Teams that only use Xcode automatic signing with no asc CLI, or Android-only shipping with no Apple Developer account.
When should I use this skill?
Set up bundle IDs, capabilities, signing certificates, provisioning profiles, or encrypted signing sync with the asc cli when onboarding a new app, rotating signing assets, or sharing them across a team.
What do I get? / Deliverables
After following the workflow you have a configured bundle ID with capabilities, a matching distribution certificate, and provisioning profiles ready for local builds, CI, or encrypted team sync.
- Configured bundle ID with required capabilities
- Distribution signing certificate and associated provisioning profile paths
- Documented asc command sequence suitable for CI or encrypted team sync
Recommended Skills
Journey fit
Signing and provisioning are the last mile before TestFlight or App Store submission—canonical shelf is Ship because the work gates whether builds are installable on devices and uploadable to Apple. Launch prep under Ship covers bundle IDs, capabilities, certificates, and profiles—the concrete checklist Apple expects before you cut a release build.
How it compares
Use instead of unstructured “open Apple Developer and click around” sessions when you want repeatable asc commands an agent can execute and audit.
Common Questions / FAQ
Who is asc-signing-setup for?
Solo builders and small teams shipping native Apple apps who use the asc CLI and want their coding agent to run a documented signing onboarding or rotation workflow.
When should I use asc-signing-setup?
Use it in Ship when onboarding a new bundle ID, renewing distribution certificates, adding capabilities like iCloud, or sharing encrypted signing assets across collaborators before launch.
Is asc-signing-setup safe to install?
Treat it as operational guidance that touches certificates and keys—review the Security Audits panel on this Prism page and never paste private keys into untrusted chats; run asc locally with your own ASC credentials.
SKILL.md
READMESKILL.md - Asc Signing Setup
# asc signing setup Use this skill when you need to create or renew signing assets for iOS/macOS apps. ## Preconditions - Auth is configured (`asc auth login` or `ASC_*` env vars). - You know the bundle identifier and target platform. - You have a CSR file for certificate creation, or you will let `asc certificates create --generate-csr` create one. ## Workflow 1. Create or find the bundle ID: - `asc bundle-ids list --paginate` - `asc bundle-ids create --identifier "com.example.app" --name "Example" --platform IOS` 2. Configure bundle ID capabilities: - `asc bundle-ids capabilities list --bundle "BUNDLE_ID"` - `asc bundle-ids capabilities add --bundle "BUNDLE_ID" --capability ICLOUD` - Add capability settings when required: - `--settings '[{"key":"ICLOUD_VERSION","options":[{"key":"XCODE_13","enabled":true}]}]'` 3. Create a signing certificate: - `asc certificates list --certificate-type IOS_DISTRIBUTION` - `asc certificates create --certificate-type IOS_DISTRIBUTION --csr "./cert.csr"` - Or generate a key and CSR inline: - `asc certificates create --certificate-type IOS_DISTRIBUTION --generate-csr --key-out "./signing/dist.key" --csr-out "./signing/dist.csr"` 4. Create a provisioning profile: - `asc profiles create --name "AppStore Profile" --profile-type IOS_APP_STORE --bundle "BUNDLE_ID" --certificate "CERT_ID"` - Include devices for development/ad-hoc: - `asc profiles create --name "Dev Profile" --profile-type IOS_APP_DEVELOPMENT --bundle "BUNDLE_ID" --certificate "CERT_ID" --device "DEVICE_ID"` 5. Download the profile: - `asc profiles download --id "PROFILE_ID" --output "./profiles/AppStore.mobileprovision"` 6. Inspect and install the downloaded profile locally when needed: - `asc profiles inspect --path "./profiles/AppStore.mobileprovision" --output table` - `asc profiles inspect --path "./profiles/AppStore.mobileprovision" --entitlements --output markdown` - `asc profiles local install --path "./profiles/AppStore.mobileprovision"` - `asc profiles local list --output table` ## Rotation and cleanup - Revoke old certificates: - `asc certificates revoke --id "CERT_ID" --confirm` - Audit remote provisioning profiles before deleting or rotating: - `asc profiles list --profile-state ACTIVE,INVALID --paginate --output json` - Apple `profileState` is not a complete expiration signal: some profiles can have a past `expirationDate` while still reporting `ACTIVE`. For true expired-profile audits, compare `expirationDate` against the current date instead of relying only on `INVALID`. - Delete old profiles: - `asc profiles delete --id "PROFILE_ID" --confirm` - Clean local Xcode provisioning profiles: - `asc profiles local clean --expired --dry-run` - `asc profiles local clean --expired --confirm` ## Shared team storage with `asc signing sync` Use this when you want a lightweight, non-interactive alternative to fastlane match for encrypted git-backed certificate/profile storage. ```bash # Push current ASC signing assets into an encrypted git repo asc signing sync push \ --bundle-id "com.example.app" \ --profile-type IOS_APP_STORE \ --repo "git@github.com:team/certs.git" \ --password "$MATCH_PASSWORD" # Pull and decrypt them into a local directory asc signing sync pull \ --repo "git@github.com:team/certs.git" \ --password "$MATCH_PASSWORD" \ --output-dir "./signing" ``` Notes: - `--password` falls back to `ASC_MATCH_PASSWORD`. - The encrypted repo follows a familiar match-style git layout for certs and profiles. - `pull` writes files to disk; keychain import or profile installation is a separate step. ## Notes - Always check `--help` for the exact enum values (certificate types, profile type