iOS Code Signing & Provisioning in a Nutshell
I have been developing apps for more than 3 years now and one thing that still annoys me is Code Signing and Provisioning in iOS. What are Signing Identities? Why do I need to create Provisioning Profiles and care about such things as a developer? If you don't have any good answers to those questions and really don't want to read through the Apple Docs, this hopefully is the article that exposes the whole process for you, and for me as a reference, in less than 5 minutes.
I am sure many of you can learn things fast just by reading through a text, but what I really like is to get things explained in a visual way, with boxes and arrows. So the biggest problem for me is that there is no chart or graphic that cherry-picks all the relevant parts and shows how everything works together in an easy-to-understand way. This is the reason why I will try to create one at the end of this post. Let's get started.
First, let us collect the major terms you will stumble upon when trying to find anything related to Provisioning and Code Signing on the Internet.
- Member Center
- Signing Identity
- Private & Public Key
- Provisioning Profile
- App ID
Xcode & Member Center
If you are an iOS developer you will usually use Xcode to create and manage your app and its resources and to upload them to the App Store. This is all you need to know about Xcode to follow along with this post. If you want to read more about it, click here: Xcode
After you have registered for the Apple Developer Program you will be able to log in to the Member Center. This is the place where you create Provisioning Profiles, App IDs, Certificates etc. Parts of the Member Center are directly connected with Xcode: for instance, you can see and create your Signing Identities or download and refresh Provisioning Profiles from Xcode's account preferences.
Signing Identity, Public & Private Key, Keychain Application
One thing we need to clear up is the term Signing. Signing your app lets iOS identify who signed it and verify that it hasn't been modified since it was signed. The Signing Identity consists of a certificate issued by Apple and the matching private key. The key pair itself is not created by Apple: it is generated on your Mac, and only the public half ever leaves it (first inside the certificate request, later inside the certificate). The two halves have opposite roles: the private key produces a signature, and anyone holding the public key can verify that signature but cannot forge one. That is why the private key must stay private.
Where does the key pair come from, and how do you request a certificate for it? All this happens when you create a Certificate Signing Request (CSR) through the Keychain Access application ("Request a Certificate From a Certificate Authority"). Keychain Access generates a private key, stores it in your keychain, and writes a .certSigningRequest file containing the public key plus your name and e-mail address, which you then upload to the Member Center. Apple checks the request and issues a certificate that contains that same public key, signed by Apple's intermediate certificate authority. You download the certificate and import it into Keychain Access by double-clicking it; Keychain Access then pairs it with the private key whose public half matches. Certificate plus private key is your Code Signing Identity, and it is what codesign uses to produce the signature for your application.
The certificate is also available through the Member Center, but it only contains the public key; the private key exists only on the Mac that created the CSR, so keep it safe and back it up. If you lose it (a new Mac without migrating the keychain, for example), the certificate becomes useless and you have to revoke it and request a new one. Keychain Access can export the identity (certificate and private key together) as a password-protected .p12 file so you can move it to another machine.
An intermediate certificate, the Apple Worldwide Developer Relations Certification Authority (WWDR), also needs to be in your keychain. Your developer or distribution certificate is issued by this intermediate, which in turn is issued by Apple's root CA, and the chain can only be verified if every link is present. Xcode installs the intermediate automatically, so you rarely need to care about it; if Keychain Access shows your certificate as "not trusted" or codesign complains that it cannot build the certificate chain, a missing or expired WWDR intermediate is the usual cause, and downloading it again from Apple fixes it.
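The CSR flow described above, reproduced with the openssl command line. This is an added example and not code from the original post or from Apple: it mirrors what Keychain Access does when you request a certificate (a 2048-bit RSA key pair generated locally, a CSR carrying only the public key and the requested name and e-mail), and it stands in for Apple's side with a throwaway self-signed CA so that the whole flow runs offline. The fake CA, the developer name and the e-mail address are assumptions; the `openssl` command must be on PATH.

```python
"""Walk the key -> CSR -> certificate flow from the post with the openssl CLI.

Added example, not part of the original post. It mirrors what Keychain
Access does behind "Request a Certificate From a Certificate Authority":
a 2048-bit RSA key pair is generated on your machine and only the CSR
(public key plus the requested name and e-mail) leaves it. Apple's part,
the WWDR intermediate CA signing the request, is simulated with a
throwaway local CA so everything runs offline; that CA, the names and the
e-mail address are assumptions. Needs the `openssl` command on PATH.
"""
import subprocess
import tempfile
from pathlib import Path


def openssl(*args):
    """Run one openssl subcommand and return its stdout."""
    return subprocess.run(["openssl", *args], check=True,
                          capture_output=True, text=True).stdout


def create_csr(workdir, email, common_name):
    """Private key plus CSR (steps 2-4 of the chart at the end of the post).
    -nodes leaves the key unencrypted, acceptable inside the temporary
    directory used here; Keychain Access protects the real one in the
    login keychain."""
    key = workdir / "developer.key"
    csr = workdir / "CertificateSigningRequest.certSigningRequest"
    openssl("req", "-new", "-newkey", "rsa:2048", "-nodes",
            "-keyout", str(key), "-out", str(csr),
            "-subj", f"/emailAddress={email}/CN={common_name}/C=US")
    return key, csr


def simulate_apple_ca(workdir):
    """Stand-in for Apple's WWDR intermediate CA (assumption: a self-signed local CA)."""
    ca_key = workdir / "fake_wwdr.key"
    ca_cert = workdir / "fake_wwdr.pem"
    openssl("req", "-x509", "-new", "-newkey", "rsa:2048", "-nodes", "-days", "1",
            "-keyout", str(ca_key), "-out", str(ca_cert),
            "-subj", "/CN=Fake WWDR Intermediate (example only)")
    return ca_key, ca_cert


def issue_certificate(workdir, csr, ca_key, ca_cert):
    """The CA signs the request (chart steps 5-7). The certificate carries the
    public key copied from the CSR; the CA never sees the private key."""
    cert = workdir / "ios_development.cer"
    openssl("x509", "-req", "-in", str(csr), "-CA", str(ca_cert), "-CAkey", str(ca_key),
            "-CAcreateserial", "-days", "1", "-out", str(cert))
    return cert


def public_key_of(path, kind):
    """PEM public key taken from a private key, a CSR or a certificate."""
    args = {"key": ("pkey", "-in", str(path), "-pubout"),
            "csr": ("req", "-in", str(path), "-noout", "-pubkey"),
            "cert": ("x509", "-in", str(path), "-noout", "-pubkey")}[kind]
    return openssl(*args)


def run_flow():
    """Run the whole flow and report the facts the post relies on."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        key, csr = create_csr(work, "jane@example.com", "Jane Developer")
        ca_key, ca_cert = simulate_apple_ca(work)
        cert = issue_certificate(work, csr, ca_key, ca_cert)
        key_pub = public_key_of(key, "key")
        return {
            # What gets uploaded to Apple is a request, never a private key.
            "csr_contains_private_key": "PRIVATE KEY" in csr.read_text(),
            "csr_pubkey_matches_key": public_key_of(csr, "csr") == key_pub,
            # Keychain Access pairs the downloaded certificate with the private
            # key by exactly this match, which forms the signing identity.
            "cert_pubkey_matches_key": public_key_of(cert, "cert") == key_pub,
            "cert_issuer": openssl("x509", "-in", str(cert), "-noout", "-issuer").strip(),
        }


if __name__ == "__main__":
    for fact, value in run_flow().items():
        print(f"{fact}: {value}")
```

The three `public_key_of` calls all print the same SubjectPublicKeyInfo block, which is the one thing the private key, the CSR and the issued certificate have in common; the private key itself never appears in the CSR, and the issuer of the returned certificate is the CA that signed the request, not you.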
Provisioning Profile & App ID
As we know, Apple likes to keep things secure, so it is not possible to install an app on any iOS device out there using only the certificate. This is where Provisioning Profiles come in. A Provisioning Profile must be installed on each device your application code should run on (Xcode embeds it in the app bundle and installs it together with the app). Each Development Provisioning Profile contains a set of iPhone Development Certificates, the Unique Device Identifiers (UDIDs) of the allowed devices, an App ID, and the entitlements the app is allowed to use (push notifications, iCloud, keychain sharing and so on). An App ID is a two-part string used to identify one or more apps from a single development team: your Team ID followed by a bundle ID, which may end in a wildcard (for example ABCDE12345.com.example.myapp, or ABCDE12345.* for every app of the team).
Devices specified in a Development Provisioning Profile can be used for testing only by those individuals whose Development Certificates are included in the profile. A single device can hold multiple provisioning profiles. The difference between Development and Distribution Profiles is that an App Store Distribution Profile doesn't specify any device IDs: a build signed with it can only be installed through the App Store, never directly from Xcode. If you want to release an app outside the store to a limited number of registered devices, you need an Ad Hoc Distribution Profile, which does list device IDs but is used with your Distribution Certificate and does not allow a debugger to attach.
Here is the chart I came up with. If you discover some things I missed or explained the wrong way, please let me know. As I said, this is the first time I really tried to wrap my head around the innards of Provisioning and Code Signing. I know that there is a lot more to talk about, but I think this is a good start for everything around this topic. I will try to keep this post up to date and fix everything wrong as fast as I can.
- Xcode will be installed and the Intermediate Certificate will be pushed into the Keychain
- Certificate Signing Request (CSR) will be created.
- Private Key will be generated along with the CSR and stored in the Keychain
- CSR will be uploaded to the Member Center
- Apple will check the request and issue the Certificate
- Certificate will be downloaded to your Computer
- The Certificate will be pushed into the Keychain and paired with the private key to form the Code Signing Identity
- The Provisioning Profile will be created from a Certificate, an App ID and Device Identifiers and downloaded by Xcode
- Xcode will sign the App with the Code Signing Identity, embed the Provisioning Profile in the app bundle and install it on the Device
- iOS will check that everything is configured correctly. That means that the Provisioning Profile must include the Certificate you used to sign the App, your Device's UDID and an App ID that matches the app's bundle identifier, and it must not have expired.
- Your App should be running now!
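The last check in the chart, worked through in code. This is an added example, not code from the original post or from Apple: it models the inner plist of a .mobileprovision file (the CMS signature wrapper that a real profile carries is assumed to have been stripped already) and applies the same three conditions iOS applies, plus the expiry date. The Team ID, the device UDID, the sample profiles and the "certificate" bytes are all constructed for the example; the placeholder bytes are not real DER certificates.

```python
"""Check the inner plist of an iOS provisioning profile the way iOS does.

Added example, not from the original post. A .mobileprovision file is a
CMS (PKCS#7) signature wrapping an XML plist; this code works on that
inner plist only. The profiles, Team ID, UDID and certificate bytes below
are constructed for the example (the 'certificates' are placeholder bytes,
not real DER).
"""
import plistlib
from datetime import datetime, timedelta

TEAM_ID = "ABCDE12345"                      # assumed 10-character Team ID
DEVICE_UDID = "00008030-000A1B2C3D4E5F67"   # constructed device identifier
NOW = datetime(2024, 6, 1)                  # fixed "current time" for reproducibility
AFTER_EXPIRY = datetime(2026, 1, 1)         # a time after every sample profile expired

# Placeholders for the DER-encoded developer certificates a real profile
# lists under DeveloperCertificates (constructed, not real certificates).
ALICE_CERT_DER = b"\x30\x82\x01\x00 alice iOS Development"
BOB_CERT_DER = b"\x30\x82\x01\x00 bob iOS Development"


def build_profile(name, certs, devices, app_id, development):
    """Return plist bytes with the keys a real profile payload carries.

    devices=None models an App Store distribution profile, which lists no
    devices at all; development=True sets get-task-allow (debuggable)."""
    created = datetime(2024, 1, 1)
    profile = {
        "Name": name,
        "TeamIdentifier": [TEAM_ID],
        "ApplicationIdentifierPrefix": [TEAM_ID],
        "DeveloperCertificates": list(certs),
        "Entitlements": {
            "application-identifier": app_id,
            "com.apple.developer.team-identifier": TEAM_ID,
            "get-task-allow": development,
        },
        "CreationDate": created,
        "ExpirationDate": created + timedelta(days=365),
    }
    if devices is not None:
        profile["ProvisionedDevices"] = list(devices)
    return plistlib.dumps(profile)


def app_id_matches(app_id, team_id, bundle_id):
    """An App ID is '<Team ID>.<bundle ID>'; a wildcard App ID ends in '*'
    and matches every bundle ID that starts with the given prefix."""
    full_id = f"{team_id}.{bundle_id}"
    if app_id.endswith("*"):
        return full_id.startswith(app_id[:-1])
    return full_id == app_id


def check_profile(plist_bytes, signing_cert_der, udid, bundle_id, now=NOW):
    """Return the reasons iOS would refuse to run the app; [] means it runs."""
    profile = plistlib.loads(plist_bytes)
    problems = []
    if now >= profile["ExpirationDate"]:
        problems.append("profile expired on " + profile["ExpirationDate"].date().isoformat())
    if signing_cert_der not in profile["DeveloperCertificates"]:
        problems.append("signing certificate is not listed in DeveloperCertificates")
    app_id = profile["Entitlements"]["application-identifier"]
    if not app_id_matches(app_id, profile["TeamIdentifier"][0], bundle_id):
        problems.append(f"bundle ID {bundle_id} does not match App ID {app_id}")
    if "ProvisionedDevices" in profile:
        if udid not in profile["ProvisionedDevices"]:
            problems.append(f"device {udid} is not listed in ProvisionedDevices")
    elif not profile.get("ProvisionsAllDevices", False):
        # No device list and not an enterprise (in-house) profile: this is an
        # App Store profile, which only installs through the App Store.
        problems.append("App Store profile: cannot be installed directly on a device")
    return problems


# Constructed sample profiles, one per type discussed in the post.
DEV_PROFILE = build_profile("My App Development", [ALICE_CERT_DER, BOB_CERT_DER],
                            [DEVICE_UDID], f"{TEAM_ID}.com.example.myapp", True)
WILDCARD_DEV_PROFILE = build_profile("Team Wildcard", [ALICE_CERT_DER],
                                     [DEVICE_UDID], f"{TEAM_ID}.*", True)
APPSTORE_PROFILE = build_profile("My App App Store", [ALICE_CERT_DER],
                                 None, f"{TEAM_ID}.com.example.myapp", False)

if __name__ == "__main__":
    for label, profile, cert, udid, bundle in [
        ("dev, everything matches", DEV_PROFILE, ALICE_CERT_DER, DEVICE_UDID, "com.example.myapp"),
        ("dev, unknown device", DEV_PROFILE, ALICE_CERT_DER, "00008030-UNREGISTERED", "com.example.myapp"),
        ("wildcard, other bundle ID", WILDCARD_DEV_PROFILE, ALICE_CERT_DER, DEVICE_UDID, "com.example.other"),
        ("app store profile on a device", APPSTORE_PROFILE, ALICE_CERT_DER, DEVICE_UDID, "com.example.myapp"),
    ]:
        print(label, "->", check_profile(profile, cert, udid, bundle) or "OK")
```

On a real Mac the inner plist is obtained with `security cms -D -i embedded.mobileprovision`, and the signing certificate to compare against is the one `codesign -dvvv MyApp.app` reports; everything else in the check is a plain lookup in the profile, which is why a mismatch between the certificate Xcode picked and the profile it embedded is the most common reason for the "valid provisioning profile not found" failure.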