preface
Recently, WHEN I was in charge of the ios project, I was confused by various certificates and signature concepts. Besides, I didn’t have much contact with the ios test before, which made me feel even more useless. Therefore, I want to make up for this knowledge.
The signature
purpose
Let’s take a look at what Apple’s signature mechanism is designed to do. Before iOS came out, developing and running software on the mainstream operating systems (Mac/Windows/Linux) did not require a signature, and software could be downloaded from anywhere. As a result, the platform was difficult to control third-party software and piracy was prevalent. Apple hopes to solve this problem. It has absolute control over third-party apps on the iOS platform. It must ensure that every APP installed on iOS is officially approved by Apple. Through the signature mechanism.
Symmetric encryption
Generally speaking, signature refers to digital signature, which is based on asymmetric encryption algorithm. What is asymmetric encryption? Asymmetric encryption is relative to symmetric encryption; But either way, the purpose of encryption is to protect the content being encrypted;
Baidu’s interpretation of symmetric encryption:
In the encryption method of single-key cryptosystem, the same key can be used to encrypt and decrypt information at the same time. This encryption method is called symmetric encryption, also called single-key encryption.Copy the code
Yeah, you don’t get it? Meng force? Never mind, keep watching
Jb had a letter that he just wanted to show to himself and YY, so JB set a password (encrypted) for the letter and sent it to YY. YY could check the contents (decrypted) as long as it knew the password of the letter. Others could not check the contents even if they got the letter and wanted to read it without the password (key).
Symmetry means that encryption and decryption use the same key;
Asymmetric encryption
Unlike symmetric encryption, asymmetric encryption algorithms use two different keys for encryption and decryption. These two keys are the public key (public key) and the private key (private key).
The relationship between the public key and private key is as follows: The public key and private key are usually paired.
If your message is encrypted using a public key, you need the corresponding private key to decrypt it.
If your message is encrypted with a private key, you need the corresponding public key to decrypt it.
Asymmetric encryption protects message contents and allows message recipients to determine the identity of the sender.
Don’t understand? Here we go.
Again, the problem with symmetric encryption is that once the key is compromised in transit, confidentiality is lost;
Since the security of symmetric encryption is lower, asymmetric encryption is adopted. In this way, JB and YY need to hold a pair of their own public key and key respectively.
JB wrote the letter just for YY, then YY will have any different characteristics from others? YY has a key that only he knows! If JB uses the public key of YY for encryption, only THE key of YY can be decrypted, so that only YY can see it.
It should be noted that the public key is open to others;
In that case, since the public key of YY is public, suppose one SB wants to pretend to be JB and use the public key of YY to encrypt and then write a letter to YY.
JB in order to avoid this situation, the content of the letter with JB own key is encrypted, YY after receiving the letter, use JB’s public key to decrypt (only JB’s public key can unlock using JB private key encrypted content), if you can solve, so YY will know that this letter is JB hair, this is in order to determine the message sender;
The text may seem confusing, so I used a flow chart to make it easier to understand:
This is asymmetric encryption. Back to IOS itself, when we want to run a written IOS program to the real world, we use this asymmetric encryption method of authentication to ensure that the source of the program is trusted and secure
Digital signature & Certificate
What about digital signatures? In simple words, the function of digital signature is to mark a piece of data, indicating that I own the data, which is equivalent to signing a name, and then send it to others, who can know that the data is authenticated by me and the data has not been tampered with;
Here words, directly posted a peak god translated articles, convenient to understand; What is a digital signature
Bob has two keys, one is public and the other is private.
2) Bob gives the public key to his friends —- Patty, Doug, and Susan —- each one.
3) Susan is going to write a confidential letter to Bob. After she writes it, she encrypts it with Bob’s public key to keep it secret.
4) Bob received the letter, decrypted it with his private key and saw the contents. The point here is that as long as Bob’s private key is not compromised, the letter is secure and cannot be decrypted, even in someone else’s hands.
Bob wrote back to Susan and decided to use a “digital signature”. After writing the letter, he uses a Hash function to generate a digest.
6) Bob then uses the private key to encrypt the digest, generating a “digital signature”.
Bob attached his signature to the letter and sent it to Susan.
