App Store

    How to Fix Error ITMS-90034: Missing or Invalid Signature

    Xcode signing settings and the Apple Developer certificates page shown while resolving an ITMS-90034 invalid signature upload error.

    Error ITMS-90034, missing or invalid signature, means your upload was not signed with a valid Apple submission certificate, so App Store Connect rejected it. The usual causes are signing with the wrong certificate type, such as a development certificate instead of an Apple Distribution certificate, an expired or revoked signing certificate, or a provisioning profile that does not match the certificate or the bundle ID. The fix is to sign with a valid Apple Distribution certificate and a matching App Store provisioning profile, refresh both if they are stale, and re-archive. Nested frameworks and extensions must be signed with the same distribution identity.

    Short answer

    ITMS-90034 means the binary you uploaded is not signed with a valid Apple submission certificate. Per Apple's certificates guidance, an App Store upload must be signed with an Apple Distribution certificate and a matching App Store provisioning profile. Check that your signing certificate has not expired or been revoked, and that the provisioning profile matches both that certificate and your app's bundle ID. If either is wrong, regenerate it, then clean and re-archive. Make sure any embedded frameworks or app extensions are signed with the same distribution identity, since one nested binary signed differently can trigger the error. In CI, refresh stale certificates and profiles.

    What ITMS-90034 means

    The error is App Store Connect telling you that the code signature on your upload is missing or is not from a certificate it accepts for submission. Apple requires apps distributed through the store to be signed with an Apple Distribution certificate, which proves the build came from your team, and ITMS-90034 is the rejection you get when that signature is absent, invalid, or from the wrong kind of certificate.

    It is a signing problem, not a code problem, which is the most useful thing to know when you first see it. Nothing about your app's functionality is wrong; the upload simply is not signed in the way Apple demands for the App Store. That framing narrows where to look: the certificate you signed with, the provisioning profile you used, and whether every part of the app, including nested binaries, carries the right signature. Working through those three in order is far faster than changing settings at random and re-uploading to see what happens.

    Did your certificate expire?

    An expired or revoked certificate is a common cause, so check it first. Apple Distribution certificates have a validity period, and once one expires, any build signed with it is no longer accepted, which produces ITMS-90034 on upload. A certificate can also be revoked manually or when a team member removes it, with the same effect.

    Verify the certificate's status in your Keychain and in the Apple Developer portal under Certificates. If it has expired or been revoked, create a new Apple Distribution certificate, install it, update your signing to use it, and generate or refresh a provisioning profile that references the new certificate. Then re-archive, since a build signed with the old certificate will keep failing until you rebuild with the valid one. It is also worth checking the expiry date proactively before a release, because certificates tend to lapse at the least convenient moment, midway through a deadline.

    Provisioning profile mismatch

    A provisioning profile that does not match is the other frequent cause. The profile ties together your certificate, your app's bundle ID, and the distribution method, so if it references a different certificate, a different bundle ID, or is a development profile rather than an App Store profile, the signature will not be valid for submission and you get ITMS-90034.

    Fix it by regenerating an App Store distribution provisioning profile that matches exactly: the same bundle ID as your app, and the Apple Distribution certificate you are actually signing with. Download the fresh profile and select it in your signing settings, or let Xcode manage signing automatically, which regenerates matching profiles for you. A mismatched profile is often the hidden reason a certificate that looks valid still fails, so treat the profile and certificate as a pair that must agree, not as two independent settings.

    Wrong certificate type

    Even a valid, unexpired certificate causes ITMS-90034 if it is the wrong type for the App Store. A development certificate is for testing on devices, not for store submission, so signing a distribution build with it produces an invalid submission signature. App Store uploads specifically need an Apple Distribution certificate.

    Confirm you are signing the release build with a distribution identity, not a development one. In manual signing, select the Apple Distribution certificate and the matching App Store profile for the Release configuration; in automatic signing, make sure the archive is built for distribution so Xcode uses the right identity. Mixing a development certificate into a distribution build is an easy mistake, especially in a CI setup that has both installed. Pinning the exact signing identity in your build settings, rather than letting the pipeline pick one, removes that ambiguity entirely.

    Common causes

    Most ITMS-90034 failures come from a short list. The table below maps each cause to what is wrong and the fix.

    CauseWhat is wrongFix
    Wrong certificate typeSigned with development, not Apple DistributionSign with an Apple Distribution certificate
    Expired or revoked certificateThe signing certificate is no longer validCreate a new certificate and rebuild
    Provisioning profile mismatchProfile does not match the cert or bundle IDRegenerate a matching App Store profile
    Unsigned nested binaryA framework or extension is signed differentlyRe-sign all with the same distribution identity
    Stale CI signing assetsThe pipeline uses an old cert or profileRefresh the certificates and profiles in CI

    Match your case to a row before changing anything. A certificate issue and a profile mismatch look identical in the error message but need different fixes, so confirming which one applies saves you from regenerating the wrong asset and uploading again only to see the same error return.

    Fix checklist

    Working through signing methodically avoids repeated failed uploads. The checklist below covers the steps in order.

    CheckActionDone?
    Certificate typeConfirm an Apple Distribution certificate for the App Store[ ]
    Certificate validityVerify it is not expired or revoked[ ]
    Profile matchEnsure the App Store profile matches the cert and bundle ID[ ]
    Nested binariesConfirm frameworks and extensions share the identity[ ]
    Clean rebuildRefresh assets, clean, re-archive, and re-upload[ ]

    The step people skip is cleaning and re-archiving after fixing the certificate or profile, since a stale archive keeps the old signature. In a pipeline, managing certificates and profiles with a tool like Fastlane match keeps them consistent across machines and avoids the mismatches that cause this error.

    After signing: scan before you submit

    Fixing ITMS-90034 gets your build uploaded, but a build that uploads cleanly can still be rejected in review for reasons unrelated to signing. Security and privacy issues are a common one, and they are cheaper to catch before you submit than after a rejection.

    A scanner like PTKD.com analyzes your .ipa and reports findings ordered by severity and mapped to OWASP MASVS, so you catch issues like unjustified permissions, cleartext traffic, or embedded secrets before submission. To be clear about the boundary: PTKD does not sign your app, manage certificates, or fix a provisioning profile. It checks the built, signed artifact for the security issues that a valid signature does not address.

    What to take away

    • ITMS-90034 means your upload is not signed with a valid Apple submission certificate; it is a signing problem, not a code problem.
    • Check whether your signing certificate has expired or been revoked, and create a new Apple Distribution certificate if it has.
    • Make sure the provisioning profile is an App Store profile that matches your certificate and bundle ID, and regenerate it if not.
    • Sign with a distribution certificate, not a development one, and ensure nested frameworks and extensions share the same identity, then clean and re-archive.
    • After signing is fixed, scan your build with PTKD.com for the security issues a valid signature does not cover.
    • #itms-90034
    • #code signing
    • #provisioning profile
    • #distribution certificate
    • #app store connect

    Frequently asked questions

    What does ITMS-90034 mean?
    It means App Store Connect rejected your upload because the code signature is missing or is not from a certificate it accepts for submission. Apple requires App Store builds to be signed with an Apple Distribution certificate. It is a signing problem, not a code problem, so look at the certificate, the provisioning profile, and whether nested binaries carry the right signature.
    Did my certificate expire and cause ITMS-90034?
    Possibly, and it is worth checking first. Apple Distribution certificates have a validity period, and a build signed with an expired or revoked certificate is no longer accepted, producing ITMS-90034. Check the status in Keychain and the Apple Developer portal, and if it expired, create a new Apple Distribution certificate, refresh the matching profile, and re-archive.
    How do I fix a provisioning profile mismatch?
    Regenerate an App Store distribution profile that matches exactly: the same bundle ID as your app and the Apple Distribution certificate you actually sign with. A profile that references a different certificate or bundle ID, or is a development profile, produces an invalid submission signature. Download the fresh profile and select it, or let Xcode manage signing automatically.
    Can the wrong certificate type cause ITMS-90034?
    Yes. Even a valid, unexpired certificate fails if it is the wrong type. A development certificate is for testing on devices, not store submission, so signing a distribution build with it produces an invalid submission signature. App Store uploads need an Apple Distribution certificate, so confirm the release build uses a distribution identity, not a development one.
    Why does ITMS-90034 persist after I fix signing?
    Usually because a stale archive still carries the old signature, or a nested framework or app extension is signed with a different identity. After changing the certificate or profile, clean and re-archive so the new signature is applied, and confirm every embedded binary shares the same distribution identity. In CI, refresh the certificates and profiles the pipeline uses.
    Does a valid signature mean my app is ready to submit?
    No. Fixing ITMS-90034 only gets the build uploaded; it can still be rejected in review for reasons unrelated to signing, such as security or privacy issues. A scanner like PTKD.com (https://ptkd.com) checks your .ipa for unjustified permissions, cleartext traffic, and embedded secrets, mapped to OWASP MASVS. It does not sign your app, but it covers what a valid signature does not.

    Keep reading

    Scan your app in minutes

    Upload an APK, AAB, or IPA. PTKD returns an OWASP-aligned report with copy-paste fixes.

    Try PTKD free