My employer recently entered into an agreement with another company to share the source code for an iOS app that we developed. We haven't yet published this app in the App Store but plan to do so in the future. During the course of development, we've obviously created an app ID, provisioning profiles, certificates for development and remote notifications, etc. all of which are (obviously) tied to my employer's enrollment in the Apple Developer Program (ADP). The app itself is currently configured to allow Xcode to manage signing automatically.
Before we deliver the source code for this app to the other company, I need to make sure that none of my employer's information is present in the project source (so that the other company has to use their own info). I've looked through all the project-related files I could find and the only thing I really saw was a small section in the project.pbxproj file that looks like it is related to signing.
I would guess that this is something that a lot of people who decide to share their source on Github do but I'm still fairly new to iOS/Xcode app development so I was hoping that someone who has dealt with this before could offer some insight? Thanks very much!
If you just want to make sure they cannot get your company's signing identity, you can just send them the project. Since you are using automatic code signing, they would need to have your company's Apple developer ID credentials to sign in to the developer account in order to have Xcode generate a certificate and profile to sign as your company. None of the critical signing files are included in the Xcode project folder.
When you enable automatic code signing and sign into the Apple ID, Xcode will generate a certificate and private key, which go into that Mac's Keychain, and a provisioning profile is generated and downloaded, which goes into a specific directory that is common for all projects (https://stackoverflow.com/a/45642752/3708242) and outside of the project directory.
As @Jack states in his answers, there are other pieces of information in the files you might want to scrub, but there is no risk you would be giving them access to your code signing information by sending them the project as is with automatic code signing turned on.
Long story short, just send them the project directory.
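The answer above is right that the certificate, private key and provisioning profile never live in the project folder. What the project folder does carry, once automatic signing has been enabled, is the team ID (`DEVELOPMENT_TEAM`) and the App ID's bundle identifier in project.pbxproj, plus any team-bound keys in `.entitlements` files; those are the "other pieces of information" worth scrubbing before hand-over. The script below is an added example for this thread, not code from the question or the answer: a pre-delivery scrub check that lists every such setting, entitlement and stray signing artifact under a project directory. The build-setting keys, entitlement keys and file suffixes are the real Xcode/ADP names; the sample project it builds, the team ID `ABCDE12345` and the bundle ID `com.example.demo` are constructed for the demonstration.

```shell
#!/bin/sh
# Added example for this thread (not code from the question or the answer):
# a pre-delivery scrub check for an Xcode project tree.
# The build-setting, entitlement and file-suffix names are the real Xcode/ADP
# ones; the project tree created by make_demo_project, its team ID ABCDE12345
# and bundle ID com.example.demo are constructed for the demonstration.

# project.pbxproj / .xcconfig settings that name the team, a profile, a
# signing identity or the App ID registered under the team.
SIGNING_KEYS='DEVELOPMENT_TEAM|PROVISIONING_PROFILE_SPECIFIER|PROVISIONING_PROFILE|CODE_SIGN_IDENTITY|PRODUCT_BUNDLE_IDENTIFIER'

# Entitlement keys that embed the team or the push-notification environment.
ENTITLEMENT_KEYS='aps-environment|com\.apple\.developer\.team-identifier|application-identifier'

# "file:line:text" for every non-empty signing build setting under $1.
# Empty values such as PROVISIONING_PROFILE_SPECIFIER = ""; are not findings.
find_signing_settings() {
    find "$1" -type f \( -name '*.pbxproj' -o -name '*.xcconfig' \) \
        -exec grep -En "($SIGNING_KEYS) = " {} /dev/null \; \
        | grep -vE '= ("")?;?[[:space:]]*$' || true
}

# "file:line:text" for every team-bound key in *.entitlements under $1.
find_entitlement_refs() {
    find "$1" -type f -name '*.entitlements' \
        -exec grep -En "<key>($ENTITLEMENT_KEYS)</key>" {} /dev/null \; || true
}

# Signing artifacts that should never be in a source tree at all.
find_signing_artifacts() {
    find "$1" -type f \( -name '*.mobileprovision' -o -name '*.provisionprofile' \
        -o -name '*.p12' -o -name '*.cer' -o -name '*.certSigningRequest' \) || true
}

# Total number of findings; 0 means the tree is clean by these checks.
count_findings() {
    { find_signing_settings "$1"; find_entitlement_refs "$1"; find_signing_artifacts "$1"; } \
        | wc -l | tr -d ' '
}

scrub_report() {
    echo "== build settings naming a team, profile, identity or App ID =="
    find_signing_settings "$1"
    echo "== entitlements tied to the team or push environment =="
    find_entitlement_refs "$1"
    echo "== signing artifacts that must not ship with the source =="
    find_signing_artifacts "$1"
    echo "== total findings: $(count_findings "$1") =="
}

# Constructed sample tree: the buildSettings block Xcode writes when automatic
# signing is on, a push entitlements file, and a stray profile someone copied in.
make_demo_project() {
    dir=$(mktemp -d)
    mkdir -p "$dir/Demo.xcodeproj" "$dir/Demo"
    cat > "$dir/Demo.xcodeproj/project.pbxproj" <<'EOF'
        buildSettings = {
            CODE_SIGN_STYLE = Automatic;
            DEVELOPMENT_TEAM = ABCDE12345;
            PRODUCT_BUNDLE_IDENTIFIER = com.example.demo;
            PROVISIONING_PROFILE_SPECIFIER = "";
        };
EOF
    cat > "$dir/Demo/Demo.entitlements" <<'EOF'
<plist version="1.0"><dict>
    <key>aps-environment</key>
    <string>development</string>
</dict></plist>
EOF
    : > "$dir/Demo/old_dev.mobileprovision"
    printf '%s\n' "$dir"
}

# Stand-alone use: report on the project directory given as $1, or on the demo.
if [ $# -gt 0 ]; then
    scrub_report "$1"
else
    DEMO_DIR=$(make_demo_project)
    scrub_report "$DEMO_DIR"
    rm -rf "$DEMO_DIR"
fi
```

Run it as `sh scrub_check.sh path/to/YourApp` and aim for zero findings: clear `DEVELOPMENT_TEAM` (or let the recipient set their own team under Signing & Capabilities), leave the bundle identifier for them to change to an App ID registered under their team, and delete any profile or certificate file that was copied into the tree. If the project is in git, remember that a value removed from the working copy is still in earlier commits; either export a snapshot without history or rewrite the history before sharing.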