8) After Susan receives the letter, she takes off the digital signature and decrypts it using Bob’s public key to get a summary of the letter. This proves that the letter was indeed sent by Bob.
9) Susan then uses the Hash function on the letter itself and compares the result with the summary obtained in the previous step. If they agree, it means the letter hasn’t been redacted.
10) Complications arise. Doug tried to trick Susan by secretly using Susan’s computer and swapping Bob’s public key for his own. At this point, Susan actually has Doug’s public key, but thinks it’s Bob’s. So Doug could pretend to be Bob, use his private key to make a “digital signature” and write a letter to Susan, who would decrypt it using the fake Bob public key.
11) Later, Susan senses something and finds herself unsure if the public key really belongs to Bob. She has an idea. She asks Bob to go to the Certificate Authority to certify the public key. The Certificate center uses its own private key, encrypts Bob’s public key along with some related information, and generates a “Digital Certificate.”
After Bob gets his digital certificate, he can rest easy. If you write to Susan in the future, just sign and attach your digital certificate.
13) After Susan receives the letter, she unlocks the digital certificate with the CA’s public key. Then she can get Bob’s real public key and prove whether Bob really signed the “digital signature”.
After reading the text, I have a preliminary understanding of digital signature and digital certificate
Certificate information
The popular science
1) Apple Developer Center website 2) Type of developer account: Individual -$99 (about 688 yuan/year) (Maximum of two commissioning certificates) Company -$99 (about 688 yuan/year) Need to provide a Dun & Bradstreet code for enterprise certification, can do team development management business -$299 need to provide a Dun & Bradstreet code, The program cannot be put into AppStore (for enterprise internal office software, etc.) (there are at most five debugging certificates)
Create a certificate
1) Add a certificate
2) Select the certificate
- Development certificate: 1 at most (20170425 days can only generate one)
- Production: Up to 3 Production certificates
3) Prepare to create the CSR file
4) Create the CSR file 01 (Open keychain -> Certificate Assistant -> Request a certificate from a Certificate Authority)
5) Create the CSR file 02 (fill in the email address, common name, both of these are optional, be careful to save the CSR file to disk)
6) Create a CSR file
7) Select the CSR file you just created
8) After creating the certificate, download the certificate
IOS signature certificate mechanism
AppStore
There is a public key built into ios, and the private key is saved by the Apple background. When the App is uploaded to AppStore, the Apple background uses the private key to sign the App data. After the ios system downloads the App, Verify the signature with the public key. If the signature is correct, the APP must have been authenticated by Apple and has not been modified, which meets Apple’s requirement: ensure that every APP installed is officially approved by Apple.
Xcode Build
In daily development, it’s impossible to submit to the App Store every time, so in local debugging, the device will change the verification of the App to the verification of the developer;
The Developer account here is the one you applied for in The Apple Developer Center. Once trusted, the iOS device will verify the Developer’s identity every time you build, not the App you build. In this way, the process of uploading and downloading application packages is eliminated. As we know, the verification App uses the signature mechanism to determine the source of the installation package, but what is the mechanism for verifying the developer’s identity here?
Verify the developer
First, iOS devices need to verify your developer identity, which is a macOS-based certificate policy. If you open keychain access and check the certificate, we can see a bunch of things like this:
You can see all kinds of certificates here; When you add your own account in Xcode, and select Team as your developer account in your project, you add something like this to your keychain:
In fact, there are only two things:
- The iOS device decrypts the certificate with the Apple public key, and the local certificate obtained must be signed by the Apple server, which ensures that the developer is authenticated by Apple.
- The public key obtained in the previous step is used to decrypt the App signature. If the decryption succeeds and the verification passes, it proves that the App is really built by the developer, thus ensuring the security of the App.
The only problem with this process is that the key is generated locally, and if you change computers, the local key pair will change. At this point, you need to export the certificate from your old MAC and install it on the new computer.
summary
This article mainly introduced the signature with certificate only, including symmetric encryption and asymmetric encryption, and digital certificate relevant information, and introduces the App Store with xcode certificate logic, from the overall to IOS certificate which have the effect of literacy, there would be no further details, first so, roughly the subsequent need to write a ~
Thank you.