What is a provisioning profile & code signing in iOS?
If somebody asks you about the iOS app deployment process, you can easily give the answer. But when they ask a level deeper, you may not have an answer. The question above is one such thing that every iOS developer should know. Let’s see what it is.
Apr 10, 2018 · 5 min read
Source: Stackoverflow and internet 🤓.
Apple’s definition: A provisioning profile is a collection of digital entities that uniquely ties developers and devices to an authorized iPhone Development Team and enables a device to be used for testing.
Why Provisioning Profiles?
Unlike Android, you can’t install any app on an iOS device. It has to be signed by Apple first. However, when you’re developing an app, you probably want to test it before sending it to Apple for approval. A provisioning profile acts as a link between the device and the developer account. During development, you choose which devices can run your app and which app services your app can access. A provisioning profile is downloaded from your developer account and embedded in the app bundle, and the entire bundle is code-signed. A Development Provisioning Profile must be installed on each device on which you wish to run your application code. If the information in the provisioning profile doesn’t match certain criteria, your app won’t launch.
Each Development Provisioning Profile contains:
- Development certificates. These are for developers who want to test the app on a physical device while writing code.
- Unique Device Identifiers (the list of devices that the app can run on).
- An App ID. An App ID is a two-part string used to identify one or more apps from a single development team; it can include a * wildcard so that it can be used for many applications with similar bundle identifiers.
Devices specified within the provisioning profile can be used for testing only by those individuals whose iPhone Development Certificates are included in the profile. A single device can contain multiple provisioning profiles.
So, what happens when we connect the device to Xcode and install the app?
When you install the application on a device, the following things happen:
- The provisioning profile on the Mac points to the developer certificate in your keychain.
- Xcode uses the certificate to sign the code.
- The device’s UDID is matched with the IDs in the provisioning profile.
- The App ID in the provisioning profile is matched with the bundle identifier in the app.
- The entitlements required are associated with the App ID.
- The private key used to sign the app matches the public key in the certificate.
Here is a screenshot from the Xcode signing section:
So, from the above image, you can see that the App ID is checked, the certificate is validated, the team is matched, and the capabilities and entitlements are matched.
If all the above steps are successful, the signed binary is sent to the device, validated against the same provisioning profile in the app, and finally launched. If any one of these conditions fails, the app will not install, and you’ll see a greyed-out app icon.
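The checks listed above can be expressed over the decoded contents of a provisioning profile. This is an added example, not code from the original post or from Apple, and it mirrors the checks in simplified form rather than reproducing how iOS implements them. The plist keys are the ones found in a decoded .mobileprovision; the function names and all sample values are constructed for illustration.

```python
import plistlib
from datetime import datetime, timezone

def app_id_matches(app_id_pattern, bundle_id):
    """Explicit App IDs must match exactly; a trailing * acts as a wildcard."""
    if app_id_pattern.endswith("*"):
        return bundle_id.startswith(app_id_pattern[:-1])
    return app_id_pattern == bundle_id

def install_problems(profile, bundle_id, device_udid, signer_cert_der, now=None):
    """Return the reasons this app/device/signer combination would be refused."""
    # Dates in the plist are parsed as naive UTC datetimes, so compare like with like.
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    problems = []
    entitlements = profile.get("Entitlements", {})
    # application-identifier has the form "<TeamID>.<bundle id or wildcard>"
    team_id, _, pattern = entitlements.get("application-identifier", "").partition(".")
    if team_id not in profile.get("TeamIdentifier", []):
        problems.append("team")
    if not app_id_matches(pattern, bundle_id):
        problems.append("app-id")
    if device_udid not in profile.get("ProvisionedDevices", []):
        problems.append("device")
    if signer_cert_der not in profile.get("DeveloperCertificates", []):
        problems.append("certificate")
    if profile.get("ExpirationDate", datetime.min) <= now:
        problems.append("expired")
    return problems

# Constructed sample: the plist payload of a development profile. A real
# .mobileprovision wraps this plist in a CMS signature that must be verified first.
SAMPLE_CERT = b"constructed-DER-bytes-of-dev-certificate"
SAMPLE_UDID = "00008030-000A1B2C3D4E5F60"
SAMPLE_PROFILE = plistlib.loads(plistlib.dumps({
    "Name": "Constructed Dev Profile",
    "TeamIdentifier": ["ABCDE12345"],
    "ExpirationDate": datetime(2030, 1, 1),
    "ProvisionedDevices": [SAMPLE_UDID],
    "DeveloperCertificates": [SAMPLE_CERT],
    "Entitlements": {"application-identifier": "ABCDE12345.com.example.*",
                     "get-task-allow": True},
}))

if __name__ == "__main__":
    print(install_problems(SAMPLE_PROFILE, "com.example.notes", SAMPLE_UDID, SAMPLE_CERT))
    print(install_problems(SAMPLE_PROFILE, "org.other.app", "unknown-udid", b"other"))
```

Returning every failed check, rather than stopping at the first, makes it easier to see why a build is refused on a given device.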
The difference between Development and Distribution Profiles is that Distribution Profiles don’t specify any Device IDs. If you want to release an App which should be limited to a number of registered devices, you need to use an Ad-Hoc profile for that.
Distribution Profiles are used to submit an app to the App Store for distribution. After the app is reviewed by Apple, they sign the app with their own signature so that it can run on any device.
That’s all fine, but what is code signing?
Signing your app allows iOS to identify who signed your app and to verify that your app hasn’t been modified since you signed it. The Signing Identity consists of a public-private key pair that Apple creates for you.
Asymmetric cryptography
Asymmetric cryptography uses a public key and a private key. Users have to keep their private key to themselves, but they can share the public key. Using those public and private keys, a user can prove that they are who they claim to be.
How does asymmetric cryptography work?
Assume there is a UserA and a UserB.
- UserA creates PrivateKeyA + PublicKeyA.
- UserB creates PrivateKeyB + PublicKeyB.
To secure the communication between UserA and UserB,
- UserA shares his PublicKeyA with UserB.
- UserB shares his PublicKeyB with UserA.
… and both users keep their private keys to themselves.
When UserA sends a message to UserB,
- UserA encrypts the message with UserB’s PublicKeyB and sends the message.
- This message can only be decrypted using UserB’s PrivateKeyB.
… The same thing happens when UserB sends a message to UserA.
Watch this video to understand asymmetric cryptography better: YouTube video by savjee.
What is a CSR (Certificate Signing Request) in iOS?
A CSR is not something that is used only in iOS. It is used in many places.
A CSR, or Certificate Signing Request, is a block of encoded text that is given to a Certificate Authority when applying for a certificate.
Here, we create a CSR and give it to Apple, which will create the certificate for you. The CSR also contains the public key that will be included in the certificate. A private key is usually created at the same time that you create the CSR, making a key pair. A certificate authority will use a CSR to create your certificate, but it does not need your private key. You need to keep your private key secret. The certificate created with a particular CSR will only work with the private key that was generated with it. So if you lose the private key, the certificate will no longer work.
(Optional: refer to this link to understand how a CSR works for SSL certificates. The procedure and the way it works are almost the same.)
The process:
- Create a Certificate Signing Request (CSR) through the Keychain Access application.
- Keychain Access will create a private key (stored in the keychain) and a certSigningRequest file, which you then upload to Apple.
- Apple will verify the request and issue a certificate for you. The certificate contains the public key and can be downloaded to your system. After you have downloaded it, add it to Keychain Access by double-clicking it. The certificate is added to the keychain and paired with the private key to form the Code Signing Identity.
- Finally, at the time of app installation, the private key used to sign the app must match the public key in the certificate. If it doesn’t, the app is not installed.
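What it means for the private key used to sign the app to match the public key in the certificate, and how a signature reveals modification after signing, shown as an added example that is not from the original post. It uses toy textbook RSA with fixed primes and no padding purely for illustration; real code signing uses Apple-issued X.509 certificates, and every name and value here is constructed.

```python
import hashlib

# Toy textbook RSA: fixed Mersenne primes, no padding. Illustration only,
# never a substitute for a real signature scheme.
def make_identity(p, q, e=65537):
    """Return (private_key, certificate); only the certificate is ever shared."""
    n, phi = p * q, (p - 1) * (q - 1)
    private_key = (pow(e, -1, phi), n)  # stays in the developer's keychain
    certificate = {"subject": "Constructed Developer", "public_key": (e, n)}
    return private_key, certificate

def digest(bundle, n):
    """Hash the bundle bytes and reduce the result into the RSA modulus range."""
    return int.from_bytes(hashlib.sha256(bundle).digest(), "big") % n

def sign(bundle, private_key):
    d, n = private_key
    return pow(digest(bundle, n), d, n)

def verify(bundle, signature, certificate):
    """True only if the signature was made over these bytes by the matching key."""
    e, n = certificate["public_key"]
    return pow(signature, e, n) == digest(bundle, n)

# Constructed identities and app bytes.
DEV_KEY, DEV_CERT = make_identity(2**127 - 1, 2**89 - 1)
OTHER_KEY, OTHER_CERT = make_identity(2**107 - 1, 2**61 - 1)
APP = b"constructed app bundle bytes"
SIGNATURE = sign(APP, DEV_KEY)

if __name__ == "__main__":
    print("untouched app, matching cert:", verify(APP, SIGNATURE, DEV_CERT))
    print("modified after signing:      ", verify(APP + b"!", SIGNATURE, DEV_CERT))
    print("signed with a different key: ", verify(APP, sign(APP, OTHER_KEY), DEV_CERT))
```

Note the direction: signing uses the private key and verification uses the public key, the reverse of the encryption exchange between UserA and UserB described earlier.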
iOS Team Administration Guide
Retired Document
Important: This document has been replaced by App Distribution Guide. App Distribution Guide offers step-by-step instructions for configuring, testing, and submitting your app for approval. This new document describes how to use Xcode and other Apple developer tools to create and configure your project, request signing certificates, create provisioning profiles, configure special App Store technologies, test your app on devices, create your app record in iTunes Connect, and submit your app for approval to Apple. If you have a company Apple Developer Program membership, you’ll also learn how to manage your team’s certificates and provisioning assets.
Creating and Downloading a Distribution Provisioning Profile
To distribute an app, a team admin must create a distribution provisioning profile (this profile is different from a Development Provisioning Profile). The distribution provisioning profile consists of a name, a distribution certificate, and an app ID. The name is used only so that you can identify a provisioning profile. A provisioning profile is valid for one year.
Apps can be distributed either through the App Store with an iTunes Connect account or through ad hoc distribution. If you are enrolled in the Enterprise Program, you can also use in-house distribution. For more on distribution methods see Distributing an App.
To publish an app to the App Store, create a distribution provisioning profile specifying App Store as the distribution method.
To use ad hoc distribution, create a distribution provisioning profile specifying Ad Hoc as the distribution method and include a list of up to 100 devices authorized to run the app.
To use in-house distribution, create a provisioning profile specifying In-House as the distribution method.
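The distribution methods described above leave different traces in a profile's decoded plist, which a release pipeline can check before a build is handed over. This is an added example, not Apple's code: the classification is a commonly used heuristic on the profile keys (an assumption, not something this guide specifies), and the function names and sample profiles are constructed.

```python
def distribution_method(profile):
    """Classify a decoded provisioning-profile plist by the keys it carries."""
    if profile.get("ProvisionsAllDevices"):
        return "in-house"            # enterprise profile, not tied to a device list
    has_devices = bool(profile.get("ProvisionedDevices"))
    debuggable = profile.get("Entitlements", {}).get("get-task-allow", False)
    if has_devices:
        # Both development and ad hoc profiles list devices; only development
        # profiles allow a debugger to attach.
        return "development" if debuggable else "ad-hoc"
    return "app-store"               # no device list at all

def release_gate(profile, expected, max_ad_hoc_devices=100):
    """Return the reasons a build signed with this profile should not ship."""
    problems = []
    method = distribution_method(profile)
    if method != expected:
        problems.append(f"profile is {method}, expected {expected}")
    devices = profile.get("ProvisionedDevices", [])
    if method == "ad-hoc" and len(devices) > max_ad_hoc_devices:
        problems.append(f"{len(devices)} devices exceeds the ad hoc limit")
    return problems

# Constructed sample profiles (decoded plist contents, reduced to the relevant keys).
DEVELOPMENT = {"ProvisionedDevices": ["udid-1"],
               "Entitlements": {"get-task-allow": True}}
AD_HOC = {"ProvisionedDevices": ["udid-1", "udid-2"],
          "Entitlements": {"get-task-allow": False}}
APP_STORE = {"Entitlements": {"get-task-allow": False}}
IN_HOUSE = {"ProvisionsAllDevices": True,
            "Entitlements": {"get-task-allow": False}}

if __name__ == "__main__":
    for name, prof in [("development", DEVELOPMENT), ("ad hoc", AD_HOC),
                       ("app store", APP_STORE), ("in-house", IN_HOUSE)]:
        print(name, "->", distribution_method(prof), release_gate(prof, "app-store"))
```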
Creating a Distribution Provisioning Profile
Downloading and Installing a Distribution Provisioning Profile
To install the provisioning profile on your Mac, drag the .mobileprovision file onto the Xcode, iPhone Configuration Utility, or iTunes icon in the Dock.
Copyright © 2013 Apple Inc. All Rights Reserved. Terms of Use | Privacy Policy | Updated: 2013-04-23
Creating and Downloading Development Provisioning Profiles
To install an app on a device during development, you need three things: an app ID that identifies the set of apps it authorizes to run, a list of devices your team wants to use for testing, and a list of developers permitted to sign the app. These three things are bundled in a development provisioning profile. A development provisioning profile uniquely ties developers and devices to a development team. A provisioning profile is valid for one year. A device can be added to multiple provisioning profiles.
For your convenience, Xcode creates a wildcard app ID, called iOS Wildcard App ID, that matches all your apps. The first time you register a device in Xcode, Xcode creates a development provisioning profile, called iOS Team Provisioning Profile, that uses the iOS Wildcard App ID. Xcode automatically adds new developer certificates and registered device IDs to the iOS Team Provisioning Profile so you can use iOS Team Provisioning Profile for all apps that don’t require an explicit app ID.
Only team agents and admins can create development provisioning profiles.
Creating a Development Provisioning Profile
Each Provisioning Profile has one app ID associated with it. If you have multiple apps using Apple Push Notification Service (APNS), In-App Purchase, iCloud, or Game Center, create a separate development provisioning profile for each app. If you are installing multiple apps but you are not using those features, use a wildcard app ID.
Downloading and Installing a Development Provisioning Profile
If your development certificate is specified in the provisioning profile, it should show up automatically in the Devices organizer in Xcode after the provisioning profile is approved. If the provisioning profile isn’t in the Provisioning Profile list, click Refresh. For more information, including how to install a provisioning profile on your device, see Provisioning a Device for Development. In order to test an app, the development provisioning profile must be installed on both a Mac and the device.
To install the provisioning profile manually on your Mac, drag the file onto the Xcode, iTunes, or iPhone Configuration Utility app icon.
What kind of Certificate and Provisioning Profile is needed for an iOS Apple TestFlight release?
I’m planning to release a beta version of my iPhone app on iOS 8 devices through the new Apple TestFlight app. What kind of Certificate and Provisioning Profile is needed for that? Do I need a Production certificate and Distribution provisioning profile?
Available are these:
3 Answers
The Apple Technical Note TN2407 has a section titled "Submitting your app for publishing to TestFlight" and in this section Apple says:
TestFlight apps submitted to iTunesConnect need to be signed with an App Store Distribution Profile. TestFlight no longer accepts apps submitted with an Ad Hoc profile.
So the situation is now unambiguous: you need a production certificate for the app, and an App Store distribution provisioning profile.
I believe you need a Production certificate with a Distribution profile for "App Store". I just submitted my app, which is now in review for external beta testers. The first time I submitted the app I was using an Ad Hoc profile as we always did while using the original TestFlight. That profile caused the app to be rejected before it even got to the review process. Once I changed to using an App Store profile it passed into the review process. So, Production cert, Distribution App Store provisioning profile worked for me.
The Apple developer site has some information on beta testing options for iOS. It discusses both Ad Hoc and iTunes Connect distribution.
You can also check out this tutorial, which goes through the process of using Xcode to submit your build for testing.
Hope that helps.
You should use the following types of certificate and provisioning profile:
You should use an App Store Distribution Provisioning Profile to upload to Apple TestFlight:
When you go through the process of creating the Provisioning Profile, it will filter your Certificates to only allow iOS Distribution certificates.