- Apple: Distributions and Certificates
- Apple’s requirements
- There are two types of “profiles”
- Development profiles
- Distribution profiles
- There are two modes of distribution
- The public distribution method
- The company’s distribution method
- Different types of Certificates
- Service extensions
- Distribution certificates
- Development certificates
- Apple Worldwide Developer Relations Intermediate Certificate updates
- Using the new certificate with Xcode
- Why is the Apple Worldwide Developer Relations Certification Authority being updated now if the current version doesn’t expire until 2023?
- Do I need to regenerate any of my certificates?
- Will customers be affected by the certificate renewal?
- Will my apps in development continue working?
- Will my in-house enterprise apps continue working?
- Should I keep both intermediate certificates installed?
- In what cases should I continue using the certificate that expires in 2023?
- Is Developer ID signed software affected?
- Certificate update timeline
- September 1, 2020
- January 28, 2021
- Updated by end of 2021
- No changes
- How to renew your Apple Developer Distribution Certificate
- How to generate a new Distribution Certificate
Apple: Distributions and Certificates
Apple’s requirements
Apple requires that every iOS application be certified and secure, and that it can only be downloaded from its Apple store. To be downloaded on an Apple terminal (iPhone, iPad, etc.) an application must have a “certificate”, an “identifier” and a “profile”.
There are two types of “profiles”
Development profiles
This configuration is linked to the development of an application. This development configuration allows you to install an application on specific terminals (for development, testing, etc.). The file used to specify the authorized media is called a provisioning profile.
In order to generate a “provisioning profile” it is necessary to have:
- an App ID, which is a two-part string used to identify the application.
- a Development Certificate, which is the certificate associated with the account of the developer or company who wishes to test the solution. The private key used to sign the application corresponds to the public key of the certificate.
- one or more Device IDs, which are the UDIDs (Unique Device Identifiers) of the authorized terminals.
If the link between these elements fails, the application cannot be installed on a terminal.
Distribution profiles
This configuration is essential in order to make the app available on the App Store. It allows you to submit an application for approval to the Apple store or to a corporate store. The elements required for a store release are also specified in a provisioning profile.
To generate a “provisioning profile” it is necessary to have:
- the App ID, which is a two-part string used to identify the application.
- the Development Certificate, which is the certificate associated with the account of the company or developer that owns the application.
This provisioning profile will not include a Device ID but will specify the types of terminals compatible with the application.
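The link between App ID, certificate and Device ID described in the two profile sections above can be checked mechanically. The following is an added example, not code from the original page: it assumes the profile's CMS wrapper has already been removed (on macOS, `security cms -D -i <profile>` does this) and reads the plist keys a decoded profile carries. The team prefix, bundle IDs, UDID and certificate bytes are constructed sample values.

```python
import hashlib
import plistlib
from datetime import datetime

# Constructed sample values (not real identifiers).
SAMPLE_CERT = b"constructed bytes standing in for a DER certificate"
SAMPLE_UDID = "00008030-000000000000002E"

def sample_profile(all_devices=False):
    """Build a constructed profile plist, as it looks once the CMS wrapper is removed."""
    profile = {
        "Entitlements": {"application-identifier": "ABCDE12345.com.example.*"},
        "DeveloperCertificates": [SAMPLE_CERT],
        "ExpirationDate": datetime(2023, 2, 7),
    }
    if all_devices:
        profile["ProvisionsAllDevices"] = True         # In House profile
    else:
        profile["ProvisionedDevices"] = [SAMPLE_UDID]  # development / Ad Hoc profile
    return plistlib.dumps(profile)

def check_profile(profile_xml, bundle_id, cert_der, udid, now):
    """Return the list of broken links between profile, app, certificate and device."""
    profile = plistlib.loads(profile_xml)
    problems = []
    # The App ID has two parts: "<team prefix>.<bundle id>"; the bundle id may end in "*".
    pattern = profile["Entitlements"]["application-identifier"].split(".", 1)[1]
    if pattern.endswith("*"):
        matches = bundle_id.startswith(pattern[:-1])
    else:
        matches = bundle_id == pattern
    if not matches:
        problems.append("app-id")
    # The signing certificate must be one of those embedded in the profile.
    embedded = {hashlib.sha256(c).digest() for c in profile.get("DeveloperCertificates", [])}
    if hashlib.sha256(cert_der).digest() not in embedded:
        problems.append("certificate")
    # The device must be listed unless the profile provisions all devices.
    if not profile.get("ProvisionsAllDevices", False):
        if udid not in profile.get("ProvisionedDevices", []):
            problems.append("device")
    if profile["ExpirationDate"] <= now:
        problems.append("expired")
    return problems

if __name__ == "__main__":
    print(check_profile(sample_profile(), "com.example.demo",
                        SAMPLE_CERT, SAMPLE_UDID, datetime(2022, 1, 1)))
```

An empty list means every link holds; each entry otherwise names the element that would block installation.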
There are two modes of distribution
The public distribution method
The development certificate is associated with the debug path. The production certificate can be associated with two types of paths:
1. Ad Hoc, which is a Release provisioning usually dedicated to Alpha testers.
   - Ad Hoc broadcasting works like an In-House deployment to a private server. Once the IPA is created, it must be deployed on a secure server so that authorized terminals (the Device IDs included in the provisioning) can download the application.
   - To distribute an application in Ad Hoc you will need to create an In House distribution certificate, declare the application via Apple Developer and generate the associated provisioning profile.
2. The App Store, which can also be distributed on two different environments:
   - On Test Flight (https://developer.apple.com/testflight/), which is an environment dedicated to Beta testers hosted on the App Store.
   - On the App Store, which is the official Apple store.
The company’s distribution method
The development certificate is associated with the debug path. The production certificate can be associated with two types of routes:
1. Ad Hoc, which is a Release provisioning usually dedicated to Alpha testers.
   - Ad Hoc broadcasting goes to a private server and is only installable by authorized terminals (Device IDs included in the provisioning).
   - To distribute an application in Ad Hoc you will need an In House distribution certificate and must declare it via Apple Developer to generate the associated provisioning profile.
2. In House, for a private server, for internal applications and without any “Device ID” restriction.
Different types of Certificates
Service extensions
Apple Push Notification Service (APNs) Certificate: to allow notifications to be sent. This certificate varies according to the environment, namely:
1. The Development environment, known as Sandbox
   - The token is created for a single terminal and will not work on the production push network. This certificate is free of charge and valid for 12 months.
2. The Production (or Ad Hoc) environment
   - This certificate is free of charge and valid for 13 months.
Apple Pay Payment Processing Certificate: to allow you to make transactions on mobile phones and websites with Apple Pay.
- This certificate is associated with the Merchant ID, which identifies the merchant entity. The Merchant ID is unique, does not expire and can be used on several media (website and applications). The certificate is free of charge and valid for 25 months.
Apple Pay Merchant Identity Certificate: to allow you to make payments on a website with Apple Pay.
This certificate is associated with the Merchant ID, which identifies the merchant entity. This identifier is unique, does not expire and can be used on several media (website and applications). The certificate is free of charge and valid for 25 months.
Pass Type ID Certificate (Wallet): this is the membership’s certificate in the Apple Developer Program. It allows users to update the application.
If this certificate has expired, users of the application will be able to continue using the application but will no longer be able to update it. This certificate costs $99 per year.
Distribution certificates
iOS Distribution Certificate (App Store): this certificate allows you to publish on the Apple Store.
It is associated with the Apple Developer Program. It costs $99 a year.
iOS Distribution Certificate (In House, internal use apps): this certificate allows you to publish in In House or Ad Hoc.
It is associated with the Apple Developer Program. This certificate costs $299 per year.
Development certificates
Developer ID Application Certificate (Mac applications)
Certificates created before 22 February 2017 are valid for 5 years.
Certificates created since 22 February 2017 are valid for 18 years.
Developer ID Installer Certificate (Mac applications)
Certificates created before 22 February 2017 are valid for 5 years.
Certificates created since 22 February 2017 are valid for 18 years.
The Apple Worldwide Developer Relations Certificate (WWDR)
Implemented since February 14, 2016.
Certificate that signs the conformity of Developer ID certificates.
Apple Worldwide Developer Relations Intermediate Certificate updates
Starting January 28, 2021, the digital certificates you use to sign your software for installation on Apple devices, submit apps to the App Store, and connect to certain Apple services will be issued from the new intermediate Apple Worldwide Developer Relations certificate that expires on February 20, 2030. Learn how to prepare for the new intermediate certificate.
Using the new certificate with Xcode
If you’re running Xcode 11.4.1 or later, you’ll receive the updated certificate automatically when you sign an app after January 28, 2021. If you’re running an earlier release of Xcode and need to generate new certificates, download and install the new intermediate certificate and utilize the command line to sign your app. You can also archive your build with your existing Xcode version and sign it for distribution with Xcode 11.4.1 or later.
Why is the Apple Worldwide Developer Relations Certification Authority being updated now if the current version doesn’t expire until 2023?
Certificates cannot be issued with a validity period that extends past the intermediate certificate’s expiration date. Updating the intermediate certificate allows developers to obtain certificates before expiration that last for the expected duration, and provides ample time to prepare for the expiration of the existing intermediate certificate.
Do I need to regenerate any of my certificates?
No. Your existing certificates will continue to function until expiration or revocation, whichever comes first.
Will customers be affected by the certificate renewal?
No. Customers who have installed apps from the App Store or Safari Extensions will not be affected by the certificate renewal.
Will my apps in development continue working?
Yes. The development versions of your apps will continue to run until the provisioning profile used to compile them expires or you revoke your signing certificate.
Will my in-house enterprise apps continue working?
Yes. All in-house enterprise apps for iOS, iPadOS, tvOS, or watchOS that you’ve deployed will continue to run as expected until the provisioning profile used to compile them expires or you revoke your signing certificate. The iOS Distribution Certificate for the Apple Developer Enterprise Program was updated on September 1, 2020. iOS Distribution Certificates generated as part of the Apple Developer Enterprise Program between February 7 and September 1, 2020, will expire on February 7, 2023. Rotate the certificate before expiration to ensure your apps are installed and signed with an active certificate.
Should I keep both intermediate certificates installed?
Yes. The intermediate certificate that expires on February 7, 2023, will continue to issue select Apple services certificates, including Apple Push Notification service (APNs) SSL certificates and Apple Wallet pass signing certificates, so you should keep both versions installed on your development systems and servers. See the complete list and timeline of certificate changes below.
In what cases should I continue using the certificate that expires in 2023?
Continue using the existing Apple Worldwide Developer Relations Intermediate Certificate (expiring in 2023) if you use any of the certificates signed with it that are listed below. These services will be updated with a new intermediate certificate (expiring in 2030) by the end of 2021. Keep both versions installed on your development systems and servers until later this year.
- Apple Push Notification service SSL (Sandbox)
- Apple Push Notification service SSL (Sandbox and Production)
- macOS Apple Push Notification service SSL (Production)
- Website Push ID
- WatchKit Services
- VoIP Services
- Pass Type ID
- Pass Type ID with NFC support
- App Store Receipt Signing
Is Developer ID signed software affected?
No. Developer ID signing certificates are associated with a different intermediate certificate and aren’t affected by this renewal.
Certificate update timeline
These certificates will be issued with the new intermediate certificate (expiring in 2030).
September 1, 2020
iOS Distribution for Enterprise Developer Program memberships
January 28, 2021
- Apple Development
- Apple Distribution
- iOS App Development
- iOS Distribution (App Store and Ad Hoc)
- Mac Development
- Mac App Distribution
- Mac Installer Distribution
- MDM CSR
- Apple Pay Merchant Identity
Updated by end of 2021
- Apple Push Notification service SSL (Sandbox)
- Apple Push Notification service SSL (Sandbox and Production)
- macOS Apple Push Notification service SSL (Production)
- Website Push ID
- WatchKit Services
- VoIP Services
- Pass Type ID
- Pass Type ID with NFC support
- App Store Receipt Signing
No changes
These certificates are not associated with the Apple Worldwide Developer Intermediate Certificate and are not affected by this change.
- Developer ID Application
- Developer ID Application with KEXT
- Developer ID Installer
- Apple Pay Payment Processing
How to renew your Apple Developer Distribution Certificate
Action Needed: Distribution Certificate Expires in 30 Days. Your Distribution Certificate will no longer be valid in 30 days. To generate a new certificate, sign in and visit Certificates, Identifiers & Profiles.
If you’ve received this email from Apple and don’t know what to do about it, I will walk you through the steps you need to take in order to generate a new Distribution Certificate to replace one that is set to expire soon. You may replicate these steps whether you need to renew an iOS, macOS, watchOS, or tvOS distribution certificate.
All it takes is a Mac, an internet connection, and about 5 minutes of your time.
How to generate a new Distribution Certificate
1) First, open the Keychain Access app on your Mac.
2) From the Menu Bar, go to Keychain Access > Certificate Assistant > Request Certificate From Certificate Authority…
3) Fill out the Certificate Information, including user email address, and full name. Leave CA Email Address field empty. Then make sure you select the request to be Saved to disk. Click Continue.
4) When prompted, select where you want to save the file. I always leave the file name untouched and save it to the Desktop so I can easily locate it. Click Save. The CertificateSigningRequest file will be saved to your Desktop. You may now close the Certificate Assistant window.
5) In your browser, log in to your developer account at developer.apple.com, then select Certificates, Identifiers & Profiles.
6) In this next step, make sure you select the Certificates section from the sidebar, then click on the “+” icon at the top. Depending on your needs, you may choose any of the following:
- Apple Development. Requires Xcode 11 or later but allows signing development versions of your iOS, macOS, tvOS, and watchOS apps.
- Apple Distribution (recommended). Allows you to sign your apps for submission to all App Stores or for Ad Hoc distribution. You must use Xcode 11 or later.
- iOS App Development. Create development-only versions of your iOS app.
- iOS Distribution (App Store and Ad Hoc). Create and sign your iOS app for submission to the iOS App Store or for Ad Hoc distribution.
- Mac Development. Create development-only versions of your Mac app.
- Mac App Distribution. This certificate lets you code sign your app and configure a Distribution Provisioning Profile for submission to the Mac App Store.
- Mac Installer Distribution. This certificate is used to sign your app’s Installer Package for submission to the Mac App Store.
Personally, I’d recommend using the new Apple Distribution certificate that opens all the doors for you in terms of development distribution and submission to all App Stores.
Once you’ve figured out the certificate you need, click Continue to move on to the next step.
7) Now we will upload the CertificateSigningRequest file we saved to our Desktop in step 4 above. Upload it to the portal and click Continue.
8) With your certificate created, you can now download it. Once you click the Download button, a new distribution.cer file will be automatically saved to your Desktop.
9) Finally, double-click the distribution.cer file. A prompt will ask you to “add the certificate from the file distribution.cer to a keychain.” Click Add to continue.
To conclude, you may now double check and verify everything looks good in both Keychain Access > My Certificates, and on the Apple Developer portal. If all is good, your newly created distribution certificate should be showing with an expiration date of one year from today.