1. Each Mac has a pair of public and private keys.
2. When we apply for a certificate, we send the public key M to the Apple server via the CSR.
3. The Apple server encrypts public key M with Apple private key A and generates a certificate.
4. When packaging the app, Xcode uses the codesign tool to sign the app with private key M (this covers both the resource signature and the code signature).
5. Each iPhone has a public key A built into the operating system, which corresponds to the Apple server's private key A.
6. When the iPhone wants to install an app, it decrypts the certificate in the app with public key A to obtain public key M.
7. The decrypted public key M is then used to verify whether the app's signature is legitimate, i.e. whether it was officially authenticated.

There is a problem with that process: an app signed this way could be installed on any phone, which Apple does not want. So there is also the Provisioning Profile (the mobileprovision file), which contains the devices registered for the AppId in Apple's developer backend and the certificates that are included. Only the matching app, on a registered device, can be installed on the iPhone (apps published on the App Store and enterprise-signed apps are the exceptions).
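As an added example (not code from the original post), the seven steps above plus the provisioning-profile rule modelled end to end in Go, with Ed25519 signatures standing in for Apple's real certificate format: `Issue` plays the Apple server, `SignApp` plays codesign on the Mac, and `Install` plays the device-side checks. It assumes a simplified profile that carries only the app id and the registered device list, and all key, app id and UDID values are constructed.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"strings"
)

// Certificate is Apple's signature (private key A) over the developer public key M (step 3).
type Certificate struct{ DevPub ed25519.PublicKey; AppleSig []byte }
// Profile carries the app id and registered device UDIDs, also signed by Apple (simplified, assumed).
type Profile struct{ AppID string; Devices []string; AppleSig []byte }
// SignedApp is what the installer sees; DevSig is the codesign signature over Payload (step 4).
type SignedApp struct {
	AppID   string
	Payload []byte
	Cert    Certificate
	Profile Profile
	DevSig  []byte
}
func profileBytes(appID string, devices []string) []byte { return []byte(appID + "|" + strings.Join(devices, ",")) }

// Issue models the Apple server: certify public key M and sign the provisioning profile.
func Issue(applePriv ed25519.PrivateKey, devPub ed25519.PublicKey, appID string, devices []string) (Certificate, Profile) {
	return Certificate{devPub, ed25519.Sign(applePriv, devPub)}, Profile{appID, devices, ed25519.Sign(applePriv, profileBytes(appID, devices))}
}
// SignApp models codesign with the developer's private key M.
func SignApp(devPriv ed25519.PrivateKey, appID string, payload []byte, c Certificate, p Profile) SignedApp {
	return SignedApp{appID, payload, c, p, ed25519.Sign(devPriv, payload)}
}

// Install replays the device-side checks (steps 6-7 plus the profile rule).
func Install(applePub ed25519.PublicKey, udid string, app SignedApp) error {
	if !ed25519.Verify(applePub, app.Cert.DevPub, app.Cert.AppleSig) {
		return errors.New("certificate was not issued by Apple")
	}
	if !ed25519.Verify(app.Cert.DevPub, app.Payload, app.DevSig) {
		return errors.New("app signature does not match the certified key")
	}
	p := app.Profile
	if p.AppID != app.AppID || !ed25519.Verify(applePub, profileBytes(p.AppID, p.Devices), p.AppleSig) {
		return errors.New("provisioning profile invalid for this app")
	}
	for _, d := range p.Devices {
		if d == udid {
			return nil // registered device: install allowed
		}
	}
	return errors.New("device not registered in provisioning profile")
}
```

Swapping any one of the four inputs (Apple key, developer key, payload, device) makes `Install` fail on the corresponding check, which is the property the text describes.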

The flow becomes the following: