Suppose my client doesn't want me to own his iPhone Distribution Certificate, is there a way I can send him the compiled app and let him adjust all App Id, Provisioning etc parameters, then sign and submit it? How do I do this?
The only way, since now documented, to certificate the binary is building it with a Dist. Certificate added to the machine that compile the source code.
You can export the certificate as .p12 file and re-import it in another machine, both procedure have to be done with Keychain Access utility.
You can try to do what you want to do with terminal calls, but I doubt that you can sign an iPhone app that has been compiled.
Look at the CodeSign step in the XCode build results window (click on the "lines of text" disclosure icon on the right to see the actual commands that XCode uses).
You'll see that the CodeSign step is using a command-line tool (/usr/bin/codesign) something like this:
/usr/bin/codesign -f -s "iPhone Distribution: My Company"
--resource-rules=/Users/username/source/myApp/build/Distribution-iphoneos/myApp.app/ResourceRules.plist
--entitlements /Users/username/source/myApp/build/myApp.build/Distribution-iphoneos/myApp.build/myApp.xcent
/Users/username/source/myApp/build/Distribution-iphoneos/myApp.app
It's signing the compiled application in the "build" directory using the signing identity specified by the "-s" option on the command line. So, there's no reason you couldn't move your "build" directory to another machine and sign it with the desired key using codesign
from the command line.