Inside Code Signing

1. Code Signing需要的基礎組件: 證書，私鑰

As an iOS developer, chances are you have a certificate, a public key, and a private key on your development machine.

To use a certificate for signing, you need the private key.

A: 在OS X Keychain Access(鑰匙鏈)中可以看到證書。

B: 下面的命令也可以看證書。

$ security find-identity -v -p codesigning

2. 證書(certificate)

"A certificate is — very broadly speaking — a public key combined with a lot of additional information

that was itself signed by some authority (also called a Certificate Authority, or CA) to state that the

information in the certificate is correct. In this case, the authority is Apple’s authority for developer stuff,

the Apple Worldwide Developer Relations CA. " Ref[1]

2.1 iOS開發中的兩個證書: iPhone Developer 和 iPhone Distribution 分別為前綴的證書。

This private key is what you use to sign the binaries with. Without the private key,

you cannot use the certificate and public key to sign anything.

代碼簽名本身使用的是: codesign 命令行工具。

"The signature for any signed executable is embedded inside the Mach-O binary file format,

or in the extended file system attributes if it’s a non-Mach-O executable, such as a shell script." Ref[1]

2.2 使用私鑰和證書對app進行簽名

If you have a certificate and its private key, it’s simple to sign a binary by using thecodesigntool.

Let’s signExample.appwith the identity listed above:

A: 為一個App進行簽名

$ codesign -s 'iPhone Developer: Thomas Kollbach (7TPNXN7G6K)' Example.app

B: 替換原來的簽名 (即: 重新簽名)

$ codesign -f -s 'iPhone Developer: Thomas Kollbach (7TPNXN7G6K)' Example.app

C: 查看App的簽名信息

$ codesign -vv -d Example.app

will tell you a few things about the code signing status ofExample.app:

D: 確認/查證 App的簽名

$ codesign --verify Example.app

2.3 Bunldes 和 Resource

"When signing a bundled application, the resources are signed as well. " Ref[1]

"the signing process creates a_CodeSignature/CodeResourcesfile inside the bundle." Ref[1]

2.4 Entitlements 和 Provisioning

spctl 這個工具是什么?

spctl, which manages the system’s security assessment policy.

2.4.1 Entitlements

"Code signing is used to ensure that the application actually contains only what it says on the box — nothing

more and nothing less. The sandbox restricts access to system resources." Ref[1]

"Entitlements specify which resources of the system an app is allowed to use, and under what conditions." Ref[1]

.entitlements文件的創建：

"This is the XML generated by Xcode after clicking around in theCapabilitiestab and enabling a few things.

Xcode automatically generates an.entitlementsfile and adds entries to it, as needed." Ref[1]

Adding Capabilities

"it can help to look at what the signature actually says about the entitlements:

$ codesign -d --entitlements - Example.app " Ref[1]

以上命令顯示app的簽名中包含的entitlements有哪些。

2.4.2 Provisioning Profile

"A provisioning profile is a container for the information needed by the operating

system to decide if it can let your app run." Ref[1]

Provisioning Profile可以使App在開發機上運行，也可以進行ad-hoc/enterprise發布，

那么正式的發布需要Provisioning Profile嗎？ 推測是需要的。

"A provisioning profile is a collection of all the components needed to determine if a particular app can

run on a particular device. Provisioning profiles are used to enable app debugging on development devices,

and also for ad-hoc and enterprise distribution. Xcode will embed the provisioning profile you select in

the project settings within the app." Ref[1]

Provisioning Profiles 在文件系統的位置

"~/Library/MobileDevices/Provisioning Profiles, which is where Xcode keeps all the profiles downloaded

from Apple’s developer portal." Ref[1]

Provisioning Profiles的文件格式：

It is a file encoded in the Cryptographic Message Syntax，該語法由RFC 3852來描述。

查看Provisioning Profiles

$ security cms -D -i example.mobileprovision

以上命令的輸出是XML形式的Plist。

該Plist文件中的key

DeveloperCertificates key，這個key是證書的列表。

"The certificates are Base64 encoded and in PEM format (Privacy Enhanced Mail,RFC 1848)."

$ openssl x509 -text -in file.pem

ProvisionedDevices key

"If you are looking at a development certificate, you will also find aProvisionedDeviceskey,

which contains a list of all the devices you set up for this provisioning profile." Ref[1]

---

Items

code signing

device provisioning

Entitlements: 權利

Provisioning

Personal Information Exchange format (.p12)

X.509

---

Reference

1. Inside Code Signing

http://www.objc.io/issue-17/inside-code-signing.html

2. Code Signing Guide (ToRead)

https://developer.apple.com/library/mac/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html

3. man codesign

4.How to Show & Verify Code Signatures for Apps in Mac OS X

https://osxdaily.com/2016/03/14/verify-code-sign-apps-mac-os-x/

5.How to check signatures on apps, installers, andpackages

https://eclecticlight.co/2019/10/25/how-to-check-signatures-on-apps-installers-and-packages/

6.Checking Code Signing and Sandboxing Status in Code

https://oleb.net/blog/2012/02/checking-code-signing-and-sandboxing-status-in-code/

7.How to verify app signatures

https://medium.com/@andrew.perfiliev/how-to-verify-app-signatures-43fd5cd1bd3d

總結

以上是生活随笔為你收集整理的iOS.CodeSign的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。