Code Signing for iOS Please leave a comment if you have any questions.

E-mail: [email protected] Weibo: @RocZhang Twitter: @lighters9673

Post 1: introduction

This is the first in a series of tutorials on iOS code signing. This series covers the basics of the iOS code signing process. The entire series is:

  • Signing for iOS Code: 1. Getting Started
  • IOS Code Signing: 2. Certificate Signing Requests
  • Signing for iOS Code: 3
  • IOS Code Signing: 4. Provisioning Profiles
  • Signing for iOS App: 5

Typically, iOS devices can only run apps signed by trusted developers, unless the device has been jailbroken. If you’re an iOS engineer, you’ve certainly dealt with code signing in some way. Because code signing is one of the most painful and tedious tasks every iOS developer can’t escape, code signing and Provisioning profiles will be a constant annoyance unless developers fully understand the basics of code signing. This is an introduction to the process of code signing and its benefits and limitations.

About this series

Code signing for iOS apps is a hot topic for every iOS developer. Despite all the resources already available on the web and clear documentation from Apple, it still seems like a mystery. In this series, we’ll try to understand code signing from the ground up, including what it requires, and how code signing itself is handled. We’ll also explore how to do this using the GUI and command line. We’ll start with the Certificate Signing Request to get an iOS development Certificate, after which we’ll talk about the Certificate and its internal components. After understanding certificates, we’ll dive into Provisioning Profiles, and finally we’ll be able to understand the whole process of code signing. This series of articles was written by myself by researching online sources and Apple documentation, and I have included these citations in the last article. I also included some screenshots from the Apple Developer website and Xcode to help readers understand the concepts. I have tried to hide so sensitive content, but if there is still accidentally exposed, but also please do not black me 🙂.

Code signing

Before we get into the way Apple signs code for iOS apps, let’s take a look at code signing in general. In real life, we sign all kinds of contracts and agreements. So why sign it? Why are signatures so important to us? Usually this is because signing a contract protects us legally and we believe that nothing in the contract will be tampered with. Signatures also ensure that contracts are secured by trusted institutions, not fraudsters. This means that signing contracts gives us safety, security and trust.

Similarly, code signing is the digital signing of code to ensure who wrote it and that the code was not changed or corrupted when it was signed. Code signature uses cryptographic hash algorithms to verify the authenticity and integrity of software code. In the software world, code signature ensures the identity of the author, the integrity of the code, the build system and version, so that users of the software can feel reliable and secure when using it. Code signature uses a variety of security items such as private key, public key, certificate, digital signature, etc. Different code signing methods are used on different platforms such as Linux, Windows, and macOS.

IOS code signing

Apple is said to have very strong security mechanisms, aside from some of the glitches you may have seen in the news recently. It’s hard for hackers to break the security mechanism. Apple also uses a very strong code signing mechanism to ensure the security and integrity of iOS apps downloaded from the Apple App Store. For the most part, iOS code signing is like dark magic that happens behind the scenes. If it works well, everyone is happy, but when it goes wrong, everyone panics. Most iOS engineers don’t know much about the behind-the-scenes signing process. Apple recently released ‘Automatic Signing’ to help reduce the pain of Signing code so that it doesn’t interrupt the main development process. Code signing on The Apple platform relies on x.509 standard public key encryption, and we’ll discuss these tools and techniques later in this series.

Why learn iOS code signing

Most of the work of code signing today is handled by Xcode, so why should we care about code signing and why invest the time to learn about it?

Here are some reasons why you should learn the internals of code signing:

  • Gone are the days when iOS engineers deployed iOS apps directly from Xcode installed on their local machine. Companies today are using DevOps and CI/CD to build software so that all builds can be done automatically without human interaction or GUI interaction.
  • Developers have spent a lot of time trying to fix Xcode signing problems by regenerating and repairing certificates and configuration files because Xcode code signing failed. Third-party tools like Fastlane make it easier for iOS developers to create build scripts. However, when Apple makes changes in the underlying technology, Fastlane becomes unusable, and developers spend hours, days, or even weeks fixing broken deployment scripts. In some cases, engineers must wait until Fastlane implements the new changes.
  • If you’re an iOS developer or engineer and just want to be an iOS engineer all the time, you don’t need to learn this. But if you want to grow in your career, you need to understand these underlying tools, technologies, and the entire iOS ecosystem in detail. If you don’t understand these underlying technologies, no matter how good you are at iOS development, it won’t make you an iOS technical lead or an iOS technical architect. As a technical architect, you should be able to quickly fix code signing or similar infrastructure problems without relying on Xcode or other third-party tools.

Hopefully this is enough to prove the importance of code signing. It’s up to you to study or leave.

A prerequisite for

Let’s get into the world of iOS code signing. We’ll cover everything from scratch and what we do at the bottom. To start, we need the following preparations:

  • macOS
  • Apple Developer Membership
  • Xcode 9+

With all of this in place, you’re ready to dive into iOS code signing.

