AAB
.app bundle
App Sandbox
App Store Connect
Apple Distribution certificate
applicationId
Bundle identifier
Code signing
Developer Program
ES256 / RS256
ExportOptions.plist
Hardened Runtime
.ipa
Issuer ID
JWT
Key ID
Keystore
OAuth 2.0
.p8 file
Play Console
Provisioning profile
Service account
SUPPORTED_PLATFORMS
Team ID
TestFlight
Track
versionCode / versionName
.xcarchive
- AAB (Android App Bundle) #
- Google's modern distribution format for Android apps. Unlike an
.apk(which bundles every resource for every device), an AAB contains modular resources and lets Play Console serve a minimal APK tailored to each user's device at install time. LingCode runs./gradlew bundleReleaseto produceapp/build/outputs/bundle/release/app-release.aab. - .app bundle #
- The macOS executable package format — a directory that looks like a single file to Finder, containing the binary, resources, and
Info.plist. Mac App Store uploads are.appbundles, not.ipa. - App Sandbox #
- A macOS security mechanism that limits what an app can do — accessing files, making network requests, reading contacts, etc. — unless it declares each capability as an entitlement. Apple requires App Sandbox on every Mac App Store submission. Enable in Xcode → Signing & Capabilities → + Capability → App Sandbox. Not applicable on iOS (iOS apps are sandboxed by default at the OS level).
- App Store Connect #
- Apple's portal (appstoreconnect.apple.com) where you create app records, upload builds, invite testers, and submit for review. Everything Magic Deploy does for iOS/macOS lands here.
- Apple Distribution certificate #
- A signing certificate tied to your Team ID that proves builds came from your team. Installed in your login keychain; used by
xcodebuildto sign the archive before upload. Older projects may have team-scoped variants (Mac App Distribution, 3rd Party Mac Developer Application, iPhone Distribution) — LingCode accepts all four. Install via Xcode → Settings → Accounts → Manage Certificates → + → Apple Distribution. - applicationId (Android) #
- The Android equivalent of a bundle identifier, defined in
app/build.gradle'sdefaultConfigblock. Once an app is live on Play, this value can never change — a differentapplicationIdis treated as an entirely new app. - Bundle identifier (Bundle ID) #
- A reverse-DNS string (e.g.
com.example.myapp) that uniquely identifies an Apple app. Must match exactly between your Xcode target's General tab, your App Store Connect app record, and the identifier registered at developer.apple.com/account/resources/identifiers. - Code signing #
- The process of cryptographically signing an app bundle with a private key so the OS (macOS, iOS, or Android) can verify the code hasn't been tampered with. Apple uses an Apple Distribution certificate + provisioning profile; Google uses a keystore file.
- Developer Program #
- The paid membership you need to publish on the App Store. Apple's costs $99/year (individual) at developer.apple.com/programs/enroll. Google Play's equivalent costs $25 one-time at play.google.com/console/signup.
- ES256 / RS256 (JWT signing algorithms) #
- Two JWT signing algorithms you'll encounter in deploy contexts. ES256 uses ECDSA with P-256 — Apple's App Store Connect API keys use this. RS256 uses RSA-2048 with SHA-256 — Google service account JSON keys use this. Both produce a fixed-size signature and let the server verify the signer without ever seeing your private key.
- ExportOptions.plist #
- A small XML plist file that tells
xcodebuild -exportArchivehow to turn an archive into a distributable.appor.ipa. LingCode generates one on the fly with three keys:method = app-store,teamID = <your team>,signingStyle = automatic. Written tobuild/ExportOptions.plistin your project. - Hardened Runtime #
- A macOS security capability that disables some runtime behaviors (like loading arbitrary libraries or using executable memory) to reduce attack surface. Required for Mac App Store uploads and for notarized direct-distribution builds. Enable in Xcode → Signing & Capabilities → + Capability → Hardened Runtime. Not applicable to iOS.
- .ipa (iOS App Archive) #
- A ZIP file in a specific layout that contains your iOS
.appplus signing metadata. The final artifactxcodebuild -exportArchiveproduces for an iOS target. Magic Deploy uploads it viaxcrun altool --type ios. - Issuer ID #
- A UUID (e.g.
69a6de8f-03f7-47e3-e053-5b8c7c11a4d1) shown once at the top of your App Store Connect Keys page. Unique per team — all keys for your team share the same Issuer ID. Paired with a Key ID and a .p8 file to authenticate against the App Store Connect API. - JWT (JSON Web Token) #
- A compact, URL-safe token format: three base64-encoded parts (header, payload, signature) joined with dots. Magic Deploy generates JWTs signed with your private key (the
.p8for Apple or theprivate_keyfield from the service account JSON for Google) and exchanges them for short-lived access tokens. See RFC 7519. - Key ID #
- A 10-character alphanumeric string (e.g.
ABC123XYZ0) that names a specific App Store Connect API key. Shown per-key in the table at appstoreconnect.apple.com/access/api, and embedded in the.p8filename (AuthKey_<KeyID>.p8). - Keystore (.jks / .keystore) #
- A password-protected binary file that holds one or more RSA private keys used to sign Android AABs. Generated once per app with
keytool -genkeypair. If you lose the keystore you can never update the app on Play again, since Google uses its signature to prove new versions are "from you." Back it up in at least two places. - OAuth 2.0 #
- The authorization framework deploy APIs use. For automated (no-human) clients like LingCode, the relevant flow is JWT Bearer: sign a JWT with your private key, POST it to the token endpoint, receive a short-lived access token (typically 1 hour), then include it in
Authorization: Bearer <token>on all API calls. Google uses this flow; Apple's App Store Connect API uses a similar JWT-per-request pattern without the token exchange. - .p8 file #
- An ES256 private key file Apple generates when you create an App Store Connect API key. Only downloadable once. Saved as
AuthKey_<KeyID>.p8. LingCode signs JWTs with it to authenticate against the App Store Connect API. Treat it like a password — never commit to git. - Play Console #
- Google's portal (play.google.com/console) where you create Android app records, upload AABs, manage testers, and configure release tracks. Equivalent to App Store Connect.
- Provisioning profile #
- An Apple file that combines three things: which devices can run a build (not applicable for App Store builds), which certificate signs it, and which entitlements the app claims. For App Store distribution, Xcode's automatic signing generates and refreshes these on every archive. You rarely touch them directly.
- Service account #
- A Google Cloud identity that represents an automated service rather than a human user. Each service account has an email address (e.g.
lingcode-deploy@my-project.iam.gserviceaccount.com) and one or more keys. LingCode authenticates to the Play Developer API as a service account with release permission on your Play Console app. - SUPPORTED_PLATFORMS (Xcode) #
- An Xcode build setting that lists the platform slugs (
iphoneos,macosx,watchos,tvos) a scheme can target. LingCode reads it viaxcodebuild -showBuildSettings -jsonto auto-detect iOS vs. macOS and branch the--type/ destination accordingly. - Team ID (Apple) #
- A 10-character alphanumeric identifier for your Apple Developer team (e.g.
HPTTZS5J27). Copied from developer.apple.com/account → Membership Details. Also visible at the end of your Distribution certificate's common name:"Apple Distribution: Your Name (HPTTZS5J27)". - TestFlight #
- Apple's beta-testing service, integrated with App Store Connect. Every build you upload lands in TestFlight first (under Processing), then can be distributed to internal testers (up to 100 team members, no review) or external testers (needs Beta App Review, usually <24h). Works for both iOS and macOS.
- Track (Play Console) #
- Where an uploaded AAB lands in Play Console's release pipeline. Internal testing (up to 100 allowlisted testers, instant), closed testing / alpha (allowlisted, reviewed), open testing / beta (anyone with the link, reviewed), or production (visible on the Play Store, reviewed). You can promote a build from a lower track to a higher one without re-uploading.
- versionCode / versionName (Android) #
- versionCode is a monotonically increasing integer Play uses to order uploads. Every upload must have a higher
versionCodethan any before. versionName is the human-facing string shown in the Play Store (e.g."1.2.3"). Both live inapp/build/build.gradle'sdefaultConfig. LingCode's Auto-bump versionCode toggle increments the integer automatically before each deploy. - .xcarchive #
- An Xcode archive bundle — a directory containing a built, signed app plus dSYMs (debug symbols) and metadata. Produced by
xcodebuild archive; consumed byxcodebuild -exportArchiveto produce the final.appor.ipa. LingCode writes it tobuild/<scheme>.xcarchive.
Further reading
Primary sources for the concepts above, from Apple, Google, and the IETF:
- App Store Connect API reference (Apple)
- Notarizing macOS Software Before Distribution (Apple)
- Code Signing Guide (Apple, archive)
- Sign your app (Android Developers)
- Google Play Developer API
- OAuth 2.0 for Server-to-Server Applications (Google — service account flow)
- RFC 7519 — JSON Web Token (IETF)
- RFC 6749 — The OAuth 2.0 Authorization Framework (IETF)