If AltStore stops mid-install with a red message about an invalid code signature, the failure almost always traces to the re-signing step that runs on your Mac, not to anything wrong with the IPA itself. AltStore Classic wraps every install with a free Apple ID developer certificate that expires after seven days, and four specific conditions break that signature in predictable ways.
Short answer
An invalid code signature in AltStore usually means one of four things: the free Apple ID certificate was revoked or expired, the IPA carries more than three App Groups, AltServer dropped its connection mid-install, or the system clock on your Mac drifted away from your iPhone. The fastest fix is to delete the certificate from your Apple ID portal, then refresh AltStore once before retrying the install, per the AltStore FAQ on signing.
What you should know
- AltStore re-signs every IPA at install time. The IPA gets wrapped with your personal Apple ID developer cert by AltServer running on your Mac, then transferred over the local network to your iPhone.
- Free Apple IDs receive a seven-day certificate. Per Apple's Developer Account Help on personal teams, free accounts can sign apps for personal use only, and the certificate expires after seven days.
- Paid memberships get a one-year certificate. A 99 USD per year Apple Developer Program account removes the seven-day refresh cycle and the three-app sideload limit.
- iOS validates entitlements at first launch. Apple's documentation on code signing describes how the kernel checks the embedded provisioning profile against the binary before letting it execute.
- Most signing failures look identical from the outside. AltStore surfaces a generic invalid signature message whether the certificate is revoked, the entitlements file is malformed, or the binary itself is corrupted.
- AltServer needs Bonjour open on the LAN. AltStore on the device pairs with AltServer over mDNS, and firewalls that block UDP port 5353 break the install pipeline silently.
- Device Management trust is a separate step. Once the signed IPA installs, you still navigate to Settings, General, VPN and Device Management, and tap Trust on your Apple ID before the binary will run.
What does AltStore actually do when you tap install?
AltStore is not a normal app store. The IPA you side-load is never installed as-is. When you tap install, AltStore on your iPhone asks AltServer running on your Mac to fetch a fresh signing certificate from Apple's developer portal, regenerate a provisioning profile that matches the bundle ID, embed that profile into the IPA, recompute every CodeResources hash, and finally re-sign the binary with your personal team certificate. The resigned bundle is then sent to the device over a Bonjour connection on your local network.
Each step in that pipeline can fail, and the user-visible error is always the same generic invalid code signature warning. That makes the error genuinely hard to debug from the message alone. The Apple Developer forum thread on invalid code signature errors collects several variants of the same surface message coming from very different root causes.
Why does the same IPA install fine one day and fail the next?
The most common reason is the seven-day cert expiry. AltStore tries to refresh the certificate in the background, and free Apple IDs can only generate a new one if the user opens the app at least once during that window. Skip a week, and the cert is quietly revoked; the next install attempt fails because there is no valid signing identity to sign against.
The second reason is multi-device conflict. Free Apple IDs are limited to one active personal team certificate at a time. If you set up AltStore on a second iPhone with the same Apple ID, the first device's certificate is invalidated. Every previously sideloaded app on that first device fails its next signature check immediately.
A less obvious reason is certificate revocation by Apple. If Apple's risk system flags unusual signing activity (a common signature shared across many devices, an IPA that resembles a previously rejected build), the cert is revoked server-side. AltServer cannot generate a new one until the old one is deleted from the developer portal manually.
Which entitlements break the signature most often?
The IPA's entitlements file is a plist embedded inside the app bundle. When AltServer re-signs, it has to match each entitlement to a capability that your free Apple ID is allowed to use. Most of the entitlements developers add in Xcode are unavailable on a personal team, which produces the same generic invalid signature error at install time.
The SideStore issue #782 tracks the most-reported case: apps with more than three App Groups or three keychain-access-groups fail signing because the personal team backend silently rejects them, even though the macOS codesign tool accepts the bundle locally.
The table below covers the entitlements that most reliably break AltStore signing, in rough order of frequency in user reports across the AltStore and SideStore issue trackers.
| Entitlement | What it does | Why it breaks AltStore signing |
|---|---|---|
| application-groups (more than 3) | Shared container for sibling apps | Personal teams allow three at most |
| keychain-access-groups (more than 3) | Shared keychain entries | Same three-entry ceiling on personal teams |
| aps-environment | Push Notifications | Push capability is not available to free Apple IDs |
| com.apple.developer.associated-domains | Universal Links | Requires a verified domain on a paid team |
| com.apple.developer.networking.vpn.api | Network Extension / VPN | Restricted capability, paid team only |
| com.apple.developer.icloud-container-identifiers | iCloud document store | Requires a paid CloudKit container |
The fix is almost always to strip the unsupported entitlements with a tool like ldid before handing the IPA to AltStore. Open the IPA as a zip, run ldid -e Payload/YourApp.app/YourApp > entitlements.plist, remove the offending keys, then re-apply with ldid -Sentitlements.plist Payload/YourApp.app/YourApp and re-zip the bundle. AltStore will sign the trimmed bundle without further complaint.
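The check below is an added example, not code from AltStore, SideStore or ldid: it audits the entitlements.plist produced by ldid -e against the table above and writes a trimmed copy to feed back to ldid -S. It assumes the table's application-groups row maps to the full key com.apple.security.application-groups, keeps the first three groups as a placeholder choice, and uses a constructed sample plist.

```python
import plistlib

# Limits and paid-only keys come from the table above. The table's
# "application-groups" row is the com.apple.security.application-groups key.
GROUP_LIMITS = {
    "com.apple.security.application-groups": 3,
    "keychain-access-groups": 3,
}
PAID_ONLY = {
    "aps-environment": "Push Notifications",
    "com.apple.developer.associated-domains": "Universal Links",
    "com.apple.developer.networking.vpn.api": "Network Extension / VPN",
    "com.apple.developer.icloud-container-identifiers": "iCloud document store",
}
# Constructed sample, shaped like the output of `ldid -e` on an app binary.
SAMPLE = plistlib.dumps({
    "application-identifier": "TEAMID0000.com.example.demo",
    "com.apple.security.application-groups":
        [f"group.com.example.demo.{i}" for i in range(5)],
    "keychain-access-groups": ["TEAMID0000.com.example.demo"],
    "aps-environment": "production",
    "get-task-allow": True,
})

def audit_entitlements(plist_bytes):
    """Return (findings, trimmed plist bytes) for an entitlements plist."""
    ents = plistlib.loads(plist_bytes)
    trimmed = dict(ents)
    findings = []
    for key, limit in GROUP_LIMITS.items():
        values = ents.get(key, [])
        if isinstance(values, list) and len(values) > limit:
            findings.append(f"{key}: {len(values)} entries, limit is {limit}")
            # Assumption: keep the first `limit` entries; which groups the
            # app really needs has to be decided per app.
            trimmed[key] = values[:limit]
    for key, capability in PAID_ONLY.items():
        if key in ents:
            findings.append(f"{key}: {capability} is not available to a personal team")
            del trimmed[key]
    return findings, plistlib.dumps(trimmed)

if __name__ == "__main__":
    findings, trimmed = audit_entitlements(SAMPLE)
    for finding in findings:
        print("TRIM", finding)
    print(trimmed.decode())
```

An empty findings list means the entitlements are not the cause, and the next step in the fix list applies.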
What is the step-by-step fix for an invalid signature error?
Work through these in order. Each one resolves a different root cause, and starting from the top fixes the majority of cases without further effort.
- Refresh the certificate. Open AltStore on your iPhone, tap My Apps, tap the refresh icon, and wait until every app shows a fresh seven-day countdown.
- Delete the existing certificate. Sign in to developer.apple.com with the Apple ID that AltStore uses, go to Certificates, Identifiers and Profiles, find the active iOS Development certificate, and revoke it. AltServer will generate a clean replacement on the next install.
- Match the system clock. Set both Mac and iPhone to automatic date and time under their respective Settings panels. Drift greater than five minutes breaks the timestamp verification the kernel runs at launch.
- Restart AltServer. Quit AltServer on the Mac, reopen it, confirm iCloud and Bonjour are running, then retry the install. The Bonjour pairing has to be re-established every time the Mac wakes from sleep.
- Strip the entitlements. If the IPA contains push, VPN, or more than three App Groups, use ldid to remove those entries before signing. Apple's Technical Note TN3125 on code signature inspection covers the tooling to verify exactly what was signed.
- Trust on the device. After a successful install, open Settings, General, VPN and Device Management, find your Apple ID, and tap Trust. Without this step, the app installs cleanly but refuses to launch with the same invalid signature error message.
How is AltStore PAL different for signing in the EU?
AltStore PAL is the version of AltStore distributed under Apple's Alternative App Marketplaces program in the European Union. It requires iOS 17.4 or later and an EU-region Apple ID. The signing model is fundamentally different from AltStore Classic.
Apps installed through PAL are signed by Apple itself after passing notarization, not by your personal team certificate, so the seven-day refresh cycle does not apply. The invalid code signature errors you see on AltStore Classic do not appear on PAL for that reason. If you are seeing them on what you believed was a PAL build, you are almost certainly running AltStore Classic instead, and the fix path is the personal team one described above. For builders weighing pre-submission analysis on an IPA before publishing to either marketplace or the App Store, PTKD.com (https://ptkd.com) is one of the platforms focused on automated IPA scans aligned with the OWASP MASVS.
What to watch out for
A signed bundle is not the same as a runnable bundle. AltStore can complete the re-signing step and still produce a binary that crashes at first launch because the bundle's Info.plist references a capability the signed entitlements do not include. The kernel raises the same generic error in iOS 17 and later, which is why the message alone is rarely enough to identify the root cause.
A second pattern is the IPA that was already signed before reaching AltStore. Some repackaged IPAs ship with a vendor signature still in place. AltServer attempts to strip and replace the signature, but if the original signer used custom resource exclusions in CodeResources, the resigning step fails partway through. Re-downloading the IPA from a clean source resolves this in most cases.
A third pattern that produces the same error is a corrupted IPA download. Bonjour transfer over a flaky Wi-Fi network can silently truncate the bundle. Verifying the SHA-256 hash of the IPA before handing it to AltStore catches this in under a minute and saves a lot of guessing.
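A pre-install integrity check for the truncated-download case, as an added example that is not part of AltStore: it compares the SHA-256 against a published value when one exists, then confirms the zip is complete and contains Payload/<App>.app/Info.plist. The function names and the in-memory sample IPA are constructed for illustration.

```python
import hashlib
import io
import zipfile

def build_sample_ipa():
    """Constructed stand-in for a downloaded IPA (an IPA is a zip archive)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Payload/Demo.app/Info.plist", b"<plist/>")
        zf.writestr("Payload/Demo.app/Demo", b"\x00" * 4096)
    return buf.getvalue()

def check_ipa(data, expected_sha256=None):
    """Return a list of problems in the IPA bytes; empty means it looks intact."""
    problems = []
    digest = hashlib.sha256(data).hexdigest()
    if expected_sha256 and digest != expected_sha256.lower():
        problems.append("sha256 mismatch")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            bad = zf.testzip()  # re-reads every member and checks its CRC-32
            if bad:
                problems.append(f"corrupt member: {bad}")
            names = zf.namelist()
    except zipfile.BadZipFile:
        # A truncated file loses the central directory stored at its end.
        problems.append("not a complete zip archive")
        return problems
    has_bundle = any(
        n.startswith("Payload/") and n.endswith(".app/Info.plist")
        and n.count("/") == 2
        for n in names
    )
    if not has_bundle:
        problems.append("no Payload/<App>.app/Info.plist")
    return problems

if __name__ == "__main__":
    ipa = build_sample_ipa()
    print("intact:", check_ipa(ipa))
    print("truncated:", check_ipa(ipa[: len(ipa) // 2]))
```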
Key takeaways
- Invalid code signature in AltStore almost always means the free Apple ID certificate was revoked, expired, or carries more entitlements than a personal team allows.
- The seven-day cert refresh is the single most common cause; a paid Apple Developer Program account removes it for 99 USD per year.
- Strip push, VPN, and excess App Groups from the IPA's entitlements file before installing; ldid handles this in two commands.
- AltStore PAL in the EU uses Apple notarization, not personal team signing, so this error class does not apply on PAL builds.
- For builders who want an external automated read of an IPA's entitlements and signing posture before sideloading or store submission, PTKD.com is one of the platforms focused on pre-submission scans aligned with the OWASP MASVS.



