iOS Code Signing: Provisioning Profiles

Josip Rezić
Published in codequest · 5 min read · Oct 6, 2021

Probably every iOS developer has spent hours (maybe even days) checking and fixing the code signing setup, (re)creating required certificates, registering new testing devices, etc.

One component of the code signing and sandbox machinery binds signing, entitlements, devices and the sandbox together: provisioning profiles.

Introduction

One of the key elements behind Apple’s success is simplicity. More than being flashy or eye-catching, Apple designs things to look clean, simple, and straightforward. But when it comes to application signing, certificates, entitlements and profiles, “simple” is probably the last word I would use.

I have been an iOS developer for a few years now and one thing that still annoys me is Code Signing & Provisioning. Why do I need to create all these different kinds of certificates, entitlements, and profiles? Why do I need to care about such things as a developer?

In this article, I will try to help those who might be really confused to find meaning in all of this, which sometimes seems like chaos and pointless complexity.

What is a provisioning profile?

Apple defines a provisioning profile as follows:

“A provisioning profile is a collection of digital entities that uniquely ties developers and devices to an authorized iPhone Development Team and enables a device to be used for testing.”

Put simply, a provisioning profile is the missing link between the device and the developer account: it contains all the information related to the development team, certificates, entitlements, and registered devices. During development you can choose which devices can run your application and which application services your application can access.

Why do we need them?

You might be wondering why iOS applications need provisioning in the first place. The reason is that Apple wants to provide a safe and stable experience for the end user.

Unlike on Android, you can’t install just any application on an iOS device. It has to be signed by Apple first. To accomplish this, Apple has set up a chain of trust that connects Apple, link by link, to your compiled application.

When you are developing an application, you probably want to test it before sending it to Apple for approval. During development, you choose which devices can run your application and which services your application can access. A provisioning profile is downloaded from your developer account and embedded in the application bundle, and the entire bundle is code-signed. A Development Provisioning Profile must be installed on each device on which you wish to run your application code. If the information in the provisioning profile doesn’t match certain criteria, your application won’t launch.

Types of Provisioning Profiles

There are two main types of provisioning profiles: Development and Distribution. Additionally, there are different subtypes of Distribution profiles. All types of profiles are linked to your Apple Developer account.

Development (Development)

Development provisioning profiles are used by developers who want to test their applications on a physical device while writing code. With one, they can deploy an application to an iPhone using Xcode’s Run command.

Ad Hoc (Distribution)

An Ad Hoc provisioning profile is used later in the development process, particularly when you want to distribute your app to a small or medium-sized group of testers who are not included in the iOS developer program for your organization. These profiles are very commonly used to distribute an app to testers via a third-party testing service.

Enterprise (Distribution)

An Enterprise provisioning profile enables large enterprises to distribute in-house applications to enterprise-approved devices independently of the App Store.

App Store (Distribution)

App Store provisioning profiles are used for TestFlight or App Store application distribution.

What information does it contain?

Provisioning profiles may contain signing certificates, provisioned device identifiers, application entitlements, and a bundle identifier. Keep in mind that different types of signing certificates contain different pieces of information.

Signing certificate

The code signing certificate is a way to assure end-users that the source code of an application hasn’t been changed since the last time it was signed by the developer.

Device identifiers

Every iOS device has a Unique Device Identifier (UDID) assigned to it. This identifier has to be provided to the app owner in order to register the iOS phone as a testing device.

Application entitlements

Entitlements are key-value pairs that grant an executable permission to use a service or technology. An entitlement is a right or privilege that grants an executable particular capabilities.

Bundle identifier

A bundle identifier or bundle ID uniquely identifies an application in Apple’s ecosystem. Two applications cannot have the same bundle identifier.

Where can I find installed provisioning profiles?

All your provisioning profiles should be located in the following directory:

To find what code identities are currently installed on your machine, type and execute the following command from your terminal:

How to read the contents of provisioning profiles?

To read the contents of a provisioning profile, use the following command:

To read and verify provisioning profiles, you can use the openssl command as well:

The command above will return the raw content which could be stored and shown in a property list form. To create a .plist file, use the following command:

Also, you can use Quick Look to check the contents of your provisioning profile. Simply find your file by using Finder, select a provisioning profile you want to check, and press the Space bar to see the basic information.
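The following Python sketch is an added example, not code from the original article. It carves the embedded property list out of a profile and checks the fields described under “Types of Provisioning Profiles” and “What information does it contain?”. The key names are the ones found in profile property lists, the type classification is a common heuristic rather than an Apple-documented rule, and the sample profile (team ID, UDID, dates) is constructed.

```python
import plistlib
from datetime import datetime

def extract_plist(blob: bytes) -> dict:
    """Carve the XML plist out of a .mobileprovision blob.
    This does NOT verify the CMS signature that wraps the plist."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no embedded property list found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def profile_type(p: dict) -> str:
    """Heuristic classification from the profile's own keys (an assumption)."""
    if p.get("ProvisionsAllDevices"):
        return "Enterprise"
    if "ProvisionedDevices" in p:
        debuggable = p.get("Entitlements", {}).get("get-task-allow", False)
        return "Development" if debuggable else "Ad Hoc"
    return "App Store"

def audit(p: dict, now: datetime) -> list:
    """Flag settings a reviewer would want to look at before distribution."""
    ents = p.get("Entitlements", {})
    findings = []
    if p["ExpirationDate"] <= now:
        findings.append("expired")
    if ents.get("application-identifier", "").endswith("*"):
        findings.append("wildcard app ID")
    if profile_type(p) != "Development" and ents.get("get-task-allow"):
        findings.append("debuggable distribution profile")
    return findings

# Constructed sample: a plist wrapped in placeholder bytes standing in for the
# CMS envelope. Team ID, UDID and dates are made up for illustration.
SAMPLE = b"\x30\x82\x0f\xff" + plistlib.dumps({
    "Name": "Example Ad Hoc",
    "TeamIdentifier": ["ABCDE12345"],
    "ExpirationDate": datetime(2022, 10, 6),
    "ProvisionedDevices": ["00008030-000000000000002E"],
    "Entitlements": {
        "application-identifier": "ABCDE12345.*",
        "get-task-allow": False,
    },
}) + b"\x00\x00"

if __name__ == "__main__":
    prof = extract_plist(SAMPLE)
    print(profile_type(prof), audit(prof, datetime(2023, 1, 1)))
```

Because the signature is not checked here, treat the output as a description of what the file claims, not as proof that Apple issued it.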

Conclusion

The code signing and provisioning machinery is probably one of the most complex things an iOS developer has to deal with.

While it helps to understand the components at work, it still can be very difficult to keep under control, especially when working in teams. Creating, updating and passing around profiles and certificates can be very unwieldy and time-consuming.

Although all of this effort is very tedious for the developer, it has made iOS arguably one of the most secure end-user computing platforms out there.

