Inside Code Signing

 

1. Code Signing需要的基础组件: 证书,私钥 

As an iOS developer, chances are you have a certificate, a public key, and a private key on your development machine. 

To use a certificate for signing, you need the private key.

A: 在OS X Keychain Access(钥匙链)中可以看到证书。 

B: 下面的命令也可以看证书。

$ security find-identity -v -p codesigning

2. 证书(certificate)

“A certificate is — very broadly speaking — a public key combined with a lot of additional information

that was itself signed by some authority (also called a Certificate Authority, or CA) to state that the

information in the certificate is correct. In this case, the authority is Apple’s authority for developer stuff,

the Apple Worldwide Developer Relations CA. ” Ref[1]

2.1 iOS开发中的两个证书: iPhone DeveloperiPhone Distribution 分别为前缀的证书。

This private key is what you use to sign the binaries with. Without the private key,

you cannot use the certificate and public key to sign anything.

代码签名本身使用的是: codesign 命令行工具。

“The signature for any signed executable is embedded inside the Mach-O binary file format,

or in the extended file system attributes if it’s a non-Mach-O executable, such as a shell script.” Ref[1]

2.2 使用私钥和证书对app进行签名

If you have a certificate and its private key, it’s simple to sign a binary by using the codesign tool.

Let’s sign Example.app with the identity listed above:

A: 为一个App进行签名

$ codesign -s 'iPhone Developer: Thomas Kollbach (7TPNXN7G6K)' Example.app

B: 替换原来的签名 (即: 重新签名)

$ codesign -f -s ‘iPhone Developer: Thomas Kollbach (7TPNXN7G6K)’ Example.app

C: 查看App的签名信息

$ codesign -vv -d Example.app 

will tell you a few things about the code signing status of Example.app:

D: 确认/查证 App的签名

$ codesign –verify Example.app

2.3 Bunldes 和 Resource

“When signing a bundled application, the resources are signed as well.  ” Ref[1]

“the signing process creates a _CodeSignature/CodeResources file inside the bundle. ”  Ref[1]

2.4 Entitlements 和 Provisioning

spctl 这个工具是什么?

spctl, which manages the system’s security assessment policy.

2.4.1 Entitlements

“Code signing is used to ensure that the application actually contains only what it says on the box — nothing

more and nothing less. The sandbox restricts access to system resources. ” Ref[1]

Entitlements specify which resources of the system an app is allowed to use, and under what conditions.” Ref[1]

.entitlements文件的创建:

“This is the XML generated by Xcode after clicking around in the Capabilities tab and enabling a few things.

Xcode automatically generates an .entitlements file and adds entries to it, as needed. ” Ref[1] 

Adding Capabilities

“it can help to look at what the signature actually says about the entitlements: 

$ codesign -d --entitlements - Example.app " Ref[1]

以上命令显示app的签名中包含的entitlements有哪些。

2.4.2 Provisioning Profile

“A provisioning profile is a container for the information needed by the operating

system to decide if it can let your app run.” Ref[1]

Provisioning Profile可以使App在开发机上运行,也可以进行ad-hoc/enterprise发布,

那么正式的发布需要Provisioning Profile吗? 推测是需要的。

“A provisioning profile is a collection of all the components needed to determine if a particular app can

run on a particular device. Provisioning profiles are used to enable app debugging on development devices,

and also for ad-hoc and enterprise distribution. Xcode will embed the provisioning profile you select in

the project settings within the app. ” Ref[1]

Provisioning Profiles 在文件系统的位置

"~/Library/MobileDevices/Provisioning Profiles, which is where Xcode keeps all the profiles downloaded

from Apple’s developer portal.” Ref[1] 

Provisioning Profiles的文件格式:

It is a file encoded in the Cryptographic Message Syntax,该语法由 RFC 3852 来描述。

查看Provisioning Profiles

$ security cms -D -i example.mobileprovision

以上命令的输出是XML形式的Plist。

该Plist文件中的key

DeveloperCertificates key,这个key是证书的列表。

“The certificates are Base64 encoded and in PEM format (Privacy Enhanced Mail, RFC 1848).”

$ openssl x509 -text -in file.pem

ProvisionedDevices key

“If you are looking at a development certificate, you will also find a ProvisionedDevices key,

which contains a list of all the devices you set up for this provisioning profile.” Ref[1]


Items 

code signing

device provisioning 

Entitlements: 权利

Provisioning 

Personal Information Exchange format (.p12) 

X.509


Reference

1. Inside Code Signing

http://www.objc.io/issue-17/inside-code-signing.html

2. Code Signing Guide (ToRead)

https://developer.apple.com/library/mac/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html

3. man codesign

4. How to Show & Verify Code Signatures for Apps in Mac OS X

How to Show & Verify Code Signatures for Apps in Mac OS X

5. How to check signatures on apps, installers, and packages

https://eclecticlight.co/2019/10/25/how-to-check-signatures-on-apps-installers-and-packages/

6. Checking Code Signing and Sandboxing Status in Code

https://oleb.net/blog/2012/02/checking-code-signing-and-sandboxing-status-in-code/

7. How to verify app signatures

https://medium.com/@andrew.perfiliev/how-to-verify-app-signatures-43fd5cd1bd3d