I am new to iOS app development and am having a difficult time understanding some of the relationships between Certificates, Distributions, Provisioning Profiles, Targets and the entire codesigning process (and really, automatic codesigning).
I have a simple use case and have two types of flows I need to wrangle:
If someone could help me understand what all of these resources (Provisioning Profiles, etc.) are, and what their relationships to one another area, and what their cardinality with respect to Beta Testing and Production flows are, that would be immensely helpful to my overall understanding. If there are certain things that have to be done either in the Apple Developer console (web) or in XCode, please point that out.
Ideally, the answer here would explain to me all the steps I would need to take (either in XCode, Apple Developer console or via command line) to generate all of these resources so that I could accomplish all 3 flows describe above (Local Dev, Beta and Prod). It would also explain how Apple/iOS codesigning works, how automatic codesigning works, and how those steps fit into all 3 flows. Thanks in advance for any-and-all help!
The Signing Certificate represents the developer. It says "Code signed with this certificate was developed by this person or company". For a developer certificate that's usually a person. For a distribution certificate it represents the legally-responsible corporate entity that accepted an agreement with Apple (which may also be a single person).
I am not a Lawyer.
You want to keep all certificates secure, and be extra super careful with the distribution signing certificate as, in my non-lawyer opinion, it kinda embodies the legal contract you have with Apple.
Executable code (including an application) is commonly collected into bundles that have bundle identifiers. They are often of the form "com.someproducer.somesoftware". An application is one kind of executable and is identified by its main bundle's identifier which may also be called its application id (Android has a similar concept and if I recall it IS called the application id).
A Provisioning profile takes a signing certificate (who created this software) one or more bundle identifiers (what software is covered by this profile) and a set of devices (where can this software run) and ties them all together. The provisioning profile usually ends up being embedded inside of the software. In part the profile says says "this software, created by this person, can run on these devices". (it's more complicated than that but that's the general idea)
A "development" profile generally says "this developer can run this software on (essentially) their debugging device". So you can run the application on your phone for debugging, but you could not take the built application and install it on any random device.
When you are testing you can create what is called an "ad hoc" profile. In an ad hoc profile you identify EXACTLY which devices are allowed to run that software. You could collect the device IDs from your group of beta testers, put them on your developer account and then create an ad hoc profile. You use your certificate and that profile to sign an app that you can then send to the owners of those devices. The profile allows that software to run on those devices, and no others. There are strict restrictions on how many devices you can have on your account within a year.
Distribution certificates, and distribution profiles have special properties. Primarily when you sign software with them then send that software to the App Store, the App Store can validate your identity then re-sign and re-provision the app, so that it will run on any device. This is how you put an app into production. You send the app to Apple, the re-provision the app and make it available on the store.
As for how you create all those things, it would take a lot of instruction to go into a Stack Overflow answer and could change. I would start with Apple's documentation on Distribution:
https://developer.apple.com/documentation/xcode/distribution
If you REALLY want to deep dive into profiles, look at:
https://developer.apple.com/documentation/technotes/tn3125-inside-code-signing-provisioning-profiles