Handing out iPhone certificate private key?

The company I work for has outsourced development of an iPhone app to another company. They want the binary to be signed with our certificate for distribution, but they've asked me to pass the private key (certificates.p12) used to create our certificate on to the other company. I am extremely concerned about hand开发者_StackOverflowing the ability to sign applications as us over to another company.

How can I convince my boss this is a really bad idea? What alternative solutions can I suggest to him? I have already asked him to get the source from them so we can sign and submit it ourselves, but without the ability to conclusively state that giving them the certificate is a bad idea, I'm kinda stuck in the "just look into it for me" limbo.

You don't need the source. You just need the compiled binary (make sure it's ARM, not x86) to sign with codesign.

The outsource company can just build and sign the app with their own certificate. You can then resign the app with your company's certificate before submission (use codesign).

There's not too much a consultant can do with the private key to just an App store Distribution certificate but without the team agent's iTunes Connect login credentials, as Apple's review team are the only ones who can run an app signed with your Distribution certificate, and you can't submit an app to iTunes Connect without the login matching the certificate (AFAIK).