I'm sorry I didn't accept any of the answers yet, but I've been trying some stuff and I think I found a way, a little strange and probably not optimal, but it could work and I would like to share it with you to see if you think it's ok.
First: I'm a developer with my own Apple ID and developer certificate. I have my own apps on the app store.
Second: I also make client work and then I want to upload and manage the apps I do for them, to a certain extent.
Third: My client has to have their own developer account and it has to be a company account, which will allow them to manage teams.
This is what I think that works:
- I ask my client to add me to their iOS Developer Team as an "admin". This is done through the member center. This allows me to create distribution certificates and distribution provisioning profiles, as stated in here.
- After I accept the invitation (can't remember if I really have to) I log into the member center. It will ask me to select the team I want to use for my session (my own team or one of my clients'). I choose my client's team.
- I go to Certificates and create a new Certificate for Production->App Store and Ad Hoc (I think there's a max of two per account, so if there are already two of them this option will be grayed out)
- I have to upload a CSR file generated from my computer's keychain, following on screen instructions, and then my certificate is ready to download and use.
- While I'm on member center I generate my AppID and then go to Provisioning Profiles and generate a new Distribution Profile for the App Store with my AppID and for the certificate just created.
That's it for member center, now I can download the distribution profile for the app I'm am developing for my client. Or let XCode 5 manage it.
Then I want to upload the app to the store and manage it with iTunes Connect with my own account.
- I ask the client to iTunes Connect -> Manage Users -> iTunes Connect User and add me with a Technical role. This allows me to manage apps, but I wont see anything about banks, contracts, payments...
- The problem with point 1 here is I already have an iTunes Connect account for myself with my email address and you can't have two iTunes Connect accounts linked to one email address. I could use a different address, but as I'm using gmail, I just use an alias. I give them the address: myemail+clientname@gmail.com
- Once invited, I receive an activation mail and then I can log into iTunes Connect with that address and create apps and set them ready to upload.
- Then I just have to go to Xcode, select my client's code signing identity (which is the certificate I created), the apps distribution provisioning profile (I created earlier too), archive, validate and submit to the app store with my alias for this client.
I've just tested it and it works.
It's not yet an optimal solution because when logging into iTunes Connect I can see every other app my client has and I could, potentially, delete something. But still, I think is a pretty good one for clients with no knowledge of XCode (or no interest in doing all this) but also wanting to keep their credentials and private keys secret.