Customer-Managed App Signing and Store Submission
Overview
Some customers prefer to retain full control over their app signing credentials and app store submissions due to internal security or compliance policies. In these cases, Pugpig does not require access to your Apple App Store Connect account or Google Play Console, and you will not need to provide an iTunes Connect API key (P8) or Google Play Service Account key for the purposes of build submission. Note that separate API credentials are still required for subscription and receipt validation.
This document outlines how the process works when a customer chooses to manage their own signing and/or app store submissions.
Please note: This approach requires more coordination and will result in longer turnaround times compared to our standard automated build and submission process. We strongly recommend granting Pugpig API-level access where possible — see Automatic build uploads to the app stores.
1. Distribution of Signing Files
Pugpig will require the following signing materials from you in order to produce correctly signed builds. These should be shared via a secure method agreed with your Pugpig project lead (for example, a shared Google Drive folder with restricted access).
iOS
- Distribution certificate (.p12) and password
- Provisioning profile (.mobileprovision)
- Bundle ID
- Any required entitlements (e.g. push notifications, associated domains)
Your distribution certificate (.p12) can be revoked instantly at any time from the Apple Developer Portal, with no impact on your live app. Importantly:
- A distribution certificate grants no access to App Store Connect — these are entirely separate credentials
- Without App Store Connect access, a distribution .p12 cannot be used to upload, publish, or distribute an app in any way
- A distribution certificate is in fact less sensitive than a development certificate, which can be used to sideload apps directly onto devices — a distribution certificate has no such capability
Android
- Upload keystore file and credentials
- Bundle ID (application ID)
When enrolled in Google Play App Signing, Google holds your actual app signing key. The upload keystore you share with Pugpig is a separate credential used only to authenticate builds before Google re-signs them for distribution. Crucially:
- It can be revoked and replaced at any time without affecting your live app
- It cannot be used to access your Google Play Console or account
- It does not grant access to your app's signing key
Signing materials must only be used for the apps contracted and agreed between your organisation and Pugpig. They will not be used for any other purpose.
2. Build Signing
Pugpig will sign the app builds using the files you provide. Builds will be signed to distribution standard, ready for upload to the app stores.
- iOS: A signed .ipa file will be produced.
- Android: A signed .aab file will be produced.
3. Delivery of Signed Builds
Once builds are ready, Pugpig will make them available to you via an agreed delivery method (e.g. a shared Google Drive folder, or upload to customer-provided storage such as a presigned URL endpoint).
After uploading, Pugpig will notify your team that a new build is available.
Please ensure your team is familiar with your internal process for uploading builds to App Store Connect and Google Play Console, as Pugpig will not be performing this step.
4. Pre-Submission Testing
Pugpig will carry out internal QA before delivering a signed build. However, we recommend your team also performs a review of the build prior to store submission, as issues found after submission can result in rejection and require a new build cycle.
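As an added example (not Pugpig's own tooling), the kind of pre-submission check your team can run on a delivered .ipa before uploading it: it confirms the embedded provisioning profile covers the agreed bundle ID, is an App Store profile rather than an ad hoc or enterprise one, is unexpired, and embeds your distribution certificate. The sample .ipa, team ID and certificate bytes are constructed placeholders, and slicing the plist out of the profile is a shortcut that does not verify the profile's CMS signature.

```python
import hashlib, io, plistlib, zipfile
from datetime import datetime, timezone

def profile_plist(mobileprovision: bytes) -> dict:
    """A .mobileprovision is a CMS (DER) signature wrapped around an XML plist; slice the plist out."""
    start = mobileprovision.index(b"<?xml")
    end = mobileprovision.index(b"</plist>") + len(b"</plist>")
    return plistlib.loads(mobileprovision[start:end])

def cert_fingerprint(der: bytes) -> str:
    """SHA-1 fingerprint of a DER certificate, as shown in Keychain Access / the Developer Portal."""
    return hashlib.sha1(der).hexdigest()

def check_ipa(ipa: bytes, bundle_id: str, cert_sha1: str) -> list[str]:
    """Return the problems found in a delivered .ipa; an empty list means it passed."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(ipa)) as z:
        names = [n for n in z.namelist() if n.endswith(".app/embedded.mobileprovision")]
        if len(names) != 1:
            return ["expected exactly one Payload/*.app/embedded.mobileprovision"]
        prof = profile_plist(z.read(names[0]))
        info = plistlib.loads(z.read(names[0].rsplit("/", 1)[0] + "/Info.plist"))
    if info.get("CFBundleIdentifier") != bundle_id:
        problems.append(f"Info.plist bundle id {info.get('CFBundleIdentifier')!r} != {bundle_id!r}")
    app_id = prof.get("Entitlements", {}).get("application-identifier", "")  # TEAMID.bundle.id
    if app_id.split(".", 1)[1:] != [bundle_id]:
        problems.append(f"profile application-identifier {app_id!r} does not cover {bundle_id!r}")
    if "ProvisionedDevices" in prof or prof.get("ProvisionsAllDevices"):
        problems.append("profile is ad hoc or enterprise, not an App Store distribution profile")
    exp = prof.get("ExpirationDate")  # plistlib returns a naive UTC datetime
    if exp is None or exp.replace(tzinfo=timezone.utc) <= datetime.now(timezone.utc):
        problems.append("provisioning profile is expired or has no expiry date")
    if cert_sha1.lower() not in {cert_fingerprint(c) for c in prof.get("DeveloperCertificates", [])}:
        problems.append("profile does not embed the agreed distribution certificate")
    return problems

def make_sample_ipa(bundle_id: str, cert_der: bytes, ad_hoc: bool = False) -> bytes:
    """Constructed stand-in for a delivered .ipa (fake CMS wrapper, placeholder cert, no app code)."""
    profile = {"Entitlements": {"application-identifier": f"TEAMID1234.{bundle_id}"},
               "DeveloperCertificates": [cert_der], "ExpirationDate": datetime(2099, 1, 1)}
    if ad_hoc:
        profile["ProvisionedDevices"] = ["00008030-CONSTRUCTED-UDID"]
    wrapped = b"\x30\x82fake-cms-header" + plistlib.dumps(profile) + b"fake-cms-trailer"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Demo.app/Info.plist", plistlib.dumps({"CFBundleIdentifier": bundle_id}))
        z.writestr("Payload/Demo.app/embedded.mobileprovision", wrapped)
    return buf.getvalue()
```

Compare the fingerprint argument against the certificate you actually handed over, not against whatever the build happens to contain.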
5. App Store Submission
Your team is responsible for:
- Uploading the signed build to App Store Connect / Google Play Console
- Completing or updating app store metadata (description, screenshots, policy information, etc.)
- Submitting the build for review
- Monitoring the review process and handling any rejections
When submitting, please communicate clearly to your Pugpig project lead if any metadata updates are required — for example, new permissions that need updated privacy descriptions.
6. Issue Resolution
If a build is rejected by Apple or Google, or if issues are discovered post-release, please contact your Pugpig project lead. Pugpig will work with you to investigate and, where required, produce a new build.
Please be aware that each build cycle in this model requires manual steps on both sides and may take longer to resolve than under the standard automated process.
7. Compliance
All signing materials shared with Pugpig remain the property of your organisation. Pugpig will not use your signing certificates, keystores, or provisioning profiles for any purpose other than building and signing the agreed application(s).
For questions about this process, please contact your Pugpig project lead or raise a support ticket.