Expiry triage · access matrix · portal + Xcode runbook · twenty-minute acceptance
Teams that rent an Apple Silicon Mac by the hour often discover signing pain only when something is already red: Xcode says Signing certificate is invalid, Archive refuses to start, or TestFlight uploads fail with profile errors while the lease clock keeps running. Renewal is not one button—it is a chain across Apple Developer, local Keychain, provisioning profiles, and sometimes Fastlane Match on a machine you may not own tomorrow. This guide separates certificate expiry from profile expiry, lists five failure modes that waste lease hours, gives an SSH versus VNC decision matrix you can paste into runbooks, walks an eight-step renewal path with triage tables, adds four quotable facts for change tickets, and closes with a twenty-minute same-user VNC checklist before you ship again. Cross-links: Fastlane Match SSH/VNC matrix, first external TestFlight checklist, Organizer vs Transporter upload matrix, thirty-minute first-use checklist, and clock skew vs certificate errors.
Apple treats code signing certificates (identity in Keychain) and provisioning profiles (entitlements bundle tied to App ID, devices, and distribution type) as separate objects with separate expiry dates. Renewing only one leaves Archive broken. On a cloud Mac you also fight session state: the certificate may be valid in the portal while the rented node still holds yesterday’s profile in ~/Library/MobileDevice/Provisioning Profiles.
Development certificates typically last about one year; distribution certificates follow the same pattern but gate App Store and TestFlight exports. Profiles expire on their own schedule—often annually—and must be regenerated when capabilities, devices, or the backing certificate changes. If you use automatic signing, Xcode may hide the distinction until Organizer fails; manual signing teams see red rows immediately.
On hourly leases, these patterns burn money without moving the build forward:

- Portal-only fix: someone creates a new cert in Safari on a laptop but never imports it on the billed Mac, so SSH builds still codesign with the expired identity.
- Split users: VNC debugging as admin while CI SSH runs as builder; Keychain shows valid certs for one UID only.
- Headless Match loops: match or sigh hangs waiting for “Always Allow” on private key access—misread as Git or bundler slowness.
- Premature revocation: revoking the old distribution certificate to “clean up” before every node and Match branch holds the replacement, causing mass signing failure.
- Teardown before proof: the node is destroyed right after a green Archive locally, but no one captured profile UUID, cert fingerprint, or ASC build row for audit.
If renewal is urgent because production is blocked, pair this section with the no-Mac emergency runbook for lease scope, then return here for signing hygiene. For Apple ID and two-factor friction during renewal, see the visual ASC login guide.
Tag tickets with ssh-ok, vnc-once, or vnc-required before you open a session. Renewal touches more GUI surfaces than a pure upload job because Keychain and Xcode Accounts are involved.
| Task | Recommended access | Typical failure signal | Common misread |
|---|---|---|---|
| Create CSR and download new cert (.cer) | VNC or local Mac + secure copy to node | CSR created on wrong Mac | Reuse old CSR after revocation |
| Double-click install cert into login Keychain | VNC (same user as builds) | Cert visible in portal, not in security find-identity | Import into System keychain only |
| Regenerate provisioning profile in Developer portal | SSH OK (browser in VNC often easier) | Profile shows expired in Xcode | Only refresh cert, not profile |
| Xcode → Settings → Accounts → Download Manual Profiles | VNC | Yellow warning on team | Delete DerivedData only |
| Toggle capabilities / App ID change | VNC + portal | Profile missing entitlement | Blame CocoaPods |
| Fastlane Match match / match nuke | VNC for first unlock; SSH after primed | Hang at codesign prompt | Rotate API key randomly |
| Archive + validate signing | VNC until green Archive | No signing certificate found | Upgrade Xcode patch first |
| Upload after renewal | See upload matrix | Invalid signature on ASC | Re-upload without new profile |
Rule of thumb: if the second failure mentions Keychain, trust, or “requires a development team,” stop SSH retries and open same-user VNC—another hour of lease without GUI rarely costs less than one focused graphical session.
Execute in order on the same macOS user that will Archive. Skipping Keychain import after portal work is the most common renewal mistake on rented Macs.

1. Inventory before change: In VNC, open Xcode → target → Signing & Capabilities. Note team, bundle ID, profile name, and whether signing is automatic or manual. In Terminal run `security find-identity -v -p codesigning` and save the output to the ticket.
2. Confirm expiry in Apple Developer: Certificates → identify Development vs Apple Distribution rows. Profiles → locate the active App Store or Ad Hoc profile for your bundle ID. If the cert expires within your release window, plan rotation—not day-of panic.
3. Create or renew the certificate: Use Keychain Access on the rented Mac to generate a Certificate Signing Request, upload it to the portal, download the .cer, double-click to install under the login keychain, and confirm the private key appears paired with the certificate entry.
4. Regenerate the provisioning profile: Edit the profile in the portal (or let automatic signing recreate it). Download the new .mobileprovision or use Xcode Download Manual Profiles. Delete stale local copies if Xcode keeps picking an old UUID.
5. Align Match or CI (if used): Run your documented lane—often `bundle exec fastlane match appstore` or the development variant—with readonly off only when intentional. Follow the Match matrix for VNC timing. Commit encrypted repo changes before inviting other machines to pull.
6. Clean signing smoke: Product → Clean Build Folder, then build for a physical device or Any iOS Device. Resolve “requires a provisioning profile” before attempting Archive.
7. Archive and local validate: Window → Organizer → Archive → Validate App. Capture screenshots or logs if validation fails; map errors to cert vs profile using the table below.
8. Hand off to shipping: Once signing is green, proceed with Organizer or Transporter and TestFlight acceptance. Store the cert fingerprint and profile UUID in the release notes.
| Symptom | Likely layer | First action on cloud Mac |
|---|---|---|
| Signing certificate is invalid | Certificate / Keychain | Re-import .cer; check paired private key; verify clock (NTP runbook) |
| Provisioning profile expired | Profile | Regenerate in portal; Download Manual Profiles in Xcode |
| No profiles for team matching | Team / bundle mismatch | Confirm ASC team ID matches Xcode Accounts selection |
| Match decrypt or git errors | Secrets / repo | Verify passphrase and deploy key on node; do not nuke without escalation |
| Archive OK, upload fails signature | Export method / profile type | Ensure App Store profile on Release archive, not development export |
```shell
# Same-user checks before and after renewal (SSH or VNC terminal)
xcodebuild -version
security find-identity -v -p codesigning | head -n 20
ls -lt ~/Library/MobileDevice/Provisioning\ Profiles | head -n 8
```
Note: If you are new to the rented node, run the thirty-minute first-use checklist before renewal so Xcode CLT, licenses, and VNC user parity are already green.
Development renewals unblock day-to-day debugging on registered devices. You need a valid development certificate, a development profile that includes those device UDIDs, and Xcode trusting the team. Teams that only test on simulator may postpone device profile work—but Archive for TestFlight always needs distribution assets.
Distribution renewals gate App Store Connect uploads. After rotating distribution certs, every Mac and CI worker that signs release builds must import the new identity. If you use Match, the encrypted Git repo should become the broadcast mechanism; if you manually manage profiles, expect to touch each node before the next release train.
Capability changes—Push, App Groups, Associated Domains—require both an App ID update and a profile regeneration. Doing this under SSH without portal visibility often fails silently until VNC shows the capability checkbox mismatch. For a broader signing primer on rented hardware, see code signing on a remote Mac and Xcode 26.3 signing with VNC.
When you renew during a node migration or lease extension, export signing evidence before teardown: Keychain export policy permitting, Match passphrase escrow, and profile UUID list. The renewal and migration checklist prevents “valid in portal, missing on the new Mac” repeats.
| Check | Action | Pass criteria |
|---|---|---|
| User parity | VNC user equals SSH whoami | Single UID owns Keychain identities |
| Cert in Keychain | security find-identity shows Apple Distribution (or Development) | Valid cert with private key, not expired |
| Profile freshness | Xcode Signing row or latest .mobileprovision | UUID matches portal; expiry beyond ship date |
| Team login | Xcode Accounts without yellow badge | Correct team selected on target |
| Archive validate | Organizer Validate App succeeds | No signing or entitlement errors in log |
| Upload smoke (optional) | TestFlight internal build or dry-run upload | ASC shows processing or clear compliance message |
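The acceptance rows above (user parity, cert in Keychain, profile freshness) and step 8's evidence capture, scripted as an added example that is not part of the original runbook. It assumes three ticket values you supply (`SHIP_DATE`, `VNC_USER`, and the newest `.mobileprovision` in Xcode's profile directory); the `security find-identity` listing and the decoded profile plist embedded in the block are constructed to mimic real output so the parsers can be exercised off the Mac. Run it with no arguments to see the checks on the sample data, or with `--live` on the rented node to run them against the real Keychain.

```shell
#!/bin/sh
# Added example (not from the original page): same-user signing acceptance
# checks plus evidence capture after a certificate/profile renewal.
# Assumptions: SHIP_DATE, VNC_USER and the profile path come from the ticket;
# SAMPLE_IDENTITIES and SAMPLE_PROFILE below are constructed, not real data.

SHIP_DATE="${SHIP_DATE:-2025-11-15}"   # planned release day, YYYY-MM-DD (assumed)
VNC_USER="${VNC_USER:-builder}"        # user who imported the .cer over VNC (assumed)

# Check 1, user parity: the UID that imported the .cer must be the one that archives.
same_user() { [ "$1" = "$2" ]; }

# Check 2, cert in Keychain: print "<sha1> <name>" for every VALID identity whose
# name starts with $1 (e.g. "Apple Distribution"). Reads `security find-identity`
# output on stdin; rows flagged CSSMERR_* (expired/revoked) are dropped, and a
# row listed in both the "Matching" and "Valid" sections is printed once.
valid_identities_named() {
  grep -E '^ *[0-9]+\) [0-9A-F]{40} "' \
    | grep -v 'CSSMERR' \
    | sed -E 's/^ *[0-9]+\) ([0-9A-F]{40}) "([^"]*)".*/\1 \2/' \
    | grep "^[0-9A-F]* $1" \
    | sort -u
}

# Check 3, profile freshness: pull one scalar (<string>, <date> or <integer>) for
# key $1 from the XML that `security cms -D -i x.mobileprovision` prints.
# Prints nothing when the key is absent or is an <array>, so callers can test -z.
plist_value() {
  tr -d '\n' | sed -nE "s/.*<key>$1<\/key>[[:space:]]*<(string|date|integer)>([^<]*)<\/[a-z]+>.*/\2/p"
}

# Returns 0 only if the expiry day (YYYY-MM-DD prefix of an ISO date) is strictly
# after the ship day; a profile that dies on ship day is treated as stale.
expires_after() {
  exp_day=$(printf '%s' "$1" | cut -c1-10)
  awk -v e="$exp_day" -v s="$2" 'BEGIN { exit !(e > s) }'
}

# Step 8 evidence: one line per ticket with cert fingerprint and profile identity.
# $1 = "<sha1> <name>" from valid_identities_named, $2 = decoded profile XML.
evidence_line() {
  uuid=$(printf '%s' "$2" | plist_value UUID)
  name=$(printf '%s' "$2" | plist_value Name)
  exp=$(printf '%s' "$2" | plist_value ExpirationDate)
  team=$(printf '%s' "$2" | plist_value TeamName)
  printf 'cert=%s profile=%s uuid=%s team=%s expires=%s\n' "${1%% *}" "$name" "$uuid" "$team" "$exp"
}

# One PASS/FAIL line per acceptance row; returns 0 only when every row passes.
# $1 = find-identity output, $2 = decoded profile XML, $3 = shell user name.
acceptance_report() {
  ids="$1"; profile="$2"; current_user="$3"; rc=0
  if same_user "$VNC_USER" "$current_user"; then echo "PASS user parity ($current_user)"
  else echo "FAIL user parity: VNC=$VNC_USER shell=$current_user"; rc=1; fi
  dist=$(printf '%s\n' "$ids" | valid_identities_named "Apple Distribution")
  if [ -n "$dist" ]; then echo "PASS cert in Keychain: $dist"
  else echo "FAIL no valid Apple Distribution identity for this user"; rc=1; fi
  exp=$(printf '%s' "$profile" | plist_value ExpirationDate)
  if [ -n "$exp" ] && expires_after "$exp" "$SHIP_DATE"; then echo "PASS profile expires $exp, ship $SHIP_DATE"
  else echo "FAIL profile expires '$exp', not beyond $SHIP_DATE"; rc=1; fi
  [ -n "$dist" ] && echo "EVIDENCE $(evidence_line "$dist" "$profile")"
  return $rc
}

# Constructed sample of `security find-identity -p codesigning` (both sections):
# the old Development identity is still in the login Keychain but expired.
SAMPLE_IDENTITIES='Policy: Code Signing
  Matching identities
  1) 0123456789ABCDEF0123456789ABCDEF01234567 "Apple Development: Jane Builder (ABCDE12345)" (CSSMERR_TP_CERT_EXPIRED)
  2) FEDCBA9876543210FEDCBA9876543210FEDCBA98 "Apple Distribution: Example Corp (ABCDE12345)"
     2 identities found

  Valid identities only
  1) FEDCBA9876543210FEDCBA9876543210FEDCBA98 "Apple Distribution: Example Corp (ABCDE12345)"
     1 valid identities found'

# Constructed decoded .mobileprovision plist, trimmed to the keys the checks read.
SAMPLE_PROFILE='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Name</key><string>Example App Store</string>
  <key>TeamName</key><string>Example Corp</string>
  <key>TeamIdentifier</key><array><string>ABCDE12345</string></array>
  <key>UUID</key><string>11111111-2222-3333-4444-555555555555</string>
  <key>ExpirationDate</key><date>2026-03-01T00:00:00Z</date>
</dict></plist>'

# Live mode (macOS tools only): real Keychain plus the newest installed profile.
run_live() {
  dir="$HOME/Library/MobileDevice/Provisioning Profiles"
  newest=$(ls -t "$dir"/*.mobileprovision 2>/dev/null | head -n 1)
  acceptance_report "$(security find-identity -p codesigning)" \
                    "$(security cms -D -i "$newest")" "$(id -un)"
}

case "${1:-}" in
  --live) run_live ;;
  *)      acceptance_report "$SAMPLE_IDENTITIES" "$SAMPLE_PROFILE" "$VNC_USER" ;;
esac
```

Run it from the same shell user that will Archive; a parity failure means the VNC import landed in a different login Keychain, which is the "split users" pattern, and an empty Distribution row with a valid portal cert is the "portal-only fix" pattern. The `EVIDENCE` line is what goes into the release notes before teardown.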
For pipeline-oriented teams, after manual renewal on the Mac aligns Match, wire CI using the same user or documented import steps—see Fastlane TestFlight on a remote Mac so the next automated build does not regress on a fresh node.
CLI lanes can refresh files after credentials exist, but CSR creation, .cer import, Keychain trust, and Xcode Accounts need a graphical session for the same user. Use SSH for scripted profile fetch only after VNC priming.
They are independent. Verify both in Apple Developer and in Xcode. A fresh cert with a stale profile still fails Archive; a renewed profile on a revoked cert fails codesign.
Only during a planned rotation when every Mac, CI host, and Match branch already holds the replacement. Emergency revocation on a short lease amplifies downtime.
Plan twenty minutes minimum for portal work, Keychain import, Archive validate, and evidence capture. Add time for Match mutations, capability changes, or clock fixes.
Certificate and profile renewal is where Apple’s web console, local Keychain trust, and Xcode’s idea of your team must agree on a machine that bills by the hour. SSH-only habits work for repeat uploads after trust exists; they break down when expiry forces new CSRs, private key pairing, or Account repair—tasks that hide behind “signing failed” summaries in CI logs.
Owning a Mac removes rental pressure but introduces hardware sleep, single-desk Keychain drift, and no clean-room nodes when a compromised cert must be rotated under audit. A leased remote Mac with VNC is not a luxury overlay; it is how you reproduce Apple’s expected graphical consent flows without buying another workstation for each contractor.
When you need a dedicated Apple Silicon host to renew signing assets and validate an Archive in one session, use VNCMac: open the deploy card below or the English purchase page, then run section five’s checklist before you invite TestFlight testers again.