Before iOS came out, software downloaded from anywhere on our mainstream operating system (Mac/Windows) could run, and there were hidden risks in system security. Apple wanted to solve this problem by ensuring that every APP installed on iOS was officially approved by Apple, so there was the application signature of iOS.
1. What is application signature?
As the name implies, an application signature is the signature of an application, which is the result of a Hash and an RSA encryption of the executable file or script data (actually code) in the application. This is what Apple uses to make sure software hasn’t been modified or corrupted after being signed.
2. How does Apple verify app signatures?
Apple provides users with a basic authentication method. A public key is built into the iOS system, and the private key is stored in the Apple background server. When developers upload their developed apps to AppStore, Apple uses the server’s private key to sign in a violent and direct way (this is why we usually see the App display processing when we upload the App store). After the user downloads the App from the AppStore on the phone, the iOS system uses the public key to verify whether the signature is correct. If the signature is correct, Note that this App is authenticated by Apple background and has not been modified, which ensures that each App is officially approved by Apple.
3. What’s wrong with the above signature?
If we only installed our apps on iOS devices from the App Store, this would be easy to solve, but developers would definitely need to do real machine debugging, as well as distribution channels within the enterprise.
4. Apple’s two-tier signature
For developers, the installation package does not need to be uploaded to the App Store and can be directly installed on the mobile phone. However, in order to ensure the security of the system, Apple must have absolute control over the installed App and should not be abused so that non-development apps can be installed.
In order to meet these requirements, the complexity of iOS signatures has also begun to increase, and apple’s solution here is a two-layer signature.
When we need to install our development-stage App on the phone, Apple provides a way for developers to apply for a certificate.
Our Mac computer generated on A pair of M M public key and A private key, and then upload public key M packaged into CSR file to the apple servers, apple servers store on the server using the private key of A public key M for asymmetric encryption after get A developer certificate, the certificate is included in the encrypted public key M, this certificate is what we call the p12 file.
At the development stage, we want to install the App on the mobile phone. During the Build, Mac will use the private key M to sign the App, and then package the certificate we request from Apple server into our App. At this time, iOS operating system will use the public key A to decrypt the certificate packaged into the App. If the verification is successful, apple allowed the installation.
Then use public key A to decrypt the encrypted public key M in the certificate and verify the signature of the current App. In this way, Apple’s two-layer verification is completed, which not only ensures that apple allows the installation, but also verifies whether it is the App developed by us.
5. Describe the generation of the file
To ensure that the installed devices are permitted by Apple and limit the number of installed devices, When applying for a certificate from Apple, Apple returns a description file containing the certificate.
Xcode will request a description file from Apple as we develop.
Can use the Finder to open the file location ~ / repository/MobileDevice/Provisioning Profiles /;
The description file will contain information about the certificate, information about the authorized device, application time, expiration time and so on.
When we look at the certificate, the terminal goes to the current certificate folder and type security CMS-di Embedded. Mobileprovision and we see that the description file is actually a PLIST.
The above is the iOS application signature and application signature verification.