Benefits of code signing

Apple made us go through the tedious process of signing code because it was good for the user. When users download an App from the Apple App Store, they feel safe because the code signature ensures that:

  • The code is written by a legitimate developer who is the author or issuer of the app
  • Code signatures ensure that code has not been tampered with by others since the author wrote it. It ensures that the author-generated code is original and that nothing else is injected into the original code after the author signs it.
  • Users can download applications from developers they trust without having to worry too much about security.
  • Code signing is meant to keep iOS users safe so they can be trusted to use apps downloaded from the AppStore.

Limitations of code signing

Although code signing is for user security, it does not always solve security problems in some ways.

  • The code signature guarantees that the code is from a legitimate developer certified by members of Apple’s Developer Program, but it does not guarantee that the code itself is free of security vulnerabilities.
  • Code signing does not guarantee that plug-ins loaded dynamically during App runtime are secure.
  • There is no DIGITAL rights management or copy protection technology for signed code.

Now you’ve seen the importance of learning code signing, as well as its benefits and limitations. In the next article, we’ll look at the important concept: how the code Signing process begins, namely Certificate Signing Requests.

Post 2: certificate signing request

In the last article, we covered the basics of code signing, its benefits and limitations. Now we’ll begin to understand some of the concepts of code signing. Let’s start where all code signing begins — the certificate signing request. You probably already know that we need a development and distribution certificate to build and deploy an app to the AppStore. Creating an iOS developer certificate is the first step every iOS developer needs to take. The process of creating a certificate begins with a certificate signing request. In this article we will cover the concept of Certificate Signing Request (CSR) and the process of using a CSR to Request a Certificate.

What is the CSR

A code signing request CSR is a message sent by an applicant to a certificate authority to apply for a digital identity certificate. It uses Public Key Infrastructure, a strategy for creating, managing, and distributing digital certificates. The CSR creation process is very standardized in PKI. The applicant needs to generate public and private keys on the local machine, and then the applicant needs to attach the public key and personal information such as email address and county to the CSR. The applicant holds a private key. Typical information required by CSR includes CN (common name), organization, organization unit, country, and email. The CSR contains certificate request information, a signature algorithm, and the requestor’s digital signature to prevent requests from forging certificates.

Send the CSR to Apple

The Certificate Signing Request (CSR) refers to the process of applying for a Certificate from a Certificate authority (CA), in this case Apple, so that Apple can issue developer certificates if the requester details are correct. The request needs to be created from your local macOS machine.

Create a CSR from the GUI

CSRS can be created through Keychain Access, and Apple has written some documentation, but to summarize what you need to do is:

  • Find Keychain Access in Spotlight
  • Choose Keychain Access > Certificate Assistant > Request a Certificate From a Certificate Authority (Request a certificate from a Certificate Authority)
  • Fill in your details, such as email, name and country, and usually just follow the instructions on the screen
  • Select the option Saved to Disk
  • Specify a file name and click Save
  • Click Continue and the Certificate Assistant will create a CSR and save it on your computer

Create a CSR from the command line

If the GUI is a hassle, there is also a way to create a CSR using the command line. You can get a CSR by running a few quick commands, including your name, email address and country:

$ openssl genrsa -out mykey.key 2048 $ openssl req -new -key mykey.key -out CertificateSigningRequest.certSigningRequest -subj "/[email protected], CN=Your Name Dev Key, C=GB"Copy the code

At the end of the process, you’ll see a file with a strange name on your local MAC: CertificateSigningRequest certSigningRequest, this is what we need to go to the Apple Developer is used to generate and issue a certificate file. We will cover certificates later.

Now we have our CSR on our local machine. Let’s take a look at what happens when you create a CSR:

  • When a CSR is created, a public/private key pair is generated
  • The public key is attached to your CSR
  • The private key is stored on your local machine

If you want to learn more about public/private keys and how they work, you can read Asymmetric Cryptography, but in general public keys are used in public Settings and private keys are privately held and you should never share them with anyone.

Now take a look at what’s inside a CSR. Run the following command from your terminal, which will display the basic information inside the CSR.

$ openssl asn1parse -i -in CertificateSigningRequest.certSigningRequestCopy the code

If you want to see the CSR displayed in text and see the public key algorithm rsaEncryption and the signature algorithm sha256WithRSAEncryption, you can run the following command:

$ openssl req -text -noout -in CertificateSigningRequest.certSigningRequestCopy the code

This key pair is generated by RSA(2048 bits), the public key is attached to the CSR, and the private key is used for the actual signature, so we must keep it private. Generating CSRS on multiple macOS is not a good idea because key pairs generated on one MAC cannot be rendered on another MAC. Until we create a p12-format certificate, it is best to use a MAC to generate the CSR.

Now that we’ve seen how to create a CSR through keychain access and using the command line, in the next article we’ll look at the details of the certificates required for iOS development and distribution.